Privacy Policy

In the following, we inform you about who is responsible for processing your personal data, for what purpose and to what extent your personal data is processed and what rights you have.

This privacy policy applies to both the distribution and the operation of the kōno App by C. Josef Lamy GmbH.

In the context of the further development of data protection law and technological or organizational changes, our data protection information is regularly reviewed for the need to adapt or supplement it and adapted as necessary.

This data protection notice has the status of 12/12/2022

‍
A. Information About the Responsible Persons

I. Name and Contact Details of the Responsible Persons

C. Josef Lamy GmbH
‍Grenzhöfer Weg 32
69123 Heidelberg
Germany

info@lamy.de

II. Name and Contact Detail of the Data Security Officer

Michael Gruber
Externer Datenschutzbeauftragter
BSP-SECURITY

datenschutzbeauftragter@lamy.de

‍

B. Information on the Scope and Purpose of the Processing of Personal Data

I. Distribution of the kōno App

‍

1. Server Log Files

Each time you visit the Lamy websites, usage data is transmitted to us or our web hoster/IT service provider by your Internet browser and stored in log data (so-called server log files). This stored data includes

- Time of the call,
- Name of the page called up,
- IP address (masked),
- browser used,
- operating system used and
- HTTP method.

The legal basis for this data processing is our overriding legitimate interest in ensuring the trouble-free operation of our Lamy websites in accordance with Art. 6 para. 1 p. 1 lit f General Data Protection Policy (GDPR).

This personal data is deleted by us after 90 days.‍

‍

2. Cookies

We use different types of cookies. Below you will find information about these different types.

‍a) Technically Necessary Cookies

Technically necessary cookies ensure functions without which our websites cannot be used as intended. These are so-called first party cookies that are only used by us. The legal basis is our overriding legitimate interest in accordance with Art. 6 para. 1 p. 1 lit. f GDPR in the error-free functioning of our Lamy websites. This personal data is deleted by us after 30 days at the latest. You can find further information in our cookie banner under "Cookie details".

b) Functional Cookies

Functional cookies are not absolutely necessary for the operation of our Lamy websites, but support their user-friendliness, for example by storing language or location settings for a renewed visit to the Lamy websites. The legal basis for the use of these cookies is your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. This personal data is deleted by us after 90 days at the latest. You can find further information in our cookie banner under "Cookie details".

c) Analysis Cookies

Analysis cookies collect information about how you use websites. This is to improve their attractiveness, content and functionality. For this purpose, the following information is collected, for example

- the number of times a page or sub-pages are accessed,
- the time spent on the website,
- the order of the pages visited
- which search terms led you to our website
- the country, region, and city from which the access occurred
- the percentage of mobile devices accessing the Lamy websites, and
- which areas of a website are of particular interest to you.

The legal basis for the setting of analysis cookies is your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. We delete this personal data after 12 months at the latest. Further information can be found in section 3 "Analysis and marketing" and in our cookie banner under "Cookie details".

‍

3. Marketing Cookies

Marketing cookies help us to analyze our advertising campaigns with our advertising partners and to create a profile of your interests in order to show you relevant and targeted advertising on other websites. These are so-called third-party cookies that are set by our advertising partners when you visit our Lamy websites. The legal basis for the setting of marketing cookies is your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. This personal data is deleted by us after 12 months at the latest. Further information can be found in section 3 "Analysis and marketing" and in our cookie banner under "Cookie details".

a) Use of Google Analytics

We use Google Analytics on our Lamy websites. Google Analytics is a web analytics service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google LLC and Google Ireland Limited hereinafter jointly "Google").‍

aa) Type of Data Processing

Google Analytics uses cookies to analyze your use of the Lamy website. Google Analytics thus receives the following information about you:

- Online identifiers including cookie identifiers,
- IP addresses,
- device identifiers and
- identifiers assigned by you.

