Privacy Policy – 040 Level App

Last updated: June 2026 | Version: 1.2

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Mixcover GmbH Neumann-Reichardt-Str. 27-33 22041 Hamburg Germany

Email: shop@mixcover.de Telephone: +49 40 98241564

Managing Directors: Timo Plogstedt, Philip Bonmann Commercial Register: HRB 173050, Hamburg Local Court (Amtsgericht Hamburg) VAT ID No.: DE350528375

A data protection officer has not been appointed, as this is not legally required. For all data protection matters, please use the contact details listed above (see also Section 16).

2. General Information on Data Processing

As a matter of principle, we collect and use our users' personal data only insofar as this is necessary to provide a functional app as well as our content and services, or where you have consented to such processing. The collection and use of our users' personal data regularly takes place only after the user has given consent. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

The 040 Level App serves to level (to "align level") motorhomes, caravans, and campervans. For this purpose, the app connects via Bluetooth Low Energy (BLE) to a 040 Level sensor (KBeacon) or, alternatively—if you so choose—uses the motion sensors built into the smartphone (phone IMU). The actual measurement and sensor data (inclination angles, acceleration, temperature, battery) are, as a matter of principle, processed exclusively locally on your device and are not transmitted to us or to third parties.

Insofar as this Privacy Policy refers to a transfer to third countries (in particular the USA), such transfer takes place on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular the EU Standard Contractual Clauses (SCC). You may request a copy of these safeguards from the respective providers or from us.

3. Processing of Children's Data

This app is not directed at children under the age of 16. We do not knowingly collect personal data from children under the age of 16. The app does not use any technical age verification; the voluntary indication of an age group (see Section 7.4) is purely a convenience feature and does not constitute active protection of minors. If you have not yet reached the age of 16, please obtain the consent of your parents or legal guardians before granting the app any optional consents (analytics, location, advertising). Should we become aware that we have processed a child's personal data without valid consent, we will delete such data without undue delay.

4. Local Processing on Your Device (No Transmission)

The following data is stored or processed exclusively locally within the secured app environment of your device and, as a matter of principle, does not leave your device. No transmission to us or to third parties takes place in this respect; there is no third-country transfer.

4.1 Sensor and Measurement Data

When the 040 Level sensor is connected, the app processes in real time (several times per second):

• Signal strength (RSSI), estimated transmission power (TX power)
• Raw acceleration values (ax/ay/az in m/s²)
• Calculated inclination angles (pitch/roll)
• Battery voltage (mV) and battery level (%)
• Temperature (°C/°F)
• Status bits/sensor flags, device name, MAC address of the sensor

This data is not stored permanently; it is held in working memory and continuously overwritten by new measurement values.

Legal basis: Art. 6(1)(b) GDPR (performance of the usage contract for the app – core levelling function).

4.2 Device Detection & Connection Management (BLE Scan)

To locate and connect to sensors, the app processes: device ID (MAC), device name (e.g., "040_level_XXXXX", "KBPro_XXXXX"), RSSI history (ring buffer of the last 20 values), the timestamp of the last sighting, and, where applicable, an Eddystone URL. This information is held in a volatile cache that is deleted when the app is closed; devices that are no longer visible are automatically removed after a short period.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – BLE connectivity).

4.3 Sensor Configuration & Authentication (Provisioning)

To securely connect to and configure the KBeacon sensor, the app processes a device password (held in working memory only, never stored permanently, hard-compiled into the app), the MAC address for calculating authentication, GATT UUIDs, and a configuration version number. The password never leaves the app at any point and is used exclusively vis-à-vis the paired sensor. Only the configuration version number is stored locally, in order to detect whether an update is necessary.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – device provisioning); Art. 32 GDPR (data security).

4.4 Calibration Offsets

To correct for the sensor installation and orientation, the app stores calibration values (pitch/roll offset, fine correction, yaw offset)—both globally and per sensor profile.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – user-related settings data).

4.5 Phone IMU (Smartphone Motion Sensors)

If you do not wish to use an external sensor, the app can alternatively use the motion sensors built into the smartphone (accelerometer/gyroscope). In doing so, it processes acceleration (x/y/z in m/s²), rotation rates (x/y/z in rad/s), and the inclination angles calculated therefrom. This data is processed exclusively locally, held only in working memory, and discarded when the function is closed.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – levelling without external hardware) or, insofar as you actively choose this operating mode, Art. 6(1)(a) GDPR (consent).

