Last update: August 2021
The Data Privacy Statement below provides information about the type of personal data that is processed, as well as information about the purpose and the extent to which such data is processed by us. The Data Privacy Statement applies to all personal data that is processed by us, both in the context of providing our service as well as (and in particular) on our websites, in mobile applications and in the context of our on-line presence, such as our social media profiles.
TÜV-certified data protection officer
CI HUB GmbH
Authorised representatives: Jörg Seidler, Andreas Michalski, Jasper Ullrich
E-mail address: firstname.lastname@example.org
The overview below summarises the types of data that are processed and the purposes for which they are processed, and also makes reference to the affected persons (data subjects).
Types of data that are processed
Categories of data subjects
Fundamental legal basis
The legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process personal data, is outlined below.
The national data protection requirements in your / our country of domicile/residence also apply in addition to the GDPR provisions. In the Federal Republic of Germany, that is the Federal Data Protection Act (BDSG). More specific legal foundations that may apply to individual cases are also noted in the Data Privacy Statement.
In order to warrant a protection level that is commensurate with the risk, our service is protected with the appropriate technical and organisational measures in accordance with the statutory provisions and taking into account the state of technology, the implementation costs and the type, scope, circumstances and purposes of processing and the different probabilities of occurrence and the size of the threat to the rights and freedoms of natural persons.
In the context of visiting the website, we use the popular SSL (Secure Socket Layer) method together with the highest level of encryption that is supported by your browser. Usually, this means 256-bit encryption. If your browser does not support 256-bit encryption, we will instead use 128-bit v3 technology. The key/lock symbol will be displayed in the lower status bar of your browser if a web page is transmitted using encryption.
We also avail ourselves of the appropriate technical and organisational security measures to protect your data against incidental or intentional manipulation, partial or total loss, destruction and unauthorised third-party access. Our security measures are continuously improved in accordance with technological advances.
In the context of processing personal data, it is possible that the data is transmitted or disclosed to other units, companies, legally independent organisational units or persons. Recipients of the data may include e.g. payment institutions in the context of payment transactions, IT service providers or providers of other services and contents that are included in our service. In such cases, we comply with the statutory provisions and will conclude the appropriate contracts/agreements designed to protect your data with the recipients of your data.
Data transmitted within the organisation
We may also transmit personal data to other companies within our organisation, or we may grant them access to this data. Where data is transmitted for administrative purposes, the data is transmitted on the basis of our justified entrepreneurial and business interests, or if this is required in order to comply with our contract-related obligations, if the data subject has consented to the transmission or if legal permission has been granted in this regard.
To the extent that we process data in a third country (outside of the European Union, the European Economic Area) or the data is processed in the context of using third-party services or the disclosure/transmission of data to other persons, units or companies, such action will only be taken in compliance with the statutory provisions.
Cookies are text files that contain the data of visited websites or domains and that are stored on the user’s computer by a browser. The main purpose of a cookie is to store information about users during or after their visit to a website. The information that is stored can include the language settings on a website, the log-in status, a shopping basket or the location at which a video was viewed. Moreover, other technologies that function in the same way as cookies (e.g. user IDs) are also considered cookies.
A distinction is made between the following cookie types and functions:
Unless we provide explicit information about the storage period for permanent cookies, you can assume that the storage period may be up to two years.
Before processing data (or having data processed) in the context of using cookies, we will request the user’s consent, which can be withdrawn at any time. Before such consent is obtained, at most those cookies that are required to operate our on-line product will be utilised. They are used on the basis of our interest and the user’s interest in the expected integrity of our on-line product.
We process the data of our contracting parties, business partners and interested persons in the context of contractual and comparable legal relationships and associated measures, and in the context of communicating with the contracting parties (or prior to the contract in order to respond to inquiries). We process this data to comply with our contractual obligations, to protect our rights, and for the purposes of the administration tasks that are associated with this information, and for business organisation purposes. The data of our contracting parties will only be forwarded to third parties in the context of the applicable laws to the extent that this is required for the aforementioned purposes or to comply with statutory obligations, or if this is done with the consent of the contracting parties (e.g. to participating telecommunications, transport and other services, as well as subcontractors, banks, tax/legal advisors, payment services providers or tax authorities). Information regarding additional forms of processing is provided below. The contracting parties will be informed of the type of data that is required for the aforementioned purposes either before or after in the context of the data collection process.
We delete the data after the expiry of the statutory warranty and comparable obligations, i.e. generally after four years, unless the data is saved in a customer account, e.g. as long as it must be retained for legal archiving purposes (e.g. normally ten years for tax purposes). Data that was disclosed to us in the context of an order by the contracting party will generally be deleted after the end of the order, in accordance with the specifications of the order.
