Life – Privacy Policy

Effective date: 17 June 2026

1. Introduction & scope

This Privacy Policy explains how axxtas GmbH (“axxtas”, “we”, “us”, “our”) processes personal data in connection with the Life mobile application for iOS (the “App”), the associated website at life.axxtas.com and any related backend services (together, the “Service”).

Life is an AI-powered productivity assistant that helps users capture, categorise and schedule tasks, events and routines across their social, work and school life.

As a German limited liability company, we comply in particular with:

• the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”);

• the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”);

• the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, “TDDDG” / formerly TTDSG), in particular § 25 on accessing or storing information on user devices;

• the United Kingdom General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”), where you are in the UK;

• the revised Swiss Federal Act on Data Protection (“revFADP”), where you are in Switzerland;

• the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, and others as enacted), where you are in the United States;

• the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”), where you are in Australia.

This Policy supplements, but does not replace, our Terms of Service and any in-app or jurisdiction-specific notices we may provide.

2. Data controller

The data controller within the meaning of Art. 4(7) GDPR (and the equivalent definition under the UK GDPR, revFADP and the Australian Privacy Act) for processing carried out through the Service is:

axxtas GmbH

Augustenweg 5

82140 Olching

Germany

E-mail: hello@axxtas.com

Telephone: +49 8142 44 87 973

axxtas GmbH is registered in the Commercial Register (Handelsregister) of the Local Court of Munich (Amtsgericht München). For corporate identifiers and our managing directors, please see the Legal Notice / Impressum.

3. Definitions

Personal data: any information relating to an identified or identifiable natural person.

Processing: any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

Controller: the entity that determines the purposes and means of processing — here, axxtas GmbH.

Processor / Subprocessor: a third party that processes personal data on behalf of the controller (e.g. our cloud hosting provider).

You / User: the natural person who installs, registers for or uses the Service.

4. Personal data we process

We only process personal data that is necessary to provide the Service, manage your account, deliver the features you use, fulfil our contractual and legal obligations, and protect the Service against abuse. The categories below describe what we may collect.

4.1 Account & identity data

A unique account identifier created when you sign up.

Mobile phone number used to sign in via phone OTP. We do not offer e-mail/password sign-up and we do not store user e-mail addresses.

Display name, optional username (used to find and add friends) and optional profile photo.

Authentication tokens and basic account timestamps.

Phone-number verification status.

4.2 Productivity & calendar data (the content you create or import)

The tasks, events, routines, weekly goals and AI to-do instructions you create in the App, together with the metadata required to display, schedule and re-schedule them.

If you enable calendar sync (see §4.10), the event details imported from your device calendar — including event titles, notes and start/end times — for the calendars you select.

4.3 Preferences & lifestyle data

The preferences and lifestyle settings you configure in the App, such as your time-zone, sleep schedule, time budgets per category, free-time interests and reminder channel preferences.

4.4 AI memory & conversation data

Short user-authored "memory items" that you choose to save so the AI can personalise its replies.

Recent in-app chat turns held in memory during a session to keep context (not retained as long-term chat history).

4.5 Social-graph data (only if you use social features)

Friend requests, confirmed friendships and any "keep-in-touch" cadence settings you configure.

Users you have blocked and reports you submit about other users (kept for safety and abuse-prevention purposes).

Your username and profile photo are considered public and are visible to every user of the Service (e.g. so other users can find and add you as a friend). Your display name is visible to users you connect with through these features.

4.6 Subscription & entitlement data

Your subscription tier and entitlement information received from RevenueCat and the App Store, together with a pseudonymous RevenueCat App User ID linked to your account.

Aggregate usage records of AI features (e.g. token / credit counts) used to enforce monthly limits and prevent abuse. We do not store the prompt or response text in the credit ledger.

We do not receive your full payment card or bank details. Payments are handled by Apple and RevenueCat — see §14.

4.7 Location data (only on demand)

If you grant the iOS location permission and request a weather-aware suggestion, we use your approximate coarse coordinates (latitude/longitude) only to fetch local weather information from WeatherAPI.com.

We do not persist your coordinates and we do not track your location in the background.

