PRIVACY POLICY TOBALIE

TOBALIE GmbH (hereinafter “Tobalie”, “we”, “us”) is aware of the importance of the personal data entrusted to
it. It is therefore particularly important to us to ensure the confidentiality and lawful processing of your data on
our online platform (the “website”) for the provision of information on the acquisition, care and keeping of pets,
for networking with service partners as well as other users and for trading in pet-related products. This privacy
policy applies to all forms of presentation of our website, regardless of whether it is a web version or a mobile
version (e.g. app on a smartphone), as well as to native apps on all end devices.
In principle, browsing the website is possible without the processing of your personal data; however, the use of
our services may require the processing of your personal data (in particular as soon as you move in the registered
user area).
In this data protection declaration, you will find information on the data processing carried out by us. We use the
terms set out in the General Data Protection Regulation (“GDPR”). For better comprehensibility, we would like
to explain to you below the most important terms according to their legal definition.

  • Personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data subject: The person whose personal data are processed.
  • Controller: The natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processor: The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
  • Consent (of the data subject): any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
  • Personal data breach: The breach of security that results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful.

1. WHO IS RESPONSIBLE FOR DATA PROCESSING AND WHOM CAN I CONTACT?

1.1 Tobalie is the responsible party within the meaning of Article 4(7) GDPR. You can reach us at
TOBALIE GmbH
Eschenbachgasse 11/DG, 1010 Vienna
E-mail: office@tobalie.com

1.2 Our contact person for data protection is Tobias Amesberger.

2. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?

2.1 Use of the website and contact via the website

a. Description: To provide information on acquisition, care and husbandry, networking with
service partners and other users as well as trading products, we operate the website at the
following address www.tobalie.com. To facilitate contact, Tobalie provides an interactive
contact form on the website. In principle, the website can also be used without processing
your personal data, although no contact can be made without your providing personal data.

b. Data categories: Contact data (first and last name, academic title, address, telephone number,
e-mail address), IP address and additional personal data that you voluntarily provide to us via
the input mask used for registration for the purpose of contacting us.

c. Legal basis: We process the aforementioned personal data on the basis of legitimate legal
interests (Article 6 para 1 lit f GDPR) such as the proper operation of our website and the
provision of information on acquisition, care and keeping as well as networking with service
partners and trading in products.

d. Storage period: We store the aforementioned personal data for the duration of the existence
of our legitimate interests. This means, for example, that when you visit our website, we
process your data for the duration of your visit and, in the case of an enquiry via the contact
form, for the duration of the processing of your enquiry.

2.2 Sending newsletters and marketing materials

a. Description: You can subscribe to our newsletter (online), which will regularly inform you
about our products and services related to the acquisition, care and keeping of animals as well
as networking with service partners. In addition, with your consent, we will be happy to send
you additional marketing material on areas of interest to you. No newsletters or other
marketing material can be sent to you without your consent.

b. Data categories: Contact details (first and last name, academic title, address, telephone
number, email address).

c. Legal basis: We process the aforementioned personal data on the basis of your consent in
accordance with Article 6 (1) (a) in conjunction with Article 88 GDPR.

d. Storage period: We store the aforementioned personal data until the time of revocation of the
respective consent. A revocation has the consequence that we no longer process your data
from this point in time, whereby the legality of the data processing carried out on the basis
of the consent up to the revocation remains unaffected by the revocation. To revoke your
consent, please contact us at office@tobalie.com.

2.3 Membership management in the Tobalie Portal

a. Description: On the Tobalie portal, users can create profiles and network with experts and
service providers from the pet sector, among others. The use of the Tobalie portal requires at
least the processing of your personal data in the form of your first and last name, your e-mail
address and a password chosen by you. No user account can be created without this data.

b. Categories of data: The personal data mentioned under this point a. are processed. In addition,
those personal data are processed which you provide to us voluntarily (e.g. date of birth,
address, favourite places etc.).

c. Legal basis: We process the aforementioned personal data on the basis of our legitimate legal
interests (Article 6 para f GDPR).

d. Storage period: We store the aforementioned personal data for the duration of the existence
of your user account as well as beyond that in accordance with the statutory retention periods
(e.g. retention obligation under tax law according to § 132 para 1 BAO: 7 years, beyond that
as long as they are of importance for the tax authorities in pending proceedings; retention
obligation under company law according to §§ 190, 212 UGB: 7 years; retention obligation
under turnover tax law for invoices according to § 11 para 2 UStG: 7 years).

