Privacy Policy

www.vimpay.de - As of September 3, 2024

Table of Contents

  1. General Information and Mandatory Notices
  2. Data Protection Officer
  3. Data Processing on the Website
  4. Order Processing
  5. Cookies and Analysis Tools
  6. We Say Hello
  7. Data Collection upon Contact
  8. Audio and Video Conferences
  9. Social Media
  10. Special Information for Parents
  11. Changes to the Privacy Policy

 

  1. Data Protection at a Glance

General Information

The following notices provide a simple overview of what happens to your personal data when you use our website. Personal data refers to all data that can personally identify you. Detailed information on data protection can be found in our Privacy Policy listed below.

Who is responsible for data collection on this website?

The responsible entity is the legal person who, alone or jointly with others, determines the purposes and means of processing personal data (e.g., names, email addresses, etc.). Data processing on the website is carried out by the website operator:

PayCenter GmbH
Clemensänger-Ring 24
85356 Freising
Phone: 08161 4060-300
Email: info@PayCenter.de

How do we collect your data?

Your data is collected in two ways: by you providing it to us, for example, during registration, and automatically through our IT systems when you visit the website, primarily technical data (e.g., website version, operating system, or time of page access). This data is collected automatically as soon as you start the website.

For what purposes do we process your data?

  1. If you have given consent for data processing, we process your personal data based on Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data under Art. 9(1) GDPR are processed. In the case of express consent to the transfer of personal data to third countries, the processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device (e.g., via device fingerprinting), data processing is also based on Section 25(1) TDDDG. Consent can be revoked at any time.
  2. If your data is required to fulfill a contract or to carry out pre-contractual measures, we process your data based on Art. 6(1)(b) GDPR.
  3. Furthermore, we process your data if it is necessary to fulfill a legal obligation based on Art. 6(1)(c) GDPR.
    As an electronic money institution, we are subject to various legal obligations, including statutory requirements (e.g., German Banking Act, Anti-Money Laundering Act, tax laws) as well as banking supervisory requirements (e.g., the Federal Financial Supervisory Authority). The purposes of processing include identity and age verification, fraud and money laundering prevention, the fulfillment of tax reporting obligations, and the assessment and management of risks in the company.
  4. Data processing may also be based on our legitimate interest under Art. 6(1)(f) GDPR.
    Examples:
    • Error-free provision of the website
    • Advertising, provided you have previously consented to the use of your data
    • Assertion of legal claims and defense in legal disputes
    • Ensuring IT security and IT operations
    • Prevention of criminal offenses

The specific legal grounds applicable in each case are detailed in the following sections of this Privacy Policy.

Who receives your data?

Within the company, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and agents employed by us may also receive data for these purposes if they adhere to banking secrecy and our written data protection instructions. These include primarily companies from the categories listed below. 

Regarding the transfer of data to recipients outside the e-money institution, it should first be noted that as an e-money institution, we are required to maintain confidentiality regarding all customer-related facts and evaluations of which we become aware. 

We may only provide information about you if legal provisions require it, you have given your consent, we are authorized to issue a bank reference, and/or our contracted processors guarantee compliance with banking secrecy as well as the requirements of the EU General Data Protection Regulation and the German Federal Data Protection Act. Under these conditions, recipients of personal data may include:

  • Public authorities and institutions (e.g., the German Federal Bank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, Federal Central Tax Office) if there is a legal or official obligation.
  • Other credit and financial service institutions, comparable entities, and processors (see point 5. Order Processing) to whom we transfer personal data for the purpose of conducting business with you.
    In detail: Processing of bank information, support/maintenance of IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, collection, payment card processing, customer management, telephony, video verification, website management, payment processing.
    Other data recipients may include those entities for which you have given consent to data transfer or for which you have released us from banking secrecy in accordance with an agreement or consent.

Will data be transferred to a third country or an international organization?

