Privacy policy for the nunc. espresso system
We are pleased that you have chosen the nunc. Espresso System and our nunc. App. You can use the nunc. App to optimize your use of the nunc. Espresso System and to use our extended operating services (e.g. remote update, remote diagnostics, automatic refilling and much more).
Regarding the data protection aspects of using the nunc. Espresso System, including the nunc. App and the extended operating services, we,
Next Level Coffee GmbH
Uferstraße 6
78465 Constance
Germany
E-mail: info@nextlevelcofee.de
as well as the
nunc. GmbH
Oberlohnstr. 3
78467 Constance
Germany
Email: information@nunc.coffee
(hereinafter also “we” or “Next Level Coffee”)
as joint controllers within the meaning of data protection law and at the same time service providers, will inform you below.
Your personal data will be processed exclusively within the framework of the statutory provisions of data protection law of the European Union, in particular the EU General Data Protection Regulation (hereinafter "GDPR") and, in addition, the Federal Data Protection Act (hereinafter "BDSG") as well as the Telecommunications Digital Services Data Protection Act (hereinafter "TDDDG") and other statutory provisions on data protection (collectively "Data Protection Laws").
The terms used in this data protection notice, such as “personal data” or their “processing”, correspond to the definitions in Art. 4 GDPR. If you would like to take a look at the GDPR yourself, you can find it online at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679. The BDSG (German Federal Data Protection Act) can also be found online at the following link: https://www.gesetze-im-internet.de/bdsg_2018/; the TDDDG (German Telemedia Act) can be found here: https://www.gesetze-im-internet.de/ttdsg/.
This privacy policy applies only to data processing within the scope of using the nunc. app and the extended operational services. For Next Level Coffee's websites or offerings, the privacy policies available there apply exclusively.
Furthermore, the following information does not refer to external websites of other providers to which links are provided from the nunc. app.
If you have any questions about the processing of your personal data, please do not hesitate to contact us using the contact details mentioned above.
Subject of data protection and data categories
The subject of data protection is the protection of personal data. Personal data is all information relating to an identified or identifiable natural person (so-called "data subject"). Your personal data therefore includes all data that allows you to be identified, such as your name, address, telephone number, or email address. As part of your use of the nunc. app and the extended operating services, we regularly process the following categories of personal data about you:
- Master data (name, first name);
- Contact details (email address, delivery address);
- Log files (your IP address, device identification/user name, UUID, system status, timestamp, event-related meta information such as EventType, device ID, event ID);
- Payment information (payment methods, credit card information, payment status, refunds);
- Usage data (amount of coffee prepared, coffee shots per day, total coffee consumption in grams, type of coffee shot, type of coffee roast, date and time of use, remaining coffee stock, taste preferences and ratings, recipe usage, tip payments made via the app, total usage in hours, support requests for the app and the machine);
- Brewing and grinding parameters (e.g. brewing temperature, pressure, water tank level, condition of the brewing unit, grinding level, shutter speed, humidity, grinding time);
- Device information (e.g. device ID, current firmware version, availability of updates, NFC tag information, error messages and codes);
- Order history (coffee type, quantity, price, order date, etc.).
Processing purposes and legal bases
We process your data only for the purposes for which it was collected and to the extent permitted by applicable law. The purposes and legal bases for processing your data may include, for example, the following:
- Fulfillment of a contract or implementation of pre-contractual measures (Art. 6 Para. 1 S. 1 Letter b GDPR): In particular for the initiation and implementation of a contractual relationship between you and us.
- Fulfillment of a legal obligation (Art. 6 para. 1 p. 1 letter c GDPR): In particular to fulfil legal obligations, such as retention obligations under commercial and tax law.
- Consent (Article 6 (1) (a) GDPR): If necessary, we will process certain data only on the basis of your previously granted, express and voluntary consent. In this case, the specific purposes arise from the content of the respective declaration of consent. You have the right to revoke your consent at any time with future effect (see also Section 19).
