Thank You App - The Smart Way to Say Thank You

1. Introduction, scope

1.1. This privacy notice describes how we process personal data in connection with the use of the website [[HAUPT-DOMAIN]] operated by TY APP TECHNOLOGIES LIMITED (hereinafter the “Website”) and the browser-based version of the “Thank You App” that can be accessed via QR code or link (hereinafter the “Web App”). It also covers the browser-based administration back end connected to the Web App (the “Admin Area”) for companies and hotels as well as – to the extent described in more detail in section 4.4 – the use of the mobile staff app that is operated on the same back-end systems (together the “Online Offering”).

1.2. The protection of personal data and compliance with data protection law, in particular Regulation (EU) 2016/679 (“General Data Protection Regulation” – GDPR) as well as applicable national data protection and telecommunications provisions, is of the highest priority to us.

1.3. This privacy notice provides an overview of which categories of personal data we process, for which purposes we process them, on which legal bases we rely, to whom data may be disclosed, how long data are stored and which rights data subjects have.

1.4. Terms such as “personal data”, “processing”, “controller”, “processor” etc. are used in the sense of the definitions in Article 4 GDPR.

1.5. The current version of this privacy notice can be accessed, saved and printed at any time on our website.

2. Controller, data protection contact

2.1. The controller within the meaning of Article 4(7) GDPR is:

TY APP TECHNOLOGIES LIMITED
Registration number: HE 484442
Registered office: 61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus
E-mail (general): [[ALLGEMEINE KONTAKT-E-MAIL]]

2.2. At present, the statutory requirements for the mandatory appointment of a data protection officer (Article 37 GDPR) are not met. Should this change, the corresponding contact details will be added to this privacy notice.

3. Processing of personal data in general

3.1. We process personal data where this is

necessary for the performance of pre-contractual measures or a contract with you (Article 6(1)(b) GDPR),
necessary for compliance with legal obligations (e.g. statutory retention obligations under commercial and tax law, payment services regulation) (Article 6(1)(c) GDPR),
necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data (Article 6(1)(f) GDPR), or
based on consent given by you (Article 6(1)(a) GDPR).

3.2. Where we process special categories of personal data within the meaning of Article 9(1) GDPR (e.g. health data), this will only be done in the exceptional cases set out in Article 9(2) GDPR. Such processing is generally not envisaged in the context of the Website and the Web App.

3.3. If you give us your consent to process your data, you may withdraw this consent at any time with effect for the future (see sections 13 and 16). The lawfulness of the processing carried out until the withdrawal remains unaffected.

3.4. Personal data will only be disclosed, transmitted or otherwise made accessible to third parties where and insofar as this is

necessary for the purposes described in this privacy notice,
required on the basis of a legal provision or a regulatory/judicial order, or
covered by a consent.

3.5. Within our company, only those departments and staff members will have access to personal data who need such data in order to perform their tasks (need-to-know principle).

3.6. No decision-making based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR takes place in the context of the Website, the Web App, the Admin Area or the mobile app.

4. Collection and processing of personal data from the data subject

We generally process personal data directly from the data subjects, in particular when visiting the Website, using the Web App or the Admin Area, using the mobile staff app, contacting us or within the framework of a contractual relationship. Processing takes place solely on one of the legal bases set out in section 3.

4.1. Visit to the Website and Web App

4.1.1. The publicly accessible marketing pages of the Website (e.g. homepage, service and product description, “How it works”, policy pages) provide static content only. These pages can be used without registration and without entering personal data; personal data are collected only to the extent technically required (see below). When you access our Website or Web App, certain technical information (access data, “server log files”) is automatically processed in order to enable the display of the pages and to ensure the stability and security of our offering (for details see section 7).

4.1.2. In addition, cookies and similar technologies are used depending on your browser settings and consents (see section 8).

4.1.3. The legal basis for processing strictly necessary technical data is our legitimate interest in a secure, stable and functional web presence (Article 6(1)(f) GDPR). The legal basis for optional cookies is your consent (Article 6(1)(a) GDPR).

4.1.4. Retention period: Server log files are generally stored for 12 Months unless a longer storage period is required for security or evidential reasons.

4.1.5. Optional access protection (HTTP Basic Authentication): In certain operating modes (e.g. protected test or staging environments), access to the Website or Web App may be additionally protected by HTTP Basic Authentication. In this case, user name and password are processed solely for the immediate verification of the access data in the HTTP headers and are not stored permanently in our systems.

4.2. Contact / Lead capture (“Contact Us” / “Get Started”)

4.2.1. If you contact us via the contact or lead form integrated on the Website (“Contact Us”, “Get Started” or similar designations), we process – depending on the specific configuration – in particular the following data:

Mandatory fields: First name, last name, business e-mail address, company name, company size, confirmation of the relevant conditions (e.g. terms/privacy).
Optional information: Telephone number, country, city, role/function in the company, information on how you heard about us, free-text message.
Meta/communication data: Time of the enquiry, technical log data, internal lead identifiers where applicable.

