Privacy Policy
Last updated: November 6, 2024
Table of Contents
- Data Controller
- Overview of Processing Activities
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- General Information on Data Retention and Deletion
- Data Subject Rights
- Provision of Online Services and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Plug-ins and Embedded Features and Content
Data Controller
Authorized Representative: Stephan Keller
Email Address: stephan.keller@keysquare.de
Overview of Processing Activities
The following overview summarizes the types of data processed, their purposes, and the data subjects involved.
Types of Data Processed
- Basic data.
- Location data.
- Contact data.
- Content data.
- Usage data.
- Meta, communication, and procedural data.
- Log data.
Categories of Data Subjects
- Communication partners.
- Users.
Purposes of Processing
- Communication.
- Organizational and administrative processes.
- Feedback.
- Provision of our online services and user-friendliness.
- IT infrastructure.
Relevant Legal Bases
Relevant Legal Bases under the GDPR: Below is an overview of the GDPR legal bases upon which we process personal data. Please note that in addition to the GDPR, national data protection regulations applicable in your or our place of residence may also apply. If specific legal bases are relevant in individual cases, we will inform you of them in this Privacy Policy.
- Consent (Art. 6 para. 1 p. 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh them.
National Data Protection Regulations in Germany: In addition to the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the German Federal Data Protection Act (BDSG). The BDSG includes specific regulations on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfers, and automated decision-making in individual cases, including profiling. Additionally, state data protection laws may apply.
Note on the GDPR and Swiss Data Protection Act Applicability: These data protection notices serve to provide information under both the Swiss Data Protection Act and the GDPR. Therefore, please note that the terms used in the GDPR are applied here due to their broader geographic applicability and clarity. However, the legal meaning of terms remains determined by the Swiss Data Protection Act where applicable.
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as varying likelihoods and severity of risks to the rights and freedoms of natural persons.
Measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to related input, transfer, availability, and separation. We also have procedures in place to protect data subject rights, delete data, and respond to data threats. Additionally, we consider data protection when developing or selecting hardware, software, and processes, following the principles of privacy by design and privacy by default.
Secure online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. SSL and TLS are pillars of secure data transmission on the internet. They encrypt the information transferred between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by HTTPS in the URL, signaling to users that their data is being transmitted securely and encrypted.
Transfer of Personal Data
In the course of processing personal data, it may be transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and conclude contracts or agreements with data recipients to protect your data.
Data transfers within the organization: We may transfer personal data to other departments or units within our organization, or allow them access to it. Where data is shared for administrative purposes, the sharing is based on our legitimate business and economic interests, or takes place where it is required to fulfill our contractual obligations or where the data subject’s consent or a legal permission is in place.
International Data Transfers
Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), European Economic Area (EEA)), or if processing occurs in the context of using third-party services or disclosing/transferring data to others, it only takes place in compliance with legal requirements. Where the level of data protection in the third country is recognized through an adequacy decision (Art. 45 GDPR), it serves as the basis for data transfer. Otherwise, data transfers only occur when the data protection level is otherwise secured, particularly through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in cases of contractual or legally required transmission (Art. 49 para. 1 GDPR). We also inform you of the grounds for third-country transfers with each third-country provider where adequacy decisions apply as primary grounds. Information on third-country transfers and adequacy decisions can be found via the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de. Under the “Data Privacy Framework” (DPF), the EU Commission also recognized the data protection level for certain U.S. companies in its adequacy decision on 07/10/2023. You can view the list of certified companies and more information on the DPF on the U.S. Department of Commerce’s website at https://www.dataprivacyframework.gov/ (in English). We inform you in our privacy notices which of the service providers we use are certified under the Data Privacy Framework.
General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is revoked or there are no further legal grounds for processing. This applies when the original processing purpose no longer applies or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require a longer retention or archiving of the data.
Data that must be retained for commercial or tax law reasons, or which must be stored for legal prosecution or to protect the rights of others, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data specifically for certain processing activities.
If multiple retention periods or deletion deadlines are specified for a datum, the longest period always applies.
If a period does not explicitly start on a specified date and is at least one year, it starts automatically at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships within which data is stored, the triggering event is the effective date of the termination or other end of the legal relationship.
