This privacy statement applies to data processing by mittemitte GmbH ("Mitte, "controller", "we" or "us") when using the Mitte App ("App").

The Mitte App enables you to use our "Smart Replenishment Service". Through the digital connection with your Mitte device, the App can recognise when your Mitte device needs a new Mitte cartridge and/or CO2 cylinder and will inform you in time. You can then easily order the products via the App.

The App also contains a shopping cart. You can add and remove Mitte cartridges and CO2 cylinders from the shopping cart and purchase these items through the shopping cart at any time, whether or not our system has detected if an item is in need of replacement.

The use of the Smart Replenishment Service, of the App and the ordering process via the App involves certain processing of your personal data. Personal data is any information relating to an identified or identifiable natural person, e.g. name, address, email address. We process data that you provide to us independently as well as data that your Mitte device and the App collect and transmit.

When processing your personal data, we observe the applicable data protection laws, in particular the European General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").

This privacy statement describes which personal data we process, for which purposes and on which legal basis.

We take the protection of your personal data very seriously. We process your data only for the purposes clearly defined in this privacy statement. If we process data for other purposes and/or pass on your data to third parties for other purposes, we will only ever do so with your explicit consent.

1. Name and Contact Details of the Controller

Responsible for the processing of your data is mittemitte GmbH, Sonnenallee 224a, 12059 Berlin, Germany, [email protected].

2. Name and contact Details of our Data Protection Officer

You can reach our data protection officer at the following contact details: IITR Datenschutz GmbH, Dr Sebastian Kraska, Marienplatz 2, 80331 München, E-Mail: [email protected], Telephone: 089-18917360.

3. Collection and Storage of Personal Data as well as Method and Purpose of their Processing, relevant Legal Basis and Storage Period

3.1. Downloading the App

When downloading the app, the required information is transferred to the App Store,

i.e. in particular user name, e-mail address and customer number of your account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it.

We only process the data to the extent necessary for downloading the mobile App to your mobile device.

3.2. Use of the App

Each time the App is accessed, our system automatically collects the following data from your end device and stores it in log files: name of the file accessed, date and time of access, amount of data transferred, notification of successful access, type of browser and version used, your IP address, your operating system. This data is not merged with other data sources.

The temporary collection of data by the system is necessary to enable delivery of the App to your end device and to ensure its performance. The storage in log files also takes place to ensure the stability and functionality of the website. Furthermore, the data serves to optimise the app experience and to ensure the security of the information technology systems against possible attacks from outside. This is also the legitimate interest in processing the aforementioned data according to Art. 6 para. 1 p. 1 lit. f) GDPR.

3.3. Creation of a Mitte Account

You can create an account in the App by entering the following data:

• Your e-mail address.

• Your title

• Your first and last name

• Your address

To confirm the e-mail address you have provided, we use the so-called double opt-in procedure. This means that after your registration we will send you an e-mail to the email address you have provided, in which we ask you to confirm your e-mail address.

We process your e-mail address in order to fulfil our service towards you. The legal basis is Art. 6 para. 1 lit. b) GDPR.

3.4. Ordering Mitte Products via the App

If you want to order Mitte products via the App when using the Smart Replenishment Service or when using the manual shopping cart function, we additionally need the following data from you:

• Your credit card details

• Your credit card details are necessary for us to fulfil the purchase contract for our products that you order via the App.

• The legal basis for the data processing is Art. 6 para. 1 lit. b) GDPR.

• Once you have made a purchase via the App, we will only store your credit card details for future purchases in the web shop or in the App if you have given us your explicit consent by clicking on the checkbox.

• The legal basis for the data processing is Art. 6 para. 1 lit. a) GDPR. You may revoke your consent at any time with effect for the future.

3.5. Transmission of data from the Mitte device to the Mitte App

When you connect your Mitte device to your Wifi, your Mitte device regularly transmits certain technical data as well as data on your dispense to the App. This data is necessary, among other things, for the App to be able to recognise when your Mitte device needs a new Mitte cartridge or a new CO2 cylinder and to suggest an appropriate new order to you.