4.2.2. Form entries are validated on the server side and stored as a lead data record in a dedicated data structure. Processing takes place via an API endpoint (e.g. “/api/leads”); the lead data are persisted in a Firebase Firestore collection (e.g. “leads”). There is no automated transfer of these leads to third parties; they are used exclusively internally for handling and tracking the enquiry.

4.2.3. The purpose of processing is to handle your enquiry, to contact you (e.g. to arrange demos, prepare offers), to document communication and – where relevant – to prepare a contractual relationship with you or your company (e.g. hotel, chain or other business partner).

4.2.4. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures) and our legitimate interest in properly handling enquiries and documenting business communication (Article 6(1)(f) GDPR).

4.2.5. Retention period: Enquiries, lead records and correspondence are generally stored for [[DAUER KONTAKT, e.g. 12 MONTHS]] after completion of processing; if a contractual relationship is established, the retention periods set out in sections 4.4/4.5 apply.

4.3. Use of the browser-based tipping function (Web App) by guests (“tippers”)

4.3.1. When guests access the Web App via QR code or link to provide a tip to a member of staff of a hotel, we process – depending on the specific configuration – in particular the following data:

Transaction data: Date and time, amount, currency, payment status, QR code used or assignment to the beneficiary employee/team/hotel, transaction ID.
Context data: Hotel/location, room number or table ID where applicable, service/department (e.g. housekeeping, restaurant).
Optional data provided by the guest: Free-text message, rating, name, e-mail address for digital payment confirmations/receipts.
Technical data: IP address, device information, browser type and version, language settings where applicable (see also section 7).

The tipping function is operated via our back-end services. Transaction and context data are primarily stored in a relational database (MySQL) as the “source of truth” and are additionally mirrored in specific Firestore collections (e.g. “transactions”) for real-time synchronisation.

4.3.2. Payment data (in particular credit card and Apple Pay/Google Pay data) are generally processed exclusively by the payment service provider we have integrated. We receive only information as to whether the payment was successful, as well as technically necessary payment references (e.g. masked card number, token, transaction ID, card type) in order to enable assignment to the tip and for settlement purposes. We do not store full card or wallet data (e.g. full card number, CVC).

4.3.3. The purpose of processing is to provide the digital tipping function, to process the payment, to assign tips to the entitled employees/hotels, to provide reporting to hotels and to comply with statutory retention obligations under commercial and tax law and to assert or defend claims (e.g. in case of queries or chargebacks).

4.3.4. The legal basis is Article 6(1)(b) GDPR (performance of the payment/use contract concluded with the guest) and Article 6(1)(c) GDPR (statutory retention obligations). Where we analyse transaction data for the purposes of fraud prevention, system security, reporting and product improvement, this is based on our legitimate interests (Article 6(1)(f) GDPR).

4.3.5. Retention period: Transaction and settlement-related data are generally stored for the duration of the statutory retention periods (as a rule up to 7 years after the end of the relevant financial year); thereafter only as long as necessary for the assertion or defence of legal claims.

4.4. Accounts for hotel administrators and staff (Admin Area and staff app)

4.4.1. Hotels and other companies can use the Thank You App for their staff. Administration takes place via a multi-tenant Admin Area based on Laravel Filament. Depending on the configuration, the following data in particular are processed:

Hotel/company data: Company name, address, industry, contact person, contract data, services booked, licence/tariff information.
Admin account data: Name, position, business contact details, login data (user name, e-mail), role and permission profiles (e.g. Super Admin, Company Admin, Hotel Admin, Sales Representative), assignment to companies/hotels.
Staff data: Name, unique staff ID, position/department, assignment to a hotel/location, language settings and further profile data where applicable (e.g. display name, optional profile picture).
Account/wallet data for the payout of tips: e.g. IBAN or other payment identifiers required for distributing and paying out tips.
Usage and configuration data: Login and activity logs, tipping history and totals, configurations and settings in the dashboard, sales pipeline information, commission data, feature flag information (remote config), audit logs for key admin actions.
Technical data: System and device information, device tokens (e.g. for push notifications via Firebase Cloud Messaging) and tenant/scope information to ensure tenant separation (tenant isolation).

The Admin Area is designed as a multi-tenant back office application for managing companies (tenants), hotels (sub-entities), users and roles, payments, sales pipelines, commissions, configurations, reporting and audits. Data are primarily stored in a MySQL database (authoritative data store); selected data records are mirrored in Firestore collections (e.g. “companies”, “hotels”, “userspresence”, “transactions”, “notifications”, “remoteconfig”) for real-time synchronisation.

4.4.2. The purpose is to set up and manage user accounts, assign and pay out tips, provide reporting at hotel and staff level (e.g. overviews and statistics), manage sales pipelines and commissions, and ensure IT security, abuse prevention and traceability of admin actions (audit logs).

