1. Data protection

We take the protection of your personal data very seriously. We treat your personal data confidentially and according to the legal data protection regulations as well as this data protection information.

This data protection information applies to the processing of personal data by us on our website www.spielerplus.de (“website”) and for our web application (hereinafter “web application”) as well as for our mobile apps (hereinafter “apps”) (together hereinafter “applications”). It explains the type, purpose, and scope of the data processing within the framework of the website, the web application, and the mobile apps.

We would like to point out that data transmissions on the Internet can have security gaps. Seamless protection of the data against access by third parties is not possible.

2. Controller

The “Controller” is the natural or legal person, public authority, agency, or other body that alone or with others determines the purposes and means of the processing of personal data.

The controller for the data processing to provide the services within the website www.spielerplus.de and within the applications is:

SPM Sportplatz-Media GmbH
Schleidenstraße 3
22083 Hamburg
E-Mail: [email protected]
Website: https://www.spielerplus.de/
Tel.: +49 40 537 9863 - 30

The respective trainer(s) and admin(s) are responsible for the data processing within a team in the applications.

Regarding this data processing, we (SPM Sportplatz-Media GmbH) only act on behalf of and according to the instructions of the trainer (order processing). You can find the data protection information of the trainer account for the data processing within a team in the settings under “Trainer data protection”

The following data protection information therefore only applies to the processing of personal data for which we (SPM Sportplatz-Media GmbH) are responsible.

3. General information on data processing

a. Scope of the processing of personal data

We categorically collect and use the personal data of our users only to the extent required for the provision of our applications, our contents, and our services. The collection and use of our users’ personal data is regularly only carried out with the consent of the user. Exceptions are made in cases in which prior consent cannot be obtained for factual reasons and where the processing of the data is permitted by legal regulations.

b. Legal basis for the processing of personal data

Insofar as we obtain consent from the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

In the processing of personal data that is required for the performance of a contract in which the contractual party is the data subject, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing that is required to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is required to safeguard a legitimate interest of our company or a third party and the interests, basic rights, and basic freedoms of the data subject do not outweigh the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

c. Data deletion and storage period

The personal data of the data subject are deleted or blocked as soon as the purpose of the storage is no longer applicable. Additionally, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data is also restricted or erased if a storage period prescribed by the above-mentioned standards expires, unless there is a need to continue storing the data in order to fulfill or conclude a contract.

d. Note on data transfer to the USA

Our website also includes tools from companies based in the USA. If these tools are enabled, your personal data may be transferred to these companies’ US servers. The processing of personal data in the USA only takes place if the companies have concluded so-called EU standard contract clauses with us and their subcontractors. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

4. Provision of the website and creation of log files

Whenever our website (including the web application) is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected for a limited period of time:

The user’s IP address
The date and time of access
The user’s user agent
The path to the accessed page

The data are stored in the log files of our system. These data are only required for the analysis of any malfunctions and are deleted within 30 days at the latest. The legal basis for the temporary storage of the data and log files is Article 6 (1) (f) GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. The user’s IP address must be stored for the duration of the session for this purpose. The purpose of the storage in log files is to ensure the functionality of the website. We also use the data to optimize the website and ensure the security of our information technology systems. The data are not evaluated for marketing purposes in this context, and no conclusions are drawn about your person. These purposes also include our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR. The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. As a consequence, there is no possibility of objection on the part of the user.

5. Data processing for registered users

When you register and use our applications, the following personal data is collected from you:

• First and last name
• Address
• Date of birth, if applicable
• User name
• E-Mail address
• Order data (which products were ordered from which seller)
• Invoice and contract data
• Profile picture, if applicable
• Team picture, if applicable

We also process the following technical data:

• IP addresses
• Browser types and browser version
• Operating system
• Referrer URL
• Host name of the accessing computer
• Time of the server access
• Metadata
• Device IDs
• Login information for third-party services (e.g., Facebook ID)
• Language settings
• Installed app version

These data are processed for the purpose of implementing the user agreement between us and you (Art. 6 (1) sentence 1 lit. b GDPR). We only process the data until the purpose for which it was stored no longer applies or you request us to delete it. Usually, there is no longer any purpose for storing data when you log out of the application. However, if there are mandatory statutory retention periods, the relevant data are only deleted after the statutory periods have expired (e.g., tax-related retention period for invoice data).

