DATA PROTECTION

DATA PRIVACY POLICY

We, CRI Vision GmbH, Blegistrasse 11a, 6340 Baar, operate the website www.magic-luna.com as well as the app "Magic Luna Voice." We are therefore considered responsible for the collection, use, and processing of your data.

Our representative in the EU, or the representative of controllers or processors not established within the Union, in accordance with Art. 27 GDPR, is: ePrivacy GmbH, Burchardstrasse 14, 20095 Hamburg, Germany.

Contact for data protection inquiries: Please use our contact form at www.magic-luna.com

Below, we will outline whether and how we process your data:

1. Data Processing, Storage, and Deletion

We only process personal data that we collect directly through our website, the associated applications, external platforms, so-called "landing pages," and/or within the scope of our business relationship with our customers and other business partners. Processing is carried out only with consent or when there is a corresponding legal basis.

Within the scope of the consent you have given, we process your data only within the limits of this consent unless one of the following legal bases applies. We explicitly point out that you can revoke your consent at any time, although any processing that has already taken place lawfully will not be affected by the revocation.

The following legal bases may apply:

Consent of the data subject;
Fulfillment of the contract with the data subject as a contractual party or necessary pre-contractual measures at the request of the data subject;
Fulfillment of necessary legal obligations of our company;
Performance or execution of a task in the public interest;
Legitimate interests of our company, provided that the interests or fundamental rights of the data subject do not override them.

The collected personal data will be deleted as soon as we no longer need them for the specified purpose or if the purpose of storage ceases to exist. However, storage must take place if Swiss or European legislation prescribes such an obligation. Such obligations exist, among others, in contract and tax law or may arise from the provisions on commercial accounting: business documents, contracts, or accounting records are subject to a retention period of 10 years. These data, which also include personal data, will be blocked if we no longer need them to provide our services. We use them exclusively for accounting and tax purposes.

2. Disclosure to Third Parties and Third-Party Access

As part of order processing, it may be necessary to utilize third-party services. In this case, the contractual provision of services may require the disclosure of data to these external service providers. The legal bases for disclosure are identical to those for lawful processing and can be found in Section 1. In any case, we contractually ensure that third parties entrusted with processing your data comply with data protection requirements. Finally, we may also be required by regulatory or judicial orders to disclose data to third parties or government authorities.

2a. Email Communication via Gmail

We use the email service Gmail, provided by Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland, and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for business communication with customers and business partners. In doing so, personal data such as name, email address, message content, and any attachments are processed and stored on Google’s servers, which may be located in third countries such as the USA.

The data processing is based on our legitimate interest in efficient and reliable communication in accordance with Art. 6 (1) lit. f GDPR. For more information about Google’s data protection, visit: https://policies.google.com/privacy

3. Data Privacy Information Regarding Google Analytics, Google Ads, and Meta Ads:

Google Analytics:

We use the web analytics service Google Analytics provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) ("Google").

The described data regarding the use of the website may be transmitted to the servers of Google LLC in the USA for the stated processing purposes. The IP address is anonymized before transmission within member states of the European Union or in other contracting states of the Agreement on the European Economic Area through the activation of IP anonymization ("anonymizeIP") on this website. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

Users can prevent the collection of data generated by the cookie and related to the use of the website (including their IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link:

http://tools.google.com/dlpage/gaoptout?hl=en - Further information on Google's data protection policies can be found here.

Google Ads:

This website uses the online advertising services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google uses cookies, such as the so-called DoubleClick cookie, which allows your browser to be recognized when visiting other websites. The information generated by the cookies about your visit to these websites (including your IP address) is transmitted to a Google server in the USA and stored there.

http://tools.google.com/dlpage/gaoptout?hl=en - Further information on Google's data protection policies can be found here.

