Privacy Policy

radio.net App

1. Preamble

With the following privacy policy, we would like to inform you about the nature, scope, and purpose of the collection and processing of your personal data when using the mobile radio.net App (hereinafter “App”) offered by radio GmbH, Mühlenkamp 59, 22303 Hamburg (hereinafter also “radio.net,” “we,” “us”) Protecting your personal data during its collection, processing, and storage in connection with your use of our App is an important concern for Radio.net.

2. Controller and Data Protection Officer

The controller responsible for the collection and processing of your personal data under the EU General Data Protection Regulation (Regulation (EU) ²⁰¹⁶⁄₆₇₉) (“GDPR”) is: radio.de GmbH Mühlenkamp 59 22303 Hamburg Deutschland Telefon: + 49 40 - 570 065 150 E-Mail: datenschutz@radio.de If you have any questions regarding data protection, you can contact the Data Protection Officer by email at datenschutz@madsack.de or by mail at: MADSACK Mediengruppe Data Protection August-Madsack-Straße 1 30559 Hannover

3. Personal Data and its Processing

3.1 When Downloading the App

When downloading the App from the Apple App Store (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA), the Google Play Store (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), the Amazon App Store (Amazon Europe Core S.à.r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg), the Samsung Galaxy Store (Samsung Electronics (UK) Limited, Samsung House, 1000 Hillswood Drive, Chertsey, Surrey KT16 0PS), or the Huawei AppGallery (Huawei Technologies Co., Ltd., Huawei Base, Bantian, Longgang District, Shenzhen, China), your personal data necessary for the download, typically stored in your Apple, Google, Amazon, Samsung, or Huawei account, are transmitted to the respective provider. Radio.net has no influence over the scope of such data collection. Further information is available in the respective provider’s privacy policies.

3.2 When opening the app

To enable optimal use of the App, Radio.net collects, processes, and stores data about your use of the App (“server log files”). Each access to our App is logged. These log files contain: IP address, date and time of access, operating system version, and App version. These data are used solely for anonymized statistical evaluation for the purpose of analyzing usage and improving our services. Our legitimate interest follows from Art. 6(1)(f) GDPR. The data cannot be linked to an identified individual and are not merged with other data sources.

3.3 When using the App

We reference third-party radio streams. To receive these stations’ programs, the respective providers process your IP address, date and time, and device operating system when you play a station. Their privacy practices are described in their respective privacy policies. We have no influence over the storage and further use of data by those providers. To offer you Services tailored to your location (e.g., displaying local stations) the collection of location data is required when you actively use the App. Location is determined based on IP address and, with your consent, via GPS. Processing of your IP address for approximate location occurs under Art. 6(1)(b) GDPR to provide requested services. At no point can conclusions be drawn about your specific location. GPS-based location data are processed only with your consent under Art. 6(1)(a) GDPR. This is initially done via a pop-up window that appears on the screen of your mobile device when you use the app. You can also grant or revoke permission to collect location data at any time in the device settings of your mobile device. However, radio.net hereby points out that it cannot be ruled out that some functions of the app may not be usable or may not be fully usable. When GPS data is collected, it is not possible to draw any conclusions about your specific location at any time, as the location data determined by GPS is technically shortened by radio.net. When location tracking via GPS is active, your mobile device will usually indicate this on the screen by displaying a specific symbol. This data is not merged with other data sources. Radio.net has no influence on the transfer of location data to third parties via iOS, Android, Amazon, Samsung, or Huawei.

3.4 Help center and contacting radio.de

If you require assistance, using our app, you can use our Help Center by clicking on the “FAQ” link in the app settings, where you will find a list of frequently asked questions and relevant help topics. These FAQs are hosted on servers of Zendesk Inc. (see section 5.3). In addition, you may request direct assistance through the “Submit a request” button in the Help Center. For this purpose, we also use the customer service platform provided by Zendesk Inc. You may also contact us by email, postal mail, or telephone. In doing so, we collect, process, and store your contact details and the content of your inquiry pursuant to Art. 6(1) lit. a GDPR, based on your consent, or pursuant to Art. 6(1) lit. b GDPR if your inquiry relates to (pre-)contractual matters, or pursuant to Art. 6(1) lit. f GDPR where radio.net has a legitimate interest in doing so.

