Privacy Notice

Articles 12 and 13 GDPR

Current version: 01/2026

1. Introduction, scope

1.1. This privacy notice describes how we process personal data in connection with the use of the website www.thank-you.app operated by TY APP TECHNOLOGIES LIMITED (hereinafter the “Website”) and the browser-based version of the “Thank You Vibes” that can be accessed via QR code or link (hereinafter the “Web App”). It also covers the browser-based administration back end connected to the Web App (the “Admin Area”) for companies and hotels as well as – to the extent described in more detail in section 4.4 – the use of the mobile staff app that is operated on the same back-end systems (together the “Online Offering”).

1.2. The protection of personal data and compliance with data protection law, in particular Regulation (EU) 2016/679 (“General Data Protection Regulation” – GDPR) as well as applicable national data protection and telecommunications provisions, is of the highest priority to us.

1.3. This privacy notice provides an overview of which categories of personal data we process, for which purposes we process them, on which legal bases we rely, to whom data may be disclosed, how long data are stored and which rights data subjects have.

1.4. Terms such as “personal data”, “processing”, “controller”, “processor” etc. are used in the sense of the definitions in Article 4 GDPR.

1.5. The current version of this privacy notice can be accessed, saved and printed at any time on our website.

2. Controller, data protection contact

2.1. The controller within the meaning of Article 4(7) GDPR is:

TY APP TECHNOLOGIES LIMITED

Registration number: HE 484442

Registered office: 61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus

E-mail: legal@thank-you.app

2.2. At present, the statutory requirements for the mandatory appointment of a data protection officer (Article 37 GDPR) are not met. Should this change, the corresponding contact details will be added to this privacy notice.

3. Processing of personal data in general

3.1. We process personal data where this is:
  • necessary for the performance of pre-contractual measures or a contract with you (Article 6(1)(b) GDPR),
  • necessary for compliance with legal obligations (e.g. statutory retention obligations under commercial and tax law, payment services regulation) (Article 6(1)(c) GDPR),
  • necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data (Article 6(1)(f) GDPR), or
  • based on consent given by you (Article 6(1)(a) GDPR).

3.2. Where we process special categories of personal data within the meaning of Article 9(1) GDPR (e.g. health data), this will only be done in the exceptional cases set out in Article 9(2) GDPR. Such processing is generally not envisaged in the context of the Website and the Web App.

3.3. If you give us your consent to process your data, you may withdraw this consent at any time with effect for the future (see sections 13 and 16). The lawfulness of the processing carried out until the withdrawal remains unaffected.

3.4. Personal data will only be disclosed, transmitted or otherwise made accessible to third parties where and insofar as this is necessary for the purposes described in this privacy notice, required on the basis of a legal provision or a regulatory/judicial order, or covered by a consent.

3.5. Within our company, only those departments and staff members will have access to personal data who need such data in order to perform their tasks (need-to-know principle).

3.6. No decision-making based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR takes place in the context of the Website, the Web App, the Admin Area or the mobile app.

4. Collection and processing of personal data from the data subject

We generally process personal data directly from the data subjects, in particular when visiting the Website, using the Web App or the Admin Area, using the mobile staff app, contacting us or within the framework of a contractual relationship. Processing takes place solely on one of the legal bases set out in section 3.

4.1. Visit to the Website and Web App

4.1.1. The publicly accessible marketing pages of the Website (e.g. homepage, service and product description, “How it works”, policy pages) provide static content only. These pages can be used without registration and without entering personal data; personal data are collected only to the extent technically required (see below). When you access our Website or Web App, certain technical information (access data, “server log files”) is automatically processed in order to enable the display of the pages and to ensure the stability and security of our offering (for details see section 7).

4.1.2. In addition, cookies and similar technologies are used depending on your browser settings and consents (see section 8).

4.1.3. The legal basis for processing strictly necessary technical data is our legitimate interest in a secure, stable and functional web presence (Article 6(1)(f) GDPR). The legal basis for optional cookies is your consent (Article 6(1)(a) GDPR).

4.1.4. Retention period: Server log files are generally stored for 12 months unless a longer storage period is required for security or evidential reasons.

4.1.5. Optional access protection (HTTP Basic Authentication): In certain operating modes (e.g. protected test or staging environments), access to the Website or Web App may be additionally protected by HTTP Basic Authentication. In this case, user name and password are processed solely for the immediate verification of the access data in the HTTP headers and are not stored permanently in our systems.

