A. Preface

We, Knowron GmbH, Heinrich-Häberle-Str. 20, 82194 Gröbenzell, Germany, ("Knowron") and

J.M. Voith SE & Co. KG / VTA Division Turbo, Alexanderstr. 2, 89522 Heidenheim, Germany

("Voith") (hereinafter collectively: "the companies", "we" or "us") take the protection of your

personal data seriously and would like to inform you at this point about data protection in the

Voith Smart Assistant App (hereinafter "the App").

Within the scope of our responsibility under data protection law, additional obligations have been

imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation

(EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the

person affected by a processing operation (we also address you as data subject hereinafter with

"customer", "user", "you" or "data subject").

Insofar as we decide on the purposes and means of data processing, this includes above all the

obligation to inform you transparently about the nature, scope, purpose, duration, and legal basis

of the processing (cf. Art. 13 and Art. 14 DS-GVO). With this statement (hereinafter: "Privacy

Notice"), we inform you about the manner in which your personal data is processed by us.

To find the parts that are relevant to you, please refer to the following overview for the

breakdown of the privacy notices:

A. Preface ................................................................................................................................................ 1

B. Allgemeines ......................................................................................................................................... 2

I. Begriffsbestimmungen....................................................................................................................... 2

II. Änderung der Datenschutzhinweise ................................................................................................ 2

C. Informationen über die Verarbeitung Ihrer Daten ............................................................................... 3

I. Die Erhebung Sie betreffender personenbezogener Daten.............................................................. 3

II. Rechtsgrundlagen der Datenverarbeitung ....................................................................................... 3

III. Die beim Download erhobenen Daten ............................................................................................ 3

IV. Bei der Nutzung erhobenen Daten ................................................................................................. 4

V. Zeitraum der Datenspeicherung ...................................................................................................... 4

VI. Datensicherheit ............................................................................................................................... 5

VII. Keine automatisierte Entscheidungsfindung (einschließlich Profiling) .......................................... 5

VIII. Zweckänderung ............................................................................................................................ 5

D. Verantwortlichkeit für Ihre Daten und Kontakte .................................................................................. 5

I. Verantwortlicher und Kontaktdaten ................................................................................................... 5

II. Datenerhebung bei der Kontaktaufnahme ....................................................................................... 6

E. Datenverarbeitung durch Dritte ........................................................................................................... 6

I. Auftragsdatenverarbeitung ................................................................................................................ 6

II. Voraussetzungen der Weitergabe von personenbezogenen Daten an Drittländer ......................... 7

III. Gesetzliche Verpflichtung zur Übermittlung bestimmter Daten ...................................................... 7

F. Ihre Rechte .......................................................................................................................................... 7

I. Geltendmachung Ihrer Rechte .......................................................................................................... 7

II. Auskunftsrecht .................................................................................................................................. 8

III. Recht auf Widerspruch gegen die Datenverarbeitung und Widerruf der Einwilligung ................... 8

IV. Recht zur Berichtigung und Löschung ............................................................................................ 8

V. Recht auf Einschränkung der Verarbeitung..................................................................................... 8

VI. Recht auf Datenübertragbarkeit...................................................................................................... 9

VII. Recht auf Beschwerde bei der Aufsichtsbehörde ......................................................................... 9

B. General Remarks

I. Definitions

Following the example of Art. 4 of the GDPR, this privacy notice is based on the following

definitions:

• "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or

identifiable natural person ("data subject"). A person is identifiable if he or she can be

identified, directly or indirectly, in particular by reference to an identifier such as a name, an

identification number, an online identifier, location data or by means of information relating

to his or her physical, physiological, genetic, mental, economic, cultural or social identity

characteristics. The identifiability can also be given by means of a linkage of such

information or other additional knowledge. The origin, form or embodiment of the information

is irrelevant (photographs, video or audio recordings may also contain personal data).

