PRIVACY POLICY

Last updated: November 2025

Welcome to OneCEO!

OneCEO is owned and operated by OneCEO LLC.

OneCEO values your privacy and the protection of your personal data. This privacy policy describes what information we collect from you, how we collect it, how we use it, how we obtain your consent, how long we keep it in our databases and, if necessary, with whom we share it.

By downloading, installing, and using the OneCEO mobile application, you agree to the practices described in this privacy policy. Use of the platform is also subject to our terms and conditions. In this privacy policy, the words “platform” and “application” refers to the OneCEO mobile application and the OneCEO website together, "we", "us", "our", and "OneCEO", refers to OneCEO LLC, and "you", and "user", refers to you, the user of OneCEO.

This privacy policy may change from time to time. Your continued use of the platform after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. This privacy policy has been developed and is maintained in accordance with all applicable national and international privacy and data protection laws and regulations.

1. GENERAL INFORMATION

The personal data of the users that are collected and processed through the platform:

• OneCEO mobile application (Available on Google Play and App Store).

• OneCEO website (https://oneceo.app)

Will be under responsibility and in charge of:

• OneCEO LLC.

• Email: support@oneceo.com

2. HOW WE OBTAIN YOUR CONSENT

By using the OneCEO mobile application, the user gives their express and informed consent to the processing of their personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG/DSGVO). This consent constitutes the legal basis for the processing of data in accordance with Article 6(1)(a) of the GDPR, without prejudice to other legal bases applicable to the fulfillment of contractual or legal obligations. Consent is given freely, specifically, informed, and unequivocally, and may be withdrawn at any time through the mechanisms provided in the application or by contacting us through the means indicated in this privacy policy.

The user grants their consent to the processing of their personal data when performing any of the following activities, among others:

• Visiting, accessing, or browsing the OneCEO website or mobile application.

• Downloading, installing, and using the mobile application on Android or iOS devices.

• Registering or logging into the application, either by email or through third-party accounts such as Google or Apple.

• Completing or modifying your user profile within the application.

• Using the main features of the application, including habit tracking, goal setting, and virtual headquarters management.

• Creating journal entries, writing texts, or uploading photos or any other multimedia content.

• Purchasing a monthly or annual subscription, managed through the RevenueCat payment processor.

• View and manage personal statistics in the administration panel (e.g., email address, number of habits completed, CEO coins accumulated, or number of journal entries).

• Communicate with us through contact forms, email addresses, or other available means of communication.

• Participate in surveys, beta tests, or any other activity related to improving the service.

The purpose of processing personal data derived from the above activities is to operate and improve the OneCEO application, provide the requested service, manage subscriptions, personalize the user experience, and comply with contractual and legal obligations. At any time, the user has the right to access, rectify, delete, and object to the processing of their data, as well as to withdraw their consent, in accordance with Articles 7 and 15 to 21 of the GDPR.

3. TYPES OF DATA COLLECTED

OneCEO collects and processes different types of personal data provided directly by the user or generated automatically during use of the mobile application or website. Data is collected when the user interacts with the main features of the application, including registration, habit management, journal entry creation, subscription to paid plans, and communication with the support team.

3.1. Personal data. This includes basic information necessary to identify the user or enable the provision of the offered services, such as name, email address, and, in some cases, phone number. This data is provided directly by the user when registering or communicating with us.

3.2. Registration and login data. This is collected when the user creates or accesses their account, either via email and password or through their Google or Apple account. This may include unique identifiers from the authentication provider, session tokens, metadata associated with the account, and any other information necessary to enable secure access to the app.

3.3. Payment and billing data. When you purchase a monthly or annual subscription, payment information is securely processed by third parties, such as RevenueCat and payment providers integrated into app stores (Google Play and App Store). OneCEO does not directly store credit card or payment method data, but may receive limited billing or transaction status information, such as subscription identifiers, purchase date, and renewal status.

3.4. Usage and activity data. During use of the application, data related to user behavior is collected, such as login frequency, habits created and completed, number of CEO coins earned, virtual headquarters progress level, session duration, activity statistics, and general usage metrics. This data allows us to improve the functionality and performance of the application.

3.5. User content. Users can create content within the application, including journal entries, texts, personal reflections, and photographs. This content is stored on Supabase servers and is linked exclusively to the user's account. OneCEO does not access the content of the journal or uploaded images, except in cases strictly necessary to ensure technical integrity or compliance with the law.