3.5 Storage Duration and Deletion

We process and store personal data only for the period necessary to achieve the respective processing purpose, or for as long as required by statutory provisions, but at least for the duration of the applicable statutory limitation periods. If the purpose of storage ceases to apply, if you withdraw your consent, or if a legally prescribed retention period expires, the personal data will routinely be blocked or deleted after 30 days in accordance with statutory requirements.

3.6 Prime Subscription

If you use the App as a Prime Subscriber, we will, in addition to the data and processing activities described above, process an anonymized identification number (“ID”) assigned to you by the respective App Store, which is required for the provision of the Prime Subscription. The legal basis for this processing is Art. 6(1)(b) GDPR. We only use strictly necessary cookies or comparable technologies; that is, information is accessed or stored on your device only if this is strictly required for the service you have requested and we would otherwise be unable to provide that service (§ 25(2) TDDDG). The legal basis for the further processing of these technically necessary personal data in connection with the Prime subscription is Art. 6(1)(b) and/or Art. 6(1)(f) GDPR.

3.6.1 Subscription Purchase

Prime subscription purchases (“in-app purchases”) are concluded and processed directly by the App Store operator, who acts as an independent controller. Their terms and privacy policies apply.

3.6.2 Cross-Platform Use; User Account

To use the Prime subscription across platforms - i.e., not only within the App itself but also, for example, via our website - you are required to create a user account. A user account can only be created through our website. As part of the registration process, you provide your email address and a secure password of your choice. You may also optionally provide us with your first name. Registration is processed by our service provider “GRZ” (Gutenberg Rechenzentrum GmbH & Co. KG). Further information on data processing can be found in GRZ’s privacy policies. The legal basis for the data processing is Art. 6(1)(b) GDPR. You can revoke your consent to the processing of optionally provided data at any time with future effect. GRZ acts as our processor in this context of data processing. We have entered into a data processing agreement with GRZ in accordance with Article 28 GDPR. We store your registration details until you submit a request to delete your online account with us, unless statutory retention obligations require continued storage. To delete your account, simply send an email to datenschutz@radio.de. Further information can be found in our privacy policy for our website.

3.7 Use of the App with Advertising & Tracking

If you choose, by clicking the “Agree and continue” button, to use our Service without a paid subscription, we finance our offering through advertising. For this purpose, advertisers set cookies that enable tracking to deliver and optimize advertising based on your usage behavior and your presumed interests and needs. To provide this offering, we use cookies, device identifiers, and similar technologies on your end devices. To obtain your consent to the processing of data by means of cookies and other information and objects stored on your end device, we use a so-called Consent Management Platform (“CMP”) in order to meet the requirements of the GDPR and provide you, as a user, with the highest possible degree of transparency. In this regard, we participate in the Transparency & Consent Framework (“TCF”) of IAB Europe and adhere to its specifications and guidelines. The Interactive Advertising Bureau (IAB) is an international industry association of the online advertising sector. The storage of information on the end user’s device or access to information is carried out in accordance with § 25(1) TDDDG, Art. 6(1)(a) GDPR. The legal basis for the further processing is your consent under Art. 6(1)(a) GDPR. The legal basis for the transfer of data to the United States is Art. 49(1) lit. a GDPR. You may withdraw your consent at any time with effect for the future by clicking the “Revocation” link at the bottom of the page. Our cookie layer will then reappear, and you can again choose how you would like to use radio.de. Note regarding consent: Some of the services listed in the CMP transfer data to countries outside the European Economic Area (“EEA”), including in particular the United States of America (“USA”).