We receive the following information, for example:

- Access numbers to certain pages within the website (so-called click path),
- Information about times of access (so-called dwell time of the user),
- information about pages from which the user accesses the website (so-called referrer URL),
- information about pages via which the user leaves the website (so-called bounce pages),
- information about the regional origin of users (e.g., sorted by city or country of origin), and
- information about the conversion rate of certain sub-pages.

The Lamy websites use Google Analytics with the extension "_anonymizeIp()" (so-called IP masking). This shortens IP addresses before they are transmitted to the USA within member states of the European Union. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and only shortened there.

On behalf of Lamy, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.

bb) Legal Basis of the Data Processing

The information collected in this way is usually transferred to a Google server in the USA and stored there. For the USA, there is no adequacy decision pursuant to Art. 45 GDPR, as the USA cannot provide protection of personal data comparable to the GDPR. Access by US authorities to the data stored by Google cannot be ruled out. We have agreed standard contractual clauses with Google that serve as a guarantee for adequate protection of your data. The standard contractual clauses are available at https://workspace.google.com/terms/mcc_terms.html.

The legal basis for this data processing is your consent pursuant to Art. 6 (1) p. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time and without giving reasons for the future. The legality of the processing carried out based on the consent until the revocation is not affected by the revocation.

By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our websites, it may no longer be possible to fully use all functions of the websites.

In addition, you can prevent the collection of data generated by the cookie and related to your use of our websites to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link ((https://tools.google.com/dlpage/gaoptout?hl=de).

For more information on terms of use of Google Analytics and data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/?hl=de.

cc) Storage Period

We delete this personal data after 12 months.

b) Use of Google Ads Conversion Tracking

We use Google Ads for online marketing on our Lamy websites. Google Ads is an online advertising system of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google LLC and Google Ireland Limited hereinafter jointly "Google").

aa) Type of Data Processing

We use the conversion tracking tool offered by Google Ads. A so-called conversion occurs when you click on one of our Google Ads ads and then interact with us in some other way, for example by making a purchase or signing up for the newsletter. This allows us to see which keywords, ads and campaigns lead to customer actions. Conversion tracking allows us to evaluate and optimize the success of our advertising efforts.

The Google Ads conversion tracking tool uses cookies for this purpose. As soon as you click on one of Lamy's Google Ads ads and thereby reach one of our Lamy websites, Google Ads stores a cookie. This cookie enables Google Ads to recognize your web browser. If you visit our Lamy websites and the conversion cookie has not yet expired, Google and we recognize that you have clicked on a Google Ads ad from Lamy and were thereby redirected to one of the Lamy websites. The cookie with the conversion data is read by Google and we receive statistical evaluations from Google. We do not collect any personal data ourselves. We have no influence on how Google uses the data. However, according to its own information, Google takes care to maintain the confidentiality and security of conversion data.

By means of conversion cookies, we receive the following information:

- Unique cookie ID,
- number of ad impressions per placement (frequency),
- last impression (relevant for post-view conversions) and
- Opt-out information (marking that you no longer wish to be contacted).

bb) Legal Basis of the Data Processing

The data collected in this way is usually transferred to a Google server in the USA and stored there. For the USA, there is no adequacy decision according to Art. 45 GDPR, since the USA cannot provide protection of personal data comparable to the European GDPR. Access by US authorities to the data stored by Google cannot be ruled out. We have agreed standard contractual clauses with Google that serve as a guarantee for adequate protection of your data. The standard contractual clauses are available at https://workspace.google.com/terms/mcc_terms.html

By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our Lamy websites, it may no longer be possible to fully use all functions of the Lamy websites.

In addition, you can prevent the collection of data generated by the cookie and related to your use of the Lamy websites (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de).

