Introduction

This Privacy Policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our range of services and on our websites, mobile applications, functions and contents connected with them as well as external online representations, e.g. Social Media Profiles (hereinafter collectively referred to as "Services"):

In the second section you will find information about your rights, the relevant legal standards and general information about our data processing.
The third section contains information on the individual processing operations. This section is divided into further areas, such as our key services, reach measurement or marketing.
The fourth and final sectiyon contains explanations and descriptions of the terms used in this Privacy Policy. This means that if you do not know the terms used (e.g. "personal data" or "cookie"), please refer to the last section. All terms used (e.g. "responsible" or "user") are to be understood gender-neutral.

Section I – Controller and Overview of Data Processing

Controller

social sweethearts GmbH

Landsberger Str. 155, Haus 4 / 3. Etage

D - 80687 Munich, Germany

E-Mail: team@socialsweethearts.de

Tel.: +49 (0)211 436 91166

Complete legal information:: http://www.socialsweethearts.de/en_US/imprint

The Controller is hereinafter also referred to as "we" or "us".

Data Protection Officer

Dr. Thomas Schwenke, E-Mail: DSB@extern.socialsweethearts.de.

Description of our services and objectives

social sweethearts offers online services for entertainment purposes, such as games, personality tests or quizzes.

Type of processed data:

Inventory Data (e.g., names, addresses).
Contact details (e.g., e-mail, phone numbers).
Content Data (e.g., text input, photographs, videos).
Contract Data (e.g., subject matter of the contract, duration).
Usage Data (e.g., interests, websites visited, usage behaviour, access times, log data).
Meta/communication Data (e.g., IP addresses).
Job candidate Data (e.g., names, contact details, qualifications, job application documents).

Processing of special categories of Data (Art. 9 (1) GDPR)

No special categories of Data are processed.

Categories of data subjects

Controllers / interested Parties / users of the Controller.
Controller's employees.
Suppliers of the Controller.

In the following, we will also summarise the data subjects as "users".

Purpose of Processing

Provision of our services, its contents and functions.
Erbringung vertraglicher Leistungen, Service und Kundenpflege.
Response to service, contact requests and other communication with users.
Marketing, advertising and market research.
Security measures.

Automated individual decision-making (Art. 22 GDPR):

We do not use exclusively automated individual decision-making.

As of: December 2019

Table of Contents

Introduction

Section I – Controller and Overview of Data Processing

Controller

Data Protection Officer

Description of our services and objectives

Type of processed data:

Processing of special categories of Data (Art. 9 (1) GDPR)

Categories of data subjects

Purpose of Processing

Automated individual decision-making (Art. 22 GDPR):

Section II - Rights of data subjects, legal basis for the processing and general information

Rights of Data Subjects

Right of Withdrawal

Right to Object

Cookies and Right to Object in Direct Marketing

Solely Automated individual decision-making

Erasure of data and archiving obligations

Changes and Updates to this Privacy Policy

Relevant Legal Basis for the Processing;

Security of Data Processing

Disclosure and Transmission of Data

Transfers to Third Countries

Section III - Processing operations

The Key Area of Data Processing

Contractual services

Single sign-on authentication with Facebook

Answering Inquiries and User Service

Administration, Financial Accounting, Office Organization, Archiving

Business and market research

Data protection information for Job Candidates

Application process

Campusjäger (Application process)

Workable (Application process)

Application Process - Talent Pool

BambooHR

Stack Overflow

Webserver and Security

Google Suite and Google Cloud

MongoDB Atlas

Percona

Raygun

Embedded content and functions

Google Services and Content

Playbuzz content distribution

Facebook Features and Content

WhatsApp features and content

Instagram Features and Contents

Pinterest features and content

Twitter features and content

video intelligence video player

External online profiles

Online Presences in Social Media

Organization and Marketing

200 Labs, Inc. (Chatfuel)

Harvest (Iridesco, LLC)

Teads content distribution

Newsletter Mailing and Performance Measurement

ManyChat

Communication via Mail, E-Mail, Fax or Telephone

Sweepstakes and Competitions

Web analytics, online marketing and technology partners

Facebook Pixels and Custom Audiences

Section IV - Definitions

Section II - Rights of data subjects, legal basis for the processing and general information

Rights of Data Subjects

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.

You have correspondingly. In accordance with Article 16 of the GDPR, the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.

You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

In accordance with Art. 77 GDPR, you also have the right to file a complaint with the a supervisory authority.

Right of Withdrawal

You have the right to withdraw consents granted pursuant to Art. 7 (3 GDPR with effect for the future.

Right to Object

You can object to the future processing of the data concerning you in accordance with Art. 21 GDPRat any time. The objection may be lodged in particular against processing for direct marketing purposes.

Cookies and Right to Object in Direct Marketing

We use temporary and permanent cookies, i.e. small files that are stored on the user's devices (for the explanation of the term and function, see last section of this Privacy Policy). In part, cookies serve security purposes or are required for the operation of our online services (e.g., for the appearance of the website) or to save the user's decision when confirming a cookie banner. In addition, we or our technology partners use cookies to measure the reach and for marketing purposes, about which the users will be informed in the scope of the Privacy Policy.

If users do not want cookies to be stored on their computer, they are advised to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online services.

An objection to the use of cookies used for online marketing purposes can be declared for many of the services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/, the EU site http://www.youronlinechoices.com/ or in general http://optout.aboutads.info.

Furthermore, the storage of cookies can be prevented by deactivating them in the browser settings. Please note that in this case not all functions of out online service can be used.

Solely Automated individual decision-making

In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based exclusively on automated processing - including profiling - which has legal effect concerning you or similarly significantly affects you.

We inform you that we do not use exclusively automated individual decision-making.

Erasure of data and archiving obligations

The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.

In accordance with statutory requirements, the records shall be kept for 6 years in particular in accordance with § 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with § 147 (1) German Financial Act (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).

Changes and Updates to this Privacy Policy

We ask you to keep yourself regularly informed about the contents of our Privacy Policy. We will adapt the Privacy Policy as soon as any changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Relevant Legal Basis for the Processing;

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) lit. b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) lit. f GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

The principles for commercial communications outside of business relations, in particular by post, telephone, fax and e-mail, are contained in § 7 of the German Unfair Competition Act (UWG).

Security of Data Processing

We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects' rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).

The security measures include in particular the encrypted transmission of data between your browser and our server.

Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.

Disclosure and Transmission of Data

If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1), lit. b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).

If we commission third parties with the processing of data on the basis of a so-called " Data Processing Agreement", this is done on the basis of Art. 28 GDPR.

If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of an Data Processing Agreement.

Transfers to Third Countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "Standard Contractual Clauses").

Section III - Processing operations

The following section provides an overview of our processing activities, which we have subdivided into other areas of operation. Please note that the areas of operation are for guidance only and that processing activities may overlap (e.g. the same data may be processed in several operations).

For reasons of clarity and comprehensibility, you will find the frequently repeated terms in Section IV of this data protection declaration.

The Key Area of Data Processing

In this section you will find information on our key services and operations, such as responding to enquiries and providing our contractual services as well as the associated ancillary tasks.

Contractual services

We process the data of our customers within the scope of our services in order to provide our contractual services. We receive the data either through user input or when users expressly consent to provide us with data via an interface to Facebook. Furthermore, data resulting from the use of our services are processed (so-called usage or metadata, such as functions and content used or information on user devices).

If we evaluate the interests or behaviour of users, this will lead to a needs-oriented design of our Online Services. For example, users are provided with content or functions that correspond to the content and functions previously used. For this purpose, we use data that we obtain about users in accordance with this Privacy Policy and analyse it with the aid of algorithmic functions. This can result in the formation of user profiles. This analysis is only for our purposes, the results will not be passed on to third parties.

Data processed: Inventory data (e.g. first name, profile picture, gender, app scope ID, language), Contact details (e.g. information provided by the user), Content data (e.g. texts, graphics, videos), Usage data (e.g. interest in functions, frequency of use), Metadata/device data (e.g. Ip address).
Special categories of personal data: In general, no special categories of data are processed unless they are submitted by the user.
Data subjects: Users of our Services.
Purpose of Processing: Provision of our Online Services, their contents and their functions.
Legal basis: Art. 6 (1) b GDPR (performance of contractual services), Art. 6 (1) f GDPR (Processing of the interests and behaviour of the users for the purpose of identifying content that is likely to be of interest to the users; security; marketing).
External disclosure and purpose: For hosting purposes please refer to the section hosting within this privacy policy; furthermore, we work together with various technological partners who, for example, display advertisements on the basis of user data. We make sure that the user's data is pseudonymised (e.g. no clear data such as names or e-mail addresses) and that users have simple rights of revocation at their disposal. We also conclude special data protection agreements with our partners, in which they commit themselves to the protection of user data.
Processing in third countries: The data are also processed outside the EU/EEA, whereby we explain this during the respective processing within the scope of this data protection declaration and communicate which guarantees serve as a basis for processing in third countries..
Deletion of data: User Data will only be stored for as long as necessary; When possible and feasible, users should be enabled to delete User Data by themselves; User Data will be also deleted when the contractual basis or/and authority of the contractual partners or APIs (e.g., Facebook’s) on the basis of which User Data was obtained has been removed, unless the retention of the respective data is explicitly permitted. User Data will be deleted when users delete or terminate their user account and/or request its termination; In this case, all user data must be deleted, unless the data is necessary to prove a later contractual relationship with the user on the basis of accountability (this includes the name of the user, his e-mail address, as well as the time of registration and termination and the IP addresses used by the user). Further, data may be excluded from deletion if necessary, e.g. to serve as proof in ongoing legal proceedings or if the retainment is imposed by statutory provisions or authorities. The storage of data after the end of the contract is based on legitimate interests in accordance with Art. 6 para. 1 letter f GDPR to comply with legal requirements and to protect entrepreneurial interests. In accordance with statutory provisions in Germany, the User Data may be kept for 10 years in accordance with Sections 147 (1) German Financial Act (AO) , Sections 257 (1) No. 1 and 4, (4) German Commercial Code (HGB) (when it is a part of books, records, management reports, accounting documents, trading books, documents relevant to taxation, etc.) and for 6 years in accordance with Sections 257 (1) No. 2 and 3, (4) HGB (when it is a part of commercial letters). Instead of deletion, user data can be anonymized, in particular aggregated to summarized values. However, this is only permitted if this does not contradict any other provisions, e.g. contractual provisions of partners or provisions for the use of APIs.The requirement to retain user data is checked annually. If the data are not deleted because they are necessary for other and legally permissible purposes, their processing must be restricted. This means that the data is excluded and not processed for other purposes.

Single sign-on authentication with Facebook

We use Facebook's single sign-on method, which allows users to register within our online service.

Data processed: Inventory data (name, e-mail address, password (only processed on Facebook and cannot be viewed by us), user ID, user handle);
External disclosure and purpose: Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, Europe: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Retention of data: Information stored with us is not automatically matched with the user account on Facebook; for example, if the user's e-mail address changes, users must manually change it in your user account with us. The link to our user account can be removed within Facebook's settings; if users wish to delete their data with us, they must cancel their registration with us.