4.2. Contact / Lead capture (“Contact Us” / “Get Started”)

4.2.1. If you contact us via the contact or lead form integrated on the Website (“Contact Us”, “Get Started” or similar designations), we process – depending on the specific configuration – in particular the following data:

  • Mandatory fields: First name, last name, business e-mail address, company name, company size, confirmation of the relevant conditions (e.g. terms/privacy).
  • Optional information: Telephone number, country, city, role/function in the company, information on how you heard about us, free-text message.
  • Meta/communication data: Time of the enquiry, technical log data, internal lead identifiers where applicable.

4.2.2. Form entries are validated on the server side and stored as a lead data record in a dedicated data structure. Processing takes place via an API endpoint (e.g. “/api/leads”); the lead data are persisted in a Firebase Firestore collection (e.g. “leads”). There is no automated transfer of these leads to third parties; they are used exclusively internally for handling and tracking the enquiry.

4.2.3. The purpose of processing is to handle your enquiry, to contact you (e.g. to arrange demos, prepare offers), to document communication and – where relevant – to prepare a contractual relationship with you or your company (e.g. hotel, chain or other business partner).

4.2.4. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures) and our legitimate interest in properly handling enquiries and documenting business communication (Article 6(1)(f) GDPR).

4.2.5. Retention period: Enquiries, lead records and correspondence are generally stored for 24 months after completion of processing; if a contractual relationship is established, the retention periods set out in sections 4.4/4.5 apply.

4.3. Use of the browser-based tipping function (Web App) by guests (“tippers”)

4.3.1. When guests access the Web App via QR code or link to provide a tip to a member of staff of a hotel, we process – depending on the specific configuration – in particular the following data:

  • Transaction data: Date and time, amount, currency, payment status, QR code used or assignment to the beneficiary employee/team/hotel, transaction ID.
  • Context data: Hotel/location, room number or table ID where applicable, service/department (e.g. housekeeping, restaurant).
  • Optional data provided by the guest: Free-text message, rating, name, e-mail address for digital payment confirmations/receipts.
  • Technical data: IP address, device information, browser type and version, language settings where applicable (see also section 7).

The tipping function is operated via our back-end services. Transaction and context data are primarily stored in a relational database (MySQL) as the “source of truth” and are additionally mirrored in specific Firestore collections (e.g. “transactions”) for real-time synchronisation.

4.3.2. Payment data (in particular credit card and Apple Pay/Google Pay data) are generally processed exclusively by the payment service provider we have integrated. We receive only information as to whether the payment was successful, as well as technically necessary payment references (e.g. masked card number, token, transaction ID, card type) in order to enable assignment to the tip and for settlement purposes. We do not store full card or wallet data (e.g. full card number, CVC).

4.3.3. The purpose of processing is to provide the digital tipping function, to process the payment, to assign tips to the entitled employees/hotels, to provide reporting to hotels and to comply with statutory retention obligations under commercial and tax law and to assert or defend claims (e.g. in case of queries or chargebacks).

4.3.4. The legal basis is Article 6(1)(b) GDPR (performance of the payment/use contract concluded with the guest) and Article 6(1)(c) GDPR (statutory retention obligations). Where we analyse transaction data for the purposes of fraud prevention, system security, reporting and product improvement, this is based on our legitimate interests (Article 6(1)(f) GDPR).

4.3.5. Retention period: Transaction and settlement-related data are generally stored for the duration of the statutory retention periods (as a rule up to 7 years after the end of the relevant financial year); thereafter only as long as necessary for the assertion or defence of legal claims.

4.4. Accounts for hotel administrators and staff (Admin Area and staff app)

4.4.1. Hotels and other companies can use the Thank You Vibes for their staff. Administration takes place via a multi-tenant Admin Area based on Laravel Filament. Depending on the configuration, the following data in particular are processed:

  • Hotel/company data: Company name, address, industry, contact person, contract data, services booked, licence/tariff information.
  • Admin account data: Name, position, business contact details, login data (user name, e-mail), role and permission profiles (e.g. Super Admin, Company Admin, Hotel Admin, Sales Representative), assignment to companies/hotels.
  • Staff data: Name, unique staff ID, position/department, assignment to a hotel/location, language settings and further profile data where applicable (e.g. display name, optional profile picture).
  • Account/wallet data for the payout of tips: e.g. IBAN or other payment identifiers required for distributing and paying out tips.
  • Usage and configuration data: Login and activity logs, tipping history and totals, configurations and settings in the dashboard, sales pipeline information, commission data, feature flag information (remote config), audit logs for key admin actions.
  • Technical data: System and device information, device tokens (e.g. for push notifications via Firebase Cloud Messaging) and tenant/scope information to ensure tenant separation (tenant isolation).

