This privacy information applies to data processing by: Outastory GmbH.

1. Name and Contact Details of the Data Controller and the Data Protection Officer

Data controller: Thimo Buchheister, Outatsory GmbH, Bemeroder Strasse 67, 30559 Hannover.

Data Protection Officer: Attorney Kai Flatau, Rothenbaumchaussee 150, 20149 Hamburg

You can reach our Data Protection Officer at: 040 35 71 62 73.

Competent data protection authority: The State Commissioner for Data Protection Lower Saxony

Prinzenstraße 5, 30159 Hannover

Phone: +49 (0511) 120 45 00

Fax: +49 (0511) 120 45 99

Email: poststelle@lfd.niedersachsen.de

2. Collection and Storage of Personal Data and the Nature and Purpose of Their Use

When Visiting the Website/APP

When accessing our website www.Outastory.app, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automated deletion after 10 days:

• IP address of the requesting computer/device,
• Date and time of access,
• Name and URL of the retrieved file,
• Website from which access was made (referrer URL),
• Browser used and, if applicable, the operating system of your computer and the name of your access provider.

We process the aforementioned data for the following purposes:

• Ensuring smooth connection to the website,
• Ensuring comfortable use of our website,
• Evaluating system security and stability, and
• For other administrative purposes.

The legal basis for data processing is Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your identity.

In addition, we use cookies and analytics services when visiting our website. More detailed explanations can be found in sections 3 and 4 of this privacy policy.

3. Cookies

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your device, do not contain viruses, Trojans or other malware.

Information is stored in the cookie that arises in connection with the specific device used. However, this does not mean that we directly gain knowledge of your identity.

The use of cookies serves, on the one hand, to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after leaving our website.

Furthermore, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a specific defined period. If you visit our website again to use our services, it is automatically recognized that you have already been with us and what entries and settings you have made, so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you (see section 5). These cookies enable us to automatically recognize when you revisit our website that you have already been with us. These cookies are automatically deleted after a defined time.

The data processed by cookies is necessary for the stated purposes to protect our legitimate interests and those of third parties in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created. However, completely disabling cookies may result in you not being able to use all functions of our website.

4. Email Contact

The general email address of Outastory GmbH is published on our website.

Contact via the provided email address is possible. In the event of contact, the user's personal data transmitted with the email will be stored.

In principle, there is no disclosure of data to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for processing data transmitted in the course of sending an email is Art. 6 Para. 1 lit. f GDPR.

If the email contact is aimed at concluding a contract, then the additional legal basis for processing is Art. 6 Para. 1 lit. b GDPR.

Processing the personal data from the email sent to us serves solely to handle the contact. This also constitutes the necessary legitimate interest in processing the data.

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

5. Analysis Tools

The tracking measures listed below and used by us are carried out on the basis of Art. 6 Para. 1 S. 1 lit. f GDPR. With the tracking measures we use, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you. These interests are to be regarded as legitimate within the meaning of the aforementioned regulation.

The respective data processing purposes and data categories can be found in the corresponding tracking tools.

a) Google Analytics

For the purpose of statistical evaluation, we obtain information about your use of our website in order to improve our website and its functionalities on this basis. However, no personal data is transmitted or stored that could identify you as a user.

For these purposes, we use the Google Analytics analysis tool provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA ("Google"). This tool supports us in analyzing traffic to and on our website. For this purpose, Google collects information about your dwell time and your interaction with our website as well as your IP address based on page views. This data is evaluated by Google to create reports that may include statements about your dwell time, approximate geographical origin, origin of visitor traffic, exit pages and usage processes.

In Google Analytics, interactions from you as a visitor to our website are primarily captured using cookies. These cookies are used to store non-personal data and are not made accessible across domains in browsers.

Information that Google generates through the use of cookies about your use of our website is regularly transmitted to data centers in the USA and stored there anonymously. Our website uses the IP address anonymization provided by Google for this purpose. The IP anonymization function in Google Analytics sets the last octet for your IPv4 type IP address and the last 80 bits for IPv6 addresses to zero in memory shortly after they are sent to the Google Analytics data collection network for capture. The complete IP address is therefore never written to the hard drive. This function ensures the anonymization of your IP address before storage and processing within the framework of Google Analytics, so that a clear determination of your identity by Google is excluded.

b) Google reCaptcha

To better protect our website from fraudulent activities such as scraping, credential stuffing and automated account creation, we use the reCaptcha system from Google.

reCAPTCHA is a captcha service that has been operated by Google LLC since 2009. It attempts to distinguish whether a specific action on the Internet is performed by a human or by a computer program or bot.