To the extent that we use third-party providers or platforms to render our services, the terms and conditions and the data privacy information of the respective third-party providers or platforms apply with regard to the relationship between the users and the providers.
Contracting parties can create an account within the context of our on-line product (e.g. customer/user account). The customer accounts are not public and cannot be indexed by search engines. In the context of the registration process and the subsequent log-ins and use of the customer account, we store the customers’ IP addresses as well as the access times in order to verify the registration and prevent the possible misuse of the customer account. When customers terminate their accounts, the data associated with the customer account will be deleted unless this information must be retained for legal reasons. It is the customers’ responsibility to save their data when they terminate their account.
We process the data of our users, registered and possible trial users in order to render our contractual services to these users, and on the basis of our justified interests in order to warrant and enhance the security of our product. Mandatory information is designated as such during the order process or a comparable conclusion of a contract, and it includes the information that is required to provide the service and for settlement purposes, as well as contact information that may be required for communication purposes.
We offer our services on on-line platforms that are operated by other service providers. In this context, the data privacy information of the respective platforms applies in addition to our data privacy information. This applies in particular to the processes for measuring reach and interest-based marketing that are used on these platforms.
In the context of contractual and other legal relationships, and on the basis of statutory obligations or otherwise on the basis of our justified interests, we provide the data subjects with efficient and secure payment options and use banks, credit institutions and other payment service providers for this purpose.
The data that is processed by the payment service providers includes inventory data (e.g. name and address), bank data (e.g. account number or credit card number, passwords, TANs and audit sums), as well as contractual information, information related to totals and recipient-related information. This information is required to execute the transactions. However, the data that is entered is only processed by the payment service provider and stored at the same. We only receive information confirming the payment (or non-payment). In some cases, the payment service provider may transmit the data to credit reporting agencies. This is done to verify the identity and the credit rating. To this end, we refer to the Terms and Conditions and the data privacy information of the payment service providers.
The Terms and Conditions and the data privacy information of the respective payment service providers apply to the payment transactions; this information can be accessed on the respective websites or transaction applications. We also refer to these for additional information and for the assertion of withdrawal, information and other rights of data subjects.
At this time, we only use Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom as an additional payment service provider. The data privacy information and General Terms and Conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://paddle.com/privacy.
For the secure and efficient provision of our service, we use the services of one or more web hosting providers, and it is from their servers (or the servers managed by them) that the service can be accessed. For this purpose, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data that is processed in the context of providing the hosting service may include all of the data relating to the users of our service, which is generated during use and communication activities. This regularly includes the IP address, which is required to provide the contents of our service, as well as all information that is entered as part of our service or by websites, along with the meta data packages for the use of our services.
We use the following third-party providers for this purpose:
We (or our web hosting provider) collect data each time the server is accessed (so-called server log files). The server log files can include the address and name of the accessed web pages and files, the date and time of access, the transmitted data volumes, report of successful access, browser type including version, the user’s operating system, the referrer URL (the previously visited page), and normally the IP addresses and the requesting provider.
Users can create a user account. During the registration process, the required information is provided to the users and processed for the purpose of making available the user account on the basis of the contractual performance. In particular, the data that is processed also includes the log-in information (name, password and an e-mail address). The information that is entered during the registration process is utilised in order to use the user account and for the purpose of the same.
When users terminate their account, their data relating to the user account will be deleted, subject to a statutory retention obligation. It is the users’ responsibility to save their data before the end of the contract when they terminate their account. We are entitled to irrevocably delete all of the user’s data that was saved during the term of the contract.
In the context of utilising our registration and log-in functions and the use of the user account, we (or third-party provider Okta Inc.) will save the IP address and the time of the respective user’s action. This information is saved on the basis of our justified interests and also in the interests of the users to protect against misuse or another unauthorised action. In general, this data is not forwarded to other third parties unless this is required to pursue our claims or a statutory obligation exists in this regard.
For the purposes of registration, log-in and user account administration, we use the services of Okta Inc., 301 Brannan Street, San Francisco, CA 94107 United States. The data privacy information and General Terms and Conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://www.okta.com/privacy-policy/.
When you contact us (using the contact form, e-mail, telephone or via social media), we process your information if this is required to respond to the contact inquiries and other required measures. We respond to contact inquiries in the context of contractual or pre-contractual relationships in order to comply with our contractual obligations, or to respond to (pre)contractual inquiries, and for the remainder on the basis of our justified interests to respond to the inquiries.