3.6. Contact and communication data. If the user communicates with OneCEO via contact forms, email, or any other channel, the data necessary to respond to the request is collected, such as name, email address, and message content.

3.7. Technical and device data. During use of the application or website, automatic technical information is collected, such as IP address, device type and version, operating system, system language, mobile advertising identifiers, time zone, server logs, and other technical data necessary for the operation, security, and optimization of the service.

3.8. Data derived from cookies or similar technologies. Cookies or equivalent technologies may be used on the website and within the application to store user preferences, maintain active sessions, and collect aggregate analytical data (see our cookie policy).

3.9. Statistical and aggregated data. OneCEO may collect and process aggregated or anonymized data for statistical, analytical, or service improvement purposes. This data does not allow the user to be personally identified.

4. HOW LONG WE KEEP YOUR DATA

OneCEO retains users' personal data only for as long as necessary to fulfill the purposes for which it was collected, as well as to meet contractual, legal, tax, or security obligations. Retention periods may vary depending on the nature of the data and the purpose of its processing, ensuring at all times the principle of minimization and limitation of storage.

4.1. Personal and account data. Data associated with user registration, such as name, email address, and login credentials, is retained for as long as the account remains active. If the user decides to delete their account, the data will be deleted or anonymized within a reasonable period of time, unless its retention is necessary for compliance with legal obligations or the resolution of disputes.

4.2. Registration and login data. Authentication information, access tokens, and metadata related to login are retained only for as long as necessary to keep the session active and ensure system security. Subsequently, they are deleted or replaced with anonymous identifiers.

4.3. Payment and billing data. Information related to transactions and subscriptions, managed by external processors such as RevenueCat, is retained for the time required for accounting, administrative, and tax compliance purposes. Billing data may be retained for the applicable legal periods for auditing or financial documentation purposes.

4.4. Usage and activity data. Usage metrics, habit statistics, and user progress are stored while the account is active to enable continuity of the personalized experience. Once the account is deleted, such data may be retained in aggregate or anonymized form for statistical or analytical purposes.

4.5. User content. Journal entries, photographs, and other personal content are retained for as long as the user maintains an active account or until they decide to delete them manually. When an account is deleted, the content stored in Supabase will be permanently deleted, unless temporary copies need to be retained in backup systems for technical or security reasons.

4.6. Contact and communication data. Messages and emails sent by users are retained for as long as necessary to handle inquiries or complaints, and then for a limited period for follow-up or documentary evidence purposes before being permanently deleted.

4.7. Technical and device data. Server logs, IP addresses, technical identifiers, and other data related to system performance are retained for a limited period for maintenance, error diagnosis, fraud prevention, and service improvement purposes.

4.8. Data derived from cookies or similar technologies. Cookies and equivalent technologies are retained for the period set in the user's preferences or according to the lifecycle defined in the technical configuration of the website or application.

4.9. Statistical and aggregated data. Anonymized or aggregated data may be retained indefinitely, as it does not allow the user to be identified and is used exclusively for analysis, research, or service improvement purposes.

Once personal data is no longer necessary for the purposes indicated, OneCEO will apply secure deletion or anonymization procedures to ensure that the information cannot be reconstructed or misused.

5. PURPOSES OF DATA COLLECTION

OneCEO collects and uses users' personal data for specific, explicit, and legitimate purposes related to the technical operation of the application, the provision of contracted services, and the continuous improvement of the user experience. Each category of data serves a specific purpose, as detailed below:

5.1. Personal data. This data is used to identify the user, manage their account, offer personalized support and communication, and ensure the proper provision of OneCEO services. This data also allows us to keep users informed about service updates, changes in functionality, or notifications related to their account or subscription.

5.2. Registration and login data. This data is necessary to authenticate user access, protect account security, and maintain system integrity. It is used to manage active sessions, detect unauthorized access, enable password recovery, and ensure interoperability with third-party services such as Google or Apple.

5.3. Payment and billing data. This data is processed for the purpose of managing user subscriptions and transactions, confirming payments, issuing receipts, resolving billing issues, and ensuring service continuity. Information received from payment processors is used solely for administrative, accounting, and support purposes.