When someone interacts with our website, reCAPTCHA collects data about their behavior, such as keyboard inputs, mouse movement and timing, and browser history. The script communicates with Google's server using a secret key to encrypt the communication.

c) Google Fonts

Google Fonts offers the option to use various fonts on our website without having to upload them to our server. In this case, when a user accesses the website, the fonts are loaded via a Google server. This external call causes user data to be transmitted to Google:

• Which browser you use
• That you visit our website
• The operating system you use
• The screen resolution of your computer
• Your IP address and
• Your browser's language settings.

The transfer of your data to Google Inc. is based on the Trans-Atlantic Data Privacy Framework between the EU and the USA, which grants the USA a level of protection equivalent to the regulations within the EU.

Google Inc. is a certified company within the meaning of the Framework.

Further information on data protection in connection with Google can be found in the Google Analytics Help at this link.

6. Sentry

We use Sentry, an error management tool, for our website. The service provider is the American company Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA.

Functional Software also processes your data in the USA. Sentry and Functional Software are active participants in the EU-US Data Privacy Framework, which regulates the correct and secure data transfer of personal data from EU citizens to the USA. More information can be found at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

In addition, Functional Software uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template forms provided by the EU Commission and are intended to ensure that your data also complies with European data protection standards if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and through the standard contractual clauses, Functional Software commits to maintaining the European data protection level when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

The Data Processing Addendum, which corresponds to the standard contractual clauses, can be found at https://sentry.io/legal/dpa/

You can learn more about the data processed through the use of Sentry in the privacy policy at https://sentry.io/privacy/?tid=331753884268

6. sendinblue GmbH

Outastory uses the Brevo system from sendinblue GmbH, Köpeniker Strasse 126, 10179 Berlin, www.brevo.com, for sending emails (e.g., for sending new access credentials).

We receive technical support, including for handling email traffic, from ThreeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

Since personal data about you could also be sent in this process, we have concluded a contract for commissioned data processing with ThreeB IT.

ThreeB IT, in turn, has concluded a contract for commissioned data processing with seninblue GmbH.

TÜV Rheinland has confirmed to sendinblue GmbH that the technical and organizational measures for commissioned data processing meet the requirements of the GDPR.

7. Social Media Plugins

We use social plugins from the social networks Facebook, X (formerly Twitter) and Instagram on our website based on Art. 6 Para. 1 S. 1 lit. f GDPR in order to make ourselves better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. The responsibility for data protection-compliant operation must be ensured by their respective providers.

a) Facebook/Facebook

Social media plugins from Facebook are used on our website to make their use more personal.

When you access a page of our website that contains such a plugin, your browser establishes a direct connection with Facebook's servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the website by it. Through the integration of the plugins, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there.

If you are logged in to Facebook, Facebook can directly associate the visit to our website with your Facebook account. If you interact with the plugins, for example by clicking the "LIKE" or "SHARE" button, the corresponding information is also transmitted directly to a Facebook server and stored there. The information is also published on Facebook and shown to your Facebook friends.

Facebook can use this information for the purposes of advertising, market research and needs-based design of Facebook pages. For this purpose, Facebook creates usage, interest and relationship profiles, for example to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services related to the use of Facebook.

If you do not want Facebook to associate the data collected via our website with your Facebook account, you must log out of Facebook before visiting our website.

Please refer to Facebook's privacy policy at this link for the purpose and scope of data collection and the further processing and use of the data by Facebook, as well as your rights and settings options to protect your privacy.

b) X (formerly Twitter)

Plugins from the short message network X Inc. (hereinafter: "X") are integrated on our website. You can recognize the X plugins (tweet button) by the X logo on our page. You can find an overview of tweet buttons here.

When you access a page of our website that contains such a plugin, a direct connection is established between your browser and the X server. X thereby receives the information that you have visited our page with your IP address. If you click the X "button" while you are logged into your X account, you can link the content of our pages to your X profile. This allows X to associate the visit to our pages with your user account. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by X.

If you do not want X to be able to associate the visit to our pages, please log out of your X user account.

Further information can be found in X's privacy policy at this link.

c) Instagram

Our website also uses so-called social plugins ("plugins") from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (hereinafter: "Instagram").

The plugins are marked with an Instagram logo, for example in the form of an "Instagram camera".

When you access a page of our website that contains such a plugin, your browser establishes a direct connection to Instagram's servers. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram.

This information (including your IP address) is transmitted by your browser directly to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can directly associate the visit to our website with your Instagram account. If you interact with the plugins, for example by clicking the "Instagram" button, this information is also transmitted directly to an Instagram server and stored there.

