Privacy policy

As of January 2024

Table of contents

General

I. Name and address of the controller

II. Contact details of the data protection officer

III. Rights of the data subjects

IV. Hosting

V. Use of cookies

VI. E-mail contact

VII. Company presence

VIII. Use of company presences in job-oriented networks

Website

IX. General information on data processing on the website

X. Provision of the website and creation of log files

XI. Integration of plugins via external service providers

App

XII. Data processing in the flowkey app

XIII. Provision of the app and creation of the log files

XIV. Registration

XV. Newsletter

XVI. Contact

XVII. Orders via the app

XVIII. Payment

XIX. Shipping service provider

XX. Plugins via external service providers

XXI. Geotargeting

I. Name and address of the controller

The person responsible within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

flowkey GmbH

Alt-Moabit 103

10559 Berlin

Germany

+49 30 208 499 28

[email protected]

https://www.flowkey.com

II. Contact details of the data protection officer

The controller's data protection officer is:

DataCo GmbH

Nymphenburger Str. 86

80636 München

Germany

+49 89 7400 45840

www.dataguard.de

III. Rights of the data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR.

When processing your personal data, you as the data subject have the following rights vis-à-vis the controllers:

  • Right to information about the processing of your data (Art. 15 GDPR);
  • Right to rectification of inaccurate data processed by the controllers (Art. 16 GDPR);
  • Right to erasure of your personal data with a controller (Art. 17 GDPR);
  • Right to restriction of the processing of your personal data (Art. 18 GDPR);
  • Right to data portability (Art. 20 GDPR);
  • Right to complain to a supervisory authority (Art. 13 (2) (d) and Art. 14 (2) (e) GDPR);

IV. Hosting

The website and our app are hosted on servers by a service provider commissioned by us.

Our service providers are:

  • Netlify, Inc., 2325 3rd Street, Suite 296, San Francisco, California 94107, USA 

The location of the website server is geographically in the following third country: USA

  • AWS (Amazon Web Services). The location of the server of the website is geographically in the European Union / in the following third country: Amazon Europe Core S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxemburg

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Date and time of the server request
  • IP address

This data will not be merged with other data sources. This data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, the server log files must be recorded.

V. Use of cookies

Description and scope of data processing

When you visit our website, cookies are set. Cookies are files that are stored in the Internet browser or by the Internet browser on the user's computer system. This storage of information on the user's device can be done using unique identifiers (UID), which enables us to identify or assign it to a natural person. 

The provisions of the German Telecommunications Telemedia Data Protection Act (TTDSG) apply to the storage of information in the end-user’s terminal equipment and/or access to information already stored in the end user's terminal equipment. If the setting and reading of cookies is technically necessary, this is done to ensure the functionality of our website. In this case, the storage of and access to cookies on your terminal equipment is based on Section 25 (2) No. 2 TTDSG. This storage and access to the information in your terminal equipment serves to make it easier for you to use our website and to be able to offer you our services as you wish. Some functions of our website do not work without the use of these cookies and therefore could not be offered. The cookies are generally deleted at the end of the session (e.g. logging out or closing the browser) or after a specified period of time. Information about deviating storage periods for cookies can be found in the following sections of this privacy policy.

Insofar as cookies are used that are not technically necessary, this is done on the basis of your express consent, which you can give via the cookie banner. In this case, the basis for the storage and access to information is § 25 para. 1 TTDSG in conjunction with Art. 6 (1) (a), Art. 7 GDPR. You can revoke your consent at any time with effect for the future or give it again afterwards by configuring your cookie settings accordingly. Alternatively, you can prevent the storage of cookies by setting your browser software accordingly. Please note that the browser settings you make only work for the browser you are using.

If personal data is processed following the storage of and access to the information on your terminal equipment, the provisions of the GDPR are relevant. Information on this can be found in the following sections of this privacy policy.  

In this way, the following data can be transmitted:

  • Frequency of page views
  • Use of website functions

The user data collected in this way is pseudonymized by technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data is not stored together with other personal data of the users.

Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.

We need cookies for the following applications:

The user data collected by technically necessary cookies will not be used to create user profiles.

The analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimize our offer.

Legal basis for data processing

The legal basis for the processing of personal data using cookies that are not technically necessary is Art. 6 (1) (a) GDPR.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (f) GDPR.

Duration of storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted from there to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. The user has the option to revoke his consent to the processing of personal data at any time.

This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

If you use a Safari browser version 12.1 or higher, cookies are automatically deleted after seven days. This also applies to opt-out cookies, which are set to prevent tracking measures. 

VI. E-mail contact

Description and scope of data processing

On our website and through our app, it is possible to contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored.

The data will be used exclusively for the processing of the conversation.

Purpose of data processing

In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

Legal basis for data processing

The legal basis for the processing of the data is Article 6 (1) (a) GDPR if the user has given his consent.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. Our legitimate interest is to provide the best possible answer to your enquiry, which you send by e-mail. 

If the aim of the e-mail contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data sent by e-mail, this is the case when the respective agreement with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Possibility of objection and removal

The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

VII. Company presence

Use of company presences in social networks

Instagram:

Instagram, Part of Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland

On our company page, we provide information and offer Instagram users the opportunity to communicate. If you carry out an action on our Instagram company presence (e.g. comments, posts, likes, etc.), it may be that you thereby publish personal data (e.g. real name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by Instagram, which is jointly responsible for the flowkey GmbH corporate presence, we cannot provide any binding information on the purpose and scope of the processing of your data.

We use our corporate presence in social networks for communication and information exchange with (potential) customers. In particular, we use the company's presence for:

  • Information about products
  • Information on services
  • Sweepstakes
  • Customer
  • Vacancies

Every user is free to publish personal data through activities.

The legal basis for data processing is Art. 6 (1) (a) GDPR.

Insofar as we process your personal data in order to evaluate your online behaviour, to offer you competitions or to carry out lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) (a), Art. 7 GDPR.

The legal basis for the processing of personal data for the purpose of communication with customers and interested parties is Art. 6 (1) (f) GDPR. In doing so, we have a legitimate interest in answering your enquiry in the best possible way or in being able to provide the requested information.

If the purpose of the contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

We store your activities and personal data published via our Instagram company presence until you revoke your consent. In addition, we comply with the statutory retention periods.
We process data from our corporate presence in our systems. These are stored there until the consent is revoked.

Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.

Instagram: https://help.instagram.com/519522125107875

Twitter:

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland

On our company website, we provide information and offer Twitter users the opportunity to communicate. If you carry out an action on our Twitter company website (e.g. comments, posts, likes, etc.), it may be that you thereby publish personal data (e.g. real name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by Twitter, which is responsible for the flowkey GmbH corporate presence, we cannot provide any binding information on the purpose and scope of the processing of your data.

We use our corporate presence in social networks for communication and information exchange with (potential) customers. In particular, we use the company's presence for:

  • Information about products
  • Information about services
  • Sweepstakes
  • Customer
  • Vacancies

Every user is free to publish personal data through activities.

Insofar as we process your personal data in order to evaluate your online behaviour, to offer you competitions or to carry out lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) (a), Art. 7 GDPR. The legal basis for the processing of personal data for the purpose of communication with customers and interested parties is Art. 6 (1) (f) GDPR. In doing so, our legitimate interest is to answer your inquiry in the best possible way or to be able to provide the requested information. If the purpose of the contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

We store your activities and personal data published via our Twitter company presence until you revoke your consent. In addition, we comply with the statutory retention periods.
We process data from our corporate presence in our systems. Data will be stored there until the consent is revoked.

For the processing of your personal data in third countries, we have appropriate safeguards in the form of standard contractual clauses pursuant to Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested from us.

