Seroton App Privacy Policy
September 19, 2025
In addition to our online services, we provide you with a mobile app that you can download to your mobile device. Below, we inform you about the processing of personal data when using our mobile app. Personal data includes all data that can be related to you personally, such as name, address, email addresses, or user behavior. With this notice, we aim to inform you about our processing activities and fulfill our legal obligations, particularly those from the EU General Data Protection Regulation (GDPR).
Responsible Party
The responsible party within the meaning of the GDPR for the processing of personal data in our app is:
Seroton GmbH
Richard-Stücklen-Straße 19
91710 Gunzenhausen
hello@seroton.com
For data protection inquiries or to exercise your rights as a data subject, please contact dataprotection@seroton.com.
Data Protection Officer
We have appointed as our Data Protection Officer:
Kertos GmbH
Brienner Straße 41
80333 Munich
Email: dsb@kertos.io
Data Processing within the App
3.1. Provision and Use of the App
When downloading the app, the required information is transferred to the app store, especially the username, email address, customer number, time of download, payment information, and the unique device identifier. The app store also independently collects various data and provides analysis results. We have no influence on this data processing and are not responsible for it. We only process this data to the extent necessary for the download of the mobile app to your device.
Recipients:
Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google, LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Infrastructure and hosting, server-side logic, and execution of app processes)
Processed Data:
Usage data (e.g., IP address, date and time of the request)
Device data (e.g., device ID, operating system)
Contact data (e.g., email address, mobile number)
Network data (e.g., MAC address when using WLAN)
Identification data (e.g., unique device number IMEI, unique subscriber number IMSI)
App store data (e.g., username, customer number, payment information)
Technical log data (e.g., request and response data, error messages)
Legal Basis:
Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR (Ensuring the security and operation of the app)
Storage Duration:
For the duration of the app usage and beyond in accordance with statutory retention periods
Third-Country Transfer:
Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and additional standard contractual clauses (SCCs)
Further Information:
https://policies.google.com/privacy, https://cloud.google.com/terms/cloud-privacy-notice?hl=en
3.2. System Permissions
Certain functions of our app require access to specific interfaces and data on your device. Depending on the operating system, your express consent may be required for this. Below, we explain which functions our app may request permissions for (as relevant) and for what purposes this occurs. You can manage these permissions in the system settings of your device at any time.
Location Services / Location Data: Permission to access your device's location services is necessary so the app can connect to the RelaxHub hardware device and provide the haptic experience. If you do not allow access, use may be limited or not possible.
Notifications/Push Messages: Permission is required for using push services. On some devices, this is enabled by default for all apps.
Bluetooth: The app needs access to your device’s Bluetooth interface to connect to the RelaxHub hardware device and provide the haptic experience.
Camera: The app needs permission to use your device's camera, for example, to take photos or scan QR codes. Access occurs only if you select the corresponding function in the app.
Microphone: Permission is required for using your device’s microphone to record and process audio data. Access is only requested and used when you actively use the recording feature.
Mobile Data (iOS) / Networks (Android): These permissions enable the app to transmit data over your device’s internet connection. This may be necessary for sending inputs from the app to our servers, such as during a search.
Access to Device Storage: Our app may require permission to store or access files on your device. On both Android and iOS, the app can only access its own app-specific storage area; access to external files or the general device storage is not possible.