The information is also published on your Instagram account and displayed to your contacts there.

If you do not want Instagram to directly associate the data collected via our website with your Instagram account, you must log out of Instagram before visiting our website.

Further information can be found in Instagram's privacy policy at this link.

8. Links

Our website may contain links to third-party websites over whose content we have no control and for which we assume no responsibility or liability. This third party may receive from your browser, in addition to other data, the information from which page you came to them. The third party is solely responsible for this data.

9. Deletion of Data

Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also occur if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Blocking or deletion of data also occurs when a storage period prescribed by the aforementioned standards expires, unless there is a requirement for further storage of the data for the conclusion or fulfillment of a contract.

10. Data Subject Rights

You have the right:

• according to Art. 15 GDPR to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected from us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about their details;
• according to Art. 16 GDPR to request the immediate correction of incorrect or completion of your personal data stored with us;
• according to Art. 17 GDPR to request the deletion of your personal data stored with us, unless processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
• according to Art. 18 GDPR to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful but you refuse its deletion and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
• according to Art. 20 GDPR to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request the transfer to another controller;
• according to Art. 7 Para. 3 GDPR to revoke your consent to us at any time. This has the consequence that we may not continue the data processing based on this consent for the future and
• according to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

11. Right to Object

If your personal data is processed on the basis of consent or legitimate interests in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR.

If you wish to exercise your right of revocation or objection, an email to: datenschutz@outastory.de is sufficient.

12. Data Security

During website visits, we use the widely used SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser. This is usually 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted encrypted by the closed representation of the key or lock symbol in the lower status bar of your browser.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in accordance with technological development.

13. Currency and Amendment of this Privacy Policy

This privacy policy is currently valid and is dated 01.08.2025.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed and printed by you at any time on the website https://outastory.app/datenschutzerklaerung.

This privacy notice applies to data processing by: Outastory GmbH.

1. Name and Contact Details of the Data Controller and the Data Protection Officer

Data controller: Thimo Buchheister, Outastory GmbH, Bemeroder Strasse 67, 30559 Hannover.

Data Protection Officer: Attorney Kai Flatau, Rothenbaumchaussee 150, 20149 Hamburg

You can reach our Data Protection Officer at: 040 35 71 62 73.

Competent data protection authority: The State Commissioner for Data Protection of Lower Saxony

Prinzenstraße 5, 30159 Hannover

Telephone: +49 (0511) 120 45 00

Telefax: +49 (0511) 120 45 99

Email: poststelle@lfd.niedersachsen.de.

2. Collection and Storage of Personal Data and the Nature and Purpose of Their Use

a) When Registering with Outastory

When registering with Outastory for the first time, you provide your personal data

• First name
• Last name
• Address
• Password
• Email

b) During the course of use, we collect, process and store:

• Title and number of read/listened to and current stories
• Number of pages read
• Current page per story (also for AudioStory)
• Current number of paid Bookies
• Preferred genres
• Preferred characters/writers
• Selected ornaments
• Number of posted comments

This data is stored and processed in the cloud in storage space provided by Microsoft. Microsoft is a company based in the USA: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Technical support, including for processing, is provided by threeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

threeB IT has in turn concluded a data processing agreement with Microsoft.

This data remains in this storage for the duration of the usage relationship.

c) You create your own password with which you can log in to the platform.

Additionally, a few metadata items are stored that are necessary to manage and assign the account:

• id (automatically generated unique alphanumeric text to identify the record)
• created (When the account was set up)
• updated (When data was last updated)
• consent (Documentation of consent to the terms of use and privacy policy)

d) OutaStory needs this data to manage and process the usage relationship with you.

In particular, this ensures that you can browse through the stories and continue reading where you previously left off.

We also want to give you personalized recommendations and ensure that you always have sufficient Bookies available.

If you have purchased ornaments, we store them so they can be inserted into the stories.

We would like to recruit members who are engaged in the community as ambassadors. For this purpose, we store the number of posted comments.

The legal basis for processing within the scope of the usage relationship is Art. 6 (1) sentence 1 lit. b GDPR. This allows Outastory to process the data to fulfill the usage contract.

Processing and transmission of your personal data to third parties for purposes other than those listed does not take place unless

• the disclosure is necessary pursuant to Art. 6 (1) sentence 1 lit. f GDPR for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data, or
• there is a legal obligation to disclose pursuant to Art. 6 (1) sentence 1 lit. c GDPR, or
• you have expressly consented to the disclosure.

b) When Visiting the Service Platform

When you access our service platform, information is automatically sent to the server of our service platform by the browser used on your device. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automated deletion:

• IP address of the requesting computer/device (deletion after seven days, unless further storage is required to defend against or eliminate abuse),
• Date and time of access,
• Name and URL of the retrieved file,
• Service platform from which access was made (referrer URL),
• Browser used and, if applicable, the operating system of your computer as well as the name of your access provider.

