1. Introduction

This Privacy Policy explains how Y factor collects, uses, stores, and shares the User’s information, as well as the User’s rights under the EU and UK General Data Protection Regulation (GDPR).

2. Data Controller

Y factor (The Company) is the data controller responsible for the users’ personal data. Users can contact The Company at:

Email: hello@yfactor.app

Address: Y factor Aps (CVR: 44690934), Suomisvej 4, 1927 Frederiksberg C, Denmark

3. The User’s Personal Data

This Privacy Policy applies to Y factor’s processing of personal data when the User:

a) uses Y factor’s Website or interact with The Company

b) uses Y factor’s Services, including downloading the App

c) provides personal data about themselves as part of creating a user account

d) makes a purchase

3.1 The Personal Data Y factor Collects

The Company collects the following data from its users when using the Services.

• Account Information (e.g. name, email, phone number, user type, donation preference, etc.)

• User Content (photos, messages, and other content you upload - see section 3.2)

• Technical Data (IP address, browser type, device identifiers, usage logs)

• Verification Data (identity verification details are processed through Veriff)

• Payment Data (payment details are processed through App Store or Google Play)

The e-mail addresses and names are used to connect users to their accounts. The e-mail address is also used for re-setting passwords if the user has forgotten the password set upon creating the account.

The information will only be stored as long as the User has an active account. The User may delete the account at any time. The User can request their account to be deleted immediately inside the App or by contacting support@yfactor.app.

3.2 User content - The Personal Data That the User Provides

This is the data the User enters themselves when using the Company’s Services. This data includes for example the User’s name, nickname, profile description, photos, email address, phone number, height, weight, eye colour, hair colour, reports the User makes of other users, chat conversations with other users, support conversations, and other content the User uploads.

3.3 Cookies

The Company uses information capsules (cookies) and similar technologies on the Website to collect data about how the Website is used, for example, how many visitors it has, how much time the visitors spend on the Website, and which pages the visitors are interested in when they visit.

The information is used for statistical purposes to enable the Company to better understand what the visitors are interested in. The Company uses this information to continually improve the Website. The information may also be used for online marketing purposes. For example, if the User has visited the Website, the User may later see an advertisement from The Company on a platform that the Company advertises on, for example, Facebook, Instagram, or Google Search.

The collection of the information is based on consent through a cookie banner on the Website, in accordance with GDPR art. 6 (1) a). In the event that a User is not interested in being tracked and targeted by marketing, the User can change their consent in the cookie banner.

The Company uses the following types of cookies:

• Necessary cookies - no consent needed (authentication, security, session management, user preferences etc.)

• Analytics and performance cookies - consent required (Mixpanel)

• Marketing and third-party cookies - consent required (Google Analytics, Meta Pixel, retargeting ads, etc.)

3.4 Other storage in the mobile application

In the App the Company depends on storage through:

• Secure authentication storage to store credentials like passwords, tokens, or authentication keys that users use to log in or verify their identity (e.g., Keychain).

• Local storage for preferences to allow the app to remember the User’s choices and improve the user experience (e.g., AsyncStorage)

• Third-party software development kits (SDKs) store user identifiers or session tokens to provide essential features like analytics, messaging, identity verification, and payments (e.g., Mixpanel, Stream, Veriff, RevenueCat, OneSignal).

4. Purposes for The Company’s processing of the User’s Data

The Company uses the User’s data in order to:

• Provide and improve the Services

• Verify the User’s identity and maintain account security

• Analyse app performance and User behavior (via e.g. Mixpanel, Stream, Sentry)

• Communicate with the User (e.g., customer support, updates)

• Prevent fraud and ensure compliance with legal obligations

The Company has the right to analyse and disclose market statistics which can be based on anonymous data from Y factor users. Y factor never shares identifiable User data with third parties for marketing purposes.

5. Legal Basis for Processing

The Company processes the User’s personal data based on:

• The User’s Consent (e.g., marketing communications, use of user-uploaded photos with prior written consent)

• Contract Performance (e.g., required account details e.g. name, e-mail and user type are necessary for providing the Services to the User)

• Legitimate Interests (e.g., improving the Services, fraud prevention, security)

• Legal Obligations (e.g., compliance with regulatory requirements)

6. Data Retention

The User’s data (incl. personal data) is stored securely on AWS servers in Frankfurt, which comply with GDPR requirements.

The Company retains the User’s data only for as long as necessary to fulfill the purposes outlined in this policy.

Inactive accounts will be automatically deactivated (following notification) after being inactive for 3 months. Deactivated accounts will be automatically deleted (following notification) after being deactivated for 3 years.

After deleting the User’s account (either at the User’s own initiation or as part of the automatic flow), some of the User’s content like chat history, reports of other users, and support e-mails, might be kept. This is necessary in order for the Company to continue to provide its Service to other users. When no longer needed, the Company securely deletes or anonymises the User’s data.

7. Data Sharing and Third-Party Services

The Company may share the User’s data with the Company’s third-party data processors:

• Service Providers (e.g., AWS - servers in Frankfurt, Bitbucket, Apple Developer, Google Play, Mixpanel, Veriff, Stream, Sentry, OneSignal, RevenueCat, Google Workspace, Freshworks)

• Legal Authorities if required by law

• Other Y factor members

• With the User's Consent, when explicitly approved by the User

8. International Data Transfers

Some of the Company’s service providers operate outside the EEA. When the Company transfers the User’s data internationally, the Company implements appropriate safeguards such as Standard Contractual Clauses (SCCs) or rely on adequacy decisions.

9. The User’s GDPR Rights

Under GDPR, the User has the right to:

• Access the User’s personal data - done through the app with immediate effect

• Rectify inaccurate data - done through the App with immediate effect

• Request erasure of the User’s data ("right to be forgotten") - done through the App with immediate effect. The User can request an e-mail with the User’s data before deletion.

• Restrict processing of the User's data

• Object to data processing

• Data portability (receive the User's data in a structured format)

• Withdraw consent at any time (for processing based on consent)

To exercise the User’s rights, some things can be done by the User directly in the App. For other things the User might need to request it through the Company’s customer support. Contact support at support@yfactor.app with any inquiries in this regard.

If the User has any concerns about the way in which the Company is processing the User’s personal data, the User is encouraged to contact the Company first at support@yfactor.app, so it can be attempted to try to resolve the issue together.

If the User is not satisfied with the Company’s response, the User has the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet

Carl Jacobsens Vej 35, 2500 Valby, Denmark

Phone: +45 33 19 32 00

Email: dt@datatilsynet.dk

Website: www.datatilsynet.dk

For users in the UK, they also have the right to lodge a complaint with the British Information Commissioner’s Office

https://ico.org.uk/make-a-complaint/data-protection-complaints/

10. Automated Decision-Making and Profiling

The Company does not use automated decision-making or profiling that significantly affects the User.

11. Updates to This Privacy Policy

The Company may update this Privacy Policy from time to time. The User will be notified of any significant changes.

12. Contact The Company

For any privacy-related inquiries, please contact the Company at hello@yfactor.app