3.7.1 Third Countries

Some of our third-party providers are based in countries outside the European Union (“EU”) or the European Economic Area (“EEA”) (“Third Countries”), including the United States of America (“USA”). For certain companies in the USA, there is an adequacy decision of the European Commission pursuant to Art. 45 GDPR (“EU-U.S. Data Privacy Framework”, “DPF”). Where we cooperate with service providers certified under the DPF, data transfers take place on the basis of this adequacy decision. A current list of certified companies is available at https://www.dataprivacyframework.gov. For all other recipients in the USA and recipients in other third countries for which no adequacy decision exists, data transfers are carried out pursuant to Art. 46 GDPR on the basis of appropriate safeguards, in particular the European Commission’s standard contractual clauses (“SCCs”). In such cases, we implement additional technical and organizational measures to ensure an adequate level of protection for your data. Despite these measures, in certain third countries - including the USA, where no DPF certification exists - it cannot be ruled out that government authorities may access the transferred data on the basis of local laws and that data subjects’ rights may not be enforceable to the same extent as in the EU. We continuously assess these risks and adjust our safeguards accordingly.

3.7.2 Storage period

Your data collected for advertising purposes will be stored for as long as the advertising purpose continues or until we receive a revocation of your consent or your objection to the processing of your data for advertising purposes. You can obtain information about the duration of the storage of your data individually by contacting our data protection officer (see section 2).

4. Cookies and Similar Technologies

When you access and use the App, so-called Cookies and Similar Technologies are employed. The use of Cookies and Similar Technologies facilitates your use of our services and enables us to better understand your user behavior, allowing us to provide content and services tailored to your needs.

4.1. What are Cookies?

Cookies are small text files that are stored on your computer by your browser. Session cookies are used only for the duration of the respective session. They store information relating to your username, user permissions, session validity and, when the search function is used, the search terms entered. These cookies are deleted once the session ends, meaning when you close our App. Other cookies remain stored on your device for a longer period (up to twelve months) and enable us, our service providers and our advertising partners to recognise your browser upon your next visit (persistent cookies). In addition, similar technologies (in particular device identifiers, local storage objects and web beacons) are used on our App. For ease of reference, we refer to such technologies collectively as “Cookies” throughout this notice. The legal basis for the use of Cookies that are strictly necessary for the provision of the service you have requested - and without which we would be unable to provide that service - is § 25(2) TDDDG. Beyond that, we use cookies only on the basis of the consent you have previously provided (§ 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR). You may withdraw your consent at any time with effect for the future.

4.2 Similar Technologies

PPID (“Publisher Provided Identifier”) enables publishers to transmit an identifier to Google Ad Manager that is used for frequency capping, audience segmentation and audience-based targeting, sequential ad rotation, and other functions relating to the delivery of audience-tailored advertising across devices. Opt-out: As a user, you may prevent Google from collecting PPID by clicking the following link: Delete PPID. Tracking pixels are small, “invisible” graphics that are often used for statistical analyses in the context of online marketing. SDKs (software development kits) are software libraries and interfaces that enable the integration of various services and functionalities. Device identifiers allow for the unique identification of end-user devices. IDFA (Identifier for Advertisers) - also referred to as the Ad ID (iOS operating system) or the Advertising ID (Android operating system) - enables advertising partners to create user profiles and display personalized advertisements to users. Through click-through URLs containing tracking parameters, it can be recorded when a user clicks on a link or other element. In connection with the various Google Firebase services, additional device-related information - such as Instance IDs, UUIDs (Universally Unique Identifiers), IDFV (Identifier for Vendors, iOS), and the Android ID (Android) - may be relevant. The functionalities of these identifiers are described in more detail in section 5.2.1. You may disable or limit the transmission of IDFA and the Advertising ID as well as IDFV (iOS) or the Android ID (Android) through the settings on your mobile device. However, radio.net cannot rule out that certain content or features of the App may not be available or may not function properly if these identifiers are restricted. Further information regarding the technologies used by us and our third-party providers, the purposes for which they are used, and the categories of data processed can be found in section 5.