- Protection of legitimate interests (Article 6 (1) (f) GDPR): We will also process certain data to protect our legitimate interests or those of third parties, e.g., to provide extended operational services. You can find out how you can object to such processing and under what conditions we must stop or restrict our processing in Section 19.
Please note that this is not a complete or exhaustive list of possible legal bases, but rather merely examples intended to make the legal bases of data protection law more transparent. For more detailed information on the legal bases for individual data processing operations in the context of using the nunc. app and the extended operating services, please refer to the explanations in the following sections.
Download the nunc. app
When you download our nunc. app, the necessary information is transferred to the respective app store. This includes, in particular, your username, email address, time of download, and the individual device ID. However, we have no influence on this data collection, as it is the responsibility of the respective app store operator. This data is not stored by us.
In this context, please also note the privacy policy of the app store operators:
- for the iOS App Store: Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA, available at www.apple.com/en/privacy/privacy-policy/, and
- for the Google Play Store: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, available under http://www.google.de/intl/en/policies/privacy/
Hosting
To provide the nunc. app and extended operating services, we use the service of OVH GmbH, Christopherstraße 19, 50670 Cologne, Germany (hereinafter “OVH”). Our IT infrastructure is hosted on OVH servers within the European Economic Area (EEA). All data collected during the use of the nunc. Espresso system is generally transferred to and stored on OVH servers within the EEA.
OVH acts on our behalf on the basis of a contract for order processing within the meaning of Art. 28 GDPR, which we have concluded with OVH. OVH undertakes to process the respective personal data only on our behalf and in accordance with our instructions.
Automated data processing when using our app
When you access our nunc. app, your device may automatically process personal data, even if you do not use the features offered. In this case, the following personal data will be automatically processed:
- Date and time of access,
- Duration of use,
- Type of device,
- Operating system used,
- The features you use,
- Amount of data sent,
- Type of event,
- IP address/device ID/device token.
We process this data on the basis of our legitimate interest in accordance with Art. 6 Para. 1 S. 1 Letter f GDPR for the purposes of enabling you to use our nunc. app and the extended operating services, ensuring the technical operation of our nunc. app and, if necessary, eliminating faults. In doing so, we pursue the legitimate interest of enabling and permanently maintaining the use of our nunc. app and its technical functionality. When you access our nunc. app, this data is processed automatically. Without providing this data, you cannot use our nunc. app. We do not use this data to draw conclusions about your identity.
When you access our nunc. app, corresponding information may be stored on your device and/or corresponding information already stored on your device may be accessed. The storage or access is based on § 25 para. 2 No. 2 TDDDG, as this information is absolutely necessary to ensure the operation of the nunc. app and IT security and to be able to provide you with our extended operational services as requested.
The automatically collected data is usually deleted once the purpose no longer applies, unless another legal basis applies and subject to any applicable statutory retention periods. If the latter applies, we will delete the data once the other legal basis no longer applies or after the respective statutory retention period has expired.
We cannot accept any objection to the collection and storage of your server log data, as this data is essential for the smooth operation of the nunc. app.
Registration and creation of a user account
To access our nunc. app and use the extended operating services, you must register and create a user account. During registration, you will provide your email address and confirm it with a one-time password (OTP). You will also be required to provide your first name. We will send a registration confirmation to the email address you provided. For orders within the nunc app (see Section 11), you can also enter address information and payment methods during the checkout process or via your account settings.
The following data is processed during registration:
- First name,
- E-mail address,
- Device ID of the nunc. portafilter machine.
Data processing during registration and creation of a user account is carried out solely for the purpose of initiating and executing a user agreement with you on the basis of Art. 6 (1) (b) GDPR, as well as to make our services accessible and to protect our legitimate interests pursuant to Art. 6 (1) (f) GDPR. In the latter case, we have a legitimate interest in making the services you request properly accessible.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right to object to storage, please contact us in writing or by email.