Answering Inquiries and Communication via Freshdesk

We use Freshdesk Customer Support solutions for communication with our users.

Data processed: Inventory data, contact details, usage data, content data, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit.f GDPR.
Data subjects: Users, Employees
Purpose of processing: Answering users' contact requests and keeping track of ongoing communications and evaluating communications in order to improve their own performance and communication with users in the future.
Special security measures: DPA.
Opt-Out: Opt-Out for marketing communications contained in the email or via a request to support@freshworks.com. Opt-Out for third party cookies in the cookie policy: https://www.freshworks.com/list-of-cookies
Necessity / interest in processing: Providing contractual services, answering and maintaining communications with users.
External disclosure: San Francisco, USA, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066
Privacy Policy: https://www.freshworks.com/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnbQAAS&status=Active
Retention of data: User requests are stored by Freshdesk for as long as it is necessary to answer the request and follow-up questions, which usually means a period of 6 months after the end of communication. For the purpose of analyzing requests to improve our services or communication, we only process pseudonymous and if possible anonymous data. Furthermore, the statutory archiving obligations shall apply.

Answering Inquiries and User Service

We process the information in the inquiries, which we receive via our contact form and other means, e.g. via e-mail, in order to answer the inquiries. For these purposes, the inquiries may be stored in our Customer Relationship Management (CRM) system or in similar procedures that serve us to manage inquiries. For customer relationship management purposes (CRM) we use so-called CRM software. With the help of the software we can answer the inquiries more effectively and faster.

Data processed: Inventory data, contact data, contract data, payment data, usage data, metadata.
Data subjects: users, prospective users, business partners, website visitors.
Purpose of processing: Answering inquiries.
Legal basis: Art. 6 (1) b./f. GDPR.
Necessity / interest in processing: Necessary to answer queries, optimization, user-friendliness, business interests.
External disclosure and purpose: DUSOFFICE, owner Sebastian Schmidt Grafenberger Allee 277 -287 40237 Düsseldorf (call answering service).
Special security measures: Data Processing Agreement with DUSOFFICE.
Privacy Policy DUSOFFICE: https://www.telefonservice-dusoffice.de/dusoffice/datenschutz.html.
Retention of data: We delete the requests if they are no longer required. We review the requirement every two years; requests from users who have a user account are stored permanently and are linked to the user account details for deletion. In the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (6 years) and tax law (10 years) storage obligation).

Administration, Financial Accounting, Office Organization, Archiving

We process data within the framework of administrative tasks as well as the organization of our company, financial accounting and compliance with legal obligations, such as archiving.

Data processed: Data that we process in the course of our Online Services.
Special categories of personal data: none.
Legal basis: Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR.
Data subjects: users, prospective users, business partners, website visitors.
Purpose of processing: administration, financial accounting, office organization, archiving.
Necessity / interest in processing: The processing is necessary to maintain our business and our services.
-External disclosure and purpose: financial administration, tax consultants, other fee agencies, payment service providers to carry out contractual or legal payment transactions.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland USA for efficient and location-independent administration and communication; financial administration, tax consultants, auditors, other fee offices, payment service providers for contractual or legal payment transactions.
Privacy policy Google: https://policies.google.com/privacy.
Processing in third countries: USA, as far as Google services are used.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Retention of data: The erasure of the data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

Business and market research

In order to operate our business economically and to identify market trends and user requirements, we analyse the data available to us on business transactions, contracts, enquiries, etc., in order to ensure that we are able to offer our users the best possible service. For this purpose, we combine the personal data of users from registrations and orders with the behaviour-related data of users.

In the context of the economic evaluation we bring together the data of the users independently of the used devices (e.g. if users use our online offer on a mobile or on a stationary device).

Data processed: Inventory data, contact data, contract data, payment data, usage data and metadata, e.g. activity data from e-mails via our online channels, e.g. data on the page accessed, the page history, the device used, the approximate location and data for pseudonymous identification of the user profile).
Legal basis: Art. 6 (1) f. GDPR.
Data subjects: users, prospective users, business partners, visitors and users of the online offer.
Purpose of processing: business analysis, marketing, advertising, market research.
Type, scope and mode of operation of the processing: profiling, online behavioural advertising, first party cookies.
Necessity / interest in processing: Increased user-friendliness, optimization of the service, business efficiency.
Retention of data: If a user account was created, with its cancellation, otherwise after two years from conclusion of contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

Data protection information for Job Candidates

This section informs job candidates about the processing of their data during the application process.

Application process

Candidates can send us their applications via e-mail. Please note, however, that e-mails are generally not sent in encrypted form and that the candidates themselves must ensure that they are encrypted. We can therefore accept no responsibility for the transmission of the application between the sender and the reception on our server.
Instead of applying by e-mail, candidates can still send us their application by post.

Data processed: Inventory data, contact data, content data (content of application folder, correspondence, internal comments).
Special categories of personal data: Yes, if required for the application procedure or submitted by candidates (e.g. health data).
Legal basis: Art. 6 para. 1 lit. b. GDPR, § 26 Federal German Data Protection Act (BDSG).
Data subjects: Applicants
Purpose of processing: application procedure, selection of applicants.
Special security measures: Restriction of access to application documents to jobs that are involved in the application process; Encrypted transmission option.
Necessity / interest in processing: Precondition for the selection of suitable candidates.
Retention of data: The data provided by the candidates may be further processed by us for employment purposes in the event of a successful application; otherwise, if the application for a job offer is not successful, the candidates' data will be deleted or made anonymous. Candidates' data will also be deleted if an application is withdrawn, which the applicants are entitled to do at any time. Candidates will be deleted after a period of six months, subject to justified revocation, so that we can answer any follow-up questions to the application and meet our obligations under the General Equal Treatment Act (AGG).

Campusjäger (Application process)

We use the services of the recruitment platform Campusjäger for the purposes of searching for job candidates, making and contacting them, as well as forwarding application documents and selecting job applicants.

Data processed: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.).
Special categories of personal data: Health status, disability information, data on religious affiliation.
Legal basis: Art. 6 para. 1 lit. b. GDPR, § 26 Federal German Data Protection Act (BDSG).
Data subjects: job candidates.
Special security measures: SSL encryption for sensitive data.
Necessity / interest in processing: Business interests, HR-Efficiency, performance of the services pursuant to the contract
External disclosure: Campusjäger GmbH, Leopoldstr. 7c, 76133 Karlsruhe, Germany.
Privacy Policy: https://www.campusjaeger.de/datenschutz.
Processing in third countries: None.
Retention of data: The duration of data storage is determined by the HR processes within which the data is processed. User may withdraw their consent to processing of their personal information or request a deletion or their personal information at any time.

Workable (Application process)

To conduct the online application process, we use the services of third party provider Workable Software Limited, 21a Kingly Street, 2nd Floor, London, W1B 5QA, UK.

The use of Workable is based on our legitimate interests as well as the interests of the candidates in the implementation of a fast and effective application process (within the meaning of Art. 6 para. 1 lit f. GDPR
"Workable" is based in the European Union. Candidate data will be processed on a server of Amazon Web Services (AWS), Inc, 410 Terry Avenue North, Seattle, Washington 98109-5210, USA in the USA. In addition, Workable's US subsidiary in the USA may be commissioned to process the data. To ensure compliance with EU data protection standards, Workable UK has concluded Data Processing Agreements with AWS and the US subsidiary based on the EU Commission's Model contracts for the transfer of personal data to third countries - Standard Contractual Clauses for Data transfers between EU and non-EU countries (further information: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en). Furthermore, AWS is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active).
Workable's privacy policy: https://www.workable.com/privacy.

Application Process - Talent Pool

As part of the application process, we offer job candidates the opportunity to be included in our talent pool for a period of two years. In this case, the following information is added to the general information on the application procedure:

Candidates are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and they can revoke this consent at any time for the future and declare their objection within the meaning of Art. 21 GDPR.

Legal basis: Art. 6 (1) b. and Art. 7 GDPR, § 26 Federal German Data Protection Act (BDSG).
Purpose of processing: Reservation of candidates for future application processes.
Special security measures: The application documents in the talent pool will only be processed within the scope of future job vacancies and the search for employees.
Retention of data: After the deadline of two years.

BambooHR

We use BambooHR for keeping track of the employees’ and job candidates’ data, employee self-onboarding and other HR-related tasks.

Data processed: Employees and Job Candidates: Personal information (including, but not limited to, name, identification number(s), photograph(s), address, birth date, gender, marital status, number of children, emergency contact, telephone number(s), academic and professional qualifications, CV/resume, employment history, language proficiency, etc.); Information in connection with the employee’s job (including, but not limited to, title, grade, location, reporting lines, team affiliation, hire date, working hours, contract details, performance and evaluation data, employee discipline information, work history, benefits and insurance, assets assigned, training, time-off documentation, etc.); Payroll related information (including, but not limited to, salary and compensation information, tax and social security information, bank details, pensions, share options, bonuses, other benefits, etc.).
Referees / References: Contact details: address, telephone number (fixed and mobile), email address, fax number, emergency contact information.
Special categories of personal data: Health status, disability information, data on religious affiliation.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR
Data subjects: Employees, job candidates, referees / references.
Type, scope and mode of operation of the processing: Session cookies, permanent cookies, internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data, third party cookies, web-beacons
Special security measures: SSL encryption for sensitive data.
Necessity / interest in processing: Business interests, HR-Efficiency, performance of the services pursuant to the contract
External disclosure: BambooHR, 335 South 560 West Lindon, UT 84042-1911, USA
Privacy Policy: https://www.bamboohr.com/privacy.php
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnsZAAS&status=Active
Retention of data: The duration of data storage is determined by the HR processes within which the data is processed. User may withdraw their consent to processing of their personal information or request a deletion or their personal information at any time by making the change on the member information page, though BambooHR contact us page, by telephone or by postal mail. The said requests are processed promptly and in any event within 30 days of user call or receipt of user request.

Stack Overflow

Stack Overflow offers a recruitment platform that we use for the direct communications with the job candidates. We have a company profile with a few job slots in the Stack Overflow network, through which the job candidates can apply for the open positions in our company.

Data processed: Inventory data, contact details, content data, usage data, metadata.
Legal basis: Art. 6 (1) lit. f) with regard to our company's general recruitment and § 26 of the German Federal Data Protection Act (BDSG) with regard to specific application requests and processes.
Data subjects: Applicants, Employees.
Purpose of processing: Company presentation, recruitment and initiation of application procedures.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web analytics, remarketing/ retargeting, online behavioral advertising, tracking.
Special security measures: Data Protection Agreement (https://stackoverflow.com/legal/gdpr/data-processing-agreement-processor).
Opt-Out: Unsubscribe and opt out options in the email communications and the Account Settings.
Necessity / interest in processing: Legitimate business purposes, Addressing job candidates on a platform used by them (also with a professional context).
External disclosure: Stack Exchange, Inc., 110 William Street, 28th Floor, New York, NY 10038, United States
Privacy Policy: https://stackoverflow.com/legal/privacy-policy.
Processing in third countries: USA
Guarantee when processing in third countries: EU-U.S. Privacy Shield Framework:
https://www.privacyshield.gov/participant?id=a2zt0000000CbWGAA0&status=Active
Retention of data: With regard to the data processed by us during the application process, we would like to refer you to the above information on the application procedure. With regard to the user data stored at Stack-Overflow, we refer you to the deletion instructions there and the possibility of data deletion on request.