You can find more information about the processing of your personal data by Twitter and the corresponding objection options here:

Twitter: https://twitter.com/de/privacy

YouTube:

YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States

On our company page, we provide information and offer YouTube users the opportunity to communicate. If you carry out an action on our YouTube company website (e.g. comments, posts, likes, etc.), it may be that you thereby publish personal data (e.g. real name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by YouTube, which is jointly responsible for the flowkey GmbH corporate presence, we cannot provide any binding information on the purpose and scope of the processing of your data.

We use our corporate presence in social networks for communication and information exchange with (potential) customers. In particular, we use the company's website for:

  • Information about products
  • Information about services
  • Sweepstakes
  • Customer
  • Vacancies

Every user is free to publish personal data through activities.

The legal basis for data processing is Art. 6 (1) (a) GDPR.

Insofar as we process your personal data in order to evaluate your online behaviour, to offer you competitions or to carry out lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) (a), Art. 7 GDPR.

The legal basis for the processing of personal data for the purpose of communication with customers and interested parties is Art. 6 (1) (f) GDPR. In doing so, our legitimate interest is to answer your inquiry in the best possible way or to be able to provide the requested information. 

If the purpose of the contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

For the processing of your personal data in third countries, we have provided appropriate safeguards in the form of standard contractual clauses in accordance with Art. 46 (2) (c) GDPR. A copy of the standard contractual clauses can be requested from us.

You can find more information about the processing of your personal data by YouTube and the corresponding objection options here:

YouTube: https://policies.google.com/privacy?gl=DE&hl=de

You can object to the processing of your personal data, which we collect in the context of your use of our Instagram, Twitter and YouTube corporate presence, at any time and assert your rights as a data subject mentioned under section IV. of this data protection declaration. To do so, send us an informal e-mail to [email protected].

VIII. Use of company presences in job-oriented networks

Scope of data processing

We take advantage of the possibility of company appearances on job-oriented networks. We maintain a corporate presence on the following job-oriented networks:

LinkedIn:

LinkedIn, Unlimited Company Wilton Place, Dublin 2, Ireland

XING:

XING SE, Dammtorstraße 30, 20354 Hamburg, Germany

On our site, we provide information and offer users the opportunity to communicate.

The company's website is used for applications, information/PR and active sourcing.

We do not have any information on the processing of your personal data by the companies jointly responsible for the company's presence. Further information can be found in the privacy policy of:

LinkedIn:

https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

XING:

https://privacy.xing.com/de/datenschutzerklaerung

If you carry out an action on our company website (e.g. comments, posts, likes, etc.), it may be that you thereby publish personal data (e.g. real name or photo of your user profile).

Legal basis for data processing

The legal basis for the processing of your data in connection with the use of our company website is Art. 6 (1) (f) GDPR.

Purpose of data processing

Our corporate identity serves us to inform users about our services. Each user is free to publish personal data through activities.

Duration of storage

We store your activities and personal data published via our company website until you revoke your consent. In addition, we comply with the statutory retention periods.

Possibility of objection and removal

You can object to the processing of your personal data, which we collect in the context of your use of our corporate website, at any time and assert your rights as a data subject mentioned under IV. of this data protection declaration. To do so, send us an informal e-mail to the e-mail address given in this privacy policy.

Further information on objection and removal options can be found here:

LinkedIn:

https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

XING:

https://privacy.xing.com/de/datenschutzerklaerung

IX. General information on data processing on the website

Scope of processing of personal data

As a matter of principle, we do not process personal data of our users to the extent necessary to provide a functional website as well as our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is required by law.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis.

In the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

X. Provision of the website and creation of log files

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer.

The following data is collected:

  • Information about the browser type and version used.
  • The user's operating system
  • The user's Internet service provider
  • The IP address of the user
  • Date and time of access
  • Websites from which the user's system accesses our website.
  • Websites that are accessed by the user's system via our website.

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. In this case, the user's IP address must be stored for the duration of the session.

The data is stored in log files in order to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

For these purposes, we also have a legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this is the case after seven days at the latest. It is possible that the data will be stored for a longer period of time. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. The user can object to this. Whether the objection is successful must be determined in the context of a balancing of interests.