3.3. Registration and User Authentication
Purpose:
Creation of a user account to provide personalized app functionalities and content
Recipients:
Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google, LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
(Main database for storing and managing user data and app content, providing and managing user authentication for our application)
Processed Data:
Name
Email Address
Password (encrypted storage)
Gender
Birthday
Personal Focus (e.g., performance, relaxation)
Personal Goals (e.g., stress reduction)
Routine (e.g., frequency of use)
Experience Level with Relaxation Exercises
Connected Seroton RelaxHubs
Device Information (operating system, smartphone version)
Login Information (e.g., email address, username)
Authentication Data (e.g., password hash, security tokens)
Device Information (e.g., device ID, IP address)
Usage Statistics (e.g., login times, login frequency)
Legal Basis:
Art. 6 para. 1 lit. b GDPR (Contract Fulfillment), for health data Art. 9 para. 2 lit. a GDPR (express consent)
Storage Duration:
For the duration of account usage; personal data is deleted after account deletion
Third-country Transfer:
Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and additional standard contractual clauses (SCCs)
Further Information:
https://firebase.google.com/support/privacy
3.4. Personalized Program Recommendations
Purpose:
Provision of personalized program recommendations to enhance the user experience
Processed Data:
Current Mood (e.g., relaxed, stressed)
Time Availability (e.g., preferred usage times)
Previous Interactions (e.g., used programs, frequency)
User Preferences (e.g., preferred types of exercises)
Progress Data (e.g., frequency of app usage)
Legal Basis:
Art. 6 para. 1 lit. a GDPR (Consent)
Storage Duration:
For the duration of the use of the personalized recommendation feature; upon withdrawal of consent, specific data for recommendations are deleted
Further Information:
The use of personalized program recommendations is voluntary. You can withdraw your consent at any time in the app settings.
3.5. Feedback and Problem Reporting
Purpose:
Improvement of the user experience and product, error correction
Recipients: –
Processed Data:
Engagement Scales
Favorites
Questionnaires on usage behavior and satisfaction
3.6. Tracking and Analysis
To improve our services and to analyze and optimize app usage, we use various tracking and analysis technologies. We mainly use mobile advertising IDs such as the “Identifier for Advertisers” (IDFA) for Apple devices and the “Google Advertising ID” (GAID/AAID) for Android devices. These IDs are used for device recognition for analysis and advertising purposes. Additionally, we integrate SDKs from third parties (e.g., for statistics, advertising, or error reports) that collect device-specific information (e.g., advertising ID, usage behavior, IP address, and possibly location data). If these technologies are not technically necessary, their use is based exclusively on your prior consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TMG. You can withdraw your consent at any time in the app's privacy settings or in your device settings.
3.6.1. Mixpanel
Purpose:
Analysis of user behavior to optimize the website and offered online services
Recipients:
Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA
Processed Data:
Access Data (e.g., IP address, date and time of request)
Usage Data (e.g., visited pages, interactions with the website)
Source and Traffic Data (e.g., referrer URL, entry page)
Device Data (e.g., device type, screen resolution)
Browser Data (e.g., browser type and version)
Location Data (e.g., country, region – based on IP address)
Legal Basis:
Consent according to Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TMG
Storage Duration:
Data is stored according to the provider for up to 12 months
Third-country Transfer:
Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR)
Further Information:
https://mixpanel.com/legal/privacy-policy
3.6.2. Google BigQuery
Purpose:
Data analysis to optimize our services and business processes
Recipients:
Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google, LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Processed Data:
Usage Statistics (e.g., page views, dwell time)
Transaction Data (e.g., purchase history, product preferences)
Aggregated User Information (e.g., demographic data, location data)
Performance Indicators (e.g., load times, error rates)
Legal Basis:
Legitimate interest according to Art. 6 para. 1 lit. f GDPR (Improvement and optimization of our services, increasing user-friendliness)
Storage Duration:
Data is stored for a maximum period of 24 months and then deleted or anonymized.
Third-country Transfer:
Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and additional standard contractual clauses (SCCs)
Further Information:
https://cloud.google.com/terms/cloud-privacy-notice
Contact
If you contact us via the in-app form or email, we will process the personal data you provide (e.g., name, email address, content of the message) solely for processing and responding to your request.
Legal Basis:
Generally, our legitimate interest in communicating with you (Art. 6 para. 1 lit. f GDPR) or – if the inquiry is for the initiation or fulfillment of a contract – Art. 6 para. 1 lit. b GDPR.
