1. Data Controller
The entity responsible for processing your personal data (the 'data controller') is: MyLifeSoul GmbH, Musterstraße 12, 10115 Berlin, Germany. Commercial Register: Amtsgericht Berlin-Charlottenburg, HRB 234567 B. Managing Director: Elena Hoffmann. Privacy contact: privacy@mylifesoul.com. For all data protection questions, requests, or complaints, please contact our privacy team at the email address above. We will respond within 30 days.
2. Categories of Personal Data We Collect
We collect the following categories of personal data: IDENTITY & CONTACT DATA — your email address, provided voluntarily to receive your personalized portrait. DEMOGRAPHIC DATA — date of birth, gender, and relationship status, collected via our questionnaire and used solely for creating your reading. PREFERENCE DATA — your answers to questions about personality traits and qualities you seek in a partner, used for sketch personalization. PAYMENT DATA — billing details processed by Stripe Inc. on our behalf; we never see, store, or have access to your full card number. USAGE & TECHNICAL DATA — IP address, browser type, operating system, pages visited, time on site, and clickstream data, collected automatically via cookies and server logs. ANALYTICS DATA — anonymized behavioral data collected via PostHog analytics to understand how visitors interact with our pages and improve the experience.
3. Special Category (Sensitive) Data
Our questionnaire may collect data that could be considered sensitive under Art. 9 GDPR, such as information about your relationship status or emotional state. We collect this information solely to provide a personalized entertainment service. By submitting the questionnaire, you provide explicit consent for us to process this information for the stated purpose only. You may withdraw consent at any time by contacting privacy@mylifesoul.com, and we will delete the relevant data within 30 days.
4. Legal Basis for Processing
We process your personal data on the following legal grounds under Article 6 GDPR: CONTRACT PERFORMANCE (Art. 6(1)(b)) — processing your order data (email, questionnaire answers) to fulfil the service contract and deliver your soulmate sketch within 24 hours. LEGAL OBLIGATION (Art. 6(1)(c)) — retaining financial records for 10 years as required by §§ 238, 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code). LEGITIMATE INTERESTS (Art. 6(1)(f)) — detecting and preventing fraud, securing our systems, analyzing aggregate website usage, and improving our services. Our legitimate interests are balanced against your rights and do not override your fundamental data protection rights. CONSENT (Art. 6(1)(a)) — for optional marketing emails, use of non-essential analytics cookies, and processing of any sensitive questionnaire data. You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Purposes of Processing
We use your personal data for the following specific purposes: (1) Service Delivery — generating and emailing your personalized soulmate portrait within 24 hours of order. (2) Payment Processing — verifying and completing your payment securely via Stripe. (3) Customer Support — responding to questions, refund requests, and complaints via email. (4) Order History — maintaining your order records so you can access previous purchases via our dashboard. (5) Fraud & Security — detecting abuse, preventing unauthorized access, and protecting the integrity of our systems. (6) Analytics & Improvement — understanding visitor behavior in aggregate (e.g., conversion rates, page performance) to improve the user experience. No data is used for automated individual decision-making or profiling with legal or significant effects.
6. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data. We share data only with the following trusted service providers, each bound by a Data Processing Agreement (DPA) under Art. 28 GDPR: STRIPE INC. (USA) — payment processing. Data transferred under EU Standard Contractual Clauses (SCCs). Privacy policy: stripe.com/privacy. SENDGRID / TWILIO (USA) — transactional email delivery (order confirmation, sketch delivery). Data transferred under SCCs. VERCEL INC. (USA) — website hosting infrastructure deployed in the EU region where possible. POSTHOG INC. (USA/EU) — product analytics. We use PostHog in a privacy-first mode with IP anonymization enabled and no cross-site tracking. Data may be processed on EU-based servers. MONGODB ATLAS (EU) — encrypted database storage for order records. CLOUDINARY (USA/EU) — image hosting for generated portraits, processed under SCCs. We do not share your data with advertisers, data brokers, or any third parties for marketing purposes.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. Where we transfer personal data to countries without an adequate level of data protection (as determined by the European Commission), we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR; supplementary technical measures such as encryption at rest and in transit; and data minimization to limit what is transferred. For details of the safeguards applicable to each transfer, please contact privacy@mylifesoul.com.
8. Data Retention Schedule
We retain personal data only as long as necessary for its original purpose or as required by law: EMAIL ADDRESS (order customers) — 10 years from last transaction (§ 257 HGB). EMAIL ADDRESS (marketing consent only) — until you unsubscribe or withdraw consent. QUESTIONNAIRE ANSWERS & SKETCH DATA — 3 years from order date, then permanently deleted. PAYMENT RECORDS — 10 years (§ 257 HGB, § 147 AO). SERVER & ACCESS LOGS — 30 days, then automatically purged. ANALYTICS DATA — 12 months, then anonymized and aggregated. SUPPORT CORRESPONDENCE — 3 years from ticket closure. After retention periods expire, data is securely and permanently deleted or anonymized so that it can no longer be attributed to any individual.
9. Cookies and Tracking Technologies
We use the following categories of cookies: STRICTLY NECESSARY COOKIES — essential for the website to function (session management, security tokens). These cannot be disabled without affecting site functionality. ANALYTICS COOKIES — we use PostHog to collect anonymized data about how visitors use our site (pages visited, time spent, click patterns). IP addresses are anonymized before storage. These cookies are only activated with your consent. PREFERENCE COOKIES — remember your language preference (e.g., English or German). You can manage cookie preferences at any time via our cookie settings banner or by deleting cookies in your browser settings. Blocking certain cookies may affect site functionality. We do not use advertising or retargeting cookies.
10. Data Security Measures
We apply a comprehensive set of technical and organizational security measures (TOMs) to protect your data: ENCRYPTION — all data in transit is protected by TLS 1.2+ (HTTPS). Database storage uses AES-256 encryption at rest. ACCESS CONTROL — access to personal data is restricted to authorized employees on a need-to-know basis. All staff receive data protection training. INFRASTRUCTURE — our servers are hosted in ISO 27001-certified data centres. We apply regular security patches and vulnerability assessments. INCIDENT RESPONSE — in the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and inform affected individuals without undue delay where required (Art. 34 GDPR). Despite our efforts, no internet-based service can guarantee 100% security. If you suspect any unauthorized use of your data, please contact privacy@mylifesoul.com immediately.
11. Your Rights Under GDPR
As a data subject residing in the EEA, you have the following rights, which you can exercise free of charge by emailing privacy@mylifesoul.com: RIGHT OF ACCESS (Art. 15) — receive a copy of the personal data we hold about you, along with information about how it is used. RIGHT TO RECTIFICATION (Art. 16) — have inaccurate or incomplete data corrected without undue delay. RIGHT TO ERASURE / 'RIGHT TO BE FORGOTTEN' (Art. 17) — request deletion of your data where it is no longer necessary, consent has been withdrawn, or we have no overriding legitimate grounds. RIGHT TO RESTRICTION (Art. 18) — request that we suspend processing of your data while a dispute is being resolved. RIGHT TO DATA PORTABILITY (Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV) and transfer it to another provider. RIGHT TO OBJECT (Art. 21) — object to processing based on legitimate interests or direct marketing at any time. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. RIGHT TO WITHDRAW CONSENT (Art. 7(3)) — withdraw any consent given at any time, without affecting the lawfulness of processing prior to withdrawal. RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Art. 22) — we do not use fully automated decision-making that produces legal or similarly significant effects. We will respond to all requests within 30 days. We may ask for identity verification before processing your request.
12. Children's Privacy
Our services are not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided personal data through our website, please contact privacy@mylifesoul.com and we will delete the information promptly. Users between 16 and 18 years of age should obtain parental consent before using paid services.
13. Right to Lodge a Complaint
If you believe we have processed your data unlawfully or have not responded adequately to a privacy request, you have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority (Federführende Aufsichtsbehörde) is: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Friedrichstr. 219, 10969 Berlin, Germany. Website: datenschutz-berlin.de. Email: mailbox@datenschutz-berlin.de. You may also contact the supervisory authority of your country of residence or place of work within the EEA.
14. Changes to This Privacy Policy
We review and update this Privacy Policy periodically to reflect changes in our services, legal requirements, or industry best practices. When we make material changes, we will: post the revised policy on this page with an updated 'Last updated' date; display a prominent notice on our website for at least 30 days; and send an email notification to registered users where the changes significantly affect how we process their data. We encourage you to review this policy periodically. Your continued use of our services after changes take effect constitutes acceptance of the updated policy. The version history of this policy is available on request.
Questions about privacy? Email us at privacy@mylifesoul.com