Privacy Policy of the Quitora App

Preamble

With the following privacy policy we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for which purposes and to what extent in the context of providing our application.

This privacy policy applies to the Quitora App. The Quitora App is delivered via two channels: as a mobile app (iOS, later also Android) through the respective app store, and as a web app via the browser on a PC for users without a mobile device. Where individual processing operations relate only to one of the two delivery channels, this is indicated at the relevant section.

The terms used are not gender-specific.

Note on the target audience

Our offering is intended exclusively for persons aged 18 years and older. We do not knowingly process personal data of minors. Should we become aware that a minor has created an account, we will delete the account and the associated data without undue delay.

Last update: 3 May 2026

Table of contents

• Preamble
• Controller
• Overview of processing operations
• Relevant legal bases
• Security precautions
• Transmission of personal data
• International data transfers
• General information on data retention and deletion
• Rights of data subjects
• Business services
• Business processes and operations
• Use of online platforms for listing and sales purposes
• Providers and services used in the course of business
• Payment procedure
• Provision of the web app and hosting
• Processing of data in the context of applications (apps)
• Functions of the Quitora programme
• Purchase of applications via appstores
• Registration, login and user account
• Contact and inquiry management
• Artificial intelligence (AI)
• Emergency chat and crisis notice
• Cloud services
• Changes and updates
• Terminology and definitions

Controller

Quitora UG (haftungsbeschränkt)
Strelitzer Strasse 24
10115 Berlin
Germany

Authorised representative: Nico Stockmann

E-mail address: hello@quitora.eu

Data protection contact: hello@quitora.eu

Imprint: https://quitora.eu/imprint/

Overview of processing operations

The following overview summarises the types of data processed and the purposes for which they are processed and refers to the affected data subjects.

Categories of processed data

• Inventory data.
• Payment data.
• Contact data.
• Content data (in particular reflection and chat inputs).
• Contract data.
• Usage data.
• Meta, communication and process data.
• Log data.
• Health-related content (in particular information on smoking behaviour, trigger situations, crisis moments).

Categories of data subjects

• Service recipients and clients.
• Employees.
• Prospective customers.
• Communication partner.
• Users.
• Business and contractual partners.
• Third parties.
• Customers.

Purposes of processing

• Provision of contractual services and fulfilment of contractual obligations.
• AI-supported reflection and crisis guidance within the Quitora programme.
• Communication.
• Security measures.
• Office and organisational procedures.
• Conversion tracking.
• Organisational and administrative procedures.
• Feedback.
• Marketing.
• Provision of our online services and usability.
• Information technology infrastructure.
• Financial and payment management.
• Public relations.
• Business processes and management procedures.
• Artificial intelligence (AI).

Relevant legal bases

Relevant legal bases according to the GDPR: In the following you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

• Consent (Article 6 (1) (a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Performance of a contract and prior requests (Article 6 (1) (b) GDPR) - Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate Interests (Article 6 (1) (f) GDPR) - The processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.
• Processing of special categories of personal data with explicit consent (Article 9 (2) (a) GDPR) - The data subject has given explicit consent to the processing of data of special categories (in particular health-related content) for one or more specified purposes. This legal basis applies in particular to content from the Coach Chat, Emergency Chat and Challenge Chat insofar as it contains health-related information.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Germany. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains special provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making, including profiling. Furthermore, data protection laws of the individual federal states may apply.

Reference to the applicability of the GDPR and the Swiss DPA: This privacy policy is intended to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). Within the scope of application of the Swiss FADP, the legal interpretation of these terms is determined exclusively by Swiss law.

Security precautions

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.

Securing online connections through TLS/SSL encryption technology: All data transmissions between the app, the web app and our servers take place exclusively in encrypted form, in order to protect user data from unauthorised access.

Transmission of personal data

In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organisational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into the application. In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the EU-US Data Privacy Framework (DPF), which has been recognised as a secure legal framework by the EU Commission's adequacy decision of 10 July 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers, which comply with the EU Commission's requirements and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF serves as the primary level of protection, while the Standard Contractual Clauses act as an additional security measure. Should any changes occur within the DPF framework, the Standard Contractual Clauses will serve as a reliable fallback option.

