Last update: October 2021
With the following data protection declaration, we would like to inform you of the types of your personal data we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our service and on our websites, in mobile applications and within external online presences, such as our social media profile. The provisions of our data protection declaration listed here apply without restriction to all CI-HUB GmbH internet offers referenced here by word and internet link.
2. Our full contact details in accordance with the European GDPR can be found at the end of this Privacy Statement.
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed according to consent and purpose of use
Categories of data subjects
Purposes of processing
Applicable legal basis
In the following, we share the legal bases of the General Data Protection Regulation (GDPR) based on which we process personal data.
In addition to the regulations of the GDPR, the national data protection regulations in your or our country of residence and domicile apply. In the Federal Republic of Germany, this is the Federal Data Protection Act (BDSG). If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in the data protection declaration.
4. Data security
We secure our service in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, by means of appropriate technical and organizational measures that ensure a level of protection for personal data appropriate to the risk.
During your visit to the website, we use the widespread SSL (Secure Sockets Layer) procedure in conjunction with the highest encryption level supported by your browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the key or lock symbol being shown closed in the lower status bar of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
5. Transfer and disclosure of personal data
During our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of additional services and content that are integrated into our service. In this case, we observe the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
Data transfer within the organization
Furthermore, we may transfer personal data to other companies within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and operational interests or is done if it is necessary to fulfill our contract-related obligations or if there is a consent of the data subjects or a legal permission.
6. Data processing in third countries
We try to avoid it, but insofar as we need to process data in a third country (outside the European Union, the European Economic Area) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this is only done in accordance with the legal requirements.
7. Cookie statement
Cookies are files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after his visit within an online offer. Stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. We further include in the term cookies other technologies that perform the same functions as cookies, such as user IDs.
The following cookie types and functions are distinguished:
Unless we provide you with explicit information about the storage period of permanent cookies, please assume that the storage period can be up to two years.
We process data of our contractual, business partners and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually to respond to inquiries). We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization. Within the framework of the applicable law, we only pass on the data of the contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). You will be informed about further forms of processing below in this declaration. We inform the contractual partners in each case which data is required for the aforementioned purposes before or as part of the data collection.
We delete the data after the expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes generally 10 years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.
If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.
9. Customer account/User account
Contractual partners can create an account within our online offer upon request (e.g. customer or user account). Customer accounts are not public, are protected, and cannot be indexed by search engines. Within the scope of registration and subsequent logins and uses of the customer account, we store the IP addresses of the customers along with the access times in order to prove the registration and to prevent any misuse of the customer account. If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to their retention being required for legal reasons. It is the responsibility of the customer to back up their data upon termination of the customer account.
10. Offering of software, platform, and services
We process the data of our users, registered users, and any interested parties (users) to be able to provide our contractual services to them as well as on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information necessary for the provision of services and billing as well as contact information to be able to hold any consultations.
11. Use of online platforms
We offer our services on online platforms operated by other service providers. In this context, the data protection notices of the respective platforms apply in addition to our data protection notices. This applies in particular regarding the reach measurement and interest-based marketing methods used on the platforms.
12. Payment service providers
In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers for this purpose in addition to banks and credit institutions.
The data processed by the payment service providers may include inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions necessary for contractual fulfillment. However, the data entered is only processed by the payment service providers and stored with them. We only receive information with confirmation or negative information of the payment, i.e., no personal information. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. This transmission is for the purpose of checking identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection notices of the payment service providers.
For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.
We currently use Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom, exclusively as another payment service provider. Data protection information and general terms and conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://paddle.com/privacy.
13. Providing the service and web hosting
To provide our Service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the Service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed as part of the provision of the hosting service may include all information relating to the users of our service, which is generated during use and communication. This regularly includes the IP address, which is necessary to provide the content of our services, and all entries made within our services or from websites, as well as the metadata packages for the use of our services.
We use the following third-party providers for this purpose:
14. Collection of access data and log files
We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
15. Registration, login, user, and user account
Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of fulfilling contractual obligations. The processed data includes the login information (name, password as well as an e-mail address). The data entered during registration is used for the purposes of using the user account and its purpose.
If users have terminated their user account, their data regarding the user account will be deleted, subject to any legal obligation to retain such data. It is the responsibility of users to back up their data upon termination prior to the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.
Within the scope of the use of our registration and login functions as well as the use of the user account, we or the third-party provider Okta Inc. store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to other third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.
We currently use Okta Inc., 301 Brannan Street, San Francisco, CA 94107, United States for registration, login, and user account management. The Privacy Notice and Terms and Conditions can be found at https://trust.okta.com/security and https://www.okta.com/privacy-policy/.
16. Contacting us
When contacting us (via contact form, email, telephone or via social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures. The response to contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.