4.3 Transparency and Consent Framework

To provide you with the highest possible level of transparency and control over the processing of your data, we follow the Transparency and Consent Framework of IAB Europe (the “IAB Standard”), including its specifications and guidelines. The IAB Standard provides participating advertising partners with a common language to communicate users’ decisions regarding the delivery of relevant online advertising and content. A significant proportion of our advertising partners are vendors certified under the IAB Standard (an overview of participating advertising partners can be found here). You can obtain information about the Transparency and Consent Framework on the IAB Europe website at iabeurope.eu/. We have integrated a Consent Management Platform (the “CMP”) into our App that is aligned with the requirements of the IAB Standard and is offered by Sourcepoint Technologies, Inc. (for more information about Sourcepoint Technologies, Inc., see Section 5.2). Through the CMP, you receive information about the cookies and similar technologies used and can configure their use with respect to specific service providers. You can also grant and withdraw consent to the setting of cookies via the CMP. When you access our App and make settings through the CMP, a cookie is placed on your device in which your chosen settings are stored. The use of the CMP is based on Art. 6(1) lit. c GDPR, in order to obtain and document your consent for certain data processing operations, and on Art. 6(1) lit. f GDPR, based on our legitimate interest in providing you with a convenient way to control the processing of your personal data.

5. Processing of Personal Data by Third Parties

Personal data collected in connection with your use of our App are processed solely by radio.net and the third parties listed in our Privacy Manager. Radio.net does not disclose personal data to any other third parties. Personal data will only be disclosed to other third parties in the exceptional case in which radio.net is legally required to do so pursuant to an administrative or court order.

5.1 Amazon Web Services Inc.

Radio.net cooperates with the following external web hosting provider in order to process your data securely and efficiently. This constitutes a legitimate interest of radio.net within the meaning of Art. 6(1)(f) GDPR. The web hosting provider is Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA (“Amazon Web Services”). Amazon Web Services is certified under the ISO 27001, ISO 27017, and ISO 27018 standards, which address matters such as data security, data protection, and resilience. The data centers used by Amazon Web Services are located in Germany, within the AWS Region Frankfurt. The Amazon Web Services privacy notice can be found at: https://aws.amazon.com/de/privacy/

5.2 App Analysis Services

5.2.1 Google Firebase

The App uses various functionalities of Google Firebase (“Firebase”), a technology provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland (“Google”). Firebase enables us to perform various analyses regarding the installation and use of our App. We use Firebase Crashlytics and Firebase Crash Reporting, which helps us to identify and resolve App crashes. Stack traces are used to associate crashes with a specific version of the App, display them within the Firebase interface, and make them analyzable; they may also be used to send alerts (e.g., via email) to radio.net. Crashlytics installation UUIDs are processed to measure the number of users affected by a given crash. Minidump data - small memory snapshots containing crash information - are used to process crashes on Android devices. Minidump data are stored while a crash session is being processed and then discarded. The data listed above are stored by Firebase for 90 days. We also use Firebase Dynamic Links and Firebase Remote Config. Dynamic Links uses device specifications and IP addresses on iOS to open newly installed apps to a specific page or context. Dynamic Links stores device specifications and IP addresses only temporarily in order to provide the service. Firebase Remote Config allows radio.net to activate or deactivate certain content or functions within the App based on Firebase Installation IDs. Firebase stores these Installation IDs until we delete them; thereafter they are removed from live and backup systems within 180 days. Finally, we use Google Analytics for Firebase, which uses tracking data to generate analytics regarding App usage. For this purpose, Google Analytics uses Mobile Ad IDs, IDFVs (iOS), Android IDs (Android), Instance IDs, and Analytics App Instance IDs. Certain advertising-identifier-linked data (e.g., IDFVs, Android IDs) are stored by Google Analytics for 60 days; aggregated reporting is retained without automatic deletion. All other data referenced above may be stored for up to 14 months. The legal basis for the collection of personal data via Firebase Remote Config is Art. 6(1)(f) GDPR, as we have a legitimate interest in optimally presenting content and features to you and Firebase Remote Config is technically necessary for achieving this. All other processing of your personal data through Firebase takes place on the basis of your consent pursuant to Art. 6(1)(a) GDPR. You may provide or withdraw your consent at any time via our Consent Management Platform (CMP) Further details regarding the purpose and scope of data collection and processing by Google, as well as your rights and configuration options, may be found in the Firebase privacy documentation: https://firebase.google.com/terms/data-processing-term https://firebase.google.com/support/privacy/manage-iids https://firebase.google.com/support/privacy