6. Minors

Persons who are under the age of 16 must only transmit their personal data to us with the consent of their legal guardians pursuant to Art. 8 GDPR. We do not knowingly collect and process the personal data of minors.

7. Hosting and content delivery networks (CDN)

External hosting

The app or website is hosted by an external service provider (host). The personal data collected via the app or website are stored on the host’s servers. In particular, this may include IP addresses, contact requests, meta- and communication data, contract data, contact data, names, page accesses, and other data generated by an app or website.

The host is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer through a professional provider (Art. 6 (1) (f) GDPR).

Our host will process your data only to the extent necessary to fulfill its service obligations and will follow our instructions with regard to these data.

Conclusion of a contract on order processing

To ensure processing in accordance with data protection regulations, we have concluded a contract for order processing with our host.

We use the Cloudflare service. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”).

Cloudflare offers a globally distributed content delivery network with a DNS (Domain Name System). The transfer of information between your browser and our website is routed through the Cloudflare network. This enables Cloudflare to analyze the data traffic between your browser and our website and to act as a filter between our servers and potentially malicious data traffic from the Internet. Cloudflare may also use cookies in this process, but these are solely used for the purpose described herein.

The use of Cloudflare is based on our legitimate interest in ensuring the most error-free and secure provision of our offer possible (Art. 6 (1) (f) GDRP). This interest outweighs your interest in the non-processing by Cloudflare. These cookies are technically necessary and objecting to their use is not possible. If you do not wish Cloudflare to process your data, please stop using our service. More information on the topic of security and data protection at Cloudflare is available here: https://www.cloudflare.com/privacypolicy/.

We have concluded standard EU contract clauses with Cloudflare. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

8. Tracking

a. Tracktics

If you are obtaining the services of our partner TRACKTICS GmbH, Hanauer Landstraße 291A, 60314 Frankfurt am Main (“TRACKTICS”), TRACKTICS is responsible for the processing of personal data in connection with the services of TRACKTICS as defined by Art. 4 (7) GDPR. You can find the data protection declarations of TRACKTICS at: https://tracktics.com/datenschutzerklaerung/

We only process your personal data (account ID) for the purpose of presenting the TRACKTICS services within the applications that TRACKTICS transmits to us on the basis of a contractual agreement with you or on the basis of a consent given by you. The legal basis for processing these data is Art. 6 (1) (1) (b) GDPR.

b. Other health-data services

Before using the health-data services Apple Health, Google Fit, or Huawei Health and by making the relevant settings, you agree that SPM Sportplatz Media GmbH may process your health data stored with your provider for the purpose of presentation in the applications. This consent can be revoked at any time by managing the settings of the respective operating system. The legal basis for processing these data is Art. 6 (1) (a) GDPR.

9. Contact

You can contact us by email, phone, or fax. In this process, your information from the inquiry and the contact details you provide there will be stored by us exclusively for purposes of processing the inquiry and in case of further questions. The data will not be transmitted to third parties in this context.

The legal basis for the data processing is Art. 6 (1) (f) GDPR. Our interest in answering your inquiry outweighs your interest; since you are writing to us, an answer is also in your interest and you are aware that we have to process your data to answer your inquiry.

If the purpose of the email contact is to conclude a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR.

The data will be deleted as soon as they are no longer required for the purpose of their collection. This is the case when the respective conversation with the user has ended. The conversation has ended when it can be derived from the circumstances that the relevant matter has been resolved conclusively.