XI. Integration of plugins via external service providers

We use third-party providers such as plugins and content delivery networks on our website for various purposes. These are listed below:

Service: Cloudflare

  • Provider: CloudFlare Germany GmbH
  • Third-country transfer: no
  • Purpose of data processing: Delivery and acceleration of online applications and content
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection: https://www.cloudflare.com/de-de/privacypolicy/
  • Added / updated on: 30.11.2023

Service: DoubleClick

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is a member of the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Advertising and analysis service
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Fastly

  • Provider: Fastly, Inc.
  • Third country transfer: USA: Fastly is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Delivery and acceleration of online applications and content
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://www.fastly.com/privacy/
  • Added / updated on: 30.11.2023

Service: Facebook pixel

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA): Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook Retargeting

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA) Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook Conversions API

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA) Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Optimization and marketing
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook custom audience

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA) Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Google Analytics

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA) Google is a member of the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Google Photos

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA) Google is a member of the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: View photos
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Google Optimize

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA) Google is a member of the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Optimization service
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: OneTrust Consent Management Platform

  • Provider: OneTrust Technology Limited
  • Third-country transfer: United Kingdom
  • Purpose of data processing: OneTrust is used on the website as a processor for the purpose of consent management.
  • Legal basis for data processing: Art. 6 (1) (c) GDPR
  • Information on data protection and appropriate guarantees for third country transfers: https://www.onetrust.com/privacy/
  • Added / updated on: 04.12.2023

Service: Prismic CMS

  • Provider: Prismic.io Inc.
  • Third-country transfer: USA: In order to make the third-country transfer as data-protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries.
  • Purpose of data processing: Website builder and content management system.
  • Legal basis of data processing: Art. 6 (1) (f) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Taboola

  • Supplier: Taboola Germany GmbH
  • Third-country transfer: no
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://www.taboola.com/de/policies/datenschutzerklaerung
  • Added / updated on: 30.11.2023

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. You can prevent the collection and processing of your personal data by Google by preventing third-party cookies from being stored on your computer, using the "Do Not Track" function of a supporting browser, disabling the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

Your personal data will also be transferred to the United States. In order to make the transfer to third countries as data protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries. A copy of the standard data protection clauses can be obtained from us. 

For the USA, an adequacy decision "EU-U.S. Data Privacy Framework" pursuant to Art. 45 III GDPR has been in place since July 10, 2023. The European Commission has adopted the EU-US data protection framework and established in the decision that the United States ensures an adequate level of protection of personal data. However, the transfer of personal data to the United States only applies if the respective US data recipient is also certified under the EU-US Data Privacy Framework with the US Department of Commerce. A list of certified companies can be found at the following link: https://www.dataprivacyframework.gov/s/participant-search

XII. Data processing in the flowkey app

In the following, we inform you about the data protection regulations applicable in the flowkey app for Android and iOS ("App"). The app is offered by flowkey GmbH ("flowkey", "we" or "us").

Scope of processing

The app is used to provide our services on a mobile app. The following personal data is requested to create a profile:

  • Name
  • E-mail address
  • Usage
  • Purchase history
  • User-ID
  • Device ID
  • Rough location
  • Crash Data

The data is always transmitted via a TLS-secured channel.

Purpose of the processing

The processing serves to fulfill the service, to ensure functionality, to improve the app as well as for marketing and advertising purposes.

Legal basis for the processing of personal data

In the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Data deletion and storage period

The personal data collected by us for the service will be processed in accordance with Art. 6 (1) (c) GDPR after expiry of the retention and documentation obligations under tax and commercial law (from HGB, StGB or AO), unless you have consented to further storage in accordance with Art. 6 (1) (a) GDPR.

Possibility of objection and removal

You can object to the processing of your personal data at any time in writing or by sending an informal email to [email protected]. All other rights for you as a data subject can also be addressed to this email address. 

XIII. Provision of the app and creation of the log files

Description and scope of data processing

Each time our app is accessed, our system automatically collects data and information from the operating system of the calling mobile device.