4.4.3. The legal basis is Article 6(1)(b) GDPR (performance of contracts with the hotel as our contracting partner or with registered users) and Article 6(1)(f) GDPR (legitimate interests in a secure and transparent tipping system, tenant separation, traceability of transactions and admin actions, product improvement). Where we are legally obliged to retain certain data or to disclose data to authorities, processing is additionally based on Article 6(1)(c) GDPR.

4.4.4. Retention period: Data on user accounts are processed for the duration of the contractual relationship with the respective hotel/company and thereafter as long as statutory retention obligations or legitimate interests (e.g. assertion or defence of claims) exist. Inactive accounts are generally deleted after [[DAUER LÖSCHUNG INAKTIVE KONTEN, e.g. 7 YEARS]] unless longer retention obligations apply.

4.4.5. Additional processing in the mobile staff app
Where staff also use the mobile Thank You App (e.g. iOS/Android app), we process, in addition to the data listed in section 4.4.1, in particular the following:

Authentication and account status
- E-mail address (login), Firebase UID, authentication tokens, password reset token, authentication timestamps.
- Passwords are processed exclusively by Firebase Authentication, stored in hashed and salted form, and are not visible to us in plain text.
- Multi-factor authentication (MFA) may be implemented optionally.
Profile and identity
- Display name, optional profile photo (uploaded to Firebase Storage), structured identity and address data where applicable (e.g. country, city) as well as KYC-related data where required by applicable law or contract (e.g. to comply with tax or employment law obligations).
- All identity data are stored in user-specific Firestore documents and protected by security rules.
Settings and preferences
- Local preferences (e.g. language, UI settings, notification settings) are stored on the end device; selected preferences are also synchronised to Firestore to enable consistency across devices.
- Location data may be used temporarily – if you grant the relevant permissions on your device – to pre-populate default values (country, currency) or determine contextual information for transactions. Location data are not stored permanently as separate movement profiles.
Tip defaults and transactions
- User-defined tip presets are stored in UID-specific Firestore collections.
- Transaction data (tipping history) are managed primarily in MySQL and additionally in Firestore as described in section 4.3; location-related information may optionally be stored in individual transaction records where this is required for documentation and traceability.
QR code generation
- User- and hotel-specific QR codes are generated on the server side and stored in Firebase Storage; referencing metadata are managed in Firestore. The codes serve to uniquely assign tips and are linked, for example, to rooms, tables or staff.
Support and feedback
- Haptic and audio feedback is processed locally on the device; no additional personal data are transmitted to our servers for this purpose.
- Where support requests are submitted from within the app by e-mail or via contact functions, section 4.2 applies in addition.

The above data processing serves to provide the functionality of the staff app, to enable a secure and traceable tipping and payout model, to store configurations and preferences and to ensure the integrity and security of the system. The legal bases are Article 6(1)(b) GDPR (performance of contract), Article 6(1)(f) GDPR (IT security, fraud prevention, product improvement) and – where location or KYC data are not legally required – Article 6(1)(a) GDPR (consent).

4.5. Contractual partners (hotels, other business partners) and their contact persons

4.5.1. In the context of contractual relationships with hotels and other business partners (e.g. payment service providers, marketing/IT service providers) we process data of our contractual partners and of their contact persons, in particular:

Master and contact data (company name, legal form, register details, name/function of contact persons, contact details),
Contract data (subject matter of the contract, term, conditions, correspondence),
Billing and payment data (bank details, payment terms, booking data).

4.5.2. The purpose is the initiation, management and performance of contractual relationships and compliance with statutory documentation and retention obligations.

4.5.3. The legal basis is Article 6(1)(b) and (c) GDPR; in addition we rely on our legitimate interests in an efficient and legally compliant business process (Article 6(1)(f) GDPR).

4.5.4. Retention period: For the duration of the contractual relationship and thereafter for the duration of statutory retention periods and limitation periods for related claims.

4.6. Newsletter / direct marketing (if implemented)

4.6.1. If you register for a newsletter or expressly agree to receive information (e.g. on product updates, new features, invitations to webinars), we process your e-mail address and, where applicable, your name.

4.6.2. The legal basis is your consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time with effect for the future, e.g. via the unsubscribe link in every newsletter e-mail.

4.6.3. Where we use e-mail contact details obtained in connection with an existing customer relationship for direct marketing of our own similar products, such use may be based on our legitimate interests (direct marketing, Article 6(1)(f) GDPR), to the extent permitted by applicable telecommunications law. You may object to this use at any time (see sections 13 and 16).

4.7. Applications

4.7.1. If you apply to us, we process your application documents (in particular master data, contact data, CV, certificates, cover letter, communication data). Any special categories of personal data provided voluntarily will only be processed within the limits permitted by law.