For individual service providers, we will inform you whether they are certified under the DPF and if Standard Contractual Clauses are in place. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/.

General information on data retention and deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing is no longer applicable or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require a longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or protection of the rights of other natural or legal persons, must be archived accordingly.

Specific retention periods for Quitora content:

• Coach Chat content (Day 1-90): Storage until the end of the running programme plus 30 days for follow-up. Subsequent automated deletion if no follow-up use takes place.
• Emergency Chat content: Storage for a maximum of 90 days from the entry, after which automated deletion takes place. No further storage occurs.
• Challenge Chat content (from Day 91): Storage until the end of the running follow-up programme plus 30 days. Subsequent automated deletion.
• Tracker data, streak, running programme activities, meditation accesses: Storage until the user deletes their account.
• Account master data: Storage until account deletion or up to 12 months of inactivity (with prior notification).
• Server log files and IP addresses: Storage for a maximum of 30 days, then deletion or anonymisation.

In cases where multiple retention periods or deletion deadlines for a date are specified, the longest period always prevails.

Data retention and deletion: The following general deadlines apply for retention and archiving according to German law:

• 10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the necessary work instructions and other organisational documents (Section 147 (1) No. 1 in conjunction with (3) of the German General Tax Code (AO), Section 14b (1) of the German VAT Act (UStG), Section 257 (1) No. 1 in conjunction with (4) of the German Commercial Code (HGB)).
• 8 years: Accounting documents, such as invoices, booking and expense receipts (Section 147 (1) No. 4 and 4a in conjunction with (3) of the AO; Section 257 (1) No. 4 in conjunction with (4) of the HGB).
• 6 years: Other business documents to the extent that they are significant for taxation purposes (Section 147 (1) No. 2, 3, 5 in conjunction with (3) AO; Section 257 (1) No. 2 and 3 in conjunction with (4) HGB).
• 3 years: Data required to consider potential warranty and compensation claims or similar contractual claims and rights, in line with the regular statutory limitation period of three years (Sections 195, 199 of the German Civil Code).

Rights of data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to revoke consents at any time. Please note that withdrawing your consent to AI processing may result in the programme no longer being available in its AI-supported form, since the AI-supported coach is a core component of Quitora.
• Right of access: You have the right to request confirmation as to whether the data in question is being processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
• Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
• Right to erasure and right to restriction of processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted. The app provides a function to fully delete your account at any time.
• Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
• Right to lodge a complaint with a supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement.

Business services

We process personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners (collectively referred to as "Contractual Partners"), for the initiation, execution and settlement of contractual relationships as well as comparable legal relationships.

• Processed data types: Inventory data (e.g. full name, residential address, contact information, customer number); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Contract data (e.g. contract object, duration, customer category).
• Data subjects: Service recipients and clients; Prospective customers; Business and contractual partners.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; Communication; Office and organisational procedures.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Provision of mobile applications: We process the data of our customers and users in order to provide them with our contractual services within the scope of the provision and operation of our mobile applications, as well as to ensure the security, availability and further development of our services; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
• Provision of software and platforms: We process the data of our customers and users in order to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our offer and to develop it further; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
• Device authorisations: The use of our application or its functionalities may require user authorisations to access certain device functions (e.g. for audio playback of meditations). By default, these authorisations must be granted by the user and can be revoked at any time in the device settings. The refusal or revocation of such authorisations may affect the functionality of our application.

Business processes and operations

Personal data of service recipients and clients including customers are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relations. This data processing supports business processes in areas such as customer management, sales, payment transactions, accounting and project management.

• Processed data types: Inventory data; Payment data; Contact data; Content data; Contract data; Usage data; Meta, communication and process data; Log data.
• Data subjects: Service recipients and clients; Prospective customers; Communication partner; Business and contractual partners; Employees; Third parties; Customers.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Office and organisational procedures; Business processes and management procedures; Information technology infrastructure; Financial and payment management; Communication.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Customer Management and CRM: Processes required in the context of customer management; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
• General Payment Transactions: Procedures required for carrying out payment transactions, monitoring bank accounts and controlling payment flows; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Use of online platforms for listing and sales purposes

We offer our services on online platforms operated by other service providers. In addition to our privacy policy, the privacy policies of the respective platforms apply.