• "Processing" (Art. 4 No. 2 GDPR) means any operation which involves the handling of

personal data, whether or not by automated (i.e. technology-based) means. This includes, in

particular, the collection (i.e. acquisition), recording, organization, arrangement, storage,

adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment, combination, restriction, erasure or

destruction of personal data, as well as the change of a purpose or intended use on which a

data processing was originally based."Verantwortlicher" (Art. 4 Nr. 7 DS-GVO) ist die

natürliche oder juristische Person, Behörde, Einrichtung oder andere Stelle, die allein oder

gemeinsam mit anderen über die Zwecke und Mittel der Verarbeitung von

personenbezogenen Daten entscheidet.

• "Third party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority,

agency or other body other than the data subject, the controller, the processor and the

persons who, under the direct responsibility of the controller or processor, are authorized to

process the personal data; this also includes other group-affiliated legal entities.

• "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, authority, institution or other

body that processes personal data on behalf of the controller, in particular in accordance

with the controller's instructions (e.g. IT service provider). In particular, a processor is not a

third party in the sense of data protection law.

• "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given specific,

informed and unambiguous indication of his or her wishes in the form of a statement or other

unambiguous affirmative act by which the data subject signifies his or her agreement to the

processing of personal data relating to him or her.

II. Amendment of the data Protection Notice

(1) In the context of the further development of data protection law as well as technological or

organizational changes, our data protection information is regularly reviewed to determine

whether it needs to be adapted or supplemented. You will be informed of any changes.

(2) This data protection notice is valid as of September 2021.

C. Information about the processing of your data

I. The collection of your personal data

(1) When you use our app, we collect personal data about you..

(2) Personal data is all data that relates to your person (see above under General). For example,

your name, location data, IP address and e-mail address are personal data, but your user

behavior also falls into this category.

II. Legal basis of data processing

(1) By law, in principle, any processing of personal data is prohibited and only permitted if the

data processing falls under one of the following justifications:

• Art. 6 (1) p. 1 lit. a GDPR ("consent"): If the data subject has voluntarily, in an informed

manner and unambiguously indicated by a statement or other unambiguous affirmative

action that he or she consents to the processing of personal data relating to him or her for

one or more specific purposes;

• Art. 6 para. 1 p. 1 lit. b GDPR: If the processing is necessary for the performance of a

contract to which the data subject is a party or for the implementation of pre-contractual

measures taken at the request of the data subject;

• Art. 6 para. 1 p. 1 lit. c GDPR: If the processing is necessary for compliance with a legal

obligation to which the controller is subject (e.g. a legal obligation to keep records);

• Art. 5 (1) p. 1 lit. d GDPR: If the processing is necessary to protect the vital interests of the

data subject or another natural person;

• Art. 6 (1) p. 1 lit. e of the GDPR: Where processing is necessary for the performance of a

task carried out in the public interest or in the exercise of official authority vested in the

controller, or

• Art. 6 (1) p. 1 lit. f GDPR ("Legitimate Interests"): If the processing is necessary to protect

the legitimate (in particular legal or economic) interests of the controller or a third party,

unless the conflicting interests or rights of the data subject override (in particular if the data

subject is a minor).

(2) For the processing operations carried out by us, we indicate below the applicable legal basis

in each case. A processing operation may also be based on several legal bases.

III. Data collected during download

(1) When downloading this app, certain personal data required for this purpose will be

transmitted to the corresponding app store (e.g. Apple App Store or Google Play).

(2) In particular, the email address, user name, customer number of the downloading account,

individual device identification number, payment information and the time of the download will be

transmitted to the App Store during the download.

(3) We have no influence on the collection and processing of this data, which is carried out

exclusively by the app store selected by you. Accordingly, we are not responsible for this

collection and processing; the responsibility for this lies solely with the operator of the respective

app store.

IV. Data collected during use

(1) We can inevitably only make the benefits of our app available to you if we collect certain

personal data about you that is necessary for the operation of the app.