The Admin Area is designed as a multi-tenant back office application for managing companies (tenants), hotels (sub-entities), users and roles, payments, sales pipelines, commissions, configurations, reporting and audits. Data are primarily stored in a MySQL database (authoritative data store); selected data records are mirrored in Firestore collections (e.g. “companies”, “hotels”, “userspresence”, “transactions”, “notifications”, “remoteconfig”) for real-time synchronisation.

4.4.2. The purpose is to set up and manage user accounts, assign and pay out tips, provide reporting at hotel and staff level (e.g. overviews and statistics), manage sales pipelines and commissions, and ensure IT security, abuse prevention and traceability of admin actions (audit logs).

4.4.3. The legal basis is Article 6(1)(b) GDPR (performance of contracts with the hotel as our contracting partner or with registered users) and Article 6(1)(f) GDPR (legitimate interests in a secure and transparent tipping system, tenant separation, traceability of transactions and admin actions, product improvement). Where we are legally obliged to retain certain data or to disclose data to authorities, processing is additionally based on Article 6(1)(c) GDPR.

4.4.4. Retention period: Data on user accounts are processed for the duration of the contractual relationship with the respective hotel/company and thereafter as long as statutory retention obligations or legitimate interests (e.g. assertion or defence of claims) exist. Inactive accounts are generally deleted after 7 years unless longer retention obligations apply.

4.4.5. Additional processing in the mobile staff app

Where staff also use the mobile Thank You Vibes (e.g. iOS/Android app), we process, in addition to the data listed in section 4.4.1, in particular the following:

  • Authentication and account status: E-mail address (login), Firebase UID, authentication tokens, password reset token, authentication timestamps. Passwords are processed exclusively by Firebase Authentication, stored in hashed and salted form, and are not visible to us in plain text. Multi-factor authentication (MFA) may be implemented optionally.
  • Profile and identity: Display name, optional profile photo (uploaded to Firebase Storage), structured identity and address data where applicable (e.g. country, city) as well as KYC-related data where required by applicable law or contract (e.g. to comply with tax or employment law obligations). All identity data are stored in user-specific Firestore documents and protected by security rules.
  • Settings and preferences: Local preferences (e.g. language, UI settings, notification settings) are stored on the end device; selected preferences are also synchronised to Firestore to enable consistency across devices. Location data may be used temporarily – if you grant the relevant permissions on your device – to pre-populate default values (country, currency) or determine contextual information for transactions. Location data are not stored permanently as separate movement profiles.
  • Tip defaults and transactions: User-defined tip presets are stored in UID-specific Firestore collections. Transaction data (tipping history) are managed primarily in MySQL and additionally in Firestore as described in section 4.3; location-related information may optionally be stored in individual transaction records where this is required for documentation and traceability.
  • QR code generation: User- and hotel-specific QR codes are generated on the server side and stored in Firebase Storage; referencing metadata are managed in Firestore. The codes serve to uniquely assign tips and are linked, for example, to rooms, tables or staff.
  • Support and feedback: Haptic and audio feedback is processed locally on the device; no additional personal data are transmitted to our servers for this purpose. Where support requests are submitted from within the app by e-mail or via contact functions, section 4.2 applies in addition.

The above data processing serves to provide the functionality of the staff app, to enable a secure and traceable tipping and payout model, to store configurations and preferences and to ensure the integrity and security of the system. The legal bases are Article 6(1)(b) GDPR (performance of contract), Article 6(1)(f) GDPR (IT security, fraud prevention, product improvement) and – where location or KYC data are not legally required – Article 6(1)(a) GDPR (consent).

4.5. Contractual partners (hotels, other business partners) and their contact persons

4.5.1. In the context of contractual relationships with hotels and other business partners (e.g. payment service providers, marketing/IT service providers) we process data of our contractual partners and of their contact persons, in particular: master and contact data, contract data, billing and payment data.

4.5.2. The purpose is the initiation, management and performance of contractual relationships and compliance with statutory documentation and retention obligations.

4.5.3. The legal basis is Article 6(1)(b) and (c) GDPR; in addition we rely on our legitimate interests in an efficient and legally compliant business process (Article 6(1)(f) GDPR).