Webserver and Security

Our services are operated on web servers. In the following section we will inform you about their use and data processed during the operation of our servers.

Amazon Web Services

We use Amazon Web Services including infrastructure and platform services, computing capacity, storage and database services, telecommunications services, security services, technical maintenance services, and cloud hosting services.

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR.
Data subjects: users, prospects, business partners, employees, website visitors.
Necessity / interest in processing: Use of an efficient and secure server infrastructure.
External disclosure: See https://aws.amazon.com/compliance/third-party-access
Privacy Policy: https://aws.amazon.com/privacy, :https://www.amazon.com/gp/help/customer/display.html?nodeId=468496
Processing in third countries: USA
Guarantee when processing in third countries: E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active
Retention of data: The data on the server is processed for the purposes of our contract-related services. Please refer to the information on the key area of our services.

Hetzner

Hetzner is an Internet hosting company and data center operator. We use Hetzner’s infrastructure and platform services, computing capacity, storage and database services, security services, technical maintenance services

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Legal basis: Art. 6 (1) lit. f GDPR, Art. 28 (3) S. 1 GDPR.
Data subjects: Customers, prospects, business partners, employees, website visitors.
Purpose of processing: Webhosting, E-Mail-Services, Security.
Necessity / interest in processing: Security, business interests)
External disclosure: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Deutschland.
Privacy Policy: https://www.hetzner.de/rechtliches/datenschutz
Retention of data: Determined by the processes within the framework of which the data is stored on the server.

Cloudflare

Cloudflare provide hosting and content delivery network, DDoS mitigation, internet security and distributed domain name server services. Our complete Project Traffic is routed through Cloudflare.

Data processed: All website traffic (inventory data, contact data, content data, contract data, usage data, meta/communication data).
Legal basis: Art. 6 (I) 1 lit. f GDPR, Art. 28 (III) S. 1 GDPR
Data subjects: All users who use our online services.
Necessity / interest in processing: User-friendliness, business interests.
External disclosure: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Processing in third countries: USA
Guarantee when processing in third countries: DPA, E.U.-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active
Retention of data: Only short intermediate storage within the scope of data caching and data delivery.

Datadog

Digital Performance Monitoring, Error-Logging and Management.

Data processed: The monitoring of cloud-based infrastructure, applications and logs – do not require the processing of personal data aside from the basic identifying information of individual end users (IP-Addresses).
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Employees, website visitors.
Necessity / interest in processing: Interest in stability and security of the technical infrastructure.
Privacy Policy: https://www.datadoghq.com/legal/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000GnxPAAS&status=Active.
Retention of data: The data is only temporarily stored if it is necessary to monitor the stability of the security of the servers.

Godaddy

Domain name registrar and web hosting services.

Data processed: Inventory data, contact data, content data, contract data, usage data, meta/communication data, traffic data.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR, Art. 28 (III) S. 1 GDPR.
Data subjects: Users, prospects, business partners, employees, website visitors.
Necessity / interest in processing: Use of an efficient and secure server infrastructure.
External disclosure: GoDaddy.com LLC, 14455 North Hayden Road Suite 219 Scottsdale, AZ 85260 USA
Privacy Policy: https://www.godaddy.com/agreements/showdoc.aspx?pageid=PRIVACY&isc=gofddede06
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000TN9xAAG&status=Active
Retention of data: The data on the server is processed for the purposes of our contract-related services. Please refer to the information on the key area of our services.

Google Suite and Google Cloud

We use the Google Cloud and the Google Suite Service for the following purposes: Google Drive for document storage (marketing, sales, evaluations, accounting, personnel, contracts, finance), Google Calendar for calendar management - Google Docs, spreadsheets and presentations for online document collaboration; storage of data, websites and public documents.

Data processed: Data relating to users and employees (master data, contact data, process data, content data); usage data and metadata used by Google for security and service optimisation purposes.
Data Subjects: Employees, customers / interested parties, contractual partners, other third parties.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, online behavioural advertising, tracking.
Legal Basis: Art. 6 (1) lit. b GDPR when relation to contractual services, Art. 6 (1) lit. f GDPR (when based on our legitimate interests concerning our administration, security and business interests), § 26 BDSG in case of Employees
Special security measures: Pseudonymization, Data Processing Agreement.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://www.google.com/policies/privacy.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active, EU Standard Contractual Clauses.
Retention of data: Determined by the processing operations during which the data is stored on the server.

MongoDB Atlas

MongoDB Atlas is a cloud-based DaaS (Data as a service) solution offered by MongoDB.

Data processed: Inventory data, contact details, content data, usage data, metadata
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Users.
Purpose of processing: Provision of database services.
Necessity / interest in processing: Technical efficiency and security.
External disclosure: MongoDB, Inc., 229 W 43rd Street, 5th Floor, New York, NY 10036, United States
Privacy Policy: https://www.mongodb.com/legal/privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: Standard Contractual Clauses, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TOLrAAO&status=Active
Retention of data: User may request deletion of their Personal Data by MongoDB.

New Relic

New Relic provides a digital intelligence platform lets developers, ops, and tech teams measure and monitor the performance of their applications and infrastructure. We use New Relic services for server and application monitoring.

Data processed: Usage data, metadata, IP address.
Legal basis: Art. 6 (1) f. GDPR (providing interesting information to users, commercial interests)
Data subjects: Users/ Website visitors.
Purpose of processing/ Necessity / interest in processing: User-friendliness including efficient support, technical efficiency, optimization, security, legitimate business interests.
Type, scope and mode of operation of the processing: Profiling (for security reasons)
Opt-Out: https://newrelic.com/termsandconditions/cookie-policy; https://newrelic.com/termsandconditions/privacy; Personal Data Request Form” with additional options that are provided to https://newrelic.com/content/dam/new-relic/privacy/personal-data-request-form.pdf
External disclosure: New Relic, Inc., 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA
Privacy Policy: https://newrelic.com/termsandconditions/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TNPiAAO&status=Active
Retention of data: Only as long as storage is required. See also cookie policy: https://newrelic.com/termsandconditions/cookie-policy - some cookies are kept for 630 days and longer (including some targeting and analytics cookies). “Data Erasure” in “Personal Data Request Form”: https://newrelic.com/content/dam/new-relic/privacy/personal-data-request-form.pdf.

Percona

Percona is a developer of a number of open source software projects for MySQL, MariaDB, MongoBD and RocksDB users. Percona provides us with support, consultancy and managed services for RemoteDBA (Database administration).

Data processed:Of employees and contractors:Names and contact information, including: phone numbers, email addresses, business mailing addresses, usernames, IP addresses; Of users: Names and business contact information, including: phone numbers,email addresses, business mailing addresses, usernames, IP addresses, job titles.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Employees, users
Purpose of processing: Percona provides us with support, consultancy and managed services for RemoteDBA.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web-analytics and tracking (Google Analytics & Google AdWords, HubSpot, Bizible), cross-device-tracking, embedding, social plugins, profiling
Special security measures: Data Protection Agreement.
Necessity / interest in processing: Providing contractual services, improving user experience, legitimate business purposes
External disclosure: Percona LLC., 8081 Arco Corporate Drive, Suite 170, Raleigh, NC 27617, United States
Privacy Policy: https://www.percona.com/20180524-privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses
Retention of data: Percona stores Personal Information on servers located in the United States of America. Percona keeps Personal Information obtained through cookies for 30 days. Once that time period has expired, the information will be disposed of and any cookies will be reset. Other Personal Information obtained will be stored for the duration of the contractual relationship and 120 days after the relationship has ended and/or consent (if applicable) is withdrawn. EU Customers have a right of erasure which could be exercised by sending a corresponding request to privacy@percona.com.

Raygun

Raygun provides error, crash and performance monitoring for software teams. We use Raygun as PHP error and exception handler.

Data processed: Customer information (User's first and last name, User's email address, User's IP address);
Company information: (Business contact information (company, email, phone, physical business address), Personal contact information (email, phone), Title, Position, Employer Connection data.
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. GDPR (providing interesting information to users, commercial interests)
Data subjects: Prospects, customers, business partners and vendors
Employees or contact persons, customers, business partners and vendors
Employees, agents, advisors, independent contractors
authorized users (individuals authorized by data exporter to use the Raygun Products)
Purpose of processing: error, crash and performance monitoring).
Type, scope and mode of operation of the processing: Cookies
Special security measures: IP addresses are not saved anonymously currently but we are going to put in an option to disavow IP addresses as well as location details (Sydney, Australia etc) from being recorded.
Necessity / interest in processing: Providing & improving services, security.
External disclosure: Raygun Limited, L7, 59 Courtenay Place, Te Aro, Wellington, 6011, New Zealand.
Privacy Policy: https://raygun.com/privacy
Processing in third countries: New Zealand, USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses.
Retention of data: Data is kept for as long as it is necessary and then erased. An erasure can be requested individually.

Embedded content and functions

In this section we inform you which contents, software or functions (briefly "contents") of other providers we embed in the context of our website on the basis of Art. 6(1) lit. f GDPR (so-called "embedding"). The embedding is done to make our online offer more interesting for our users or for legal reasons, e.g. to be able to present videos or social media contributions within our online offer at all. Embedding can also be used to improve the speed or security of online content, e.g. when software elements or fonts are obtained from other sources. The processed data includes in all cases the user's usage and metadata and also the IP address necessarily transmitted to the provider for embedding the content, the data subjects include the visitors to our website. The data subject categories include the users of our website, users and interested parties. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The data retention is determined by the data protection conditions of the providers of the embedded content.

Google Services and Content

We use the following services and contents of the provider Google: YouTube - Videos; Google Maps - Maps; Google Fonts - Fonts; Google - Recaptcha.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, online behavioural advertising, tracking.
Special security measures: Pseudonymization, opt-out.
Opt-Out: http://tools.google.com/dlpage/gaoptout?hl=de, https://adssettings.google.com/.
External disclosure and purpose: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://www.google.com/policies/privacy.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Retention of data: The data will be deleted in accordance with Google's conditions.

