Privacy policy.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection provisions is:

GEOTRACE GmbH & Co. KG
Waldleite 21
97295 Waldbrunn, Germany
Phone: +49 (0) 93 06 / 53 42 380
E-mail: info@noa.life

Data protection officer

For questions about data protection and the exercise of your data subject rights, you can reach our data protection contact point by e-mail at datenschutz@noa.life or by post at the address given above, marked "Datenschutz" (data protection).

2. General information on data processing

2.1 Scope of the processing of personal data

As a matter of principle, we process personal data of our users only insofar as this is necessary to provide a functional website as well as our content and services. The processing regularly takes place only with the user's consent or where permitted by law.

2.2 Legal bases

• Art. 6 (1) (a) GDPR — consent
• Art. 6 (1) (b) GDPR — contract performance / pre-contractual measures
• Art. 6 (1) (c) GDPR — legal obligation
• Art. 6 (1) (f) GDPR — legitimate interest

2.3 Data erasure and storage period

Personal data is erased or blocked as soon as the purpose of storage no longer applies. Storage beyond that may take place where provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject.

3. Hosting and server log files

The website is hosted by:

ALL-INKL.COM – Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68, 02742 Friedersdorf, Germany

A data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider. The servers are located in a data centre in Germany. The legal basis for using the host is Art. 6 (1) (f) GDPR (legitimate interest in the secure and efficient provision of the website).

On every visit, the browser automatically transmits information to the server. This information is stored temporarily in a so-called log file:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the file retrieved
• Volume of data transmitted
• Notification of whether the retrieval was successful
• Identification data of the browser and operating system used
• Referrer URL

Legal basis: Art. 6 (1) (f) GDPR. The data is stored to ensure the functionality of the website and to defend against attacks. Storage period: the server log files are deleted automatically after 7 days. Individual entries are stored longer only where this is necessary to investigate a specific security incident; in that case the affected log files are retained until the incident has been fully resolved.

4. Cookies

Our website uses cookies. Cookies are small text files that are stored in the browser or by the browser on the user's device.

4.1 Technically necessary cookies

These cookies are required for the website to function (e.g. shopping cart, login, locally stored account data). Legal basis: Art. 6 (1) (f) GDPR and § 25 (2) TDDDG (German Telecommunications Digital Services Data Protection Act).

4.2 Analytics and marketing cookies

For reach measurement we use no cookies and no third-party services — in particular no Google Analytics and no Meta Pixel. Instead, we use our own cookieless reach measurement: when a page is accessed, a short, anonymous signal is sent to our own server (track.php) and evaluated there exclusively in aggregate form (e.g. number of page views, referring page, rough device category). No information is stored on or read from your device in the process; consent pursuant to § 25 (1) TDDDG is therefore not required. Your IP address is not stored permanently for this purpose. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the statistical analysis and improvement of our offering).

4.3 Managing cookies

You can withdraw your consent at any time or adjust your settings. Most browsers also offer functions for managing and deleting cookies.

5. Contact forms & e-mail contact

You can contact us via the website by e-mail at info@noa.life. In this case, the user's personal data transmitted with the e-mail is stored.

The data is not passed on to third parties. The data is used exclusively to process the conversation.

Legal basis: Art. 6 (1) (b) GDPR (pre-contractual) or Art. 6 (1) (f) GDPR (legitimate interest in responding).

6. Account system & order processing

If you create a user account on noa.life or order a NOA device, we process the following data:

• Master data (name, e-mail, address and phone where applicable)
• Order data (product, quantity, price, order date)
• Payment and shipping data
• Stored trusted persons and device data, where applicable

Account and order data are processed and stored server-side in our database (orders, subscription/plan data, assigned devices and emergency contacts). Sign-in to the NOA app takes place via an encrypted access token.

Legal basis: Art. 6 (1) (b) GDPR (contract performance). Storage period: until termination of the contract plus statutory retention periods (in particular § 257 HGB (German Commercial Code), § 147 AO (German Fiscal Code)).

