Home/Privacy Policy

CarVia Privacy Policy

Click here for the imprint.

Privacy Policy – CarVia

 

A General Information, Use of Services

The following information provides an overview of what happens to your personal data and how it is processed, disclosed, or deleted when you use our websites, apps, and services. Personal data is all data that can be used to personally identify you. You are neither contractually nor legally obliged to transmit personal data, but we may need to process such data if you wish to use our services.

We do not process your data beyond what is necessary for the proper provision of our services and only on the basis of your consent, unless such consent is factually impossible or the processing is permitted on the basis of legal requirements.

For the sake of better readability, we refrain from gender-specific formulations in the following; the terms apply equally to all genders.

 

1. Who is responsible for data collection?

The processing of your data is carried out by (hereinafter referred to as "CarVia"):

CarVia GmbH
Fraunhoferstr. 23H
D-80469 Munich

Managing Directors: Joschka Reik, Julian Reik
E-mail: [email protected]
Telephone: +49 (0)89 954573640
Websites: www.carvia.de / www.carvia.com

You can reach us via the above-mentioned communication channels (keyword: data protection).

 

2. What data do we collect?

The following types of personal data may be processed in connection with our services:

  • Master data: first name, last name, address, date of birth, gender, language, e-mail address, telephone number, device ID of the mobile phone, customer number
  • Contract data: driver’s license, ID card, passport details, photos of documents or of yourself taken with your smartphone, self-created passwords, individual tariffs and discounts, contract duration, customer status (including third parties, e.g. in the context of an additional driver)
  • Booking data: vehicle model, pick-up and return times, pick-up and return locations, booked additional services, reservation number, license plate of the rented vehicle
  • Financial data: credit card details, bank account, credit check
  • Communication data: contents of calls or written inquiries, contact history, voluntary information such as additional requests
  • Geodata: data for locating your position during registration, vehicle search, rental start, rental end, telematics data (e.g. Bluetooth token, GSM data, mileage, fuel level, location of the vehicle), driving log
  • Special categories of data in exceptional cases: this includes accidents (e.g. witness statements, health data)

 

3. On what legal basis do we collect your data?

  • Art. 6 (1) (a) GDPR: Processing of personal data is permitted if you have consented to the processing.
  • Art. 6 (1) (b) GDPR: Processing of personal data is lawful if it is necessary for the performance of a contract to which you are a party, or for the implementation of pre-contractual measures (e.g. when booking a vehicle) at your request.
  • Art. 6 (1) (c) GDPR: Processing of personal data is lawful if it is necessary to comply with a legal obligation to which CarVia is subject.
  • Art. 6 (1) (d) GDPR: Processing of personal data is lawful if it is necessary to protect the vital interests of the data subject or of another person.
  • Art. 6 (1) (f) GDPR: Processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller (CarVia) or a third party, provided that your interests or fundamental rights and freedoms are not overridden.
  • Art. 9 (2) (f) GDPR: Special categories of personal data may be processed if the processing is necessary for the establishment, exercise, or defense of legal claims. This includes health data.

 

4. How do we collect your data?

Your data is collected partly by you providing it to us. This may include data you enter in a contact form, provide during registration for CarVia services, or provide when making a booking, particularly in the following categories: master data, contract data, booking data, financial data, communication data.

Other data is collected automatically when you use our websites, app, or services through our IT systems. This is primarily technical data (e.g. internet browser, operating system, or time of page access). The collection of this data takes place automatically and is explained in more detail in specific sections of this Privacy Policy.

Data collected via third parties will be explained separately in the further course of this Privacy Policy.

5. What do we use your data for?

a) Creation of a CarVia account

To use certain services (e.g. CarVia Share via mobile app), the creation of a CarVia account is mandatory. For this purpose, master data, contract data, and financial data are requested. We process your data on the basis of Art. 6 (1) (b), (f) GDPR.

For the verification of documents and identity, photo or video recordings that you create with your mobile phone are used. Biometric features are automatically as well as manually compared by CarVia, and security features such as holograms are checked.