4.6 Sensor Profiles (Multi-Profile Management)

You can create multiple configurations per sensor (e.g., "Car 160 cm", "Motorhome 305 cm"). The data stored includes, among other things: profile ID, device ID (MAC), display name, vehicle type, track width (front/rear in cm), wheelbase/axle spacing, configuration of the aids (wedges/cushions/jacks), display settings, sensor orientation, and calibration offsets. These profiles are stored locally and persist until you delete the profile, uninstall the app, or trigger the privacy reset (see Section 13).

Legal basis: Art. 6(1)(b) GDPR (performance of contract – profile/settings data).

4.7 App Settings & Preferences

The following settings are stored locally, including: temperature unit (°C/°F), length unit (cm/inch), sound/vibration on/off, sensor orientation, smoothing/filter parameters, decimal places, theme, language, app mode, senior/magnifier mode, background service on/off, last connected sensor, view mode, tolerance angle, and aids settings.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – settings data).

4.8 Locally Stored Messages ("News")

The contents of push notifications (see Section 8) are stored exclusively locally in the secured app storage, so that you can read them later under "Updates & News" (max. 100 entries). This data does not leave your device. You can delete it at any time (privacy reset or uninstallation); in addition, we can have individual messages removed server-side by means of a deletion command.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – display of received service messages).

4.9 Home/Lock Screen Widget

If you set up a home or lock screen widget, the most recently known inclination values and an update timestamp are held locally for the widget display. No external transmission takes place.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – convenience feature).

4.10 Data Protection Consent Status

In order to implement and demonstrate your consents, we store your consent selection (technical/analytics/location/advertising), a notice status, and the timestamp of your consent locally. This status governs whether optional functions are active and serves as proof of consent.

Legal basis: Art. 7(1) GDPR (proof of consent); Art. 6(1)(c) GDPR in conjunction with Art. 5(2) GDPR (accountability).

5. Crash and Error Reports (Sentry & Firebase Crashlytics)

To ensure the stability, security, and functionality of the app, we process crash and error reports. This processing is carried out on the basis of legitimate interests and is technically necessary; it is not dependent on analytics consent.

Types of data processed:

• Nature, type, and description of the error, stack trace
• Trace logs ("breadcrumbs": e.g., screens accessed, button presses, BLE events, connection drops/timeouts, signal quality)
• Anonymized device ID (only the last 4 characters, e.g., "…F2A7")
• Platform, operating system version, app version/build number, device model, language setting
• Performance metrics (e.g., processing time, frame rate) and indications of erroneous sensor data (only the first bytes as a hex value, no contents)

Full device IDs, IMEI numbers, MAC addresses in plain text, or your actual measurement data (pitch/roll stream) are not transmitted. In the delivered state, error and crash reports are, as a matter of principle, transmitted to Sentry in full (every event); a configurable sampling reduction is technically possible. Pure performance measurements (tracing), by contrast, are collected only on a partial (sampled) basis.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure, and error-free app); Art. 32 GDPR (data security). Our legitimate interest prevails; the processing is limited to the necessary minimum and is safeguarded by pseudonymization (anonymization of the device ID).

Recipients / third-country transfer: see Section 9.1 (Sentry) and 9.2 (Firebase Crashlytics).

Storage period: Sentry and Firebase Crashlytics each as a rule 90 days; local debug logs only volatile in working memory (deleted when the app is closed).

Objection: You have the right to object, on grounds relating to your particular situation, to this processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR; see Section 14).

6. Usage Analytics (Firebase Analytics) – Only with Consent

If you consent to usage analytics, we collect the following data in order to improve the app and to understand how its functions are used:

• Screens and functions accessed, dwell time
• Button presses / buttons and settings used (without the contents of your measurements)
• Session start/end, session duration, and frequency of use
• Device information (model, operating system, language, country from the device settings)
• Voluntarily provided age group (see Section 7)
• Vehicle type and aid type (from the app settings)
• Events such as calibration, sensor connection/disconnection (sensor type, duration), completion of onboarding, levelling calculations performed (inclination values rounded, vehicle type, aids)
• Where additional location consent is given: anonymized location data (rounded to approx. 11 km) (see Section 7.3)
• A pseudonymous installation ID automatically generated by Firebase (no name, no email)

The data does not contain any contents of your measurements. In addition, usage counters (e.g., function and session counters) are held locally; these are deleted upon the privacy reset. Analytics events are additionally passed to Sentry as breadcrumb context, but only if analytics consent is active.

