Status: July 05, 2018
- Name/Co.: byhead solutions UG (limited liability)
- Street No.: Falkenried 2
- Postal code, city, country: 20251 Hamburg, Germany
- Commercial Register/No.: District Court of Hamburg, HRB 131414
- Executive Director: Dr. Andrei Horbach
- Phone number: +494024861749
- E-Mail: firstname.lastname@example.org
Type of data processed:
- User data (e.g.: names, addresses).
- Contact data (e.g.: E-mail, phone numbers).
- Content-related data (e.g.: text entries, fodder, rations).
- Contract-related data (e.g.: object of a contract, contract duration, customer categories).
- Payment-related data
- Usage data (e.g.: websites visited, interest in contents, access times).
- Meta/communication data (e.g.: device information, IP addresses).
Processing of special categories of data (Art. 9 (1) GDPR):
- No special categories of data are processed.
Categories of data subjects affected by processing:
- Customers / interested parties / suppliers.
- Visitors to and users of the online offering.
Hereinafter, data subjects affected shall also be referred to collectively as “users”.
Purpose of the processing:
- Provision of online offerings, their contents and functions.
- Delivery of contractual services, customer service and support.
- Responding to contact requests and communicating with users.
- Marketing, advertising and market research.
- Security measures.
Table of contents:
- Relevant legal basis
- Security measures
- Cooperation with processors and third parties
- Transfers to a third country
- Rights of the data subjects
- Right of revocation
- Right to object
- Cookies and the right to object to direct marketing
- Erasure of data
- Provision of contract-related services
- Visibility of profiles and portions of contents
- Contacting us
- Saving access data and log files
- Cookies & media measurement
- Google Sign-In
- Use of mobile apps, use of Google Firebase
- Integration of services and third-party content
Relevant legal basis
- Subject to the provisions under Art. 13 GDPR, we hereby inform you of the legal basis underlying our data processing. Insofar as the legal basis is not detailed in the data privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 (1) a and Art. 7 GDPR; the legal basis for processing to perform our services and carry out contractual measures as well as to reply to queries is Art. 6 (1) b GDPR; the legal basis for processing to comply with legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to pursue our legitimate interests is Art. 6 (1) f GDPR. In cases where processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 (1) d GDPR.
Security measures
- Pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; these measures shall include, in particular, guaranteeing the confidentiality, integrity and availability of data by controlling physical access to the data, as well as controlling access, entry and sharing of this data, and securing its availability and removal. In addition, we have implemented processes that guarantee the safeguarding of the rights of persons affected, the deletion of data and a reaction to threats to data. Furthermore, we already take the protection of personal data into consideration at the development stage, i.e.: in our selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
- These security measures include, in particular, encrypted transmission of data between your browser and our server.
Cooperation with processors and third parties
- If we disclose or transfer data to other persons and companies (processors or third parties), or allow them access to this data, this is only done on the basis of a legal authorization. For example: if a transfer of data to third parties, such as a payment service provider, in accordance with Art. 6 (1) b GDPR, is required to fulfil a contractual agreement; if you have provided your consent; if there is a legal obligation to do so; or on the basis of our legitimate interests (e.g.: when using the services of a contractor, a web host, etc.).
- If we contract third parties to process data on the basis of a so-called “processing contract”, this shall be performed on the basis of Art. 28 GDPR.
Transfers to a third country
- If we process data in a third country (i.e.: outside of the European Union (EU) or the European Economic Area (EEA)) or if this is done through the contracting of services by third parties, or if data is disclosed or transferred to third parties, this only occurs if it is for the purposes of fulfilling our (pre)contractual commitments, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual authorization, we will only process or have data processed in a third country if the specific provisions pursuant to Art. 44 et seq. GDPR have been met. In other words, the processing is done, for example, on the basis of special guarantees, such as the officially approved establishment of one of the levels of data protection applicable in the EU (e.g.: for USA, through the “Privacy Shield”) or by complying with officially approved special contractual obligations (so-called “standard contractual clauses”).
Rights of the data subjects
- You have the right to obtain confirmation as to whether or not data concerning you are being processed, and to request information on this data, as well as additional information and a copy of the data pursuant to Art. 15 GDPR.