The legal basis for this data processing is your consent in accordance with Art. 6 (1) (a) of the EU GDPR. You can revoke your consent at any time by rejecting or disabling the relevant cookies in your web browser settings.

http://tools.google.com/dlpage/gaoptout?hl=en - Further options for blocking ads can be found here.

Google Ads: Meta Pixel, Meta Conversion API and Custom Audience:

Our website uses the visitor action pixel and the conversion API from Meta (Meta Platforms Ireland Ltd., Harbour 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland) for conversion measurement. The Meta Pixel and the conversion API allow us to track your behavior after you have been redirected to our website by clicking on a Facebook or Instagram ad. The collected data is anonymous for us as the operator of this website and therefore does not allow us to draw conclusions about your identity.

We use the Meta Pixel and the conversion API to evaluate the effectiveness of Meta ads for statistical and market research purposes and to optimize future advertising campaigns.

Additionally, we use Custom Audience to ensure that our Meta ads are only displayed to individuals who have already shown interest in our offers or have similar interests. For this purpose, we may transmit email addresses in an encrypted and pseudonymized form (so-called hashing) to Meta, allowing a comparison with the Meta database to identify matching users. Through this process, Meta does not gain access to new email addresses that can be used for its own purposes.

For the exchange of data collected or received by Meta via the Meta Pixel and the conversion API or similar functions, for displaying advertising information relevant to visitors, improving ad delivery, and personalizing features and content, we are jointly responsible with Meta. Therefore, you may also direct access requests or other data protection inquiries directly to Meta.

For any further data processing beyond this, we are not responsible. Your data may be processed by Meta in this regard. In particular, a connection to your user profile may be possible, and Meta may use the collected data for its own advertising purposes.

4. Email Marketing and Newsletter

If you sign up for our email newsletter (e.g., when creating or within your customer account), the following data will be collected. Required fields are marked with an asterisk (*):

Email address
Salutation
First and last name

To prevent misuse and ensure that the owner of an email address has indeed provided their consent, we use the so-called double opt-in procedure for registration. After submitting the registration, you will receive an email from us containing a confirmation link. To complete your newsletter subscription, you must click on this link. If you do not click on the confirmation link within the specified timeframe, your data will be deleted, and no newsletter will be sent to this address.

By registering, you consent to the processing of this data in order to receive communications from us about our company, our offers in the field of "sale of tarot cards with licenses for public use," as well as related products and services. This may also include invitations to participate in sweepstakes or requests to review one of the aforementioned products and services. The collection of salutation and name allows us to verify the association of the registration with an existing customer account and to personalize the content of the emails. Linking to a customer account helps us make the offers and content in the newsletter more relevant to you and better align with your potential needs.

We use your data for email dispatch until you revoke your consent. You may revoke your consent at any time, particularly via the unsubscribe link included in all our marketing emails.

Our marketing emails may contain a web beacon or 1x1 pixel (tracking pixel) or similar technical tools. A web beacon is an invisible graphic linked to the user ID of the respective newsletter subscriber. For every marketing email sent, we receive information about which addresses have not yet received the email, to which addresses it was sent, and for which addresses delivery failed. Additionally, we can see which addresses have opened the email and for how long, as well as which links were clicked. Finally, we also receive information on which addresses have unsubscribed. We use this data for statistical purposes and to optimize our marketing emails in terms of frequency, timing, structure, and content. This allows us to tailor the information and offers in our emails more effectively to the individual interests of recipients.

The web beacon is deleted when you delete the email. To prevent the use of web beacons in our marketing emails, please configure your email program settings so that HTML in messages is not displayed if this is not already the default setting. You can find information on how to configure this setting in the help section of your email software, such as here for Microsoft Outlook.

By subscribing to the newsletter, you also consent to the statistical analysis of user behavior for the purpose of optimizing and adapting the newsletter. This consent constitutes our legal basis for data processing within the meaning of Art. 6 (1) (a) of the EU GDPR.