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) TDDDG (storing of, or access to, information on the terminal device). Consent is voluntary and disabled by default; it is granted during onboarding or under Settings → Privacy & Analytics.

Recipients / third-country transfer: see Section 9.2 (Google Firebase).

Storage period: at Firebase max. 14 months (Google default) or until withdrawal; local counters until the privacy reset or uninstallation.

Withdrawal: at any time in the app under Settings → Privacy & Analytics or by email to shop@mixcover.de.

7. Location Data, Weather, and Voluntary Age Group

7.1 Location Determination for the Weather Display

Upon request, the app can display local weather data for your current location. For this purpose—after you have granted location consent and the additionally required operating system permission—it determines your geographic coordinates (latitude/longitude) and transmits them to the weather service Open-Meteo (see Section 9.3) in order to retrieve current weather data and a forecast. The precise position is not stored permanently; the weather data is merely cached for a short time (in working memory for approx. 30 minutes, and locally for up to 24 hours as a fallback).

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) TDDDG.

7.2 Weather Data Used

The data processed for the display includes, among other things, temperature, wind, humidity, visibility, weather code, a place name determined via reverse geocoding, and a 7-day forecast.

7.3 Anonymized Location Statistics

Provided that both location consent and analytics consent are present, the app may transmit a position rounded to one decimal place (approx. 11 km grid, not attributable to a person) to Firebase Analytics in order to evaluate anonymized usage regions. No personal location tracking takes place.

Legal basis: Art. 6(1)(a) GDPR (consent).

7.4 Voluntary Age Group

During onboarding or when signing up for the newsletter, you may voluntarily provide an age group (e.g., "18–30", "30–40"). This serves to better select relevant content and—if provided—is transmitted locally as well as (where analytics consent is active) as a Firebase user property and, in the context of a newsletter sign-up, to Brevo/Shopify. Age groups in spans of at least five years are, taken on their own, not considered directly attributable to a person. The locally stored age group is deleted upon the privacy reset (see Section 13.3).

Legal basis: Art. 6(1)(a) GDPR (voluntary consent).

Withdrawal/objection: at any time via the settings or the privacy reset; for Firebase/Brevo/Shopify-related matters via the respective withdrawal channels (Sections 6, 11, 12).

8. Push Notifications (Firebase Cloud Messaging)

The app can send you push notifications. We distinguish two types:

• Service and product information (e.g., app updates, new functions, product news): You will receive these as soon as you have allowed notifications at the operating system level.
• Offers and advertising (discounts, promotions, news): You will receive these only if you have additionally expressly consented to the "Offers/Advertising" category.

For delivery, we use Firebase Cloud Messaging (FCM) of Google Ireland Limited (see Section 9.2). A pseudonymous push token is generated on your device and transmitted to Google; messages can only be delivered via this token. The token contains no name and no email address. In addition, the following are processed: the subscribed topics (e.g., "all", "app updates", "products", "offers"), the permission status, and click/read status (locally). The contents of individual push notifications are stored exclusively locally (see Section 4.8).

Legal basis: Service/product push: Art. 6(1)(b) GDPR (performance of contract – service information) or Art. 6(1)(f) GDPR in conjunction with Section 25(2) TDDDG. Advertising push ("Offers"): Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG, Section 7(2) UWG. Advertising consent is voluntary, disabled by default, and may be withdrawn at any time.

Recipients / third-country transfer: see Section 9.2 (Google FCM, USA possible; SCC).

Storage period: FCM token until uninstallation/withdrawal of the permission (rotated by Google); local news until the privacy reset.

Withdrawal: at any time via the notification settings of your operating system; advertising push additionally in the app under Settings → Privacy & Analytics.

9. Service Providers and Third-Party Providers Used

9.1 Sentry (Crash and Error Analysis)

Provider: Functional Software, Inc. ("Sentry"), 132 Hawthorne Street, San Francisco, CA 94107, USA. Processing takes place via the EU region (de.sentry.io); depending on the configuration, processing on servers in the USA cannot be ruled out.