2.4 Managing Premium Membership on the Tobalie Portal

a. Description: On the Tobalie portal, users can also take out a paid premium membership. This
gives you access to our special services, such as unlimited storage of posted content for more
extensive evaluations, exclusive content and discounts, and the exclusion of advertising. The
conclusion of the Premium Membership requires at least the processing of your personal data
in the form of your first and last name, your e-mail address, your bank details and a password
chosen by you. No Premium Membership can be concluded without this data.

b. Categories of data: The personal data mentioned under point 2.3 a. are processed. In
addition, those personal data are processed which you provide to us voluntarily (e.g. date of
birth, address, favourite places, purchases made in the shop, professional articles read, pages
visited on Tobalie, etc.).

c. Legal basis: We process the aforementioned personal data for the performance of a contract
(Article 6 (b) GDPR).

d. Storage period: We store the aforementioned personal data for the duration of your Premium
Membership, and beyond that in accordance with the respective statutory retention periods
(e.g. retention obligation under tax law in accordance with § 132 para 1 BAO: 7 years, and
beyond that for as long as they are of significance for the tax authorities in pending
proceedings; retention obligation under company law in accordance with §§ 190, 212 UGB:
7 years; retention obligation under turnover tax law for invoices in accordance with § 11 para
2 UStG: 7 years).

2.5 Operation of an online appointment request tool

a. Description: The Tobalie portal contains experts and service providers from the pet sector.
These can be requested for a telephone call, video call or meeting by means of an online
appointment request. You decide which personal data you want to make available to the
expert or service provider. The use of the appointment request tool requires at least the
processing of your personal data in the form of the e-mail address.

b. Data categories: The contact data (e.g. first and last name, academic title, address, telephone
number, etc.) that you provide to the expert or service provider via the tool are processed. In
any case, the e-mail address and IP address are processed.

c. Legal basis: We process the aforementioned personal data on the basis of your consent
(Article 6 (1) (a) in conjunction with Article 88 GDPR).

d. Storage period: We store the aforementioned personal data for the duration of the use of the
online tool and until the time of revocation of your consent. A revocation has the consequence
that we no longer process your data from this point in time, whereby the legality of the data
processing carried out on the basis of the consent up to the revocation remains unaffected by
the revocation. To revoke your consent, please contact us at office@tobalie.com.

2.6 Legal prosecution

a. Description: If a legal dispute arises during the ongoing contractual relationship between you
and us or after its termination, the data necessary for the appropriate legal prosecution will
be transmitted to legal representatives and courts.

b. Data categories: Contact details (e.g. first and last name, academic title, address), data related to
the litigation in question (e.g. your conduct in relation to the use of the website).

c. Legal basis: We process the aforementioned personal data on the basis of legitimate legal
interests (Article 6 (f) in conjunction with Article 9 (2) (f) GDPR) for the purpose of legal
prosecution.

d. Storage period: We store the aforementioned personal data for the purpose of pursuing or
defending legal claims, insofar as this is necessary for the potential conduct of proceedings
or until the expiry of the statutory limitation periods, whereby the statutory regular limitation
period is three years.

3. TO WHICH RECIPIENTS WILL YOUR PERSONAL DATA BE TRANSFERRED?

3.1 In the course of our data processing, we transmit your personal data to the following recipients to the
extent necessary:

  • Service partners and experts, service providers, legal representatives, courts and administrative authorities, tax advisors and external payroll accounting as well as companies commissioned to support our internal IT infrastructure (software, hardware).

4. WHAT RIGHTS DO YOU HAVE?

4.1 You have the right to information under Article 15 of the GDPR, the right to rectification under Article
16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing
under Article 18 of the GDPR, the right to object under Article 21 of the GDPR, the right not to be
subject to automated decision-making in individual cases, including profiling, and the right to data
portability under Article 20 of the GDPR. Furthermore, you have the right to lodge a complaint with a
competent data protection supervisory authority (Art 77 GDPR). You can find more information about
your rights at: https://www.dsb.gv.at/rechte-der-betroffenen.

4.2 The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42,
1030 Vienna (https://www.dsb.gv.at/).

5. EMBEDDING OF SOCIAL MEDIA PLUG-INS AND SIMILAR INSTRUMENTS

5.1 Tobalie uses the following social media plug-ins or similar instruments as part of the operation of the
website. In particular, we integrate elements of social media services on our website in order to display
images, videos and texts. When you visit pages that display these elements, data may be transmitted
from your browser to the respective social media service and stored there. We have no access to this
data. A description of the respective service and the personal data processed can be found below.