• Processed data types: Inventory data; Payment data; Contact data; Contract data; Usage data; Meta, communication and process data.
• Data subjects: Service recipients and clients; Business and contractual partners.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Marketing; Business processes and management procedures.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Apple App Store: App and software distribution platform; Service provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.apple.com/app-store/; Privacy Policy:https://www.apple.com/privacy/privacy-policy/.
• Google Play: App and software distribution platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy: https://policies.google.com/privacy.

Providers and services used in the course of business

As part of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (in short, "services") in compliance with legal requirements.

• Processed data types: Inventory data; Payment data; Contact data; Content data; Contract data.
• Data subjects: Service recipients and clients; Prospective customers; Business and contractual partners; Employees.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Office and organisational procedures; Business processes and management procedures.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nürnberg, Germany; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy:https://www.datev.de/web/de/m/ueber-datev/datenschutz/; Data Processing Agreement: Provided by the service provider.

Payment procedure

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options. Quitora distinguishes between two payment channels:

Mobile app (iOS, later Android): Billing is processed exclusively via the payment processing of the relevant app store (Apple In-App Purchase, possibly later Google Play Billing). We only receive confirmations of completed payments and transaction IDs; account or credit card information is not disclosed to us.

Web app (use of Quitora exclusively via the browser on a PC, without the mobile app): Billing is processed via the payment service provider Stripe. Stripe processes payment data (in particular credit card or bank account information) independently in its role as payment service provider. We only receive confirmations of completed payments and transaction IDs.

Additionally, the terms and conditions and privacy notices of the respective providers apply to the payment transactions.

• Processed data types: Inventory data; Payment data; Contract data; Usage data; Meta, communication and process data; Contact data.
• Data subjects: Service recipients and clients; Business and contractual partners; Prospective customers.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Business processes and management procedures; Provision of our online services and usability.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• RevenueCat: Management of subscriptions (recurring payments) and integration with app stores for the automation of payment processing; Service provider: RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.revenuecat.com/; Privacy Policy: https://www.revenuecat.com/privacy/; Basis for third-country transfers: Standard Contractual Clauses, Data Processing Agreement.
• Stripe (web payments for users without the mobile app): Payment service (technical integration of online payment methods, processing of credit card and bank account information); Service provider: Stripe Payments Europe Ltd. (for EU/EEA), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (contracting party) and Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA (parent company); Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Website: https://stripe.com; Privacy Policy:https://stripe.com/en-de/privacy; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.

Provision of the web app and hosting

For users who use Quitora as a web app via the browser on a PC, we process the data necessary to deliver the web app. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of the web app to the user's browser.

• Processed data types: Usage data; Meta, communication and process data (e.g. IP addresses, timestamps); Log data (e.g. log files concerning logins).
• Data subjects: Users of the web app.
• Purposes of processing: Provision of the web app and usability; Information technology infrastructure; Security measures.
• Retention and deletion: Log file information is stored for a maximum period of 30 days and then deleted or anonymised.
• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• ALL-INKL: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: ALL-INKL.COM, Neue Medien Münnich, Inhaber: René Münnich, Hauptstrasse 68, 02742 Friedersdorf, Germany; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy: https://all-inkl.com/datenschutzinformationen/; Data Processing Agreement: Provided by the service provider.

Processing of data in the context of applications (apps)

We process the data of the users of our application to the extent necessary to provide the users with the application and its functionalities, to monitor its security and to develop it further. Furthermore, we may contact users in compliance with the statutory provisions if communication is necessary for the purposes of administration or use of the application.

Legal basis: The processing of data necessary for the provision of the functionalities of the application serves to fulfil contractual obligations. If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests, it is carried out on the basis of our legitimate interests. If users are expressly requested to give their consent to the processing of their data, the data covered by the consent is processed on the basis of the consent.