In particular, the device transmits the following data to the App:

• The status of your Mitte device, i.e. in particular information on the fill level of your Mitte cartridge and CO2 cylinder.

• Dispense data, i.e. in particular your carbonation preference, timestamp, duration of dispense.

• Other technical data of the mittemitte device, such as Wifi signal strength, sensor data, etc.

The aforementioned data is initially required so that the App can determine when your Mitte cartridges or CO2 cylinders will be empty and to suggest a new order in good time. In addition, the transmitted data helps with customer service should your device not function properly at some point and provides overall information about the condition and functioning of the device. The data is therefore collected and processed for the purpose of providing the Smart Replenishment Service to you. The legal basis for the data processing is Art. 6 para. 1 lit. b) GDPR.

Data on your dispense (carbonation preference, timestamp, duration) is also processed by us in order to continuously improve our products and thus give you a better customer experience. The dispense data transmitted by the device is only used in aggregated form and cannot be traced back to you personally. We do not intend to use the data in any way to create a usage profile of you or to pass this data on to a third party. The data processing is based on Art. 6 para. 1 lit. f) GDPR: Our legitimate interest is to continuously improve and develop our products in order to offer our customers a better service.

3.6. Data Processing for Personal Addressing by e-mail

If you give us your explicit consent, we will send you information about our services and offers by e-mail. For this purpose, we process your name and e-mail address. When you register for our newsletter, we use the double opt-in procedure. This means that after you have registered with your e-mail address, we will send you an email to the specified e-mail address in which we ask you to confirm that you actually wish to receive the newsletter.

The legal basis for sending our information is Art. 6 para. 1 lit. a) GDPR. You may revoke your consent at any time with effect for the future.

3.7. Storage Period

We delete the data collected and stored in connection with the creation of your Mitte account at the latest when you delete your Mitte account. However, deletion of your personal data is not possible if and to the extent that your data is still required to process an order you placed with Mitte.

Irrespective of this, we store your data processed during the purchase of our products until the expiry of the statutory or possible contractual warranty rights. After the expiry of this period, we retain the information of the contractual relationship required under commercial and tax law for the periods determined by law. For this period (regularly ten years from the conclusion of the contract), the data is processed again solely in the event of an audit by the tax authorities.

4. Recipients of Personal Data

To process your personal data, we sometimes use the services of external service providers (IT providers, payment service providers, carriers, analytic tools). In part, these third parties act as Data Controllers, in part they act in the function of a Processor on our behalf and according to our instructions.

4.1. Payment Service Provider Stripe Payments Europe Ltd.

If you order a product via the Mitte App, payment processing is carried out via the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, ("Stripe"). We transmit to Stripe the information you provide during the ordering process, together with information about your order (name, address, credit card information, invoice amount, currency and transaction number). Your data will only be passed on for the purpose of processing payment with Stripe and only to the extent that it is necessary for this purpose. The data entered is only processed by Stripe and stored by Stripe. I.e. we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment.

The transmission of your data to Stripe is necessary for the processing of the purchase contract with you and is therefore based on Art. 6 para. 1 lit. b) GDPR.

For more information on Stripe's privacy statement, please visit: https://stripe.com/en-gb-de/privacy

4.2. Analysis Service Mixpanel, Inc.

We use the analysis tool "Mixpanel" from Mixpanel, Inc., 405 Howard St., Floor 2, San Francisco, CA 94105, USA. The tool allows us to analyse how you use the App and interact with the features in the App. The analysis helps us to better understand the needs of our customers and to continuously improve our service. We have concluded a Data Processing Agreement with Mixpanel, which can be viewed at https://mixpanel.com/legal/dpa/. The storage and processing of the collected data in the USA is based on the so-called Standard Contractual Clauses.