You have the option to manage and update your master and contact data at any time via your user account settings. We will delete your data as soon as the purpose for processing no longer applies - usually as soon as you delete your user account - subject to compliance with any ongoing statutory retention periods.
Login
To use the nunc. app, you must log in using an existing user account (see Section 6). Login is done by entering your registered email address and confirming it once with a one-time password (OTP), which we will send to this email address.
The processing of your data within the framework of the login is only carried out for the purpose of implementing the user agreement with you on the basis of Art. 6 (1) (b) GDPR and to make our services accessible and to protect our legitimate interests based on Art. 6 para. 1 p. 1 letter f GDPR. In the latter case, we have a legitimate interest in making the services you request properly accessible.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right to object to storage, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies - usually as soon as you delete your user account - subject to compliance with any ongoing statutory retention periods.
Customer 360
The data collected during registration and creation of a user account (see Section 6) as well as the data collected during use of the nunc. Espresso system and the nunc. app (see Section 1) will be linked, subject to your prior consent, with data we collect from other sources (e.g., as part of online orders) and your existing customer profile. This is done for the purposes of lead and customer management and for the proper provision of the extended operating services (see Sections 10 et seq.).
The described data processing is carried out on the basis of your consent in accordance with Article 6 paragraph 1 sentence 1 letter a GDPR.
If you have given us your consent to process your data, you can revoke this consent at any time with future effect. In these cases, we will no longer process your data unless we are legally obligated to retain it. To exercise your right of revocation, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies - usually as soon as you delete your user account - subject to compliance with any ongoing statutory retention periods.
Connecting your device to the nunc. portafilter machine
To use the extended operating services, you must pair your nunc. portafilter machine with your nunc. app via Bluetooth. This is particularly important for the initial configuration of the machine so that you can perform the WiFi setup using the nunc. app. To establish a connection between the nunc. portafilter machine and your device, you must first activate the Bluetooth function on your device. You will then be asked to grant access authorization. You can then connect your device to the nunc. portafilter machine via Bluetooth. You can grant these permissions voluntarily, and they will remain active until you reset them by deactivating the respective settings on your device. If you do not wish to grant these permissions, you will not be able to use the extended operating functions.
Via the nunc. app, you can view usage data (see Section 1) that is collected via the nunc. portafilter machine and transferred to our cloud, and use the extended operating services (see the following paragraphs).
Corresponding information may be stored on your device and/or corresponding information already stored on your device may be accessed. This storage or access is based on Section 25 (2) No. 2 of the Telemedia Act (TDDDG), as this information is absolutely necessary to ensure the operation of the nunc. app and IT security, and to provide you with our extended operating services as requested.
Advanced operational services
Roast Shelf Monitoring
Your use of the nunc. Espresso system is analyzed and evaluated by us to ensure you get the best possible use of the nunc. espresso system, as well as optimal maintenance and support services, and to ensure that you always have enough coffee beans available for preparation without overstocking. The following information about the nunc. portafilter machine is collected:
- Number of coffee shots,
- Coffee shot history including coffee shot type (e.g. Espresso or Americano) and type of coffee roast,
- Coffee consumption in grams,
- Real-time coffee remaining stock.
This data is processed solely for the purpose of executing the user agreement with you on the basis of Article 6 (1) (b) GDPR, as well as to protect our legitimate interests pursuant to Article 6 (1) (f) GDPR, in order to be able to offer you optimal use of the nunc. Espresso system and the desired functionalities of the nunc. app. In the latter case, we have a legitimate interest in making the services you request properly accessible.
Subject to your consent in accordance with Article 6 (1) (a) GDPR, the above-mentioned data will be merged into your customer profile for the purposes of lead and customer management.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it.
You may revoke your consent to the processing described above at any time with future effect. To exercise your right of objection and/or revocation, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Brew & Shot Rating Service
Using the nunc. app, you have the opportunity to rate the quality and taste of individual roasts and coffee shots. Based on an analysis of your ratings, we can draw conclusions about your taste preferences, which we will save in your customer profile, subject to your consent. This is done solely for the purpose of offering you optimal use of the nunc. espresso system and the desired functionalities of the nunc. app.
This data processing as part of your evaluation of the roasts and coffee shots takes place to execute the user agreement with you on the basis of Art. 6 paragraph 1 sentence 1 letter b GDPR and to protect our legitimate interests based on Art. 6 paragraph 1 sentence 1 letter f GDPR, in order to be able to offer you the optimal use of the nunc. Espresso system and the desired functionalities of the nunc. app. Our legitimate interests lie in the proper provision of the services you request. The storage of your taste preferences in your customer profile is based on your consent in accordance with Article 6 paragraph 1 sentence 1 letter a GDPR.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. If you have given us your consent to process your data, you can revoke this consent at any time with future effect. In these cases, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right of objection and revocation, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Recipe Management Service
The Recipe Management Service optimizes the extraction of your coffee by optimizing grinding and brewing parameters based on the sensor data collected by the nunc portafilter machine. This enables the automatic adjustment of the grinder and the brewing unit of your nunc. portafilter machine to the correct grinding and brewing parameters. Subject to your consent, your roasting and recipe preferences will be saved in your customer profile.
This data processing takes place to execute the user agreement with you on the basis of Art. 6 paragraph 1 sentence 1 letter b GDPR and to protect our legitimate interests based on Article 6 paragraph 1 sentence 1 letter f GDPR, in order to be able to offer you optimal use of the nunc. Espresso system and the desired functionalities of the nunc. app. Our legitimate interests lie in making the services you request properly accessible. The storage of your roasting and recipe preferences in your customer profile is based on your consent in accordance with Article 6 paragraph 1 sentence 1 letter a GDPR.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. If you have given us your consent to process your data, you can revoke this consent at any time with future effect. In these cases, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right of objection and revocation, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Coffee Recommendations
If you allow the receipt of push notifications via the nunc. app in the settings of your device, we collect information about your use of the nunc. Espresso system, in particular information about your coffee consumption as well as your taste and recipe preferences, in order to give you tips on how to optimize individual recipes and to recommend certain roasts according to your taste or new taste profiles via push notification.
This is done solely for the purpose of ensuring that you can make the best possible use of the nunc. Espresso system and provide the desired services. The legal basis for data processing is our legitimate interest in accordance with Art. 6 paragraph 1 sentence 1 letter f GDPR. Our legitimate interests lie in ensuring proper access to the services you request.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right to object to storage, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Notification Service
If you allow the receipt of push notifications via the nunc. app in the settings of your device, we will regularly inform you via corresponding push notifications about certain statuses of your nunc. portafilter machine (e.g., fill level of the water tank). This is only done for the purpose of ensuring you can make optimal use of the nunc. Espresso system as well as an optimal maintenance and support service. For this purpose, we analyze and evaluate the brewing and grinding parameters (e.g. brewing temperature, pressure, water tank level, condition of the brewing unit, grinding degree, shutter speed, humidity, grinding time) as well as certain technical device information (e.g. device ID, current firmware version, availability of updates, NFC tag, error messages) that we read from your nunc. portafilter machine.
Data processing is carried out solely for the purpose of properly executing the user agreement with you and to be able to offer you the desired functionalities of the nunc. app. The legal basis for data processing is the user agreement concluded with you in accordance with Article 6 paragraph 1 sentence 1 letter b GDPR.
As part of the Notification Service, corresponding information may be stored on your device and/or corresponding information already stored on your device may be accessed. Access is based on § 25 para. 2 No. 2 TDDDG, as this information is absolutely necessary in order to be able to provide the requested service properly.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Orders via the nunc. app
You can order coffee beans via the nunc. app. In order to enable you to select and order coffee beans via our nunc. app, as well as to pay for and deliver them, we process the data you provided during registration (see Section 6), the billing and delivery address you provided during the ordering process, and information about the products you ordered. This information is linked to your existing customer profile (see Section 8). The processing is carried out for the purpose of providing contractual services within the scope of operating our online shop, for order processing, billing, delivery, and for providing customer services.
Processing is carried out on the basis of Article 6 (1) (b) GDPR (execution of order processes) or Article 6 (1) (c) GDPR, insofar as the storage serves to fulfill statutory retention periods. The information marked as mandatory is required to establish and fulfill the contract. Without this data, we are not able to execute the contract with you. We only transmit the data to third parties in the context of the order, in particular for payment processing and delivery, or within the framework of statutory rights and obligations. The data will only be processed in third countries if this is necessary to fulfill the contract (e.g. for delivery to a delivery location outside the EU).
For the processing of online orders we use the services of Shopify International Ltd., Haddington Road, 2nd Floor, 1-2 Victoria Buildings, Dublin D04 XN32, Ireland (hereinafter "Shopify"). All data collected as part of the ordering process on our nunc app is generally transferred to Shopify servers and stored there. Any transfer of personal data to Shopify's parent company (Shopify Inc., 151 O'Connor Street, Ground floor, Ottawa, Ontario, K2P 2L8, Canada) is subject to the EU Commission's adequacy decision (see https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002D0002).
Further information on data processing by Shopify can be found on Shopify’s websites at the following links:
For payment processing we work with the following payment service providers:
- Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter “Stripe”),
- Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, T23 YK84 Ireland (hereinafter “Apple Pay”),
- Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google Pay”).
For the purpose of payment processing, your payment details (name of your bank, IBAN, BIC, credit or debit card information, billing address) are transferred to the respective payment service provider. We do not store your payment details ourselves. We only receive and store information about the status of the respective transaction (e.g., "payment successful" or "payment declined," etc.).
Please therefore note the data protection and security information of the payment service providers:
- Stripe: https://stripe.com/privacy
The data you provide when placing an order will be deleted after the relevant statutory warranty, limitation and retention periods have expired.
Coffee Smart Subscription
You have the option of subscribing to automatic follow-up deliveries. In this case, we estimate the need for a new coffee delivery (quantity and timing) based on previous orders and an analysis of your usage data (see Section 10, Letter d) and initiate the appropriate delivery in a timely manner. Your preferred payment option will be automatically charged. The processing is carried out for the purpose of providing contractual services within the scope of operating our online shop, for order processing, billing, delivery, and providing customer services.
The processing is carried out on the basis of Article 6 paragraph 1 sentence 1 letter b GDPR (execution of the order processes) or Article 6 paragraph 1 sentence 1 letter c GDPR, insofar as the storage serves to fulfil statutory retention obligations.
The data you provide when placing an order will be deleted after the relevant statutory warranty, limitation and retention periods have expired.
Yapa - Service
You have the option of providing a personalized tip to the individual producers of the various coffee beans to support them and contribute to sustainable coffee production. We process the data collected during order processing (see Section 11) as well as the respective tip amount. This processing is carried out for the purpose of providing the requested services.
The processing is carried out to protect our legitimate interests on the basis of Article 6 paragraph 1 sentence 1 letter f GDPR or Article 6 paragraph 1 sentence 1 letter c GDPR, insofar as the storage serves to fulfill statutory retention obligations. In the former case, our legitimate interest lies in the proper provision of the services you request.
We work with the following payment service providers to process payments:
- Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter “Stripe”),
- Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, T23 YK84 Ireland (hereinafter “Apple Pay”),
- Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google Pay”),
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).
For the purpose of payment processing, your payment details (name of your bank, IBAN, BIC, credit or debit card information, billing address) are transferred to the respective payment service provider. We do not store your payment details ourselves. We only receive and store information about the status of the respective transaction (e.g., "payment successful" or "payment declined," etc.).
Please therefore note the data protection and security information of the payment service providers:
- Stripe: https://stripe.com/privacy
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right to object to storage, please contact us in writing or by email.
The data you provide when placing an order will be deleted after the relevant statutory warranty, limitation and retention periods have expired.
Other contact
You have the option of contacting us by email. In this case, we will process the data disclosed as part of your inquiry to respond to your inquiry based on our legitimate interests in processing customer inquiries in accordance with Article 6 (1) (f) GDPR. In this context, data may also be transferred to third parties, such as affiliated companies, to process your request.
If your data is processed based on legitimate interests, you can object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate an overriding legitimate interest or are otherwise legally obligated to store it. To exercise your right to object to storage, please contact us in writing or by email.
We will delete your data as soon as the purpose of processing no longer applies, subject to compliance with any ongoing statutory retention periods.
Information on joint responsibility
The processing of personal data related to the use of the nunc. Espresso system in accordance with the above sections is carried out under joint responsibility within the meaning of Article 26 (1) (1) GDPR by the companies named at the beginning of this data protection notice.
In this context, the respective personal data may be exchanged between the joint controllers. The legal basis for this is generally the protection of our legitimate interests pursuant to Article 6 (1) (f) GDPR. Our legitimate interests lie in the optimization of our business processes, the effective allocation of our resources, and the provision and management of central IT infrastructure.
Against this background, we have an agreement on joint responsibility The agreement essentially includes the following:
-
Areas of responsibility : Responsibility for the operation and administration of the nunc. app and the underlying IT systems, including the CRM system, and the management of the data stored therein lies primarily with Next Level Coffee GmbH. In this respect, Next Level Coffee GmbH is also responsible for data collection and updating in the context of using the nunc. espresso system.
-
Data security : Next Level Coffee GmbH, along with nunc GmbH, is primarily responsible for ensuring adequate security of personal data and for implementing appropriate protective measures and basic data protection principles (e.g., through authorization management and access control, implementation of a deletion concept, privacy by design).
-
Information and reporting obligations: Next Level Coffee GmbH fulfills its information obligations with this privacy policy. Fulfillment of any reporting obligations in the event of a data protection incident also lies with Next Level Coffee GmbH, with the joint controllers providing each other with the best possible support and all necessary information.
-
Rights of data subjects/contact persons: Next Level Coffee GmbH is also responsible for processing and responding to data protection inquiries and concerns from customers and users. This means that your contact for all data protection questions is Next Level Coffee GmbH. If you wish to exercise your data protection rights (e.g., requests for information or deletion), you can contact us at any time using the contact details provided at the beginning of this privacy policy. To the extent necessary to implement your request, the joint controllers will promptly inform and support each other and provide each other with all information necessary to respond to requests for information and other requests.
If you have any further questions about the joint controllership agreement, you can contact us at any time using the contact details provided at the beginning of this privacy notice.
-
Recipients of personal data
Within our company, only those people who need your personal data for the stated purposes have access to it. We will only pass on your personal data to external recipients if this is necessary to process or handle your request, if we have your consent to do so or if there is another legal permission. External recipients can in particular be:
-
Affiliated companies: These include, in particular, nunc GmbH, Oberlohnstr. 3, 78467 Konstanz, Germany, with whom we may exchange personal data if necessary for internal administrative, marketing, or customer service purposes. This is done to protect our legitimate interests pursuant to Art. 6 (1) (f) GDPR.
-
Processors: These are service providers we use to provide services, for example, in the areas of technical infrastructure and maintenance. We carefully select and regularly review such processors to ensure that your privacy is protected. These service providers may only use the data for the purposes specified by us and in accordance with our instructions. We are authorized to use such processors in compliance with the legal requirements of Article 28 GDPR.
-
Public bodies: These are authorities, state institutions, and other public bodies, such as supervisory authorities, courts, public prosecutors, or tax authorities. Personal data will only be transferred to such public bodies for legally compelling reasons. The legal basis for such a transfer may be Article 6 Paragraph 1 Sentence 1 letter c GDPR.
-
Private bodies: Service providers and auxiliary persons to whom data is transmitted based on a legal obligation or to protect legitimate interests, such as tax consultants or auditors. The transmission then takes place on the basis of Article 6 (1) (c) and/or (f) GDPR.
-
Data processing in third countries
If we transfer your data to third countries outside the EU or EEA in accordance with the above, we will ensure before the transfer that, except in legally permitted exceptions, the recipient either has an adequate level of data protection or that you consent to the data transfer. An adequate level of data protection is ensured, for example, by the recipient's certification under the EU-US Data Privacy Framework, the conclusion of EU standard contractual clauses, or the existence of so-called Binding Corporate Rules (BCRs). Please contact us using the communication channels listed above to receive a copy of the specific so-called guarantees for the transfer of your data to third countries.
-
Storage period
We store your personal data only for as long as necessary to fulfill the purposes or, in the case of consent, as long as you do not revoke your consent. In the event of an objection, we will no longer process your personal data unless further processing is permitted or even mandatory under the relevant legal provisions (e.g., within the framework of commercial and tax law retention periods). We will also delete your personal data if we are legally obligated to do so.
For further details on the storage period of your personal data, please refer to the respective explanations in the sections listed above.
-
Your rights
As a data subject, you have numerous rights. These include:
-
Right to information (Article 15 GDPR): You have the right to receive information about the data we have stored about you.
-
Right to rectification and erasure (Article 16 and Article 17 GDPR): You can request that we correct incorrect data and – if the legal requirements are met – delete your data.
-
Right to restriction of processing (Article 18 GDPR): You can request that we restrict the processing of your data (e.g. by blocking it), provided that the legal requirements are met.
-
Right to data portability (Article 20 GDPR): If you have provided us with data on the basis of a contract or consent, you can request, if the legal requirements are met, that you receive the data you have provided in a structured and common format or that we transmit it to another responsible party.
-
Right to object to data processing based on legitimate interests (Article 21 GDPR): You have the right to object to data processing by us at any time for reasons arising from your particular situation, insofar as this is based on legitimate interests within the meaning of Article 6 Paragraph 1 S. 1 letter f GDPR. If you exercise your right of objection, we will stop processing your data unless we can demonstrate compelling legitimate grounds for further processing which outweigh your rights, or the processing serves to assert, exercise or defend legal claims.
-
Revocation of consent (Article 7 GDPR): If you have given us your consent to process your data, you can revoke this consent at any time without giving reasons, with effect for the future. The legality of the processing of your data up to the time of revocation remains unaffected.
-
Right to lodge a complaint with the supervisory authority (Article 77 GDPR): You can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. In particular, you can contact the data protection authority responsible for your place of residence, your place of work or the place of the alleged violation. The supervisory authority responsible for data protection is: The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (LfDI), reachable at PO Box 10 29 32, 70025 Stuttgart, Germany, Telephone: +49 711 615541-0, Fax: +49 711 615541-15, Email: poststelle@lfdi.bwl.de, Internet: www.baden-wuerttemberg.datenschutz.de.
If you have any questions about the processing of your personal data and your rights as a data subject, we are happy to assist you via the above-mentioned communication channels.
-
Security
We take technical and organizational security measures to protect your personal data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. These security measures are always adapted to the current state of the art.
Personal data transmitted through your use of our extended operational services is transmitted securely using encryption. We use the Transport Layer Security (TLS) encryption protocol, more widely known by the name of its predecessor, Secure Sockets Layer (SSL).
Our employees are bound to confidentiality.
-
Changes
From time to time, it may become necessary to adapt the content of this privacy policy. We therefore reserve the right to change it at any time. We recommend that you familiarize yourself with the most current version of this privacy policy. We will also publish the amended version of the privacy policy here.
If translations of this privacy policy are made, the German version shall prevail.
Status: April 2025
-