The aforementioned data is processed by us for the following purposes:

• Ensuring a smooth connection establishment of the service platform,
• Ensuring comfortable use of our service platform,
• Evaluation of system security and stability, and
• for other administrative purposes.

The legal basis for data processing is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about you as a person.

3. Payment Service Providers and E-Commerce

Payment Services

We integrate payment services from third-party companies. If you make a purchase with us, your payment data (e.g., name, payment amount, account details, credit card number) will be processed by the payment service provider for the purpose of payment processing. The respective contractual and privacy terms of the respective providers apply to these transactions. The use of payment service providers is based on Art. 6 (1) lit. b GDPR (contract processing) as well as in the interest of the smoothest, most comfortable and secure payment process possible (Art. 6 (1) lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 (1) lit. a GDPR is the legal basis for data processing; consents can be revoked at any time for the future.

We use the following payment services / payment service providers within this website:

PayPal

The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal").

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.

For details, see PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Stripe

The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe").

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://stripe.com/de/privacy and https://stripe.com/de/guides/general-data-protection-regulation.

You can read details about this in Stripe's privacy policy at the following link: https://stripe.com/de/privacy.

Mastercard

The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter "Mastercard").

Mastercard may transmit data to its parent company in the USA. Data transfer to the USA is based on Mastercard's Binding Corporate Rules. Details can be found here: https://www.mastercard.de/de-de/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.

VISA

The provider of this payment service is Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter "VISA").

The United Kingdom is considered a safe third country under data protection law. This means that the United Kingdom has a level of data protection equivalent to that in the European Union.

VISA may transfer data to its parent company in the USA. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html.

Further information can be found in VISA's privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.

E-Commerce

If you order goods/services from us, we pass on your personal data to the transport company entrusted with delivery and to the payment service provider commissioned with payment processing. Only such data is disclosed that the respective service provider needs to fulfill its task. The legal basis for this is Art. 6 (1) lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. If you have given appropriate consent pursuant to Art. 6 (1) lit. a GDPR, we will pass on your email address to the transport company entrusted with delivery so that it can inform you by email about the shipping status of your order; you can revoke your consent at any time.

Data Transfer in Connection with Contract Conclusion for Services and Digital Content

We only transmit personal data to third parties if this is necessary within the framework of contract processing, for example to the credit institution commissioned with payment processing.

Further transmission of data does not take place or only if you have expressly consented to the transmission. Your data will not be passed on to third parties without express consent, for example for advertising purposes.

The basis for data processing is Art. 6 (1) lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Credit Checks

In the case of a purchase on account or another payment method where we make advance payment, we may carry out a credit check procedure (scoring). For this purpose, we transmit your entered data (e.g., name, address, age or bank details) to a credit agency. Based on this data, the probability of payment default is determined. If there is an excessive payment default risk, we can refuse the relevant payment method.

The credit check is carried out on the basis of contract fulfillment (Art. 6 (1) lit. b GDPR) as well as to avoid payment defaults (legitimate interest according to Art. 6 (1) lit. f GDPR). If consent has been obtained, the credit check is carried out on the basis of this consent (Art. 6 (1) lit. a GDPR); consent can be revoked at any time.

4. Cookies

We use cookies on our site. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, trojans or other malware.

Information is stored in the cookie that results in each case in connection with the specifically used device. However, this does not mean that we thereby obtain direct knowledge of your identity.

The use of cookies serves, on the one hand, to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after leaving our site.

Furthermore, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a specific defined period. If you visit our site again to use our services, it is automatically recognized that you have already been with us and what inputs and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you (see section 4). These cookies enable us to automatically recognize that you have already been with us when you visit our site again. These cookies are automatically deleted after a respectively defined time.

The data processed by cookies are required for the purposes mentioned to protect our legitimate interests as well as those of third parties pursuant to Art. 6 (1) sentence 1 lit. f GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a notice always appears before a new cookie is created. However, the complete deactivation of cookies may result in you not being able to use all the functions of our website.

5. Email Contact

The general email address of Outastory GmbH is published on our website.

Contact via the provided email address is possible. In the event of contact, the personal data of the user transmitted with the email will be stored.

As a general rule, the data is not passed on to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for processing the data transmitted in the course of sending an email is Art. 6 (1) lit. f GDPR.