We use the email marketing software “WIX.com” to send our newsletters and other marketing emails. As a result, your data is stored in a «WIX.com» database, which allows the company to access your data when necessary for the provision of the software and for support in using the software. The legal basis for this processing is our legitimate interest in accordance with Article 6 (1) (f) of the EU GDPR in using third-party services. Your data is stored on Wix’s servers. Further information can be found in Wix’s privacy policy at https://www.wix.com/about/privacy

5. Provision of Our Services and Creation of Log Files

Our system automatically collects and stores information in so-called log files as soon as you access our website. This includes:

Browser type and version
Operating system
IP address
Internet service provider
Date and time

The aforementioned data cannot be directly assigned to a specific person. The data collected and stored in this manner is not merged with other personal data but remains in our system. The legal basis for collecting and storing this data in log files is the legitimate interests of our company.

The storage of log files serves exclusively to ensure the functionality of our services. Additionally, it helps optimize our services and ensures the security of our information technology systems. Log files are automatically deleted after each session.

The collection and storage of your data in log files is absolutely necessary for the operation of our website; therefore, there is no possibility to object to this processing.

6. Cookies / Tracking and Other Technologies Related to the Use of Our Website

We use cookies and similar technologies on our website. These are primarily small text files that your browser stores on your computer (in the corresponding browser folder or under program data). This allows your browser to be uniquely identified when you visit our website again. Cookies store and transmit display settings and login information. We use cookies to make our website user-friendly and secure. The legal basis for this is the legitimate interests of our company.

Since cookies are stored on your computer system, you have full control over their use. You can disable or restrict the transmission of cookies through your browser settings. You can also delete stored cookies at any time via your browser settings, which can also be automated. However, please note that disabling cookies may prevent you from using all the services on our website.

When you visit our website, a cookie banner appears, allowing you to confirm the use of cookies, such as those for Google Tag Manager. We point out that the use of these cookies requires your consent, which constitutes the legal basis for their use. You can provide your consent via the cookie banner.

7. Forms / Contact Forms

Our website contains forms and contact forms that allow you to get in touch with us and submit data. Among others, the following information you provide will be transmitted to us and stored: first and last name, phone number, address, email address, subject and message. Of course, we also receive any documents or materials that you choose to send us.

The information you submit is used solely to process your inquiry/message. By sending the request/message, you consent to the described data processing (legal basis: consent). You can revoke your consent at any time; however, any processing that has already taken place will not be affected by the revocation.

7a. Automated Email Sending via Gmail

We use the Gmail email service from Google as a technical delivery provider for automated confirmations or replies to submitted forms. The data entered in the form is transmitted via email and stored on Google’s servers as part of the communication process. This may also involve transfers to third countries such as the USA.

The processing is based on your consent in accordance with Art. 6 (1) lit. a GDPR, provided when submitting the form, or – in the case of contract-related communication – on Art. 6 (1) lit. b GDPR.

8. Google Tag Manager

We use Google Tag Manager on our website, a marketing product from Google. In Europe, the company responsible for Google Tag Manager is: Google Ireland Limited, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland. We use Google Tag Manager to integrate, manage, and use tracking tool code snippets. The use of Google Tag Manager requires your consent, which you provide by agreeing to the individual tracking tools via the cookie banner (see the explanations regarding the respective tracking tools).

Google Tag Manager does not set cookies itself. However, your data is collected by the individual tracking tools that we manage through Google Tag Manager. Google may also process your data in the United States.

The legal basis for data processing and data transfers to the United States is the so-called standard contractual clauses. Through these clauses, Google commits to complying with applicable European law and data protection standards, even when data is processed in a third country such as the United States.

For more information about Google Tag Manager, please refer to its Data Privacy policy: https://policies.google.com. General information about Google Tag Manager can be found at: https://support.google.com/tagmanager.

