Privacy Policy

We, Lovelaice GmbH ("we" or "us"), are committed to protecting your privacy when you access and use our Websites and use and/or receive our Services and to ensure the security and integrity of your personal data in accordance with applicable data protection laws.

Personal data means any information relating to an identified or identifiable natural person.

This Privacy Policy governs our websites including lovelaice.com, www.lovelaice.com, app.lovelaice.com ("Websites") and the applications and other services offered by, and corporate events related to us ("Services"). It gives details of what data is collected by and/or provided to us when accessing and using our Websites and using and/or receiving our Services, how we may store and use such personal data and what rights you have as a data subject regarding your personal data.

Last updated: March 6, 2026

A. Data Controller

The data controller for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:

Lovelaice GmbH

Kemptener Straße 64

D-87600 Kaufbeuren

contact@lovelaice.com

Further information on this Privacy Policy and about exercising your data protection rights can be obtained from us at the above contact details.

B. Collection of Your Personal Data

We collect your personal data when:

you use our Websites or use and/or receive our Services,
you contact us via any means, including via phone, email, social media or contact forms,
you disclose or submit information via channels operated by us (including our Websites and Services, blogs and community forums) or register for or log in to such channels operated by us, and/or
third parties provide us with your personal data in accordance with applicable data protection laws.

It is necessary for us to collect personal data in order to offer you our Websites and Services. If you do not provide us with the personal data that we request, we may not be able to offer you our Websites and Services properly.

C. Types of Data Collected

We may collect the following data about you:

Master Data — Personal information such as name, email address and company information.
Input Data — Information you provide when you contact us or information you disclose or submit within channels operated by us (including our Websites and our Services) or when you register for or log-in to such channels, such as support requests.
Contract Data — Information relating to any contract between you and us such as user ID and contractual dates.
Billing Data — Information you provide to us for billing purposes, such as tax numbers and VAT identification numbers, or that we create for billing purposes, such as invoice numbers.
Preferences — Information regarding how you wish to interact with us such as information regarding how you wish to be contacted by us and how you wish to use and/or receive our Services.
Usage Data — Information about how you use and interact on our Websites and in relation to our Services such as information on what features of our Websites and Services are being used, experiment metadata, logs, IP address, IP location and unique device identifiers of your internet access device, information on browser type and version, information on browser plug-in types and versions, log-in data, mobile network information, time zone settings, operating system and platform, URL clickstream to, through and from our Websites and Services, length and time of visit to our Websites and use of our Services, interactions with user interfaces, page interactions including scrolling and mouseovers.

D. Purposes of Processing | Legal Basis | Legitimate Interests

We will process your personal data only to the extent permitted under applicable laws. The following table describes the purposes for which and the legal basis on which we process your personal data and — where the processing is carried out for the purpose of safeguarding our legitimate interests or those of a third party (Art. 6 (1) 1 f) GDPR) — states the respective legitimate interests relevant in each case:

Purpose of Processing	Legal Basis	Legitimate Interests
Specific purposes chosen by you	Art. 6 (1) 1 a) GDPR	n/a
Providing marketing information and communications regarding any of our services (including newsletters, personalized advertising and tracking for marketing purposes)	Art. 6 (1) 1 a) GDPR, Art. 6 (1) 1 f) GDPR	To inform about the business activities of us
Conducting market research	Art. 6 (1) 1 a) GDPR	n/a
Verification of your identity for the use of certain our Websites and the use of certain our Services	Art. 6 (1) 1 a) GDPR	n/a
Fulfilling our obligations under contracts entered between you and us, performing such contracts and taking necessary steps requested by you before entering into such contract	Art. 6 (1) 1 b) GDPR	n/a
Complying with a statutory duty or an order of a competent court or public authority	Art. 6 (1) 1 c) GDPR	n/a
Providing the possibility to be contacted for any reason and to be able to respond to enquiries and feedback	Art. 6 (1) 1 a), b), f) GDPR	To ensure our availability for any requests
Providing our Websites and our Services for the public and for registered users	Art. 6 (1) 1 b), f) GDPR	To inform about and carry out the business activities of us
Enabling and maintaining the functionality of our Websites and our Services	Art. 6 (1) 1 b), f) GDPR	To inform about and carry out the business activities of us
Ensuring the usability of our Websites and our Services	Art. 6 (1) 1 b), f) GDPR	To ensure that our Websites and our Services can be used in a suitable manner
Continuous optimization of our Websites and our Services	Art. 6 (1) 1 b), f) GDPR	To ensure that our Websites and our Services remain innovative, up to date and can be used in a suitable manner
Analyzing and monitoring the use of our Websites and our Services	Art. 6 (1) 1 a), b), f) GDPR	To understand and meter how our Websites and our Services are used in order to recognize any faults and disruptions, to enhance their functionality and to improve our Services and the user experience
Ensuring the overall system security, health and stability of our Websites and our Services	Art. 6 (1) 1 b), c), f) GDPR	To provide our Websites and our Services free from errors and defects and to ensure their security
Preventing unauthorized or unlawful use of and access to our Websites and our Services	Art. 6 (1) 1 c), f) GDPR	To protect your data and your interests, to ensure the security of our Websites and Services and to protect our business activities, business interests, intellectual property and other rights of us
Safeguarding and defending our vital interests and exercising any rights and asserting any claims we may have	Art. 6 (1) 1 f) GDPR	To protect our business activities, business interests, intellectual property and other rights of us and to safeguard any rights and remedies available to us