4.7.2. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures in the context of the application process) and – where necessary – Article 9(2)(b) and (h) GDPR.

4.7.3. Retention period: Application documents are generally retained for 6 Months after completion of the application process unless longer storage is required on the basis of explicit consent or due to ongoing proceedings.

4.8. Employees of TY APP TECHNOLOGIES LIMITED

4.8.1. Data of our own employees (in particular master, contact, contract, remuneration, working time and absence data) are processed exclusively for the establishment, performance and termination of the employment relationship and for compliance with employment, social security and tax law obligations.

4.8.2. The legal basis is Article 6(1)(b) and (c) GDPR, and additionally Article 9(2)(b) GDPR where special categories of data are concerned.

5. Collection of data from third parties

5.1. Where necessary, we also process data that have not been collected directly from the data subject, for example:

in the context of credit or sanctions list checks of hotels or companies,
from publicly accessible sources (e.g. commercial register, trade register, company websites).

5.2. We also receive data from third parties (e.g. our contractual hotels) where these provide us with staff data for the use of the Thank You App. Hotel operators are obliged to inform their staff about such transfer.

5.3. The legal basis is Article 6(1)(b), (c) or (f) GDPR, depending on the specific context.

6. Duration of processing, retention periods, transfers to third countries

6.1. We store personal data only for as long as this is required for the respective processing purposes, statutory retention obligations exist or we have a legitimate interest in storage (e.g. to defend against liability claims within limitation periods).

6.2. As soon as data are no longer required for the purposes mentioned and no statutory retention obligations prevent deletion, the data are deleted or anonymised.

6.3. For hosting and operating the Website, the Web App, the Admin Area and the mobile staff app we use, among other things, infrastructure from Google Firebase / Google Cloud Platform (GCP). This includes in particular hosting, databases (e.g. Firestore), push notifications (Firebase Cloud Messaging), remote config (feature flags), logging, monitoring and backups. In this context, personal data may be transferred to recipients in countries outside the EU/EEA (in particular the USA). Where no adequacy decision of the European Commission is in place, transfers are based on appropriate safeguards within the meaning of Articles 44 et seq. GDPR (in particular EU standard contractual clauses and supplementary technical and organisational measures).

6.4. In the context of payment processing (see section 9), data may be transferred to payment service providers established within or outside the EU/EEA (e.g. to Stripe Payments Europe, Limited, based in Ireland). [Link Informationen Zahlungsidenstleister: Dun & Bradstreet] Where required, appropriate safeguards within the meaning of the GDPR are also implemented for such transfers.

6.5. In exceptional cases, transfers may also be based on one of the derogations set out in Article 49 GDPR (e.g. explicit consent, necessity for the performance of a contract).

7. Server log files (access data)

7.1. When you access our Website, Web App, Admin Area and – where relevant – certain back-end interfaces (APIs), we automatically collect certain access data (“server log files”) for technical reasons, which your browser or app transmits. These include in particular:

IP address and unique device identifier,
date and time of access,
URL accessed and referrer URL,
amount of data transferred,
browser type and version used, operating system.

7.2. This data is processed for the following purposes:

establishing and maintaining the connection,
ensuring the stability and security of the systems,
error analysis and detection of abuse,
internal statistical analysis (in aggregated form).

Log data may be stored and analysed centrally via GCP/Firebase logging and monitoring services.

7.3. The legal basis is our legitimate interest in secure and stable technical operation of the Website, the Web App, the Admin Area and the mobile app (Article 6(1)(f) GDPR).

7.4. Retention period: Server log files are stored for 12 Months and then deleted unless further reasons (e.g. IT security incidents, ongoing proceedings) require longer retention.

8. Cookies and similar technologies (static cookie policy)

8.1. General

8.1.1. Our Website and Web App use cookies and similar technologies (e.g. local storage, pixels). Cookies are small text files that are stored on your end device and contain certain information.

8.1.2. We use

strictly necessary cookies that are essential for the operation of the Website/Web App (e.g. for display, security functions, session management, load balancing), and
optional cookies (e.g. for reach measurement, statistics, marketing), where you have consented to this.

8.1.3. Our application code for the marketing Website currently (as of 12/2025) does not set any additional tracking or marketing cookies; any cookies serve technical purposes only (e.g. session management, security). Technically necessary cookies may, however, be set by the hosting and infrastructure platform used (e.g. GCP/Firebase).

8.1.4. The cookie list below (section 8.4) is designed as a static overview with placeholders and must be adapted in the event of introduction, change or removal of cookies so that it reflects the actual use of cookies correctly.

8.2. Legal bases

8.2.1. Strictly necessary cookies are processed on the basis of our legitimate interest in a functioning and secure web presence (Article 6(1)(f) GDPR) and – where applicable – in accordance with national telecommunications provisions.

8.2.2. Non-essential cookies are only set if you have given your prior consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by adjusting your browser settings and/or deleting cookies.

