CONFIDENTIALITY POLICY APP

As of November 2, 2021

BF Coach GmbH & Ko. KG, Brinkstraße 25, 27245 Kirchdorf, Deutschland („BF Coach“, „we“, „us“ or „our“) informs the
user („you“ or „User“) how he or she, as a responsible party within the scope of the General Terms and Conditions for
Personal Data Protection („DSGVO“), handles personal data about the user in connection with the use of the Application.
Please note that different data protection policies apply to our other services (such as our website) or other
relationships established with users, suppliers or customers. In addition, this statement does not apply to third-party
websites that may be linked while using the Application.

I. Responsible person

BF Coach GmbH & Ko. KG

Brinkstraße 25,

27245 Kirchdorf

Deutschland

E-mail: hello@bf-coach.de

II. General information on data processing

1. Scope of personal data processing

We only collect and use personal information about our users to the extent necessary
to provide the functionality of the application as well as our content and services.

2. Legal grounds for personal data processing

The legal basis for the collection and processing of personal data, with the user’s consent, is Art. 6, par. 1 lit. a of
the Basic EC Regulation on Personal Data Protection (DSGVO). For the processing of personal data necessary to comply
with the terms and conditions of the Agreement to which the data subject is a party, the legal basis is provided by the
Article 6, paragraph 1 of Lt. 6 ch. 1 lit. b of the General Regulation on Personal Data Protection. This also applies to
the processing process necessary to perform the pre-contractual measures. To the extent that the processing of personal
data is necessary to fulfil a legal obligation to which our company is subject, while the legal basis is provided in
Art. 6 Part 1 lit. b of the General Regulation on Data Protection. Article 6, paragraph 1 lit. c of the General
Regulations on Personal Data Protection. If data processing is necessary to protect the legitimate interests of our
company or third parties and if the interests, fundamental rights or freedoms of the data subject do not outweigh the
previous interests, the legal basis for processing is Article 6, paragraph 1 lit. f of the General Regulations on
Personal Data Protection.

3. Deleting and continuing data storage

Personal data of the person concerned will be deleted or blocked as soon as the storage purpose is no longer valid.
Besides, data may be stored if required by European or national legislation in regulations, laws or other EU regulations
to which the responsible person is subject. Data will also be blocked or deleted after the expiration of the storage
period prescribed by the aforementioned standards, unless it is required to continue to store the data in order to
conclude or implement the terms and conditions hereunder.

Personal information is to be usually deleted 30 days after the user account is deleted. However, we will retain your
contact details and information about your preferences in our products or services for a longer period of time if BF
Coach can send you marketing material provided your consent. Contracts, communications and business letters containing
personal data may be subject to legal storage obligations, which often require a retention period of up to 10 years and
must be kept with us accordingly.

III. Processing of registration data

1. Amount of personal data being processed

We’re collecting registration data. In connection with the creation of your user
account in the application, we process the following data: e-mail address, password, gender, profile name and,
optionally, first and last name.

Besides, during the registration process you may provide us with certain information
stored on Google, Facebook or Apple. To do this, log in to one of the services within the application and confirm
access to the application, which will send us the following information from Google or Facebook or Apple once and
will then be used to register your account: name, surname (if you have provided it), email address, IP address used
for registration, gender, etc.

2. Purpose of personal data processing

Registration information is used to set up a personal user account and to access the
application as well as the features it contains. This also allows us to customize the application according to your
specific needs.

3. Legal basis for processing personal data

Processing of personal data is necessary to comply with the terms and conditions of the Agreement (Terms of Use) to
which you are a party or to carry out activities at your request before concluding the Agreement (Article 6, paragraph
1, lit. b of the General Regulations on Personal Data Protection).

Information on how Google or Facebook processes your data can be found on the following pages

links: https://policies.google.com/privacy?hl=de and https://www.facebook.com/policy.php

4. Deletion and continuation of data storage

Personal data of the interested party will be deleted at the end of the contractual relationship, provided that there is
no legal obligation to keep them.

IV. Processing workout data

1. Volume of personal data processed

We collect data on the conditions and purposes of training: date of birth, weight, height, training goals, diet (I eat
everything (except fish)/vegetarian (not eating fish)/vegetarian (eating fish)/vegan), information on existing equipment
for training with weights (weights, dumbbells, barbell bars, barbell disc), information about other existing simulators
(barbell bars, jump rope, exercise bench, rubber band, platform, stairs, rowing ergometer, treadmill, adjustable bar),
information about the training area (place for jumping, free wall, at least 5m2 surface), data on the duration and
frequency of workouts, as well as the days of rest per week, information about other sports activities, as well as their
duration and frequency per week, information for personal evaluation of the training performed.

2. Purpose of personal data processing

The application allows you to customize your training to suit different factors. We use this data to provide you with
workout and nutrition plans that are tailored to your training conditions, your performance, your needs and goals.