Data will only be transferred to countries outside the EU or EEA (so-called third countries) if this is necessary to execute your orders (e.g., payment orders), if it is required by law (e.g., tax reporting obligations), if you have given us your consent, or in the context of commissioned data processing. If service providers are used in third countries, they are required to provide suitable guarantees in accordance with Art. 46 GDPR. 

This also includes the automatic exchange of data within the Mastercard Automatic Billing Updater (ABU) database to minimize the rejection of card payments when credit card data expires or changes. The data is transmitted to:

  • Mastercard Inc., 2000 Purchase Street, Purchase, NY 10577, USA.

 

Notice on data transfer to third countries that are not secure under data protection law and to U.S. companies that are not DPF-certified

We use tools from companies based in countries that are not secure under data protection law and U.S. tools whose providers are not certified under the EU-U.S. Data Privacy Framework (DPF). If these tools are active, your personal data may be transferred to these countries and processed there. Please note that no level of data protection comparable to that in the EU can be guaranteed in countries that are not secure under data protection law.

We point out that the U.S., as a secure third country, generally provides a level of data protection comparable to that of the EU. Data transfer to the U.S. is permitted if the recipient is certified under the "EU-U.S. Data Privacy Framework" (DPF) or has suitable additional guarantees. Information on transfers to third countries, including the data recipients, can be found in this Privacy Policy.

Recipients of personal data

In the course of our business activities, we work with various external parties. In some cases, this requires the transfer of personal data to these external parties. We only share personal data with external parties if this is necessary for the fulfillment of a contract, if we are legally required to do so (e.g., data transfer to tax authorities), if we have a legitimate interest in sharing the data under Art. 6(1)(f) GDPR, or if other legal grounds permit the data transfer. When using processors, we share customers' personal data only based on a valid order processing agreement. In the case of joint processing, a joint processing agreement is concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke any previously given consent at any time. The legality of data processing that occurred before the revocation remains unaffected by the revocation.

Right to object to data collection in specific cases and to direct advertising (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE LEGAL BASIS ON WHICH THE PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING IS FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTION UNDER ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING AT ANY TIME; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL THEN NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION UNDER ART. 21(2) GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work, or the place of the alleged violation. This right to lodge a complaint is without prejudice to other administrative or judicial remedies.

The competent supervisory authority for data protection issues is:

Bavarian State Office for Data Protection Supervision
P.O. Box 1349
91504 Ansbach
Tel.: 0981/180093-0
Fax: 0981/180093-800
poststelle@lda.bayern.de
https://www.lda.bayern.de

Right to data portability

You have the right to receive the data that we process based on your consent or in fulfillment of a contract in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

Information, correction, and deletion

Within the scope of the applicable legal provisions, you have the right to request information about your stored personal data, its origin, recipient, and the purpose of the data processing free of charge at any time, and, if applicable, a right to correction or deletion of this data. For this purpose, as well as for further questions about personal data, you can contact us at any time.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact us at any time. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
  • If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
  • If we no longer need your personal data, but you need it to exercise, defend, or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
  • If you have lodged an objection under Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data - apart from their storage - may only be processed with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the European Union or a member state.

SSL or TLS encryption

This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries you send to us as the site operator. You can recognize an encrypted connection by the change in the browser's address line from "http://" to "https://" and by the lock icon in your browser's address line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

Analysis tools and third-party tools

When visiting our website, your usage behavior may be statistically analyzed. This is done primarily with so-called analysis programs. The analysis of your usage behavior is anonymous; the usage behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. For more details, please refer to our Privacy Policy under the heading "Analysis Tools".

 

  1. Data Protection Officer

Legally Required Data Protection Officer

We have appointed a data protection officer for our company. For all questions on data protection, you can use the following contact options:

PayCenter GmbH
Clemensänger-Ring 24
85356 Freising
Phone: 08161 4060-300
Email: datenschutz@paycenter.de 

 

  1. Data Processing on the Website

Data processing during registration and later card usage

Users can register and create a user account. The data entered during registration will be used for the purposes of using the service.