If the email contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) lit. b GDPR.

The processing of personal data from the sent email serves us solely to process the contact. This also constitutes the required legitimate interest in the processing of the data.

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

6. Analysis Tools

The tracking measures listed below and used by us are carried out on the basis of Art. 6 (1) sentence 1 lit. f GDPR. With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.

The respective data processing purposes and data categories can be found in the corresponding tracking tools.

a) Google Analytics

For the purpose of statistical evaluation, we obtain information about your use of our website in order to improve our website and its functionalities on this basis. However, no personal data whatsoever is transmitted or stored by which you can be identified as a user.

For these purposes, we use on our website the analysis tool Google Analytics provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA ("Google"). This tool supports us in analyzing traffic to and on our website. For this purpose, Google collects information about your dwell time and your interaction with our website as well as your IP address based on page views. This data is evaluated by Google to create reports that may include statements about your dwell time, approximate geographical origin, origin of visitor traffic, exit pages and usage sequences, among other things.

In Google Analytics, interactions by you as a visitor to our website are primarily recorded using cookies. These cookies are used to store non-personal data and are not made accessible across domains in browsers.

Information that Google generates through the use of cookies about your use of our website is regularly transmitted to data centers in the USA and stored there in anonymized form. Our website uses the IP address anonymization provided by Google for this purpose. The IP anonymization function in Google Analytics sets the last octet for your IPv4 IP address and the last 80 bits for IPv6 addresses to zero in memory shortly after they are sent to the Google Analytics data collection network for collection. The full IP address is therefore never written to disk. This function ensures the anonymization of your IP address before storage and processing within the framework of Google Analytics, so that a clear identifiability of your person by Google is excluded.

b) Google reCaptcha

To better protect our website from fraudulent activities such as scraping, credential stuffing and automated account creation, we use Google's reCaptcha system.

reCAPTCHA is a captcha service that has been operated by Google LLC since 2009. It attempts to distinguish whether a particular action on the Internet is performed by a human or by a computer program or bot.

When someone interacts with our website, reCAPTCHA collects data about their behavior, such as keyboard input, mouse movement and timing, as well as browser history. The script communicates with Google's server using a secret key to encrypt the communication.

c) Google Fonts

Google Fonts offers the option to use different fonts on our website without having to upload them to our server. In this case, when a user accesses the website, the fonts are loaded from a Google server. This external call results in user data being transmitted to Google:

• Which browser you use
• that you visit our website
• the operating system you use
• the screen resolution of your computer
• your IP address as well as
• the language settings of your browser.

The transfer of your data to Google Inc. takes place on the basis of the Trans-Atlantic Data Privacy Framework between the EU and the USA, which grants the USA a level of protection equivalent to the regulations within the EU.

Google Inc. is a certified company within the meaning of the Framework.

Further information on data protection in connection with Google can be found, for example, in the Google Analytics help at this link.

7. sendinblue GmbH

Outastory uses the Brevo system from sendinblue GmbH, Köpeniker Strasse 126, 10179 Berlin, www.brevo.com, for sending emails (e.g., for sending new access data).

Technical support, including for handling email traffic, is provided by ThreeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

Since personal data from you could also be sent in the process, we have concluded a data processing agreement with ThreeB IT.

ThreeB IT has in turn concluded a data processing agreement with seninblue GmbH.

TÜV Rheinland has confirmed to sendinblue GmbH that the technical and organizational measures for data processing meet the requirements of the GDPR.

7. Deletion of Data/Duration of Storage

Personal data will be deleted or blocked as soon as the exclusive soft opening phase ends. Storage may also occur beyond this if this was provided for by the European or national legislator in Union law regulations, laws or other provisions to which we are subject; this is the case insofar as statutory retention periods exist, in particular within the framework of the retention periods pursuant to § 147 German Fiscal Code (AO), which provides for a storage period for business letters including emails of ten years, as well as within the framework of § 257 German Commercial Code (HGB), which provides for a retention obligation of six years in particular for contracts. Legal basis: Art. 6 (1) sentence 1 lit. c GDPR (legal obligation).

Your personal data may also be stored to preserve evidence for the assertion of or defense against legal claims within the framework of the statutes of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years. The regular limitation period begins at the end of the year in which the claim arose and the creditor obtained or should have obtained knowledge of the circumstances giving rise to the claim and the identity of the debtor without gross negligence. Legal basis: Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest: assertion, exercise or defense of or against legal claims).

Data will also be blocked or deleted if a storage period prescribed by the aforementioned norms expires, unless there is a requirement for further storage of the data for conclusion or fulfillment of a contract.