For more information on terms of use of Google Ads and data protection at Google, please visit https://support.google.com/google-ads/answer/9028179?hl=de&ref_topic=3119071 https://policies.google.com/?hl=de.

cc) Storage Period

This personal data is deleted by us after 12 months.

c) Google Tag Manager

We use Google Tag Manager for online marketing on our Lamy websites. The Google Tag Manager is an online advertising system of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google LLC and Google Ireland Limited hereinafter jointly "Google").‍

aa) Type of Data Processing

The Google Tag Manager is a tool that we integrate and manage centrally via a user interface. Tags are small sections of code that track your activities, for example. For this purpose, JavaScript code sections are inserted into the source code of our website, which can come from Google-internal products but also from other providers. We use this to track the following:

- IP address
- Location
- Information on operating system and terminal device

bb) Legal Basis of the Data Processing

By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our Lamy websites, it may no longer be possible to fully use all functions of the Lamy websites.

For more information on terms of use of Google Tag manager and data protection at Google, please visit https://support.google.com/google-ads/answer/9028179?hl=de&ref_topic=3119071 https://policies.google.com/?hl=de.

cc) Storage Period

This personal data is deleted by us after 12 months.

d) FullStory

To analyze user behavior on our website, we use the analytics service FullStory, of FullStory Inc, 120 Ottley Dr NE Ste 100, Atlanta, GA 30324, USA ("FullStory").

aa) Type of Data Processing

FullStory records information about the behavior of website visitors, enabling us to analyze it and improve the user experience on our website. In doing so, FullStory processesthe following data:

‍

Usage patterns:

- Clicks
- Mouse movements
- Scrolling
- Typing (except sensitive information)

Tech specs:

- Browser
- Device type
- Operating system
- Viewfinder size
- Script errors
- IP address (can be disabled)

Navigation:

- Pages visited
- Referrers
- URL parameters
- Session duration

bb) Legal Basis of the Data Processing

The data collected in this way is generally transferred to a FullStory server in the USA and stored there. For the USA, there is no adequacy decision according to Art. 45 GDPR, as the USA cannot provide protection of personal data comparable to the European GDPR. Access by US authorities to the data stored by FullStory cannot be ruled out. We have agreed standard contractual clauses with FullStory that serve as a guarantee for adequate protection of your data. FullStory's privacy statement is available at https://www.fullstory.com/legal/privacy-policy/

The legal basis for data processing is your consent according to Art. 6 para. 1 p. 1 lit. a) GDPR.

You can revoke your consent for data processing at any time with effect for the future by using the following opt-out link: https://www.fullstory.com/optout/.

cc) Storage Period

This personal data will be deleted by us after 12 months.

e) Meta Ads

We use the analysis tool Meta Ads on our Lamy websites. Meat Ads is a service of Meta Platforms Inc. The responsible service provider in the EU is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta Platforms Inc. and Meta Ireland Limited hereinafter jointly "Meta").

aa) Type of Data Processing

With the help of Meta Ads, we can adapt our advertising measures to your interests. This is done by a snippet of JavaScript code that is triggered and saves your user behavior on our Lamy websites by means of cookies if you have reached the Lamy websites via a Meta Ad. These cookies allow Meta to match your user data with your Facebook account data. If you are logged in as a Facebook user, your visit to our Lamy websites is automatically assigned to your account.

Meta Ads collects the following information, which is passed on to us:

Information stored in the HTTP header, i.e. IP address, information about the web browser used, page location, document, referrer and the visitor to the web pages,
Pixel-specific data, i.e. pixel ID and data of the Facebook cookie,
Button click data, i.e. all buttons clicked by you on the Lamy websites and all pages called up as a result of the button clicks,
optional values when visiting personalized data events, e.g. conversion value and page type, and
Form field names filled in when you purchase a product, e.g., email address, address and quantity of product purchased.

bb) Legal Basis of the Data Processing

bb) Legal Basis of the Data Processing

The data collected in this way may be transferred to a LinkedIn server in the USA and stored there. For the USA, there is no adequacy decision according to Art. 45 GDPR, since the USA cannot provide protection of personal data comparable to the European GDPR. Access by US authorities to data stored on Celonis Inc. cannot be ruled out. We have agreed standard contractual clauses with LinkedIn that serve as a guarantee for adequate protection of your data. You can find further information at https://www.make.com/en/privacy-notice.

cc) Storage Period

This personal data will be deleted by us after 12 months.

i) Typeform

We use Typeform from TYPEFORM SL, C/Bac de Roda, 163 (Local), 08018 Barcelona Spain (Typeform) for our contact form. This allows us to provide you with an easy way to contact us.

aa) Type of Data Processing

For this purpose, we share the following personal data with Typeform:

Name
Email Address
Device
Occupation

Mandatory data are marked with an *.