We collect, process, and use personal data only to the extent necessary for the establishment, content, or modification of the legal relationship (inventory data). This is done based on Art. 6(1)(b) GDPR, which permits the processing of data to fulfill a contract or pre-contractual measures, as well as on Art. 6(1)(c) GDPR, which makes the processing necessary to fulfill a legal obligation to which the controller is subject. We collect, process, and use personal data related to the use of our website (usage data) only to the extent necessary to enable or charge the user for using the service.

The collected customer data will be deleted after the order has been completed or the business relationship has been terminated. It is the user's responsibility to back up their data before canceling the contract. We are entitled to irreversibly delete all user data stored during the contract term, provided this does not conflict with statutory retention periods. 
Statutory retention periods remain unaffected. These include the retention obligations under commercial and tax law: German Commercial Code (HGB), German Banking Act (KWG), and the German Anti-Money Laundering Act (GwG). The retention periods specified there are two to ten years. If data is retained as evidence, it is subject to the statute of limitations under the German Civil Code (BGB) §§195ff. and may be retained for up to 30 years, with the regular limitation period being three years.
IP addresses are deleted after 90 days at the latest.

Data will generally not be shared with third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6(1)(c) GDPR. 

If a verification procedure (legitimization) is required for registration under Section 11 of the German Anti-Money Laundering Act (GwG), the personal data collected during identification will only be stored by the identifying company (Deutsche Post AG or IDnow GmbH) to the extent necessary for the proper determination, billing, and evaluation as well as for proof of the correctness of service charges (charge data). We also use the data provided as part of the Postident procedure to compare the personal master data stored in our database for the purposes of the legally required verification.

To use the service, we may collect the following data from you:

  • Company name
  • First and last name
  • Address
  • Date of birth
  • Identification data
  • Email address
  • Account details
  • Mobile phone number
  • PEP status
  • Direct debit mandates
  • IP address at the time of registration
  • IP address of the login
  • Recipient account numbers
  • Account transactions
  • Tax ID

 

Server Log Files

petaFuel GmbH automatically collects and stores information in so-called server log files. The following information is transmitted to us through the website:

  • Operating system used
  • Browser used
  • URL accessed
  • Date and time of the server request
  • IP address

This data is not merged with other data sources.

The basis for data processing is Art. 6(1)(f) GDPR, which permits the processing of data to safeguard legitimate interests. We use this data to operate and improve the website and to prevent fraud.

The data will be automatically deleted after 90 days at the latest.

 

Friendly Captcha

We use Friendly Captcha (hereinafter "Friendly Captcha") on this website. The provider is Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is used to check whether the data entered on this website (e.g., in a contact form) is made by a human or an automated program. To do this, Friendly Captcha analyzes the behavior of the website visitor based on various characteristics. Friendly Captcha evaluates various information (e.g., anonymized IP address, referrer, visit time, etc.) for analysis. For more information, visit: https://friendlycaptcha.com/legal/privacy-end-users/.

The storage and analysis of data are based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and spam. If appropriate consent has been requested, processing is based solely on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting). Consent can be revoked at any time.

Order Processing

We have concluded a data processing agreement (AVV) with the above-mentioned service provider. This is a legally required contract that ensures that this provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

  1. Order Processing

We occasionally hire other companies to provide services on our behalf and within the scope of our business purpose. These companies may only process the personal data necessary to provide the respective service. These companies are obligated to treat the data confidentially. They are expressly prohibited from using the information for any other purpose. We have concluded an order processing agreement with the following companies and transfer personal data to the extent necessary:

  • petaFuel GmbH (MasterCard processor, technical service provider): petaFuel GmbH, Clemensänger-Ring 24, 85356 Freising
  • Deutsche Post AG (PostIdent, VideoIdent): Deutsche Post AG, Charles-de-Gaules-Str. 20, 53113 Bonn
  • Deutsche Post Direkt GmbH (Address verification): Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf
  • Melissa Data GmbH (Address verification): Melissa Data GmbH, Cäcilienstr. 42-44, 50667 Cologne
  • Infoscore Consumer Data GmbH (Address verification): Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden
  • IDnow (Video identification): IDnow GmbH, Auenstr. 100, 80469 Munich
  • Authada GmbH (Legitimation via eID): Authada GmbH, Julius-Reiber-Str. 15a, 64293 Darmstadt
  • Google Inc., Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland
  • Burak Esen & Simon Pröbstl GbR (Advertising), Schlossstr. 3, 85354 Freising