You can also contact us with the “Messenger” Facebook plugin. You can find more information about this function and the processing of personal data in this context under item 14 of this data protection information.

10. Support and feedback

You can contact us by email, phone, or fax. In this process, your information from the inquiry and the contact details you provide there will be stored by us exclusively for purposes of processing the inquiry and in case of further questions. The data will not be transmitted to third parties in this context.

The legal basis for the data processing is Art. 6 (1) (f) GDPR. Our interest in answering your inquiry outweighs your interest; since you are writing to us, an answer is also in your interest and you are aware that we have to process your data to answer your inquiry.

If the purpose of the email contact is to conclude a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR.

The data will be deleted as soon as they are no longer required for the purpose of their collection. This is the case when the respective conversation with the user has ended. The conversation has ended when it can be derived from the circumstances that the relevant matter has been resolved conclusively.

Zendesk

We use the Zendesk CRM system to process user requests. The provider is Zendesk, Inc., 1019 Market Street in San Francisco, CA 94103 USA (“Zendesk”).

We use Zendesk to process your requests quickly and efficiently. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Requests can be sent by providing only an email address, without the need to also state your name. Messages sent to us remain with us until you request their erasure or the purpose for the data storage no longer applies (e.g., after your inquiry has been successfully processed). Mandatory statutory regulations – retention periods in particular – remain unaffected.

We have concluded standard EU contract clauses with Zendesk. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

If you are not comfortable with our processing of your request through Zendesk, you also have the option to contact us by email, phone, or fax.

For more information, please see the Zendesk privacy policy at https://www.zendesk.de/company/customers-partners/privacy-policy/.

Zendesk chat features

On our website, you have the option to send us messages via a chat window. The chat features are provided by Zendesk. When you use this chat window, we store your IP address in addition to your chat messages. Providing your name is not necessary for the chat.

11. Newsletter data

If you would like to subscribe to the newsletter offered in our applications, we need your email address and information that permit us to confirm that you are the owner of this email address and agree to receive the newsletter. No other data are collected. We exclusively use these data to send the requested information and do not transmit it to third parties. The legal basis for the data processing is your consent (Article 6 (1) (a) GDPR).

You can withdraw your consent to store the data and email addresses and to use them to send the newsletter at any time, for example with the “Unsubscribe” link in the newsletter. The legality of the data processing operations that have already been performed remains unaffected by the revocation.

If you are a regular customer of ours, we can also send information on features, updates, and SpielerPlus content to your email address in the form of a newsletter. The legal basis for the data processing of your email address for this purpose is our legitimate interest in the sending of additional useful information on our offering, which overrides your interest in non-processing (Art. (6) (1) (f) GDPR). You can informally cancel the receipt of future newsletters at any time, such as via the link included in the newsletter.

The data that you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe.

12. Use of cookies and analysis & advertising tools

a. Cookies required for the operation

We use so-called session or flash cookies on our website www.spielerplus.de and in our applications. Cookies are text files that are stored in or by the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string of characters that enables the browser to be uniquely identified when the website is accessed again. Some functions of our website cannot be offered without the use of cookies. These make it necessary for the browser to be identified even after a webpage is changed. The user data collected with the technically necessary cookies are not used to detect the identity of the user or to create user profiles. The legal basis for the processing of personal data with technically necessary cookies is Art. 6 (1) (f) GDPR.

b. Other cookies

We also use cookies on our website for various other purposes.

(1) Consent manager

To this end, we have integrated the consent management tool “consentmanager” (www.consentmanager.de)) from consentmanager GmbH (Eppendorfer Weg 183, 20253 Hamburg, Germany, [email protected]) to request consent for the data processing or the use of cookies or similar functions. With “consentmanager”, you have the option to give or refuse your consent for certain functionalities of our website and applications, e.g., for the purpose of integrating external elements, integrating streaming contents, statistical analysis, range measurement, and personalized advertising. You can use “consentmanager” to give or refuse your consent for all functions or to give your consent for individual purposes or individual functions. You can also change the selected settings later. With this change function, you can revoke your consent at any time.

