Privacy Policy
Information on the protection of your personal data in accordance with GDPR
1. Data Controller
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Herotion GmbH
Friedrichstraße 16
72072 Tübingen
Germany
Email: info@mymiloapp.com
Represented by the Managing Directors:
Riccardo Gäckle, Niclas Wiebe, Lukas Schönauer
2. Data Protection Officer
The controller has appointed a Data Protection Officer.
You can reach them at:
Email: info@mymiloapp.com
3. General Information on Data Processing
We only process personal data of our users to the extent necessary for providing this website, delivering our services, or communicating with you.
Processing is carried out exclusively on the basis of one of the following legal grounds:
• Consent (Art. 6(1)(a) GDPR)
• Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR)
• Legal obligation (Art. 6(1)(c) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR)
4. Waitlist Form
a) Data Processed
Through our waitlist form, we collect the following personal data:
• Name (required)
• Email address (required)
• Location (required)
• Clinic / facility (optional)
b) Purpose of Processing
The data is processed for the purpose of:
• Managing the waitlist,
• Contacting you,
• Providing information about product and project progress.
c) Legal Basis
Art. 6(1)(a) GDPR (consent).
d) Storage Duration
The data will be stored for as long as the waitlist exists or until consent is withdrawn.
After withdrawal of consent or once the purpose no longer applies, the data will be deleted without undue delay, unless statutory retention obligations apply.
5. Hosting and Server Log Files
a) Hosting
This website is technically operated by:
Vercel Inc.
340 S Lemon Ave #4133
Walnut, CA 91789
USA
When visiting the website, Vercel automatically collects the following data:
• IP address
• Date and time of access
• Browser type and operating system
• Referrer URL
b) Purpose of Processing
The data is processed for the purpose of:
• Ensuring secure and stable website operation,
• Error analysis,
• Prevention of misuse.
c) Legal Basis
Art. 6(1)(f) GDPR (legitimate interest).
d) Storage Duration
Server log files are stored for a maximum of 30 days and then automatically deleted, unless security-related events require longer retention.
6. Database and Backend Services (Supabase)
For the technical storage and management of waitlist data, we use:
Supabase Inc.
548 Market Street, PMB 97211
San Francisco, CA 94104-5401
USA
Processing is carried out exclusively for providing the waitlist functionality.
A data processing agreement pursuant to Art. 28 GDPR has been concluded with Supabase. Supabase Inc. acts as a data processor for the storage and management of data. Processing is carried out exclusively on the instructions of the controller. Data transfer to the USA is based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
7. Data Processing and Third-Country Transfer
For the technical provision of this website and the waitlist functionality, we engage carefully selected data processors pursuant to Art. 28 GDPR, in particular:
• Vercel Inc. (hosting)
• Supabase Inc. (database and backend services)
As both companies are based in the USA, personal data may be transferred to a third country.
The transfer is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR, as Vercel Inc. and Supabase Inc. are certified under the EU-U.S. Data Privacy Framework (DPF).
The respective certification status can be verified at any time via the official list of the U.S. Department of Commerce.
8. Cookies
This website only uses technically necessary cookies that are required for the operation of the website (e.g., storing the cookie consent status).
Legal basis:
§ 25(2)(2) TTDSG in conjunction with Art. 6(1)(f) GDPR.
Analytics or marketing cookies are currently not used.
Should such tools be implemented in the future, this will only occur on the basis of prior consent.
9. Data Subject Rights
Data subjects have the following rights:
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)
To exercise these rights, you may contact us or our Data Protection Officer at any time.
10. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority.
The competent supervisory authority for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg).
11. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed to adapt it to legal or technical changes.
The version current at the time of your visit shall apply.
Last updated: April 2026