The following data is collected:

  • Information about the browser type and version used
  • The user's operating system
  • The IP address of the user
  • Date and time of access

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Purpose of data processing

The temporary storage of the IP address through the system is necessary to enable the app to be delivered to the user's mobile device. For this purpose, the user's IP address must be stored for the duration of the session.

The data is stored in log files in order to ensure the functionality of the app. In addition, we use the data to optimize the app and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the app, this is the case when the respective session has ended.

If the data is stored in log files, this is the case after seven days at the latest. It is possible that the data will be stored for a longer period. In this case, the IP addresses of the users are deleted or masked so that they can no longer be attributed to the calling client.

Possibility of objection and removal

The collection of data for the provision of the app and the storage of the data in log files is absolutely necessary for the operation of the application.

XIV. Registration

Description and scope of data processing

On our app, we offer users the opportunity to register by providing personal data. The data is entered into an input mask and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected as part of the registration process: Email address.

As part of the registration process, the user's consent to the processing of this data is obtained.

Purpose of data processing

Registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures.

To use our app, it is necessary to register with your own profile.

Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) (a) GDPR.

If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 (1) (b) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

This is the case for the data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the execution of the contract. Even after the conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.

Possibility of objection and removal

As a user, you have the option to cancel the registration at any time. You can have the data stored about you changed at any time. To delete or change your personal data, please contact your company admin.

If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

XV. Newsletter

Description and scope of data processing

On our app you have the possibility to subscribe to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us.

  • Email
  • Name
  • Forename
  • Date and time of registration

There is no disclosure of data to third parties in connection with data processing for the dispatch of newsletters. The data will be used exclusively for sending the newsletter.

Purpose of data processing

The collection of the user's e-mail address serves to deliver the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.

Legal basis for data processing

The legal basis for the processing of the data after registration for the newsletter by the user is Art. 6 (1) (a) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, the user's email address will be stored for as long as the subscription to the newsletter is active.

The other personal data collected as part of the registration process will generally be deleted after a period of seven days.

Possibility of objection and removal

The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, there is a corresponding link in each newsletter.

This also makes it possible to revoke the consent to the storage of the personal data collected during the registration process.

XVI. Contact 

Description and scope of data processing

In addition to contacting us by e-mail, there is a contact form on our app that can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored.

At the time the message is sent, the following data is stored:

  • Email
  • Name 
  • First name 

Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored.

The data will be used exclusively for processing the conversation.

Purpose of data processing

The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

Legal basis for data processing

The legal basis for the processing of data transmitted while sending an e-mail is Art. 6 (1) (f) GDPR. Our legitimate interest arises from the purpose of data processing. If the aim of the e-mail contact is to conclude or execute a contractual relationship, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The additional personal data collected during the sending process will be processed at the latest after termination of the contractual relationship or contract. End of general use of the app deleted.

Possibility of objection and removal

The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail at [email protected], he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

XVII. Orders via the app

We offer a webshop for keyboards / pianos in our app. For this we use a specially developed webshop software:

The app and the webshop are hosted on external servers by a service provider commissioned by us: AWS – Amazon Web Services.

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data will not be merged with other data sources. This data is collected on the basis of Art. 6 (1) (f) GDPR.  The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, the server log files must be recorded. As part of the provision of the webshop, existing customers can be contacted regarding technical status updates or functional changes.

We have concluded a contract for order processing with the corresponding service provider, in which we oblige the corresponding service provider to protect user data and not to pass it on to third parties.

XVIII. Payment

We offer our customers various payment options for processing. For this purpose, we redirect customers to the platform of the corresponding payment service provider, depending on the payment option. After completion of the payment process, we receive the customer's payment data from the payment service providers or our house bank and process them in our systems for the purpose of invoicing and accounting.

Payment by credit card

It is possible to complete the payment process by credit card.

If you have chosen to pay by credit card, payment data will be passed on to payment service providers for payment processing. All payment service providers comply with the requirements of the "Payment Card Industry (PCI) Data Security Standards" and have been certified by an independent PCI Qualified Security Assessor.