9. Advertising via Google AdMob (personalised advertising)

Our app «Magic Luna Voice» is financed through personalised advertising integrated via the Google AdMob service. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data processing may also be carried out by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When the app is launched for the first time, a consent banner is displayed that informs you about the processing of personal data for advertising purposes. By confirming your selection, you consent in accordance with Art. 6(1)(a) GDPR to the processing of personal data by Google and its advertising partners. If you do not wish to receive personalized advertising, you can disable it under “Manage options” by turning off all active settings; in this case, no personalized ads will be displayed.

Google processes in particular the following categories of data:

Device information (e.g., operating system, model)
Advertising ID (AAID/IDFA)
IP address
Approximate location (e.g., country/region)
Usage information (e.g., ad requests, impressions, clicks)

Transfer to third countries:

Processing of personal data in the United States is possible. The legal basis for this is the adequacy decision of the European Commission under Art. 45 GDPR (EU–US Data Privacy Framework) for certified US companies, as well as the EU Standard Contractual Clauses (SCCs) implemented by Google pursuant to Art. 46(2)(c) GDPR.

Further information can be found in Google’s privacy policy: https://policies.google.com/privacy

9a. Use of Firebase (Google Analytics for Firebase / Firebase Crashlytics) and connection with Google services

Our app «Magic Luna Voice» uses Firebase services provided by Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, Google Analytics for Firebase (usage statistics) and Firebase Crashlytics (error reporting and app stability) are used.

Firebase processes in particular the following categories of data:

Device information (e.g. operating system, model)
IP address
App instance ID
App events (e.g. session duration, crashes)

Connection with Google services:
Firebase data may be linked with other Google services, in particular AdMob and Google Ads, in order to display personalised advertising and measure its performance. The legal basis for this processing is your consent pursuant to Art. 6(1)(a) GDPR, obtained via the consent banner displayed when the app is first launched.

Statistics and stability:
The use of Analytics for Firebase and Crashlytics is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in ensuring the technical stability and functionality of the app.

Transfer to third countries:
Processing of personal data in the United States is possible. The legal basis is the adequacy decision of the European Commission under Art. 45 GDPR (EU-US Data Privacy Framework) for certified US companies, as well as the EU Standard Contractual Clauses (SCCs) implemented by Google pursuant to Art. 46(2)(c) GDPR.

Storage period:
Data collected through Firebase are stored only for as long as necessary for statistics, stability and functionality.

Further information is available in Google’s Privacy Policy: https://firebase.google.com/support/privacy

10. Use of Azure OpenAI for AI-based text generation

Our app «Magic Luna Voice» uses the AI service Azure OpenAI provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, to automatically generate content based on user inputs.

The content you enter is not stored or processed on our own servers. Your inputs are transmitted via a TLS-encrypted connection to the servers of Microsoft Azure OpenAI, where they are processed.

Processing takes place within the European Azure region “Sweden Central” in accordance with the Azure data residency policies. As a result, processing occurs exclusively within the European Union.

Technical note:

System and support data (e.g., billing, diagnostic, or error log data) may, in exceptional cases, be processed outside the EU, particularly in the United States. Such transfers are carried out on the basis of the EU Standard Contractual Clauses (SCCs) implemented by Microsoft pursuant to Art. 46 (2)(c) GDPR, together with additional technical and organizational safeguards. Microsoft does not use customer data from Azure OpenAI for training or fine-tuning of models.

Role of Microsoft:

Microsoft acts as a data processor in accordance with Art. 28 GDPR.

Legal basis for this processing is Art. 6 (1)(b) GDPR (performance of the user agreement for the provision of the app).