8.2.3. Please note that if you deactivate certain cookies, some functions of the Website/Web App may be restricted or unavailable.

8.3. Cookie settings in the browser

8.3.1. You can configure your browser to prevent cookies from being stored or to display a notification before a new cookie is set. The relevant settings depend on the browser you are using.

8.3.2. You can delete cookies that have already been stored at any time via the browser settings.

9. Payment processing via payment service providers

9.1. For the processing of digital tips, payment service providers are integrated (e.g. card acquirers, payment service providers for Apple Pay/Google Pay). At present, Stripe Payments Europe, Limited, Ireland (“Stripe”) is used as a payment service provider; other payment service providers may be added in the future. Details on data processing by Stripe can be found in Stripe’s own privacy notice.

9.2. When using the Web App, payment data (e.g. card number, expiry date, CVC) are entered directly into an input mask of the payment service provider or into a technical component provided by it. We do not receive these sensitive payment data in full form, but only technical references and abstracted information (e.g. last 4 digits of the card, card type, token).

9.3. Payment service providers act – depending on the specific setup – as independent controllers or as joint controllers within the meaning of Article 26 GDPR. Further information on the processing of personal data by the respective payment service provider can be found in that provider’s own privacy notice.

9.4. The legal basis for integrating payment service providers is Article 6(1)(b) GDPR (performance of the payment/tipping contract) and Article 6(1)(f) GDPR (legitimate interest in secure and efficient payment processing).

10. Integration of third-party services and content

10.1. Where we in future integrate content or services of third parties on the Website or in the Web App (e.g. map services, embedded videos, fonts, CDNs), this may involve the transfer of personal data (in particular IP address, browser data) to such third parties.

10.2. Depending on the service, processing is either based on our legitimate interests (Article 6(1)(f) GDPR; e.g. in an attractive presentation of our online offering) or on your consent (Article 6(1)(a) GDPR), in particular where optional cookies are used for this purpose.

10.3. The specific third-party providers integrated and their privacy notices will be listed by name in this privacy notice or at another appropriate place on the Website as soon as they have been finalized.

11. Processors

11.1. We engage processors within the meaning of Article 4(8) and Article 28 GDPR for specific activities (e.g. hosting, e-mail dispatch, development, support, monitoring). We conclude data processing agreements with such processors pursuant to Article 28 GDPR to ensure an adequate level of data protection and that data are processed only in accordance with our instructions.

11.2. Our processors include in particular (examples, some already in use, some as placeholders):

Hosting / infrastructure: Google Cloud Platform / Firebase (Google LLC, USA)
E-mail and communication services: Google Cloud Platform / (Google LLC, USA)
Error and performance monitoring: [[MONITORING-DIENST]], [[SITZ]], [[LINK DSE]]

11.3. A list of the processors currently used can be made available on request (to [[KONTAKT-E-MAIL]]), provided that this does not compromise trade or business secrets.

12. Security of processing

12.1. We implement appropriate technical and organisational measures in accordance with Article 32 GDPR in order to ensure a level of security appropriate to the risk. These include in particular measures to safeguard the confidentiality, integrity and availability of systems (e.g. access and admission controls, encryption, backups, authorisation concepts, security policies).

12.2. Key technical principles of our platform include:

MySQL as the leading system (“source of truth”) for key business and transactional data,
Firestore as a non-authoritative but highly available real-time and synchronisation layer, with all writes to Firebase being performed exclusively via the back end,
strict role-based access control (RBAC) with clearly defined roles (e.g. Super Admin, Company Admin, Hotel Admin, Sales Representative) and tenant isolation per company and hotel,
no storage of raw passwords or full payment data in our systems; passwords are processed exclusively by Firebase Authentication, payment data exclusively by payment service providers,
comprehensive audit logs for security-relevant and administrative actions in the Admin Area.

12.3. Our security measures are reviewed regularly and adjusted where necessary to reflect the state of the art.

13. Rights of data subjects

13.1. Data subjects have the following rights under the applicable statutory provisions in particular:

Right of access (Article 15 GDPR): You may request information as to whether and which personal data we process about you and further information on this processing.
Right to rectification (Article 16 GDPR): You may request the rectification of inaccurate data and the completion of incomplete data.
Right to erasure (Article 17 GDPR): You may, under certain conditions, request the erasure of your personal data (“right to be forgotten”).
Right to restriction of processing (Article 18 GDPR): You may, in certain cases, request the restriction of processing.
Right to data portability (Article 20 GDPR): You have the right to receive the data you have provided in a structured, commonly used and machine-readable format and to have those data transmitted to another controller, where technically feasible.
Right to object (Article 21 GDPR): You may, on grounds relating to your particular situation, object at any time to processing based on Article 6(1)(e) or (f) GDPR. In the case of direct marketing, you have a general right to object.
Withdrawal of consent (Article 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
Right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes data protection law.