As part of the payment by credit card, the following data is regularly transmitted:

  • Purchase amount
  • Date and time of purchase
  • First name and surname
  • Address
  • Email address
  • Credit card
  • Validity period of the credit card
  • Security Code (CVC)
  • IP address
  • Telephone number / mobile phone number

Payment data will be passed on to the following payment service providers:

Adyen N.V., German Branch, Friedrichstraße 63, Eingang Mohrenstraße 17, 10117 Berlin

Further information on the data protection guidelines as well as revocation and removal options vis-à-vis the payment service providers can be found here: https://www.adyen.com/de_DE/richtlinien-und-haftungsausschluss/privacy-policy

Payment through PayPal

It is possible to process the payment process with the payment service provider PayPal. In addition to a direct payment method, PayPal also offers purchase on account, by direct debit, by credit card and payment in installments.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.

If you choose PayPal as your payment method, your data required for the payment process will be automatically transmitted to PayPal.

In particular, this involves the following data:

  • Name
  • Address
  • Email
  • Telephone / mobile phone number
  • IP address
  • Bank account
  • Card Number
  • Expiry date and CVC code
  • Data on goods and services
  • Transaction amount and tax levies
  • Information on previous purchasing behaviour

The data transmitted to PayPal may be transmitted by PayPal to credit agencies. The purpose of this transmission is to check identity and creditworthiness.

PayPal may also pass on your data to third parties if this is necessary for the fulfilment of contractual obligations or if the data is to be processed on behalf of the customer. When transferring your personal data within companies affiliated with PayPal, the Binding Corporate Rules apply, which are approved by the competent supervisory authorities.  You can find them here:
https://www.paypal.com/de/webapps/mpp/ua/bcr
Other data transfers may be based on contractual protection provisions. For more information, please contact PayPal.

All PayPal transactions are subject to PayPal's Privacy Policy. You can find them at:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full/.

Payment via ApplePay:

It is possible to start the payment process with the payment service provider ApplePay (Apple Inc., One Apple Park Way, Cupertino, CA 95014, United States).

If you choose ApplePay as your payment method, your data required for the payment process will be automatically transmitted to ApplePay. 

In particular, this involves the following data:

  • Name
  • Address
  • Email
  • Telephone / mobile phone number
  • IP address
  • Bank account
  • Card Number
  • Expiry date and CVC code
  • Data on goods and services
  • Transaction amount and tax levies
  • Information on previous purchasing behaviour

The data transmitted to ApplePay may be transmitted by ApplePay to credit agencies. The purpose of this transmission is to check identity and creditworthiness.

ApplePay may also pass on your data to third parties to the extent necessary to fulfil its contractual obligations or to the extent that the data is to be processed on behalf of ApplePay. Other data transfers may be based on contractual protection provisions. For more information, please contact ApplePay.

All ApplePay transactions are subject to ApplePay's Privacy Policy. You can find them at:
https://support.apple.com/de-at/HT203027

Purpose of data processing

The transmission of payment data to payment service providers serves to process the payment, e.g. if you purchase a product/subscription.

Legal basis for data processing

The legal basis for data processing is Art. 6 (1) (b) GDPR, as the processing of the data is necessary for the execution of the concluded purchase contract.

Duration of storage

All payment data as well as data on any chargebacks that may occur will only be stored for as long as they are required for payment processing and possible processing of chargebacks and debt collection as well as for combating abuse. 

Furthermore, payment data may be stored for a longer period if and as long as this is necessary to comply with statutory retention periods or to prosecute a specific case of misuse.

Your personal data will be deleted upon expiry of the statutory retention obligations, i.e. after 10 years at the latest.

Possibility of objection and removal

You can revoke your consent to the processing of your payment data at any time by notifying the person responsible or the payment service provider used. However, the payment service provider used may still be entitled to process your payment data if and for as long as this is necessary for contractual payment processing.

Use of SEON Technologies Ltd

When using our flowkey Plus service for subscribing to a piano, we carry out a risk and credit assessment. The credit report may contain probability values (so-called score values).