 

  1. Cookies and Analysis Tools

Use of Cookies

Our websites use "cookies." Cookies are small data packets that do no harm to your device. They are either temporarily stored for the duration of a session (session cookies) or permanently stored (persistent cookies) on your device. Session cookies are automatically deleted after your visit. Persistent cookies remain stored on your device until you delete them yourself or an automatic deletion is triggered by your web browser.

Cookies can be set by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g., cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g., the shopping cart function or displaying videos). Other cookies can be used to analyze user behavior or for advertising purposes.

Cookies that are necessary to carry out the electronic communication process, to provide certain functions requested by you (e.g., for the shopping cart function), or to optimize the website (e.g., cookies to measure web traffic) are stored based on Art. 6(1)(f) GDPR, unless another legal basis is provided. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services. If consent for the storage of cookies and comparable recognition technologies has been requested, processing is based solely on this consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG); consent can be revoked at any time.

You can set your browser to inform you about the use of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies in certain cases or in general, and to enable the automatic deletion of cookies when the browser is closed. If cookies are deactivated, the functionality of this website may be limited.

Which cookies and services are used on this website can be found in this Privacy Policy.

 

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to embed tracking or statistics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies, or perform any independent analysis. It is used solely for managing and deploying the tools integrated through it. However, Google Tag Manager collects your IP address, which may be transmitted to Google's parent company in the United States.

The use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in quickly and easily integrating and managing various tools on their website. If appropriate consent has been requested, processing is based solely on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting). Consent can be revoked at any time.

The company is certified under the "EU-U.S. Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the U.S. Every company certified under the DPF is required to comply with these data protection standards. For more information, visit: https://www.dataprivacyframework.gov/participant/5780.

 

Matomo

This website uses the open-source web analytics service Matomo.

With the help of Matomo, we are able to collect and analyze data about the usage of our website by visitors. This allows us to, among other things, determine when certain page views were made and from which region they come. We also collect various log files (e.g., IP address, referrer, used browsers, and operating systems) and can measure whether our website visitors perform certain actions (e.g., clicks, purchases, etc.).

The use of this analysis tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in analyzing user behavior to optimize both their website and their advertising. If appropriate consent has been requested, processing is based solely on Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting). Consent can be revoked at any time.

IP anonymization

When using Matomo, we employ IP anonymization. In this process, your IP address is shortened before analysis so that it can no longer be clearly associated with you.

Cookie-free analysis

We have configured Matomo so that Matomo does not store cookies in your browser.

Matomo processes the following data:

  • Anonymized IP addresses by removing the last 2 bytes (e.g., 192.68.0.0 instead of 192.68.100.54)
  • Pseudonymized location (based on the anonymized IP address)
  • Date and time
  • Title of the accessed page
  • URL of the accessed page
  • URL of the previous page (if allowed)
  • Screen resolution
  • Local time
  • Files clicked and downloaded
  • External links
  • Page load time
  • Country, region, city (with low accuracy based on IP address)
  • Main language of the browser
  • Browser user agent

You can object to the storage and evaluation of this data by Matomo at any time by unchecking the box for "Matomo" on the following page.

Object to Matomo evaluation

In this case, an opt-out cookie will be permanently stored in your browser, which instructs Matomo not to collect any data for storage and evaluation. However, if you deliberately or accidentally delete this cookie, the objection to data storage and evaluation will be lifted, and it can be renewed via the link mentioned above.

Alternatively, most browsers have a "Do Not Track" option, which informs websites that you do not wish your user activity to be tracked. Matomo respects this option.