If you wish to continue using Outastory after the pre-opening phase ends, your already stored data will be transferred.

If, on the other hand, you do not wish to continue using Outastory, your data including the uploaded stories will be deleted.

8. Data Subject Rights

You have the right:

• pursuant to Art. 15 GDPR to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected from us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• pursuant to Art. 16 GDPR to request the immediate rectification of incorrect or completion of your personal data stored by us;
• pursuant to Art. 17 GDPR to request the deletion of your personal data stored by us, unless processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
• pursuant to Art. 18 GDPR to request restriction of the processing of your personal data, insofar as the accuracy of the data is contested by you, the processing is unlawful but you refuse its deletion and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing pursuant to Art. 21 GDPR;
• pursuant to Art. 20 GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request transmission to another controller;
• pursuant to Art. 7 (3) GDPR to revoke your once given consent to us at any time. This has the consequence that we may not continue the data processing based on this consent for the future and
• pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

9. Right to Object

If your personal data is processed on the basis of consent or legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR.

If you wish to exercise your right of revocation or objection, an email to: datenschutz@outastory.de. is sufficient.

10. Data Security

We use the widespread SSL (Secure Socket Layer) procedure in connection with the highest encryption level supported by your browser when visiting the service platform. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can recognize whether an individual page of our website is transmitted encrypted by the closed display of the key or lock symbol in the lower status bar of your browser.

Furthermore, we use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in accordance with technological developments.

11. Currency and Amendment of this Privacy Policy

This privacy policy is currently valid and dated 01.08.2025.

Due to the further development of our service platform and offers via it or due to changed legal or official requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed and printed out by you at any time on the service platform at https://outastory.app/datenschutzerklaerung.

This privacy information applies to data processing by: OutaStory GmbH.

1. Name and Contact Details of the Data Controller and the Data Protection Officer

Data Controller: Thimo Buchheister, OutaStory GmbH, Bemerderoder Strasse 67, 30559 Hannover.

Data Protection Officer: Attorney Kai Flatau, Rothenbaumchaussee 150, 20149 Hamburg

You can reach our Data Protection Officer at: 040 35 71 62 73.

Competent Data Protection Authority: The State Commissioner for Data Protection Lower Saxony

Prinzenstraße 5, 30159 Hannover

Phone: +49 (0511) 120 45 00

Fax: +49 (0511) 120 45 99

Email: poststelle@lfd.niedersachsen.de.

2. Collection and Storage of Personal Data as well as Type and Purpose of its Use

a) When Registering with OutaStory

When first registering with OutaStory, you provide your personal data:

• First name
• Last name
• Username
• Email

The data is stored at OutaStory in a separate database.

In addition, minimal metadata is stored that is necessary to manage and assign the account:

• id (automatically generated, unique alphanumeric text for identifying the data record)
• created (When the account was created)
• updated (When data was last updated)
• consent (Documentation of consent to the terms of use and privacy policy)

OutaStory needs this data to establish and process the user relationship with you.

We also store which stories you have posted, how many pages the stories have, and when you published a story.

We need this data to manage the user relationship with you.

This data is stored and processed in the cloud in storage space of Microsoft. Microsoft is a company based in the USA: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Technical support is provided by ThreeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

ThreeB IT in turn has concluded a data processing agreement with Microsoft.

Your data will be stored as long as this user relationship exists with us or we need the data to process this user relationship.

The legal basis for processing within the scope of the user relationship is Art. 6 Para. 1 S.1 lit. b GDPR. This allows OutaStory to process the data to fulfill the user agreement.

Processing and transmission of your personal data to third parties for purposes other than those listed does not take place, unless

• the disclosure is necessary according to Art. 6 Para. 1 S. 1 lit. f GDPR for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data, or
• there is a legal obligation for the disclosure according to Art. 6 Para. 1 S. 1 lit. c GDPR, or
• you have expressly consented to the disclosure.

b) When Visiting the Service Platform

When accessing our service platform, information is automatically sent to the server of our service platform by the browser used on your device. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automated deletion:

• IP address of the requesting computer/device (deletion after seven days, unless further storage is required to prevent or eliminate abuse),
• Date and time of access,
• Name and URL of the retrieved file,
• Service platform from which access is made (referrer URL),
• Browser used and, if applicable, the operating system of your computer as well as the name of your access provider.

The mentioned data is processed by us for the following purposes:

• Ensuring smooth connection establishment of the service platform,
• Ensuring comfortable use of our service platform,
• Evaluation of system security and stability, and
• for other administrative purposes.

