We, Otternway UG (haftungsbeschränkt), take the protection of your personal data very seriously and strictly adhere to the applicable data protection laws, particularly the General Data Protection Regulation (GDPR).

In the following, we inform you about how we process your personal data when using our web application "LYFA - Leave Your Face Alone."

"LYFA - Leave Your Face Alone" is an application that monitors your hand and face movements using your webcam to detect unwanted habits, such as nail biting, and reminds you to interrupt them through notifications.

For any questions regarding data protection, you can contact us at any time via info@otternway.com.

Last updated: 27.04.2025

---

The following provides an overview of what data we collect, how we use it, and what rights you have regarding your data.

Responsible Entity

Data processing on this website is carried out by the website operator. You can find our contact details in the Responsible Entity section of this privacy policy.

How Do We Collect Your Data?

• Direct Data: Data you voluntarily provide to us via contact forms or other communication channels.
• Automatically Collected Data: Technical data such as internet browser, operating system, and time of access, which are automatically collected when you visit the website.
• Video and Motion Data: When using "LYFA - Leave Your Face Alone", we collect video recordings and hand movement data via your webcam to analyze your behavior and trigger reminders.

What Do We Use Your Data For?

• Providing and maintaining the website: Ensuring error-free functionality.
• Analyzing user behavior: Understanding browsing behavior to improve our services.
• Contract processing: Handling data for contract offers, orders, or other service requests.
• Functionality of LYFA: Using video and motion data to detect unwanted habits and provide reminders.

Storage Duration

Unless a specific retention period is mentioned in this privacy policy, your personal data will remain with us until the purpose of data processing no longer applies.

If you make a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons to retain your personal data (e.g., tax or commercial retention obligations); in such cases, deletion will occur after these obligations cease to apply.

You have the right to:

• Access: Information about your stored personal data.
• Correction: Rectification of incorrect data.
• Deletion: Erasure of your data.
• Restriction of Processing: Limiting how your data is processed.
• Data Portability: Transfer of your data.
• Objection: Object to the processing of your data.

Additionally, you have the right to file a complaint with the competent data protection authority.

For any questions regarding data protection, you can contact us at any time via info@otternway.com.

---

When you visit this website, your browsing behavior may be analyzed using analytics tools. More information on this can be found in the following sections of this privacy policy.

PostHog Product Analytics

We use PostHog to anonymously track how you interact with LYFA - Leave Your Face Alone. PostHog helps us understand how our users interact with our application so we can improve our services. PostHog uses an anonymized identifier to track your usage of LYFA - Leave Your Face Alone. If you accept our analytics cookies, this identifier is stored as a cookie in your browser. If you decline our analytics cookies, this identifier is stored in your browser's localStorage and is never used to personally identify you. For the localStorage - if you close your browser or manually delete your localStorage, this identifier will be lost and no longer be associated with your device.

All analytics data is processed in accordance with GDPR and is never used to personally identify you. For more information about PostHog, visit https://posthog.com.

Also see the section "Cookies and Tracking Technologies" for more information.

---

The processing of your personal data is based on the following legal grounds:

• Consent (Art. 6(1)(a) GDPR):
  You have given us explicit consent to process certain personal data, such as using your webcam and processing your motion data within the "LYFA - Leave Your Face Alone" web application. You can withdraw your consent at any time.

• Contract Performance (Art. 6(1)(b) GDPR):
  Processing is necessary for fulfilling a contract with you or for pre-contractual measures.

• Legal Obligation (Art. 6(1)(c) GDPR):
  We are legally required to process certain data, such as fulfilling tax obligations.

• Legitimate Interests (Art. 6(1)(f) GDPR):
  We process your data to safeguard our legitimate interest in providing and improving our services reliably, provided your interests or fundamental rights and freedoms do not outweigh ours.

• Special Legal Grounds:
  If we process personal data belonging to special categories (Art. 9 GDPR), this is based on your explicit consent or other specific legal provisions.

The specific legal basis for each data processing activity can be found in the following sections of this privacy policy.