Storage duration: up to 30 days

Legal basis: Art. 6(1)(f) GDPR

 

  1. We Say Hello

If you wish to receive reminders of all upcoming "We Say Hello" appointments, you have the option of providing us with your mobile phone number. We will then send you a notification via SMS before each appointment.

The legal basis for storing and processing your data is Art. 6(1)(a) GDPR (consent of the data subject). Your personal data will remain with us until you request its deletion, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g., if there are no further "We Say Hello" appointments). You have the right to receive information about the origin, recipient, and purpose of your stored personal data at any time free of charge. You also have the right to object, the right to data portability, and the right to lodge a complaint with the competent supervisory authority. Furthermore, you may request the correction, deletion, or, under certain circumstances, restriction of the processing of your personal data.

For the We Say Hello meeting, we use Jitsi Meet. More information can be found under Audio and Video Conferences

 

  1. Data Collection upon Contact

If you contact us by email, contact form, phone, or fax, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of processing your request. We do not share this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR, if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if this has been requested; consent can be revoked at any time.

The data sent by you to us via contact inquiries remains with us until you request its deletion, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g., after your request has been processed). Mandatory statutory provisions - in particular, statutory retention periods - remain unaffected.

General automatic deletion periods:

  • Tickets from non-customers: 6 months
  • Tickets from customers: 1 year
  • Tickets related to data protection: 3 years

 

  1. Audio and Video Conferences

Data Processing

We use online conference tools, among others, to communicate with our customers. The tools we use are listed below. When you communicate with us via video or audio conference over the internet, your personal data is collected and processed by us and the provider of the respective conference tool.

The conference tools collect all the data you provide/use to use the tools (email address and/or phone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants, and other "contextual information" related to the communication process (metadata).

In addition, the provider of the tool processes all technical data required to handle the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.

If content is exchanged, uploaded, or otherwise provided within the tool, it will also be stored on the servers of the tool providers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared during the use of the service.

Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policies of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed below.

Purpose and Legal Basis

The conference tools are used to communicate with prospective or existing contract partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to simplify and accelerate communication with us or our company in general (legitimate interest within the meaning of Art. 6(1)(f) GDPR). If consent has been requested, the tools in question are used solely based on this consent; the consent can be revoked at any time with effect for the future.

Storage Duration

The data directly collected by us via the video and conference tools will be deleted from our systems as soon as you request its deletion, revoke your consent to storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no control over the retention period of your data, which is stored by the operators of the conference tools for their purposes. For details, please refer directly to the operators of the conference tools.

Conference Tools Used

We use the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement.

The company is certified under the "EU-U.S. Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the U.S. Every company certified under the DPF is required to comply with these data protection standards. For more information, visit: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active.

Order Processing

We have concluded a data processing agreement (AVV) for the use of the above-mentioned service. This is a legally required contract that ensures that this provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Jitsi Meet

We use Jitsi Meet. If you communicate with us via Jitsi Meet, all data related to this communication process will be processed exclusively on our servers (On Premise).

Webex

We use Webex. The provider of this service is Webex Communications Deutschland GmbH, Hansaallee 249 c/o Cisco Systems GmbH, 40549 Düsseldorf, Germany.

It cannot be ruled out that data processed with WebEx may be transferred to third countries (e.g., to the USA). Webex has Binding Corporate Rules (BCR), which have been approved by the Dutch, Polish, Spanish, and other relevant European data protection regulatory authorities. These are binding internal company regulations that legitimize internal data transfers to third countries outside the EU and EEA. Details can be found here: https://www.cisco.com/c/de_de/about/trust-center/data-protection-and-privacy-policy.html and https://konferenzen.telekom.de/fileadmin/Redaktion/conference/cisco-webex/Webex_Compliance_Deutsch_V1.0.pdf.

Details on data processing can be found in the Webex privacy policy: https://www.cisco.com/c/de_de/about/legal/privacy-full.html.

Order Processing

We have concluded a data processing agreement (AVV) for the use of the above-mentioned service. This is a legally required contract that ensures that this provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

  1. Social Media

We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.