5.4. Usage and activity data. This data is used to analyze how users interact with the application, optimize performance, improve existing features, and develop new tools. This data allows us to understand user progress (completed habits, CEO coins earned, frequency of use, etc.) and offer a more personalized, motivating experience that is consistent with the user's personal goals.

5.5. User content. User-generated content (diary entries, photographs, and other personal materials) is collected and stored for the sole purpose of allowing it to be viewed, organized, and managed within the user's personal account. Such content remains private and accessible only to the account holder, except in exceptional circumstances where it is necessary for security or compliance with legal obligations.

5.6. Contact and communication data. This data is used to respond to inquiries, requests for technical assistance, suggestions, or complaints, as well as to provide customer support and resolve incidents. In addition, it may be used to send notifications or operational communications directly related to OneCEO services.

5.7. Technical and device data. This is collected to ensure the proper functioning and security of the application, prevent fraud, perform technical maintenance, diagnose errors, optimize performance, and ensure compatibility with different devices and operating systems.

5.8. Data derived from cookies or similar technologies. This allows us to remember user preferences, maintain active sessions, offer personalized features, and analyze usage patterns for statistical and service improvement purposes.

5.9. Statistical and aggregate data. Used for analytical and research purposes to improve the quality, stability, and performance of the application. Once anonymized, this data can be used to identify general trends and develop growth strategies without compromising the privacy of individual users.

5.10. Deletion or anonymization of information. OneCEO retains personal data only for as long as necessary to fulfill the purposes of processing, after which it applies secure deletion or anonymization procedures. Deletion is performed by secure overwriting, logical truncation, or automated purging of databases and backup copies, ensuring that the information cannot be reconstructed or recovered. In the event that certain data is retained for statistical or service improvement purposes, anonymization techniques are applied that remove any personal identifiers, replacing them with random codes and eliminating any possibility of re-identification. These processes are executed under internal control, properly documented, and periodically audited to ensure the integrity and confidentiality of the information managed by OneCEO.

6. HOW WE SHARE INFORMATION

The personal information of our customers and users is an important and fundamental part of our platform. Under no circumstances will we sell or share information with third parties that has not been previously authorized by the user or owner of the personal data. We share user information only and exclusively as described below.

6.1. Third-Party Service Providers. OneCEO uses external providers to ensure the technical operation and delivery of its service. These third parties may have limited access to certain personal data solely to perform their duties under strict confidentiality and security obligations. The application is hosted on Supabase, where user data and content are stored; subscriptions and payments are managed through RevenueCat, integrated with Google Play and the App Store. Analytical tools may also be used to improve performance and detect errors, without accessing personal content. All selected providers comply with high data protection standards and only process information in accordance with OneCEO's instructions.

6.2. Newsletter and email marketing: By providing us with your email address, you consent and agree that we may send you marketing content and newsletters, notifications and information related to our platform. Therefore, your email address may be shared with third party bulk email services for the sole and exclusive purpose of sending you relevant communications. If you wish to stop receiving communications from OneCEO, you can unsubscribe at any time by using the "unsubscribe" option available in the same emails or by sending your request through our contact information.

6.3. Business Transfers. In the event that OneCEO creates, merges with, or is acquired by another entity, your information will most likely be transferred. OneCEO will email you or place a prominent notice on our platform before your information becomes subject to another privacy policy.

6.4. Protection of OneCEO and others. We release personal information when we believe release is appropriate to comply with the law, enforce or apply our Terms and conditions and other agreements, or protect the rights, property, or safety of OneCEO, our users or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

6.5. With Your Consent. Other than as set out above, you will receive notice when personally identifiable information about you might go to third parties, and you will have an opportunity to choose not to share the information.

7. PROTECTING YOUR INFORMATION

We grant access to your personal information only to those outside persons or services that have a legitimate need to know it and in accordance with our privacy policy. We adhere to industry-recognized security standards to protect your personal information, both during transmission and in storage. However, it is important to note that no method of transmission over the Internet or electronic storage is foolproof and 100% secure. Therefore, while we at OneCEO strive to implement commercially viable data protection methods, we cannot ensure absolute security of your personal information. We undertake not to sell, distribute or transfer your personal data to unauthorized third parties, unless we have your explicit consent or are required by law to do so.