Typeform is a recipient of your personal data and acts as a processor for us. The processing of the data provided in this section is not required by law or contract. Without your consent and the transmission of your personal data, we cannot provide you with a contact form. However, you have the possibility to contact us at the following e-mail address info@lamy.de. The data will be stored exclusively for the purpose of transmitting inquiries and responding to them. The obligatory data serve the allocation and the answer of your request.

In addition, Typeform collects the following personal data with the help of cookies: Information about your terminal device (IP address, device information, operating system, browser settings). Furthermore, usage data is collected such as date and time when you used the contact form. Typeform needs this data to ensure the presentation of the contact form and its functionality.

bb) Legal Basis of Data Processing

This corresponds to Typeform's legitimate interest (pursuant to Art. 6 para. 1 p. 1 lit. f GDPR) and serves the performance of the contract (pursuant to Art. 6 para. 1 p. 1 lit. b GDPR). You can find more information at: https://help.typeform.com/hc/en-us/articles/360029581691-What-happens-to-my-data.

The legal basis for this processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. The revocation can be made via the specified contact options. Your data will be processed as long as a corresponding consent exists. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.

You can find more information on objection and removal options vis-à-vis Typeform at: https://admin.typeform.com/to/dwk6gt.

cc) Storage Period

This personal data will be deleted by us after 12 months.

‍

II. SendinBlue, Newsletterservice

For our newsletter service we use the service provider Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin ("Sendinblue"). Information about Sendinblue can be found at https://de.sendinblue.com/datenschutz-uebersicht/.

If you enter your e-mail address in the box provided for newsletter registration on the landing page and click the checkbox to receive the newsletter, you consent to us processing your e-mail address for this purpose. When registering to receive the newsletter, in addition to your e-mail address, your IP address, your name, and with your consent your occupation, employer type, personal motivation to use the App, your gender as well as the date and time of the request will be stored to provide evidence in the event of misuse of the e-mail address used.

The legal basis for the data processing is your consent in accordance with Art. 6 Para. 1 S. 1 lit. GDPR. You can revoke your consent once given at any time and without giving reasons for the future (by e-mail to datenschutzbeauftragter@lamy.de or via the unsubscribe link provided in each e-mail). The lawfulness of the processing carried out based on the consent until the revocation is not affected by the revocation.

After revocation of the consent, we will delete the data transmitted by you via the request, unless and to the extent that legal, in particular commercial and tax law retention periods are opposed or another legal basis exists.

‍

III. Data Processed During the Purchase of the App

‍

1. App Store and Other App Providers

When you download this app, certain personal data required for this purpose will be transmitted to the corresponding App Store (Apple App Store) or the respective other app provider.

In particular, the e-mail address, user name, customer number of the downloading account, the individual device identification number, payment information and the time of download are transmitted to the App Store or the respective other app provider.

We have no influence on the collection and processing of this data, which is carried out exclusively by the app store selected by you. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the App Store or the respective other app provider.

‍

2. Payment Service Provider

As a payment service provider and A part of our tax obligations, we use Stripe Technology Europe Ltd, The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland.

For this, the data required for the processing of payments and for the invoice, such as name, e-mail address, date of birth and means of payment are processed. If required for tax obligations, the address, tax identification number, company information, as well as the company's online transaction history and sales taxes collected, total tax payments to date, and other relevant information required for processing the business user's tax returns are also processed.

The legal basis for this is Art. 6 para. 1 p. 1 lit. b, f GDPR. You can find more information under https://stripe.com/, https://stripe.com/de/payments, https://stripe.com/de/payments/checkout, https://stripe.com/de/billing, https://stripe.com/de/invoicing, https://stripe.com/de/legal/dpa, https://stripe.com/de/tax, https://stripe.com/de/privacy, and https://stripe.com/de/legal/ssa.

The storage period is based on the legal requirements for tax-relevant data.

‍

IV. Data Processed During Use

We can only provide you with the benefits of our app if certain data required for app operation is processed by us during use.

‍

1. Data Processing Through the App Itself

aa) Type of Data Processing

In order for our app to function properly, your access to the following data or functions is required:

- Automation
- Bluetooth
- Operating aids
- Focus
- Control center and menu bar
- Display
- Volume control
- Lock screen

In addition, access to the following data or functions is based on your consent:

- Installing a browser extension for Chrome, Safari, Firefox and other web browsers
- Installing Apple Shortcuts
- Media and Apple Music
- calendar
- Full disk access
- Files and folders

You can activate or deactivate access to these data or functions at any time.

bb) Legal Basis of the Data Processing

The legal basis for this is Art. 6 para. 1 p. 1 lit. b GDPR as far as the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If this processing is based on your consent the legal basis is Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. The revocation can be made via the specified contact options. Your data will be processed as long as a corresponding consent exists. By declaring the revocation, the lawfulness of the processing carried out so far is not affected.

cc) Storage Period

Your personal data will be stored as long as the contract is valid. After termination of the contract, the data will be deleted after 6 months at the latest, unless legal regulations stipulate a longer retention period.

‍

2. AWS Amazon Web Services

We use the following AWS Amazon Web Service to host the app, as Codebase of the app, and to distribute the app

- Amazon EKS
- Elastic Load Balancing
- Amazon Simple Queue Service
- Amazon EC2
- Amazon RDS for MySQL
- Amazon CloudWatch
- Amazon Elastic Container Registry
- Amazon Simple Email Service

aa) Type of Data Processing

We process the following data:

Demographic Data

- Name
- questionnaire analysis
- Email address

Marketing-related Data

- UTM Parameter

Payment-related Data

- IP Address & location
- Subscribed/Purchased Product
- Date of purchase

Product Data

- Behavioral data on usage of the product
- Blocked URLs
- Name of Modes
- To be opened URLs
- Blocked Application
- To be opened Application
- Start & End Time Activated Mode on Device
- Device & System Information

bb) Legal Basis of the Data Processing

cc) Storage Period

Your personal data will be stored as long as the contract is valid. After termination of the contract, the data will be deleted after 12 months at the latest, unless legal regulations stipulate a longer retention period.

‍

3. Google Analytics, Google Tag Manager

Regarding Google Analytics and Google Tag Manager, please refer to above.

C. Information on the Rights of Data Subjects

You have the right

- to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may request information about the purposes of processing, the categories of personal data processed, as well as the categories of recipients to whom your data have been or will be disclosed. The full scope of your right to information can be found in Art. 15. GDPR.

- In accordance with Art. 16 GDPR, to demand the immediate correction of inaccurate or incomplete personal data stored by us.

- In accordance with Art. 17 GDPR, to request the deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims.

- In accordance with Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its deletion and we no longer need the data, but you require it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR.

- In accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller.

- In accordance with Art. 7 (3) GDPR, to revoke your consent given to us at any time. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation.

- object to the processing of your personal data in accordance with Art. 21 GDPR, provided that your personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) p. 1 lit. f GDPR and insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.

- In accordance with Art. 77 GDPR, to complain to a supervisory authority. The competent supervisory authority is:

Der Landesbeauftragte für den Datenschutz und Informationsfreiheit

‍

K. Inferences drawn from other personal information.

Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Collected? YES

‍

L. Medical Data

Medical history and health information you provide us, including health conditions, healthcare providers visited, reasons for visit, dates of visit, booking and appointment data (including appointment date/time, provider information, appointment procedure, whether or not user is a new patient for a particular provider).