Playbuzz content distribution

Playbuzz is a content partner with whose help we can present relevant content for the users within our online services. Playbuzz itself states that no personal user data will be stored or otherwise processed by Playbuzz itself.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, interest-based marketing, profiling, remarketing.
Legal basis: Art. 6 (1) lit. f. GDPR.
Special protective measures: Data Processing Agreement.
Opt-Out: https://www.playbuzz.com/PrivacyPolicy.
External disclosure: - Playbuzz Ltd, 26th Floor Rubinstein Building, 37 Menachem Begin Rd, Tel Aviv, Israel, 6522042.
Privacy Policy: https://www.playbuzz.com/PrivacyPolicy.
Processing in third countries: Israel
Guarantee for processing in third countries: Acknowledged level of data protection.
Retention of data: Playbuzz stores data for as long as necessary to provide its own services. Playbuzz will store and use the data as necessary to comply with its legal obligations, resolve disputes and enforce Playbuzz's policies. The retention periods shall be determined taking into account the nature of the information collected and the purpose for which it is collected, the requirements applicable to the situation and the need to destroy obsolete, unused information at the earliest opportunity.

Facebook Features and Content

Functions and contents of the Facebook service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Public Public profile https://www.facebook.com/help/203805466323736/ (includes your name, gender, username and user ID (account number), profile picture, cover picture and networks); usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
Opt-Out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
External disclosure and purpose: Facebook Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Retention of data: The data will be deleted in accordance with Facebook conditions.
Single sign-on authentication with Facebook
We use Facebook's single sign-on method, which allows users to register within our online service.
Data processed: Inventory data (name, e-mail address, password (only processed on Facebook and cannot be viewed by us), user ID, user handle);
External disclosure and purpose: Facebook Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
- Guarantee when processing in third countries: Privacy Shield www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Retention of data: The data will be deleted in accordance with Facebook's conditions.

WhatsApp features and content

Within our online services, functions and contents of the WhatsApp-Messenger can be incorporated. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
External disclosure and purpose: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy: https://www.whatsapp.com/legal.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active.
Retention of data: The data will be deleted in accordance with WhatsApp's policy.

Instagram Features and Contents

Functions and contents of the Instagram service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
External disclosure and purpose: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
Privacy Policy: https://help.instagram.com/519522125107875
Processing in third countries: USA
Guarantee when processing in third countries: Privacy Shield www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Retention of data: The data will be deleted in accordance with Instagram's policies.

Pinterest features and content

Functions and contents of the Pinterest service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing
External disclosure and purpose: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA, or, if you are based in the EU or in Switzerland, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Privacy Policy: https://about.pinterest.com/de/privacy-policy.
Processing in third countries: USA.
Retention of data: The data will be deleted in accordance with Pinterest’s policies.

Twitter features and content

Functions and contents of the Twitter service can be integrated within our online services. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.

Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
Type, scope and functioning of processing: social plug-ins, permanent cookies, third party cookies, interest-based marketing, tracking, remarketing.
Opt-Out: https://twitter.com/personalization.
Disclosure external: Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Privacy Policy: https://twitter.com/de/privacy.
Processing in third countries: USA.
Guarantee for processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000000TORzAAO&status=Active.
Deletion of data: The data will be deleted in accordance with Twitter’s policies.

video intelligence video player

Video player embedded in our web pages.

Data processed: Usage Data, Meta Data (IP-Address); the personal data processed by vi (cookie id, ip address, device id, geo-location) are used to identify ad campaigns eligible for delivery and to prove the user with the best user experience possible; furthermore, the IP Address is processed to determine Geographic Location; the IP Address is processed for a short period of 24 hours only when the video player registers different events such as: player loaded, ad started, content started etc.
Legal basis: Art. 6 (I) lit. f GDPR..
Data subjects: Website visitors.
Purpose of processing: Embedding of a Video Player, playing video content in user’s browser.
Type, scope and mode of operation of the processing: third-party-cookies.
Opt-Out: https://www.vi.ai/gdpr/.
Necessity / interest in processing: improving user experience, business Interests.
External disclosure: video intelligence AG, Muhlebachstr. 70, 8008 Zurich, Switzerland.
Privacy Policy: https://www.vi.ai/privacy-policy/.
Processing in third countries: Switzerland.
Guarantee when processing in third countries: Asserted data protection level..
Retention of data: The personal data (IP-Address) is aggregated after 24h to only summarize these events for our webpage, and IP address gets deleted from the systems.

External online profiles

In this area you will find information about our data processing in the context of operating external online activities, e.g. in social media.

Online Presences in Social Media

We maintain online presences within social networks and platforms in order to communicate with the customers, prospective customers and users active there and to be able to inform them about our services there.

We would like to point out that data of users outside the European Union and the Switzerland may be processed. This can pose risks for users because, for example, the enforcement of users' rights could be made more difficult. With regard to US providers certified under the Privacy Shield, we would like to point out that they undertake to comply with the data protection standards of the EU and Switzerland.

Furthermore, user data is usually processed for market research and advertising purposes. Thus, for example, user profiles can be created from the user behaviour and the resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to these).

The processing of users' personal data is based on our legitimate interests in effective user information and communication with users. If the users are asked by the respective providers for a consent to the data processing (i.e. declare their consent e.g. by ticking a checkbox or confirming a button), the legal basis of the processing is a consent.

For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the information provided by the providers linked below.

Also in the case of requests for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, then please contact us.

Social networks/platforms that might be used by us: Facebook, Instagram, LinkedIn, Pinterest, Twitter, Xing, YouTube.
Data processed: Inventory data, contact data, content data, usage data, metadata.
Special categories of personal data: In principle, no, except as provided voluntarily by users.
Legal basis:Art. 6 (1) f. GDPR
Data subjects: Users of social media networks/ platforms (this can include users and prospective users).
Purpose of processing: Information and communication.
Type, scope and mode of operation of the processing: By providers of the respective platforms as a general rule: permanent cookies, tracking, targeting, remarketing, online behavioural advertising.
Necessity / interest in processing: Expectations of users active on the platforms, business interests.
External disclosure and purpose: To the social networks/platforms.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield (except Pinterest).
Retention of data: The deletion policies of the respective networks/ platforms apply.
Links to the information of the respective platforms:

Facebook (Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU or in Switzerland, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Privacy policy: https://www.facebook.com/about/privacy/, Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy policy: https://policies.google.com/privacy, Opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy policy/ Opt-Out: http://instagram.com/about/legal/privacy/.
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Privacy policy: https://twitter.com/privacy, Opt-out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) - Privacy policy https://www.linkedin.com/legal/privacy-policy , Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA, or, if you are based in the EU or in Switzerland, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. Datenschutzerklärung, Opt-Out: https://about.pinterest.com/de/privacy-policy.
Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland) - Privacy policy/ Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

Organization and Marketing

In this section you will find information on data processing carried out by us for the purpose of optimising our marketing and market research activities, as well as managing our ventures.

200 Labs, Inc. (Chatfuel)

Chatfuel provide a messenger bot framework that answers questions from users or informs them about messages.

Data processed: Inventory data, contact details, Facebook-ID, usernames and the content of the communication, usage data, metadata
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR
Data subjects: Users who communicate with the chat bot.
Purpose of processing: Communication with users.
Type, scope and mode of operation of the processing: Cookies, web beacons, tracking, remarketing/retargeting, cross-device-tracking, web analytics, demographic data, profiling, third party cookies.
Necessity / interest in processing: Security and efficiency of chatbot usage, performance of contract, legitimate business interest (evaluating business performance, financial reporting, security, email marketing), user consent (particularly marketing campaigns), to comply with legal obligations.
External disclosure: 200 Labs, Inc., d/b/a Chatfuel, 555 De Haro Street, Suite 280, San Francisco, CA 94107 USA
Privacy Policy: https://chatfuel.com/PrivacyPolicy-EU.pdf
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses
Retention of data: We will store personal information for as long as necessary to fulfil the purposes for which we collect the personal information, in accordance with our legal obligations and legitimate business interests. In general, information obtained in the course of providing our Service will be blocked from general access within a few days and deleted latest within 3 years after the end of us providing our Service, unless an earlier deletion is requested or has been agreed upon, or statutory retention requirements require a longer retention or we need to retain such data for own legitimate interests, for example, the defense against IT security threats. For example, national commercial or financial codes may require to retain certain information for up to 10 years.
User has the right to obtain the erasure of their personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed. When you unsubscribe from the chatbot messages, your data will be deleted from the message recipient directory. Chat logs are made anonymous by us, i.e. the user names and user IDs are automatically deleted after 14 days.

ADYOULIKE

ADYOULIKE is a technology partner with whom we manage the real-time display of ads on our online services.

Data processed: Usage data, Metadata, ADYOULIKE does not use or store IP-addressess for advertising targeting purposes ( In line with industry best practices, ADYOULIKE does use IP addresses for fraud detection purposes. The goal is to identify situations that can be associated with robots as a large volume of clicks in a limited time; or to extract geographic information.)
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Realtime bidding, Ads Display.
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: IP-Masking, Data Processing Agreement, Opt-Out.
Opt-Out: https://www.adyoulike.com/privacy_policy.php.
External disclosure: ADYOULIKE, 37- 39 rue Boissière, Paris (75116), France.
Privacy Policy: https://www.adyoulike.com/privacy_policy.php.
Retention of data: The collected browsing data is kept for a maximum of thirteen months (13 months) after the date of collection. The cookies expire three months after their last update.

Amazon

With the help of Amazon we market advertising material and advertising spaces within our online services.

Data processed: Usage data and metadata (including IP-Adresses: Full IP address, which is used for fraud detection and traffic quality, and is sent to approved third parties in accordance with Amazon’s Privacy Policy. For all other internal uses related to the serving of interest-based ads, the IP address is truncated · A pseudonymized identifier. In web, this is the Cookie ID, which is used by Amazon advertising systems for a variety of purposes including 1/ to recognize user pseudonymously, 2/ to maintain opt out status, 3/ for fraud detection and traffic quality, 4/ for targeting, and 5/ for frequency capping.)
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Marketing of commercial space/areas in online-services
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling.
Special security measures: IP-Masking, Opt-Out, According to Amazon, the data is mainly processed on servers in local areas of users, i.e. for European users in the European Union.
Opt-Out: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496.
External disclosure: Amazon.com, Inc., 2021 Seventh Ave Seattle, Washington 98121, USA.
Privacy Policy: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496.
Processing in third countries: USA
Guarantee when processing in third countries: Privacy Shield.

Appnexus

Appnexus is a technology partner with whom we manage the real-time display of ads on our online services.

Data processed: Usage data, Metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Realtime bidding, Ads Display.
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: IP-Masking, Data Processing Agreement, Opt-Out.
Opt-Out: https://www.appnexus.com/en/company/platform-privacy-policy#choices.
External disclosure: AppNexus, 28 West 23rd Street, 4th Fl, New York, New York 10010, USA.
Privacy Policy: https://www.appnexus.com/en/company/platform-privacy-policy.
Processing in third countries: USA
Guarantee when processing in third countries: EU Standard Contractual Clauses, Privacy Shield.
Retention of data: The pseudonymous data is usually deleted for 30-90 days, but can be stored for up to 18 months until it is aggregated and thus made anonymous.

Bitly

Bitly is a URL shortening service and a link management platform.

Data processed: usage data, metadata; Bitly Link Metrics is collected when the end user interacts with a Bitly link, and could be shared with the Bitly customers.
Legal basis: Article 6 (1) (f) GDPR.
Data subjects: Users.
Purpose of processing: Providing information about services and the account, web analytics and research, analyzing trends.personalizing services and developing new products and services
Type, scope and mode of operation of the processing: Cookies, third party cookies, tracking, demographic data, web analytics, online behavioral advertising, web beacons, cross-device tracking
Opt-Out: Opt-out links in the Privacy Policy:
https://bitly.com/pages/privacy
Necessity / interest in processing: Performance of the services pursuant to the contract, legitimate business interests, user friendliness of links.
External disclosure: Bitly, Inc., 139 Fifth Avenue, 5th Floor, New York, NY 10010, United States
Privacy Policy: https://bitly.com/pages/privacy
Processing in third countries: US
Guarantee when processing in third countries: EU-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TXSuAAO&status=Active.
Retention of data: Bitly retains the personal information they receive for as long as the customer uses their Services or as necessary to fulfill the purpose(s) for which it was collected, provide Bitly Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

Contentful

Contentful provides software for creating websites and managing content, with which we primarily operate and test our new developments.

Data processed: End users: Only the IP address of incoming content is logged to protect against misuse (e.g. denial of service attacks). Contentful is not responsible for data content uploaded by the user and is neither interested in this data nor analysing this data in any way. Embedded software development kits (SDK) are not collecting any personal data of end users (in particular, no tracking - there is, however, tracking via third party services - as stated in this privacy policy). Employees: Usage Data.
Special categories of personal data: none.
Legal basis: Art. 6 (1) f GDPR.
Data subjects: Users, employees, website visitors.
Purpose of processing: Content Management, business interests.
Type, scope and mode of operation of the processing: Cookies, third party cookies, embedding (SDK - see above), web analytics and tracking according to other information in the privacy policy.
Special security measures: DPA.
Necessity / interest in processing: Providing contractual services, optimizing and debugging.
External disclosure: Contentful GmbH, Ritterstraße 12-14, 10969 Berlin.
Privacy Policy: https://www.contentful.com/legal/de/privacy
Processing & Guarantees in third countries: User data is stored with AWS and a few Content Delivery Network (CDN) providers (names not specified) across the world. They have signed DPAs with the said subprocessors. Privacy Shield of AWS:
https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.
Retention of data: User data will be deleted upon being no longer required in order to provide services to the user or for other legitimate purposes. User can delete his account, upon which their profile will be deleted as well. To the extent that Contentful is legally obliged to archive, such data will be blocked and will not be available for productive use. A deletion can also be requested from Contentful or the controller.

Harvest (Iridesco, LLC)

We are using a time tracking tool provided by Harvest (Iridesco, LLC).

Data processed:Inventory data concerning freelancers, metadata and usage data as well as content data concerning the types of activities, time spent and analyses based on them.
Legal basis:Article 6 (1)(b) GDPR.
Data subjects:Freelancers
Purpose of processing: Harvest is used to track the time of freelancers. The purpose is to track working times and identify any bottlenecks. Thus, for example, it can be determined whether structural weaknesses exist at the client's or the freelancers', as well as how these can be addressed as optimally as possible for both parties. The use takes place via an integration in the project management software Trello. Every freelancer can use Trello to view an overview of activities and times.
External disclosure: Iridesco LLC, d/b/a Harvest, 16 W 22nd St, Fl 8, New York, NY 10010, United States
Privacy Policy: https://www.getharvest.com/privacy-policy
https://www.getharvest.com/privacy-policy/privacy-shield
Processing in third countries: USA
Guarantee when processing in third countries: EU-U.S. Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt00000008UqaAAE&status=Active
Retention of data: The data is stored as long as it is necessary for order processing and storage for commercial and tax reasons or to deal with legal claims. This is usually the time of cooperation and another 4 years thereafter as well as up to 10 years for legal archiving purposes.

Hootsuite

Hootsuite is a social media management platform that offers a number of integrating solutions for measuring & benchmarking, performance optimization, visualization & analyse, creating and publishing content and nurturing communities.

Data processed: User Generated Content (such as messages, posts, comments, pages, profiles, feeds or communications on social media sites / networks); Contact details (such as name, email address, telephone number); additional individual information (such as age, gender, employer, profession, geographic location, education information or other content); Communications, data, other information or content not described above that is sent by or received through Hootsuite Services.
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit. f GDPR, Art. 28 (3) S. 1 GDPR.
Data subjects: Employees, business partners and their employees, users of social networks and persons whose data is processed by social networks, messages, feeds which are transmitted by us to Hootsuite via inputs, interfaces or otherwise for processing on behalf.
Type, scope and mode of operation of the processing: Cookies, tracking, web beacons and software tokens, remarketing/retargeting, third party cookies, web analytics (including Google Analytics: universal analytics, cross-device-tracking, third party cookies, Google Display Advertising)
Necessity / interest in processing: Efficiency, business interests.,
External disclosure: HootSuite Media Inc., 5 East 8th Avenue. Vancouver, V5T 1R6, Canada.
Privacy Policy: https://hootsuite.com/legal/privacy
Processing in third countries: Canada, USA
Guarantee when processing in third countries: Standard Contractual Clauses, With regards to Google services, as in the case of Google:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
Retention of data: The deletion periods are determined according to the deletion periods for processing communications and customer data; in other respects, deletion takes place if the data is not required and no archiving obligations exist, which is regularly checked every two years or on an ongoing basis. Please note that certain Personal Information may need to be retained by Hootsuite for a period of time following cancellation of your account where this is necessary for our legitimate business purposes or required or authorized by applicable law.

Intercom

Intercom is an a US-based software company that offers customer relationship management solutions. By using Intercom customer messaging platform, we are able to to chat with our prospective and existing customers within their app, send targeted messages to new users, and maintain a knowledge base.

Data processed: Username, password, email address, IP address, data analytics, device data, usage data, social media profiles, location data, and interactions with end users via the communication platform.
Legal basis: Art. 6 (1) lit. f GDPR, Art. 28 (3) S. 1 GDPR.
Data subjects: Users using the functions of intercom on the website.
Type, scope and mode of operation of the processing: Cookies, flash cookies, third party cookies, web beacons, clicktracking, collecting demographic information about their user base as a whole, embedding (such as “share this” button or interactive mini-programs), social plugins (Facebook Plugins - “like” button: tracking, remarketing/retargeting).
Opt-Out: https://docs.intercom.com/pricing-privacy-and-terms/privacy/intercom-inc-privacy-policy
Necessity / interest in processing: Security, business interests, user service.
External disclosure: Intercom Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States
Privacy Policy: https://docs.intercom.com/pricing-privacy-and-terms/privacy/intercom-inc-privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TNQvAAO&status=Active
Retention of data: Deletion periods are determined according to the deletion periods for processing communications and customer data; in other respects, deletion takes place if the data is not required and no archiving obligations exist, which is regularly checked every two years or on an ongoing basis.
User may request his personal data to be deleted at any time by sending a request to team@intercom.com.

MonetizeMore

MonetizeMore is a technology partner with whom we manage the display of ads on our online services. MonetiseMore itself only processes anonymous IP addresses of users. In the context of the services of MonetiseMore further technology partners are integrated, to whose data processing in the context of this privacy policy is referred.

List of providers, types, functions and lifetime of cookies used: http://cdn.pubguru.com/privacy.html.

Data processed: Usage data, Metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: User/ website visitors.
Purpose of processing: Ads Display.
Type, scope and mode of operation of the processing:permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: IP-Masking, Data Processing Agreement, Opt-Out.
Opt-Out: https://www.monetizemore.com/privacy-policy/.
External disclosure: MonetizeMore, 770 Fisgard St., Victoria, BC V8W 0B8, Canada
Privacy Policy: https://www.appnexus.com/en/company/platform-privacy-policy.
Processing in third countries: Canada
Guarantee when processing in third countries: Acknowledged level of data protection.
Retention of data: According to to privacy policies of the included technology partners as stated in this privacy policy.

Taboola

Taboola develops and markets service for online content publishers and advertisers that recommends digital content to website users. We use Taboola Content Discovery Platform as a cross-promotion tool.

Data processed: Inventory data, contact details, content data, payment information, usage data-
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit. f. GDPR.
Data subjects: Please_specify_the_relevant_categories_of_data_subjects.
Type, scope and mode of operation of the processing: Cookies, third party cookies, third party web beacons, cross-device-tracking, remarketing/retargeting, tracking, profiling, online behavioral advertising, web beacons, web analytics, social plugins (such as Facebook “like” button), widgets, third party online advertising, web analytics
Special security measures: Taboola only collects pseudonymised personal data - each user is assigned a unique and randomly-generated hashed Taboola User ID.
Opt-Out: https://www.taboola.com/privacy-policy#user-choices-and-optout.
Opt-Out specifically for use of cookies: https://www.taboola.com/cookie-policy
In addition, users may opt out of Taboola's services by using the opt out links provided by the NAI, DAA, or EDAA.
Necessity / interest in processing: Marketing and advertising.
External disclosure: Taboola, Inc., 1115 Broadway, 7th Floor, New York, New York 10010, USA
Privacy Policy: https://www.taboola.com/privacy-policy
Processing in third countries: USA
Guarantee when processing in third countries: Privacy Shield certification in progress.
Retention of data: Taboola stores user information collected directly for ad serving purposes for a maximum of eighteen (18) months after the last interaction of the user with the Taboola services and anonymizes it by removing personal identifiers or aggregating the data. Taboola stores anonymous or aggregated data that cannot identify a person or a device and is used for reporting and analysis purposes for as long as this is commercially necessary. Taboola keeps opt-out information longer than this period, so Taboola can continue to comply with opt-out requests. Individual requests for deletion of user data: https://accessrequest.taboola.com/access.

Teads content distribution

With the help of Teads we market advertising material and advertising spaces within our online services.

Data processed: Usage data, metadata, advertising identifiers and/or other device identifiers. The IP address is shortened by the last two digits (IP-Masking).
Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, interest-based marketing, profiling, remarketing.
Special protective measures: Data Protection Addendum, Pseudonymization, Encryption of personal data, Access control, Security policy, Security auditing.
Opt-Out: https://teads.tv/privacy-policy/.
External disclosure: Teads SA, 5, rue de la BoucherieL-1247, Luxembourg.
Privacy Policy: https://teads.tv/privacy-policy/.
Processing in third countries: None.
Retention of data: For pseudonymous data 12 months from collection, longer-term for anonymous data.

Newsletter Mailing and Performance Measurement

We will only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter "newsletters") with the consent of the recipients or a legal permission. Subscribers' data is logged as we are required to provide documentation of registrations. We also keep track of whether newsletters have been opened and whether links have been clicked. This information is stored on a per-user basis for technical reasons, but is not used to monitor individual users, but rather, for example, to adapt content and services to users. Information that we should collect in addition to the e-mail address (e.g. name) is used to personally address the users or to adapt the contents of the newsletter to the users.