• Processed data types: Inventory data; Usage data; Meta, communication and process data; Payment data; Contract data.
• Data subjects: Users.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Security measures; Provision of our online services and usability.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Device authorisations for access to functions and data: The use of our application or its functionalities may require user authorisations for access to certain functions of the devices used (e.g. audio playback of meditations). By default, these authorisations must be granted by the user and can be revoked at any time in the device settings. We point out that the refusal or revocation of the respective authorisations may affect the functionality of our application.
• No location history and no movement profiles: Location data are not processed. The app does not create a location history or movement profile of the devices used or of their users.

Functions of the Quitora programme

Within the Quitora App we provide our users with a structured behaviour change programme aimed at smoking cessation. The programme consists of a 90-day base phase and an optional follow-up programme. The following functions collect and process personal data:

Daily lessons and reflection questions: Users receive a daily reading content (Lesson) for the reflection of their smoking behaviour. Following each reading content, reflection questions are presented which the user answers in the Coach Chat. The user's reflection answers are stored and processed within the framework of the AI-supported guidance (see section "Artificial intelligence").

Coach Chat (Day 1 to 90): In the Coach Chat, users formulate their reflection answers and receive AI-supported feedback to deepen the engagement with their smoking behaviour. The contents of the Coach Chat are stored and transmitted to Anthropic PBC (see section "Artificial intelligence"). Since the contents typically include health-related information about smoking and addictive behaviour, we obtain your explicit consent under Article 9 (2) (a) GDPR before the first use of the Coach Chat.

Emergency Chat (from Day 61): From Day 61 of the programme an Emergency Chat is available to support users in acute risk situations or crisis moments. The contents of the Emergency Chat are stored and transmitted to Anthropic PBC (see section "Artificial intelligence"). Due to the particular sensitivity of these contents, increased protective measures and a shorter retention period apply (90 days from entry, then automated deletion). We obtain your explicit consent under Article 9 (2) (a) GDPR before the first use. Please also refer to the section "Emergency chat and crisis notice".

Challenge Chat (from Day 91, in the follow-up programme): In the follow-up programme from Day 91 onwards, users can take part in weekly challenges. In the associated Challenge Chat, the active weekly task and the user's individual experiences are reflected upon. The contents are stored and transmitted to Anthropic PBC (see section "Artificial intelligence"). Here too we obtain your explicit consent under Article 9 (2) (a) GDPR before the first use.

Smoke-free Tracker and Streak (from Day 61): In the smoke-free tracker, users document their smoke-free days. The streak function counts uninterrupted smoke-free days since the day of the last cigarette (Day 60) or since the last manual reset. These data are entered exclusively at the user's request and stored for the duration of the user's account.

Running programme: The running programme provides users with instructions for physical activity in the context of smoking cessation. Only the manually entered activity completions ("session completed") are recorded. Location data, GPS tracking and sensor data are not processed.

Audio meditations: Guided meditation sessions are available in the audio meditations area. We record which meditation was accessed at which time, in order to display the personal overview in the user's account. No content recording takes place.

Impulse exercises: Short exercises for the engagement with smoking behaviour are available in the impulse exercises area. We record which exercise was accessed at which time.

• Processed data types: Content data (reflection and chat inputs, health-related information about smoking and addictive behaviour); Usage data (Lesson accesses, tracker entries, meditation accesses, running programme activities); Contract data (day in the programme, programme phase).
• Data subjects: Users.
• Purposes of processing: Provision of contractual services (programme delivery); AI-supported reflection and crisis guidance; Behaviour change support within the Quitora programme.
• Retention and deletion: Specific periods see section "General information on data retention and deletion". Emergency Chat content is automatically deleted 90 days after entry.
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR) as well as explicit consent to the processing of health-related content (Article 9 (2) (a) GDPR).

Purchase of applications via appstores

The purchase of our application is done via special online platforms operated by other service providers (so-called "appstores"). In this context, the privacy notices of the respective appstores apply in addition to our privacy notices. This applies in particular with regard to the methods used on the platforms for performance measurement and interest-related marketing as well as possible costs.