- Pursuant to Art. 16 GDPR, you have the right to request the completion of data concerning you or the rectification of inaccurate personal data concerning you.
- Pursuant to Art. 17 GDPR, you have the right to obtain the erasure of personal data concerning you without undue delay, or, pursuant to Art. 18 GDPR, the right to obtain restriction of processing of your data.
- You have the right to receive personal data concerning you and which you have provided to us, pursuant to Art. 20 GDPR, and to transmit those data to another controller.
- Furthermore, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of revocation
You have the right to withdraw your consent with future effect, in accordance with Art. 7 (3) GDPR.
Right to object
- You have the right to object to the future processing of your data pursuant to Art. 21 GDPR. This objection can be raised in particular against processing of data for direct marketing purposes.
Cookies and the right to object to direct marketing
Erasure of data
- In accordance with statutory requirements, data is kept for 6 years in accordance with Art. 257 (1) Commercial Code (trading books, inventory, opening balance sheets, year-end reports, business correspondence, accounting records, etc.) and for 10 years in accordance with Art. 147 (1) German Fiscal Code (accounts, records, status reports, accounting records, trade and business correspondence, documents needed for tax purposes, etc.).
Provision of contract-related services
- We process user data (e.g.: names, addresses and user contact information), contract-related data (e.g.: services that have been engaged in, names of contact persons, payment information) for the purposes of meeting our contractual obligations and services pursuant to Art. 6 (1) b GDPR. Those entries marked as mandatory on online forms are required in order to close a contract.
- Users can create a user account which allows them to view their settings or process their contents (such as components, rations, texts). Users are informed of which information is mandatory during the registration process. User accounts are not publicly accessible and cannot be indexed by search engines. If users cancel their account, the data pertaining to the user account is deleted, provided it does not have to be saved for accounting or taxation reasons as per Art. 6 (1) c GDPR. It is the responsibility of the user to save their data prior to the end of the contract when cancelling their account. We reserve the right to irrevocably delete all data saved over the duration of the contract.
- During registration and when logging in, as well as when our online services are being used, we save the IP address and the time of access of the respective user activity. We save this information on the basis of our legitimate interests and those of the user in order to protect the user from abuse and other unauthorized use. As a rule, this data is not transferred to third parties, unless required to pursue our claims or if there is a legal obligation to do so in accordance with Art. 6 (1) c GDPR.
- We process usage data (e.g.: which pages related to our online offering a user has visited, interest in our products) and content-related data (e.g.: entries in the contact form or the user profile) for advertising purposes within a user profile, i.e.: in order to display product information to a user based on services the user has already used.
- Deletion occurs once legal warranty obligations and similar obligations have ended. The necessity of storing this data is verified every three years; in cases where there is a legal obligation to store data, data is deleted on termination (end of the legal obligation to keep accounting-related data: 6 years; end of the legal obligation to keep taxation-related data: 10 years); information in a customer account is kept until it has been deleted.
- Backups are to be kept for as short a period as possible. However, with respect to the use of software, particularly newly developed software subject to constant upgrades, it may be necessary to retroactively eliminate inconsistencies and to thereby also protect the integrity of user data. It can therefore take up to 30 days to fully deactivate a user account and delete this data from the backup files following account cancellation. Data will continue to be saved beyond this period if required for billing purposes or to serve legitimate contractual interests, which override the data subject’s interests in deleting this data (e.g.: blocking an e-mail address if a user has been banned from the website) or due to regulatory provisions.
Visibility of profiles and portions of contents
- User profiles within our applications cannot be viewed by other users.
- However, users can choose to share their data contents (e.g.: information on the fodder rations in Dairy Ration) with other users or make this content public based on the options specified in the application.
- We inform the user that information that is shared with other users can be linked to the user. Links depend on the information that a user shares and provides, e.g.: if personal information or an e-mail address is included when sharing this data. In addition, we indicate that some information cannot be retracted, for example, if this is shared via other platforms or is acknowledged by a third party.
Contacting us
- When contacting us (using our contact form or via e-mail), user data is processed to process and handle the contact request, in accordance with Art. 6 (1) b GDPR.