5.2.2. InfoOnline

Radio.net uses the “Scalable Central Measurement System” (“SZM”), an analytics service provided by INFOnline GmbH, Brühler Str. 9, 53119 Bonn, Germany (“InfoOnline” and “SZM”), to determine statistical usage metrics for our App. Anonymous measurement values are collected; your identity remains protected at all times, and no advertising is displayed through the system. The purpose of reach measurement is to determine usage intensity and the number of users of an app. These anonymized statistics help us improve our services and make them more engaging for users. SZM uses an SDK (see section 4) to recognize end-user devices and generate various cookie-based measurement data. IP addresses are not stored and are processed only in anonymized form. Individual users are never identified. Further information about SZM can be found at: https://www.infonline.de/datenschutz The use of SZM is based on your consent under Art. 6(1)(a) GDPR, which you can grant or withdraw at any time via our CMP. Our App also participates in the reach-measurement systems of AGOF, IVW, and agma. These organizations publish statistical usage data at regular intervals. All measurements are anonymous

5.2.3 Adjust GmbH

The App uses various functionalities of Adjust, a technology provided by Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”). Adjust enables us to analyze the installation and use of our App. Adjust uses device specifications and IP addresses to open newly installed apps to a specific page or context. Device specifications and IP addresses are stored only temporarily. Adjust stores additional processed data - including Mobile Advertising IDs, IDFVs (iOS), Android IDs (Android), IDFA (iOS), Adjust Device ID (ADID), App Set ID, and Install Referrer - for 12 months before they are automatically deleted. Adjust also uses tracking data to create usage analytics. The legal basis for the collection of personal data by Adjust is Art. 6(1)(f) GDPR, as we have a legitimate interest in displaying content and functionality as effectively as possible, and Adjust is technically necessary for this purpose. We also use Adjust Third Party Sharing. Adjust shares Device IDs and App Tokens with third-party marketing partners to measure campaign performance. Possible recipients include AppleAds, Meta (Facebook), Google Ads, Google Marketing Platform, Snapchat, Tencent, TikTok, X (Twitter), Yahoo Gemini, and Yahoo Japan Search. Processing conducted under Adjust Third Party Sharing is based on your consent pursuant to Art. 6(1)(a) GDPR. You may grant or withdraw your consent at any time via our CMP. Details about data processing by Adjust can be found here: https://www.adjust.com/terms/general-terms-and-conditions/

5.2.4 Qonversion Inc

The App uses various functionalities of Qonversion, a technology of Qonversion Inc., 1160 Battery St East Suite 100, San Francisco, CA 94111, USA (“Qonversion”). Qonversion enables us to analyze subscription-related events within the App. Qonversion temporarily processes device specifications and IP addresses only for the provision of the service. Qonversion also processes Mobile Advertising IDs, IDFVs (iOS), Android IDs (Android), IDFA (iOS), and the Qonversion User ID. The legal basis for this processing is Art. 6(1)(f) GDPR, as we have a legitimate interest in analyzing subscription retention and conducting A/B testing for subscription pricing and sales page design. Further information is available at: https://qonversion.io/privacy-policy

5.3 Ticketing System and Help Center for Customer Inquiries

radio.net uses Zendesk, a customer service platform provided by Zendesk Inc., 1019 Market Street, San Francisco, CA 94103, USA (“Zendesk”; see also section 3.4). Zendesk is used for handling customer inquiries. Necessary data - including your contact details and the content of your inquiry - are collected via our App and processed to address your support ticket. The processed data may be stored on Zendesk servers located outside the EU, including in the U.S. or the Asia-Pacific region. Zendesk processes personal data solely in accordance with our instructions under a data processing agreement and on the basis of Standard Contractual Clauses pursuant to Art. 46(5)(2) GDPR. The legal basis for the use of Zendesk is Art. 6(1)(a) GDPR (where you have given your explicit consent) and Art. 6(1)(f) GDPR (where we have a legitimate interest in using a third-party service to streamline our operational processes). Further information on Zendesk’s privacy practices can be found at: https://www.zendesk.de/company/customers-partners/privacy-policy/ https://support.zendesk.com/hc/de/articles/360022366953