---

As part of our business activities, we collaborate with various external entities. In some cases, the transfer of personal data to these external entities is necessary. We only share personal data with third parties in the following cases:

• Contract Performance: To provide our services, such as with hosting providers (e.g., Hetzner Online GmbH) or analytics tools.
• Legal Obligation: For example, when transferring data to tax authorities or other legally required entities.
• Legitimate Interests: When there is a legitimate interest in sharing data, and your interests do not outweigh ours.
• Consent: When you have explicitly agreed to share your data with specific third parties.

When using data processors, we share personal data of our users only based on a valid data processing agreement. In the case of joint processing, a joint processing agreement is established.

Examples of Recipients:

• Hosting Provider:
  Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, responsible for hosting our web application and backend services.

---

The entity responsible for data processing on this website is:

Otternway UG (haftungsbeschränkt)
Amtsgericht Tostedt (Germany)
HRB 211390

Otternweg 3
21629 Neu Wulmstorf
Germany

Email: info@otternway.com

---

• Direct Data: Information you voluntarily provide to us via contact forms or other communication channels.
• Technical Data: Automatically collected data such as internet browser, operating system, IP address, and time of access.
• Video and Motion Data: When using LYFA - Leave Your Face Alone we analyse the videostream of your (web) camera to detect hand and face movements.
• Tracking Data: We collect tracking data about the usage of LYFA - Leave Your Face Alone to improve the application and analytics for you.
• Event Data: When events (e.g. notification/reminder, etc.) occur we store them in our backend together with your account data to create a history of your actions and notifications.

• Direct Collection: Data that you actively enter, such as in contact forms.
• Automatic Collection: Technical data is automatically collected by our IT systems as soon as you visit the website.
• Video and Motion Data: Data is collected through access to your webcam to analyze video and motion data in real-time. This occurs only with your explicit consent and only locally on your device.
• Tracking Data: We collect tracking data about the usage of LYFA - Leave Your Face Alone to improve the application and analytics for you.

---

We process your personal data for the following purposes:

• Functionality of LYFA: Ensuring the error-free operation and functionality of our web application.
• Account Management: Managing your account and user data.
• Behavior Analysis: Analyzing your hand and face movements to detect unwanted habits such as nail-biting.
• Notifications: Triggering notifications when certain movements are detected to remind you to interrupt unwanted behaviors.
• Service Improvement: Analyzing collected data to continuously improve and develop LYFA.
• Personalization of User Experience: Adapting the application to individual usage habits and needs.

---

The processing of your personal data is based on the following legal grounds:

• Consent (Art. 6(1)(a) GDPR):
  You have given us explicit consent to process your video and motion data. You can withdraw this consent at any time without affecting the lawfulness of the processing carried out before the withdrawal. You can revoke your consent in the application settings.

• Contract Performance (Art. 6(1)(b) GDPR):
  Processing is necessary to fulfill a contract with you or to take pre-contractual measures.

• Legitimate Interests (Art. 6(1)(f) GDPR):
  To protect our legitimate interests, such as improving our services and user experience, provided that your interests or fundamental rights and freedoms do not outweigh ours.

---

Retention Period of Your Data

• Direct Data: Data that you voluntarily provide (e.g., via contact forms) is stored as long as necessary to fulfill the respective purpose. Once processing is completed, these data are deleted unless legal retention obligations apply.
• Technical Data: Automatically collected technical data, such as internet browser, operating system, and IP address, are stored for a maximum of 30 days and then automatically deleted.
• Video and Motion Data: The video and motion data itself is real-time processed locally on your device for the duration of your active use of LYFA - Leave Your Face Alone.
• Event Data: We store events (e.g. notifications, reminders, etc.) in our backend together with your account data. This data will be stored as long as your account exists.

Deletion Criteria

We delete your personal data as soon as the purpose of storage no longer applies and no legal retention obligations exist. This specifically includes:

• Termination of your use of LYFA.
• Withdrawal of your consent for data processing.
• Completion and fulfillment of contractual obligations.