The legal basis for verification is Art. 6 (1) (a), (c) GDPR in conjunction with § 21 (1) No. 2 StVG (German Road Traffic Act). As the vehicle owner, we are obliged to verify our users’ driving licenses. This includes not only the image of the driver’s license but also images of further documents in order to make identity theft more difficult.

 

b) Creation of a vehicle reservation

Reservations can be made via different channels such as website, telephone, e-mail, or app. Depending on the channel, master data, contract data, booking data, financial data, communication data, and geodata are requested. We use payment service providers for the processing of payments.

The legal bases for the above processing are Art. 6 (1) (a) GDPR for consent, Art. 6 (1) (b) GDPR for reservations including billing and customer support, and Art. 6 (1) (c) GDPR for compliance with regulatory requirements.

 

c) General vehicle rental

We process your master data, contract data, booking data, financial data, communication data, and geodata for the conclusion of the rental contract, general customer service, prevention of criminal acts, and billing.

The legal bases for the above processing are:

  • Art. 6 (1) (b) GDPR for the conclusion and performance of rental contracts, including billing and customer service,
  • Art. 6 (1) (c) GDPR for the detection, prevention, and clarification of criminal acts, compliance with regulatory requirements, and commercial and tax law retention obligations,
  • Art. 6 (1) (f) GDPR for billing to third parties as well as fraud prevention and risk management.

We have a legitimate interest in offering our services with the best possible customer orientation and in avoiding economic disadvantages such as vehicle loss or payment defaults.

 

d) Rental of a vehicle via the CarVia app

The CarVia app enables station-free vehicle rental via your smartphone. For locating you and the available vehicles, your location is determined via GPS technology. Location determination also occurs in other situations at your request, in particular when opening the vehicle, during intermediate parking, and when ending the trip.

For fraud prevention purposes, we reserve the right to compare the vehicle location with the driving profile and the device location.

During the trip, an anonymized and encrypted comparison of the data of your smartphone and the vehicle takes place. Telematics data are used, for example, to prevent the end of the rental (e.g. with open windows) or to prevent parking outside the business area (via location tracking).

The legal bases for the above processing are Art. 6 (1) (a), (b), (f) GDPR.

 

e) Customer support

You can contact us via communication channels such as e-mail, website form, chat, telephone, or postal mail. Based on your inquiry, we process personal data that result from the scope and type of the request.

We process your data on the basis of Art. 6 (1) (b) GDPR in order to provide our contractual services to you and to answer your customer inquiries quickly and effectively.

Disclosure of data does not take place, except in cases of a legal obligation pursuant to Art. 6 (1) (c) GDPR and the StVG (German Road Traffic Act).

 

f) Billing

We process our customers’ data in accordance with Art. 6 (1) (b) GDPR in order to invoice our services after performance. We process the data required for this purpose and point out the necessity of their provision if this is not evident to the contracting parties.

The processed data include master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers), contract data (e.g. services used, contract contents, contractual communication, names of contact persons), and payment data (e.g. bank details, payment history).

Disclosure of this data to third parties generally does not occur, except where it is necessary for the enforcement of our claims pursuant to Art. 6 (1) (f) GDPR, or where there is a legal obligation pursuant to Art. 6 (1) (c) GDPR. We expressly reserve the right to use the services of legal service providers (collection agencies, lawyers, etc.) for the enforcement of claims and to transmit customer and contract partner data to them to the necessary extent.

Data is deleted when it is no longer required for the performance of contractual or statutory duties of care and for the handling of any warranty and comparable obligations. Statutory retention obligations remain unaffected.

It is necessary to transfer data to a payment service provider so that the transaction can be carried out. The payment service provider receives the name and address, the stored payment method, and possibly bank details, a pseudonymized ID, and invoice data. CarVia is informed by the payment service provider of a successful or unsuccessful payment.