(2) We only collect this data if it is necessary for the fulfillment of the contract between you and

us (Art. 6 para. 1 lit. b of the GDPR). Furthermore, we collect this data if it is necessary for the

functionality of the app and your interest in the protection of your personal data is not outweighed

(Art. 6 para. 1 lit. f GDPR).

(3) We collect and process the following data from you as a joint controller:

• Device information: Access data includes the IP address, random user ID, device type, the

date and time of the retrieval, time zone the amount of data transferred and the operating

system. This access data is processed in order to technically enable the operation of the

app. The legal basis is therefore Art. 6 para. 1 lit. b DSGVO.

• Visit statistics: We collect statistics about the usage of the app by means of an internal

analysis tool in order to continuously improve the app and to detect errors/bugs at an early

stage. In addition, the data is used to evaluate the errors in the accessed machines. For this

purpose, your user ID, IP address, accessed app page as well as entries on the respective

page are recorded. The legal basis for the processing of this data is Art. 6 para. 1 lit. f of the

GDPR.

• Information with your consent: We only process other information (e.g. GPS location data)

or photos if you allow us to do so. The legal basis for the collection of this data is therefore

Art. 6 para. 1 lit. a GDPR.

• Text-based user input: When you submit problems or feedback to us, only the data you

enter, such as machine model number and error description, as well as your random user ID

and IP address, will be transmitted. If you have consented to the collection of your GPS

location data, this data will also be transmitted. In the case of transmission of the problem or

feedback, this constitutes the necessary legitimate interest in the data processing. The legal

basis for the transmission of this data is Art. 6 para. 1 lit. f GDPR.

(4) In addition, Knowron collects and processes the following data from you as an independent

data controller. This data will not be passed on to Voith:

• Crash logs: If you are a test user of our app and download the app via Apple Testflight, so-

called crash logs are also transmitted to our servers in the event of an error in the app.

These crash logs include your user ID, device type, device-specific settings and app settings

as well as app properties, the date and time of the download, time zone, the amount of data

transferred and the operating system. This data is technically necessary for us to offer you

the functions of our mobile app and to ensure stability and security. The legal basis for the

processing of the data is therefore our legitimate interest according to Art. 6 para. 1 p.1 lit. f

of the German Data Protection Act (GDPR).

V. Data storage period

(1) (1) We delete or anonymize your personal data as soon as they are no longer required for the

purposes for which we collected or used them (see C. IV). As a rule, we store your personal data

for the duration of the usage or contractual relationship via the app. In principle, your data is only

stored on our servers in Germany, subject to any transfer that may take place in accordance with

the provisions in E. I, E. II, E. III. We store visitor statistics for 36 months.

(2) However, storage may take place beyond the specified time in the event of a (threatened)

legal dispute with you or other legal proceedings.

(3) Third parties engaged by us (see E. I) will store your data on their system for as long as it is

necessary in connection with the provision of the service for us in accordance with the respective

engagement.

(4) Legal requirements for the storage and deletion of personal data remain unaffected by the

above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions

expires, the personal data will be blocked or deleted unless further storage by us is necessary

and a legal basis for this exists.

VI. Data security

(1) We use appropriate technical and organizational security measures to protect your data

against accidental or intentional manipulation, partial or complete loss, destruction or against

unauthorized access by third parties, taking into account the state of the art, implementation

costs and the nature, scope, context and purpose of the processing, as well as the existing risks

of a data breach (including its probability and impact) for the data subject. Our security measures

are continuously improved in line with technological developments.

(2) We will be pleased to provide you with more detailed information on request. Please contact

Knowron (see D. I. (2))

VII. No automated decision making (including profiling)

We do not intend to use any personal data collected from you for any automated decision

making process (including profiling).

VIII. Change of purpose

(1) Processing of your personal data for purposes other than those described above will only be

carried out if permitted by law or if you have consented to the changed purpose of the data

processing.

(2) In the event of further processing for purposes other than those for which the data were

originally collected, we will inform you of these other purposes prior to further processing and

provide you with all other relevant information in this regard.