Contents of the newsletter: As indicated in the registration form, otherwise information about our services and our company.
Data processed: Inventory data (e-mail address), usage data (registration time, confirmation time double opt-in, IP address, opening of e-mail, time and place, time and click on a link in the newsletter).
Special categories of personal data: no.
Legal basis: Art. 6 (1) a., Art. 7 GDPR and § 7 (2) no. 3 UWG (sending and performance measurement), Art. 6 (1) f GDPR (logging, sending provider).
Data subjects: E-mail recipient
Purpose of processing: newsletter dispatch, optimization, proof of consent.
Type, scope and mode of operation of the processing: Web-Beacon.
Necessity / interest in processing: Only the e-mail information is required for sending, the other information is voluntary and serves to personalize and optimize the content based on the interests of the user; the obligation to provide evidence of consent is the reason for logging; performance measurement is based on legitimate interests in the optimization of the content for users and based on business interests
Opt-Out: An unsubscribe link is included in every newsletter.
External disclosure: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA (Mailchimp).
Privacy Policy: https://mailchimp.com/legal/privacy/.
Processing in third countries: USA.
Guarantee for processing in third countries: Data Processing Agreement & Privacy Shield.
Retention of data: We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove a previously given consent. The processing of these data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that at the same time the former existence of a consent is confirmed.

ManyChat

ManyChat provides a Facebook messenger bot for our fan-page which our users could sign up to. User can decide whether to get a daily notification from the messenger bot, for instance, after subscribing to a health challenge, user may use the messenger bot to remind them about it on a daily basis.

Data processed: (i) All Users: identification, publicly available social media profile information, e-mail, usage data and meta data (IP addresses, usage data, cookies data, browser data).
(ii) Subscribers: identification and publicly available social media profile information (name, date of birth, gender, geographic location), chat history, navigational data (including chatbot usage information), application integration data, and other electronic data submitted, stored, sent, or received by end users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion.
Special categories of personal data: none.
Legal basis: Art. 6 (1) a., Art. 7 GDPR and § 7 (2) no. 3 UWG (sending and performance measurement), Art. 6 (1) f GDPR (logging, service provider).
Data subjects: Website users, employees
Purpose of processing: Providing, supporting and improving the services, communicating with the users and subscribers, compliance, processing payments made through the services, web-analytics, improving user and subscriber experience
Type, scope and mode of operation of the processing: Cookies, third party cookies, tracking, web-analytics, third party analytics, clicktracking, web beacons, profiling, online behavioral advertising, demographic data, remarketing/retargeting
Special security measures: DPA, Opt-In, Opt-Out
Opt-Out: On request.
Necessity / interest in processing: Legitimate business interests, performing contractual obligations, user consent, complying with legal requirements
External disclosure: ManyChat, Inc.,535 Everett Ave, Palo Alto, CA 94301, USA.
Privacy Policy: https://manychat.com/privacy.html, Information on used administration and opt-out tools: https://support.manychat.com/support/solutions/articles/36000060439-managing-user-data).
Processing in third countries: Amazon Web Services in Frankfurt
Guarantee when processing in third countries: DPA, AWS (Privacy Shield)
Retention of data: Erasure on request. ManyChat will retain personal information they process on behalf of their Users for as long as needed to provide their Services or for an indefinite time to comply with their legal obligations, resolve disputes, prevent abuse, and enforce our agreements. If required by law, ManyChat will delete personal information by erasing it from ManyChats database.

Communication via Mail, E-Mail, Fax or Telephone

Sending information material, contacting us by telephone.

Data processed: Inventory data, address and contact data, contract data.
Special categories of personal data: no.
Legal basis: Art. 6 (1) a, Art. 7 GDPR, Art. 6 (1) f GDPR in connection with legal requirements for advertising communications.
Data subjects: users, prospective users, communication partners.
Purpose of processing: Commercial communication.
Type, scope and mode of operation of the processing: Contact is only established with the consent of the contact partners or within the scope of legal permissions.
Necessity / interest in processing: Information and business interests.
External disclosure and purpose: No.
Processing in third countries: No.
Retention of data: With objection/ revocation or expiration of the legal basis of eligibility.

Sweepstakes and Competitions

In the course of sweepstakes and competitions (" sweepstakes" for short) we processed the data of the participants for the execution of the sweepstakes. Further information on the processing of your data within the scope of the individual sweepstakes as well as any consent to the publication of their names or contributions to the sweepstakes will be provided to the users within the conditions of participation of the respective sweepstakes.
content data (e.g. contributions to competitions).
Special categories of personal data: no.
Legal basis: 6 (1) b GDPR.
Data subjects: Participants
Purpose of processing: Conducting lotteries, notification of prizes, sending prizes, possibly presentation of winners.
External disclosure and purpose: Shipping companies for the purpose of sending the prizes, possibly partners and sponsors of prizes.
Processing in third countries: No, except for sending prizes abroad.
Retention of data: As soon as the data is not required for the competition (e.g. for inquiries regarding prizes); when winners or contributions to the competition are published, they remain permanently online; otherwise, in the event of a legal obligation (end of commercial law (6 years) and tax law (10 years) retention obligation)..

Optimization

In this section you will find information on data processing carried out by us for the purpose of optimising our website. Above all, it serves us to improve the usability and functionality of the website.

Amazon Personalize

We use the Amazon Personalize service to optimize a better user experience of Facebook instant games and related messenger bots, e.g. optimized content recommendations, better quiz results, ideal sending time, ideal content and ideal frequency for notifications, etc.

Processed data: Usage data (interactions with our Facebook Instant Game), pseudonymous user ID.
Legal basis: Art. 6 (I) lit. f DSGVO, Art. 28 (III) p. 1 GDPR.
Data subjects: Users of the instant game.
Necessity / interest in the processing: optimization of the user experience.
External disclosure: Amazon Web Services (AWS), Inc., 410 Terry Avenue North, Seattle, Washington 98109-5210, USA.
Privacy policy: https://aws.amazon.com/privacy.
Processing in third countries: USA
Guarantee for processing in third countries: E.U.-U.S. Privacy policy: https://www.privacyshield.gov/participant?id=a2zt000000000TOWQAA4&status=Active.
Special security measures: Data Processing Agreement, pseudonymisation with an encrypted value (i.e. AWS cannot assign the processed data to any natural person).
Storage of data/ Opt-Out: As soon as a user logs off from our Instant-Game, the corresponding attribution possibility by means of the pseudonym key ends for us.

Fabric

We use Google's Fabric service (and its sub-services Answer and Crashlytics) as part of the development and operation of our apps on the Android system to track the use of the apps, Analyze its functionality and stability for security, app functionality, and user experience improvement purposes. The data of the users are processed here pseudonymously, whereby an individual user identification is used.

Data processed: usage data, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit f. GDPR
Data subjects: App-Users
Purpose and Necessity / interest in processing: Provision and maintenance of apps.
Type, scope and mode of operation of the processing: Tracking, web analytics.
Security measures: Pseudonymisation.
Opt-Out: On Request.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: https://policies.google.com/privacy, https://docs.fabric.io/android/fabric/data-privacy.html#fabric-s-privacy-and-security-certifications.
Processing in third countries: USA
Guarantee when processing in third countries: EU-U.S. Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Retention of data: Function Answer: 90 days, Crashlytics: 180 days.

Google Firebase

We use Google Firebase to enable the users of our instant game on Facebook to have their own guestbook in which their friends can write. Google Firebase is used to save data records in the guestbooks.

Data processed: Inventory data, contact details, content data, usage data, metadata. For full list of personal data being collected, please refer to https://firebase.google.com/support/privacy
Special categories of personal data: none.
Legal basis: Art. 6 (1) lit b. GDPR
Data subjects: instant game users
Purpose of processing/Necessity / interest in processing: Providing the contractual services
Type, scope and mode of operation of the processing: Cookies, third party cookies, tracking, cross-device tracking, web analytics
Opt-Out: On Request.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: https://policies.google.com/privacy, https://policies.google.com/privacy.
Processing in third countries: USA
Guarantee when processing in third countries: EU-U.S. Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

Retention of data: On expiry of the Term, Google will delete all Customer Data (including existing copies) from Google's systems in accordance with applicable law. Google will, after a recovery period of up to 30 days following such expiry, delete all Customer Data as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.

Mixpanel

Various tools, including machine learning based tools for analyzing user behavior.

Processed data: Inventory data, contact data, content data, usage data, billing information, metadata
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. DSGVO.
Data subjects: Employees, website users
Purpose of processing: development and improvement of services, applications and websites, improvement of usability, provision of contractual services, support and communication with customers, web analysis, compliance.
Type, scope and functionality of processing: cookies, tracking, click tracking, web beacons, cross-device tracking, web analytics (third party internal tools & services), profiling, remarketing/retargeting, social media cookies/ widgets (such as Facebook and LInkedIn buttons and interactive miniprograms running on the Mixpanel website), third party cookies
Special security measures: DPA.
Opt-Out: For Cookies and Tracking/Profiling:
https://mixpanel.com/legal/privacy-overview
https://mixpanel.com/legal/privacy-policy
Need/interest in processing: improvement of online services, economic interests.
External disclosure: Mixpanel, Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA
Privacy policy: https://mixpanel.com/legal/privacy-policy
Processing in third countries: USA
Guarantee for processing in third countries: DPA & standard contractual clauses, E.U.-U.S. Data protection: https://www.privacyshield.gov/participant?id=a2zt000000000TOacAAG&status=Active
Retention of data: Mixpanel does not store the data for longer than is necessary to provide its services. The standard retention period for end user data/customer content is 5 years. Events that occurred more than 5 years ago are automatically and continuously deleted from all projects. This statement does not apply to the end-user data of Mixpanel customers and the Mixpanel process for analysis purposes.

Optimizely

In order to continuously improve our website, we carry out tests on individual pages - for example to find out the optimal placement of content. For such test purposes we also process statistical data and use the web analysis service "Optimizely".

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Third-party cookies, A/B testing, tracking, profiling.
Special security measures: opt-out, Pseudonymization.
Opt-Out: https://www.nametests.de/?optimizely_opt_out=true.
External disclosure and purpose: Optimizely Inc, 631 Howard Street, Suite 100, San Francisco, CA 94105, USA.
Privacy Policy: https://www.optimizely.com/de/privacy/.
Processing in third countries: USA.
Guarantee when processing in third countries: www.privacyshield.gov/participant?id=a2zt0000000TNkWAAW&status=Active.

Web analytics, online marketing and technology partners

In this section we inform you which services of technology partners are used for web analytics and online marketing purposes. Their application is based on Art. 6 (1) letter f GDPR and our interest in increasing user convenience, optimizing our services and their economic efficiency. The processed data includes in all cases the usage data and the metadata. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The retention of the data is determined, unless otherwise stated, in accordance with the Privacy Policies of the technology partners.

Criteo

We use Criteo's services for personalized marketing purposes, e.g. to display advertisements within other websites based on the presumed interests of users or products already seen..

Data processed: Usage data, metadata, (cookie IDs, hashed e-mail addresses, mobile advertising IDs, other technical IDs that allow Criteo to individually record the online behaviour of individuals without making them directly identifiable).
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Website users
Type, scope and mode of operation of the processing: Opt-out, IP masking (complete IP addresses are only used for the purpose of fraud detection and allocation of sales to users for the purpose of measuring success), pseudonymisation.
Special security measures: IP masking (full IP addresses are only used for fraud detection purposes, and assignment of sales to users for performance measurement purposes).
Opt-Out: Yes, via https://www.criteo.com/privacy
External disclosure: Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany.
Privacy Policy: https://www.criteo.com/de/privacy

Echobox

We use Echobox for Publisher to connect our Google Analytics and Facebook Fanpage Accounts with their App for the purpose of analysis and evaluation of the information.

Data processed: Users' name, profile photo, email address, IP address, activity log, password and contact information. Usage data and metadata, provided they are provided by Google Analytics or Facebook or are available on the basis of publicly available information.
Special categories of personal data: none.
Legal basis: Art. 6 Abs. 1 lit. f. GDPR.
Data subjects: Employees, Users.
Purpose of processing: Analytics.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web beacons, Facebook pixels, tracking, clicktracking, cross-device tracking, web analytics.
Special security measures: DPA..
Opt-Out: Opt-out links in the Privacy Policy: https://www.echobox.com/privacy
Necessity / interest in processing: Business interest and optimization of services as well as user friendliness.
External disclosure: 107 Cheapside, London, EC2V 6DN, United Kingdom
Privacy Policy: https://www.echobox.com/privacy
Processing in third countries: UK.
Guarantee when processing in third countries: DPA & Standard Contractual Clauses (for sub-processors).
Retention of data: Echobox retains personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of Echobox legitimate business interests and satisfying any legal or reporting requirements. To determine the appropriate retention period for personal information, Echobox consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of personal information, the purposes for which it is processed and the applicable legal requirements.

e-dialog GmbH

Search engine optimization (SEO), Optimization, Management of Google Services. Please note: Google Services are used in a sub-subprocessing relationship, e-dialog GmbH is the direct subprocessor.

Data processed: Usage data, metadata, Customer Personal Data may include the types of personal data described at https://privacy.google.com/businesses/adsservices
Legal basis: Art. 6 (I) lit. f GDPR.
Data subjects: Website visitors.
Purpose of processing:
Type, scope and mode of operation of the processing: Third party cookies, clicktracking, profiling, remarketing, web-analytics, demographic data, facebook pixel.
Special security measures: Durch die Aktivierung der IP-Anonymisierung auf dieser Website, wird Ihre IP-Adresse von Google jedoch innerhalb von Mitgliedstaaten der Europäischen Union oder in anderen Vertragsstaaten des Abkommens über den Europäischen Wirtschaftsraum zuvor gekürzt. Nur in Ausnahmefällen wird die volle IP-Adresse an einen Server von Google in den USA übertragen und dort gekürzt.
Opt-Out: Same opt-out options as in the case of Google services.
Necessity / interest in processing: Economic interests.
External disclosure: List of subprocessors: e-dialog GmbH, Woldeforster Str. 6, 17109 Demmin, Germany.
Privacy Policy: https://www.e-dialog.at/datenschutz
Processing in third countries: USA
Guarantee when processing in third countries: With regards to Google services, as in the case of Google:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
Retention of data: With regards to Google services, as in the case of Google.

Google Tag Manager

Google Tag Manager is a tool that allows us to manage so-called website tags via an interface (and thus integrate Google Analytics and other Google marketing services into our online serviced,). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users' personal data, reference is made to the following information on the Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

We use Google Analytics for purposes of web analytics/ measurement and target group building.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, cross-device-tracking, permanent cookies, third party cookies, tracking, interest based marketing, profiling, custom audiences, remarketing.
Special security measures: pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: http://tools.google.com/dlpage/gaoptout?hl=en (browser add-on), https://adssettings.google.com/ (setting for advertisements).
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Retention of data: 14 months.

Google AdWords

We use Google AdWords to place ads to measure the success of the ads we place on Google's and Google partner's websites.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: Pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: https://adssettings.google.com/.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
- Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.

Google Doubleclick

We use Google Doubleclick to place ads and to measure the success of the ads we place on Google's and Google partner's websites.

Data processed: Usage data, metadata.
Type, scope and mode of operation of the processing: Universal analytics, permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, cross-device-tracking.
Special security measures: Pseudonymisation, IP masking, conclusion of order processing contract, opt-out.
Opt-Out: https://adssettings.google.com/.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://policies.google.com/privacy.
Processing in third countries: USA.
- Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.

Facebook Pixels and Custom Audiences

We use the Facebook pixel to form target groups and measure the success of the ads we place on Facebook and to build target groups for ads.

Data processed: Usage data, metadata; if users are registered with Facebook, the data is linked to their Facebook profiles and data belonging to them (in particular inventory data).
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, conversion measurement, interest based marketing, profiling, custom audiences from website, cross-device-tracking.
Special security measures: Encrypted communication between Facebook and our website.
Opt-Out: https://www.facebook.com/settings?tab=ads, http://www.youronlinechoices.com/uk/your-ad-choices/ (EU), http://www.aboutads.info/choices (US).
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy Policy: https://www.facebook.com/policy.php.
Processing in third countries: USA.
Guarantee when processing in third countries: Privacy Shield www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Retention of data: The data will be deleted by Facebook and will be deleted if the user's data is deleted as part of the termination.

OpenX

OpenX Services include the Ad Exchange, a Web-based marketplace that enables publishers, advertisers, and ad networks to efficiently market, buy and sell digital and mobile advertising and ad inventory. OpenX also offers services, such as the Ad Server, through which OpenX acts as a service provider to enable Publishers, advertisers, ad networks, and other clients to manage their advertising inventory and to collect and use data to provide advertising on their digital and mobile properties and across the Internet. In this case, Publishers may use our services to process data, which they collect or source.

Data processed: Usage data (IP addresses), metadata, location data.
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, remarketing, online behavioural advertising, profiling.
Special security measures: Opt-Out, Data Processing Agreement.
Opt-Out: https://www.openx.com/legal/interest-based-advertising.
External disclosure and purpose: OpenX Technologies, Inc. 888 E. Walnut Street Pasadena, California 91101, USA
Processing in third countries: USA.
Privacy Policy: https://www.openx.com/legal/privacy-policy/.
Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt0000000TNodAAG&status=Active.
Retention of data: https://docs.openx.com/Content/publishers/reporting_doc_retainingdata.html.

Outbrain

We use the Outbrain service for personalised marketing purposes, e.g. to display advertisements within our websites based on the presumed interests of users.

Data processed: Usage data, metadata, IP-Address (truncated), usaage of a pseudonymous Unique User ID (UUID).
Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, remarketing, online behavioural advertising, profiling.
Special security measures: Opt-Out, IP-Masking (Pseudonymisation).
Opt-Out: https://www.outbrain.com/legal/amplify-terms#privacy-policy.
External disclosure and purpose: Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA.
Privacy Policy: https://www.outbrain.com/legal/amplify-terms#privacy-policy.
Processing in third countries: USA.
Retention of data: The stored personal data will be deleted after 13 months.

Squarespace

Squarespace provides Software as a Service for website building and hosting. We use Squarespace for building landing pages.

Data processed: Inventory data, contact details, content data, usage data, metadata. Squarespace uses this data in anonymous, aggregated or pseudonymized form which does not focus on the end user individually. Squarespace use this data to evaluate, provide, protect or improve our Services (including by developing new products and services).
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. GDPR.
Data subjects: Employees, website visitors, users of the websites built and hosted by Squarespace for us.
Purpose of processing: Creating web pages.
Type, scope and mode of operation of the processing: Cookies, tracking, cross-device-tracking, clicktracking, web beacons, profiling, online behavioral advertising, remarketing/retargeting, web analytics, third party cookies, demographic data, embedding, plugins/social plugins.
Special security measures: DPA.
Opt-Out: on request.
Necessity / interest in processing: Performing contractual services, customer consent, legitimate business interests (e.g. developing and promoting Squarespace business, analyzing and improving safety & security of services), compliance with applicable laws
External disclosure: Squarespace, Inc. 8 Clarkson St, New York, NY 10014, USA
Privacy Policy: https://www.squarespace.com/privacy
Processing in third countries: USA
Guarantee when processing in third countries: DPA & Standard Contractual Clauses, E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnjcAAC&status=Active
Retention of data: The precise periods for which Squarespace keeps your personal information vary depending on the nature of the information and why Squarespace needs it. Factors Squarespace considers in determining these periods include the minimum required retention period prescribed by law or recommended as best practice.

Taboola

We use the Taboola service for personalised marketing purposes, e.g. the presentation of advertisements within other online offers based on the presumed interests of users.

Data processed: Usage data, metadata.
Type, scope and functioning of processing: permanent cookies, third party cookies, fingerprints, tracking, remarketing, interest-based marketing, web beacons, profiling.
Special protective measures: IP masking, opt-out.
Opt-Out: https://www.taboola.com/privacy-policy#users-2-5.
External disclosure: Taboola, Inc., Kings Court, 2-16 Goodge Street, 2nd fl., London W1T 2QA, UK.
Privacy Policy: https://www.taboola.com/privacy-policy.
processing in third countries: no.

Webflow

We use Webflow services to build static websites, which may include online forms.

Data processed: Inventory data, contact details, content data (survey responses, forum or blog posts), usage data, billing information, metadata.
Special categories of personal data: none.
Legal basis: Art. 6 (1) f. GDPR.
Data subjects: Website Visitors, Employees.
Purpose of processing: Ensuring network and information security, providing service communications, improving quality control, providing customer service, enhancing user experience, research & development including web analytics, marketing.
Type, scope and mode of operation of the processing: Cookies, third party cookies, web beacons, web analytics, tracking, clicktracking, cross-device tracking, facebook pixel and remarketing service, profiling, online behavioral advertising, remarketing/retargeting
Opt-Out: Opt-Out options in particular for third party analytics and advertising in Cookie Policy: https://webflow.com/legal/cookie-policy
Necessity / interest in processing: Increased usability, legitimate business purposes.
External disclosure: Webflow, Inc., 208 Utah, Suite 210, San Francisco, CA 94103, United States
Privacy Policy: https://webflow.com/legal/eu-privacy-policy
Processing in third countries: USA.
Guarantee when processing in third countries: DPA & Standard Contractual Clauses in case of the transfer of user data originating in the EU to third countries, E.U.-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TT9jAAG&status=Active
Retention of data: Webflow limits their storage of the Personal Information to the amount of time necessary to fulfil the purposes for which Webflow collected the Personal Information, including for the purposes of satisfying any legal, accounting, or reporting obligations, or to resolve disputes. The standard retention periods for Personal Information are:
- Browser interaction data, such as cookies and trackers, is kept for a period of up to one year from expiry of the cookie or date of collection. - Product analytics data is kept for up to 5 years, and automatically deleted on an ongoing basis.

