1. General This privacy policy informs you about the nature, scope, and purpose of processing personal data within the Quitty App and the associated website, as well as related websites, features, and content. Terms such as 'processing' or 'controller' follow the definitions in Article 4 of the GDPR and the corresponding provisions of the Swiss Data Protection Act (DSG). 2. Controller Quitty AG c/o Treforma AG Grabenstrasse 25 6340 Baar, Switzerland Management: Leutrim Sahitaj Email: kontakt@quitty.ch Phone: +41 XX XXX XX XX Commercial Register Number: CH-170.3.050.306-7 VAT Number: CHE-308.785.748 3. Types of Processed Data We process the following types of personal data: Personal Data: Names, addresses Contact Data: Email addresses, phone numbers Content Data: Text inputs, photographs, videos Usage Data: Visited pages on the website or app, interest in content, access times Meta/Communication Data: Device information, IP addresses Transaction Data: Purchase amount, purchase date, merchant information, product details (for expense analysis and receipt management) Contact Form Through the contact form, we collect the following information: First and last name (required) Email address (required) Phone number (optional)Message (required) Note: The data collected in the contact form is used exclusively for contact purposes and is not shared with third parties. Additionally, we use Google reCAPTCHA on the contact form to protect against spam and abuse.

4. Processing of Special Categories of Data (Article 9 (1) GDPR) In principle, we do not process special categories of personal data unless required by law. 5. Purpose of Processing Personal data is processed for the following purposes: Provision and optimization of the Quitty App and website, as well as its features and content Responding to contact inquiries and communication with users Security measures to prevent misuse Reach measurement and marketing Booking appointments and managing email campaigns Analysis of website usage via Google Analytics Hosting and operating the website through One.com and AWS Cloud Switzerland Use of social media platforms (LinkedIn, Instagram, Twitter, Medium) Integration of Google Maps and Cookiebot by Complianz Processing of transaction data: For managing digital receipts and transactions, including data on purchase amounts, purchase date, merchant information, and product details used for analyzing your expenses. Provision of personalized budgeting recommendations: Based on your spending patterns, we generate recommendations for optimizing your financial planning 6. Used Terminology 'Personal data' refers to any information relating to an identified or identifiable natural person. 7. Relevant Legal Grounds According to Article 13 of the GDPR and Article 4 of the Swiss DSG, we inform you about the legal grounds for our data processing: Consent of the user (Article 6 (1) (a) GDPR) Fulfillment of a contract (Article 6 (1) (b) GDPR) Legal obligations (Article 6 (1) (c) GDPR) Legitimate interest (Article 6 (1) (f) GDPR)

8. Security Measures In accordance with Article 32 of the GDPR and Article 7 of the Swiss DSG, we implement technical and organizational measures to ensure an adequate level of protection. This includes:AES-256 encryption for stored data SSL/TLS encryption for secure transmission Regular security checks and access restrictions Logging and monitoring access to personal data 9. Collaboration with Processors and Third Parties Data is only shared with third parties if permitted by law. We use standard contractual clauses (SCCs) to ensure an adequate level of data protection, even in third countries. 10. Transfers to Third Countries If data transfers occur to third countries (e.g., USA), this is done solely based on standard contractual clauses (SCCs) or other appropriate security measures. 11. Processing of Customer and Prospect Data The personal data of our customers and prospects is used to provide services and communicate with them. This also includes the data provided in the contact form. 12. Collaboration with Authorities and Institutions To fulfill our legal obligations, we may share data with authorities and institutions. This is done strictly in accordance with applicable data protection laws.