4.5.4. Retention period: For the duration of the contractual relationship and thereafter for the duration of statutory retention periods and limitation periods for related claims.

4.6. Newsletter / direct marketing (if implemented)

4.6.1. If you register for a newsletter or expressly agree to receive information, we process your e-mail address and, where applicable, your name.

4.6.2. The legal basis is your consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time with effect for the future.

4.6.3. Where we use e-mail contact details obtained in connection with an existing customer relationship for direct marketing of our own similar products, such use may be based on our legitimate interests (direct marketing, Article 6(1)(f) GDPR). You may object to this use at any time.

4.7. Applications

4.7.1. If you apply to us, we process your application documents (in particular master data, contact data, CV, certificates, cover letter, communication data).

4.7.2. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures in the context of the application process) and – where necessary – Article 9(2)(b) and (h) GDPR.

4.7.3. Retention period: Application documents are generally retained for 6 months after completion of the application process unless longer storage is required on the basis of explicit consent or due to ongoing proceedings.

4.8. Employees of TY APP TECHNOLOGIES LIMITED

4.8.1. Data of our own employees are processed exclusively for the establishment, performance and termination of the employment relationship and for compliance with employment, social security and tax law obligations.

4.8.2. The legal basis is Article 6(1)(b) and (c) GDPR, and additionally Article 9(2)(b) GDPR where special categories of data are concerned.

5. Collection of data from third parties

5.1. Where necessary, we also process data that have not been collected directly from the data subject, for example: in the context of credit or sanctions list checks of hotels or companies, or from publicly accessible sources (e.g. commercial register, trade register, company websites).

5.2. We also receive data from third parties (e.g. our contractual hotels) where these provide us with staff data for the use of the Thank You Vibes. Hotel operators are obliged to inform their staff about such transfer.

5.3. The legal basis is Article 6(1)(b), (c) or (f) GDPR, depending on the specific context.

6. Duration of processing, retention periods, transfers to third countries

6.1. We store personal data only for as long as this is required for the respective processing purposes, statutory retention obligations exist or we have a legitimate interest in storage.

6.2. As soon as data are no longer required for the purposes mentioned and no statutory retention obligations prevent deletion, the data are deleted or anonymised.

6.3. For hosting and operating the Website, the Web App, the Admin Area and the mobile staff app we use, among other things, infrastructure from Google Firebase / Google Cloud Platform (GCP). In this context, personal data may be transferred to recipients in countries outside the EU/EEA (in particular the USA). Where no adequacy decision of the European Commission is in place, transfers are based on appropriate safeguards within the meaning of Articles 44 et seq. GDPR (in particular EU standard contractual clauses and supplementary technical and organisational measures).

6.4. In the context of payment processing (see section 9), data may be transferred to payment service providers established within or outside the EU/EEA (e.g. to Stripe Payments Europe, Limited, based in Ireland). Where required, appropriate safeguards within the meaning of the GDPR are also implemented for such transfers.

6.5. In exceptional cases, transfers may also be based on one of the derogations set out in Article 49 GDPR.

7. Server log files (access data)

7.1. When you access our Website, Web App, Admin Area and – where relevant – certain back-end interfaces (APIs), we automatically collect certain access data (“server log files”) for technical reasons. These include in particular:
  • IP address and unique device identifier,
  • date and time of access,
  • URL accessed and referrer URL,
  • amount of data transferred,
  • browser type and version used, operating system.

7.2. These data are processed for the following purposes: establishing and maintaining the connection, ensuring the stability and security of the systems, error analysis and detection of abuse, internal statistical analysis (in aggregated form). Log data may be stored and analysed centrally via GCP/Firebase logging and monitoring services.

7.3. The legal basis is our legitimate interest in secure and stable technical operation of the Website, the Web App, the Admin Area and the mobile app (Article 6(1)(f) GDPR).

7.4. Retention period: Server log files are stored for 12 months and then deleted unless further reasons (e.g. IT security incidents, ongoing proceedings) require longer retention.

8. Cookies and similar technologies (static cookie policy)

8.1. General

8.1.1. Our Website and Web App use cookies and similar technologies (e.g. local storage, pixels). Cookies are small text files that are stored on your end device and contain certain information.

8.1.2. We use strictly necessary cookies that are essential for the operation of the Website/Web App, and optional cookies where you have consented to this.