Further information:
Detailed information about Microsoft’s data processing can be found in the following documents:

Microsoft Privacy Statement: https://privacy.microsoft.com/privacy

Microsoft Data Protection Addendum: https://learn.microsoft.com/legal/gdpr

Microsoft Data, Privacy, and Security for Azure OpenAI Service: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy

11. Right to Information

As a data subject, you have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, you have the right to request access to the following information:

The purposes for which the personal data is being processed;
The categories of personal data that are being processed;
The recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries or international organizations;
The planned retention period for which your personal data will be stored, or, if this is not possible, the criteria used to determine this period;
The existence of a right to rectification or deletion of your personal data, or restriction of processing, or the right to object to such processing;
The existence of a right to lodge a complaint with a supervisory authority;
Any available information about the origin of the personal data, if it was not collected from you;
The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject.

Furthermore, you have the right to request information on whether personal data concerning you has been transferred to a third country or an international organization. In such cases, you have the right to be informed about the appropriate safeguards relating to the transfer.

12. Right to Rectification and Deletion

You have the right to request that we immediately rectify and/or complete inaccurate and/or incomplete personal data concerning you.

You also have the right to request that we immediately delete personal data concerning you, provided that one of the following reasons applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
You revoke your consent, and there is no other legal basis for the processing;
You object to the processing for reasons arising from your particular situation, and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes;
Your personal data has been processed unlawfully;
The deletion of your personal data is required for compliance with a legal obligation;
Your personal data was collected in relation to services offered by the information society pursuant to Article 8 (1) GDPR.

13. Right to Restriction of Processing

As a data subject, you have the right to request the restriction of processing if one of the following conditions applies:

The accuracy of the personal data is disputed. Restriction can be requested for the period necessary for us to verify the accuracy of the personal data;
The processing is unlawful, and instead of deletion, you request restriction;
We no longer require the personal data for processing purposes, but you need it to assert, exercise, or defend legal claims;
You object to the processing.

If the processing of your personal data is restricted, we may only process your data—with the exception of storage—with your consent or for the assertion, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of public interest.

If you have requested a restriction of processing in accordance with the conditions mentioned above, we will inform you before this restriction is lifted.

14. Obligation to Inform and Notify Third Parties

If we have made your personal data public and are obliged to delete it, we will take appropriate measures, including technical measures, considering the available technology and implementation costs, to inform those responsible for data processing and/or processors that you have requested the deletion of your personal data.

We will notify all recipients to whom your personal data has been disclosed about any corrections, deletions, or restrictions of processing, unless this proves to be impossible or involves a disproportionate effort.

15. Exceptions to the Right to Deletion

The right to erasure does not exist if processing is necessary for the exercise of the right to freedom of expression and information and/or for the establishment, exercise, and/or defense of legal claims.

16. Right to Data Portability

As the data subject, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit these data to another controller without hindrance from us, to whom the personal data have been provided, provided that the processing is based on consent or a contract and the processing is carried out by automated means.

Furthermore, you have the right to have the personal data concerning you transmitted directly from us to another controller, where technically feasible. The rights and freedoms of others must not be adversely affected by this.

17. Right to Object

As a data subject, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, if such processing is carried out under Article 6 (1) (e) or (f) of the GDPR. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms. An additional exception exists if the processing is necessary for the assertion, exercise, or defense of legal claims.

If we process your personal data for direct marketing purposes, you have the right to object to this processing at any time. If you object to such processing, we will no longer use your personal data for this purpose.

You also have the right to withdraw your consent at any time. Such a withdrawal does not affect the lawfulness of any processing that has already taken place prior to withdrawal.

18. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular at your place of residence (EU/CH), your workplace, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR or the Swiss Data Protection Act.

The competent authority for Switzerland is: Federal Data Protection and Information Commissioner, Feldeggweg 1, 3003 Bern.

The supervisory authority with which the complaint has been lodged informs the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy.

19. Official Language Version

The German version of this Data Privacy Policy is the original version. In the event of any discrepancies in another language version, only the German version is legally binding.

Notice of Changes:

We reserve the right to update this Privacy Policy in order to reflect changes in legal requirements or the introduction of new services. The most current version will be published on our website.

CRI Vision GmbH, October 2025 - Version 1.5