ANABOX-Code App - Privacy Notice

ANABOX-Code App Privacy Notice

I. Scope

With this document, the controller fulfils its information obligations towards data subjects pursuant to Article 13 of the General Data Protection Regulation (GDPR). This privacy notice applies to the mobile application "ANABOX-Code" (hereinafter the "App") and has been in effect since May 2026. As our App is further developed or where statutory or regulatory requirements change, it may become necessary to amend this privacy notice. The amended version will be made available to you here.

II. Who is responsible for the processing of personal data?

The controller within the meaning of Article 4 No. 7 GDPR is:

Ligari GmbH, Am Sonnenhang 19, 63225 Langen, Germany.
The full company information (Impressum) is available in the App under "More" / "Imprint".
You can submit data-protection-related requests to us at any time via the feedback form integrated in the App (see section IV.2.e).

III. Is there a data protection officer?

We have not appointed a data protection officer for our company.

IV. For what purposes do we process your data?

IV.1. Download / installation of the App

When you download the App from an app store and install it on your device, information is transmitted to the respective app store. The exact information transmitted (e.g. your app store user ID, email address, customer number etc.) is determined exclusively by the operator of the app store. For your information, we provide links to the privacy notices of the respective app stores below. We have no influence on the data collection by the app stores and are not responsible for it.

Apple

If you download our App from the App Store and install it on your device, the following applies:

Service provider: Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014, https://www.apple.com/
Privacy Policy of Apple: https://www.apple.com/legal/privacy/en-ww/
App Store privacy information: https://support.apple.com/en-us/HT210584
Transfer to third countries: see Apple's privacy policy: https://www.apple.com/legal/privacy/en-ww/

Google Play

If you download our App from the Google Play Store and install it on your device, the following applies:

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://play.google.com/store
Privacy Policy of Google: https://policies.google.com/privacy
Transfer to third countries: see Google's privacy policy

IV.2. Operation of the App

The following sections explain which features the App provides and which data are processed for these features.

IV.2.a. General

To set up and to operate the App, it is not necessary for you as a user to provide personal data such as your name, address or date of birth. Registration with us is neither required nor offered. The App can be used without providing any information about your person. The processing of personal data is therefore always voluntary and based on your consent within the meaning of Article 6(1)(a) GDPR. To the extent that you provide information about your medication or your intake, this constitutes health data within the meaning of Article 9(1) GDPR; in that case, processing is additionally based on your explicit consent in accordance with Article 9(2)(a) GDPR. You may withdraw your consent at any time without giving reasons, with effect for the future. You may also delete your entered data from the App at any time.

While using the App, you may enter the following data, information and personal data within the various features:

Configuration of your Anabox box (box type, activation of individual compartments, weekday and time of the respective reminders).
Designation and, where applicable, description of the medications you have entered.
Free-text notes on individual medications.
Optionally, a photo of the respective medication.
Allocation of medications to the individual compartments of your Anabox box together with the planned quantity.
Intake log (planned and actual time of intake as well as the quantity taken).

All of the data listed above – including the photos – are stored exclusively locally in a database on your device. No transmission of these data to a server operated by Ligari GmbH or to third parties takes place. Upon uninstallation of the App, these data are deleted from your device. There is no synchronisation of your data across multiple devices.

For the features described in section IV.2.e (feedback) and IV.2.f (telemetry), we engage the processor named in section IV.3, which is bound by an agreement pursuant to Article 28 GDPR to comply with data protection law.

Links:

The App contains links to other websites (in particular to the privacy notices of the app stores). Such links are marked as such. When a link is followed from within the App, the external link is opened in a new window in the browser. Please note that Ligari has no influence on whether the operator of the linked websites complies with applicable data protection law. Please therefore also review the privacy policy of the linked websites.

IV.2.b. Datamatrix scan to confirm intake

Optionally, you may confirm the intake of a medication by scanning a datamatrix code printed on the respective compartment of your Anabox box using the camera built into your device, where available. Access to your camera must be granted for this purpose.

Only the value encoded by the datamatrix code (a compartment number) is captured. No photos or images are stored, and no contents of the camera view are transmitted to us or to third parties. The comparison of the scanned compartment number with the expected compartment number is performed entirely locally on your device.

You can revoke the camera permission at any time in the settings of your device.

IV.2.c. Medication photos

Optionally, you may take a photo of a medication using the camera built into your device, where available, or pick an image from your photo library, in order to attach it to a medication entry. Access to your camera or photo library may be required for this purpose.