Storage Duration:
Your data will only be stored as long as necessary to process your request.
Disclosure:
Disclosure to third parties does not occur unless we are legally obligated or it is essential to process your request.
Registration for the Innovators Program
Purpose:
Conducting user tests, surveys, and feature tests as part of our Innovators Program
Processed Data:
Contact Information (e.g., name, email address)
User Data (e.g., usage behavior, preferences)
Feedback Data (e.g., survey responses, test reports)
Technical Data (e.g., device information, app version)
Legal Basis:
Consent according to Art. 6 para. 1 lit. a GDPR
Storage Duration:
Data is stored for the duration of participation in the Innovators Program and deleted after leaving the program or at the user's request.
Further Information:
Participation in the Innovators Program is voluntary. You can withdraw your consent at any time with effect for the future by unregistering from the program or contacting us.
International Data Transfer
We generally process your data within the EU and EEA. However, some service providers are located in so-called “third countries.” The GDPR sets high standards for this. All recipients must meet these standards. Before transferring to a third-country service provider, we check data protection levels and only choose providers with proven adequate protection. Each service provider – even outside the EEA – has entered into a data processing agreement with us.
For providers outside the EEA, additional requirements apply: According to Art. 44 ff. GDPR, data may be transferred if at least one of the following conditions is met:
The EU Commission has established an adequate level of data protection.
Standard contractual clauses are agreed with the recipient.
Further suitable guarantees according to Art. 46 GDPR.
In exceptional cases, one of the exceptions under Art. 49 GDPR applies.
Data Recipients
Transfer of the personal data we collect generally only occurs if:
You have given your express consent according to Art. 6 para. 1 lit. a GDPR,
the transfer is necessary to protect legitimate interests or to assert, exercise, or defend legal claims according to Art. 6 para. 1 lit. f GDPR and there is no reason to believe that your interests deserving protection outweigh this,
we are legally obliged (Art. 6 para. 1 lit. c GDPR) or
the transfer is legally permissible and necessary for contract fulfillment or pre-contractual measures (Art. 6 para. 1 lit. b GDPR).
Possible recipients include:
Processors: Group companies or external service providers, e.g., in the area of technical infrastructure, processing, maintenance, or payment processing. They are only allowed to use data according to our instructions.
Public Authorities: Authorities and offices, e.g., tax authorities, public prosecutors, courts, if we are obliged to do so or legitimate interests require it.
Data Security and Protective Measures
We ensure that your personal data remains secure and confidential. To protect against manipulation, loss, or misuse, we use technical and organizational measures that are regularly reviewed and adjusted to the state of the art.
Please note that other people or institutions on the Internet may disregard data protection requirements. In particular, unencrypted data (e.g., emails) can be viewed by third parties. We have no control over this. Therefore, protect your data against misuse through encryption or similar measures.
Data Storage
Personal data is deleted or blocked as soon as the purpose of storage ceases to apply. Further storage can occur if provided for by European or national regulations. Data will also be blocked or deleted if a legal retention period expires unless needed for contract fulfillment.
Data Subject Rights
You have the following rights regarding your personal data:
Right to Access: You can find out whether we are using your personal data. If so, you have the right to know which data it is, why we use it, who receives it, and how long we store it.
Right to Rectification: You can request immediate correction of incorrect or completion of incomplete data.
Right to Erasure: You can request deletion, e.g., if data is no longer needed, you withdraw your consent, or the use was unlawful.
Right to Restriction of Processing: You can request blocking in certain cases.
Right to Data Portability: You receive your data in a machine-readable format.
Right to Withdraw Consent and Object: You can withdraw your consent at any time with effect for the future. The lawfulness of past processing remains unaffected. You can object to the use of your data for advertising purposes at any time; this also applies to related profiling.
Complaint:
You can lodge a complaint with a supervisory authority if you feel your rights are being violated.