We also use the third-party service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA, for communication purposes. The General Terms and Conditions and the data privacy information for HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
We use Messenger for communication purposes and therefore request that you familiarise yourself with the information below with regard to Messenger’s integrity, encryption, use of communication meta data and your right to object.
You can also contact us using alternative methods, e.g. by telephone or e-mail. Please use the available contact options or the contact options indicated in our service.
At the same time, we also advise our communication partners that while the providers of Messenger do not view the contents, they are able to deduce that/when communication partners are communicating with us, and that technical information about the device used by the communication partners and (depending on the settings of their device) location information (meta data) will also be processed.
To the extent that we request the communication partners’ consent via Messenger before the start of communication, consent forms the legal basis of our processing of their data. For the remainder, if we do not ask for consent and they e.g. initiate the contact, we use Messenger (both with regard to our contracting parties and in the context of initiating a contract) as a contractual activity and, in the case of other interested persons and communication partners, on the basis of our justified interests in rapid and efficient communication and to meet the needs of our communication partners for communicating via Messenger. We furthermore advise that we do not forward the contact details that have been provided to us to Messenger for the first time without your consent.
You can withdraw your consent and object to communicating with us via Messenger at any time. If we communicate via Messenger, we will delete the messages in accordance with our general deletion guidelines (e.g. as described above, after the end of contractual relationships, in the context of archiving requirements etc.) and otherwise as soon as we can assume that we have responded to the inquiries of the communication partners, if it is not expected that reference will be made to a previous conversation, and if the deletion is not opposed by any statutory retention obligations.
Finally, we would like to note that we reserve the right to decline to answer inquiries via Messenger for reasons pertaining to your security. That is the case if e.g. internal information pertaining to a contract must be kept secret, or if responding via Messenger does not satisfy the formal requirements. In such cases, we will direct you to our other communication channels.
We use the service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA, for communicating via Messenger. The General Terms and Conditions and the data privacy information for HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
We only send out newsletters, e-mails and other electronic notifications with the recipient’s consent or with legal permission. Insofar as the contents of a newsletter are described in detail in the context of registering for a newsletter, such contents are authoritative for the user’s consent. For the remainder, our newsletters contain information about us and our services. In general, you only need to provide your e-mail address to register for our newsletter. However, we may ask you to provide a name (for a personalized salutation in the newsletter) or other information, if this is required for the purpose of the newsletter.
Double opt-in procedure: In general, people registering for our newsletters do so by using a double opt-in procedure. After registering, you will receive an e-mail asking you to confirm the registration. This confirmation is required to prevent people from registering using someone else’s e-mail address. Newsletter registrations are logged so the registration process can be verified in accordance with the legal requirements. This includes storing the time of registration and confirmation, and the IP address. Similarly, changes to your data that is stored with the delivery service provider are also logged.
Deletion and restriction to processing: On the basis of our justified interests, we can store no-longer-valid e-mail addresses for up to three years before they are deleted, in order to verify that consent was provided previously. The processing of this data will be restricted to the possible defence against claims. Single requests for deletion can be made at any time, as long as the previous consent is confirmed at the same time. In the event of obligations for the permanent compliance with objections, we reserve the right to store the e-mail in a restricted list solely for this purpose. The registration procedure is logged on the basis of our justified interests for the purpose of verifying an orderly process. Where we engage a service provider with the delivery of e-mails, we do so on the basis of our justified interests in an efficient and secure delivery system. Our newsletters are sent out on the basis of the recipients’ consent, or, if consent is not required, on the basis of our justified interests in direct marketing, insofar and to the extent that this is legally permitted. Where we engage a service provider with the delivery of e-mails, we do so on the basis of our justified interests. The registration process is documented on the basis of our justified interests, in order to verify that the process was completed in accordance with the law.
The contents of our newsletters are comprised of information about us, our services, campaigns and offers. The newsletters include a so-called “web beacon”, which is a file the size of a pixel, which is retrieved by the server of our delivery service provider when the newsletter is opened. Technical information, such as information about the browser and your system, along with your IP address and the time of access, is initially collected in the context of this retrieval. This information is used for the technical improvement of our newsletter using the technical data or the target groups and their reading behaviour on the basis of their access locations or access times. This analysis also includes a determination of whether the newsletters are opened, when they are opened and which links are clicked. While this information can be assigned to individual newsletter recipients for technical reasons, it is not our intention, nor that of the delivery service provider, to monitor individual users. Rather, we use the analyses to identify the reading habits of our users and to adjust our contents accordingly, or to send different contents according to the interests of our users. Subject to the user’s explicit consent, the newsletter analysis and the success measurement are performed on the basis of our justified interests in a user-friendly and secure newsletter system, which serves not just our business interests but also corresponds to the users’ expectations. Unfortunately, the success measurement cannot be withdrawn separately, as the entire newsletter subscription must be terminated in that case.