Section IV - Definitions

This section provides an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and defined above all in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily for understanding. The terms are sorted alphabetically.

A/B Tests - A/B Tests are designed to improve the usability and performance of online services. For example, users are shown different versions of a website or its elements, such as input forms, on which the placement of the content or labels of the navigation elements can differ. Subsequently, it is possible to determine which of these websites or elements are more suited to the needs of the users on the basis of the users' behaviour, e.g. longer stays on the website or more frequent interaction with the elements of the website.
Affiliate Links - Affiliate links are links that are used to refer users to websites with product or other offers. The operators of the respective linking websites can receive a commission if users follow the affiliate links and then take advantage of the offers. For this it is necessary that the providers can track whether users who are interested in certain offers subsequently purchase them at the initiative of the affiliate links. Therefore, the functionality of affiliate links requires that they be supplemented by certain values that become part of the link or are otherwise stored, e.g. in a cookie. The values include in particular the initial website (referrer), the time, an online identification of the operator of the website on which the affiliate link was located, an online identification of the respective offer, an online identification of the user, as well as tracking specific values such as, for example, advertising material ID, partner ID and categorisations.
After-Sales - "After Sales" is a marketing procedure in which, for example, customers of an online shop are presented with advertising offers from other companies (which are usually based on the services or products purchased in the online shop). Furthermore, the functionality of after-sales corresponds to the functionality of affiliate links.
Aggregated Data - Aggregated data is pooled data that cannot be traced back to a person and is therefore not personal. For example, visit times on a website can be saved as median values.
Anonymous data - Anonymity occurs when a person cannot at least be identified by the controller using the reasonable means at his disposal on the basis of data. In particular, aggregated data may be anonymous.
Clicktracking - "Clicktracking" allows to track the movements of users within an entire website. Since the results of these tests are more accurate if the user interaction can be monitored over a certain period of time (e.g. if a user likes to return), cookies are usually stored on the user's computers for these test purposes.
Consent – „consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Conversion - "Conversion", or "Conversion measurement" refers to a procedure with which the effectiveness of marketing measures can be determined. As a rule, a cookie is stored on the user's devices within the websites on which the marketing activities take place and then retrieved again on the target website (e.g. this enables us to trace whether the ads we placed on other websites were effective).
Cookies - Cookies are small files that are stored on the user's computer. Different data can be stored in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit to an website. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an website and closes his browser. In such a cookie, for example, the content of a shopping basket in an online shop or a login status within a community can be stored. Cookies are referred to as "permanent" or "persistent" if they are stored even after the browser is closed. For example, the login status can be saved permanently. Likewise, the interests of users used for web analytics or marketing purposes (see e.g. "Remarketing") may be stored in such a cookie. As a "third party cookie", cookies are offered by providers other than the operator of the website (otherwise, if they are only the operators cookies, they are referred to as "first party cookies").
Cross-Device-Tracking - Cookies and fingerprints are device-related. Cross-device tracking is required to evaluate the interests of users using smartphones for advertising on desktop PCs. Logins in social networks such as Facebook, for example, can be used for this purpose. Alternatively, location data, IP addresses and user behavior are used to achieve up to 98% more precise user restriction. Cookies and web beacons are usually used for cross-device tracking purposes.
Custom Audiences - Custom audiences are people who are targeted for advertising purposes, e.g. the display of advertisements. For example, based on a user's interest in certain products or topics on the Internet, it may be concluded that the user is interested in advertisements for similar products or the online shop in which he has viewed the products. "Lookalike audiences" are users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are usually used for the purpose of creating custom audiences and lookalike audiences. "Custom Audiences from Website" means that the target groups are formed on the basis of visitors of the own website. "Custom Audiences from File" means that, for example, a list of e-mail addresses is uploaded to the respective advertising network or platform to form the target group.
Data subject - See "Personal data".
Demographic Data - Demographic data are general information about groups of people or persons, e.g. characteristics such as age, gender, place of residence and social characteristics such as occupation, marital status or income. Demographic data is collected within the scope of web analytics and in online marketing for the purposes of online behavioural marketing or for business analyses that are used, for example, to determine the target groups.
Embedding - Embedding involves integrating external content or software functions (see "Plug-ins") into one' s own website in such a way that they are displayed or executed on this website. No copy of the content is created because it is called from the original server (e.g. videos, images, posts on social networks, widgets with ratings). With embedding, it is technically necessary for the provider of the content to obtain the IP address of the user in order to display the embedded content in the user's browser. Furthermore, the content provider may, for example, store cookies on the user's devices.
Advanced matching - The "advanced matching" is a Facebook pixel option, which means that inventory data such as phone numbers, email addresses or Facebook IDs of users are transmitted to Facebook in encrypted form to form target groups for Facebook ads and are used only for this purpose.
Error tracking - During error tracking, e.g. incorrectly executed program code is detected in order to eliminate it and thus guarantee the functionality and security of websites.
Fingerprints and other online identifiers - "Fingerprints" correspond in their function to cookies, whereby the storage of a file on the user's device is not required. These digital fingerprints can be individually created as cross sums of individual factors of devices, e.g. computing power or browser plug-ins for devices, and thus used for web analytics, profiling, remarketing, online- and behavioral advertising.
First-Party Cookies – See „Cookies”.
Heatmaps - "Heatmaps" are mouse movements of the users, which are combined to an overall picture, with the help of which e.g. it is possible to recognize which website elements are preferred and which website elements users prefer less.
IP address - The IP address ("IP" stands for Internet Protocol) is a sequence of numbers that can be used to identify devices connected to the Internet. When a user visits a website on a server, he informs the server of his IP address. The server then knows that it must send the data packets containing the content of the website to this address.
IP Masking - IP masking is a method in which the last octet, i.e. the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing methods, especially in online marketing.
Online behavioral advertising (OBA) - online behavioral advertising is the term used when profiling is used to assess the potential interest of users in advertising. Cookies and web beacons are usually used for these purposes.
Lookalike Audiences – See “Custom Audiences”.
Opt-in - The term "opt-in" means, depending on the context, the same as registration or consent.. If a registration (e.g. by entering an e-mail address in an online form field) is confirmed by sending an e-mail with a confirmation link to the owner of the e-mail address, this is referred to as a Double-Opt-In (DOI).
Opt-Out - The term Opt-Out means unsubscription and may be an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
Opt-Out-Cookie - An "Opt-Out-Cookie" is a small file (see "Cookies") which is stored in your browser and in which it is noted that, for example, a tracking service should not process your data. The "opt-out cookie" only applies to the browser in which it was saved, i.e. in which you clicked the opt-out link. If cookies are deleted in this browser, you must click the opt-out link again. Furthermore, an opt-out link can only be limited to the domain on which the opt-out link was clicked.
Permanent Cookies – See „Cookies”.
Personal Data - "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Plugins/ Social Plugins - Plugins (or "Social Plugins" in the case of social functions) are external software functions that are integrated into a website. For example, they can be used to output interaction elements (e.g., a "I like" button) or content (e.g., external commenting function or postings in social networks).
Processor - "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Profiling - "Profiling" means any automated processing of personal data consisting in the use of such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information regarding age, gender, location and movement data, interaction with websites and their contents, shopping behaviour, social interactions with other people) (e.g. interests in certain contents or products, click behaviour on a website or the location). Cookies and web beacons are often used for profiling purposes.
Privacy Shield - The EU-US Privacy Shield is an informal agreement in the field of data protection law negotiated between the European Union and the United States of America. It consists of a number of assurances from the US government and a decision by the EU Commission. Companies certified under the Privacy Shield offer a guarantee to comply with European data protection law (https://www.privacyshield.gov).
Pseudonymisation/ Pseudonyms - "Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; E.g. if an exact interest profile of the computer user is stored in a cookie (a "marketing avatar"), but not the name of the user, then data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address is stored, then the processing is no longer pseudonymous.
Third countries - Third countries are countries in which the GDPR is not directly applicable law, i.e. in general states that do not belong to the European Union (EU) or the European Economic Area (EEA).
Web Analytics - Web Analytics is used to evaluate the visitor flows of a website and can include their behaviour, interests or demographic information, e.g. age or gender. With the help of range analysis, website owners, for example, can see what types of people visit their website at what time and what content they are interested in. This enables them, for example, to better optimize the content of the website to the needs of their visitors. Cookies and web beacons are often used for Web Analytics purposes.
Remarketing/ Retargeting - "Remarketing" or "Retargeting" is used when, for example, for advertising purposes is noted which products a user is interested in on a website in order to remind the user on other websites of these products, e.g. in advertisements. Cookies are usually used for retargeting purposes.
Session Cookies – See „Cookies”.
Single-Sign-On - Single-Sign-On" or "Single-Sign-On-Authentication" is a procedure that allows users to log on to an online service, using other online services, they are members with. A requirement for Single-Sign-On authentication is that users are registered with the respective Single-Sign-On provider and enter the required credentials on the web form provided for this purpose. Authentication takes place directly with the respective single sign-on provider. As part of such authentication, we receive a user ID with the information that the user is logged in under this user ID at the respective single sign-on provider and an ID that can no longer be used by us (so-called "user handle"). Whether we receive further data depends solely on the single sign-on procedure used, the selected data shares as part of authentication and also which data users have authorised in the privacy or other settings of the user account with the single sign-on provider. Depending on the single sign-on provider and the choice of users, it can be different data, usually the e-mail address and the user name. The password entered as part of the single sign-on procedure is neither visible to us nor is it stored by us. Users are asked to note that their data stored with us can be automatically synchronized with their user account with the Single-Sign-On provider, but this is not always possible or actually occurs. If, for example, the e-mail addresses of users change, users must change these manually in their user account at our site. If users decide that they no longer want to use their user account link with the Single-Sign-On provider for the Single-Sign-On procedure, they must cancel this link within their user account held with the Single-Sign-On provider. If users wish to erase their data from our system, they must cancel their registration at our service.
Special categories of personal data - Data identifying racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person's sex life or sexual orientation.
Third Party - “Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Third-Party Cookies – See „Cookies”.
Tracking - Tracking is defined as when the behaviour of users can be traced across several online offers, e.g. for remarketing purposes. The behavioral and interest information collected with regard to the online services used is stored as user profiles in cookies or on the servers of marketing service providers (e.g. Google or Facebook).
Universal Analytics - "Universal Analytics" is a Google Analytics process in which the user analysis is based on a pseudonymous user ID and a pseudonymous profile of the user with information from the use of various devices is created ("cross-device tracking").
Controller – “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processing – “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Tracking pixels – See Web-Beacons.
Web beacons - Web beacons (or "pixels", "measuring pixels" or "tracking pixels") are small, pixel-sized graphics that are integrated into Web pages or HTML e-mails. For example, they allow to determine whether an e-mail has been opened (at least if the image display in e-mails is enabled) or how often a website is accessed by a user.
Widgets – See Embedding.