Data Privacy Policy

Privacy Policy

Version: 10.11.2025
Applies to: niostem websites, online shops, apps, and connected devices

Introduction and Scope of this Policy

We appreciate your interest in our company, Mane Biotech GmbH, and our trademark, niostem. Protecting your personal data is a matter of great importance to us. This Privacy Policy describes how Mane Biotech GmbH (referred to as "we," "us," or "our") collects, uses, discloses, and processes your personal information when you use our Services.

This Policy applies to your use of the following:

  • Websites and Digital Properties: Our websites at www.niostem.com, www.niostem.de, and all associated web pages, subdirectories (e.g., /en, /de, /fr), and language versions that link to or are accessible through these domain names (collectively, the "Website").
  • Products and Devices: All niostem devices and related hardware.
  • Applications and Services: Any associated niostem mobile applications (e.g., the "niostem App") and other online services we provide.

The Website, Products, and Applications are collectively referred to as the "Services".

Please read this Privacy Policy carefully to understand your rights and our practices regarding your personal information and how we will treat it.


1) Who we are (Controller)

Controller: Mane Biotech GmbH ("niostem")
Registered/Business address:
Mane Biotech GmbH
Stüttgerhofweg 1, Cologne, Germany
Commercial Register: Cologne, Germany
Contact: privacy@niostem.com (general privacy)

Data Protection Officer (DPO): Dr. Carlos Chacón
Postal: Stüttgerhofweg 1, Cologne, Germany
Email: dpo@niostem.com

Supervisory authority (lead): Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein‑Westfalen (LDI NRW). You may also lodge a complaint with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR).


2) What data we collect, why, and our legal bases

We collect only what we need for defined purposes. Where we rely on consent (Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR for special categories such as health data), you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on contract (Art. 6(1)(b)) or a legal obligation (Art. 6(1)(c)), some processing is required to provide the service or to meet the law. Where we rely on legitimate interests (Art. 6(1)(f)), for example website security or service quality, you may object (see Section 9).

2.1 Overview tables

A) Website & e‑commerce

Each entry lists the data category, followed by examples, purpose, legal basis, retention, and recipients/processors.

Account & order data
  Examples: name, email, delivery address, order history, payment status
  Purpose: account creation, checkout, fulfilment, invoicing, support
  Legal basis: contract (Art. 6(1)(b)); legal obligation (tax/commercial law, Art. 6(1)(c))
  Retention: orders and invoices 10 years (German tax law); account data 3 years after last activity (unless a legal retention period applies)
  Recipients/Processors: Shopify; payment providers (Stripe, PayPal, Apple Pay, Google Pay, Klarna, Mollie); logistics (DHL, UPS, FedEx, Hermes)

Service communications
  Examples: order confirmations, shipping notices, service updates
  Purpose: perform the contract; keep you informed
  Legal basis: contract (Art. 6(1)(b))
  Retention: 3 years after last activity (evidence of communications)
  Recipients/Processors: email providers (Google, SendGrid, Mailchimp as sender infrastructure)

Support tickets
  Examples: issue description, attachments, device serial
  Purpose: customer care, troubleshooting
  Legal basis: legitimate interest (service quality, Art. 6(1)(f)), or contract (Art. 6(1)(b)) where linked to an order
  Retention: 3 years after ticket closure (up to 10 years where legal holds apply)
  Recipients/Processors: Zendesk

Lead forms & funnels
  Examples: names, emails, phone (optional), preferences; form metadata; optional health‑related self‑reports only where the form explicitly asks
  Purpose: capture enquiries, waitlists, marketing sign‑ups; conversion analytics
  Legal basis: consent (marketing, Art. 6(1)(a)); explicit consent for any health‑related answers (Art. 9(2)(a))
  Retention: active enquiry + 24 months (marketing contacts follow the Newsletter rules); health‑related answers are stored only as long as needed for the stated purpose and then deleted or anonymised
  Recipients/Processors: Perspective Software GmbH (perspective.co) (processor; EU hosting)

Web server logs
  Examples: IP address, timestamp, URL, user‑agent
  Purpose: security, fraud prevention, diagnostics
  Legal basis: legitimate interest (security, Art. 6(1)(f))
  Retention: 12 months (longer where a security incident requires it)
  Recipients/Processors: hosting/CDN partners (DigitalOcean, CloudWays, All‑inkl.com)

Cookies/trackers (non‑essential)
  Examples: analytics and marketing identifiers
  Purpose: analytics, conversion measurement, marketing
  Legal basis: consent (§ 25 TDDDG, formerly TTDSG, and Art. 6(1)(a) GDPR)
  Retention: per Cookie Policy (6–24 months typical)
  Recipients/Processors: Google Analytics/GA4, Meta, Google Ads/CM360, TikTok, Shopify analytics

B) App & connected device

Device pairing & telemetry
  Examples: Bluetooth identifiers, firmware version, device status, non‑precise connectivity data
  Purpose: enable pairing, updates, diagnostics
  Legal basis: contract (Art. 6(1)(b))
  Retention: 24 months from collection
  Recipients/Processors: niostem infrastructure (EU hosting)

Crash & quality logs
  Examples: error codes, performance metrics
  Purpose: troubleshoot, improve reliability
  Legal basis: legitimate interest (quality and safety, Art. 6(1)(f))
  Retention: 12 months (aggregated thereafter)
  Recipients/Processors: niostem systems (own firmware and software); optional telemetry stack (EU)

App permissions
  Examples: Bluetooth, camera, photos, local time (no background location)
  Purpose: pair the device; optional photo features
  Legal basis: contract (Bluetooth); consent (camera/photos)
  Retention: N/A (permissions are granted on your device; only data you upload is processed)
  Recipients/Processors: N/A

Photos/images
  Examples: scalp photos for tracking; face‑cropped/anonymised by default
  Purpose: in‑app tracking; (optional) marketing with separate consent
  Legal basis: consent (Art. 6(1)(a)); explicit consent where health‑related (Art. 9(2)(a))
  Retention: originals for tracking up to 24 months (default); marketing originals 12 months; anonymised edits while the campaign is active + 3 years archive; deleted sooner on withdrawal unless already published beyond our control
  Recipients/Processors: EU storage; marketing asset managers/processors as listed in Section 4.1

Health‑related inferences
  Examples: hair density metrics, progress tags
  Purpose: display progress; optional analytics
  Legal basis: explicit consent (Art. 9(2)(a))
  Retention: 24 months (pseudonymised thereafter)
  Recipients/Processors: EU hosting; analytics in the EU

C) Marketing

Newsletter/subscriber lists
  Examples: name, email, subscription status, preferences
  Purpose: send email newsletters and product updates
  Legal basis: consent (opt‑in with double opt‑in, Art. 6(1)(a))
  Retention: active subscription + 24 months; suppression list kept indefinitely to honour your opt‑out
  Recipients/Processors: Mailchimp (EU data centre where available)

Ad audiences & pixels (only with consent)
  Examples: hashed email for custom audiences; pixel IDs
  Purpose: reach interested users; measure conversions
  Legal basis: consent (Art. 6(1)(a))
  Retention: audience lifetime as configured (typically 180–540 days) or until you withdraw; logs up to 24 months
  Recipients/Processors: Meta Pixel/Conversions API, Google Ads/CM360, TikTok

We do not use SMS marketing. We may send strictly necessary service messages about your orders or device (no consent required).
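The "hashed email for custom audiences" entry above refers to the matching practice ad platforms use: the address is normalised, hashed with SHA‑256, and only the digest is uploaded. The Python below is an added example, not niostem's code or any vendor's SDK; the normalisation rule (trim whitespace, lowercase) is the common one and is an assumption here, so the platform's current specification should be checked. The example also shows why such a digest is pseudonymous rather than anonymous: anyone holding a list of candidate addresses can recompute the same digests and join them back, which is why hashed emails still count as personal data under GDPR.

```python
import hashlib
from typing import Dict, Iterable, List


def normalize_email(email: str) -> str:
    """Canonicalise an address before hashing.

    Common rule used by ad platforms (assumption: verify against the platform's
    current spec): strip surrounding whitespace and lowercase the whole address.
    Without this, "Alice@Example.com" and "alice@example.com" produce different
    digests and never match the platform's own user records.
    """
    return email.strip().lower()


def hash_for_audience(email: str) -> str:
    """SHA-256 hex digest of the normalised address; only this value is uploaded."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_audience(emails: Iterable[str]) -> List[str]:
    """Deduplicated, sorted digests for upload.

    Duplicates arise when the same subscriber appears with casing or whitespace
    variants; deduplicating after normalisation avoids uploading them twice.
    """
    return sorted({hash_for_audience(e) for e in emails})


def reidentify(digests: Iterable[str], candidate_emails: Iterable[str]) -> Dict[str, str]:
    """Show that hashing is pseudonymisation, not anonymisation.

    A party holding any candidate list (a CRM export, a breach dump) recomputes
    the digests and joins them back to addresses. No key material is involved,
    so the digests must be handled as personal data and deleted on withdrawal.
    """
    lookup = {hash_for_audience(e): normalize_email(e) for e in candidate_emails}
    return {d: lookup[d] for d in digests if d in lookup}


# Constructed sample input for the example (not real subscribers).
SAMPLE_SUBSCRIBERS = ["  Alice@Example.com ", "alice@example.com", "bob@example.org"]

if __name__ == "__main__":
    digests = build_audience(SAMPLE_SUBSCRIBERS)
    print(len(digests), "unique digests for", len(SAMPLE_SUBSCRIBERS), "inputs")
    # A holder of "alice@example.com" recovers her entry; "carol" is absent and stays unmatched.
    print(reidentify(digests, ["alice@example.com", "carol@example.net"]))
```

Withdrawal of consent therefore has to be propagated to the platform as an audience deletion, not merely by stopping new uploads, since the digests already uploaded remain linkable to the person.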


3) Special categories (health data) & photos

Some app features may create health‑related information (e.g., hair density trends). We use this only with your explicit consent and only for the selected purposes (progress display; optional analytics; optional research—see Section 6).
Photos: We apply face‑cropping/anonymisation by default. For any use beyond your private tracking (e.g., marketing), we ask for a separate opt‑in consent. You may withdraw at any time by emailing dpo@niostem.com. On withdrawal, we stop future use and remove content under our control; prior third‑party reposts may not be fully retractable.

Original vs. edited assets

  • Originals for in‑app tracking: retained up to 24 months by default (or shorter if you delete them).
  • Originals used for marketing (with your consent): retained 12 months.
  • Anonymised/edited assets: retained for the active campaign + 3 years archive for compliance, then deleted unless needed for legal claims.

4) Where we process data & international transfers

We store and process data in the European Economic Area (EEA) wherever possible. Some providers are headquartered outside the EEA; where data may be accessed from or transferred to a third country, we rely on the European Commission's Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs). We also apply technical and organisational measures (encryption in transit and at rest; strict access controls; data minimisation).

4.1 Our main processors and tools

  • Hosting/CDN & infrastructure: DigitalOcean, CloudWays, All‑inkl.com, InfluxData (influxdata.com), Shopify, Perspective Software GmbH (perspective.co) for landing pages & lead forms.
  • Analytics (consent‑based): Google Analytics/GA4, Shopify analytics, Perspective funnel analytics.
  • Advertising (consent‑based): Meta Pixel & Conversions API, Google Ads/CM360, TikTok, WooCommerce integrations, Perspective conversion tracking.
  • CRM/Helpdesk: Zendesk.
  • Email delivery: Mailchimp, Twilio, SendGrid (no SMS marketing).
  • Payments: Stripe, PayPal, Apple Pay, Google Pay, Klarna, Mollie.
  • Logistics/Fulfilment: DHL, UPS, FedEx, Hermes.

Where these providers rely on non‑EEA support or infrastructure, we use SCCs and, where applicable, additional safeguards. For ad/analytics tools, we only activate data flows after your consent via our cookie banner/preferences.


5) Cookies and similar technologies (TDDDG, formerly TTDSG, & GDPR)

Non‑essential cookies and trackers are only set with your prior consent. We use a Consent Management Platform (CMP) that lets you accept, reject, or customise categories (e.g., Analytics, Marketing). You can change your choice anytime in Cookie Settings (link in footer/app settings).

5.1 Categories

  • Strictly necessary: required for security, load balancing, cart/checkout. (No consent)
  • Analytics: to understand usage and improve products (GA4, Shopify). (Consent)
  • Marketing/Ads: to measure and optimise campaigns (Meta, Google Ads/CM360, TikTok). (Consent)

5.2 Cookie details

Our Cookie Policy lists each cookie/SDK, provider, purpose, duration, and legal basis. Typical durations: 1–24 months. Some technologies use local storage or SDK identifiers with similar rules.

5.3 Proof of consent

We store a consent record (timestamp, preferences, pseudonymous identifier) to demonstrate compliance. You may withdraw or modify consent at any time via Cookie Settings.


6) Research & product improvement

We may use pseudonymised/anonymised datasets to improve algorithms, evaluate efficacy, and generate aggregate insights. Internal research relies on pseudonymisation/anonymisation wherever possible. For external research partners (future), we will either use anonymised data or obtain separate, specific consent if re‑identification risk exists or if required by law/ethics. Research outputs are aggregate; individual identification is not intended.


7) Sharing data (recipients)

We share data with:

  • Processors acting on our instructions (the vendors listed in 4.1).
  • Payment providers & banks to process transactions.
  • Logistics providers to deliver your orders.
  • Advertising & analytics providers (only if you consent) for measurement and targeting.
  • Authorities when legally required.

We do not sell your personal data.

Joint controllership (where applicable): Some platforms (e.g., Meta for certain page insights) may qualify as joint controllers with us for limited processing. In such cases, we make the essence of the Art. 26 GDPR arrangement available on request and outline the main responsibilities of each party.


8) Retention: how long we keep data

We apply the shortest period compatible with the purpose and legal obligations. When a period ends, we delete or irreversibly anonymise data.

  • Orders, invoices, accounting: 10 years (German tax/commercial law)
  • Customer account (inactive): 3 years after last activity (earlier deletion on request unless legal holds apply)
  • Consent records (cookies, marketing, health, photos): 6 years (evidence of compliance)
  • Support tickets & communications: 3 years after closure (extended if a legal claim is likely)
  • Device telemetry & pairing logs: 24 months
  • Crash/quality logs: 12 months (aggregated afterwards)
  • Marketing audiences (ads): lifetime set by the platform, or until you withdraw consent
  • Newsletter subscriber data: while subscribed + 24 months; suppression list kept indefinitely to respect your opt‑out
  • Photos for tracking (originals): up to 24 months (or sooner if you delete them)
  • Photos for marketing (originals): 12 months; edited assets for the active campaign + 3 years


9) Your rights

You have the following rights under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on legitimate interests or used for direct marketing (Art. 21), and withdrawal of consent at any time (Art. 7(3)). You also have the right to lodge a complaint with a supervisory authority (Art. 77).

How to exercise: email dpo@niostem.com. We respond within one month (extendable by two months for complex requests with notice).

Verification: we may (1) verify that you control the email address or account concerned; (2) ask for order or device details; and, only where necessary to rule out impersonation, (3) request a limited identity check with irrelevant details redacted (we keep this copy for at most 30 days for audit purposes, then delete it). If you act on behalf of someone else, please provide signed authority.


10) Children

Our services are intended for adults (18+). We do not knowingly collect data from children. If you believe a minor has provided data, contact dpo@niostem.com and we will delete it.


11) Security

We apply appropriate technical and organisational measures (Art. 32 GDPR), including: encryption in transit and at rest; role‑based access control and least privilege; multi‑factor authentication for administrative systems; logging and monitoring; vulnerability management and patching; regular backups; vendor due diligence and SCCs where needed; employee confidentiality obligations and training; and incident response procedures. In the event of a personal data breach, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to you (Art. 33 GDPR); where the breach is likely to result in a high risk to your rights and freedoms, we also notify you directly (Art. 34 GDPR).


12) Automated decision‑making & profiling

We do not perform solely automated decision‑making that produces legal or similarly significant effects. We may use profiling for marketing (e.g., analytics segments, ad audiences) only with your consent; you can withdraw consent at any time via Cookie Settings or dpo@niostem.com.


13) Third‑party links & social media

Our sites/apps may link to third‑party services. Their privacy practices are their own; please review their policies. Social media widgets and pixels load only after consent (where applicable).


14) Changes to this policy

We may update this Policy periodically. We will post the latest version here and indicate the effective date. For material changes, we will provide prominent notice and, where needed, request consent again.

Effective date: 2025‑11‑10


Cookie Policy (Summary)

This Cookie Policy complements our Privacy Policy.

1) Managing your preferences

On your first visit, we show a cookie banner. You can accept all, reject all, or customise your choices. You can change them at any time in Cookie Settings (link in the website footer). We record your consent choices.

2) Categories & examples

  • Strictly necessary (no consent): session cookies (cart, checkout), load balancers, security tokens.
  • Analytics (consent): GA4 (_ga, _gid), Shopify analytics, Perspective funnel analytics.
  • Marketing (consent): Meta (_fbp), Google Ads/CM360, TikTok (_tt_enable_cookie), Perspective conversion tracking, and related SDK IDs.

3) Durations

Strictly necessary: session/short‑term. Analytics/Marketing: typically 1–24 months (see Cookie Settings for up‑to‑date list).

4) Third‑country transfers

Analytics/marketing tools may transfer limited data outside the EEA. Where this occurs, we apply SCCs and additional safeguards.

5) Withdrawing consent

Use Cookie Settings, or your browser settings, to withdraw consent and delete cookies. Withdrawal does not affect the lawfulness of processing carried out on the basis of your consent before you withdrew it.