- User data can be saved to our Customer Relationship Management System (CRM System) or a similar organization that fields inquiries.
- We delete the inquiries once they are no longer required. We verify the necessity every two years; we permanently save inquiries from customers having an account and refer to the data in the customer account for deletion purposes. If there is a legal obligation to retain data, data is deleted on termination (end of the legal obligation to keep accounting-related data: 6 years; end of the legal obligation to keep taxation-related data: 10 years).
Saving access data and log files
- On the basis of our legitimate interests, pursuant to Art. 6 (1) f GDPR, we save data each time the server on which this service is located is accessed (so-called server log files). This access data includes the name of the website accessed, the file, date and time it was accessed, the amount of data transferred, notifications regarding a successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited site), IP address and the provider through which it was accessed.
- For security reasons (e.g.: to resolve abuse or fraud), log file information is saved for a maximum of seven days, after which it is deleted. Data that must be saved longer for evidentiary purposes are exempt from deletion and are saved until the respective incident has been resolved.
Cookies & media measurement
- Cookies contain information that is transferred from our web server or third-party web servers to the users’ web browser, where they are saved for future access. Cookies are small files or other packets of data.
- We use “session cookies”, which are only saved while a user is accessing our online presence (e.g.: to save your login status or to make it possible to use the shopping cart function, thereby making it possible to use our online offering). A unique, randomly generated identification number is saved to a session cookie, a so-called session ID. A cookie also contains information about its source and the storage period. These cookies cannot save any other data. Session cookies are deleted when you have finished using our online offering and you have, for example, logged out.
- If users do not want to have cookies saved to their device, they will be asked to deactivate the respective option in their browser settings. Saved cookies can be deleted by changing browser settings. Excluding cookies can limit the functionality of this online offering.
- As a part of our online offerings, on the basis of our legitimate interests, we use the Facebook-Connect service offered by the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are a resident of the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The legal basis is Art. 6 (1) f GDPR.
Facebook is certified under the Privacy Shield Framework and hereby guarantees compliance with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
The user can use Facebook-Connect to register for our service. To register, the user is transferred to the Facebook page, where s/he can register using her/his Facebook access data. This links the user’s Facebook profile to our service. This transfers the public data from the user’s Facebook profile and the user’s e-mail address to us. Of this data, we only use the name, e-mail address and the user’s Facebook ID. This information is required to close the contract, in order to be able to identify the user. When you register for our service using Facebook-Connect, you agree to having this data transferred to us. Every time someone registers via Facebook, we inform Facebook that this user is using our service. The user can delete the link from our service to Facebook via https://www.facebook.com/settings?tab=applications.
- For more information on Facebook-Connect and Facebook’s privacy settings, please access Facebook Inc.’s data policy (https://www.facebook.com/about/privacy) and their terms of service (https://www.facebook.com/legal/terms).
Google Sign-In
As a part of our online offerings, on the basis of our legitimate interests, we use the Google Sign-In service offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The legal basis is Art. 6 (1) f GDPR.
Google is certified under the Privacy Shield Framework and hereby guarantees compliance with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
The user can use Google Sign-In to register for our service. To register, the user is transferred to the Google page, where s/he can register using her/his Google access data. This links the user’s Google profile to our service. This transfers the public data from the user’s Google profile and the user’s e-mail address and profile URL to us. Of this data, we only use the name, e-mail address and the user’s Google ID. This information is required to close the contract, in order to be able to identify the user. When you register for our service using Google Sign-In, you agree to having this data transferred to us. Every time someone registers via Google Sign-In, we inform Google that this user is using our service. The user can delete the link from our service to Google via https://myaccount.google.com/permissions.
Use of mobile apps, use of Google Firebase
If you install our mobile apps through the iTunes store or Google Play, some of your data will be transferred to the store operators: User name, e-mail address, download time, individual device identifiers. We have no influence over the saving of this data and cannot be held liable. We use this data to install the app on your device.
Our apps use the Google Firebase platform under Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to save and manage data, prepare contents, and for the purposes of user account management.
Google is certified under the Privacy Shield Framework and hereby guarantees compliance with European privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
You can opt out of the use of Firebase Analytics through your app settings.