• Processed data types: Inventory data; Payment data; Contact data; Contract data; Usage data; Meta, communication and process data.
• Data subjects: Service recipients and clients; Users.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Provision of our online services and usability.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Apple App Store: App and software distribution platform; Service provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy: https://www.apple.com/privacy/privacy-policy/.
• Google Play: App and software distribution platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy: https://policies.google.com/privacy.

Registration, login and user account

Users can create a user account. Within the scope of registration, the required mandatory information is communicated to the users and processed for the purposes of providing the user account on the basis of contractual fulfilment of obligations. The processed data includes in particular the login information (pseudonym/username, password and an e-mail address).

During registration we additionally obtain your consents to the processing of health-related content (Article 9 (2) (a) GDPR) as well as to the AI-supported processing of your inputs by Anthropic PBC. Without these consents the programme cannot be carried out.

Within the scope of using our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action for the purpose of protection against misuse and other unauthorised use.

• Processed data types: Inventory data; Contact data; Content data; Usage data; Log data.
• Data subjects: Users.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Security measures; Organisational and administrative procedures; Provision of our online services and usability.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion". Deletion after termination.
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Registration with pseudonyms: Users may use pseudonyms as user names instead of real names.
• User profiles are not public: User profiles are not publicly visible or accessible.
• Account deletion in the app: The app settings provide a function to fully delete the user account and the associated data. Subject to statutory retention obligations, all personal data are irrevocably deleted.
• Deletion of data after termination: If users have terminated their user account, their data relating to the user account will be deleted, subject to any legal permission, obligation or consent of the users.
• No obligation to retain data: It is the responsibility of the users to secure their data before the end of the contract in the event of termination. We are entitled to irrevocably delete all user data stored during the term of the contract.

Contact and inquiry management

When contacting us (e.g. via mail, contact form, e-mail, telephone) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

• Processed data types: Contact data; Content data; Meta, communication and process data.
• Data subjects: Communication partner.
• Purposes of processing: Communication; Organisational and administrative procedures; Feedback; Provision of our online services and usability.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Performance of a contract (Article 6 (1) (b) GDPR).

Artificial intelligence (AI)

We use Artificial Intelligence (AI) as a core component of our programme to provide users with reflective guidance and support throughout the smoking cessation process. By "AI" we understand, in line with the term "AI system" as defined in Article 3 No. 1 of the AI Regulation, a machine-based system designed for varying degrees of autonomous operation, capable of producing outputs such as predictions, content, or recommendations from given inputs.

Our AI systems are used in strict compliance with legal requirements. These include both specific regulations for artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimisation as well as confidentiality. We ensure that the processing of personal data is always based on a legal foundation – in the Quitora context this is the performance of a contract pursuant to Article 6 (1) (b) GDPR as well as your explicit consent pursuant to Article 9 (2) (a) GDPR for the processing of health-related content.

When using external AI systems, we carefully select their providers. In accordance with our legal obligations, we ensure that the AI providers comply with applicable provisions. We have concluded a Data Processing Agreement (DPA) and Standard Contractual Clauses with our AI provider.

• Processed data types: Content data (reflection and chat inputs of users, including health-related information on smoking and addictive behaviour); Usage data (accesses to chat functions, timestamps).
• Data subjects: Users.
• Purposes of processing: AI-supported reflection, challenge and crisis guidance within the Quitora programme; Provision of the contractually agreed AI functions.
• Retention and deletion: Coach Chat content: until programme end + 30 days. Emergency Chat content: 90 days from entry, then automated deletion. Challenge Chat content: until follow-up programme end + 30 days.
• Legal basis: Performance of a contract (Article 6 (1) (b) GDPR) as well as explicit consent to the processing of health-related data (Article 9 (2) (a) GDPR).

Further information on processing methods, procedures and services used:

• Claude API (Anthropic): We use the Claude API of Anthropic PBC for three processing contexts within the Quitora programme: (a) in the daily Coach Chat (Day 1-90) for reflective guidance on the lesson contents and the user's engagement with their own smoking behaviour; (b) in the Emergency Chat (from Day 61) for supportive guidance in acute risk situations and crisis moments; (c) in the Challenge Chat for the weekly challenges (from Day 91, in the follow-up programme) for the reflection of the active weekly task.In all three contexts, the following data is transmitted to Anthropic and processed there to generate the respective response:
  • The user's inputs (reflection answers, descriptions of smoking and addictive behaviour, trigger situations, crisis content).
  • The current day in the program (day 1–90 of the base program, or week of the follow-on program), so the AI can take the relevant lesson reference and progression into account.
  • Where useful for a personalised response: selected onboarding information about the user's prior smoking behaviour (duration of smoking in life-years, average daily consumption, price per pack in the selected currency) as well as the resulting calculated money saved since day 60. This information is used solely to calibrate the AI's reply individually (e.g. tone, time reference, financial anchor) and is not processed for any further purpose.

  Explicitly no real names, email addresses, IP addresses, passwords, payment data or other account master data are transmitted to Anthropic. The link with the user account is established exclusively via a pseudonymous, internally assigned identifier.

  The transmitted contents are processed by Anthropic exclusively for generating the response and are not used for training or further development of the AI models (Zero-Retention for training purposes pursuant to the Anthropic Commercial Terms). Anthropic further processes the data for ensuring service quality, identifying and correcting technical errors, and ensuring the security and integrity of the AI services; no further use takes place; Service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR; the AI-supported reflection, challenge and crisis guidance is a core component of the booked programme) as well as explicit consent to the processing of health-related content (Article 9 (2) (a) GDPR). Consent is obtained separately during onboarding and may be revoked at any time with effect for the future; revocation results in the termination of the AI-supported programme components; Website: https://www.anthropic.com/; Privacy Policy: https://www.anthropic.com/legal/privacy; Data Processing Agreement (DPA):https://www.anthropic.com/legal/data-processing-addendum; Basis for third-country transfers: EU-US Data Privacy Framework (Anthropic PBC is listed as a certified organisation, available at https://www.dataprivacyframework.gov) and additionally Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914, agreed in the Data Processing Agreement with Anthropic.

Emergency chat and crisis notice

Quitora is not a medical device and does not replace medical, psychotherapeutic or psychological advice or treatment. The Emergency Chat within the Quitora App serves as supportive guidance in risk situations in the context of smoking cessation; it is not an emergency or crisis service.

In the event of acute medical or psychological complaints, please contact emergency services, a physician, or an on-call psychotherapeutic service in your country immediately. Additionally, please use the available helpline and addiction support services in your country; the relevant points of contact can be found via official health or emergency portals.

The Emergency Chat in the app cannot replace timely, in-person help in acute crises. We treat the contents of the Emergency Chat with particular confidentiality and a shorter retention period (90 days from entry, then automated deletion).

Cloud services

We use Internet-accessible software services (so-called "cloud services", also referred to as "Software as a Service") provided on the servers of their providers for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).

Within this framework, personal data may be processed and stored on the provider's servers insofar as this data is part of communication processes with us or is otherwise processed by us in accordance with this privacy policy.

• Processed data types: Inventory data; Contact data; Content data; Usage data; Meta, communication and process data.
• Data subjects: Prospective customers; Communication partner; Business and contractual partners; Users; Third parties.
• Purposes of processing: Office and organisational procedures; Information technology infrastructure; Security measures; Provision of our online services and usability; Organisational and administrative procedures; Business processes and management procedures.
• Retention and deletion: Deletion in accordance with the information provided in the section "General information on data retention and deletion".
• Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Consent (Article 6 (1) (a) GDPR).

Further information on processing methods, procedures and services used:

• Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy:https://policies.google.com/privacy; Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.
• Firebase: Platform for developers of applications for mobile devices and websites; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Website:https://firebase.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.
• Firebase Authentication: Authentication of users, management of user accounts, password reset, email/password login, login with third-party providers, multi-factor authentication; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Website: https://firebase.google.com/products/auth; Basis for third-country transfers: Data Privacy Framework (DPF).
• Cloud Firestore: Storage and real-time synchronisation of data between clients and the cloud; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; Legal basis: Performance of a contract (Article 6 (1) (b) GDPR); Website:https://firebase.google.com/products/storage; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.