4.8 Device, technical & log data

Device platform (iOS), operating-system version, app version and build, device language and locale.

A push notification token and a per-app device identifier (Apple identifierForVendor) used to deliver reminders and notifications via the Apple Push Notification service.

Crash and performance diagnostics emitted by the operating system and the Apple App Store frameworks (subject to your platform-level settings).

Server-side logs containing minimal, non-sensitive metadata (e.g. timestamps, anonymised request identifiers, error / exception data). We do not log your AI prompt or chat content.

App-attestation tokens generated on your device by Apple DeviceCheck / App Attest, used by Firebase App Check to verify that requests come from a genuine, unmodified instance of the App.

The Internet Protocol (IP) address from which you connect (processed transiently by our hosting and infrastructure providers, e.g. for routing, rate-limiting and abuse detection).

4.9 Advertising data

We do not display advertising in the App. We do not use Google AdMob or any other advertising network, and we do not collect or process advertising identifiers (Apple IDFA).

4.10 Device calendar (only if you enable calendar sync)

If you enable calendar sync and grant the iOS calendar permission, the App accesses your device (Apple) calendar to import your events and help you avoid scheduling conflicts.

When enabled, we import event details — including titles, notes and start/end times — from the calendars you select into the Service, and keep them in sync through a periodic background refresh (approximately every 15 minutes) while the feature remains enabled.

When you choose to export Life events to your device calendar, the App creates the corresponding entries in your device calendar.

The App accesses your device calendar only after you enable calendar sync and grant the operating-system calendar permission, and you can disable calendar sync at any time in the App.

4.11 What we do not collect

We do not access your device address book, contacts, microphone, camera roll (other than the single image you actively pick as a profile photo) or motion sensors.

We do not maintain a web-analytics tracker or marketing-analytics SDK (no Mixpanel, Amplitude, Segment, PostHog, Sentry, etc. are integrated as of the effective date of this Policy).

We do not knowingly collect any “special categories” of personal data (Art. 9 GDPR, e.g. health, religion, biometric data) and we ask that you do not voluntarily put such information into your tasks, memory items or chat messages.

5. Sources of data

We obtain personal data from the following sources:

From you directly: when you sign up, configure preferences, create tasks/events/routines, save AI memory items, send chat messages, configure friends, or contact us.

Automatically from your device: when the App connects to our backend (technical and log data, App Check tokens, optional location).

From partners: when Apple or RevenueCat confirm a purchase or subscription status; when other Life users invite you, send you a friend request, or interact with you within the social features.

6. Purposes & legal bases (GDPR Art. 6)

Where the GDPR or the UK GDPR applies, we rely on the following legal bases. Where the revFADP applies, we process data in line with the principles of lawfulness, good faith and proportionality (Art. 6 revFADP); the table below also describes the corresponding purpose under Swiss law.

Purpose Categories of data Legal basis (GDPR)

Creating and authenticating your account, phone verification, signing you in. Account & identity data, technical data. Art. 6(1)(b) — performance of contract.

Providing the core scheduling, AI chat, routine and reminder features (storing your tasks, generating “My Day”, sending the reminders you set). Productivity & calendar data, preferences, AI memory, technical data. Art. 6(1)(b) — performance of contract.

Operating the social features (friends, keep-in-touch, blocking) at your request. Social-graph data, account data. Art. 6(1)(b) — performance of contract.

Managing subscriptions, entitlements and AI usage limits. Subscription data, usage / token records. Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligation (tax / accounting record-keeping).

Security, fraud prevention, abuse handling, App Check / App Attest attestation, rate limiting, moderation of reports. Technical & log data, App Check tokens, IP address, report data. Art. 6(1)(f) — legitimate interests (operating a secure, abuse-free Service).

Providing customer support and answering your messages. Contact data, the content of your message. Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest in handling user requests.

Complying with legal obligations (tax law, responding to lawful requests by authorities, fulfilling deletion / access requests). All relevant categories. Art. 6(1)(c) — legal obligation.

Establishing, exercising or defending legal claims. All relevant categories. Art. 6(1)(f) — legitimate interest; Art. 9(2)(f) — where applicable.

You can object to processing based on Art. 6(1)(f) GDPR at any time on grounds relating to your particular situation (see §16).

7. AI processing & automated decisions

Life uses generative AI to help you plan your day. Specifically, Anthropic's Claude family of models is invoked through our backend when you:

send a message in the in-app AI chat;

request an AI suggestion or auto-schedule;

run the “My Day” daily organiser.

The data sent to Anthropic's Claude API as part of these requests typically includes the message you wrote, a short summary of your recent calendar / routine state, the relevant AI memory items, your time-zone, and (if you have enabled it) the local weather. The response is returned, displayed to you, and may, with your confirmation, create or modify entries in your calendar.

Anthropic's Claude API is used by us under Anthropic's commercial terms. Under those terms Anthropic does not use the prompts and responses we submit through its commercial API to train, fine-tune or improve its models, and retains such data only for a limited period for safety and abuse-monitoring purposes, as described in Anthropic's documentation. For details see the Anthropic Commercial Terms of Service and Anthropic's Privacy Policy.

Automated individual decision-making (Art. 22 GDPR). AI suggestions, reminders, weekly auto-schedules and the “My Day” plan are support tools: they reorganise and propose entries on your own calendar, you can always accept, edit or reject them, and they do not produce legal or similarly significant effects on you. We do not use your data for credit scoring, pricing personalisation, profiling for advertising purposes, or any other automated decision producing such effects.

8. Recipients & subprocessors

We share personal data only with the recipients listed below, only to the extent strictly necessary for the purpose, and on the basis of a written data-processing agreement (Art. 28 GDPR) where required.

8.1 Other users of the Service

Your username and profile photo are public within the App and are visible to every user of the Service (so other users can find and add you).

When you use a social feature, the following additional information becomes visible to the people you connect with:

• your display name;

• the existence of friend / keep-in-touch relationships you confirm with them;

any keep-in-touch cadence the two of you mutually configure.

Your tasks, events, routines, AI memory, sleep schedule and chat messages are private to you and are never shared with other Life users.

8.2 Subprocessors

Provider Purpose Processing locations References

Google Ireland Limited / Google LLC — Firebase (Authentication, Database, Backend Functions, Storage, Logging, App Check, Hosting) Hosting our backend; storing your account and content; verifying that requests come from a genuine App instance. Primarily EU (Frankfurt, Germany). Some platform-level signals (e.g. App Check) may be processed globally. Firebase Privacy · Google Cloud DPA

Anthropic, PBC Generating AI replies, suggestions and auto-schedules via the Claude API. United States. Privacy Policy · Commercial Terms

RevenueCat, Inc. Managing in-app subscriptions, entitlements and reconciling Apple purchases. United States (with global CDN edges). Privacy Policy · DPA · GDPR overview

WeatherAPI.com (TutorialsPanel Ltd) Returning current weather for the coordinates you provide when you ask the assistant for weather-aware suggestions. United Kingdom. Privacy Policy

Apple Inc. — App Store, StoreKit, Sign in with Apple (if used in future), Apple Push Notification service, DeviceCheck / App Attest Distributing the iOS app, processing iOS in-app purchases, attesting genuine app instances. United States and EU. Privacy

Expo / Expo Application Services (650 Industries, Inc.) Providing the build / over-the-air update infrastructure used to publish the App. United States. Privacy

We may add or change subprocessors from time to time. The authoritative list is the one in this Policy at any given moment; material changes will be reflected in the version history at the top of the page.

8.3 We do not sell or “share” your data

We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA (see §18). We do not disclose data to data brokers or social-media platforms for marketing purposes.

8.4 Other disclosures

We may disclose personal data:

• to professional advisors (lawyers, accountants, auditors) bound by confidentiality, where necessary;

• to courts, regulators, supervisory authorities or law-enforcement agencies, where required by law or to defend legal claims; and

• to a successor entity in the context of a merger, acquisition or business reorganisation, subject to confidentiality.

9. International data transfers

We host the core of the Service in the European Union (Frankfurt, Germany — Google Cloud region europe-west3). Some of our subprocessors are located outside the European Economic Area (“EEA”), the United Kingdom or Switzerland — in particular in the United States.

For these transfers we rely on the following safeguards:

EU–US Data Privacy Framework (and its UK and Swiss extensions) where the recipient is self-certified and the transfer is covered by an applicable adequacy decision — including for transfers to Google LLC and others on the active DPF list.

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented where necessary with additional technical and organisational measures (encryption in transit and at rest, access controls, regional data residency).

UK International Data Transfer Addendum issued by the Information Commissioner's Office, for transfers originating in the UK.

Swiss data-protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), for transfers originating in Switzerland.

You can request a copy of, or further information about, the safeguards in place by contacting hello@axxtas.com.

10. Data retention

We keep personal data only as long as necessary for the purpose for which it was collected, plus any period required by applicable law. Indicative retention periods:

Data category Retention

Account & identity data For the lifetime of your account; deleted within 30 days of an account-deletion request, except where retention is required by law.

Productivity & calendar data, routines, weekly flex items, AI memory items Until you delete the item or your account.

In-app AI chat history Not retained as a permanent log; only the recent turns of the current session are kept in memory to maintain context.

Subscription & entitlement records For the lifetime of the subscription, plus the statutory tax / accounting period (under § 147 of the German Fiscal Code, generally up to 10 years for relevant accounting documents).

Credit / token usage ledger Up to 24 months for fraud-prevention, billing and audit purposes.

Server logs (cloud function logs) Up to 30 days for routine logs; up to 12 months for security-relevant events.

Reports about other users (moderation) Up to 24 months after closure of the report, to enable us to detect repeat offences. Reports submitted by you are deleted when you delete your account; reports about you may be retained as part of the moderation audit trail.

Backups Encrypted backups are rotated; deletion from backups occurs within the normal backup-rotation cycle (typically 35 days).

11. Security of processing

We implement appropriate technical and organisational measures under Art. 32 GDPR, including:

encryption in transit and at rest;

strict access rules so that personal data is only accessible to the authenticated user it belongs to or to authorised backend processes;

Firebase App Check (DeviceCheck / App Attest) to block requests from non-genuine clients;

rate limiting and abuse-prevention measures;

least-privilege access controls and audit logging within our team;

multi-factor authentication on administrative accounts;

regular dependency and security review;

secure secret management for third-party credentials (never embedded in the App).

12. Cookies, SDKs & local storage

The mobile App does not use HTTP cookies in the classical web sense. It does, however, use device-side storage and SDKs that access information stored on or sent from your device. Where access to or storage of information on your device is not strictly necessary to provide the Service you have requested, we ask for your consent in line with § 25 TDDDG and the equivalent UK PECR rules.

The technologies used in the App fall into the following groups:

Strictly necessary: secure authentication tokens, session storage of your sign-in state, App Check tokens, local copies of your tasks and routines (so the App keeps working briefly offline), language preference, locally stored consent choices. These are essential to deliver the Service and do not require consent.

Functional: remembering your time-zone, theme and notification preferences. Used only to operate features you have set up.

The website at life.axxtas.com is purely informational and does not currently use analytics or advertising cookies. Should we add such technologies in the future, we will obtain your consent through a cookie banner before doing so.

13. Advertising

The App does not display advertising. We do not use Google AdMob or any other advertising network, do not collect advertising identifiers (Apple IDFA), and do not engage in marketing tracking, retargeting, or e-mail marketing on the Service.

14. Subscriptions, payments & entitlements

Paid plans are sold and billed by Apple (App Store) on iOS, in accordance with their own terms and privacy policies. We do not see your full payment instrument, billing address or bank details.

We use RevenueCat as our subscription back-end to confirm purchase status, sync entitlements across devices and enforce subscription tiers. RevenueCat receives a pseudonymous App User ID, receipt data from the platform stores and basic device metadata.

For invoices and tax records we comply with German bookkeeping rules (§§ 140 ff., 257 of the German Commercial Code; § 147 of the German Fiscal Code).

15. Children & minors

Life is intended for users aged 16 years and older. We do not knowingly create or maintain accounts for, or knowingly collect personal data from, children under 16 in the EEA, the UK, Switzerland or Australia, and we do not knowingly collect personal data from children under 13 in the United States within the meaning of the Children's Online Privacy Protection Act (COPPA).