5.2 The legal basis for embedding the following services is your consent in accordance with Article 6 (1)
(a) GDPR.

5.3 Storage period: We process your personal data until you revoke a valid consent, which you may do at
any time. The revocation of consent does not affect the lawfulness of the processing carried out on the
basis of the consent until the revocation. You can (partially) prevent the use of the following services
by setting the internet browser used accordingly and thus permanently prevent such data processing.

5.4 Google Maps

a. We use Google Maps from Google Inc. on our website. Google Ireland Limited (Gordon
House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.
Google Maps allows us to better show you locations and thus adapt our service to your needs.

b. Through the use of Google Maps, data, in particular data on the use of the Maps functions by
visitors to the website, is transmitted to Google and processed on Google servers. For more
information on data processing by Google, please refer to the Google privacy policy at
https://www.google.at/intl/de/policies/privacy/. You can also change your settings there in
the privacy centre so that you can manage and protect your data.

5.5 Instagram

a. Tobalie has integrated components of the Instagram service on this website. Instagram is a
service that qualifies as an audiovisual platform and allows users to share photos and videos
and also to redistribute such data to other social networks.

b. The operating company of the Instagram services is Instagram LLC, 1 Hacker Way, Building
14 First Floor, Menlo Park, CA, USA.

c. Each time one of the individual pages of this website operated by the data controller is called
up and on which an Instagram component (Insta button) has been integrated, the internet
browser on the information technology system of the data subject is automatically caused by
the respective Instagram component to download a representation of the corresponding
component from Instagram. Within the scope of this technical procedure, Instagram receives
information about which specific subpage of our website is visited by the data subject.

d. If the data subject is logged in to Instagram at the same time, Instagram recognises which
specific subpage the data subject is visiting each time the data subject calls up our website
and for the entire duration of the respective stay on our website. This information is collected
by the Instagram component and assigned by Instagram to the respective Instagram account
of the data subject. If the data subject activates one of the Instagram buttons integrated on
our website, the data and information thus transmitted will be assigned to the personal
Instagram user account of the data subject and stored and processed by Instagram.

e. Instagram always receives information via the Instagram component that the data subject has
visited our website if the data subject is logged into Instagram at the same time as calling up
our website; this takes place regardless of whether the data subject clicks on the Instagram
component or not. If the data subject does not want this information to be transmitted to
Instagram, he or she can prevent the transmission by logging out of his or her Instagram
account before accessing our website.

f. Further information and Instagram’s applicable privacy policy can be found at
https://help.instagram.com/155833707900388 and
https://www.instagram.com/about/legal/privacy/.

5.6 Google Analytics

a. This website uses Google Analytics, a web analytics service provided by Google, Inc.
(“Google”). Google Analytics uses “cookies”, which are text files placed on your computer,
to help the website analyse how users use the site. The information generated by the cookie
about your use of this website is usually transmitted to a Google server in the USA and stored
there. In the event that IP anonymisation is activated on this website, however, your IP
address will be truncated beforehand by Google within member states of the European Union
or in other contracting states to the Agreement on the European Economic Area. We would
like to point out that on this website Google Analytics has been extended by the code
“gat._anonymizeIp();” in order to ensure anonymised collection of IP addresses (so-called
IP masking).

b. Only in exceptional cases will the full IP address be transmitted to a Google server in the
USA and shortened there. On behalf of the operator of this website, Google will use this
information for the purpose of evaluating your use of the website, compiling reports on
website activity and providing other services relating to website activity and internet usage
to the website operator. The IP address transmitted by your browser as part of Google
Analytics will not be merged with other Google data.

c. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this you may not be able to use the full functionality of this website. In addition, you can prevent the data generated by the cookie and related to your use of the website (incl. your IP address) from being collected and transmitted to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. You can also prevent the collection by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent future collection of your data when visiting this website: Disable Google Analytics.

d. You can find more information on the terms of use and data protection at
https://marketingplatform.google.com/about/analytics/terms/de/.