• Purpose: crash/error analysis, performance and stability monitoring, processing of in-app feedback (see Section 10).
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest); in the case of feedback with an email address provided, additionally Art. 6(1)(a)/(b) GDPR.
• Third-country safeguards: EU Standard Contractual Clauses pursuant to Art. 46 GDPR; data processing agreement pursuant to Art. 28 GDPR.
• Storage period: as a rule 90 days.
• Privacy policy: https://sentry.io/privacy/

9.2 Google Firebase (Analytics, Crashlytics & Cloud Messaging / FCM)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"); for the USA: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Firebase project: "level-app-ad57e".

• Services/purpose: Firebase Analytics (usage analytics, only with consent – Section 6), Firebase Crashlytics (crash reports, legitimate interest – Section 5), Firebase Cloud Messaging (push – Section 8).
• Legal basis: Analytics/FCM advertising: Art. 6(1)(a) GDPR; Crashlytics/service push: Art. 6(1)(f) or (b) GDPR.
• Third-country safeguards: Processing on Google servers in the USA is possible. Google has subjected itself to the EU Standard Contractual Clauses pursuant to Art. 46 GDPR; data processing agreement pursuant to Art. 28 GDPR.
• Storage period: Analytics max. 14 months; Crashlytics as a rule 90 days; FCM token until withdrawal/uninstallation.
• Privacy policy: https://policies.google.com/privacy
• Firebase privacy: https://firebase.google.com/support/privacy

9.3 Open-Meteo (Weather Data)

Provider: Open-Meteo, an open-source weather data service that can be used free of charge and without an API key (open-meteo.com). According to our knowledge, hosting takes place within the EU or Switzerland. Only geographic coordinates are transmitted for the purpose of retrieving the weather data; no names, email addresses, or device/user identifiers are transmitted, and no user profiles are created. Since this is a free service without registration, there is, as a rule, no formal data processing agreement with Open-Meteo pursuant to Art. 28 GDPR; the risk is nevertheless low, as only anonymous coordinates with no connection to your person are transmitted.

• Legal basis: Art. 6(1)(a) GDPR (location consent) or Art. 6(1)(b) GDPR (performance of contract – weather function).
• Third-country safeguards: According to our knowledge, processing takes place within the EU or Switzerland (for Switzerland an adequacy decision pursuant to Art. 45 GDPR exists). A transfer to insecure third countries is not envisaged.
• Privacy notices/terms of use: https://open-meteo.com/en/terms

9.4 Brevo (Newsletter and Transactional Email)

Provider: Sendinblue SAS ("Brevo"), 106 boulevard Haussmann, 75008 Paris, France. Processing on EU servers (France).

• Purpose: dispatch of the double-opt-in confirmation and the newsletters; feedback notifications to us.
• Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 7(2) No. 3 UWG (newsletter); Art. 6(1)(f) GDPR (internal feedback notification).
• Third-country safeguards: Processing within the EU; data processing agreement pursuant to Art. 28 GDPR.
• Privacy policy: https://www.brevo.com/de/legal/privacypolicy/

9.5 Shopify (Product Display & Newsletter Customer Record)

Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland; parent company: Shopify Inc., Canada.

• Purpose: retrieval of public product information for the in-app product feed (only technical connection/product data, no customer data); after a confirmed newsletter sign-up, storage as a customer record with newsletter status.
• Legal basis: Art. 6(1)(b) GDPR (product feed) or Art. 6(1)(f) GDPR (legitimate interest in product information); customer record: Art. 6(1)(a) GDPR (consent).
• Third-country safeguards: A transfer to third countries (e.g., USA/Canada) may take place; Shopify has agreed to appropriate safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses). For Canada, an adequacy decision of the EU Commission (Art. 45 GDPR) additionally exists for organizations subject to PIPEDA. Data processing/data handling agreement pursuant to Art. 28 GDPR.
• Privacy policy: https://www.shopify.com/legal/privacy

9.6 Mixcover GmbH's Own Server (Relay)

Newsletter sign-ups and in-app feedback are first transmitted to and stored on our own server (operated by Mixcover GmbH, server location within the EU). From there—depending on the function—forwarding takes place to Brevo, Shopify, Sentry, as well as an internal notification of our team via the messenger service Telegram.