The purpose of integrating “consentmanager” is to enable the users of our website and applications to decide on the above-mentioned matters and, in the context of the further use of our website and applications, to offer the option to change settings that have already been made. In the course of the use of “consentmanager”, personal data and information about the used end devices, like the IP address, are processed.

The legal basis for the processing is Art. 6 (1) (1) (c) in connection with Art. 6 (3) (1) (a) in connection with Art. 7 (1) GDPR and alternatively (f). With the data processing, we help our customers (the controller according to GDPR) to comply with their legal obligations (e.g., obligation to provide evidence). Our legitimate interests in the processing lie in the storage of user settings and preferences with respect to the use of cookies and other functionalities. “consentmanager” stores your data as long as your user settings are active. After two years from the date on which the user settings were made, you will be asked for your consent again. The entered user settings are then stored again for this period.

You may object to the processing. Your right to object exists in case of reasons arising from your particular situation. For purposes of objecting, please send an email to [email protected].

You can also set your browser to inform you whenever cookies are placed, to only permit cookies in individual cases, exclude the acceptance of cookies in certain cases or in general, or activate the automatic deletion of the cookies when the browser is closed. Deactivating cookies or refusing your consent may limit the functionality of this website.

(2) Google Analytics

Our website uses functions of the Google Analytics web analysis service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called cookies. These are text files that are stored on your device that enable an analysis of your use of the website. The information created by the cookie about your use of the website is generally transmitted to a Google server in the USA and stored there. Google has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 (1) (a) GDPR, since corresponding consent was requested (e.g., consent to the storage of cookies). The consent can be revoked at any time via the website’sconsent manager. There you can also access information about the cookies used by Google.

We have activated the IP anonymization function. This means that Google truncates your IP address within member states of the European Union or in other countries that are parties to the agreement in the European Economic Area before it is transferred into the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf to evaluate your use of the application, compile reports about the application activities, and provide other services associated with the application and Internet usage for the operator. The IP address transmitted by your device as part of Google Analytics is not integrated with any other data from Google.

You can prevent the storage of cookies with a corresponding browser setting. However, please be aware that you might not be able to use all of the website’s functions to their full extent in such a case. Furthermore, you can prevent the recording of the data (including your IP address) generated by the cookie and referring to your website use by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available at the following link:

https://tools.google.com/dlpage/gaoptout?hl=de

The website uses the “demographic characteristics” function of Google Analytics. This makes it possible to generate reports that contain information about the age, gender, and interests of the site visitors if you are using a Google account. These data come from interest-based advertising by Google as well as from third-party visitor data. These data cannot be attributed to any particular person. You can disable this function at any time via the ad settings in your Google account, or generally prohibit Google Analytics from collecting your information as described in the “Opting out of data collection” section.

User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

c. Analysis tools

When using our applications, your behavior may be analyzed using certain analytics tools to maintain and improve our services. When using these kinds of tools, we make sure that we comply with the legal data protection regulations. Insofar as personal information is processed in this context, the legal basis is Art. 6 (1) (b) GDPR. When external service providers (commissioned data processors) are used, we conclude the appropriate contracts with service providers to ensure that the data processing corresponds to the German and European data protection standards.

We use the following tools for technical analysis:

(1) Google Analytics

The applications use functions of the Google Analytics web analysis service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called cookies. These are text files that are stored on your computer that enable an analysis of your use of the application. The cookies used for these purposes are:

Cookie Name	Purpose	Recipient	Storage period
_ga	Measurement	Google Analytics	730 days
_gat_*	Measurement	Google Analytics	1 minute
_gid	Measurement	Google Analytics	1 days

The information generated by cookies is usually transferred to a Google server in the USA and stored there. Google has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR.