The respective legal basis mentioned in the above table is further described as follows:

Art. 6 (1) 1 a) GDPR: You have given your consent to the processing of your personal data by us.
Art. 6 (1) 1 b) GDPR: The processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such contract.
Art. 6 (1) 1 c) GDPR: The processing of your personal data is necessary for compliance with one of our legal obligations.
Art. 6 (1) 1 f) GDPR: The processing of your personal data is necessary for the purposes of our legitimate interests or those of a third party, and your interests or fundamental rights and freedoms that require the protection of personal data do not override those interests.

We generally do not process special categories of personal data pursuant to Article 9 (1) GDPR (for example information or photographs that may reveal ethnic origin, health, religion, sexual orientation or similar) and ask you to not provide any such special categories of personal data to us e.g. via the Websites or Services.

E. No Automated Decision-Making

No automated decision-making, including profiling, takes place.

F. Use of Cookies

We use cookie technology on our Websites and within our Services. When you access and use our Websites and Services, a cookie may be placed within the memory of your internet access device. A cookie is a small piece of data containing alphanumerical information that our Websites and Services can store via your internet access device for later retrieval. We use such cookies to provide you with a personalized and improved user experience.

Our Websites and Services use both transient cookies and persistent cookies.

Transient cookies: Transient cookies are automatically deleted upon closing of your browser. Such transient cookies also include, in particular, session cookies. Session cookies contain a session identifier, allowing different requests from your browser to be assigned to your particular browsing session and will allow your internet access device to be recognized upon your return to our Websites and Services.
Persistent cookies: Persistent cookies will be automatically deleted after a specified period of time, which may vary depending on the type of cookie placed. We may use persistent cookies to help us to track use of our Websites and Services, such as the number and frequency of visits to our Websites and Services and which parts of our Websites and Services are visited.

We use cookies for several purposes — including for marketing purposes where you have given your prior consent or where we have a legitimate interest to use cookies — as specified in Section D of this Privacy Policy. Many browsers accept cookies per default. However, your browser settings can be configured in order to prevent the storage of cookies. You may also delete cookies placed by our Websites at any time within your browser settings. Deactivating the storage of or deleting cookies may limit the functionality of our Websites.

G. Recipients of Personal Data | Third-Party Services

We will not sell, license, rent or trade your personal data. We will not otherwise disclose your personal data except as described within this Privacy Policy.

To facilitate the achievement of the purposes for processing your personal data as described in Section D of this Privacy Policy, we may also disclose your personal data to the recipients listed below in connection with services they provide to us. These recipients may process your personal data only on our express instructions and have committed to us to maintain confidentiality and to ensure appropriate technical and organizational data protection measures:

Email service providers (currently Google Ireland Limited and Loops, Inc.),
Processing facility providers (currently Amazon Web Services EMEA Sàrl),
AI and model infrastructure providers (currently OpenAI, L.L.C., Anthropic PBC, Google LLC, Mistral AI SAS, Perplexity AI Inc., DeepSeek, and OpenRouter),
Billing solution providers (currently Stripe, Inc.),
Interactive fonts providers (currently Google Ireland Limited),
Error tracking and monitoring providers (currently Functional Software, Inc., d/b/a Sentry), and
Data analytics providers (currently Google Ireland Limited and Amplitude, Inc.).

We may also disclose your personal data to third parties, if required by law, e.g. in order to respond to a court or government request.