D. Responsibility for your data and contacts

I. Responsible person and contact details

(1) The entities jointly responsible for the processing of your personal data within the meaning of

Art. 4 No. 7 GDPR are

Knowron GmbH

Heinrich-Häberle-Str. 20,

82194 Gröbenzell

Deutschland

E-Mail: privacy@knowron.com

Tel: +49 152 04157723

and

J.M. Voith SE & Co. KG / VTA Division Turbo

Alexanderstr. 2

89522 Heidenheim

Deutschland

E-Mail: info@voith.com

Tel: +49 7321 37-0

(2) You can contact both Knowron and Voith for any questions regarding data protection. The

contacted company will inform the other company of your inquiry so that your inquiry can be

jointly processed and

(3) the Knowron company data protection officer is available to you at all times as a contact

person on the subject of data protection at our company. His contact details are:

Tim Westhoff

Heinrich-Häberle-Str 20

82194 Gröbenzell

privacy@knowron.com

(4) Contact this contact point in particular if you wish to assert the rights to which you are entitled,

as explained in Chapter F, vis-à-vis Knowron.

(5) If you have any further questions or comments regarding the collection and processing of

your personal data, please contact the aforementioned contacts.

II. Data collection when contacting us

(1) If you contact us by e-mail or via a contact form, then your e-mail address, your name and all

other personal data that you have provided in the course of contacting us will be stored by us so

that we can contact you to answer the question.

(2) We delete this data as soon as storage is no longer necessary. If there are legal retention

periods, the data remains stored, but we restrict the processing.

E. Data processing by third parties

I. Commissioned data processing

(1) It may happen that commissioned service providers are used for individual functions of our

app. As with any larger company, we also use external domestic and foreign service providers to

handle our business transactions (e.g., for the areas of IT, logistics, telecommunications, sales

and marketing). These service providers only act on our instructions and are contractually

obligated to comply with the data protection provisions as set out in Art. 28 GDPR.

(2) The following processors may have access to your personal data:

• Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, US

• Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043

• 2, Newark, Delaware-2035 Sunset Lake Road Suite BLLC, IPdata,

(3) The following categories of recipients, which are usually processors, may receive access to

your personal data:

• Service providers for the operation of our app and the processing of data stored or

transmitted by the systems (e.g. for data center services, IT security). The legal basis for the

transfer is then Art. 6 para. 1 p. 1 lit. b or lit. f GDPR, insofar as they are not order

processors;

• Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The

legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. c GDPR;

• - Persons employed to carry out our business operations (e.g. auditors, banks, insurance

companies, legal advisors, supervisory authorities, parties involved in company acquisitions

or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para.

1 p. 1 lit. b or lit. f GDPR.

• Partners who receive pseudonymized or also anonymized statistics about the use of the

app. The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. f GDPR.

(4) In addition, we will only disclose your personal data to third parties if you have given your

express consent to do so in accordance with Art. 6 (1) p. 1 lit. a DS-GVO.

II. Conditions for the transfer of personal data to third countries

(1) In the course of our business relationships, your personal data may be transferred or

disclosed to third party companies. These may also be located outside the European Economic

Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual

and business obligations and to maintain your business relationship with us. We will inform you

about the respective details of the transfer in the following relevant places.

(2) Some third countries are certified by the European Commission as having a level of data

protection comparable to the EEA standard by means of so-called adequacy decisions (a list of

these countries and a copy of the adequacy decisions can be obtained here:

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).

However, in other third countries to which personal data may be transferred, there may not be a

consistently high level of data protection due to a lack of legal provisions. If this is the case, we

ensure that data protection is adequately guaranteed. This is possible via binding company

regulations, standard contractual clauses of the European Commission for the protection of

personal data, certificates or recognized codes of conduct. Please contact Knowron (see D. I) if

you would like to receive more detailed information on this matter.