---

Your personal data will only be shared with third parties if:

• Legally Required: For example, to comply with legal obligations.
• Contractually Necessary: To provide our services, such as with hosting providers or third-party providers essential for the operation of LYFA.
• With Your Consent: You have explicitly agreed to share your data with specific third parties.

Possible Recipients:

• Hosting Providers: For the provision and maintenance of the web application.
• Analytics Tools: If we use external analytics tools to monitor user behavior and improve our services.

International Data Transfers

If your data is transferred outside the EU/European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, such as by concluding Standard Contractual Clauses (SCCs).

---

We implement comprehensive technical and organizational measures to protect your personal data from unauthorized access, loss, or destruction. These include:

• Encryption: All data transmissions between your device and our servers are secured using SSL/TLS encryption.
• Access Controls: Strict access restrictions ensure that only authorized personnel have access to your data.
• Regular Security Audits: Our systems are regularly checked and updated to address security vulnerabilities.
• Data Backup Measures: Regular backups ensure that your data can be restored in case of data loss.

Despite all security measures, absolute security cannot be guaranteed. However, we do everything in our power to protect your data as effectively as possible.

---

You have the right to:

• Access (Art. 15 GDPR): Receive free information about your stored personal data, its origin, recipients, and the purpose of processing.
• Rectification (Art. 16 GDPR): Correct inaccurate or incomplete data.
• Erasure (Art. 17 GDPR): Request the deletion of your data, provided no legal retention obligations exist.
• Restriction of Processing (Art. 18 GDPR): Restrict the processing of your data under certain conditions.
• Data Portability (Art. 20 GDPR): Receive your data in a structured, commonly used, and machine-readable format.
• Objection (Art. 21 GDPR): Object to the processing of your data for reasons arising from your particular situation.
• Right to Withdraw Consent: If data processing is based on your consent, you can withdraw this consent at any time without providing reasons, effective for the future.
• Right to Lodge a Complaint: If you believe that the processing of your data violates the GDPR, you have the right to file a complaint with a supervisory authority.

Exercising Your Rights

To exercise your rights, please contact us at:

info@otternway.com

We utilize cookies and similar tracking technologies to gather and store information about how you interact with our Services. You have the option to manage your cookie preferences through your browser settings. However, please note that disabling certain cookies may impact the functionality of our site.

We use the following types of cookies:

• Essential Cookies: Required for core functionality and seamless operation of LYFA, such as session management, authentication, and subscription state tracking; includes both session and persistent cookies.
• Analytics Cookies: Help us understand user behavior on our website and continuously improve our services. They can be used for audience measurement or to evaluate the effectiveness of marketing campaigns. The storage of these cookies is based on Article 6(1)(a) GDPR, provided explicit user consent has been obtained. Otherwise we only use an identifier which is stored in your browser's localStorage which is automatically deleted when you close your browser. Neither of these are used to identify you personally but only help us to understand how our users in general use our services.

Legal Basis: Art. 6(1)(b) GDPR – necessary for contract performance; no consent required.

---

We reserve the right to modify this privacy policy as needed to comply with legal requirements or to reflect changes in our services. Any updates will be published on this page and will take effect upon publication. The date of the last update is indicated at the top of the introduction.

We recommend that you review this privacy policy regularly to stay informed about how we protect your data.

---

If you have any questions about this privacy policy or the processing of your personal data, please feel free to contact us at any time:

Otternway UG (haftungsbeschränkt)
Otternweg 3
21629 Neu Wulmstorf
Germany

Email: info@otternway.com

---

Consent to Data Processing

When using LYFA - Leave Your Face Alone, your video and motion data will only be collected and processed with your explicit consent. You must agree to the use of your webcam and the processing of your motion data before you can use LYFA.

Withdrawal of Consent

You can withdraw your consent to the processing of your personal data at any time without providing a reason. The withdrawal can be made by contacting us via the methods provided in the Contact Information section.

After withdrawal, we will cease processing your data and delete it in accordance with the deletion criteria outlined in the Data Storage and Deletion section.