3. Legal basis for processing personal data

Processing of personal data is necessary to comply with the terms and conditions of the Agreement (Terms of Use) to
which you are a party or to carry out activities according to your requirements before concluding the Agreement (Article
6, paragraph 1 lit. b of the General Regulations on Personal Data Protection).

4. Deletion and continuation of data storage

Processing of personal data is necessary for implementation of conditions of the Agreement (the relation of use) by the
party.

V. Processing workout productivity data

1. Volume of personal data being processed

We collect information about your well-being, information about your body type, percentage of fat and level of physical
activity in everyday life, information on any tension in certain parts of the body, for women users: information about
the period (voluntary information).

2. Purpose of personal data processing

This data is used to better adjust the training plan to your needs and, where possible, include individual information
about your achievements (for example, if there is tension in any part of your body, we will offer you only a limited
number of exercises).

3. Legal basis for processing personal data

You have provided us with your consent to the processing of your personal data (Art. 6, Sub-Clause 1 lit. a of the
General Regulations on Data Protection, Art. 9, Sub-Clause 2 lit. a of the General Regulations on Data Protection). You
may revoke this consent at any time; revocation of consent does not affect the lawfulness of data processing before
revoking consent. If you do not provide your personal data, this may mean that you will not be able to use the
application or you will use a limited version. Unless stated otherwise, the withdrawal of your personal data does not
entail any legal consequences.

4. Deletion and continuation of data storage

The personal data of the person concerned will be deleted if the consent is withdrawn.

VI. Processing of data for e-mailing

1. Volume of personal data being processed

Within the framework of the account registration process, you can choose whether you want to receive our newsletter. In
this context, we will collect and process the following personal data: first name, last name, e-mail address and
decision to receive the newsletter (Yes/No).

2. Purpose of personal data processing

All the data will be used for e-mailing.

3. Legal basis for processing personal data

When processing personal data, we are guided by your consent (Art. 6, paragraph 1 lit. and the General Data Protection
Regulations). You may revoke the consent at any time. Withdrawal of consent does not affect the lawfulness of personal
data processing before withdrawing consent.

4. Deletion and continuation of data storage

The personal data of the party concerned will be deleted if the consent is withdrawn.

VII Tracking and analysis

1. Google Analytics for Firebase

We use the „Firebase“ tracking service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043
(„Google“). „Firebase“ uses tracking technologies that allow us to analyze your application usage, such as performance
monitoring, error logs and user behavior, including which screens were viewed and how often menus were opened. The
personal information we collect is unique to the identification and use of the device. The purpose of using „Firebase“
is to analyze the use of our application, to improve it on a regular basis and thus to utilize it more efficiently.We
can use the statistics to improve our offer and make it more interesting for you as a user. The use is based on your
consent, article 6, paragraph 1, lit. a, and the General Regulations on Data Protection. If you have given your consent,
you can withdraw it at any time. A revocation of consent does not affect the legality of the data processing prior to
revoking your consent. Using Firebase, information about the use of our application is collected and transmitted to
Google in Ireland or the United States and stored there. „Firebase“ may share these applications with other tools
provided by „Firebase“, such as failure reports, authentication, remote configuration or notifications. Google will use
this information to evaluate your use of our Application and provide us with additional services related to your use of
the Application. Google is subject to the EU-US SEC Privacy Policy at www.privacyshield.gov/participant to receive
personal data that is transferred to the USA. Users can opt out of certain „Firebase“ features by using the appropriate
settings on their mobile device, such as the advertising settings on their mobile device, or by following the
instructions of the Firebase Privacy Policy. For more information about Google Firebase and data protection, visit
www.google.com/policies/privacy/ and firebase.google.com.

2. Facebook App Events

We use „Facebook App Events“ developed by Facebook Inc (1601 S.). California Ave, Palo Alto, CA 94304, USA and Facebook
Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (collectively referred to as „Facebook“). This
allows us to track the scope of our advertising campaigns and the use of the Facebook SDK. Facebook only provides us
with statistical analysis of our application user behavior. We also do not control the information processed by Facebook
through App Events. All data collected remains anonymous to us, so we cannot make any conclusions about the identity of
the user. However, Facebook stores and processes data that allow it to connect to your account and allows Facebook to
use your data for promotional purposes. This enables Facebook and its partners to manage advertising messages within and
outside Facebook. The legal basis for processing is art. 6 h. 1 lit. f of the General Data Protection Regulations. In
the settings of our application, you may opt out of using „App Events“ for the specified purposes (opt-out). Facebook is
certified in accordance with the Personal Data Protection Agreement and thus guarantees compliance with the European
data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). For
more information, please see the Facebook Privacy Policy, https://de-de.facebook.com/policy.php. For more information on
the Facebook iOS SDK, please visit https://developers.facebook.com/docs/ios. For Android, you can find the information
here: https://developers.facebook.com/docs/android.