H. Third-Country Data Transfers

We process personal data within the European Economic Area (EEA) unless otherwise stated below / in this Privacy Policy:

Amazon Web Services (AWS): We use AWS for provision of processing facilities and data storage, provided by Amazon Web Services EMEA Sàrl. AWS may process data outside the EEA. We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU–US Data Privacy Framework (DPF)), or EU Standard Contractual Clauses (SCCs) and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third-country transfers and relevant case law of the Court of Justice of the European Union.
Amplitude: We use Amplitude on our Websites and within our Services, a product analytics service provided by Amplitude, Inc. Amplitude collects event-based usage data (such as feature usage, experiment metadata, logs and session information) to help us analyze product usage, perform user behavior analysis and generate aggregated product insights. The data collected by Amplitude may be transferred to and processed on servers in the US by relying on the DPF. We have also entered into SCCs with Amplitude.
Google Analytics: We use Google Analytics on our Websites, a cookie-based web analytics service provided by Google Ireland Limited. The information generated by the cookie about your use of our Websites may be transmitted to a Google server in the USA. Any transfer outside the EEA to the US within the Google group is based on the DPF; we have also entered into SCCs with Google. As "IP anonymization" is activated for our Websites, any collected IP address will be truncated by Google within the EU or EEA before being transmitted to a Google server in the US. Google will use this information on our behalf to analyze the use of our Websites, to compile reports on website activity and to provide services to us related to the use of our Websites.
Google Fonts: We use Google Fonts on our Websites, a service of Google Ireland Limited for the integration of external fonts. In order to integrate such fonts, they are usually retrieved from a Google server in the USA. When you visit our websites, certain usage data is transmitted to such server and stored by Google. Any transfer outside the EEA to the US within the Google group is based on the DPF; we have also entered into SCCs with Google.
Stripe: We use Stripe on our websites, a payment-processing service provided by Stripe, Inc. Stripe may process data outside the EEA. We ensure adequate protection by relying on EU Commission Adequacy Decisions (where available), or SCCs and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third-country transfers, and relevant case law of the Court of Justice of the European Union.
YouTube: Our Websites use embedded videos offered by YouTube, a service of Google Ireland Limited. We have activated the "extended data protection mode" offered by YouTube. According to YouTube, data will therefore only be transmitted to YouTube when an embedded video is played. If you play these videos, YouTube may collect certain usage data and other information about your use of the video. Any transfer outside the EEA to the US within the Google group is based on the DPF; we have also entered into SCCs with Google.
Google Login and GitHub Login: We support Google Login and GitHub Login on our Websites. These tools allow you to authenticate with our Websites and Services using your existing provider account without a separate registration process. Depending on your privacy settings with the provider, the provider may transmit basic profile information (for example name, profile picture and email address) and other publicly available profile data to us. Data transfers to provider servers outside the EEA (e.g. the US) may occur and are subject to the provider's transfer arrangements (for example SCCs).

I. Retention Time

We store your personal data for the period of time that is necessary for the purpose for which it was collected (see Section D of this Privacy Policy) and/or for as long as we have a legitimate interest in storing such data. We also store your personal data for a period prescribed by law, by court order or by official regulation — the exact period may vary from case to case. To the extent necessary, we also store your personal data until the expiry of applicable limitation periods for the enforcement of our own claims.

The criteria applied by us to determine the storage period include:

The period of time over which we provide our Websites and Services to you,
whether there is a legal retention obligation to which we are subject, and
whether retention is advisable in view of our legal position.

J. Your Data Subject Rights

You have the following rights under the GDPR regarding the processing of your personal data:

Right of access (Art. 15 GDPR),
Right to rectification (Art. 16 GDPR),
Right to erasure (so called "right to be forgotten") (Art. 17 GDPR),
Right to restriction of processing (Art. 18 GDPR),
Right to data portability (Art. 20 GDPR),
Right to object to processing in certain cases (Art. 21 GDPR),
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR), and
Right to withdraw consent at any time if the processing of your personal data is based on such consent. Such withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

To exercise the above rights, please contact us at the contact details provided in Section A of this Privacy Policy.

Irrespective of the above rights, you have the right to lodge a complaint with a competent supervisory authority.

K. Data Security

We have established a privacy program designed to help protect your personal data. We use industry-standard encryption to secure data transmitted between your device and our servers. We maintain reasonable administrative and technical safeguards intended to protect against the loss, misuse, unauthorized access, alteration, or disclosure of your personal data. All data is securely stored and can only be accessed by entitled employees of us on a "need to know basis".

L. Version

This is the current version of our Privacy Policy. We reserve the right to adapt this Privacy Policy, in particular in the event of changes to legal requirements or adjustments to our websites.

Changes to this Privacy Policy will be made by updating this page and, where required, communicated to you separately. We recommend that you review this Privacy Policy at regular intervals.