The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 (1) (b) GDPR, since this technical analysis is necessary for the safe and timely performance of contractual services.

We have activated the IP anonymization function. This means that Google truncates your IP address within member states of the European Union or in other countries that are parties to the agreement in the European Economic Area before it is transferred into the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf to evaluate your use of the application, compile reports about the application activities, and provide other services associated with the application and Internet usage for the operator. The IP address transmitted by your browser as part of Google Analytics is not integrated with any other data from Google.

You can prevent the storage of cookies with a corresponding browser setting. However, please be aware that you might not be able to use all of the application’s functions to their full extent in such a case. Furthermore, you can prevent the recording of the data (including your IP address) generated by the cookie and referring to your application use by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available at the following link:

https://tools.google.com/dlpage/gaoptout?hl=de

The applications use the “demographic characteristics” function of Google Analytics. This makes it possible to generate reports that contain information about the age, gender, and interests of the site visitors if you are using a Google account. These data come from interest-based advertising by Google as well as from third-party visitor data. These data cannot be attributed to any particular person. You can disable this function at any time via the ad settings in your Google account, or generally prohibit Google Analytics from collecting your information as described in the “Opting out of data collection” section.

User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

(2) Sentry

We use the service Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94107, USA, to ensure the technical stability of our service by monitoring the systems and to improve the service by identifying code errors. Sentry does not process data for advertising purposes and serves the sole purpose of system monitoring and improvement. User information, such as details of the device or the time the error occurred, is processed anonymously and not used in a manner that allows identification of the individual. This data is deleted after the analysis.

For more information, please see the Sentry data processing addendum at https://sentry.io/legal/dpa/.

We have concluded standard EU contract clauses with Sentry. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

(3) AddApptr

When you use our applications, we use the AddApptr service provided by AddApptr GmbH, Alsterufer 4, 20354 Hamburg, Germany (“AddApptr”). This tool is used for interest-based advertising, which is selected and provided by AddApptr when using our free services. For this purpose, AddApptr processes the following categories of data:

Website information (category, language, display size), user information (user ID, age, login, being a minor, admin role), team information (sport, men’s or women’s team), device information (mobile device, device screen, screen orientation, device system, system version, browser type, browser version), localization (country, city, zip code).

Furthermore, AddApptr may also process mobile identification (ID for Advertising for iOS (IFDA from Apple), Google Advertising ID (GAID), and Huawei Advertising Identifier (HAID)) and geolocation/location if you have given your consent through relevant settings on your device.

AddApptr/the AddApptr Tool (SDK) pseudonymizes aforementioned data for processing. Linking the data to a user is only possible by us. As a rule, AddApptr also does not disclose any data to third parties. However, the AddApptr SDK utilizes various other tools (SDKs), e.g., from Google, SmartAd, or MoPub. These third-party SDKs collect information independently. Some of this data is also transferred to the USA. AddApptr has concluded EU standard contractual clauses with these partners. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR. For a list of AddApptr’s partners and more information about AddApptr’s Privacy Policy, please visit https://drive.google.com/drive/folders/1fbXcWlUFCdhA-UITTgKXJepo3EvHfgO8.

The legal basis for the placement of interest-based advertising by AddApptr is your consent, which you gave us upon establishing the contractual relationship between you and us (Article 6 (1) (a) GDPR). The data will be stored until the contractual relationship ends or you revoke your consent by sending an email to [email protected]. The legality of data processing operations carried out before such a revocation remains unaffected. Please note that if you revoke your consent, we are permitted to terminate the contractual relationship immediately after weighing the mutual interests in accordance with § 327q BGB (German Civil Code, as amended from time to time).

In case of switching from a non-premium team to a premium team without logging in again (within the session), the advertising setting will, for technical reasons, remain unchanged. To solve this, simply log out, then log in to the premium team.

(4) Report-URI

The Applications use functions of the web analytics service Report-URI. The provider is Report-URI Ltd, 22 Shireburn Avenue, Clitheroe, Lancashire, BB7 2PN, United Kingdom. The service is used to detect, prevent and report technical irregularities and breaches of security / Content Security Policy (CSP). The service is an effective means against attacks from outside (cross-site scripting).

For more information, see the Report-URI privacy policy: https://report-uri.com/home/privacy_policy

or Data Security: https://cdn.report-uri.com/pdf/Report%20URI%20-%20Data%20Protection%20(1v03).pdf.

13. Plugins, tools, hosting

a. YouTube

The applications integrate videos on YouTube. The operator of the website is Google Ireland Limited (“YouTube”), Gordon House, Barrow Street, Dublin 4, Ireland.

When you start a YouTube video via the applications, a connection to the YouTube servers is established. In this process, the YouTube server is informed which of our pages you have visited. If you are logged in to your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Additionally, YouTube can store various cookies on your device after starting a video. These cookies can help YouTube obtain information about visitors to the application. Among other things, this information is used to collect video statistics, improve the user experience, and prevent fraud. The cookies remain on your device until you delete them.

It is possible that launching a YouTube video triggers further data processing operations over which we have no influence. The use of YouTube is based on your consent to YouTube (e.g., consent to the storage of cookies), Art. 6 (1) (a) GDPR. You can find additional information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de

Google has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

b. Google Maps

The applications use the map service Google Maps via an API. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. To use the Google Maps functions, it is necessary to store your IP address. This information is generally transferred to a Google server in the USA and stored there. The provider of this website has no influence on this data transfer.

Google Maps is used in the interest of an attractive presentation of our online offers and to make it easy to find the locations we indicate in the application. This represents a legitimate interest in the sense of Art. 6 (1) (f) GDPR. Insofar as corresponding consent was requested, the use is based on Art. 6 (1) (a) GDPR. Consent can be revoked at any time.

You can find more information on how user data are handled in Google’s privacy policy: https://policies.google.com/privacy?hl=de

Google has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

c. Google Web Fonts

For the uniform display of fonts, these applications use so-called web fonts, which are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google Fonts are installed locally. There is no connection to Google’s servers. You can find more information on Google Web Fonts at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://policies.google.com/privacy?hl=de.

d. Google Tag Manager

We use the Google Tag Manager service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

This service makes it possible to manage website tags through one interface. The Google Tag Manager only implements tags. This means: No cookies are used and no personal data are collected. The Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation was carried out in respect to a domain or cookie, it will remain effective for all tracking tags insofar as these are implemented with the Google Tag Manager.

e. Amazon Web Services

For the processing of data, we use Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. We have entered into an order processing contract with Amazon Web Services EMEA SARL.

If your personal data is processed by Amazon Web Services EMEA SARL outside the EEA, Amazon Web Services EMEA SARL has agreed to comply with the provisions of the relevant data protection laws. This includes, for example, the transfer of data in accordance with the framework agreements for the EU-US and Swiss-US data protection shield (“Privacy Shield” in respect to transfers to the USA) or in accordance with data transfer agreements that include the standard contractual clauses approved by the EU Commission.

Amazon Web Services EMEA SARL has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

14. eCommerce and Payment Providers

Data transmission when concluding a contract for services and digital contents

We transfer personal data to third parties only if this is necessary for the execution of the contract; for example, to the credit institution responsible for processing payments.

The basis for the data processing is Article 6 (1) (b) GDPR, which permits data processing in order to fulfill a contract or pre-contractual measures.

There is no further transmission of the data unless you expressly consented to the transmission. There is no transfer of data to third parties without express consent.

PayPal (Braintree)

We offer payment via the “Braintree” payment gateway from PayPal, among other things. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).

If you select payment via PayPal, the payment information you enter will be transmitted to PayPal.

The transmission of your data to PayPal is based on Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (processing for the performance of a contract). You have the option of revoking your consent to the data processing at any time. A revocation does not affect the validity of data processing operations performed in the past.