13. Use of Online Services and Platforms To market our services, we use online services and platforms in compliance with applicable data protection standards. 14. Data Storage and Deletion Personal data is only stored as long as necessary for the purposes of processing or required by legal retention periods. Transaction data, for example, is stored for [x years] and then anonymized or deleted. Contact data is deleted [e.g., 1 year after the last interaction], unless further legal retention obligations exist. 15. Anonymization and Pseudonymization To improve our service and comply with data protection regulations, we use anonymization and pseudonymization of usage data whenever possible. This means that your data is either fully anonymized or stored in such a way that identification of your person is only possible with additional information. 16. Consent and Objection Regarding Cookies and Tracking Methods Our website uses Google Analytics and similar technologies to analyze user behavior. Upon first visit, you can configure your cookie settings through our cookie banner and change your preferences at any time via the 'Cookie Settings' link on the website. You have the right to withdraw your consent for analysis and tracking at any time.

17. Right to Withdraw, Object & Complaint Procedure Users have the right to withdraw their consent to processing at any time, as well as the right to access, rectify, delete, and restrict their data. Complaints can be filed with the competent data protection authority. 18. Data Protection Officer Our data protection officer is: Leutrim Sahitaj Grabenstrasse 25 6340 Baar, Switzerland 19. Changes in the Handling of Personal Data & Procedures in Case of Data Breaches Changes to the processing of personal data will be regularly published on our website. In the event of a data breach, we will inform the affected individuals and the competent data protection authority according to legal requirements. 20. Cookies and Reach Measurement We use cookies and similar technologies to improve the user experience and analyze traffic on our website. Further details can be found in our cookie policy. 21. Google Maps We use Google Maps from Google LLC, USA. Privacy Policy: Google Privacy Policy, Opt-Out: Google Ads Settings.

22. Additional Services and Integrations Stripe API: We use the payment services of Stripe Inc., USA, to process payments securely. Privacy Policy: Stripe Privacy Policy. 23. Embedding of Third-Party Services and Content We use third-party content to provide additional features such as videos and fonts. 24. Social Media Our website uses plugins from social media platforms: Facebook (Facebook Inc., USA) Instagram (Instagram Inc., USA) LinkedIn (LinkedIn Corporation, USA) Twitter (Twitter Inc., USA) Medium (A Medium Corporation, USA) Note: The use of these platforms may result in data transfers to countries outside of Switzerland and the EU. A similar level of protection as within the EU and Switzerland may not be guaranteed. Therefore, the use of these plugins occurs only after active consent.

25. Automated Decision Making and Profiling In the context of analyzing your spending patterns and providing personalized budget recommendations, we use automated processing techniques. These analyses are based on the data you provide in the app and are intended to help you manage your finances better. You have the right to object to the use of your data for profiling purposes at any time. 26. Reference to Terms of Use The use of the Quitty App is subject, in addition to this privacy policy, to our terms of use. Please read these carefully, as they contain important information about your rights and obligations. 27. Right to Data Export and Portability You have the right to receive a copy of your data stored with us, including receipts and transaction data, in a structured, commonly used, and machine-readable format. If you wish to transfer your data to another financial or budgeting app, we will assist you in the portability of your data.

28. Protection of Minors Our app is not intended for use by individuals under 16 years of age. Personal data of minors is only processed with the explicit consent of the legal guardians, if required. 29. Notification of Data Breaches In the event of data breaches that could pose a high risk to your rights and freedoms, we will promptly inform you and implement measures to mitigate the damage. This includes promptly blocking the affected data and, if necessary, notifying the relevant data protection authority. 30. Changes to the Privacy Policy We reserve the right to occasionally update this privacy policy to comply with current legal requirements or changes to our services. The latest version of the privacy policy will be published on our website, so you are always informed about the current status of data processing. If significant changes are made that affect your consent or introduce new processing purposes, we will explicitly notify you and may request your consent again.

31. Contact & Questions For questions regarding the privacy policy, you can reach us at: Email: [kontakt@quitty.ch - please confirm] Phone: [+41 XX XXX XX XX - please confirm] 32. Useful Links · General Data Protection Regulation (GDPR) · Swiss Data Protection Act (DSG) Updated on: 12/01/2025