5.4 Consent Management Platform - Sourcepoint Technologies, Inc.

We use the Consent Management Platform (“CMP”) provided by Sourcepoint Technologies, Inc., 228 Park Avenue South, #87903, New York, NY 10003-1502, USA (“Sourcepoint”). When you first open the App and configure your preferences via the CMP, your choices are stored in NSUserDefaults (iOS) or Shared Preferences (Android). These configuration settings are transmitted to Sourcepoint servers located in France. Sourcepoint processes personal data solely in accordance with our instructions under a data processing agreement. If a transfer to a country outside the EU/EEA is required in individual cases, such transfers are carried out pursuant to the safeguards of Art. 45 et seq. GDPR, in particular through data transfer agreements incorporating the EU Standard Contractual Clauses. The use of Sourcepoint is based on Art. 6(1)(f) GDPR, as we have a legitimate interest in ensuring proper documentation of consent and using a suitable service provider for this purpose. Sourcepoint is a member of IAB Europe. Further information is available at: http://www.sourcepoint.com/privacy-policy https://documentation.sourcepoint.com/web-implementation/sourcepoint-gdpr-and-tcf-v2-support

5.5 Push-Messages

Airship

radio.net uses the push notification service provided by Airship Group, Inc., 1225 West Burnside, Suite 401, Portland, OR 97209, USA (“Airship”). Push notifications allow us to provide features and services tailored to your usage - for example: “Your favorite station misses you - tune in now!” You receive push notifications only if you have granted the necessary permissions in your device’s operating system settings. You may modify or withdraw these permissions at any time. Airship processes your IP address, device information (such as device ID and operating system), push notification token, and usage data. Processing by Airship is based on your consent pursuant to Art. 6(1)(a) GDPR, which may be granted or withdrawn at any time via our CMP. Further privacy information: https://www.airship.com/legal/privacy/

5.6 Advertising Marketing

We cooperate with various advertising marketers. Advertising marketers commercialize online advertising space within digital offerings - including within our App. In doing so, we comply with all applicable data protection requirements and, where necessary, have entered into data processing agreements. To the extent personal data are transferred to countries outside the EU or the EEA for advertising marketing purposes, such transfers are always carried out on the basis of appropriate safeguards pursuant to Art. 45 et seq. GDPR, in particular through data transfer agreements incorporating the Standard Contractual Clauses approved by the European Commission.

5.6.1 Google Ad Manager

radio.net uses Google Ad Manager, a tool provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland (“Google”), to commercialize advertising space. Google Ad Manager uses technologies to display advertising that is relevant to you. For this purpose, a pseudonymous identifier (ID) is assigned to your device via a cookie and/or a similar pseudonymous end-user identifier to determine which ads were displayed in your App and which ads were viewed. The use of the Ad Manager end-user identifier enables Google, its partners, and other third parties acting on Google’s behalf to deliver ads solely on the basis of previous visits to our App or other digital content. When an ad is requested, Google generally also collects the IP address of the App user, which is transmitted to advertising partners for the purpose of ad delivery. The use of Google Ad Manager is based on your consent pursuant to Art. 6(1)(a) GDPR, which you may grant or withdraw at any time via our Consent Management Platform (CMP). Further information about Google Ad Manager can be found at: https://support.google.com/admanager/answer/9035987 General information about Google’s privacy practices is available at: https://policies.google.com/privacy

5.6.2 Marketing Through IAB TCF v2.0-Verified Vendors

For digital advertising marketing of our services, we use vendors certified under the IAB Transparency & Consent Framework (TCF) v2.0 (for more information on the IAB Standard, see section 4). Our cooperation with these vendors is not continuous; some vendors only act through our contractual cooperation with the service providers listed in section 5.6.3. For this reason, the specific vendors engaged in our services may vary over time. A list of IAB-certified vendors with whom cooperation is currently possible can be found under the link provided in our App. There, you may also review the scope and legal basis of each vendor’s processing activities and configure your preferences regarding the processing of your data by these vendors.