Conversion measurement and funnel analytics

We use analytics tools to evaluate the usage of our app in a pseudonymous form. The purpose is to understand at which points users leave the app or run into difficulties, so we can iterate on and improve the app in a targeted way.

The collection takes place on the basis of our legitimate interest in continuously improving the app. Only pseudonymised data is collected; there is no link with your user account, and no advertising identifiers (such as IDFA or AAID) are processed.

You can object to this collection at any time by turning off the corresponding switch in the app under "Settings". An objection stops the collection for your device immediately.

• Types of data processed: Usage data (e.g. screens viewed, session duration, abandoned flows); meta, communication and procedural data (e.g. device and operating-system category, approximate country-level location, pseudonymous installation ID).
• Data subjects: Users.
• Purposes of processing: Conversion measurement; provision of our online offering and user experience; business processes and business-management procedures.
• Retention and deletion: Pseudonymised analytics data is retained for a maximum of 14 months and then automatically deleted. An objection by the user stops the collection immediately; already-collected pseudonymous data remains until the retention period expires.
• Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information:

• Firebase Analytics (Google Analytics for Firebase): Pseudonymous usage analytics for mobile apps. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
• Data processed:pseudonymous installation ID, device and operating-system category, approximate country-level location, app version, event and screen data (e.g. about opening the onboarding flow or submitting a reflection). No advertising identifiers (IDFA, AAID) are processed, no personal device fingerprinting is performed, no link is established with the Firebase Auth user account, and no content data or reflection answers are transferred to Firebase Analytics.
• Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Privacy policy: https://policies.google.com/privacy.
• Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses. Right to object: at any time in the app under "Settings".

Changes and updates

We kindly ask you to inform yourself regularly about the contents of our privacy policy. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organisations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.

Terminology and definitions

In this section, you will find an overview of the terminology used in this privacy policy. Where the terminology is legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

• Inventory data: Inventory data encompass essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments. These data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs).
• Content data: Content data comprise information generated in the process of creating, editing, and publishing content of all types. In the Quitora context this includes in particular reflection answers, chat inputs, and health-related descriptions of smoking and addictive behaviour.
• Contact data: Contact data are essential information that enables communication with individuals or organisations. They include phone numbers, postal addresses, and email addresses, as well as means of communication like social media handles and instant messaging identifiers.
• Artificial Intelligence (AI): The purpose of processing data through Artificial Intelligence (AI) in the Quitora context comprises the automated analysis and processing of users' reflection and chat inputs in order to generate tailored responses and reflection impulses. The processing is based on the performance of a contract and on the explicit consent of the users.
• Meta, communication and process data: These categories contain information about how data is processed, transmitted, and managed, including IP addresses, timestamps, identification numbers and involved parties.
• Usage data: Usage data refer to information that captures how users interact with digital products, services or platforms – including which features are used, how long users spend on specific pages, and through what paths they navigate the application.
• Personal Data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject").
• Log data: Log data refer to information regarding events or activities that have been logged within a system or network, including timestamps, IP addresses, user actions, and error messages.
• Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation, performed with or without the help of automated procedures, in connection with personal data, including collection, evaluation, storage, transmission and deletion.
• Contract data: Contract data are specific details pertaining to the formalisation of an agreement between two or more parties, including contract object, duration and conditions.
• Payment data: Payment data comprise all information necessary for processing payment transactions. In the Quitora mobile app, payment data are processed exclusively via the respective app store providers (Apple, Google); for web purchases via Stripe.
• Health-related content: In the Quitora context, health-related content covers all information that users provide as part of their reflection on smoking and addictive behaviour, including descriptions of trigger situations, relapses and crisis moments. The processing is based exclusively on the explicit consent pursuant to Article 9 (2) (a) GDPR.