The processing of user data is pseudonymised, i.e. no personal clear data (such as names) is processed and your IP address is only stored in a shortened form.

You can also find more information about Mixpanel's privacy statement here: https://mixpanel.com/legal/privacy-policy/

Data processing is carried out exclusively on the basis of your express consent in accordance with Art. 6 para. 1 lit. a) GDPR.

5. Transfer of Data to Third Party Countries

Except as set out in sections 3.2, we do not transfer your personal data to recipients in countries outside the European Union or the European Economic Area where a level of data protection comparable to that in the European Union cannot be assumed.

6. Data Security

All personal data transmitted by you is transferred using the secure and proven SSL (Secure Socket Layer) standard, which is also used for online banking, for example. We also use appropriate technical and organizational security measures to protect stored personal data against manipulation, partial or complete loss and unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is only stored on servers hosted in the EU that are certified in accordance with DIN ISO/ IEC 27001 (as amended from time to time).

7. Your Rights

In relation to our processing of your personal data, you have the following rights free of charge:

7.1. Right to Information pursuant to Art. 15 GDPR

You have the right to receive information from us about whether and which data we process about you. This includes information on how long and for what purpose we process the data, the source of the data and the recipients or categories of recipients to whom we pass on the data. We can also provide you with a copy of this data.

7.2. Right to Rectification pursuant to Art. 16 GDPR

You have the right to request that we rectify information about you that is not or no longer accurate without delay. In addition, you can request that we complete your incomplete personal data. If required by law, we will also inform third parties of this rectification if we have disclosed your personal data to them.

7.3. Right to Deletion pursuant to Art. 17 GDPR

You have the right to request that we delete your personal data without delay if one of the following cases applies:

• Your data is no longer necessary for the purposes for which it was collected or otherwise processed or the purpose has been achieved;

• You withdraw your consent and there is no other legal basis for the processing;

• You object to the processing and there are no prevailing legitimate grounds for the processing; in the case of the use of personal data for direct marketing, a mere objection by you to the processing is sufficient;

• Your personal data has been processed unlawfully;

• The deletion of your personal data is necessary to comply with a legal obligation under European Union law or the law of a member state to which we are subject.

Your right to deletion may be restricted on the basis of statutory provisions. This includes in particular the restrictions listed in Article 17 GDPR and Section 35 Federal Data Protection Act (BDSG).

7.4. Right to the Restriction of Processing pursuant to Art. 18 GDPR

You have the right to request us to restrict the processing of your personal data if one of the following reasons applies:

• you dispute the correctness of your personal data for a period of time that allows us to verify the correctness of the personal data;

• the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of your personal data;

• we no longer need your personal data for the purposes of processing; however, you need them for the assertion, exercise or defence of legal claims, or

• you have objected to the processing as long as it has not yet been determined whether our legitimate reasons outweigh yours.

If you have obtained a restriction on processing under the above list, we will inform you before the restriction is withdrawn.

7.5. Right to Data Portability pursuant to Art. 20 GDPR

You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to others. The exercise of this right does not affect your right to deletion.

7.6. Right to Object pursuant to Art. 21 GDPR

According to Art. 21 GDPR, you have in particular the right to object to the processing of your data at any time on the grounds of your particular situation, if we base this processing on legitimate interests pursuant to Art. 6 Art. 1 lit. f) GDPR. If you object, we will no longer process your personal data, except in two cases:

• We can prove that there are compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms; or

• the processing serves the assertion, exertion or defence of legal claims.

In particular, if we process your personal data for direct marketing, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.

7.7. Right of Withdrawal of Consent pursuant to Art. 7 GDPR

You can withdraw your consent given to us at any time with effect for the future. This withdrawal can be made in the form of an informal notification to the abovementioned contact addresses. If you withdraw your consent, the legitimacy of the data processing carried out up to that point will not be affected.

7.8. Right to file a Complaint with the Supervisory Authority

If you believe that the processing of your data by us violates applicable data protection law, you have the right to file a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is: