Privacy Policy

The protection of your privacy is very important to us. Below, we provide detailed information on how we handle your personal data, which is always carried out in compliance with data protection regulations. Personal data refers to information relating to the factual or personal circumstances of an identified or identifiable natural person.

The data controller responsible for the collection, processing and use of your personal data is Biogena GmbH & Co KG (hereinafter: Biogena). As the data controller, Biogena can be contacted using the details below:

Biogena GmbH & Co KG, Strubergasse 24

5020 Salzburg

Infoline: +43 662 23 11 11

Fax: +43 662 23 11 11-5590

Email: [email protected]

The data protection officer for the Biogena Group is VACE Systemtechnik GmbH, Linzer Straße 16e, A-4221 Steyregg, who can be contacted at [email protected].

You may at any time request information regarding the data we process about you, as well as exercise your right to rectification, erasure, restriction of processing of your data, or your right to data portability. Should you wish to object to the collection, processing or use of your data by Biogena in accordance with the statutory provisions, you may direct your objection to the contact details provided above.

Consent once given may be withdrawn at any time. You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data is unlawful. You may exercise this right with a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement.

2.1.1 Server log data

When you visit our website, log data is automatically recorded and temporarily stored; however, this data does not allow us to identify you personally. This data includes, for example, browser type and version, referrer URL, truncated IP address, provider name and operating system used. All log data is analysed anonymously by us or by a service provider commissioned by us exclusively for statistical purposes, to improve our offering, to facilitate troubleshooting, and to defend against attacks on our online shop.

We use Microsoft Azure, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter: Microsoft Azure), to host the website and the online shop (see section 2.2). Data processing takes place in data centres within the European Union.

2.1.2 Cloudflare

We use Cloudflare, a service provided by Cloudflare, Inc., 6th Floor, Riverside Building, County Hall, Westminster Bridge Road, London SE1 7PB, United Kingdom (hereinafter: Cloudflare), for the security, optimisation and delivery of data traffic on the website and in the online shop.

In this process, all data traffic between your browser and the website or the online shop is routed via Cloudflare’s servers, filtered and analysed to ward off attacks (in particular DDoS attacks), bots and other misuse, and to ensure performance and availability. The legal basis for the processing is our legitimate interest in the secure, stable and high-performance operation of the website and the online shop in accordance with Article 6(1)(f) of the GDPR. A transfer to third countries outside the EEA (in particular to the USA and the United Kingdom) cannot be ruled out. Transfers to the USA and the United Kingdom are carried out on the basis of the respective adequacy decision:

• Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32023D1795

• Commission Implementing Decision (EU) 2025/ 1226 of 24 June 2025 amending Implementing Decision (EU) 2021/1772 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the protection of personal data by the United Kingdom: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=OJ:L_202501226&qid=1779433958760

We use Scayle, a service provided by ABOUT YOU SE & Co. KG, Domstraße 10, 20095 Hamburg, Germany (hereinafter: Scayle). Scayle provides the e-commerce system and hosts our online shop. This involves the transfer of personal data to third countries, specifically the USA, the United Kingdom (UK) and Switzerland, on the basis of the respective adequacy decisions:

- Implementing Decision (EU) 2023/ 1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/? uri=CELEX:32023D1795

- Commission Implementing Decision (EU) 2025/1226 of 24 June 2025 amending Implementing Decision (EU) 2021/1772 pursuant to Regulation

(EU) 2016/679 of the European Parliament and of the Council on the adequacy of the protection of personal data by the United Kingdom: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=OJ:L_202501226&qid=1779433958760

- Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection of personal data in Switzerland: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32000D0518

2.2.1 Online registration in the webshop

Purchases in our webshop and the use of our product wishlist are possible following online registration in our Biogena Club (for consumers) or our partner area (for doctors and therapists).

Your personal details and email address will be processed for registration purposes. Your online access is password-protected. Here you can view details of your completed, pending and recently dispatched orders, and manage your accumulated loyalty points, your personal data and any newsletter subscriptions.

This information is stored until your online access is deleted. Data processing is carried out for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR. Where statutory retention obligations under the Federal Tax Code apply, any further data processing will continue until the expiry of the seven-year retention period. This is done to fulfil this legal obligation incumbent upon us in accordance with Article 6(1)(c) of the GDPR. The provision of the data is strictly necessary for the conclusion and performance of the contract.

We engage a data processor to manage online access.

2.2.2 Order processing

Online ordering is only possible after online registration and logging in to the website. Your email address is processed for the purpose of logging in. We process the data provided during the online to process your purchase and dispatch your order. We require your email address so that we can confirm receipt of your order. You will also receive your order and dispatch confirmation via your email address. We also require your email address and telephone number so that we can contact you in the event of queries regarding your order or delivery issues.

If points are collected or redeemed during the online ordering process, the points are linked to your personal details and purchase data. This enables us to track members’ individual transactions and to manage the loyalty points earned or redeemed correctly. This data is stored by the operator for a maximum of five years whilst your membership is active and processed for a further twelve months after termination.

Data processing is carried out for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR. Your online orders are stored until your online account is deleted.

Where statutory retention obligations under the Federal Tax Code apply, data processing beyond this period shall continue until the expiry of the seven-year retention period. This is carried out to fulfil this legal obligation incumbent upon us in accordance with Article 6(1)(c) of the GDPR. The provision of the data is strictly necessary for the conclusion and performance of the contract.

We use the data processor Auth0 for the standardised web login in the participating stores. In this context, the web login involves the transfer of personal data to the United States of America. Auth0 is certified under the EU-US Data Privacy Framework.

2.2.2.1 Payment services

Credit card payments are processed via Adyen N.V., Simon Carmiggeltstraat 6, 1011 DJ Amsterdam, Netherlands (hereinafter: Adyen). Biogena neither gains access to your credit card details nor does it store them. Your details are entered on an Adyen website secured with TLS. Adyen does not act as a data processor for Biogena but processes the payment data in connection with the payment service under its own independent responsibility under data protection law.

Alternatively, you may also use the payment service provider PayPal (Europe) S.à r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg (PayPal). In this case, payments are processed via your PayPal account or by credit card. If you select this option during the ordering process, the data required for payment processing, including first name, surname, address, email address, IP address and telephone number, will be transmitted to PayPal. The personal data exchanged between PayPal and us may be passed on by PayPal to credit reference agencies. The purpose of this transfer is to verify identity and creditworthiness. PayPal is not a data processor for Biogena but processes personal data in connection with the payment service and any identity and creditworthiness checks carried out by a credit reference agency under its own data protection responsibility.

The transfer of data to both Adyen and PayPal is for the purpose of payment processing. The transfer is carried out for the performance of a contract in accordance with Article 6(1)(b) of the GDPR.

2.2.2.2 Customer survey – we value your feedback

Following your order of Biogena products, you will receive an invitation to a voluntary customer survey four weeks after purchase; you may opt out of this at any time with future effect. The data obtained from this is analysed anonymously and provides important feedback to help us tailor our products even more closely to the needs of our consumers and to support our scientific team.

2.2.3 Appointment booking

Data processing is carried out for the purpose of booking, managing and processing appointments in accordance with Article 6(1)(b) of the GDPR. In particular, your name, contact details, preferred appointment time and, where applicable, any further information required for the processing of the appointment will be processed.

For appointment booking as part of our biohacking service, we use eTermin GmbH, Mättivor 3, 6430 Schwyz, Switzerland (eTermin). The transfer to eTermin is based on the Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection of personal data in Switzerland (https://eur-lex.europa.eu/legal-content/DE/ TXT/HTML/?uri=CELEX:32000D0518). For appointment booking within the scope of Biohacking Medical Services, mobimed Software GmbH, Schottenfeldgasse 60/31, 1070 Vienna, Austria (Mobimed) is used.

2.2.4 Video consultations and appointments

Agora Lab, Inc., 2804 Mission College Boulevard, Suite 110, Santa Clara, CA 95054, USA (Agora) is used. In particular, audio and video streams, IP addresses, device and connection data, and timestamps are processed. The transfer to the USA is carried out on the basis of Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield (https:// eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023D1795).

For the technical provision of the video consultation service, we engage arztkonsultation ak GmbH, Schusterstraße 3, 19055 Schwerin, Germany (Arztkonsultation). Audio and video streams, IP addresses, device and connection data, and timestamps are processed. No personal data is transferred to third countries.

If you send us an enquiry via the contact form, the personal data you provide will be processed by Biogena exclusively for the purpose of dealing with your enquiry and – if necessary to answer your enquiry – forwarded to the relevant company within the Biogena Group.

As enquiries via contact forms can vary widely, we require at least the information from you that is defined as mandatory fields in the contact form.

To process customer enquiries and customer service cases, we use the ticketing and helpdesk system provided by Zendesk International Limited, 55 Charlemont Place, Saint Kevin’s, Dublin, D02 F985, Ireland (Zendesk). For the operation of Zendesk, personal data is transferred to the USA on the basis of Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield (https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32023D1795).

2.4.1 Cookies

To make the website user-friendly (web analytics) and to enable the use of certain features, such as our online shop or the product wishlist, we use cookies and similar technologies in some areas.

Cookies are small files that are stored locally on your device and which store certain settings and data for exchange with our system via your browser. Most of the cookies we use are session cookies and are deleted from your hard drive once you close your browser. The persistent cookies we use remain stored on your hard drive for 30 days and are then deleted. On a subsequent visit, this automatically recognises that you have previously visited our site and which entries and settings you prefer.

By using our website, you confirm that you expressly wish to use our web service and, insofar as cookies are accepted according to your browser settings, that you consent to the use of these cookies. Most browsers are set by default to accept all cookies. However, you have the option to configure your browser so that cookies are displayed before they are stored, only certain cookies are accepted or rejected, or cookies are generally rejected or deleted.

Please note that changes to settings only affect the respective browser. If you use different browsers or switch devices, the settings must be reconfigured. Furthermore, you can delete cookies from your storage device at any time. For information on cookie settings, how to change them and how to delete cookies, please refer to your web browser’s help function.

You also have the option to disable cookies in the Cookie Policy on our website.

2.4.2 Klar

We use the Klar service provided by Klar Insights GmbH, Marktstr. 18, 80802 Munich, Germany (Klar) on our website. Through this, we collect data for reach measurement and statistical analysis, provided you have given your consent in accordance with Section 165(3) of the Telecommunications Act 2021 in conjunction with Article 6(1)(a) of the GDPR.

2.4.3 Google Analytics, Google AdWords and Google Tag Manager

On our website, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or its parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). The service is used for web analytics, performance measurement, conversion tracking and the collection of statistical data, and falls under the category of statistics. In particular, your IP address, details of your website visit and other user data are processed; this affects users of our website. JavaScript calls and cookies are used for this purpose. The legal basis for the processing is your consent in accordance with Section 165(3) of the Telecommunications Act 2021 in conjunction with Article 6(1)(a) of the GDPR. Personal data is transferred to the USA; for which there is Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield (https://eur-lex. europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023D1795).

To manage the tags used on the website, we also use Google Tag Manager, a service provided by Google. Tag Manager itself is a cookie-free domain and serves solely to manage other services integrated into our online offering. However, when you visit the website, your browser establishes a connection to Google’s servers, which are predominantly located in the USA, thereby enabling Google to ascertain that our website has been accessed via your IP address. JavaScript calls are used for this purpose. The legal basis is your consent in accordance with Section 165(3) of the Telecommunications Act 2021 in conjunction with Article 6(1)(a) of the GDPR. Personal data is transferred to the USA; for which there is Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Privacy Shield (https://eur-lex. europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023D1795).

2.4.4 Leadinfo

We use the lead generation service provided by Leadinfo B.V., Rotterdam, Netherlands (Leadinfo). This service identifies visits by businesses to our website using IP addresses and displays publicly available information to us, such as company names or addresses. In addition, Leadinfo sets two first-party cookies to analyse user behaviour on our website and processes domains from form submissions to correlate IP addresses with businesses and improve the services.

On this page: https://www.leadinfo.com/en/legal/opt-out/ you have the option to opt out. If you opt out, your data will no longer be collected by Leadinfo.

2.4.5 Digital analytics tools

With your consent, our website uses the analytics tool Hotjar. This allows us to track user actions on our website after they have accepted via the cookie banner. This enables us to continuously improve and develop our customer journey.

The data collected remains anonymous. This means that we cannot view the personal data of individual users. However, the collected data is stored and processed by Hotjar. We will keep you informed on this matter in accordance with our current information.

Only users aged 16 or over may give their consent. If you are under 16, please contact your parent or guardian.

For information on how to disable cookies on our website, see section 2.4.1. Hotjar itself stores users’ IP addresses in an anonymised form. To do this, it collects only the first 3 octets of the IP address to determine the visitor’s country. Hotjar does not store the remaining characters. All data is processed on servers in Ireland.

2.4.6 Facebook Pixel / Remarketing / Retargeting

With your consent, our website uses the conversion tracking pixel service provided by Facebook, Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (Facebook). This allows us to track users’ actions after they have been redirected to a provider’s website by clicking on a Facebook advertisement. This enables us to record the effectiveness of Facebook advertisements for statistical and market research purposes.

The data collected remains anonymous. This means that we cannot view the personal data of individual users. However, the collected data is stored and processed by Facebook. We are informing you of this matter in accordance with our current information. Facebook may link the data to your Facebook account and use the data for its own advertising purposes, in accordance with the Facebook Data Policy https://www.facebook.com/privacy/policy/. Facebook Conversion Tracking also allows Facebook and its partners to show you adverts both on and off Facebook. In addition, a cookie is stored on your computer for these purposes.

Only users aged 16 or over may give their consent. If you are under 16, please contact your parent or guardian.

Please click here to withdraw your consent or edit your privacy settings on Facebook: https://www.facebook.com/settings/.

Remarketing tags from the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, are also integrated into our website. When you visit our pages, the remarketing tags establish a direct connection between your browser and the Facebook server. Facebook thereby receives the information that you have visited our site using your IP address. This enables Facebook to associate your visit to our pages with your user account. We may use the information obtained in this way to display Facebook Ads. Please note that, as the provider of the website, we have no knowledge of the content of the data transmitted or how it is used by Facebook. Further information on this can be found in Facebook’s privacy policy at https://www.facebook.com/privacy/policy/.

Please click here to withdraw your consent or to edit your privacy settings on Facebook: https://www.facebook.com/settings/.

For information on how to disable cookies on our website, see section 4.

2.4.7 Social media plugins

Our website uses social plugins (plugins) from the social network facebook.com, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). The plugins are marked with a Facebook logo or the label “Facebook Social Plugin”. When you visit a page on our website that contains such a plugin, your browser establishes a direct connection to Facebook’s servers. The content of the plugin is transmitted directly from Facebook to your browser and integrated into the website by your browser.

By integrating the plugins, Facebook receives the information that you have accessed the relevant page of our website. If you are logged into Facebook, Facebook can associate the visit with your Facebook account. If you interact with the plugins, for example by clicking the “Like” button or posting a comment, the relevant information is transmitted directly from your browser to Facebook and stored there.

For the purpose and scope of data collection, as well as the further processing and use of the data by Facebook, and your rights in this regard and settings options for protecting your privacy, please refer to Facebook’s privacy policy https://www.facebook.com/privacy/policy/.

If you do not want Facebook to collect data about you via our website, you must log out of Facebook before visiting our website.

2.4.8 Linkster Influencer Tracking Software

We use the tracking technology of Linkster GmbH, Colonnaden 5, 20354 Hamburg, on this site to measure and visualise insights into partnerships and advertising channels. This is a function for measuring the effectiveness of the relevant advertising measures. Furthermore, the information enables us to attribute advertising success to billing with the relevant advertising partners. When you click on an advertising integration, cookies are set in your browser, which are read out in the event of a transaction. At each touchpoint, your browser sends an HTTP request to the Linkster server, transmitting certain information. This information includes the URL of the website on which the advertising material is placed (referrer URL), the browser identifier (user agent) of your device (including information about the device type and operating system), the IP address of the device (this IP address is anonymised and hashed by us before storage), HTTP headers (a data packet automatically transmitted by your browser containing various technical details), the time of the request and, if previously stored on the device, the cookie and its contents.

A cookie is a small data packet exchanged between your browser and the server. Information relevant to the web application can be stored and transmitted in this data packet, e.g. the contents of a virtual shopping basket.

The tracking technology stores cookies on your device to record actions. A 24-digit, anonymous ID is stored in the cookie. The data linked to this ID is stored in encrypted form in our database on the server.

This includes information about the most recent touchpoints (i.e. when a specific advertisement was displayed or clicked on from a device). The stored touchpoints can, where applicable, be compiled into a sequence (user journey).

When a transaction request is made, the order number and the value of your shopping basket are usually also transmitted and stored by us. In addition, the following data may be transmitted and stored: your customer number, new customer status, your age and gender, as well as the information you provided in a customer survey.

The cookies stored by Linkster GmbH are deleted after 30 days at the latest. The information transmitted to us and the cookies serve exclusively the purpose of correctly attributing the success of an advertising medium and the corresponding billing, and are justified by our legitimate interests pursuant to Article 6(1)(f) of the GDPR.

If you do not wish cookies to be stored in your browser, you can prevent this by adjusting your browser settings accordingly. You can disable the storage of cookies in your browser under Tools/Internet Options, restrict it to specific websites, or set your browser to notify you as soon as a cookie is sent. Please note, however, that in this case you must expect a limited display of the online services and restricted user guidance. You can also delete cookies at any time. In this case, the information stored in them will be removed from your device.

The collection and processing of tracking data can also be disabled by clicking on this tracking opt-out link:

https://trck.linkster.co/privacy-optout.do Access to your data:

https://trck.linkster.co/privacy-mydata.do

You can see which specific cookies are used by our tracking technology in the following overview:

TRS: Unique, 24-digit identifier (ID) for tracking partnerships. This cookie is stored in the client browser and identifies database records containing the touchpoint data.

TRSCJ: Fallback cookie containing basic touchpoint data for tracking partnerships. This cookie contains all touchpoint data in encrypted form on the client browser.

trs_db_optout: When you click the tracking opt-out link, a special cookie is set, which deactivates tracking in the end device’s current web browser. However, tracking is reactivated as soon as you delete the tracking opt-out cookie

2.4.9 Use of MyFonts

The design of our website also uses external fonts provided by the company MyFonts Inc., 600 Unicorn Park Drive, Woburn, MA 01801, USA (hereinafter: MyFonts). These fonts are integrated via a server request to MyFonts. To deliver the font files to your browser, at least your IP address is transmitted to a MyFonts server when you visit our website. In addition, further information (e.g. name of the website visited, date and time of the request, type of web browser used) may be transmitted to MyFonts. To prevent the execution of JavaScript code from MyFonts, you can disable JavaScript in your browser or install a JavaScript blocker (e.g. https://www.noscript.net/ or https://www.ghostery.com/). Further information on data protection at MyFonts can be found at the following link: https://www.myfonts.com/de/a/font/legal/website-use-privacy-policy.

The security of your data is very important to us. All personal data we collect is transmitted via a secure SSL connection, ensuring it is protected against unauthorised access. In addition, we implement further technical and organisational security measures to prevent the loss, destruction or misuse of data. You should always treat your login details as confidential and close the browser window once you have finished communicating with us, particularly if you share a computer with others. The personal data and information you provide will be protected against unauthorised access by third parties with the utmost care. We will take all reasonable measures to ensure the security of personal data. However, the customer is advised that the World Wide Web is accessible worldwide and that misuse, in particular, cannot be ruled out; consequently, even with the utmost care, unauthorised access by third parties to such data and information cannot be entirely prevented.

Once you have registered online via our webshop, you will receive access to our ‘My Biogena Coach’ app (‘App’) via your registered email address or your club membership number.

The App allows you to view your club status via a digital club card and offers a chat function for digital advice from our coaches. Data processing is carried out for the purpose of providing the App in accordance with Article 6(1)(b) of the GDPR. Provision of the App is contractually required, as we would otherwise be unable to provide it to you. No automated decision-making, including profiling, takes place during use of the App. We use HEYRISE Group GmbH, based in Austria, to provide the App. Personal data may be transferred to the United States of America. All information in the App is stored until you have your account deleted by us.

In addition, you can conveniently make online purchases in our webshop via the chat function and conduct consultations via video calls. Our micronutrient consultants are available via chat and video chat to answer your individual questions about Biogena products and may view chat histories where necessary to deal with your enquiry. Processing is carried out for the purpose of providing the chat function for personal advice and support within the app in accordance with Article 6(1)(b) of the GDPR. The provision of this service is contractually required, meaning that we cannot otherwise provide the chat function and consultations. We use the following data processors to provide the chat function and video chat:

• Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Republic of Ireland.

In this context, personal data is transferred to the United States of America (European Commission Adequacy Decision), Australia (EU Standard Contractual Clauses), Brazil (EU Standard Contractual Clauses), Canada (European Commission Adequacy Decision), Israel (European Commission Adequacy Decision), Japan (European Commission adequacy decision), Mexico (EU Standard Contractual Clauses), Singapore (EU Standard Contractual Clauses), Switzerland (European Commission adequacy decision) and the United Kingdom (European Commission adequacy decision). You have the option of obtaining a copy of the agreed EU Standard Contractual Clauses.

• Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521. In this context, personal data may be transferred to the United States of America. This is based on the relevant adequacy decision of the European Commission.

Within the app, our coaches may also send you proactive messages and push notifications for the purpose of providing advice on Biogena products. Processing is based on your consent (Article 6(1)(a) of the GDPR) to receive messages and push notifications, which you may provide separately where applicable. You have the right to withdraw your consent at any time with future effect. The provision of such data is neither required by law nor contractually mandatory, nor is it necessary for the conclusion of the contract; however, we will be unable to send you Messages or Push Notifications if you do not provide the necessary data. All information in the app is stored until you have your account deleted by us.

Furthermore, we aggregate and anonymise personal data regarding app usage and use information from anonymised conversations to train data models and AI algorithms. Aggregation and anonymisation are carried out to safeguard our legitimate interest (Art. 6(1)(f) GDPR) in improving and further developing the app and our services.

Finally, for the performance analysis and optimisation of the app, we use the developer platform “Google Firebase” with “Google Analytics for Firebase” (user flow optimisation) and “Firebase Crashlytics” (error tracking).

• This enables us, with the help of “Google Analytics for Firebase”, to analyse our users’ interactions within the app. In doing so, so-called “events” are recorded. Accordingly, information is also disclosed to this platform, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

• ‘Firebase Crashlytics’ and the personal data processed via ‘Google Firebase’ may be used in conjunction with other Google services, such as Google Analytics and Google marketing services. In this case, device-related information, such as the ‘Android Advertising ID’ and the ‘Advertising Identifier for iOS’, is also processed to identify mobile devices.

In this context, personal data may be transferred to the United States of America. This is based on the relevant adequacy decision of the European Commission.

Processing is carried out on the basis of your consent (Article 6(1)(a) of the GDPR or Section 165(3) of the TKG 2021), which we may obtain separately where necessary. The provision of such data is neither required by law nor contractually, nor is it necessary for the conclusion of a contract. The personal data processed in this context is stored for two months.

When you confirm your newsletter subscription, we will process your name and email address in order to send you the newsletter containing direct marketing and personalised advertising relating to products, events and services offered by Biogena (Biogena GmbH & Co KG, Nolimits Digital Business GmbH, Biogena Diagnostics Österreich GmbH, Biogena Diagnostics Deutschland GmbH). Personalised advertising refers to advertising tailored to you and your interests. We use existing information for this purpose, such as the region where you live; your registration date; and details of which customer group you belong to (consumer or doctor/therapist), in order to send you only advertising for products that might actually be of interest to you.

Contact will be made once consent has been given (Section 174(3) of the Telecommunications Act 2021). You may withdraw this consent at any time. To subscribe to the newsletter, we use the so-called double opt-in procedure, i.e. we will only send you a newsletter by email once you have expressly confirmed to us that we should activate the newsletter service. We will then send you a confirmation email and ask you to confirm that you wish to receive our newsletter by clicking on a link contained in this email. In this context, data will be processed for the duration of your consent or until you withdraw it. The provision of your data is necessary for the dispatch of the newsletter. If you do not provide the data, we will not be able to send you the newsletter.

Should you no longer wish to receive newsletters from us at a later date, you may opt out at any time free of charge. A written notification to the contact details specified in section 1 (e.g. email, fax, letter) is sufficient for this purpose. Naturally, you will also find an unsubscribe link in every newsletter.

We use data processors for data processing in connection with the newsletter. In this context, personal data is transferred to the United States of America, for which valid certification under the EU-US Data Privacy Framework is in place.

We use the Microsoft Dynamics 365 customer relationship management system provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (Microsoft) to manage our newsletter subscribers and other existing and potential customers. In this context, personal data is transferred to the USA; this is based on Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequacy of the level of protection of personal data under the EU-US Data Privacy Framework (https://eur-lex. europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023D1795)

Health data is processed in connection with order processing both during and after the activation of the test kit with Biogena. Specifically, the test ID of the activated test kit and your answers to the introductory questions are linked to your Biogena Club account. Furthermore, as part of the subsequent processing, we process the processing status of your sample. However, Biogena does not have access to the result of the Wellbeing Check.

The processing of this health data is based on the explicit consent you gave when activating the test kit. You have the right to withdraw this consent at any time (e.g. by emailing [email protected]), although the withdrawal only applies prospectively and Biogena will not be able to continue processing the order upon withdrawal. The provision of the data is necessary for the processing of the order. You are obliged to provide the data. Otherwise, you will not be able to use the BIOGENA Wellbeing Check. In any case, your health data will be processed for the duration of the order processing. Please also note, with regard to your transaction for the purchase of the test kit, the information on retention periods for online registration in our webshop in section 2.2.1 and on the purchase process in section 2.2.2 of this Privacy Policy. Please also note the information on the data processors used in section 2.2 of the Privacy Policy.

Please note that our online shop uses etracker to process data relating to vouchers. You may object to the data processing described above at any time. Objecting will not result in any adverse consequences.

Competitions are organised by Biogena GmbH & Co KG, Strubergasse 24, 5020 Salzburg (Biogena). Entry to competitions is permitted solely in accordance with the terms and conditions set out here. By entering, the participant expressly accepts these terms and conditions:

1. Competitions are not affiliated with Meta and are in no way sponsored, endorsed or organised by Meta. The recipient of the information provided by the participant is not Meta, but Biogena as the operator of the Biogena GmbH & Co KG Facebook page or Instagram page and organiser of the competition. The information provided will be used solely for the purposes of the competition.

2. Please refer to the relevant competition medium (post, newsletter, poster) for the start and end dates (competition period) of the competition.

3. The prizes defined in the competition medium are to be won; exchanges, cash redemption and legal recourse are excluded. Prizes are usually sent by post.

4. Voluntary participation in the competition takes place via a comment (image or text) on our Facebook post regarding a competition and/or a ‘Like’. Multiple comments from the same user will be counted as a single entry.

5. Eligible to enter are persons resident in Austria or Germany who are at least 18 years old at the time of entry and are Facebook fans of Biogena GmbH & Co KG. You can become a fan by clicking the ‘Like’ button on the Biogena GmbH & Co KG Facebook page. Employees, authorised representatives, legal successors and agents of Biogena GmbH & Co KG, agencies involved, and their relatives are not eligible to participate.

6. The prize draw will take place after the end of the competition period, behind closed doors and ensuring the principle of random selection. Participation in the prize draw requires a comment or a ‘Like’.

7. The winner will be notified via the Facebook comment function on the Facebook post or via Facebook Messenger. The winner must provide their contact and address details within 5 working days (from the date of notification of the win) via a private message to the Biogena GmbH & Co KG Facebook page or by email to [email protected]. Should the winner fail to confirm acceptance of the prize within this period, their claim to the prize shall lapse without replacement. A replacement winner will then be determined using the same procedure. There is no obligation to accept the prize.

8. Comments that violate Facebook guidelines, Austrian law, our netiquette and/or copyright will be removed without notice upon discovery. The participant will thereby be excluded from the prize draw.

9. The organiser reserves the right to cancel or terminate the competition at any time without prior notice and without giving reasons. Legal recourse is excluded.

10. Insofar as personal data of participants is collected in the context of the competition, this data will be collected, processed and used by the organiser solely for the purpose of conducting the competition and will be deleted upon its conclusion. The participant is solely responsible for the accuracy and completeness of the data submitted.

The foyer of Biogena’s head office at Strubergasse 24, 5020 Salzburg, as well as the entrance and sales areas of Biogena Stores, are under video surveillance for the purpose of protecting people and property from vandalism and criminal acts. The following companies are responsible for this:

• Biogena GmbH & Co KG, Strubergasse 24, 5020 Salzburg (Head Office)

• Biogena Stores Österreich GmbH, Strubergasse 24, 5020 Salzburg (Stores Austria)

• Biogena Stores Deutschland GmbH, Hauptstraße 41, 83395 Freilassing (Stores Germany)

The image data collected is stored for a period of 72 hours only. Image data will only be retained for longer than 72 hours if this is necessary for the pursuit of legal claims. Disclosure to other recipients is not permitted. The data is stored on a network hard drive. Access to the data is password-protected and is only granted when necessary.

The monitored areas are clearly signposted. Further information on video surveillance is available at the reception of our head office or at the checkout areas of our stores. For information on your data subject rights and the contact details of our Data Protection Officer, please refer to point 1.

This privacy policy may be amended from time to time. The amended version will then also be published here. You should therefore read through the privacy policy again when you next visit our website.

Date: 22 May 2026