Social networks such as Facebook, X, etc., can typically analyze your user behavior extensively when you visit their websites or a website with integrated social media content (e.g., like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, data collection occurs, for example, through cookies stored on your device or by recording your IP address.

With the collected data, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This way, interest-based advertising can be displayed both inside and outside of the respective social media presence. If you have an account with the respective social network, interest-based advertising can be displayed on all devices where you are logged in or have been logged in.

Please also note that we cannot track all processing activities on the social media portals. Depending on the provider, additional processing activities may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policies of the respective social media portals.

Legal Basis

Our social media appearances are intended to ensure the broadest possible presence on the internet. This is a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by social networks may be based on different legal grounds, which must be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6(1)(a) GDPR).

Responsible Party and Assertion of Rights

If you visit one of our social media presences (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability, and complaint) against both us and the operator of the respective social media portal (e.g., Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full control over the data processing activities of the social media portals. Our options are largely determined by the corporate policies of the respective provider.

Storage Duration

The data directly collected by us via the social media presence will be deleted from our systems as soon as you request its deletion, revoke your consent to storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no control over the storage duration of your data, which is stored by the operators of the social networks for their purposes. For details, please refer directly to the operators of the social networks (e.g., in their privacy policy, see below).

Your Rights

You have the right to receive information about the origin, recipient, and purpose of your stored personal data at any time free of charge. You also have the right to object, the right to data portability, and the right to lodge a complaint with the competent supervisory authority. Furthermore, you may request the correction, restriction, or deletion of your personal data under certain circumstances.

Individual Social Networks

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter Meta). According to Meta, the collected data is also transferred to the USA and other third countries.

We have concluded a joint processing agreement (Controller Addendum) with Meta. This agreement specifies for which data processing operations we or Meta are responsible when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can independently adjust your advertising settings in your user account. Click the following link and log in: https://www.facebook.com/settings?tab=ads.

The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/.

The company is certified under the "EU-U.S. Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the U.S. Every company certified under the DPF is required to comply with these data protection standards. For more information, visit: https://www.dataprivacyframework.gov/participant/4452

X (formerly Twitter)

We use the short messaging service X (formerly Twitter). The provider is the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The entity responsible for processing data for persons living outside the USA is Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can independently adjust your X privacy settings in your user account. Click the following link and log in: https://x.com/settings/account/personalization.

The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://gdpr.x.com/en/controller-to-controller-transfers.html.

For details, please refer to X's (formerly Twitter) privacy policy: https://x.com/de/privacy.

Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details on how they handle your personal data, please refer to Instagram's privacy policy: https://privacycenter.instagram.com/policy/.

The company is certified under the "EU-U.S. Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the U.S. Every company certified under the DPF is required to comply with these data protection standards. For more information, visit: https://www.dataprivacyframework.gov/participant/4452

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube's privacy policy: https://policies.google.com/privacy?hl=en.

The company is certified under the "EU-U.S. Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the United States to ensure compliance with European data protection standards in data processing in the U.S. Every company certified under the DPF is required to comply with these data protection standards. For more information, visit: https://www.dataprivacyframework.gov/participant/5780

TikTok

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. For details on how they handle your personal data, please refer to TikTok's privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=en.

The data transfer to unsafe third countries is based on the EU Commission's standard contractual clauses. Details can be found here: https://www.tiktok.com/legal/privacy-policy?lang=en.

 

  1. Special Information for Parents

Although our website is generally not directed at children under the age of 16, we strictly comply with applicable laws regarding obtaining parental or guardian consent before collecting, using, or disclosing information from children. We strongly recommend that parents take an active role in monitoring their children's online activities. If you believe that we have collected personal data from a person under the age of 16, please notify us at datenschutz@petafuel.de.

 

  1. Changes to the Privacy Policy

We reserve the right to amend this Privacy Policy at any time within the framework of the law. The current version can be accessed on the website under the "Privacy Policy" link.