Some EU Member States have set a lower digital age of consent under Art. 8 GDPR. In Germany the relevant minimum age remains 16. Where a Member State sets a different threshold, that local rule applies and, where required, parental authorisation is needed for users below the local digital age of consent.

If you believe a person under 16 (or under 13 in the United States) has created a Life account or otherwise provided us with personal data, please contact hello@axxtas.com and we will take steps to delete the account and any associated data.

16. Your rights under the EU & UK GDPR

If you are in the EU, the EEA, the United Kingdom or Switzerland, you have the following rights, subject to the conditions set out in the GDPR / UK GDPR / revFADP:

Right of access (Art. 15 GDPR / Art. 25 revFADP): obtain confirmation of, and a copy of, the personal data we hold about you.

Right to rectification (Art. 16 GDPR / Art. 32 revFADP): have inaccurate or incomplete data corrected.

Right to erasure (Art. 17 GDPR / Art. 32 revFADP — “right to be forgotten”): have your personal data deleted, subject to legal retention obligations.

Right to restriction of processing (Art. 18 GDPR).

Right to data portability (Art. 20 GDPR): receive the data you provided to us in a structured, commonly used, machine-readable format.

Right to object (Art. 21 GDPR / Art. 30(2)(b) revFADP) to processing based on Art. 6(1)(f) (legitimate interests), including profiling.

Right to withdraw consent (Art. 7(3) GDPR) at any time, without affecting the lawfulness of processing performed beforehand.

Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22 GDPR). As described in §7, Life does not engage in such decision-making.

Right to lodge a complaint with a supervisory authority (see §21).

17. Switzerland (revFADP)

If you are in Switzerland, the revised Federal Act on Data Protection (revFADP, in force since 1 September 2023) applies to our processing. Where this Policy refers to the GDPR, an equivalent reading under the revFADP applies. In particular:

You may exercise your right of access under Art. 25 revFADP and your right to rectification, deletion and objection under Arts. 32 ff. revFADP.

You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern, edoeb.admin.ch.

For data transfers from Switzerland to countries without an adequate level of protection, we rely on the Swiss-US Data Privacy Framework (where applicable) or on Standard Contractual Clauses recognised by the FDPIC.

18. United States & California (CCPA/CPRA)

This section provides additional disclosures for users located in the United States and, in particular, California. We are committed to giving you privacy rights consistent with the CCPA/CPRA and comparable laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and other U.S. states as they come into force.

18.1 Notice at Collection (CCPA § 1798.100)

The categories of personal information we collect, the categories of sources, and the business or commercial purposes for which we collect each category are described in §4 (categories of data), §5 (sources) and §6 (purposes) above.

The CCPA categorises personal information as follows. Where a category is collected, the table below summarises our practice:

CCPA category Collected? Disclosed to subprocessors for a business purpose? Sold or “shared”?

A. Identifiers (name, phone, IP address, account ID). Yes. Yes — to the providers in §8.2. No.

B. Customer-records information (Civil Code § 1798.80(e)) — phone number. Yes. Yes — Firebase Auth. No.

F. Internet / network activity (interactions within the App). Yes (limited; no third-party web analytics). Yes — Firebase / Cloud Logging. No.

G. Geolocation (coarse, on-demand, only with permission). Optional. WeatherAPI.com (on demand, not stored). No.

I. Inferences drawn from any of the above. No persistent inferences for advertising profiling. — No.

K. Sensitive personal information (CPRA): precise geolocation, account log-in / password, contents of messages where we are not the intended recipient, etc. Phone number (where used as account log-in factor). For the strictly necessary business purposes in §6. No.

We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. We do not knowingly sell or share the personal information of consumers under 16 years of age.

We do not use sensitive personal information to infer characteristics about you. As a result, the “Limit the Use of My Sensitive Personal Information” right does not change the way we process such information beyond what is described in this Policy.

18.2 Your California rights

Right to know the categories and specific pieces of personal information we have collected about you.

Right to delete personal information we hold about you.

Right to correct inaccurate personal information.

Right to opt out of sale or sharing for cross-context behavioural advertising. We do not engage in such sale / sharing, but you may still send us a request and we will confirm in writing.