The payment service provider is:
Stripe, Inc.
510 Townsend Street
San Francisco, CA 94103, USA
Privacy Policy: https://stripe.com/de/privacy

A data processing agreement has been concluded with Stripe. In addition, compliance with the requirements of Art. 44–49 GDPR regarding the transfer of personal data has been verified.

 

g) Fleet management through vehicle data

CarVia vehicles may transmit information such as mileage, speed, fuel volume, location, and triggering of vehicle sensors via networking functions. This is done by the manufacturers or by CarVia itself and may serve not only maintenance and fleet organization but also the prevention of hazards through misuse.

Our legitimate interest lies in providing our users with regularly maintained, functional, and safe vehicles. The legal basis for the necessary data processing is Art. 6 (1) (f) GDPR.

 

h) Credit check

CarVia uses credit checks to protect itself against payment defaults or user misuse.

In the course of the credit check, your personal data are transmitted to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (“SCHUFA”).

We reserve the right, based on the result of the credit check, to temporarily deactivate your user account. If you fail to meet your contractual payment obligations to CarVia, we reserve the right to report this to SCHUFA.

Further information on profiling (scoring), the disclosure of your data by SCHUFA, and the general activities and data protection provisions of SCHUFA can be found at: www.schufa.de/datenschutz

The legal basis for the credit check is Art. 6 (1) (f) GDPR. We have a legitimate interest in protecting ourselves against payment defaults.

 

i) Claims settlement

In the event of damage affecting one of our vehicles directly or indirectly (e.g. as a causer without own damage), we collect personal data in order to support the user, clarify the course of damage, settle the damage, and assert our own claims.

Due to statutory or contractual obligations, we may be required to collect, process, or disclose further data, in particular to public authorities or claims adjusters. This may also include health-related data, especially with regard to injuries or alcohol and drug consumption. The legal basis in this case is Art. 9 (2) (f) GDPR.

The legal bases for data processing in other cases are Art. 6 (1) (b), (c), (f) GDPR.

 

j) Prevention of misuse

We reserve the right to take the following measures to prevent misuse:

  • Geofencing: When leaving an area defined by us, the vehicle automatically sends a warning message. Based on telematics and vehicle data, we can then assign the incident to you in order to contact you.
  • Fuel drainage, wheel changes, misuse of fuel and charging cards: Sensors in the vehicles can transmit warning messages when a tank is emptied or a wheel change is carried out. Furthermore, unusual refueling or charging operations using the provided cards may trigger warnings. After detecting unauthorized activity, we can assign the incident to you in order to contact you.

In the event of criminal behavior, we reserve the right to transmit personal data to public authorities.

In the event of violations, in particular against the StVG, we may receive reports from other road users or the police. The transmitted information is recorded by us and reviewed on a case-by-case basis. To comply with our owner obligations pursuant to Art. 21 StVO as well as to protect third parties, we reserve the right to block user accounts in the event of suspected driving misconduct. Further review of the allegations only takes place if the affected user objects or upon request by public authorities. In this context, in addition to the data transmitted by the app during use, data from a black box installed in each vehicle may be evaluated. These data are recorded in a way that is linkable to persons but not directly personalized.

We have a legitimate interest in protecting ourselves against attempted fraud and violations of our General Terms and Conditions. We review and process data in this context on the basis of Art. 6 (1) (f) GDPR and assume that such checks are generally also in the interest of users and do not represent an intrusion into their rights and freedoms.

 

k) Referral program

Registered users may voluntarily recommend CarVia via a code or link in order to secure a bonus (e.g. free minutes) for the referred party and/or themselves. Participation involves processing of parts of your master data and communication data. This also serves the prevention of fraud cases.

If you as a referred person receive a link or code, you have the option to register for our services. If you do not actively do so, no personal data will be transmitted to us. Matching of the referrer with the above-mentioned data takes place when the referred person registers with their master data, for the purpose of assigning the two parties and crediting the bonus.

The legal basis for the data processing is Art. 6 (1) (b) GDPR.