Internal team notification via Telegram: The provider is Telegram FZ-LLC (Dubai, United Arab Emirates). Telegram serves exclusively for the internal notification of our team (e.g., "new feedback received") and is not a communication channel addressed by the user. We limit the contents transmitted to Telegram to the bare minimum; in the interest of data minimization, we avoid transmitting plain-text contents with a personal reference (in particular an email address voluntarily provided by you) server-side as far as possible. The United Arab Emirates is a third country without an adequacy decision of the EU Commission. Insofar as personal data is nevertheless transmitted via Telegram in an individual case, we base this on appropriate safeguards pursuant to Art. 46 GDPR (EU Standard Contractual Clauses) or—where applicable—on a derogation pursuant to Art. 49(1) GDPR; otherwise, only anonymized or non-attributable notices are transmitted.

• Legal basis: Art. 6(1)(a) GDPR (newsletter), Art. 6(1)(b) and (f) GDPR (support/feedback, internal notification).
• Telegram privacy policy: https://telegram.org/privacy

9.7 Disclosure to Other Third Parties

Your personal data will not be disclosed to any further third parties, unless: you have expressly consented; the disclosure is necessary for the performance of the contract; we are legally obligated to disclose it; or the disclosure is necessary for the enforcement of our rights.

10. In-App Feedback (Error Reports & Feature Requests)

Via the feedback function, you can report errors or send feature requests to us. In doing so, we process: your feedback text, the type (bug/request), optionally your email address (for follow-up questions), app version/build, platform and OS version, language, timestamp, as well as—if attached by you—a screenshot. The transmission takes place to our own server (lager.mix-cover.de or lagerbestands-tool, EU) and in parallel to Sentry; on the server side, an internal Telegram notification takes place (see Section 9.6, including the third-country notice regarding Telegram FZ-LLC/UAE), as well as an email dispatch to our team via Brevo.

Providing an email address is voluntary and only necessary if you would like a response.

Legal basis: Art. 6(1)(b) GDPR (processing of your support request) as well as Art. 6(1)(f) GDPR (legitimate interest in product improvement); in the case of an optional email address being provided, Art. 6(1)(a) GDPR (consent to being contacted).

Recipients / third-country transfer: own server (EU), Brevo (EU), Sentry (see 9.1, possibly USA with SCC), internal Telegram notification (see 9.6, UAE = third country; data minimization, where applicable SCC/Art. 49 GDPR).

Storage period: on our server up to 12 months (for trend and error analysis); Sentry as a rule 90 days; an attached screenshot only until processing is complete.

11. Newsletter Sign-Up

If you sign up for the newsletter in the app, we process your email address, optionally your first and last name, as well as—if you provide it—your voluntary age group, exclusively for the purpose of dispatching the newsletter (news, product news, offers from 040 Parts). In addition, we store the language selected in the app (for the newsletter in your language), the platform of your device (only roughly: iOS or Android), the app version, the point in time, and your consent (marketing checkbox). The sign-up runs via our own server (EU); for the email dispatch we use Brevo (Section 9.4) and, after confirmation, we store you as a customer with newsletter status in our Shopify shop (Section 9.5).

For reasons of data economy, in the event of a temporarily missing internet connection, only your email address is cached locally (offline queue) and the sign-up is completed at the next app start; first/last name is deliberately not stored locally in this case. A telephone number or your precise device model is not collected for the newsletter.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 7(2) No. 3 UWG. The sign-up takes place by means of the double-opt-in procedure: you receive a confirmation email and are only added to the distribution list after confirmation.

Recipients / third-country transfer: own server (EU), Brevo (EU), Shopify (see 9.5, possibly USA/Canada with SCC or adequacy decision).

Storage period: until withdrawal of consent or unsubscription; the offline queue locally only until successful dispatch.

Withdrawal: at any time via the unsubscribe link in every email or by message to shop@040parts.com or shop@mixcover.de.

12. Shopify Product Feed (New Products in the App)

To display new products (labelled "New"), the app retrieves public product data via the Shopify Storefront interface (product ID, title, abbreviated description, price, image URL, shop link). To control the display, technical values are stored locally (e.g., the retrieved product cache, products already seen, session counters, dismissal status); these do not leave your device. Any conversion measurement ("seen"/"dismissed") takes place only where analytics consent is active. The locally stored control values, including the product cache, are deleted upon the privacy reset (see Section 13.3).