VIII. Personal data transfer to third parties

Some third party service providers may receive your personal data for processing by following appropriate instructions
(„Personal Data Processing Operator“) to the extent necessary for processing purposes as described above, such as IT /
web service providers, customer support providers, marketing service providers or other service providers who help us
maintain our relationship with you. However, we will continue to be responsible for the processing of your personal
data. The contractual data processors are contractually obliged to take appropriate technical and organisational
security measures to protect your personal data as well as to process it only in accordance with the following
instructions.

IX. Login via Facebook

You will be provided with the opportunity to login by using your Facebook account (Facebook Inc.), (1601 S.). California
Ave, Palo Alto, CA 94304, USA and Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
(collectively referred to as „Facebook“). https://www.facebook.com/business/m/one-sheeters/gdpr-developer-faqs You shall
be registered on Facebook. If you decide to log in with your Facebook account, you will be redirected directly to
Facebook as a first step. We do not receive any personal access data (username and password). Then you link your
Facebook profile to our App. When using Facebook login, the Facebook SDK collects the following data: application events
(this includes general application events such as installation, launching applications and other standard product
metrics logging, such as SDK downloads, SDK performance); some of these events, such as the installation or launch of
applications, are automatically logged), configuration data, error information, user ID (owned by Facebook users), user
actions to detect fraud and irregularities. The legal basis for data collection and storage is your consent according to
Art. 6 Para. 1 lit. a of the General Data Protection Regulations. If you wish to revoke your consent, you can do so in
the settings of Facebook. The use of data is governed by the data policy of Facebook, which can be found at
facebook.com/policy.php.

X. Data subject rights

If your personal data is processed, you act as a data subject within the framework of the General Regulation on Personal
Data Protection and have the following rights towards the responsible person:

1. Right to information

You can request confirmation of the processing of your personal data from the responsible person.

If such processing is being performed, you may request the following information from the responsible person:

(1) the purpose of processing personal data;

(2) the categories of data that are being processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be
communicated;

(4) the expected storage time of the personal data concerning you or, if it is not possible to specify the specific
data, the criteria for determining the storage time;

(5) the right to modify or delete your personal data, the right to process it, the right to restrict or refuse to
process the personal data;

(6) the right to appeal to the supervisory authority;

(7) any available information about the data source when personal data are not collected from the data subject;

(8) you have the right to receive information about whether your personal data is shared with third parties or
international organizations. You may therefore request information about the relevant safeguards in accordance with Art.
46 of the General Data Protection Regulations in connection with the transfer of your personal data.

2. Right to introduce modifications

You have the right to request the responsible party to modify and/or supplement any personal being processed data
concerning you, if they are incorrect or incomplete. The responsible party shall make changes without delay.

3. Right to data processing restriction

Under the following conditions, you may request a restriction on the processing of personal data concerning you:

(1) in case you challenge the correctness of personal data concerning you within a period of time that allows the
responsible person to check the correctness of personal data;

(2) the processing is illegal and you object to the deletion of personal data and instead require that the use of
personal data be restricted;

(3) the person in charge no longer needs the personal data for the purpose of processing, but you do need it to present,
exercise or defend legal claims; or

(4) if you have filed an objection to the processing of personal data in accordance with Art. 21, paragraph 1 of the
General Regulations on Data Protection, and it is not yet established whether the legitimate motives of the responsible
person outweigh your motives.

If the processing of personal data concerning you has been restricted, such data may be processed, with the exception of
storage, only provided your consent or for the purpose of making, carrying out or defending legal claims or protecting
the rights of another natural or legal person or on the basis of an important public interest of the EU or the Member
States.

If the request for data processing restriction has been limited in accordance with the above conditions, the person in
charge will inform you about it before the restriction is lifted.

4. Right to delete data

а) Data delition commitments

You may request the responsible person to delete the data concerning you without delay, and the responsible person is
obliged to delete your personal data without delay if the deletion request is caused by the following factors:

(1) Personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.

(2) You revoke your consent on which the processing of personal data was based in accordance with Art. 6, part. 1 lit. a
or Art. 9, para. 2 lit. a. of the General Data Protection Regulations and there are no other legal grounds for data
processing.

(3) You object to the processing of personal data in accordance with Art. 21 paragraph1 of the General Regulation on
Data Protection and there are no longer any legal grounds for the processing or you object to the processing in
accordance with Art. 21 paragraph 2 of the General Regulation on Data Protection. 2 of the General Data Protection
Regulations.

(4) Your personal data has been processed illegally.

(5) The deletion of personal data relating to you is necessary in order to fulfil a legal obligation under EU law or the
laws of the Member States to which the responsible person is subject.