8. DATA BREACH NOTIFICATIONS

In the event of a security breach that compromises the confidentiality of our users' personal data, OneCEO undertakes to notify those affected in a timely manner. This notification will be made through the means of contact that have been provided by the user on our platform. We will take all reasonable measures to protect the information and remedy any situation that jeopardizes the security of your data.

9. INTERNATIONAL DATA TRANSFER

OneCEO may transfer users' personal data outside their country of origin due to the use of hosting, storage, and processing services provided by third parties operating servers located in different countries. These transfers are necessary to ensure the continuous operation of the platform and to provide an efficient user experience. Although OneCEO is headquartered in Germany, the technological infrastructure used may involve the storage or processing of data in jurisdictions with data protection laws that differ from those of the European Union or your country of origin.

OneCEO is committed to ensuring that all international transfers of personal data comply with applicable data protection regulations, including appropriate security measures to safeguard user information. This includes, but is not limited to, implementing standard contractual clauses, assessing the adequacy of data protection in the receiving country, and complying with applicable privacy standards on third party services.

By using OneCEO, users consent to the transfer, storage and processing of their data on servers located outside their country of residence, acknowledging that such transfers are necessary for the operation of the platform. OneCEO undertakes to take all reasonable steps to protect the integrity and security of personal data during such international transfers.

10. PRIVACY RIGHTS

In accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG/DSGVO), OneCEO users have the right to exercise control over their personal data and to request actions related to its processing. The recognized rights include:

• Right of access: the user may request confirmation as to whether their personal data is being processed and obtain a copy of it along with information about its origin, categories, purposes, and recipients.

• Right of rectification: the user may request the correction or updating of inaccurate or incomplete personal data.

• Right to erasure (“right to be forgotten”): users may request the deletion of their personal data when it is no longer necessary for the purposes of processing or when they withdraw their consent.

• Right to restriction of processing: users may request that their data be temporarily blocked while its accuracy is verified, an objection is analyzed, or a complaint is reviewed.

• Right to portability: users may request that their personal data be provided to them in a structured, commonly used, and machine-readable format, or that it be transferred directly to another data controller.

• Right to object: users may object at any time to the processing of their personal data on grounds relating to their particular situation, in particular when the processing is based on legitimate interests.

• Right to withdraw consent: The user may withdraw their consent to the processing of their data at any time, without affecting the lawfulness of the processing carried out previously.

• Right to lodge a complaint: The user has the right to lodge a complaint with a competent data protection supervisory authority, in particular the data protection authority of the relevant German federal state or the supervisory authority of their habitual residence within the European Economic Area.

To exercise any of these rights, users may send a written request via the contact details indicated in this privacy policy, clearly specifying the right they wish to exercise and providing the information necessary to verify their identity. OneCEO will respond to all requests within a maximum period of 30 calendar days from receipt, which may be extended in complex cases for an additional period of up to two months, notifying the user of the reason for the delay. Requests will be handled at no cost to the user, except in cases of manifestly unfounded or excessive requests, in which OneCEO may charge a reasonable fee or refuse to comply with them as permitted by applicable regulations.

11. CHILDREN’S ONLINE PRIVACY PROTECTION

We comply with the requirements of national and international data protection regulations regarding the protection of personal data of minors. We do not collect any information from children under the age of 13 (minimum age allowed to collect and process information without parental or legal guardian consent). If we become aware that a child under the age of 13 has provided us with personal information, we will take steps to delete such information.

12. THIRD PARTIES

Except as otherwise expressly included in this privacy policy, this document addresses only the use and disclosure of information that OneCEO collects from you. If you disclose your information to third parties, whether other users or third parties, different rules may apply to their use or disclosure of the information you disclose to them. OneCEO does not control the privacy policies of third parties, and you are subject to the privacy policies of those third parties where applicable. OneCEO is not responsible for the privacy or security practices of other websites, platforms or services, including those linked from our platform. Please review the privacy policies of any third-party websites, platforms or services you access through the OneCEO platform.

13. CHANGES TO PRIVACY POLICY

We reserve the right to change our privacy policy at any time. Changes will be promptly notified to our users through any electronic means and posted on the platform. Your continued use of our platform following such changes will signify your acceptance of the changes.

14. CONTACT INFORMATION

If you have questions or concerns about this privacy policy and the handling and security of your data, please contact us through our contact information below:

OneCEO LLC.

Email: (Insert contact email).