The legal basis for data processing is Art. 6 Para. 1 S.1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your person.

3. Registration

a) After accessing the website OutaStory.App, you will be asked to enter your personal data. This data is stored in the cloud in storage space of ionos. Ionos is a company based in Germany whose servers are located in Germany (IONOS SE, Elgendorfer Str. 57, 56410 Montabaur).

Technical support is provided by ThreeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

ThreeB IT in turn has concluded a data processing agreement with ionos.

This data remains in this storage for the duration of the contractual relationship.

b) At the same time, you create your own password with which you can log in to the platform.

You can also store a pseudonym under which you want to publish your stories.

c) After registration, you can place your stories on the platform. For this process, we use the WordPress system from ionos. You send us the stories via email.

Email delivery is done via the Brevo system of sendinblue GmbH, Köpeniker Strasse 126, 10179 Berlin, www.brevo.com.

See section 7 below.

c) The transmitted stories are also stored in storage of ionos.

d) The sent emails are stored for security purposes.

d) The submission of the completed registration is stored with date, time and IP address.

e) In order to identify who/which story was posted on the platform, we link your data with your stories.

The legal basis for processing within the scope of the user relationship is Art. 6 Para. 1 S.1 lit. b GDPR. This allows OutaStory to process the data to fulfill the user agreement.

4. Cookies

We use cookies on our site. These are small files that your browser automatically creates and which are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device, do not contain viruses, Trojans or other malware.

Information is stored in the cookie that relates to the specific device used. However, this does not mean that we directly gain knowledge of your identity.

The use of cookies serves, on the one hand, to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after leaving our site.

Furthermore, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a specific defined period. If you visit our site again to use our services, it is automatically recognized that you have already been with us and what entries and settings you have made, so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you (see section 4). These cookies enable us to automatically recognize when you visit our site again that you have already been with us. These cookies are automatically deleted after a defined time.

The data processed by cookies is necessary for the stated purposes to protect our legitimate interests as well as those of third parties according to Art. 6 Para. 1 S. 1 lit. f GDPR.

Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a notice always appears before a new cookie is created. However, complete deactivation of cookies may result in you not being able to use all functions of our website.

5. Email Contact

The general email address of OutaStory GmbH is published on our website.

Contact via the provided email address is possible. In case of contact, the personal data of the user transmitted with the email will be stored.

In principle, there is no disclosure of data to third parties in this context. The data is used exclusively for processing the conversation.

The legal basis for processing data transmitted in the course of sending an email is Art. 6 Para. 1 lit. f GDPR.

If the email contact aims at concluding a contract, the additional legal basis for processing is Art. 6 Para. 1 lit. b GDPR.

Processing personal data from the sent email serves us solely for handling the contact. This is also the required legitimate interest in processing the data.

The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection.

6. Analysis Tools

The tracking measures listed below and used by us are carried out on the basis of Art. 6 Para. 1 S. 1 lit. f GDPR. With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you. These interests are to be considered legitimate within the meaning of the aforementioned regulation.

The respective data processing purposes and data categories can be found in the corresponding tracking tools.

a) Google Analytics

For the purpose of statistical evaluation, we obtain information about your use of our website in order to improve our website and its functionalities on this basis. However, no personal data is transmitted or stored by which you can be identified as a user.

Furthermore, we create evaluations about the use of the stories. With this data, we can, for example, settle advertising funds with you.

In addition, we can make the data available to you so that you can check the success of the stories.

For these purposes, we use the analysis tool Google Analytics provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA ("Google") on our website. This tool supports us in analyzing the traffic to and on our website. For this purpose, Google collects information about your dwell time and your interaction with our website as well as your IP address based on page views. This data is evaluated by Google to create reports that may include statements about your dwell time, approximate geographical origin, origin of visitor traffic, exit pages and usage patterns.

In Google Analytics, interactions from you as a visitor to our website are primarily recorded using cookies. These cookies are used to store non-personal data and are not made accessible across domains in browsers.

Information that Google generates through the use of cookies about your use of our website is regularly transmitted to data centers in the USA and stored there anonymously. Our website uses the IP address anonymization provided by Google for this purpose. The IP anonymization function in Google Analytics sets the last octet of your IPv4 IP address and the last 80 bits of IPv6 addresses to zero in memory shortly after they are sent to the Google Analytics data collection network. The complete IP address is therefore never written to disk. This function ensures the anonymization of your IP address before storage and processing within Google Analytics, so that unique identification of your person by Google is excluded.

b) Google reCaptcha

To better protect our website from fraudulent activities such as scraping, credential stuffing and automated account creation, we use Google's reCaptcha system.

reCAPTCHA is a Captcha service that has been operated by Google LLC since 2009. It attempts to distinguish whether a particular action on the Internet is performed by a human or by a computer program or bot.

When someone interacts with our website, reCAPTCHA collects data about their behavior, such as keyboard input, mouse movement and timing, and browsing history. The script communicates with Google's server using a secret key to encrypt communication.

c) Google Fonts

Google Fonts offers the option to use various fonts on our website without having to upload them to our server. In this case, when a user accesses the website, the fonts are reloaded via a Google server. This external call causes user data to be transferred to Google:

• Which browser you use
• that you visit our website
• the operating system you use
• the screen resolution of your computer
• your IP address, and
• the language settings of your browser.

The transfer of your data to Google Inc. is based on the Trans-Atlantic Data Privacy Framework between the EU and the USA, which grants the USA a level of protection equivalent to the regulations within the EU.

Google Inc. is a certified company within the meaning of the Framework.

Further information on data protection in connection with Google can be found in the Google Analytics Help at this link.

7. sendinblue GmbH

OutaStory uses the Brevo system of sendinblue GmbH, Köpeniker Strasse 126, 10179 Berlin, www.brevo.com, for sending emails (e.g. for sending new access data).

Technical support, including for handling email traffic, is provided by ThreeB IT GmbH, Bergstrang 105, 49479 Ibbenbüren.

Since personal data from you could also be sent in the process, we have concluded a data processing agreement with ThreeB IT.

ThreeB IT in turn has concluded a data processing agreement with sendinblue GmbH.

TÜV Rheinland has confirmed to sendinblue GmbH that the technical and organizational measures for data processing meet the requirements of the GDPR.

8. Deletion of Data/Storage Period

Personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also occur if this was provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject; this is the case insofar as statutory retention periods exist, in particular within the scope of retention periods according to § 147 Tax Code (AO), which provides for a storage period for business letters including emails of ten years, as well as within the scope of § 257 HGB, which provides for a retention obligation of six years, particularly for contracts. Legal basis: Art. 6 Para. 1 S. 1 lit. c GDPR (legal obligation).

Your personal data may also be stored to preserve evidence for the assertion of or defense against legal claims within the scope of statutes of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years. The regular limitation begins at the end of the year in which the claim arose and the creditor gained or should have gained knowledge of the circumstances giving rise to the claim and the person of the debtor without gross negligence. Legal basis: Art. 6 Para. 1 S. 1 lit. f GDPR (legitimate interest: assertion, exercise or defense of or against legal claims).

Blocking or deletion of data also occurs when a storage period prescribed by the aforementioned norms expires, unless there is a need for further storage of the data for a contract conclusion or contract fulfillment.

If you want to continue using OutaStory after the completion of the pre-opening phase, your already stored data will be transferred.

If, on the other hand, you do not want to continue using OutaStory, your data including the posted stories will be deleted, unless we still need individual data for billing purposes.

9. Data Subject Rights

You have the right:

• according to Art. 15 GDPR to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected from us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• according to Art. 16 GDPR to request the immediate correction of incorrect or completion of your personal data stored with us;
• according to Art. 17 GDPR to request the deletion of your personal data stored with us, unless processing is necessary for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for asserting, exercising or defending legal claims;
• according to Art. 18 GDPR to request the restriction of processing of your personal data, insofar as you dispute the accuracy of the data, processing is unlawful but you refuse deletion and we no longer need the data, but you need it for asserting, exercising or defending legal claims, or you have lodged an objection to processing according to Art. 21 GDPR;
• according to Art. 20 GDPR to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller;
• according to Art. 7 Para. 3 GDPR to revoke your once given consent to us at any time. As a result, we may no longer continue the data processing based on this consent for the future, and
• according to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.

10. Right to Object

If your personal data is processed on the basis of consent or legitimate interests according to Art. 6 Para. 1 S. 1 lit. f GDPR, you have the right to object to the processing of your personal data according to Art. 21 GDPR.

If you wish to exercise your right of revocation or objection, an email to: datenschutz@OutaStory.de is sufficient.

11. Data Security

When visiting the service platform, we use the widespread SSL (Secure Socket Layer) procedure in connection with the highest encryption level supported by your browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. Whether an individual page of our website is transmitted encrypted can be recognized by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

12. Validity and Amendment of this Privacy Policy

This privacy policy is currently valid and dated 01.08.2025.

Due to the further development of our service platform and offers or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed and printed at any time on the service platform at https://OutaStory.app/datenschutzerklaerung.