PayPal has concluded EU standard contractual clauses with its group companies. This provides sufficient guarantees for adequate data protection within the meaning of Art. 46 GDPR in the event of data processing outside the EU.

In-app purchases

If you make an in-app purchase within the applications, the transaction and payment will be carried out solely between you and the Apple App Store on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://www.apple.com/legal/internet-services/itunes/de/terms.html and https://www.apple.com/legal/privacy/de-ww/.

If you make an in-app purchase on an Android device in the Google Play Store, the transaction and payment will be carried out solely between you and the Google Play Store on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://play.google.com/intl/de_de/about/play-terms.html und https://www.google.de/intl/de/policies/privacy/.

The legal basis for the above-mentioned processing is Art. 6 (1) (1b) GDPR (processing is required to fulfill a contract with the affected person).

If you make an in-app purchase on a Huawei device in the Huawei App Gallery, the transaction and payment will be carried out solely between you and the Huawei App Gallery on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://consumer.huawei.com/minisite/cloudservice/hiapp/terms.htm?country=DE&branchid=2&language=de_DE und https://consumer.huawei.com/minisite/cloudservice/hiapp/privacy-statement.htm?country=US&branchid=2&language=de_de

15. Encryption

SSL or TLS encryption

For security reasons and to protect the transmission of confidential contents, such as orders or inquiries that you send to us as the operator, we use SSL or TLS encryption. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the lock symbol in your browser line.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Encrypted payment transactions on this website

If there is an obligation to provide us with your payment information (e.g., account number for direct debit authorization) after the conclusion of a cost-based contract, this information is required for payment processing.

The payment transactions via conventional payment methods (PayPal) are carried out exclusively through an encrypted SSL or TLS connection. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the lock symbol in your browser line.

When the communication is encrypted, the payment data that you transmit to us cannot be read by third parties.

16. Data protection officer

We have assigned a data protection officer for our company.

Dr. Christian Rauda
Fachanwalt für Informationstechnologierecht
GRAEF Rechtsanwälte Digital PartG mbB
20149 Hamburg
Germany

Phone: +49.40.80 6000 9-0
Fax no.: +49.40.80 6000 9-10
E-Mail: [email protected]

17. Your rights

If your personal data are being processed, you are a data subject as defined by the GDPR, and you have the following rights in relation to the controller:

a. Right of access

You can request confirmation from the controller as to whether we are processing your personal data.

If such processing has taken place, you can request information from the controller on the following topics:

1. the purposes for which the personal data are processed;
2. the categories of personal data being processed;
3. the recipients or categories of recipients to whom your personal data have been or will be disclosed;
4. the planned duration of the storage of the personal data concerning you, or, if no specific information on this is available, criteria for determining the storage period;
5. the existence of a right to the rectification or erasure of the personal data or restriction of processing of personal data concerning you, or a right to object to this processing;
6. the existence of a right to appeal to a supervisory authority;
7. any available information about the source of the data if the personal data are not being collected from the data subject;
8. the existence of an automated decision-making process including profiling as defined by Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as on the scope and intended effects of such processing on the data subject.

You have the right to request information as to whether your personal data are being transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

b. Right to rectification

You have the right to request that the controller correct and/or complete the data if the processed personal data concerning you is incorrect or incomplete. The controller must immediately make the correction.

c. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of your personal data:

1. if you contest the accuracy of the personal data concerning you for a period that enables the controller to verify the accuracy of the personal data;
2. if the processing is unlawful and you object to the erasure of the personal data and instead request a restriction of their use;
3. if the controller no longer needs the personal data for the processing purposes, but you need them to assert, pursue, or defend legal claims; or
4. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet established whether the legitimate reasons of the controller outweigh your reasons.