---

We collect and process only the personal data necessary for the provision and improvement of LYFA - Leave Your Face Alone. This means that we only capture video and motion data required to detect unwanted habits and trigger appropriate reminders. No unnecessary data is collected or stored.

Automated Processing

LYFA - Leave Your Face Alone uses automated algorithms to analyze your hand and face movements. These algorithms detect patterns and motions associated with unwanted habits and trigger corresponding reminders.

Processing Logic

• The algorithm analyzes real-time motion data to determine whether specific actions, such as nail-biting, are occurring.
• Based on this analysis, notifications are generated to remind you to interrupt the unwanted habit.

Effects of Automated Decisions

These automated processes are solely designed to enhance your user experience and assist you in reducing unwanted habits. No profiling, categorization, or evaluation of your personal identity takes place.

Automated Decision-Making

Our service does not include fully automated decision-making processes that have legal or similarly significant effects on you. If you have any questions about our processes, you are welcome to contact us at any time.

Data Transfers to Third Countries

Your personal data is primarily processed and stored within the European Economic Area (EEA). If a transfer of your data to a third country (outside the EEA) is necessary, we ensure that appropriate safeguards are implemented in accordance with applicable data protection laws, such as the conclusion of Standard Contractual Clauses (SCCs).

However, when using certain services, your data may be transferred to a third country (e.g., the United States). This primarily applies to the use of payment service providers (e.g., Creeme.io or Stripe). Please note that the U.S. does not currently offer a level of data protection comparable to the GDPR.

To still ensure the protection of your data, we enter into Standard Contractual Clauses (SCCs) with the respective service providers and implement additional security measures where possible.

If any changes occur, we will inform you in advance and take the necessary protective measures.

---

To provide and improve "LYFA - Leave Your Face Alone," we collaborate with various third-party providers that perform specific services on our behalf. These providers have access only to the data necessary to fulfill their tasks and are contractually obligated to comply with data protection laws.

Examples of Third-Party Providers:

• Hosting Provider:
  Hetzner, responsible for hosting our web application. More details can be found in the Hosting section of this privacy policy.

We use Creem by Armitage Labs OÜ as our payment service provider to facilitate secure transactions. Creeme.io processes payments via Stripe, which acts as a payment gateway. When you make a purchase, certain personal data is shared with these third parties to process your payment securely.

Data Processed:

• Name
• Email address
• Billing address
• Payment details (e.g., credit card, bank information)
• Transaction data (e.g., amount, currency, timestamp)

Legal Basis: We process payment data under Art. 6(1)(b) GDPR ("performance of a contract"), as this is necessary to fulfill your purchase.

Third-Party Payment Providers:

Payments are processed by:

Creem
Provider: Armitage Labs OÜ
Kreiukse tee 5, Randvere, 74016 Harju maakond, Estonia
For further information please refer to the privacy policy of Creeme.io: https://www.creem.io/privacy

Stripe
Provider: Stripe Inc.
354 Oyster Point Blvd, South San Francisco, CA 94080, USA
For further information please refer to the Privacy Policy of Stripe: https://stripe.com/privacy

Data Transfer Outside the EU:
Since Stripe operates globally, data may be transferred outside the European Economic Area (EEA), including the USA. Stripe complies with GDPR through Standard Contractual Clauses (SCCs) and other appropriate safeguards.

"LYFA - Leave Your Face Alone" is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16 years of age.

If we become aware that a child under 16 has provided personal data without parental or guardian consent, we will delete this data immediately.

If you are a parent or guardian and believe that your child has used our services without your consent, please contact us immediately at info@otternway.com so we can remove the relevant data.

---

"LYFA - Leave Your Face Alone" processes your video and motion data in real-time on your device. Data collection and analysis occur locally on your device, without raw data being transmitted to our servers.

Only anonymized analysis results, which do not allow for any identification of your person, may be stored on our servers to improve our services.

Technologies Used:

• Webcam Access:
  We use your browser's API to access the webcam and capture video and motion data.

• Local Processing:
  Data analysis is performed using an integrated algorithm within the application that detects unwanted habits and triggers corresponding reminders.