14. Exercising your rights, right to lodge a complaint

14.1. You may exercise your rights at any time by contacting:

TY APP TECHNOLOGIES LIMITED
61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus
E-mail: [[KONTAKT-E-MAIL]]

In order to process your request properly, we may ask you for additional information to verify your identity.

14.2. Irrespective of this, you have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority of your habitual residence, your place of work or the place of the alleged infringement is competent in particular.

15. Currency and amendment of this privacy notice

15.1. This privacy notice is currently valid and is dated 12/2025.

15.2. Due to the further development of our Website, Web App, Admin Area or mobile app or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy notice. The current version can be accessed on our website at any time.

1. Introduction, scope

1.4. Terms such as “personal data”, “processing”, “controller”, “processor” etc. are used in the sense of the definitions in Article 4 GDPR.

1.5. The current version of this privacy notice can be accessed, saved and printed at any time on our website.

2. Controller, data protection contact

2.1. The controller within the meaning of Article 4(7) GDPR is:

TY APP TECHNOLOGIES LIMITED
Registration number: HE 484442
Registered office: 61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus
E-mail (general): [[ALLGEMEINE KONTAKT-E-MAIL]]

3. Processing of personal data in general

3.1. We process personal data where this is

necessary for the performance of pre-contractual measures or a contract with you (Article 6(1)(b) GDPR),
necessary for compliance with legal obligations (e.g. statutory retention obligations under commercial and tax law, payment services regulation) (Article 6(1)(c) GDPR),
necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data (Article 6(1)(f) GDPR), or
based on consent given by you (Article 6(1)(a) GDPR).

3.4. Personal data will only be disclosed, transmitted or otherwise made accessible to third parties where and insofar as this is

necessary for the purposes described in this privacy notice,
required on the basis of a legal provision or a regulatory/judicial order, or
covered by a consent.

3.5. Within our company, only those departments and staff members will have access to personal data who need such data in order to perform their tasks (need-to-know principle).

4. Collection and processing of personal data from the data subject

4.1. Visit to the Website and Web App

4.1.2. In addition, cookies and similar technologies are used depending on your browser settings and consents (see section 8).

4.1.4. Retention period: Server log files are generally stored for 12 Months unless a longer storage period is required for security or evidential reasons.

4.2. Contact / Lead capture (“Contact Us” / “Get Started”)

Mandatory fields: First name, last name, business e-mail address, company name, company size, confirmation of the relevant conditions (e.g. terms/privacy).
Optional information: Telephone number, country, city, role/function in the company, information on how you heard about us, free-text message.
Meta/communication data: Time of the enquiry, technical log data, internal lead identifiers where applicable.

4.2.4. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures) and our legitimate interest in properly handling enquiries and documenting business communication (Article 6(1)(f) GDPR).

4.3. Use of the browser-based tipping function (Web App) by guests (“tippers”)

Transaction data: Date and time, amount, currency, payment status, QR code used or assignment to the beneficiary employee/team/hotel, transaction ID.
Context data: Hotel/location, room number or table ID where applicable, service/department (e.g. housekeeping, restaurant).
Optional data provided by the guest: Free-text message, rating, name, e-mail address for digital payment confirmations/receipts.
Technical data: IP address, device information, browser type and version, language settings where applicable (see also section 7).

4.4. Accounts for hotel administrators and staff (Admin Area and staff app)

Hotel/company data: Company name, address, industry, contact person, contract data, services booked, licence/tariff information.
Admin account data: Name, position, business contact details, login data (user name, e-mail), role and permission profiles (e.g. Super Admin, Company Admin, Hotel Admin, Sales Representative), assignment to companies/hotels.
Staff data: Name, unique staff ID, position/department, assignment to a hotel/location, language settings and further profile data where applicable (e.g. display name, optional profile picture).
Account/wallet data for the payout of tips: e.g. IBAN or other payment identifiers required for distributing and paying out tips.
Usage and configuration data: Login and activity logs, tipping history and totals, configurations and settings in the dashboard, sales pipeline information, commission data, feature flag information (remote config), audit logs for key admin actions.
Technical data: System and device information, device tokens (e.g. for push notifications via Firebase Cloud Messaging) and tenant/scope information to ensure tenant separation (tenant isolation).