Legal basis: Art. 6(1)(b) GDPR (performance of contract – product display) or Art. 6(1)(f) GDPR (legitimate interest in product information); local tracking with conversion measurement: Art. 6(1)(a) GDPR.

Recipients / third-country transfer: Shopify (see 9.5).

Storage period: product cache locally 24 hours; "seen"/"dismissed" values until the privacy reset.

13. Device Permissions, Data Security, and Privacy Reset

13.1 Device Permissions

The app requests the following operating system permissions—in each case only when needed: Bluetooth (connection to the sensor), location (weather/camping spot), camera and photo library (optional screenshot with feedback), microphone or audio playback (acoustic notices/background mode), and notifications (push). You can revoke granted permissions at any time in the device settings.

13.2 Data Security

We employ technical and organizational security measures pursuant to Art. 32 GDPR in order to protect your data against loss, manipulation, and unauthorized access. Transmissions to service providers are encrypted (HTTPS/TLS). Local app data is stored in the secured app storage of the operating system, to which other apps have no access. Device IDs/MAC addresses are pseudonymized prior to any external transmission (only the last 4 characters).

13.3 Privacy Reset (Right to Erasure)

Via the privacy reset in the settings, you can delete all locally stored personal data—in particular sensor profiles (including stored MAC addresses), the weather cache, analytics counters, your voluntarily provided age group, the local Shopify product cache and the associated display control values, stored news, the offline newsletter queue, as well as all consent settings. We thereby directly implement your right to erasure (Art. 17 GDPR) for the locally held data. You can also achieve a complete deletion of all local data by uninstalling the app.

14. Your Rights as a Data Subject

Pursuant to Art. 15–21 GDPR, you have the following rights:

• Right of access (Art. 15 GDPR): confirmation and information as to whether, and which, data concerning you we process.
• Right to rectification (Art. 16 GDPR): rectification of inaccurate data or completion of incomplete data.
• Right to erasure (Art. 17 GDPR): erasure of your data ("right to be forgotten"), insofar as no statutory retention obligations conflict with this.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR): receipt of your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR): objection, on grounds relating to your particular situation, to processing operations based on Art. 6(1)(f) GDPR (legitimate interest).

Withdrawal of consents: You can withdraw consents you have given at any time with effect for the future (Art. 7(3) GDPR). The lawfulness of the processing carried out up until the withdrawal remains unaffected.

• In the app: Settings → Privacy & Analytics → Manage consents
• By email: shop@mixcover.de

Following withdrawal, no new data will be collected on the basis of the withdrawn consent; data already collected will be deleted, insofar as no statutory retention obligation exists.

15. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

The supervisory authority responsible for us as the controller is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) Hamburg Web: https://datenschutz-hamburg.de

16. Contact for Data Protection Inquiries

For questions on data protection, the exercise of your rights, or the withdrawal of consents, please contact:

Mixcover GmbH Attn: Timo Plogstedt Neumann-Reichardt-Str. 27-33, 22041 Hamburg Email: shop@mixcover.de Telephone: +49 40 98241564

We generally process inquiries within the statutory deadline (as a rule one month, Art. 12(3) GDPR).

17. Storage Periods at a Glance

After the respective storage period expires, the data is routinely deleted, provided that no statutory retention obligation exists.

18. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy in order to keep it in line at all times with the current legal requirements or with changes to our services. The respective current version is available in the app under Settings → Privacy as well as online at app.040parts.com/<language>/privacy. In the event of material changes, you will be informed at the next app start and—insofar as legally required—asked to consent anew.

19. Applicable Law & Place of Jurisdiction

The law of the Federal Republic of Germany applies, to the exclusion of the UN Convention on Contracts for the International Sale of Goods, insofar as no mandatory statutory provisions—in particular of consumer protection or data protection law—conflict therewith. To the extent legally permissible, the exclusive place of jurisdiction for all disputes arising out of or in connection with this Privacy Policy is Hamburg. Mandatory statutory places of jurisdiction—in particular for consumers—remain unaffected.

20. Authoritative Language Version

This Privacy Policy is provided in several languages. In the event of any discrepancies or differences in interpretation between the language versions, the German version is legally authoritative.

This Privacy Policy applies exclusively to the 040 Level App. It does not apply to linked external websites or third-party services.

Last updated: June 2026 | Version 1.2