---

We host the content of our website and web applications, including the backend with user accounts and user statistics, with the following provider:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
(referred to as "Hetzner")

For more information about data protection at Hetzner, please refer to Hetzner's Privacy Policy:
https://www.hetzner.com/legal/privacy-policy/

Legal Basis for Processing

The use of Hetzner is based on Article 6(1)(f) GDPR. We have a legitimate interest in ensuring the reliable provision of our website and applications.

If explicit consent has been obtained, processing is also based on Article 6(1)(a) GDPR and § 25(1) TTDSG, insofar as consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.

Data Processing Agreement (DPA)

We have entered into a Data Processing Agreement (DPA) with Hetzner in accordance with Article 28 GDPR. This agreement ensures that Hetzner processes the personal data of our website visitors only according to our instructions and in compliance with GDPR regulations.

Data Transfers

The data stored with our cloud provider Hetzner is processed and stored exclusively within the European Union (EU) or the European Economic Area (EEA). No data transfers to third countries take place.

However, data processed in the context of payment transactions may be transferred to payment service providers in third countries (e.g., the USA). Further information can be found in the Payment Service Providers section of this privacy policy.

Our websites and web applications, including "LYFA - Leave Your Face Alone," use cookies and similar tracking technologies. Cookies are small data packets stored on your device that do not cause any harm. They serve various purposes and are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit, while persistent cookies remain stored on your device until you delete them yourself or they are automatically removed by your browser.

Types of Cookies

• First-Party Cookies: Set directly by us, the operator of this website. These enable essential functions such as navigation on the website and the use of services like the shopping cart.
• Third-Party Cookies: Set by external companies that provide services for us, such as analyzing user behavior or integrating payment services.

Functions of Cookies

• Necessary Cookies: Essential for the operation of the website, enabling core functions such as shopping cart functionality or video display. These cookies are stored based on Article 6(1)(f) GDPR, as we have a legitimate interest in providing our services in a technically flawless and optimized manner.
• Analytics Cookies: Help us understand user behavior on our website and continuously improve our services. They can be used for audience measurement or to evaluate the effectiveness of marketing campaigns. The storage of these cookies is based on Article 6(1)(a) GDPR, provided explicit user consent has been obtained.

Legal Basis for Processing

• Article 6(1)(f) GDPR: Necessary cookies are used to fulfill our legitimate interest in the reliable and optimized provision of our services.
• Article 6(1)(a) GDPR and § 25(1) TTDSG: Cookies and similar technologies that require user consent, such as analytics or advertising cookies. Consent can be revoked at any time.

Consent Management

When you first visit our website, a cookie banner will inform you about our use of cookies and ask for your consent. You can adjust your preferences at any time via your browser's cookie settings or revoke your consent.

Withdrawal of Consent

You can withdraw your consent to the storage of cookies and similar technologies at any time. This can be done either via your browser settings or by contacting us directly. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Managing and Deleting Cookies

You can configure your browser settings to:

• Notify you when a cookie is set
• Allow cookies only in individual cases
• Block cookies for specific cases or in general
• Automatically delete cookies when closing the browser

Please note that disabling cookies may limit the functionality of this website.

---

Waiting List Data Collection

If you sign up for our waiting list by entering your email address, we collect and process:

• Your email address
• The timestamp of your registration
• Optional information you may provide (such as your name or how you heard about us)

Purpose of Processing

We use this data for the following purposes:

• To notify you when LYFA - Leave Your Face Alone officially launches
• To send you product updates, news, and important announcements related to the launch
• To gather statistical information about interest in our product
• To improve our product and services based on user feedback

Legal Basis for Processing

The processing of your email address and associated data is based on:

• Your consent (Art. 6(1)(a) GDPR): By entering your email address and clicking the sign-up button, you consent to the processing of your data for the purposes of receiving launch notifications and product updates.