 

6. Disclosure of data

In order to fulfill our contractual and legal obligations as well as to enforce our legitimate interests, we sometimes cooperate with external companies or individuals (processors, joint controllers). This only takes place on the basis of a legal provision (e.g. transfer of data to payment service providers for the performance of the contract, Art. 6 (1) (b) GDPR) and with your consent.

Cooperation on the basis of a data processing agreement is governed by Art. 28 GDPR.

If we or an authorized third party process or transfer data in a third country outside the EU (European Union) or the EEA (European Economic Area), your consent, the performance of (pre-)contractual obligations, legal requirements, or our legitimate interest must justify this. Regardless of this, data processing will only take place if the conditions of Art. 44 et seq. GDPR (special guarantees, standard contractual clauses, officially recognized level of data protection) are met.

 

7. Retention periods for your data

The duration for which we store your personal data depends on factors such as the purpose of data processing or legal requirements.

For legally prescribed periods, we comply with the regulations on retention duration. The period may range from three to thirty years. In particular, commercial and tax law may provide for retention periods of six to ten years. The legal basis for this storage is the respective statutory provisions as well as Art. 6 (1) (c) GDPR.

Data that we process for the performance of a contract are generally stored for the duration of the contractual relationship.

Data of blocked users may be stored permanently in order to prevent re-registration. This is a legitimate interest pursuant to Art. 6 (1) (f) GDPR.

 

8. What rights do you have regarding your data?

a) Right of access

Pursuant to Art. 15 GDPR, you have the right to obtain information free of charge at reasonable intervals about the origin, recipient, and purpose of your stored personal data.

b) Right to rectification

Pursuant to Art. 16 GDPR, you have the right to have inaccurate data corrected by us and incomplete data completed.

c) Right to erasure

Pursuant to Art. 17 GDPR, you have the right to request the erasure of your personal data. Regardless of this, we will delete your personal data when the purposes for which the data were collected no longer apply or when data has been unlawfully processed.

d) Right to restriction of processing

Pursuant to Art. 18 GDPR, you have the right to restrict the processing of personal data if you contest the accuracy of the data. We must verify this situation and will not process your data further until the objection has been clarified.

e) Right to data portability

Pursuant to Art. 20 GDPR, you have the right to request that we provide your data in a machine-readable format to you or a third party of your choice.

f) Right to notification

If you request correction, deletion, or restriction of the processing of your data, we are obliged to notify all recipients to whom we have disclosed this data. This does not apply if this proves impossible or only involves disproportionate effort.

g) Right to object

Pursuant to Art. 21 GDPR, you have the right to object to the processing of personal data. In this case, we will suspend processing and review whether there are compelling legitimate grounds that override your interests.

You have the right to object at any time to the processing of personal data for direct marketing purposes. We will then no longer use your data for advertising purposes.

h) Right to withdraw consent

You have the right to withdraw your consent to data processing at any time. The lawfulness of data processing carried out on the basis of consent before its withdrawal remains unaffected.

i) Right to lodge a complaint

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that we have violated data protection law. You may contact the data protection authority at your place of residence, place of work, or the location of the alleged infringement.

The competent authority for CarVia is:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
D-91522 Ansbach
Germany

 

B Data collection on our website and our social media accounts

To provide and promote information about CarVia and our services, to display communication channels, to conduct analyses and market research, and to ensure the security of our online presence, we process data from you as a user.

The data collected during use may include demographic characteristics, preferences, visited websites, metadata such as device information, approximate locations, and IP addresses.

The details of data processing and integrated service providers can be found in the following sections.

1. Cookies

Our websites use so-called cookies in part. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offering more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called “session cookies.” They are automatically deleted after the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser during your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. Deactivating cookies may restrict the functionality of this website.

Cookies that are necessary to carry out the electronic communication process or to provide certain functions you have requested are stored on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. If other cookies (e.g. cookies for analyzing your surfing behavior) are stored, these will be treated separately in this Privacy Policy.

 

2. Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

This data will not be merged with other data sources. The legal basis for data processing is Art. 6 (1) (f) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.