5.6.3 Forms of Advertising Marketing

The advertising marketing conducted by us and/or within our App takes place in various forms. Below we explain the types of marketing used and the categories of recipients (“advertising partners”) that may process personal data in this context. The service providers listed in this section operate on the basis of specific agreements with us and exclusively on the basis of your consent under Art. 6(1)(a) GDPR, which you may grant or withdraw at any time via our Consent Management Platform (CMP). Most of these providers are certified under the IAB Standard. Please note that additional advertising partners within the IAB network may process your data (see section 5.6.2).

5.6.3.1 Direct campaigns

We occasionally conduct direct campaigns with various rotating advertisers or agencies for limited durations and specific targeting parameters. Such advertising partners act as independent controllers with respect to the data processing they perform. Possible technical implementations include: Redirects and VAST creatives: Using Google Ad Manager, we establish a technical connection between our advertising space and the advertiser’s ad server. A tracking pixel or click-through URL may also be directly integrated. Physical ad creatives (video spots or image files): Some files are stored directly within Google Ad Manager; in these cases, no personal data are transmitted to advertising partners. Tracking pixels: An “invisible” graphic is delivered simultaneously with the ad creative. The graphic is stored on an external server of the advertising partner, often operated by a third-party service provider. Click-through URLs with tracking parameters: If you click the advertisement, you may be directed through a tracking provider to the advertiser’s landing page. Tracking occurs only if you click on the ad creative. Categories of personal data that may be processed: Online identifiers (IP addresses, cookie IDs, device IDs) Transaction data (e.g., timestamp of an ad impression or ad click) Nature and scope of processing: Shortened IP addresses and cookie or device IDs are used to generate monthly reporting and to deliver ad creatives within our digital offering. rAdvertising partners of radio.net for reach-based advertising marketing: smartclip Europe GmbH – Privacy Notice: https://privacy-portal.smartclip.net/ SMARTSTREAM.TV GmbH – Privacy Notice: https://www.smartstream.tv/de/produktdatenschutz Goldbach Germany GmbH – Privacy Notice: https://goldbach.com/de/de/datenschutz/goldbach-germany Goldbach Austria GmbH – Privacy Notice: https://goldbach.com/at/de/datenschutz/datenschutz-goldbach-austria YOC AG – Privacy Notice: https://yoc.com/de/datenschutz/ SpotX – Privacy Notice: https://www.spotx.tv/privacy-policy/ Weischer.Media GmbH & Co. KG – Privacy Notice: https://weischer.media/de/de/datenschutzerklaerung/

5.6.3.3 Programmatic Advertising and Real Time Bidding

Through Google Ad Manager, we are connected to various advertising networks that bid on advertising inventory within our App. Some of these networks participate in Google ADX, a digital real-time marketplace, and place bids on our advertising inventory there; other networks may be separately enabled for this purpose. The selection and delivery of advertising is carried out subsequently via Google Ad Manager. The entire process occurs automatically both with respect to the distribution of advertising contact opportunities (“programmatic advertising”) and with respect to price determination between supply and demand (“real-time bidding”). Technical implementation Redirects and VAST creatives – Through Google Ad Manager, we establish a technical connection between our advertising inventory and the advertiser’s ad server. In this context, a tracking pixel and click-through URLs may also be directly integrated Categories of Personal Data That May Be Processed: Online identifiers (IP addresses, cookie IDs, device IDs) Usage and behavioral data (URL, keywords, user agent) Technical browser parameters (browser identifier, operating system, screen resolution, device classes, device manufacturer) Nature and Scope of Processing: Personal data are used to create usage profiles and to deliver and display advertising campaigns within our digital services. radio.net Partners for Programmatic Advertising and Real-Time Bidding Google ADX (Under this link you will find an overview of the advertising partners connected to Google ADX.) Privacy Notice: https://policies.google.com/privacy?hl=de Google Adsense Privacy Notice: https://policies.google.com/privacy?hl=de Index Exchange Privacy Notice: https://www.indexexchange.com/privacy/ Rubicon (Magnite / Rubicon Project) Privacy Notice: https://rubiconproject.com/rubicon-project-advertising-technology-privacy-policy/ Xandr (AppNexus) Privacy Notice: https://www.xandr.com/privacy/platform-privacy-policy/ Sovrn Privacy Notice: https://www.sovrn.com/privacy-policy/ Pubmatic Privacy Notice: https://pubmatic.com/legal/privacy/ RhythmOne Privacy Notice: https://www.rhythmone.com/privacy-policy/ Improve Digital Privacy Notice: https://www.improvedigital.com/platform-privacy-policy/ Media.net Privacy Notice: https://www.media.net/privacy-policy/ YOC AG Privacy Notice: https://yoc.com/de/datenschutz/ Smart (Smart AdServer) Privacy Notice: https://smartadserver.com/end-user-privacy-policy Ströer SSP GmbH Privacy Notice: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/crossmedia/stroeer-ssp/stroeer-ssp-datenschutz/