5.7 Hotjar

a. We use Hotjar by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street,
St Julian’s STJ 1000, Malta) on our website to statistically analyse visitor data. Hotjar is a
service that analyses the behaviour and feedback of you as a user on our website through a
combination of analytics and feedback tools. We receive reports and visual representations
from Hotjar that show us where and how you “move” on our site. Personal data is
automatically anonymised and never reaches Hotjar’s servers. This means that you as a
website user are not personally identified and we still learn a lot about your user behaviour.

b. As mentioned in the section above, Hotjar helps us analyse the behaviour of our site visitors.
These tools offered by Hotjar include heatmaps, conversion funnels, visitor recording,
incoming feedback, feedback polls and surveys (you can find out more about these at
https://www.hotjar.com/). In this way, Hotjar helps us to provide you with a better user
experience and service. On the one hand, it provides a good analysis of online behaviour, and
on the other, it gives us good feedback on the quality of our website. Because besides all the
analytical aspects, we of course also simply want to know your opinion about our website.
And with the feedback tool, that’s exactly what we can do.

c. As you browse our website, Hotjar automatically collects information about your user
behaviour. In order to be able to collect this information, we have installed our own tracking
code on our website. The following information may be collected about your computer or
browser: IP address of your computer (collected and stored in an anonymous format), screen
size, browser info (which browser, version, etc.), your location (but only the country), your
preferred language setting, web pages (sub-pages) you visit, and the date and time you access
one of our sub-pages (web pages).

d. If you wish to opt out of Hotjar’s tracking process, please refer to the following link for
instructions: https://www.hotjar.com/opt-out. For more information about the cookies used
by Hotjar and Hotjar’s privacy policy, please see the information at
https://www.hotjar.com/privacy.

5.8 YouTube

a. We have integrated YouTube components on our website. The video portal is operated by
YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube is a video portal
that has been a subsidiary of Google since 2006. When you call up a page on our website that
has a YouTube video embedded, your browser automatically connects to the YouTube or
Google servers. In the process, various data are transferred (depending on the settings).
Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for
all data processing in Europe.

b. As soon as you visit one of our pages that has a YouTube video embedded, YouTube sets at
least one cookie that stores your IP address and our URL. If you are logged into your
YouTube account, YouTube can usually assign your interactions on our website to your
profile using cookies. This includes data such as session duration, bounce rate, approximate
location, technical information such as browser type, screen resolution or your internet
service provider. Other data may include contact details, any ratings, sharing of content via
social media or adding to your favourites on YouTube. If you are not signed in to a Google
Account or a YouTube account, Google stores data with a unique identifier associated with
your device, browser or app. For example, your preferred language setting is retained. But a
lot of interaction data can’t be stored because fewer cookies are set.

c. Google stores the collected data for different lengths of time. Some data you can delete at
any time, others are automatically deleted after a limited time and still others are stored by
Google for a longer period of time. Some data (such as items from “My Activity”, photos or
documents, products) stored in your Google Account will remain stored until you delete
them. Even if you are not signed in to a Google Account, you can delete some data associated
with your device, browser or app. You can find more information about the storage period as
well as data processing within YouTube at:
https://www.youtube.com/static?gl=DE&template=terms&hl=de.

5.9 Facebook

a. On this website, we use functions of Facebook, a social media network of the company
Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
Specifically, we use the Facebook Like button and the Facebook Pixel on our website.

b. For more information on which functions (social plug-ins) Facebook provides, please visit
https://developers.facebook.com/docs/plugins/.

c. By visiting our website, information can be transmitted to Facebook. If you have a Facebook
account, Facebook can assign this data to your personal account. If you do not wish this,
please log out of Facebook.

d. The privacy policy, what information Facebook collects and how they use it can be found at
https://www.facebook.com/policy.php.

5.10 LinkedIn

a. We use functions of the social media network LinkedIn of the company LinkedIn
Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA on our website.

b. By calling up pages that use such functions, data (IP address, browser data, date and time,
cookies) are transmitted to LinkedIn, stored and evaluated.

c. If you have a LinkedIn account and are logged in, this data will be assigned to your personal
account and the data stored in it.

d. The privacy policy, what information LinkedIn collects and how they use it can be found at
https://www.linkedin.com/legal/privacy-policy.

5.11 XING

a. We use functions of the social media network XING of the company XING SE,
Dammtorstraße 30, 20354 Hamburg, Germany on our website.

b. When calling up pages that use such functions, data (IP address, browser data, date and time,
cookies) is transmitted to XING, stored and evaluated.

c. If you have a XING account and are logged in, this data will be assigned to your personal
account and the data stored in it.

d. The privacy policy, what information XING collects and how they use it can be found at
https://www.xing.com/privacy.