 

3. SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to “https://” and by the lock symbol in your browser line.

This means we comply with the requirements of Art. 32 GDPR. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

4. Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We will not pass on this data without your consent.

The processing of the data entered into the contact form thus takes place exclusively on the basis of your consent, if this has been requested (Art. 6 (1) (a) GDPR). In other cases, processing is carried out on the basis of Art. 6 (1) (b) GDPR, if necessary for the performance of (pre-)contractual measures, or on the basis of Art. 6 (1) (f) GDPR (legitimate interest in processing your inquiry).

You can withdraw your consent at any time. An informal message by e-mail to us is sufficient. The lawfulness of the data processing carried out until the withdrawal remains unaffected by the withdrawal.

The data you enter in the contact form will remain with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

 

5. Data transfer upon contract conclusion for goods dispatch

We only transfer personal data to third parties if this is necessary within the framework of contract processing, for example to the company entrusted with the delivery of the goods or the credit institution entrusted with payment processing. Any further transfer of data will not take place, or only if you have expressly consented to the transfer. Your data will not be passed on to third parties without express consent, for example for advertising purposes.

The legal basis for data processing is Art. 6 (1) (b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.

 

6. Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called “cookies” and similar technologies. Cookies are text files that are stored on your computer and allow an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a server of Google in the USA and stored there. Your IP address is usually shortened when using Google Analytics in order to make identification more difficult.

The storage of Google Analytics cookies is based on Art. 6 (1) (a) GDPR, in accordance with the corresponding user consent. An opt-out cookie will be set, which prevents the collection of your data during future visits to this website: Disable Google Analytics.

Our aim in using Google Analytics is to further optimize our service and to be able to offer more to potential users. The Google Analytics statistics help us to better understand our customers and support us in achieving this goal.

Google Analytics sets the following cookies:

  • Name: _ga (Google Analytics js) → Purpose: Google uses this cookie to store the ID of users and to distinguish users. Expiry: after 2 years
  • Name: _gid → Expiry: after 24 hours
  • Name: gat_gtag_UA<property-id> → Purpose: When Google Analytics is provided via Google Tag Manager, this cookie receives this name. Expiry: after 1 minute

Storage duration: We have limited the storage period to 14 months in order to comply with the principle of storage limitation pursuant to Art. 5 GDPR. This retention period applies to data linked to cookies, user identifiers, and advertising IDs. Report results are based on aggregated data and are stored independently of user data.

More information on how Google Analytics handles user data can be found in Google’s Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en

 

6.1 Browser plugin

You can prevent the storage of cookies by adjusting your browser software settings accordingly; however, please note that in this case you may not be able to use all functions of this website to their full extent.

In addition, you can prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link:
https://tools.google.com/dlpage/gaoptout?hl=en

 

6.2 Objection to data collection

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set that prevents the collection of your data during future visits to this website: Disable Google Analytics.

More information on how Google Analytics handles user data can be found in Google’s Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en

 

6.3 Data processing agreement

We have concluded a data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

 

6.4 Demographics in Google Analytics

This website uses the “demographics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender, and interests of site visitors. These data come from interest-based advertising by Google as well as from visitor data from third-party providers. These data cannot be assigned to a specific person.

You can disable this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described under “Objection to data collection.”

 

7. Google Tag Manager

We use the service called Google Tag Manager provided by Google. “Google” is a group of companies and consists of Google Ireland Ltd. (service provider), Gordon House, Barrow Street, Dublin 4, Ireland, as well as Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and other affiliated companies of Google LLC.

We have concluded a data processing agreement with Google. Google Tag Manager is a support service and processes personal data only for technically necessary purposes. Google Tag Manager ensures the loading of other components, which in turn may collect data. Google Tag Manager does not access these data. The service helps us to conduct evaluations of the website via a central interface and to organize other data, e.g. from Google Analytics, Facebook, or Instagram.

We use Google Tag Manager on the basis of Art. 6 (1) (f) GDPR and our legitimate interest in optimally designing the content on our websites for users.