We also use the newsletter service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA, for this purpose. The General Terms and Conditions and the data privacy information for HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
The web analysis (also: “reach measurement”) is used to analyse the visitor streams for our services and may comprise behaviour, interests or demographic information about visitors as pseudonym values. Using the reach analysis, we can detect, for example, at which time our on-line product or its functions or contents are used the most. Similarly, we can also see which areas need to be optimised. In addition to the web analysis, we can also use test procedures for testing and optimising e.g. various versions of our on-line product or its components. For this purpose, we may create so-called user profiles and store them in a file (“cookie”), or we may use similar methods with the same purpose. This information may include contents viewed, web pages visited and the elements used in the same, as well as technical information such as the browser, computer system and usage information. Where users have consented to the collection of their location data, such data can also be processed depending on the provider.
User IP addresses are also stored. However, we use an IP Masking process (pseudonyms by shortening the IP address) to protect the users. Generally, in the context of web analyses, A/B testing and optimisation, we do not store users’ clear data (e.g. e-mail addresses or names), only pseudonyms. That means that we, as the provider of the software, do not know the actual identity of the users, only the information that is stored in their profiles for the purpose of the respective procedure.
We use Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for this purpose. The General Terms and Conditions and the data privacy information of this service can be found at https://optimize.google.com; https://policies.google.com/privacy; https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active; a corresponding opt-out for the opt-out plug-in can be found at https://tools.google.com/dlpage/gaoptout?hl=de and at https://adssettings.google.com/authenticated for the settings for displaying advertising content.
We maintain an on-line presence in social networks and in this context process the data of users in order to communicate with active users or to provide information about ourselves. Please note that user data may also be processed outside of the territory of the European Union for this purpose. Moreover, the data of users in social networks is normally processed for market research and advertising purposes. For example, usage profiles can be created on the basis of user behaviour and the resulting interests of users. In turn, the usage profiles can be used to e.g. push advertisements inside and outside of the networks, which probably correspond to the user’s interests. For this purpose, cookies are normally saved on the users’ computers, which store the users’ usage behaviour and interests. Moreover, the usage profiles can also contain data independent of the devices used by the users, if they are members of the respective platforms and log into these platforms with different devices. For a detailed presentation of the relevant processing forms and the opt-out options, we refer to the data privacy statements and the information of the respective network operators.
We use the following third-party providers for this purpose:
We use the services, platforms and software of other parties for the organisation, administration, planning and provision of our services. When selecting the third-party providers and their services, we observe the legal requirements. In this context, personal data may be processed and stored on the servers of the third-party providers. This may affect a variety of data that we process in accordance with this Data Privacy Statement. In particular, this data may include the basic data and contact data of users, data about events, contracts, other processes and their contents. Where users, in the context of communication activities, business or other dealings with us, are referred to the third-party providers or their software/platforms, these providers may process usage data and meta data for security purposes, to optimise services or for marketing purposes. Therefore we expressly ask that you observe the data privacy information of the respective third-party providers.
Where we ask users to consent to the use of third-party providers, the consent forms the legal basis for processing the data. Additionally, their use may be a part of our (pre)contractual services, if the use of the third-party providers was agreed in this context. Otherwise, the data of the users is processed on the basis of our justified interests.
We use the following service providers for this purpose:
The data processed by us will be deleted in accordance with the legal requirements as soon as the consent for processing this data has been withdrawn or other permissions do not apply (e.g. loss of purpose for processing this data or the requirement to do so no longer exists). If the data is not deleted because it is required for other and legally permissible purposes, the processing of this data will be restricted to these purposes. This applies in the same way for data that must be stored for reasons pertaining to commercial or tax law, or which must be stored in order to assert, exercise or defend against legal claims or to protect the rights of another natural person or legal entity. Detailed information can be found in the respective sections of this Data Privacy Statement.
You have the right:
Insofar as your personal data is processed on the basis of justified interests pursuant to Art. 6 para. 1 sent. 1 f GDPR, you have the right, pursuant to Art. 21 GDPR, to object to the processing of your personal data if there are reasons for your action that arise from your special situation. To exercise your right of withdrawal, all you have to do is write an e-mail to email@example.com.
The further development of our website and offerings, or changes to statutory or official requirements may make it necessary to amend this Data Privacy Statement. We will inform you as soon as these changes require an action on your part (e.g. consent) or another type of individual notification. You can retrieve and print out the current Data Privacy Statement from the website at any time.