6.1 Device, location and emergency data (NOA service)

To provide its protective function, the NOA service processes the following data of the person equipped with a NOA device:

• Location data (GPS/position data of the device) for location display, for safe zones (geofence) and for inactivity monitoring (no-movement),
• Alarm and event data (triggered alarms, time, position, notification history),
• Emergency contacts (name, phone, e-mail of the stored trusted persons).

In the event of an alarm, the recipients are the emergency contacts stored by the customer (via SMS, e-mail or phone call) and — only where the option has been booked and no confirmation is received — an emergency/monitoring centre (escalation).

Consent of the person wearing the device: The customer ensures that the person equipped with a NOA device has consented to the processing of their location data or that a corresponding authorisation exists.

Legal basis: Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (contract performance); for any health/vital-sign data additionally Art. 9 (2) (a) GDPR; furthermore, to protect vital interests in the event of an alarm, Art. 6 (1) (d) GDPR. Storage period for location/telemetry data: 90 days after invoicing; after that the data is deleted or anonymised, unless statutory retention obligations or an alarm/clarification process that has not yet been concluded prevent this.

7. Embedded services & tools

7.1 Material Symbols (icon font from Google)

To display interface symbols (icons), this website embeds the "Material Symbols" font from Google. When the website is accessed, the icon font file is loaded from the Google server for this purpose; in the process, your IP address may be transmitted to Google. The website's body text fonts, by contrast, are not loaded from Google — only system fonts already present on your device are used here. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a consistent, high-performance presentation). Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google may also transfer data to the USA; this is based on the EU Standard Contractual Clauses and Google's certification under the EU-US Data Privacy Framework.

7.2 Map service (self-hosted)

The location map in the NOA service uses the Leaflet map software (self-hosted) and obtains map tiles via our own server proxy. In the process, no user IP or location is transmitted to an external map provider (data minimisation, Art. 5 (1) (c) GDPR).

7.3 Payment processing

For payment processing we use — depending on the payment method you choose — the following payment service providers as recipients of the payment-relevant data:

• PayPal – PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (for payment by PayPal).
• Stripe – Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (for payment by credit card or Apple Pay).
• SEPA direct debit – processed via our account-holding bank on the basis of the SEPA mandate you have granted.

Only the data required for the respective payment is transmitted (e.g. name, invoice amount, payment/account details). The named payment service providers process this data as independent controllers on the basis of their own privacy policies. Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (f) GDPR (secure and smooth payment processing).

7.4 Notification services (alarm)

To provide the alarm function, the NOA service transmits notifications to the emergency contacts you have stored in the event of an incident. For this purpose, we use telecommunications and dispatch service providers as processors:

• SMS and voice call/announcement dispatch via a telecommunications gateway provider,
• E-mail dispatch (order, account and alarm notifications) via an e-mail dispatch service,
• where the monitoring centre option has been booked, the transmission of the alarm and location data to a connected 24/7 emergency/service centre (escalation only if no trusted person confirms in time).

Data processing agreements pursuant to Art. 28 GDPR are in place with these service providers; only the data required for the respective notification is transmitted. Legal basis: Art. 6 (1) (b) GDPR (contract performance), Art. 6 (1) (a) GDPR (consent) and, to protect vital interests, Art. 6 (1) (d) GDPR.

7.5 Further services

Shipping: To deliver the devices, we pass the required shipping data (name, delivery address and, for shipment notification, e-mail/phone where applicable) on to the commissioned shipping company — usually DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn). Legal basis: Art. 6 (1) (b) GDPR.

Newsletter: If you consent to receiving our newsletter, we process your e-mail address using the double opt-in procedure to send the newsletter. You can unsubscribe from the newsletter at any time via the unsubscribe link in every e-mail or in your customer account. Legal basis: Art. 6 (1) (a) GDPR; the withdrawal takes effect for the future.

Reach measurement: For statistical analysis we use the cookieless, self-operated reach measurement described in section 4.2. No data is passed on to third parties in the process.

8. Rights of data subjects

You have the following rights vis-à-vis us regarding the personal data concerning you:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Withdrawal of consent given (Art. 7 (3) GDPR) with effect for the future

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Competent for the controller's registered seat (Bavaria):

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
www.lda.bayern.de

9. Changes to this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.