8.1.3. Our application code for the marketing Website currently (as of 12/2025) does not set any additional tracking or marketing cookies; any cookies serve technical purposes only (e.g. session management, security).

8.2. Legal bases

8.2.1. Strictly necessary cookies are processed on the basis of our legitimate interest in a functioning and secure web presence (Article 6(1)(f) GDPR).

8.2.2. Non-essential cookies are only set if you have given your prior consent (Article 6(1)(a) GDPR).

8.3. Cookie settings in the browser

You can configure your browser to prevent cookies from being stored or to display a notification before a new cookie is set. You can delete cookies that have already been stored at any time via the browser settings.

9. Payment processing via payment service providers

9.1. For the processing of digital tips, payment service providers are integrated. At present, Stripe Payments Europe, Limited, Ireland (“Stripe”) is used as a payment service provider; other payment service providers may be added in the future. Details on data processing by Stripe can be found in Stripe’s own privacy notice.

9.2. When using the Web App, payment data (e.g. card number, expiry date, CVC) are entered directly into an input mask of the payment service provider. We do not receive these sensitive payment data in full form, but only technical references and abstracted information.

9.3. Payment service providers act – depending on the specific setup – as independent controllers or as joint controllers within the meaning of Article 26 GDPR.

9.4. The legal basis for integration is Article 6(1)(b) GDPR (performance of the payment/tipping contract) and Article 6(1)(f) GDPR (legitimate interest in secure and efficient payment processing).

10. Integration of third-party services and content

10.1. Where we in future integrate content or services of third parties on the Website or in the Web App (e.g. map services, embedded videos, fonts, CDNs), this may involve the transfer of personal data to such third parties.

10.2. Depending on the service, processing is either based on our legitimate interests (Article 6(1)(f) GDPR) or on your consent (Article 6(1)(a) GDPR).

11. Processors

11.1. We engage processors within the meaning of Article 4(8) and Article 28 GDPR for specific activities (e.g. hosting, e-mail dispatch, development, support, monitoring). We conclude data processing agreements with such processors pursuant to Article 28 GDPR.

11.2. Our processors include in particular:
  • Hosting / infrastructure: Google Cloud Platform / Firebase (Google LLC, USA)
  • E-mail and communication services: Google Cloud Platform (Google LLC, USA)
  • Error and performance monitoring: Google Cloud Platform / Firebase (Google LLC, USA), Sentry (Functional Software, Inc.)

11.3. A list of the processors currently used can be made available on request.

12. Security of processing

12.1. We implement appropriate technical and organisational measures in accordance with Article 32 GDPR. These include in particular measures to safeguard the confidentiality, integrity and availability of systems.

12.2. Key technical principles of our platform include:
  • MySQL as the leading system (“source of truth”) for key business and transactional data,
  • Firestore as a non-authoritative but highly available real-time and synchronisation layer,
  • Strict role-based access control (RBAC) and tenant isolation,
  • No storage of raw passwords or full payment data in our systems,
  • Comprehensive audit logs for security-relevant and administrative actions.

12.3. Our security measures are reviewed regularly and adjusted where necessary to reflect the state of the art.

13. Rights of data subjects

13.1. Data subjects have the following rights under the applicable statutory provisions in particular:

  • Right of access (Article 15 GDPR): You may request information as to whether and which personal data we process about you.
  • Right to rectification (Article 16 GDPR): You may request the rectification of inaccurate data.
  • Right to erasure (Article 17 GDPR): You may request the erasure of your personal data.
  • Right to restriction of processing (Article 18 GDPR): You may request the restriction of processing.
  • Right to data portability (Article 20 GDPR): You have the right to receive your data in a structured format.
  • Right to object (Article 21 GDPR): You may object to processing based on Article 6(1)(e) or (f) GDPR.
  • Withdrawal of consent (Article 7(3) GDPR): You may withdraw any consent given at any time.
  • Right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority.

14. Exercising your rights, right to lodge a complaint

14.1. You may exercise your rights at any time by contacting:

TY APP TECHNOLOGIES LIMITED

61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus

E-mail: legal@thank-you.app

14.2. Irrespective of this, you have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority of your habitual residence, your place of work or the place of the alleged infringement is competent in particular.

15. Currency and amendment of this privacy notice

15.1. This privacy notice is currently valid and is dated 01/2026.

15.2. Due to the further development of our Website, Web App, Admin Area or mobile app or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy notice. The current version can be accessed on our website at any time.