We currently additionally use the third-party service of HubSpot Inc, 25 First Street, Cambridge, MA 02141, USA for communication. The terms and conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
17. Communication via Messenger
We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of the messengers, on encryption, on the use of the metadata of the communication and on your objection options.
You can also contact us by alternative means, e.g. via telephone or e-mail. Please use the contact options provided to you or the contact options provided within our service.
However, we additionally point out to our communication partners that although the messenger providers cannot view the content, they can learn that and when communication partners communicate with us as well as process technical information about the device used by the communication partners and, depending on the settings of their device, also location information (metadata).
If we ask communication partners for permission before communicating with them via Messenger, the legal basis of our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own initiative, for example, we use Messenger in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partners in communicating via Messenger. Furthermore, we would like to point out that we do not transmit the contact data provided to us to the messengers for the first time without your consent.
You can revoke any consent given at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e., e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume to have answered any information provided by the communication partners, if no reference back to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligations.
Finally, we would like to point out that for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case if, for example, contractual internals require special confidentiality or an answer via Messenger does not meet the formal requirements. In such cases, we refer you to our other communication channels.
We currently use the service of HubSpot Inc, 25 First Street, Cambridge, MA 02141, USA for communication via Messenger. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
We send newsletters, emails and other electronic notifications only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during a registration, they are decisive for the consent of the users. Apart from that, our newsletters contain information about our services and us. To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address in the newsletter, or further information, if this is necessary for the purposes of the newsletter.
Double opt-in procedure: The registration for our newsletter is generally carried out in a so-called double opt-in process. In this context, you will receive an e-mail after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with other e-mail addresses. The registrations for our newsletter are logged to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Likewise, the changes to your data stored with the shipping service provider are logged.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove consent formerly given. The processing of this data will be limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blocking list for this purpose alone. The logging of the registration process takes place based on our legitimate interests for the purpose of proving its proper course. Insofar as we commission a service provider to send e-mails, this is done based on our legitimate interests in an efficient and secure dispatch system. Our newsletters are sent based on the recipients’ consent or, if consent is not required, based on our legitimate interests in direct marketing, if and insofar as this is permitted by law. If we commission a service provider to send e-mails, this is done based on our legitimate interests. The registration process is recorded based on our legitimate interests to prove that it has been carried out in accordance with the law.
The content of our newsletter is information about us, our services, promotions and offers. The newsletters contain a so-called “web beacon”, a pixel-sized file that is retrieved from the server of our dispatch service provider when the newsletter is opened. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, are initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can indeed be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. Rather, the evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The evaluation of the newsletter and the measurement of success are carried out, subject to the express consent of the users, based on our legitimate interests for the purpose of using a user-friendly as well as secure newsletter system, which serves both our business interests and meets the expectations of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in that case, the entire newsletter subscription must be cancelled.
We use the newsletter service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA for this purpose. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy, api.hubspot.com, track.hubspot.com and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.
19. Website analysis and optimization
Web analytics (also referred to as “reach analysis”) is used to evaluate the flow of visitors to our service offering and may include behavior, interests or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online service or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization. In addition to web analysis, we may also use test procedures, for example, to test and optimize different versions of our online offering or its components. For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose may be used. This information may include, for example, content viewed, websites visited and elements used there, and technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.
The IP addresses of users are also stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
For this purpose, we use Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The general terms and conditions and data protection information for this service can be found at https://optimize.google.com; https://policies.google.com/privacy; https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. The corresponding opt-out option for the opt-out plug-in can be found at https://tools.google.com/dlpage/gaoptout?hl=de and for the settings for the display of advertising content at https://adssettings.google.com/authenticated.
20. Plug-Ins for Social Media
We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us. We point out that this may involve processing user data outside the area of the European Union. Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users if the users are members of the respective platforms and log in to them with different devices. For a detailed presentation of the respective forms of processing and the options to object (opt-out), please refer to the data protection statements, and information provided by the operators of the respective networks.
We use the following third-party providers for this purpose:
21. Design, organization, implementation and auxiliary tools
If we ask users for their consent to use the third-party providers, the legal basis for processing data is consent. Furthermore, their use may be a component of our (pre)contractual services if the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed based on our legitimate interests.
We use the following service providers for this purpose:
22. Erasure of personal data
23. Rights of the data subject
You have the right:
If your personal data is processed based on legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, for example, if there are grounds for doing so that arise from your situation. If you wish to exercise your right to object, an e-mail to email@example.com will suffice. The contact details of the controller are
Name and address of the data controller:
CI HUB GmbH
E-mail address: firstname.lastname@example.org
Phone: + 49 172 6900970
Webhosting Provider: IONOS by 1&1 Internet SE located in 56410 Montabaur, Germany
Contact data of the Data protection officer:
24. Topicality and change of this data protection statement