- We would like to inform you of the contents of our newsletter as well as the registration, shipping and statistical analysis process, as well as your right to object. By subscribing to our newsletter, you declare that you are in agreement with receiving the newsletter and the processes described below.
- Newsletter contents: We only send out newsletters, e-mails and other electronic notifications containing marketing material (hereinafter referred to as “newsletter”) on consent of the recipient or on the basis of legal authorization. Provided the contents of a newsletter are clearly defined when registering for a newsletter, these are relevant to the user’s consent. In addition, our newsletters contain information on our products, offerings, campaigns and our company.
- Double Opt-In and recording of data: Registering for our newsletter is done via a so-called double opt-in process. In other words, after you register, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary, to ensure that nobody with an unknown e-mail address can register. Newsletter registrations are recorded, in order to be able to prove the registration process in accordance with the statutory provisions. This includes saving the registration and confirmation time, as well as the IP address. Any changes you make to data saved with the e-mail marketing provider are also recorded.
- Furthermore, the delivery service provider can, for its own information purposes, use this data in pseudonymized format, i.e.: without associating it to a user, to optimize or improve its own services, e.g.: to technically improve the sending and display of the newsletter or for statistical purposes, in order to determine what countries the recipients come from. However, the delivery service provider does not use the information of our newsletter recipients to address them directly or to transmit this information to third parties.
- Registration data: To register for the newsletter, you only have to provide us with your e-mail address. We ask that you provide your name so that we can personally address you in the newsletter; however, this is optional.
- Performance assessment - The newsletter contains a so-called “web beacon”, which is a one-pixel file that is accessed by the delivery service provider’s server when the newsletter is opened. When this file is first accessed, technical information, such as information about the browser and your system, as well as your IP address and the access time, is saved. This information is used to technically improve the services using the technical data or the target groups and their reading behavior based on their access location (determined using the IP address) or the access times. The statistical query also includes determining whether the newsletters were opened, when they were opened and which links were clicked. For technical reasons, this information may be assigned to the individual newsletter recipients; however, it is neither our objective nor that of the delivery service provider to observe individual users. Rather, the evaluations allow us to determine our readers’ reading habits and to adapt our contents to them or to send them different contents based on our users’ interests.
- The sending of the newsletter and the performance assessment is carried out on the basis of the recipient’s consent, in accordance with Art. 6 (1) a, Art. 7 GDPR in conjunction with § 7 (2) 3 German Act on Unfair Competition or on the basis of the legal authorization in accordance with § 7 (3) German Act on Unfair Competition.
- The recording of the registration process is done on the basis of our legitimate interests in accordance with Art. 6 (1) f GDPR and serves as evidence of the consent to receive the newsletter.
- Termination/Revocation - You can unsubscribe from our newsletter at any time; in other words, you can revoke your consent. There is an unsubscribe link at the end of every newsletter. If users register for the newsletter and unsubscribe from it, their personal data will be deleted.
Integration of services and third-party content
- Within our online offering, on the basis of our legitimate interests (i.e.: our interests in the analysis, optimization and profitable operation of our online offering pursuant to Art. 6 (1) f GDPR) we make use of third-party content or service offerings, in order to integrate their contents and services, such as videos or fonts (hereinafter collectively referred to as “contents”). This always presumes that the third-party providers of this content perceive the users’ IP addresses, since, without the IP address, they would not be able to send the content to the user’s browser. The IP address is thereby required to display content. We strive to only use content whose respective providers exclusively use IP addresses for delivering content. In addition, third-party providers can use so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. The pixel tags can be used to evaluate information such as user traffic to the pages on these websites. Furthermore, pseudonymized information can be saved to cookies on the user’s device and contain technical information such as the browser and the operating system, linked websites, access time and other information on the use of our online offering, and also link to information such as this from other sources.
The following graphic is an overview of the third-party providers as well as their contents, in addition to links to their privacy policies, which contain further information on how they process data and, as already mentioned here, their opt-out settings:
- If our customers use third party payment providers (e.g.: PayPal or Sofort), the terms and conditions and data protection policies of the respective provider apply, which can be accessed on their respective website or transaction applications.