Right to limit the use of sensitive personal information.

Right to non-discrimination for exercising any of these rights.

You may exercise these rights free of charge, and you may use an authorised agent. We will verify your request using information already associated with your account (e.g. control of the account phone number). To exercise a right, e-mail hello@axxtas.com with the subject line “California Privacy Request”. If we deny your request, you may appeal by replying to our response within 60 days.

18.3 Other U.S. states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, etc.)

Where another state's privacy law applies, you have substantially similar rights — typically: access, deletion, correction, data portability, opt-out of sale / targeted advertising / certain profiling, and (in some states) the right to appeal. You may exercise these rights through the same contact channel as above.

18.4 “Do Not Track” and Global Privacy Control

Our website honours the Global Privacy Control (GPC) signal as a valid request to opt out of the sale or sharing of personal information by jurisdictions that recognise it. As we do not currently sell or share personal information, this signal does not alter our practices, but we will continue to honour it.

18.5 Shine the Light (California Civil Code § 1798.83)

We do not disclose personal information to third parties for those third parties' own direct-marketing purposes.

19. Australia (Privacy Act 1988 / APPs)

If you are in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply.

APP 1 — open and transparent management of personal information: this Policy is our APP Privacy Policy.

APP 5 — notification of collection: matters covered in §§1, 2, 4, 5, 8 and 9.

APP 6 — use and disclosure: described in §6 and §8.

APP 8 — cross-border disclosure: as described in §9, recipients in the United States and other jurisdictions process personal information on our behalf. By providing personal information you acknowledge that, while we take reasonable steps to ensure overseas recipients comply with the APPs, we may not be accountable under APP 8.1 for acts or practices of those recipients that breach the APPs.

APP 11 — security of personal information: see §11.

APP 12 / 13 — access to and correction of personal information: contact us at hello@axxtas.com.

Notifiable Data Breaches scheme: in the event of an eligible data breach affecting Australian users we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by Part IIIC of the Privacy Act.

You may complain to the OAIC at oaic.gov.au if you consider we have breached the APPs.

20. How to exercise your rights

To exercise any of the rights described above:

Use the in-app controls where available — for example, you can edit your profile, delete tasks, routines or memory items at any time, and you can permanently delete your account from Account > Delete account in the App.

Or write to us at hello@axxtas.com. Please describe your request and the jurisdiction whose rights you are invoking, so we can route it correctly. We may need to verify your identity using the phone number associated with your account.

We will respond within the time limits set by applicable law — generally one month under the GDPR / UK GDPR (extendable by two further months for complex requests) and 45 days under the CCPA (extendable by 45 days). There is no fee for requests; for manifestly unfounded or excessive requests we may charge a reasonable fee or refuse, in line with the law.

21. Supervisory authority & complaints

You may lodge a complaint with a data-protection supervisory authority. The authority competent for axxtas GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18

91522 Ansbach, Germany

www.lda.bayern.de

You may also contact:

• your local EU/EEA supervisory authority (the list is maintained by the European Data Protection Board: edpb.europa.eu);

• in the United Kingdom: the Information Commissioner's Office (ICO), ico.org.uk;

• in Switzerland: the FDPIC (see §17);

• in Australia: the OAIC (see §19).

22. Data Protection Officer & representatives

We have assessed our processing against § 38 BDSG and Art. 37 GDPR and have determined that we are not currently required to appoint a Data Protection Officer. You can nevertheless reach our privacy team at hello@axxtas.com for any privacy matter, and we will respond promptly. If a DPO becomes required, we will appoint one and update this Policy.

As axxtas GmbH is established in the European Union, no representative under Art. 27 GDPR is required for the EU. If a representative is required for the United Kingdom under Art. 27 UK GDPR, we will publish the representative's contact details in this section.

23. Changes to this Policy

We may update this Privacy Policy from time to time, for example to reflect new features, new subprocessors or changes in the law. The version and effective date at the top of the page indicate the current version. For material changes that affect your rights, we will notify you in advance through the App or by another reasonable means before the change takes effect.

24. Contact

For all privacy-related questions, requests and complaints: