1. Introduction

Reflectly ApS ("Reflectly", "Memorado", "we", "our" or "us") are committed to respecting your privacy and processing personal data in accordance with the EU GDPR.

The Privacy Policy set out in this document relates to all of the apps owned by Reflectly, at any given time and subject to change. For a complete list of the apps covered please refer to the Apple App Store and Google Play Store developer profile pages. Collectively they will be referred to as the "Apps" and this includes future means of providing software or services, including but not limited to desktop or browser. Certain parts of the Privacy Policy will only relate to some of the Apps or app categories.

The Privacy Policy should be read carefully to discover how we obtain, process, store and disclose your personal data.

Although the Privacy Policy relates to more than one app, indicating acceptance for one app does not result in acceptance for all of them. Separate acceptance to the Privacy Policy must be given for each app, even if they are downloaded as a bundle.

2. Personal Data

Purpose and Lawful Basis

Personal Data Descripion	Processing Purpose	Lawful Basis
Name, nickname, email and subscription status	To create an account, allowing you to secure and back up your content. To provide access to Premium features if a subscription is purchased. To provide Newsletters with exclusive content and inform you of offers, depending on whether your status is Free (basic) or Premium. To notify you about material changes to the Terms of Service and Privacy Policy.	Necessary for the performance of a contract we have with you. Necessary to comply with legal obligations. We require your consent.* *By ticking the box you consent to Newsletters from both the Reflectly app and/or Glass Half Full (a news platform controlled by us). To revoke your consent click 'Unsubscribe' at the bottom of one of our emails.
Profile photo	To provide you with a more personalised service.	We require your consent.
Moods, associated activities, feelings and additional photos, notes, text and voice notes detailing mental health, moods or related thoughts (the "Mental Health Data”)	To provide a mood journal that contains relevant content, stores entries, compiles data and presents statistics	We require your explicit consent to process the health data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by marking a tick in the requisite box at sign up or the update notice.
Fingerprint or facial authentication (the "Biometric Data”)	To provide security and privacy.	We require your explicit consent to process the biometric data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by affirmatively clicking that you allow us to access the data when prompted.
Geo-location data	We may ask to access your geo-location data and with your help, attribute data to key locations. This will allow us to automate features such as journaling, habit tracking and health data aggregation or monitoring.	We require your consent.
Data relating to exercise, mindfulness, sexual activity, sleep, physique, nutrition, heart rate, blood pressure and other data supported by Apple Health (the "Apple Health Data”)	To monitor your health more effectively by allowing us to write data. To provide your health data in an easy to read graphical format, and to track your progress.	We require your explicit consent to process the Apple Health Data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by affirmatively clicking that you allow us to read and write data when prompted.
Calendar data from the terminal device	To automatically integrate Calendar events.	We require either your consent, or explicit consent depending on the calendar event. If the event relates to a special category of personal data such as health or religious belief (i.e. medical appointments or church service) explicit consent is required. Explicit Consent is one of the limited exceptions to the prohibition of processing special category personal data under the GDPR. Both consent and explicit consent, whichever is required, can be given by affirmatively clicking that you allow us to access the data when prompted.

Some of the Apps may not collect every category of personal data listed above. This will be clear if and when it applies (e.g. if not asked for your email address, it is not being collected).

Necessary for performance of contract

We process some of your personal data because it is necessary for the performance of a contract we have with you or it is necessary prior to entering into such a contract. If you do not wish to provide a nickname or email for example, we cannot create your account and you will be unable to avail of certain features. It should be noted, however, that not every app will process this data.

Changes to Personal Data

It is important that the personal data we have in relation to you is current and accurate. If your personal data (e.g. email address) changes during our relationship please inform us promptly. If, for whatever reason, your personal data is inaccurate or incomplete you have the right for this to be corrected or completed.

Unprompted Health Data

Although some of our Apps do not directly prompt or encourage you to input health data, you may wish to still provide such data. Often this data is not collected for storage or any other purposes, but instead, stored locally on your device terminal. The same applies to our expenditure and budgeting apps, despite the fact health spending may exist as a default spending category.

Some of the Apps provide the option to back up your data with iCloud, for more information on how Apple processes your personal data see Apple's Privacy Policy. The option to synchronise data across devices using Google Drive or Dropbox may also be provided, please refer to their privacy policies.

3. Automatic Collection, Retention and Sharing

Device information automatically collected

In conjunction with our partners we automatically collect and log certain information stored on your terminal device including device type, operating system specification, network settings, unique device identifier and IP address. Our Analytics provider may by default use IP addresses to determine your general non-specific location. Among other things, this allows geographic sorting and protects us and our apps against misuse and nefarious activity. However, we do not use your IP address to analyse geographic user trends. To learn more about how our Analytics provider collects and processes your IP address please refer to their privacy policy.

Retention of Personal Data

We are committed to the principle of storage limitation and will retain your personal data for no longer than is necessary to fulfil our processing purposes. Following account deletion, revocation of consent or a written deletion request, your personal data will be retained for no longer than 30 days, save for certain instances where legal obligations require longer retention periods.

We will also anonymise some personal data so it will no longer be associated with you. In this event we are entitled to retain and use the information freely.

Sharing with Third Parties

In order to provide you with our services, carry out our activities and to comply with legal obligations, we share your personal data with certain third parties such as:

• cloud storage providers;
• analytics providers, who assist us in the improvement and optimisation of the App;
• push notification providers; and
• law enforcement authorities, government authorities, government bodies and the courts where they request it and disclosure is lawful. (e.g. prevention and detection of crime).

4. International Data Transfers

To provide storage and email newsletters we transfer your data to our partners outside the EU. We are committed to ensuring your personal data is protected when transferring to third countries without an adequate level of protection, namely the U.S.

In light of the EU-US Privacy Shield being invalidated, Standard Contractual Clauses are now relied on. Reflectly acknowledges the comments in Schrems II that additional safeguards may be needed to supplement such clauses. We are currently assessing our transfers and working with our partners to implement safeguards, along with the updated Standard Contractual Clauses.

5. Security

We have implemented appropriate technical and organisational security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to. These measures include encryption and pseudonymisation. Access to your personal data is granted strictly on a need to know basis and we have carefully selected our service providers with security considerations in mind.

6. Your Rights

General Rights

You have several rights in relation to your personal data, these include the right to:

• Access a copy of the personal data we hold about you;
• Correction or completion of any inaccurate or incomplete personal data;
• Erasure (save for personal data necessary to comply with legal obligations or for the establishment, exercise or defence of legal claims);
• Obtain a copy of your personal data in a portable format;
• Restrict the processing of your personal data, in the following instances:
• You are contesting the accuracy of your personal data and we need time to verify it.
• Processing has been found unlawful, but you oppose erasure.
• You require the personal data for the establishment, exercise or defence of legal claims, but we no longer need it for our processing purposes.
• Withdraw consent or explicit consent for specific processing;
• Object to the processing of personal data for direct marketing purposes.

If you wish to exercise any of these rights, please contact us. We may request proof of identification to verify your request.

Complaint: Supervisory authority

If you think we have infringed your rights under data protection legislation, you have the right to lodge a complaint. When making your complaint, the relevant supervisory authority is the one in the country:

1. where you are habitually resident;
2. where you work; or
3. where the alleged infringement took place.

The right to lodge a complaint is without prejudice to any other administrative or judicial remedy you may have. The contact information for the Danish Data Protection Agency is provided below.

Datatilsynet
Carl Jacobsens Vej 35
DK-2500 Valby
+45 33 19 32 00
dt@datatilsynet.dk

7. Age Requirement

You must be at least 13 years of age to use any of the Apps.

8. Cookies

The Websites owned or otherwise controlled by Reflectly use cookies. To learn more about the types of cookies we use, their purpose and the options available to you, please read the Cookie Policy.

9. Contact

If you wish to get in contact with us please email hello@reflectly.app or write to us at Balticagade 14B, 8000 Aarhus C, Denmark.

Questions, comments and requests in relation to this privacy policy or the processing of your personal data should be addressed to our Data Protection Officer ("DPO").

DPO email: dpo@reflectly.app

10. Changes to this Privacy Policy

We are constantly reviewing our Privacy Policy to ensure compliance with data protection legislation. Our apps are also constantly evolving and new features and services may change how we process your personal data. Any substantive or material change to this Privacy Policy will be brought to your attention.