For this purpose, the following data entered as part of the order will be transmitted:

  • Name
  • Address
  • Email address
  • Telephone / mobile phone number
  • Expiry date and CVC code 

to SEON Technologies Ltd, Rákóczi út 42, 1072 Budapest, Hungary.

The audit is carried out on the basis of the performance of the contract (Art. 6 (1) (b) GDPR) as well as to avoid payment defaults and prevent cases of fraud (legitimate interest according to Art. 6 (1) (f) GDPR).

We have entered into an order processing agreement with SEON Technologies Ltd in accordance with Art. 28 GDPR. 

You can find more information on the data protection guidelines as well as revocation and removal options vis-à-vis the payment service providers here: https://seon.io/resources/legal-and-security/privacy/#privacy-policy

Use of MongoDB Inc.

When using our flowkey Plus service for subscribing to a piano, we store your personal data in our cloud-database MongoDB to know where to deliver the piano.

For this purpose, the following data entered as part of the order will be transmitted:

  • Address
  • Telephone / mobile phone number

to MongoDB Inc., 1633 Broadway, 38th Floor, New York, NY 10019, USA.

The data processing is carried out on the basis of the performance of the contract (Art. 6 (1) (b) GDPR) as well as to ensure proper delivery of the piano (legitimate interest according to Art. 6 (1) (f) GDPR).

We have entered into an order processing agreement with SEON Technologies Ltd in accordance with Art. 28 GDPR. 

You can find more information on the data protection guidelines as well as revocation and removal options vis-à-vis MongoDB here: https://www.mongodb.com/legal/privacy-policy?tid=134321274

XIX. Shipping service providers

Description and scope of data processing

If you order products or services on our website for the delivery of which a shipping service provider is used, you will receive your order and shipping confirmation via your email address and, depending on the respective shipping service, the notification that your shipment has arrived and/or the notification of the package announcement as well as possible delivery options.

The data will be transmitted to the following service providers:

DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany

OGOship, Palkkatilanportti 1, 00240 Helsinki, Finland 

The data transmitted is usually the following:

  • Name
  • Salutation
  • Address
  • Email address
  • Telephone number

Purpose of data processing

The purpose of processing the personal data is to give our shipping service providers the opportunity to inform customers about the shipment progress by email and thus increase the probability of a successful delivery.

Legal basis for data processing

The legal basis for the transmission of the e-mail address to the respective shipping service provider and its use is Art. 6 (1) (f) GDPR, based on our legitimate interest in being able to offer the notification service to our customers and thus to make the dispatch as customer friendly as possible.

Duration of storage 

The transmitted data will be deleted by the respective shipping service provider if the package could be delivered.

Possibility of objection and removal

The notification service by the shipping service provider can be terminated by the affected user at any time. For this purpose, you can use the opt-out link contained in the email of the shipping service provider or you can send us an informal email to [email protected] immediately after placing your order before the order is processed.

XX. Plugins via external service providers

We integrate certain plugins on our app via external service providers. When you access our app, a connection is established to the servers of the providers we use in order to retrieve content and store it in the cache of the user's browser. As a result, personal data can be stored and evaluated in server log files, especially device and browser information (in particular the IP address and the operating system). We use the following services:

Service: Algolia

  • Provider: Algolia, Inc.
  • Third-country transfer: USA: In order to make the third-country transfer as data-protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries.
  • Purpose of data processing: search function
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://www.algolia.com/policies/privacy/
  • Added / updated on: 30.11.2023

Service: Cloudflare

  • Provider: CloudFlare Germany GmbH
  • Third-country transfer: no
  • Purpose of data processing: Delivery and acceleration of online applications and content
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection: https://www.cloudflare.com/de-de/privacypolicy/
  • Added / updated on: 30.11.2023

Service: Customer.io

  • Provider: Peaberry Software Inc.
  • Third-country transfer: USA: In order to make the third-country transfer as data-protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries.
  • Purpose of data processing: Sending system mails after registration as well as marketing mails
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://customer.io/legal/privacy-policy/
  • Added / updated on: 30.11.2023