Data Retention

Your email address and associated data will be stored:

• Until you request removal from our waiting list
• Until a reasonable period after our product launch (typically 12 months) if you haven't converted to a regular user
• If you become a user of our service after launch, your data will be processed according to our general user data policies

Your Rights

Regarding your waiting list registration data, you have the right to:

• Withdraw your consent at any time by clicking the unsubscribe link in our emails or contacting us
• Request information about the data we store about you
• Request correction or deletion of your data
• Request restriction of processing of your data

Data Security

We take appropriate technical and organizational measures to ensure the security of your email address and associated data. These include encryption during data transmission and access restrictions to this data within our organization.

---

Newsletter Data

If you would like to subscribe to the newsletter** offered on our website, we require:

• Your email address
• Information that allows us to verify that you are the owner of the provided email address and that you consent to receiving the newsletter.

No additional data is collected unless provided voluntarily.

We use this data exclusively for sending the requested information and do not share it with third parties.

The processing of data entered into the newsletter signup form is carried out exclusively based on your consent (Article 6(1)(a) GDPR).

You can withdraw your consent to store your data, email address, and its use for sending the newsletter at any time, for example, via the "unsubscribe" link in the newsletter. The lawfulness of previously conducted data processing remains unaffected by the withdrawal.

Analytics Methods

As part of our newsletter, we use analytics methods to track:

• How often the newsletter is opened
• Which links are clicked

These data are only evaluated anonymously or in aggregated form to continuously improve our newsletter.

Data Storage and Deletion

• Your newsletter subscription data is stored until you unsubscribe from the newsletter.
• Once unsubscribed or when the purpose for storage no longer applies, your data is removed from our newsletter distribution list.
• Data stored for other purposes remains unaffected.
• We reserve the right to delete or block email addresses from our newsletter distribution list at our discretion based on our legitimate interest in ensuring that our newsletter is not used for spam or unauthorized purposes.

YouTube with Enhanced Privacy Mode

Our website embeds videos from YouTube. The operator of the embedded content is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Data Processing by YouTube

When you visit a page on our website that contains an embedded YouTube video, a connection to YouTube's servers is established. In this process, your browser communicates which of our pages you have visited. If you are logged into your YouTube account, YouTube can associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.

Enhanced Privacy Mode

We use YouTube in enhanced privacy mode. According to YouTube, videos played in enhanced privacy mode are not used to personalize your browsing experience on YouTube. Advertisements displayed in enhanced privacy mode are also not personalized. In enhanced privacy mode, no cookies are set. Instead, local storage elements are stored in the user's browser, which can contain personal data and be used for recognition purposes similar to cookies. You can find more details about enhanced privacy mode here: YouTube Support – Enhanced Privacy Mode.

Further Data Processing

After activating a YouTube video, additional data processing actions may be triggered by YouTube, over which we have no control. This particularly includes the storage and usage of your data by YouTube in accordance with their privacy policy.

Legal Basis for Using YouTube

The use of YouTube is based on the following legal grounds:

• Legitimate Interest (Article 6(1)(f) GDPR): We have a legitimate interest in providing an appealing online presence, which includes embedding YouTube videos.
• Consent (Article 6(1)(a) GDPR and § 25(1) TTDSG): If explicit consent is requested, the processing of personal data by YouTube is based on your consent. This includes storing cookies and accessing information on your device (e.g., device fingerprinting). You can revoke your consent at any time.

Data Processing Agreement (DPA)

We have entered into a Data Processing Agreement (DPA) with Google in accordance with Article 28 GDPR. This agreement ensures that Google processes the personal data of our website visitors only in accordance with our instructions and in compliance with GDPR regulations.

Data Transfers

Your personal data is processed and stored exclusively within the European Union (EU) or the European Economic Area (EEA). No data transfers to third countries take place. If a data transfer to a third country becomes necessary in the future, we will ensure that appropriate safeguards are implemented in accordance with applicable data protection laws, such as by concluding Standard Contractual Clauses (SCCs).

EU-US Data Privacy Framework (DPF)

Google is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the United States that ensures compliance with European data protection standards for data processing in the USA. Each company certified under the DPF is obligated to comply with these data protection standards. For more information, please refer to the provider's details at the following link: EU-US Data Privacy Framework.