(6) The personal data concerning you have been collected in connection with the information society services offered in
accordance with art. 8 part. 1 of the General Regulation on data protection.

b) Transfer of information to third parties

If the responsible person has made public personal data concerning you, and in accordance with Art. 17 p. 1 of the
General Regulation on personal data protection is obliged to delete them, the responsible person shall take measures,
including technical ones, taking into account the available technologies and the costs of their implementation, in order
to inform the persons responsible for personal data processing that you, as the data subject, have asked them to delete
all references to these personal data, copies or replicas of these personal data.

c) Exceptions
The right to delete data is deemed to be ivalid in the event that data processing is necessary:

(1) for the exercise of the right to freedom of expression and information;

(2) to fulfil legal obligations requiring processing under EU or Member State legislation to which the responsible
person is subject, or to perform tasks in the public interest or in the exercise of official powers entrusted to the
responsible person;

(3) for reasons of public interest in public health in accordance with Article 9 p. 2 lit. h and i, as well as Article 9
part 3 of the General Regulations on Protection of Data;

(4) to sue, pursue or defend legal claims.

5. Right to be informed

If you have exercised your right to rectify, delete or restrict the processing of personal data, the responsible person
is obliged to notify all recipients to whom your personal data has been disclosed of the rectification, deletion or
restriction of the processing of personal data, unless this is impossible or requires disproportionate efforts.

In relation to the person responsible, you have the right to be informed about these recipients.

6. Right to data transfer

You have the right to receive the personal data concerning you that you have provided to the responsible person
in a structured, general and machine-readable format. You also have the right to transfer this data to another
responsible person without interference from the responsible person to whom this personal data has been transferred,
provided the following:

1) processing is based on consent pursuant to Art. 6, paragraph.1 lit. a of the General Regulation on Data Protection or
Art. 9, paragraph 2 lit. a of the General Regulation on Data Protection or on agreement pursuant to Art. 6, paragraph 1
lit. b of the General Regulation on Data Protection and

(2) processing is being performed using automated procedures.

In exercising this right, you also have the right to request that personal data concerning you be transferred directly
from one responsible person to another if this is technically feasible. This shall not affect the freedoms and rights of
others.

The right to transfer data does not extend to the processing of personal data necessary for the performance of a task,
in the public interest or in the exercise of official powers entrusted to the responsible person.

7. Right of objection

You have the right to object at any time, for reasons arising from your particular situation, to the processing
of your personal data, which is carried out in accordance with article 6, paragraph 1, lit. e or f of the Act on the
Protection of Intellectual Property Rights; this also applies to the creation of a user profile based on this provision.

The person in charge of the processing will no longer process personal data concerning you, unless he or she is able to
present valid reasons for the processing which are justified by reasons of protection and which outweigh your interests,
rights and freedoms or if the processing serves to present, exercise or defend legal claims.

If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to
the processing of your personal data for such marketing purposes, including the creation of a user profile, insofar as
such direct marketing is to be concerned.

If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be
processed for these purposes.

You are able to exercise your right to object to the use of information society services, contrary to Directives
2002/58/EC, through automated procedures using technical specifications. You can send us an e-mail.

8. The right to revoke the consent statement in accordance with the Data Protection Act

You have the right to withdraw your consent to data protection at any time. Withdrawal of your consent does not
affect the lawfulness of the processing which took place on the basis of your consent until it has been revoked.

9. Automated solution for each case, including the creation of a user profile

You have the right not to obey a decision based solely on automated processing, including the creation of a profile that
is legally valid for you or materially affects you in a similar way. This does not apply in cases where the decision:

(1) is required in order to conclude or execute the Agrement signed by you and the reponsible person

(2) is permitted under EU or Member State law to which the responsible person is subject, while that law contains
appropriate measures to protect your rights, freedoms and legitimate interests; or

(3) is made provided your explicit consent.

However, these decisions may not be based on special categories of personal data in accordance with Art. 9 p. 1 of the
General Regulations for the Protection of Personal Data, except in cases where the art. 9 p. 2 lit. a or g of the
General Regulation on Personal Data Protection and take appropriate measures to protect your rights, freedoms and lawful
interests.

In the cases referred to in paragraphs (1) and (3), the responsible person should take measures to protect your rights,
freedoms and legitimate interests, which should include at least the right to interference by the responsible person, to
express his or her opinion and to challenge the decision.

10. The right to appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedies, you have the right to file a complaint with
the supervisory authority, in particular in the Member State in which you reside, against your place of work or the
place where the alleged violation occurred, if you believe that the processing of personal data relating to you violates
the General Regulations on Personal Data Protection.

The supervisory authority to which the complaint was filed shall inform the applicant about the status and results of
the complaint consideration, including the possibility to apply to court in accordance with Article 78 of the General
Regulation on Personal Data Protection.