Please make sure that the photo only shows the medication and no other information, in particular no information relating to identifiable persons (e.g. names of persons, images of persons etc.). Medication photos are stored exclusively locally on your device in the App's database. The photos are not transmitted to a server operated by Ligari GmbH or to third parties.

You can revoke the camera and photo library permissions at any time in the settings of your device.

IV.2.d. Reminders / local notifications and alarms

Optionally, you can be reminded to take the medications you have entered. Access to the notification function of your device must be granted for this purpose. On Android devices, the additional permissions to schedule exact alarms ("Schedule Exact Alarm") and to exclude the App from battery optimisation ("Battery Optimization") may be required so that reminders are triggered on time. On iOS devices, the permission for "AlarmKit" may additionally be requested.

The reminders are scheduled and triggered entirely locally on your device. No data are transmitted to a server operated by Ligari GmbH or to push services operated by Apple or Google for this purpose.

You can revoke the relevant permissions at any time in the settings of your device. Reminders can also be deactivated within the App at any time.

IV.2.e. Feedback feature

Within the App, under "More" / "Feedback", you can access a web-based form which allows you to send us feedback about the App. The form is loaded into a WebView integrated into your device from our server (api.anabox-code.app). When the form is opened, the following technical information is transmitted to our server as URL parameters: the language of the App, the App version, the platform (iOS/Android) and the locale of your device. When the form is submitted, the content you have entered is additionally transmitted (e.g. your message and, where you provide it voluntarily, your email address).

The data actually requested are visible in the form itself. Mandatory fields are marked as such. Without these mandatory fields we cannot process your request. All other fields are voluntary. No person-related evaluation is performed beyond what is required to respond to your request.

Purpose of processing: responding to your request and improving the App on the basis of your feedback.
Legal bases: Article 6(1)(a) GDPR for your voluntary information; Article 6(1)(f) GDPR for responding to your request and for the use of our technical service providers.
Legitimate interests: processing is based on our overriding legitimate interest in the secure, timely and professional handling of your request as well as in the further development and debugging of the App.
Retention period: your data are deleted once your request has been finally processed. This is the case where, based on the circumstances, the matter has been finally clarified, and where no statutory retention obligations apply. Where there is no longer a legal basis for storage, the data are deleted.

The transmission is encrypted via HTTPS/TLS.

IV.2.f. Technical diagnostic data / telemetry

To ensure the stability and quality of our App, the App collects technical data within strictly defined limits and transmits them to our server (api.anabox-code.app). Transmission only takes place after you have explicitly accepted our terms of service and this privacy notice during the onboarding flow.

In particular, we transmit:

Installation event (once per installation): an installation ID generated randomly on your device (a UUID with no relation to your person, your device ID or advertising IDs), the App version, the platform (iOS/Android), the version of the operating system and the locale of your device.
Error reports (only for critical program errors): the same installation ID, the App version, the platform, the version of the operating system, the locale, as well as a technical error message (error type, error text and stack trace) and optionally a short technical context description.

We do not transmit: your name, your email address, your device ID/IMEI, advertising IDs (IDFA/AAID), location data, address book or contact data, or any contents of the App's database (e.g. medication names, photos, notes or intake logs). We also do not record how often the App is opened or which features are used.

We are not able to derive any personal reference from these data. As part of the HTTP transfer, our hosting provider typically processes your IP address briefly; we do not permanently link it to the data above. The transmission is encrypted via HTTPS/TLS.

Purpose of processing: ensuring the reliable operation of the App, detecting and fixing errors, and statistical assessment of the user base.
Legal basis: Article 6(1)(f) GDPR. Our legitimate interest lies in the technical stability, security and further development of the App.

IV.2.g. Cookies

The App itself does not use cookies. The WebView used to display the feedback form (see section IV.2.e) may use technically necessary cookies or comparable mechanisms, to the extent required to display the form. Apart from the technical data listed in section IV.2.f, we do not receive any further device data.

IV.3. Hosting and transfer to third countries (Cloudflare)

The backend API described in sections IV.2.e and IV.2.f (api.anabox-code.app) is operated by us on the infrastructure of Cloudflare, Inc. (Cloudflare Workers and Cloudflare D1). Cloudflare acts as our processor within the meaning of Article 28 GDPR.

Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, and its affiliated entities (in particular Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany).
Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/
Data processed: the data described in section IV.2.e (feedback content and accompanying technical data) and IV.2.f (installation event, error reports), as well as the IP address and standard connection metadata that are typically processed as part of the HTTP transfer.
Database location (Cloudflare D1): the data described in sections IV.2.e and IV.2.f are stored persistently in a Cloudflare D1 database which has been configured with the "EU" jurisdiction. Cloudflare therefore ensures that the stored data are held exclusively in data centres located within the European Union.
Transfer to third countries during processing: Cloudflare is a US-based company and additionally operates a global edge network on which Cloudflare Workers are executed. Processing of requests (in particular routing and execution of the Worker logic) as well as intra-group support by Cloudflare group entities may take place outside the European Union (in particular in the USA). Such transfers take place on the basis of the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR and on the basis of the EU-US Data Privacy Framework, to the extent that Cloudflare or its US group entity is certified thereunder.
Transmission security: communication between the App and the backend API is exclusively transmitted over an HTTPS/TLS encrypted connection.

IV.4. Minimum age

The App is intended exclusively for persons who have reached the age of 18. Processing of personal data of persons under the age of 18 is not foreseen. If you become aware that a minor has transmitted personal data to us, please contact us via the feedback form within the App so that we can delete the relevant data.

V. What are my data protection rights?

1. As a data subject, you have the following rights:

Confirmation of processing: you have the right to obtain confirmation from us as to whether your personal data are being processed. The conditions are set out in Article 15 GDPR;
Access: you have the right to obtain access to your personal data processed by us. The conditions are set out in Article 15 GDPR;
Rectification: you have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. The conditions are set out in Article 16 GDPR;
Erasure: you have the right to obtain without undue delay the erasure of personal data concerning you. The conditions are set out in Article 17 GDPR;
Restriction of processing: you have the right to obtain restriction of processing of your personal data. The conditions are set out in Article 18 GDPR;
Data portability: you have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to have those data transmitted by us to another controller. The conditions are set out in Article 20 GDPR;
Withdrawal of consent: you have the right to withdraw your consent at any time where the processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR. Processing carried out prior to the withdrawal remains lawful. The withdrawal applies to the future only. The conditions are set out in Article 7(3) GDPR;
Complaint: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes applicable data protection law. The conditions are set out in Article 77 GDPR. You may contact the supervisory authority competent for the controller, or the supervisory authority in your country or federal state. A list of all supervisory authorities is available here: https://www.bfdi.bund.de

2. Right to object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on our overriding legitimate interest (Article 6(1)(e) or (f) GDPR), with effect for the future. Profiling within the meaning of Article 4 No. 4 GDPR does not take place. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

3. How to exercise your rights

You may exercise the rights listed above against us at any time via the feedback form integrated in the App (section IV.2.e). Because the telemetry data described in section IV.2.f are stored solely under an installation ID (UUID) generated randomly on your device and we cannot identify you from these data alone, we are, pursuant to Article 11(2) GDPR, not obliged to obtain additional information for the sole purpose of identifying you; access and erasure of these data can therefore only be carried out where you provide us with additional identifying information (in particular the installation ID).

You may also effectively withdraw your consent to the processing of telemetry data at any time by uninstalling the App from your device; from that point onwards, no further telemetry data will be transmitted to us. Previously transmitted data are automatically deleted within the retention period set out in section VI (a maximum of 24 months).

VI. How long are my data stored? Deletion of data

Unless otherwise specified above, the following criteria apply for determining the storage period:

Data entered in the App (box configuration, medications, notes, photos, intake log) remain stored on your device for as long as you have the App installed on your device or until you delete those data within the App. If you uninstall the App from your device, all data entered there will be deleted. We do not back up these data on a server operated by Ligari GmbH.
The telemetry data described in section IV.2.f (installation event and error reports) are stored for as long as is required for the assessment of stability issues and the statistical assessment of the user base, but for no longer than 24 months. After that period, the data are deleted or further processed exclusively in aggregated form.
Data transmitted as part of a feedback request (section IV.2.e) are deleted once the request has been finally processed and where no statutory retention obligations apply.

Otherwise, personal data are stored only for as long as a legal basis for storage exists.

VII. Source of personal data

We exclusively process personal data which we have received directly from you. We do not receive personal data from app stores. The app stores only inform us of the number of downloads of the App.

VIII. No obligation to provide data

The use of the App does not require you to provide us with any personal data. Should this be required in an individual case, we will inform you accordingly.

IX. Changes to this privacy notice

As data protection law evolves and as a result of technical or organisational changes, our privacy notice is reviewed regularly for adjustment or amendment requirements. You will be informed of changes to this privacy notice.

This privacy notice has the status: May 2026.