Authentication and account status
- E-mail address (login), Firebase UID, authentication tokens, password reset token, authentication timestamps.
- Passwords are processed exclusively by Firebase Authentication, stored in hashed and salted form, and are not visible to us in plain text.
- Multi-factor authentication (MFA) may be implemented optionally.
Profile and identity
- Display name, optional profile photo (uploaded to Firebase Storage), structured identity and address data where applicable (e.g. country, city) as well as KYC-related data where required by applicable law or contract (e.g. to comply with tax or employment law obligations).
- All identity data are stored in user-specific Firestore documents and protected by security rules.
Settings and preferences
- Local preferences (e.g. language, UI settings, notification settings) are stored on the end device; selected preferences are also synchronised to Firestore to enable consistency across devices.
- Location data may be used temporarily – if you grant the relevant permissions on your device – to pre-populate default values (country, currency) or determine contextual information for transactions. Location data are not stored permanently as separate movement profiles.
Tip defaults and transactions
- User-defined tip presets are stored in UID-specific Firestore collections.
- Transaction data (tipping history) are managed primarily in MySQL and additionally in Firestore as described in section 4.3; location-related information may optionally be stored in individual transaction records where this is required for documentation and traceability.
QR code generation
- User- and hotel-specific QR codes are generated on the server side and stored in Firebase Storage; referencing metadata are managed in Firestore. The codes serve to uniquely assign tips and are linked, for example, to rooms, tables or staff.
Support and feedback
- Haptic and audio feedback is processed locally on the device; no additional personal data are transmitted to our servers for this purpose.
- Where support requests are submitted from within the app by e-mail or via contact functions, section 4.2 applies in addition.

4.5. Contractual partners (hotels, other business partners) and their contact persons

Master and contact data (company name, legal form, register details, name/function of contact persons, contact details),
Contract data (subject matter of the contract, term, conditions, correspondence),
Billing and payment data (bank details, payment terms, booking data).

4.5.2. The purpose is the initiation, management and performance of contractual relationships and compliance with statutory documentation and retention obligations.

4.5.3. The legal basis is Article 6(1)(b) and (c) GDPR; in addition we rely on our legitimate interests in an efficient and legally compliant business process (Article 6(1)(f) GDPR).

4.5.4. Retention period: For the duration of the contractual relationship and thereafter for the duration of statutory retention periods and limitation periods for related claims.

4.6. Newsletter / direct marketing (if implemented)

4.6.2. The legal basis is your consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time with effect for the future, e.g. via the unsubscribe link in every newsletter e-mail.

4.7. Applications

4.7.2. The legal basis is Article 6(1)(b) GDPR (pre-contractual measures in the context of the application process) and – where necessary – Article 9(2)(b) and (h) GDPR.

4.8. Employees of TY APP TECHNOLOGIES LIMITED

4.8.2. The legal basis is Article 6(1)(b) and (c) GDPR, and additionally Article 9(2)(b) GDPR where special categories of data are concerned.

5. Collection of data from third parties

5.1. Where necessary, we also process data that have not been collected directly from the data subject, for example:

in the context of credit or sanctions list checks of hotels or companies,
from publicly accessible sources (e.g. commercial register, trade register, company websites).

5.3. The legal basis is Article 6(1)(b), (c) or (f) GDPR, depending on the specific context.

6. Duration of processing, retention periods, transfers to third countries

6.2. As soon as data are no longer required for the purposes mentioned and no statutory retention obligations prevent deletion, the data are deleted or anonymised.

6.5. In exceptional cases, transfers may also be based on one of the derogations set out in Article 49 GDPR (e.g. explicit consent, necessity for the performance of a contract).

7. Server log files (access data)

IP address and unique device identifier,
date and time of access,
URL accessed and referrer URL,
amount of data transferred,
browser type and version used, operating system.

7.2. This data is processed for the following purposes:

establishing and maintaining the connection,
ensuring the stability and security of the systems,
error analysis and detection of abuse,
internal statistical analysis (in aggregated form).

Log data may be stored and analysed centrally via GCP/Firebase logging and monitoring services.

7.3. The legal basis is our legitimate interest in secure and stable technical operation of the Website, the Web App, the Admin Area and the mobile app (Article 6(1)(f) GDPR).

7.4. Retention period: Server log files are stored for 12 Months and then deleted unless further reasons (e.g. IT security incidents, ongoing proceedings) require longer retention.

8. Cookies and similar technologies (static cookie policy)

8.1. General

8.1.1. Our Website and Web App use cookies and similar technologies (e.g. local storage, pixels). Cookies are small text files that are stored on your end device and contain certain information.

8.1.2. We use

strictly necessary cookies that are essential for the operation of the Website/Web App (e.g. for display, security functions, session management, load balancing), and
optional cookies (e.g. for reach measurement, statistics, marketing), where you have consented to this.

8.2. Legal bases

8.2.3. Please note that if you deactivate certain cookies, some functions of the Website/Web App may be restricted or unavailable.

8.3. Cookie settings in the browser

8.3.1. You can configure your browser to prevent cookies from being stored or to display a notification before a new cookie is set. The relevant settings depend on the browser you are using.