Further information on Google Tag Manager can be found in Google’s Privacy Policy.

Please note that U.S. authorities, such as intelligence services, may gain access to personal data due to U.S. laws such as the Cloud Act, which are inevitably exchanged with Google when this service is integrated based on the Internet protocol (TCP).

 

8. Google Analytics Remarketing

Our websites use the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been customized depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC).

If you have given the corresponding consent, Google links your web and app browsing history with your Google account for this purpose. This way, the same personalized advertising messages can be displayed on every device on which you sign in with your Google account.

To support this function, Google Analytics collects Google-authenticated IDs of users, which are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising.

You can permanently object to cross-device remarketing/targeting by deactivating personalized advertising in your Google account; to do this, follow this link: https://www.google.com/settings/ads/onweb/.

The summary of the data collected in your Google account takes place exclusively on the basis of your consent, which you can give or revoke at Google (Art. 6 (1) (a) GDPR). For data collection processes not merged in your Google account (e.g. because you do not have a Google account or have objected to merging), data collection is based on Art. 6 (1) (f) GDPR. The legitimate interest results from the fact that the website operator has an interest in the anonymized analysis of website visitors for advertising purposes.

Further information and the privacy policy can be found in Google’s Privacy Policy: https://www.google.com/policies/technologies/ads/

 

9. Google AdWords and Google Conversion Tracking

This website uses Google AdWords. AdWords is an online advertising program provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

As part of Google AdWords, we use so-called conversion tracking. If you click on an ad placed by Google, a conversion tracking cookie is set. Cookies are small text files that your internet browser places on the user’s computer. These cookies expire after 30 days and are not used for personal identification. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user clicked on the ad and was redirected to this page.

Each Google AdWords customer receives a different cookie. The cookies cannot be tracked via the websites of AdWords customers. The information collected using the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information with which users can be personally identified.

If you do not wish to participate in tracking, you can object to this use by easily deactivating the Google conversion tracking cookie via your internet browser under user settings. You will then not be included in the conversion tracking statistics.

The storage of “conversion cookies” is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its web offering and its advertising.

Further information on Google AdWords and Google Conversion Tracking can be found in Google’s Privacy Policy: https://www.google.de/policies/privacy/.

You can set your browser to inform you about the setting of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies in certain cases or in general, and to activate the automatic deletion of cookies when closing the browser. The functionality of this website may be restricted if cookies are deactivated.

 

10. Google reCAPTCHA

We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on our websites. The provider is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

The purpose of reCAPTCHA is to check whether data entry on our websites (e.g. in a contact form) is carried out by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website, or user’s mouse movements). The data collected during the analysis are forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

Data processing is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in protecting its websites against abusive automated spying and against spam.

Further information on Google reCAPTCHA and Google’s Privacy Policy can be found at the following links:
https://www.google.com/intl/en/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html

 

11. Facebook Pixel

Our website uses the visitor action pixel from Facebook for conversion measurement. The provider is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).

This allows the behavior of site visitors to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This makes it possible to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to optimize future advertising measures.

The collected data is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook may use the data for its own advertising purposes in accordance with the Facebook Data Policy. As a result, Facebook can enable ads to be placed on Facebook pages and outside of Facebook. We as the website operator cannot influence this use of data.

With the help of the “Custom Audiences” function, it is possible for us to display Facebook ads only to those users who have shown interest in our online offering or who have certain characteristics that we transmit to Facebook (e.g. visited websites).

Further information on the protection of your privacy can be found in Facebook’s Data Policy: https://www.facebook.com/about/privacy/.

You can also deactivate the remarketing function “Custom Audiences” in the ad settings section under: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.

If you do not have a Facebook account, you can disable usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

 

12. Newsletter

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. No further data is collected, or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.

The processing of the data entered in the newsletter registration form is carried out exclusively on the basis of your consent (Art. 6 (1) (a) GDPR). You can withdraw your consent to the storage of the data, the e-mail address, and its use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The lawfulness of the data processing already carried out remains unaffected by the withdrawal.