III. Legal obligation to transmit certain data

We may be subject to a specific legal or statutory obligation to provide the lawfully processed

personal data to third parties, in particular public bodies (Art. 6 (1) p. 1 lit. c GDPR).

F. Your Rights

I. Assertion of your rights

(1) You can assert your rights both against Knowron GmbH and Voith as jointly responsible

parties. If you assert one of your rights as a user against one of the two responsible parties, this

party shall inform the other party of this without delay.

(2) The responsible party contacted by you in each case will, for example, take over

communication with you, gather the necessary information, check the claim asserted and

implement it accordingly. The responsible parties are obliged to support each other in the

fulfillment of such claims. To this end, they shall keep each other informed on an ongoing basis

and intend to reach agreement on all essential steps. In doing so, you can assert rights against

both persons responsible. If measures become necessary in accordance with the asserted data

subject right (e.g., correction, deletion, restriction, notification of recipients, transfer and

surrender), the two responsible parties shall implement this on their own responsibility.

II. Right to information

(1) You have the right vis-à-vis us within the scope of Art. 15 GDPR to obtain information about

the personal data concerning you.

(2) This requires a request from you to be sent either by e-mail or by post to one of the

responsible persons (see D. I).

III. Right to object to data processing and revoke consent

(1) In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of

personal data concerning you. We will stop processing your personal data unless we can

demonstrate compelling legitimate grounds for the processing which override your interests,

rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending

legal claims.

(2) Pursuant to Article 7 (3) of the GDPR, you have the right to withdraw your consent - i.e. your

voluntary will, made clear in an informed and unambiguous manner by means of a declaration or

other unambiguous confirming action, that you agree to the processing of the personal data in

question for one or more specific purposes - given once (also before the GDPR applies, i.e.

before 25.5.2018) at any time vis-à-vis us, if you have given such consent. This has the

consequence that we may no longer continue the data processing based on this consent for the

future.

(3) n this regard, please contact one of the responsible persons (see D. I).

IV. Right to rectification and deletion

(1) (1) Insofar as personal data concerning you is incorrect, you have the right pursuant to Art. 16

GDPR to demand that we correct it without undue delay. With a request in this regard, please

contact the contact point indicated above (see D. I. (2)).

(2) Under the conditions set out in Article 17 of the GDPR, you have the right to request the

deletion of personal data concerning you. With a request in this regard, please contact one of the

data controllers (see D. I). In particular, you have the right to erasure if the data in question is no

longer necessary for the collection or processing purposes, if the data retention period (see C. V)

has expired, if there is an objection (see F. III), or if there is unlawful processing.

V. Right to restriction of processing

(1) In accordance with Art. 18 of the GDPR, you have the right to demand that we restrict the

processing of your personal data..

(2) With a request in this regard, please contact one of the responsible persons (see D. I).

(3) You have the right to restrict processing in particular if the accuracy of the personal data is

disputed between you and us; in this case, you have the right for a period of time required to

verify the accuracy. The same applies if the successful exercise of a right of objection (see F. III)

is still disputed between you and us. You are also entitled to this right in particular if you are

entitled to a right to erasure (see F. IV) and you request restricted processing instead of erasure..

VI. Right to data portability

(1) Pursuant to Art. 20 of the GDPR, you have the right to receive from us the personal data

concerning you that you have provided to us in a structured, common, machine-readable format

in accordance with applicable regulations.

(2) With a request in this regard, please contact one of the responsible persons (see D. I).

VII. Right to complain to the supervisory authority

(1) In accordance with Art. 77 GDPR, you have the right to complain about the collection and

processing of your personal data to the competent supervisory authority.

(2) The competent supervisory authority for Knowron GmbH is the Bavarian State Office for Data

Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, e-mail:

poststelle@lda.bayern.de.

The competent supervisory authority for Voith is the State Commissioner for Data Protection and

Freedom of Information Baden-Württemberg,Lautenschlagerstraße 20, 70173 Stuttgart, e-mail:

poststelle@lfdi.bwl.de.