Collected? NO

‍

M. Other Identifying Information That You Voluntarily Chose to Provide

Personal Data in emails, letters or online forms that you send or submit to us.

Collected? YES

‍

Personal information does not include:

‍

Publicly available information from government records.
De-identified or aggregated consumer information.
Information excluded from the CCPA's scope, like:

health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

‍

We obtain the categories of personal information listed above from the following categories of sources:

‍

Directly from our clients or their agents. For example, from information that our clients provide to us related to the services for which they engage us.
Indirectly from our clients or their agents. For example, through information we collect from our clients in the course of providing services to them.
Directly and indirectly from activity on our website (kono.lamy.com; lamykono.com). For example, from submissions through our website portal or website usage details collected automatically.
From third-parties that interact with us in connection with the services we perform.

‍

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

‍

To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal information in order for us to provide you with a selection of healthcare providers relevant to the criteria you input, we will use that information to prepare and submit to you a selection of such healthcare providers.
To provide you with information, products or services that you request from us.
To provide you with email alerts and other notices concerning our products or services, or events or news, that may be of interest to you.
To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
To improve our website and present its contents to you.
For testing, research, analysis and development of service offerings.
As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your personal information or as otherwise set forth in the CCPA.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

‍

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

‍

Sharing Personal Information

‍

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

‍

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category C: Protected classification characteristics under California or federal law.

Category F: Internet or other similar network activity.

Category G: Geolocation Data.

Category I: Professional or employment-related information.

Category L: Medical Data.

Category M: Other Identifying Information That You Voluntarily Chose to Provide.

‍

We disclose your personal information for a business purpose to the following categories of third parties:

Our affiliates.
Service providers.
Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.

In the preceding twelve (12) months, we have not sold any personal information.

‍

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

‍

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

sales, identifying the personal information categories that each category of recipient purchased; and
disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

‍

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

‍

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
Debug products to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.
Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

‍

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by email sent to team@lamykono.com.

‍

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

‍

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

‍

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

‍

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

‍

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

‍

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

‍

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.

‍

Contact Information

If you have any questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

‍

Phone: +1 (646) 998-4244

Email: team@lamykono.com

Postal Address: Lamy Inc., 452 W Broadway, New York, New York, 10012

‍

Privacy Policy

‍A. Information About the Responsible Persons

I. Name and Contact Details of the Responsible Persons

II. Name and Contact Detail of the Data Security Officer

B. Information on the Scope and Purpose of the Processing of Personal Data

I. Distribution of the kōno App

1. Server Log Files

2. Cookies

‍a) Technically Necessary Cookies

b) Functional Cookies

c) Analysis Cookies

3. Marketing Cookies

a) Use of Google Analytics

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

b) Use of Google Ads Conversion Tracking

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

c) Google Tag Manager

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

d) FullStory

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

e) Meta Ads

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

f) LinkedIn Ads

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

g) Twitter Ads

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

h) Make

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

i) Typeform

aa) Type of Data Processing

bb) Legal Basis of Data Processing

cc) Storage Period

II. SendinBlue, Newsletterservice

III. Data Processed During the Purchase of the App

1. App Store and Other App Providers

2. Payment Service Provider

IV. Data Processed During Use

1. Data Processing Through the App Itself

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

2. AWS Amazon Web Services

aa) Type of Data Processing

bb) Legal Basis of the Data Processing

cc) Storage Period

3. Google Analytics, Google Tag Manager

C. Information on the Rights of Data Subjects

Annex

‍PRIVACY NOTICE FOR U.S. RESIDENTS

NOTICE CONCERNING CALIFORNIA CONSUMER PRIVACY ACT

A. Identifiers.

Collected? YES

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

Collected? YES

C. Protected classification characteristics under California or federal law.

Collected? NO

D. Commercial information.

Collected? YES

E. Biometric information.

Collected? YES

F. Internet or other similar network activity.

Collected? YES

G. Geolocation data.

Collected? YES

‍
A. Information About the Responsible Persons