If the processing of your personal data has been restricted, these data – with the exception of storage – may only be processed with your consent or for the purpose of asserting, pursuing, or defending legal claims or for protecting the rights of another natural or legal person or for reasons related to an important public interest of the Union or a member state.

If the restriction of processing was restricted in accordance with the above conditions, the controller will inform you before the restriction is lifted.

d. Right to erasure

(1) Obligation to delete

You may request that the controller erases your personal data without delay. The controller is then obligated to immediately delete the data if one of the following reasons applies:

1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent on which the processing pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR was based and there is no other legal basis for the processing.
3. You Object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. The personal data concerning you have been processed unlawfully.
5. The erasure of the personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the member states to which the controller is subject.
6. The personal data concerning you have been collected in relation to services offered by an information society pursuant to Art. 8 (1) GDPR.

(2) Information to third parties

If the controller has made your personal data public and is Obligated to their erasure pursuant to Art. 17 (1) GDPR, the controller, in consideration of the available technology and implementation costs, will take appropriate measures, including technical ones, to inform the persons responsible for the data processing that you, as a data subject, have requested the erasure of all links to these personal data or copies or replications thereof.

(3) Exceptions

The right to erasure does not exist if the processing is required

1. to exercise the right to freedom of expression and information;
2. to comply with a legal obligation that requires the processing according to a law of the Union or member states to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
4. for archival purposes, scientific or historic research purposes in the public interest, or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to in section a) is likely to render impossible or seriously interfere with the attainment of the objectives of such processing; or
5. to assert, exercise, or defend legal claims.

e. Right to be notified

If you have asserted the right to the rectification, erasure, or restriction of processing towards the controller, the controller is obligated to notify all recipients to whom your personal data have been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.

You are entitled to receive information from the controller about these recipients.

f. Right to data portability

You have the right to receive the personal data concerning you that you provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to have this data transmitted to another responsible person without interference from the controller to whom the personal data has been communicated, provided that

1. processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR; and
2. the processing is carried out by automated means.

In exercising this right, you also have the right to request that your personal data be transferred directly from one controller to another, insofar as this is technically feasible. This must not affect the freedoms and rights of other people.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

g. Right to object

You have the right to object, for reasons arising from your particular situation, at any time to the processing of your personal data that is carried out pursuant to Art. (6) (1) (e) or (f) GDRP; this also applies to profiling based on these provisions.

The controller will no longer process your personal data, unless the controller can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims.

If personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling to the extent that it is linked to such direct marketing.

If you object to the processing for the purposes of direct marketing, your personal data will no longer be processed for those purposes.

You have the option of exercising your right to object in relation to the use of information society services – notwithstanding Directive 2002/58/EC – by using automated procedures that involve technical specifications.

h. Right to revoke the data protection declaration of consent

You have the right to revoke your data protection declaration of consent at any time. Revoking the consent does not affect the legality of the processing that has occurred on the basis of the consent up until it was revoked.

i. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – that has a legal effect on you or significantly affects you in a similar manner.

This does not apply if the decision

1. is required for the conclusion or performance of a contract between you and the controller;
2. is permissible according to statutory regulations of the Union or member states to which the controller is subject and these regulations provide for appropriate measures to safeguard your rights, freedoms, and your legitimate interests; or
3. is made with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and appropriate measures have been taken to safeguard rights and freedoms and your legitimate interests.

With respect to the cases referred to in (1) and (3), the controller will take appropriate measures to safeguard the rights and freedoms and your legitimate interests, which include at least the right to obtain the intervention of a person on behalf of the controller, to express his or her own point of view and to challenge the decision.

j. Right to lodge a complaint with a supervisory authority

Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state in which you reside, your place of work, or the place of the alleged infringement, if you believe that the processing of the personal data concerning you is in breach of the GDPR.

The supervisory authority to which the complaint has been lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

18. Amendments to this data protection information

We reserve the right to change these data protection regulations at any time in compliance with the legal requirements.

Current as of: January 2022