Service: Fastly

  • Provider: Fastly, Inc.
  • Third country transfer: USA: Fastly is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Delivery and acceleration of online applications and content
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://www.fastly.com/privacy/ 
  • Added / updated on: 30.11.2023

Service: Facebook pixel

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA): Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook Retargeting

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA): Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook Conversions API

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA): Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Optimization and marketing
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Facebook custom audience

  • Provider: Meta Platforms Ireland Ltd.
  • Third country transfer: Ireland (USA): Meta is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://www.facebook.com/about/privacy
    https://www.facebook.com/legal/EU_data_transfer_addendum/update
  • Added / updated on: 30.11.2023

Service: Google Ads Conversion Tracking

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Google Analytics

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Google Tag Manager

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tag configuration and integration of Google services
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Google Webfonts

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Fonts
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

Service: Intercom

  • Provider: Intercom Inc.
  • Third country transfer: USA: Intercom is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Support via e-mail, push notifications, live chat
  • Legal basis of data processing: Art. 6 (1) (f) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://www.intercom.com/legal/privacy
  • Added / updated on: 30.11.2023

Service: JQuery

Service: Polyfill

  • Provider: The Financial Times Limited
  • Third country transfer: United Kingdom***
  • Purpose of data processing: Compatibility for older system environments
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries: https://polyfill.io/v3/privacy-policy/
  • Added / updated on: 30.11.2023

Service: Taboola

Service: Hotjar

Service: YouTube

  • Provider: Google Ireland Ltd.
  • Third country transfer: Ireland (USA): Google is committed to the Trans-Atlantic Data Privacy Framework (TDPF; EU-US Data Protection Agreement) in order to ensure an adequate level of data protection for data processing.
  • Purpose of data processing: Tracking
  • Legal basis of data processing: Art. 6 (1) (a) GDPR
  • Information on data protection and appropriate safeguards for transfers to third countries:
    https://policies.google.com/privacy?gl=DE&hl=de 
    https://business.safety.google/gdpr/
  • Added / updated on: 30.11.2023

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. You can prevent the collection and processing of your personal data by Google by preventing third-party cookies from being stored on your computer, using the "Do Not Track" function of a supporting browser, disabling the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

Your personal data will also be transferred to the United States. In order to make the transfer to third countries as data protection-friendly as possible, standard contractual clauses have been concluded with providers in unsafe third countries. A copy of the standard data protection clauses can be obtained from us. 

For the USA, an adequacy decision "EU-U.S. Data Privacy Framework" pursuant to Art. 45 III GDPR has been in place since July 10, 2023. The European Commission has adopted the EU-US data protection framework and established in the decision that the United States ensures an adequate level of protection of personal data. However, the transfer of personal data to the United States only applies if the respective US data recipient is also certified under the EU-US Data Privacy Framework with the US Department of Commerce. A list of certified companies can be found at the following link: https://www.dataprivacyframework.gov/s/participant-search

XXI. Geotargeting

We use the IP address and other information provided by the user (in particular postcode as part of registration or ordering) to address regional target groups (so-called "geotargeting").

For example, the regional target group approach is used to automatically show you regional offers or advertising that are often more relevant to users. The legal basis for the use of the IP address and, if applicable, other information provided by the user (in particular postcode) is Art. 6 (1) (f) GDPR, based on our interest in ensuring a more precise target group approach and thus providing offers and advertising with higher relevance for users.

Part of the IP address as well as the additional information provided by the user (in particular postal code) are only read out and not stored separately.

You can prevent geo-targeting, for example, by using a VPN or proxy server that prevents accurate localization. In addition, depending on the browser used, you can also deactivate location localization in the corresponding browser settings (as far as the respective browser supports this).

We use geotargeting on our app for the following purposes: Determination of the time zone at the user's location for the purpose of time-of-day-related app functions such as greetings.

This privacy policy was created with the support of DataGuard.