The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after you unsubscribe. Data that has been stored by us for other purposes (e.g. e-mail addresses for the member area) remains unaffected.

Irrespective of your subscription to our newsletter, we send important customer information via e-mail circulars. We consider it mandatory that the information contained therein (changes to terms of use, tariffs, technical and organizational information) reaches you; therefore, automatic unsubscription via link is not possible. Pursuant to Art. 21 GDPR, however, you may object, in which case you undertake to inform yourself about the content of the circulars.

 

13. Plugins and Tools

13.1 YouTube

Our website uses plugins from YouTube, a site operated by Google. The operator is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube’s servers is established. The YouTube server is informed which of our pages you have visited.

If you are logged into your YouTube account, you enable YouTube to directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your YouTube account.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

Further information on the handling of user data can be found in YouTube’s Privacy Policy: https://www.google.de/intl/en/policies/privacy.

 

13.2 Google Web Fonts

This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

For this purpose, the browser you are using must connect to Google’s servers. In this way, Google learns that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a uniform and attractive presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

If your browser does not support web fonts, a standard font from your computer will be used.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google’s Privacy Policy: https://www.google.com/policies/privacy/.

 

13.3 Google Maps

This site uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer.

The use of Google Maps is in the interest of an attractive presentation of our online offers and easy location of the places specified by us on the website. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

More information on the handling of user data can be found in Google’s Privacy Policy: https://www.google.de/intl/en/policies/privacy/.

 

14. PayPal

We offer payment via PayPal on our website, among other options. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).

If you choose payment via PayPal, the payment data you enter will be transmitted to PayPal.

The transmission of your data to PayPal takes place on the basis of Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (processing for the performance of a contract). You have the option of withdrawing your consent to data processing at any time. A withdrawal does not affect the validity of data processing operations carried out in the past.

 

15. HubSpot

We use HubSpot, a digital marketing tool, on our website. The service provider is the American company HubSpot, Inc., 25 First St 2nd Floor Cambridge, MA, USA (European headquarters: 1 Sir John Rogerson’s Quay, Dublin 2, Ireland).

HubSpot processes your data, among other locations, in the USA. We point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may entail various risks for the lawfulness and security of data processing.

As a basis for data processing with recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, in particular in the USA) or for data transfer there, HubSpot uses so-called Standard Contractual Clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even when transferred and stored in third countries (such as the USA). Through these clauses, HubSpot undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en

The Data Processing Agreement, which complies with the Standard Contractual Clauses, can be found here: https://legal.hubspot.com/dpa

For more information about the data processed through the use of HubSpot, please see the Privacy Policy at: https://legal.hubspot.com/privacy-policy

 

16. Applications

We offer you the opportunity to apply for job vacancies on our websites and on external job portals by providing personal data. The personal data you transmit to us in this context will be stored by us. The data processed is evident from the respective input forms. Only fields that are mandatory for the use of the respective offer are marked as required in the forms.

We pass on your personal data within the scope permitted by law to our service provider, Personio GmbH, Rundfunkplatz 4, 80335 Munich, Germany (https://www.personio.de/), which supports us in the selection of applicants. This company is itself obliged to comply with applicable data protection regulations, in particular, it may process the data exclusively for the fulfillment of its tasks on our behalf and only according to our instructions.

For your participation in the application process, the provision of personal data is necessary, which comes from the documents you provide to us, such as cover letters, CVs, application photos, certificates, or other professional qualification records. This may include personal master data such as first name, last name, address, date of birth, contact details such as telephone number or e-mail address, as well as data relating to your educational and/or professional background, such as school and work certificates, data on education, internships, or previous employers.

The processing of personal data is carried out on the basis of Art. 88 (1) GDPR in conjunction with § 26 BDSG (German Federal Data Protection Act). If the application leads to employment, your personal data will be transferred to the personnel file.

In the event of a rejection of an application, the data will be anonymized 90 days after the rejection.