5.7 Additional Marketing Tools

Google Ads

radio.net uses Google Ads, a service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin D04 E5W5, Ireland (“Google Ads”), for the display of advertising. When you open our App, both radio.net and Google are able to recognize this. This allows radio.net to determine the total number of users who open the App. The measurement and statistical evaluation described above are carried out by Google Analytics for Firebase (see section 5.2.1). The use of Google Analytics for Firebase is based on your consent pursuant to Art. 6(1)(a) GDPR, which you may provide or withdraw at any time via our Consent Management Platform (CMP).

Maze

radio.net uses Maze for the conducting of surveys and user tests. Maze is a service provided by MAZE.DESIGN INC., 800 Menlo Ave, Suite 220, Menlo Park, CA 94025, USA. You may be offered the voluntary option to participate in a survey or user test while using the App. If you participate in a survey or user test, you will be redirected to Maze. Maze’s privacy notice can be found at: https://maze.co/privacy-policy

6. Your Rights Concerning the Protection of Your Personal Data

Pursuant to the GDPR, as well as the applicable provisions of Union law and national law, you are entitled - to the extent permitted by the respective legal provision - to the following rights. Unless otherwise indicated, you may assert these rights against radio.net, for example, by sending a message to datenschutz@radio.de or using the contact details provided above. radio.net will fulfill your rights if the legal requirements for doing so are met:

Right of Access

In accordance with Art. 15 GDPR, you may request confirmation from Radio.net as to whether personal data concerning you are being collected, processed, and stored by Radio.net. Where such collection, processing, and storage exist, you may request, inter alia, information regarding the purposes for which the personal data are collected and processed, and the planned duration of storage of the personal data relating to you.

Right to Rectification and Completion

If the personal data collected, processed, and stored relating to you are inaccurate or incomplete, you have the right under Art. 16 GDPR to request rectification and/or completion of your personal data.

Right to Restriction of Processing

You may request the restriction of processing of personal data concerning you. In accordance with Art. 18 GDPR, you may request such restriction under the conditions set forth therein.

Right to Erasure

Under Art. 17 GDPR, you may request that Radio.net erase the personal data relating to you without undue delay. Radio.net may be obligated to delete these data without undue delay where the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed, or where you withdraw the consent on which the collection, processing, and storage were based. The right to erasure does not apply, inter alia, where the processing is required for compliance with a legal obligation under Union or Member State law to which Radio.net is subject, or where the processing is necessary for the establishment, exercise, or defense of legal claims.

Right to Data Portability

Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us as the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to whom the personal data were provided.

Right to Object

Under Art. 21 GDPR, you have the right to object to the processing of personal data concerning you. In accordance with Art. 21(1) GDPR, you may object at any time, on grounds relating to your particular situation, to the processing of personal data that is carried out based on Art. 6(1)(f) GDPR.

Right to Withdraw Consent

If you have provided consent to the collection and processing of your personal data, you have the right to withdraw such consent at any time in accordance with Art. 7(3) GDPR. Any processing carried out prior to the withdrawal remains unaffected.

Right to Lodge a Complaint with a Supervisory Authority

Under Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority - in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement - if you believe that the collection and processing of personal data relating to you violates the GDPR.

7. Miscellaneous

In the course of the further development of the services offered and the implementation of new technologies, radio.net reserves the right to update this Privacy Policy at any time. We therefore kindly ask you to review the Privacy Policy available here on a regular basis. Status: November 2025