Data no longer required for the original purpose, but retained due to legal requirements or other reasons, are processed exclusively for the purposes that justify their retention.
Additional notes on processing activities, procedures, and services:
- Data Retention and Deletion: The following general retention periods apply for storage and archiving under German law:
- 10 years – Retention period for books and records, financial statements, inventories, annual reports, opening balance sheets, as well as other documents required for their understanding, including booking receipts and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
- 6 years – Other business documents: received trade or business letters, copies of sent trade or business letters, other documents relevant for taxation, such as timesheets, operating accounting records, calculation records, price markings, as well as payroll records, unless they are already booking receipts and cash strips (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
- 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as associated inquiries, are retained for the regular statutory limitation period of three years (§§ 195, 199 BGB).
Data Subject Rights
Data Subject Rights under the GDPR: As a data subject, you have several rights under the GDPR, particularly those set out in Art. 15-21 GDPR:
- Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object to the processing of personal data concerning you for such marketing purposes at any time; this also applies to profiling to the extent that it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent at any time.
- Right of access: You have the right to request confirmation of whether data concerning you is being processed and to access that data, as well as other information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, under the law, to request the completion or correction of data concerning you.
- Right to erasure and restriction of processing: You have the right, under the law, to request the immediate deletion of data concerning you or alternatively to request restriction of data processing under legal requirements.
- Right to data portability: You have the right to receive data concerning you that you provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
- Right to lodge a complaint with a supervisory authority: You have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
Provision of Online Services and Web Hosting
We process user data to provide our online services. For this purpose, we process the user’s IP address, which is necessary to deliver the content and functions of our online services to the user’s browser or device.
- Types of Data Processed: Usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, types of devices used, operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, participants); Log data (e.g., log files related to logins, data retrieval, or access times). Content data (e.g., textual or visual messages and posts, including related information such as authorship or creation timestamp).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness. Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Retention and Deletion: Deletion in accordance with “General Information on Data Retention and Deletion.”
- Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Additional notes on processing activities, procedures, and services:
- Provision of Online Services on Rented Storage Space: To provide our online services, we use storage space, processing capacity, and software that we rent or otherwise procure from a corresponding server provider (also referred to as a “web host”); Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
- Email Dispatch and Hosting: The web hosting services we use include the dispatch, receipt, and storage of emails. For these purposes, recipient and sender addresses and other email-related information (e.g., involved providers) and email content are processed. These data may also be processed to detect SPAM. Please note that emails are generally not encrypted when sent on the internet. Although emails are typically encrypted during transit, they are not stored encrypted on the servers from which they are sent and received (unless end-to-end encryption is used). We therefore cannot accept responsibility for the transmission path of emails between the sender and their receipt on our server; Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Use of Cookies
Cookies are functions that store and retrieve information on user devices. Cookies can be used for various purposes, such as functionality, security, and convenience of online services, as well as traffic analysis. We use cookies in compliance with legal requirements. Where required, we obtain user consent in advance. Where consent is not necessary, we rely on our legitimate interests. This applies if storing and retrieving information is essential to provide expressly requested content and functions. This includes storing settings and ensuring functionality and security of our online services. Consent can be revoked at any time, and we provide clear information on the scope and type of cookies used.
Notes on Data Protection Legal Bases: Whether we process personal data using cookies depends on obtaining consent. Where consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests as outlined in this section and in the context of each specific service and procedure.
Storage Duration: Regarding storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
- Persistent cookies: Persistent cookies remain stored even after the user closes their device. For example, the login status can be saved, and preferred content displayed immediately when the user revisits a website. User data collected through cookies may also be used for reach measurement. Unless we specify a type and storage duration for cookies (e.g., in the context of obtaining consent), users should assume they are persistent and may last up to two years.
General Information on Revocation and Objection (Opt-out): Users can withdraw consent and object to processing as per legal requirements, also through their browser’s privacy settings.
- Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, participants).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR). Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
Additional notes on processing activities, procedures, and services:
- Processing of Cookie Data Based on Consent: We use a consent management solution to obtain user consent for the use of cookies or the procedures and providers mentioned in the consent management solution. This procedure allows for obtaining, recording, managing, and withdrawing consents, especially regarding the use of cookies and similar technologies used to store, retrieve, and process information on user devices. In this process, user consent for the use of cookies and related data processing, including specific processing and providers named in the consent management process, is obtained. Users can also manage and withdraw their consents. Consent declarations are stored to avoid re-requests and to provide proof of consent as required by law. Storage occurs server-side and/or in a cookie (known as an opt-in cookie) or through similar technologies to assign the consent to a specific user or device. If no specific information on consent management service providers is available, the following general notes apply: The consent storage duration is up to two years. A pseudonymous user identifier is created, which is stored together with the consent timestamp, the scope of the consent (e.g., affected categories of cookies and/or service providers), and information about the browser, system, and device used; Legal Bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) and in the context of existing user and business relationships, we process the information provided by the contacting persons to the extent necessary to respond to contact inquiries and any requested measures.
- Types of Data Processed: Basic data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, including information related to authorship or creation time); usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, device types, operating systems, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, participants).
- Data Subjects: Communication partners.
- Purposes of Processing: Communication; organizational and administrative processes; feedback (e.g., collecting feedback via online forms). Provision of our online offering and user-friendliness.
- Retention and Deletion: Deletion in accordance with “General Information on Data Retention and Deletion.”
- Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Additional notes on processing activities, procedures, and services:
- Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to respond to and handle the respective request. This typically includes information such as name, contact details, and any other information necessary for appropriate handling. We use this data solely for the stated purpose of contact and communication; Legal Bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Plug-ins and Embedded Features and Content
We integrate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as “third parties”). These may include graphics, videos, or maps (hereinafter collectively referred to as “content”).
Embedding content always requires that the third-party providers of such content process the user’s IP address, as they cannot transmit the content to their browser without the IP address. The IP address is therefore necessary to display this content or function. We strive to use only content whose providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to evaluate information about visitor traffic on this website. The pseudonymous information may also be stored in cookies on the user’s device and contain technical details about the browser and operating system, referring websites, visiting time, and other details about using our online offering, as well as be combined with similar information from other sources.
Notes on Legal Bases: Where we ask users for their consent for the use of third-party services, the legal basis for data processing is user consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). We also refer you to the information on the use of cookies in this Privacy Policy.
- Types of Data Processed: Usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, device types, operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, participants). Location data (information on the geographical position of a device or person).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness.
- Retention and Deletion: Deletion in accordance with “General Information on Data Retention and Deletion.” Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Legal Bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Additional notes on processing activities, procedures, and services:
- Inclusion of Third-Party Software, Scripts, or Frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., function libraries used for the presentation or user-friendliness of our online offering). The respective providers collect users’ IP addresses and may process them for the purpose of transmitting the software to the users’ browser, as well as for security, evaluation, and optimization purposes; Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
- Google Fonts (retrieved from Google Server): Retrieval of fonts (and icons) for technically secure, maintenance-free, and efficient use of fonts and icons with respect to currency and loading times, their uniform presentation, and compliance with any licensing restrictions. The font provider is informed of the user’s IP address to provide the fonts in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts depending on the device and technical environment used. These data may be processed on a server of the font provider in the USA. When users visit our online offering, their browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by each user to access the internet, (2) the requested URL on the Google server, and (3) HTTP headers, including the user-agent, which describes the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the web page where the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, nor are they analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user-agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. These data are logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user-agent must adjust the font generated for each browser type. The user-agent is primarily logged and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts “Analytics” page. Finally, the referrer URL is logged so that the data can be used for production maintenance and to generate an aggregated report on the top integrations based on the number of font requests. According to Google, none of the information collected by Google Fonts is used to create user profiles or target ads at end users; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for Third-Country Transfers: Data Privacy Framework (DPF). Further Information: https://developers.google.com/fonts/faq/privacy?hl=de.
- Google Maps: We integrate the maps of the “Google Maps” service provided by Google. The processed data may include, in particular, the IP addresses and location data of users; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for Third-Country Transfers: Data Privacy Framework (DPF).
Contact Us
keySquare Network UG & Co. KG
Wichertstraße 16/17
10439 Berlin
Germany
info@keysquare.de