8.3.2. You can delete cookies that have already been stored at any time via the browser settings.

9. Payment processing via payment service providers

10. Integration of third-party services and content

11. Processors

11.2. Our processors include in particular (examples, some already in use, some as placeholders):

Hosting / infrastructure: Google Cloud Platform / Firebase (Google LLC, USA)
E-mail and communication services: Google Cloud Platform / (Google LLC, USA)
Error and performance monitoring: [[MONITORING-DIENST]], [[SITZ]], [[LINK DSE]]

11.3. A list of the processors currently used can be made available on request (to [[KONTAKT-E-MAIL]]), provided that this does not compromise trade or business secrets.

12. Security of processing

12.2. Key technical principles of our platform include:

MySQL as the leading system (“source of truth”) for key business and transactional data,
Firestore as a non-authoritative but highly available real-time and synchronisation layer, with all writes to Firebase being performed exclusively via the back end,
strict role-based access control (RBAC) with clearly defined roles (e.g. Super Admin, Company Admin, Hotel Admin, Sales Representative) and tenant isolation per company and hotel,
no storage of raw passwords or full payment data in our systems; passwords are processed exclusively by Firebase Authentication, payment data exclusively by payment service providers,
comprehensive audit logs for security-relevant and administrative actions in the Admin Area.

12.3. Our security measures are reviewed regularly and adjusted where necessary to reflect the state of the art.

13. Rights of data subjects

13.1. Data subjects have the following rights under the applicable statutory provisions in particular:

Right of access (Article 15 GDPR): You may request information as to whether and which personal data we process about you and further information on this processing.
Right to rectification (Article 16 GDPR): You may request the rectification of inaccurate data and the completion of incomplete data.
Right to erasure (Article 17 GDPR): You may, under certain conditions, request the erasure of your personal data (“right to be forgotten”).
Right to restriction of processing (Article 18 GDPR): You may, in certain cases, request the restriction of processing.
Right to data portability (Article 20 GDPR): You have the right to receive the data you have provided in a structured, commonly used and machine-readable format and to have those data transmitted to another controller, where technically feasible.
Right to object (Article 21 GDPR): You may, on grounds relating to your particular situation, object at any time to processing based on Article 6(1)(e) or (f) GDPR. In the case of direct marketing, you have a general right to object.
Withdrawal of consent (Article 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
Right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes data protection law.

14. Exercising your rights, right to lodge a complaint

14.1. You may exercise your rights at any time by contacting:

TY APP TECHNOLOGIES LIMITED
61–63 Lord Byron Street, 6th floor, office 602, 6023 Larnaca, Cyprus
E-mail: [[KONTAKT-E-MAIL]]

In order to process your request properly, we may ask you for additional information to verify your identity.

15. Currency and amendment of this privacy notice

15.1. This privacy notice is currently valid and is dated 12/2025.

Privacy Notice - Articles 12 and 13 GDPR for the Website and Web App „Thank You App“

1. Introduction, scope

2. Controller, data protection contact

3. Processing of personal data in general

4. Collection and processing of personal data from the data subject

4.1. Visit to the Website and Web App

4.2. Contact / Lead capture (“Contact Us” / “Get Started”)

4.3. Use of the browser-based tipping function (Web App) by guests (“tippers”)

4.4. Accounts for hotel administrators and staff (Admin Area and staff app)

4.5. Contractual partners (hotels, other business partners) and their contact persons

4.6. Newsletter / direct marketing (if implemented)

4.7. Applications

4.8. Employees of TY APP TECHNOLOGIES LIMITED

5. Collection of data from third parties

6. Duration of processing, retention periods, transfers to third countries

7. Server log files (access data)

8. Cookies and similar technologies (static cookie policy)

8.1. General

8.2. Legal bases

8.3. Cookie settings in the browser

9. Payment processing via payment service providers

10. Integration of third-party services and content

11. Processors

12. Security of processing

13. Rights of data subjects

14. Exercising your rights, right to lodge a complaint

15. Currency and amendment of this privacy notice

Privacy Notice - Articles 12 and 13 GDPR for the Website and Web App „Thank You App“

1. Introduction, scope

2. Controller, data protection contact

3. Processing of personal data in general

4. Collection and processing of personal data from the data subject

4.1. Visit to the Website and Web App

4.2. Contact / Lead capture (“Contact Us” / “Get Started”)

4.3. Use of the browser-based tipping function (Web App) by guests (“tippers”)

4.4. Accounts for hotel administrators and staff (Admin Area and staff app)

4.5. Contractual partners (hotels, other business partners) and their contact persons

4.6. Newsletter / direct marketing (if implemented)

4.7. Applications

4.8. Employees of TY APP TECHNOLOGIES LIMITED

5. Collection of data from third parties

6. Duration of processing, retention periods, transfers to third countries

7. Server log files (access data)

8. Cookies and similar technologies (static cookie policy)

8.1. General

8.2. Legal bases

8.3. Cookie settings in the browser

9. Payment processing via payment service providers

10. Integration of third-party services and content

11. Processors

12. Security of processing

13. Rights of data subjects

14. Exercising your rights, right to lodge a complaint

15. Currency and amendment of this privacy notice