1. Who is responsible for the processing of my data?
The person responsible within the meaning of the GDPR and other national data protection laws of the EU member states as well as other data protection regulations is: aklamio GmbH, Hauptstraße 27-29, Haus 9 (Neubau), Aufgang N, 10827 Berlin, Germany. Phone: +44 (0) 2080 689 760. E-mail: firstname.lastname@example.org
2. Contact Details of our Data Protection Officer
You can reach our data protection officer at the following contact details: PROLIANCE GmbH, datenschutzexperte.de, Leopoldstr. 21, 80802 München, Germany. E-mail: email@example.com
3. General Information on Data Processing
3.1. Scope of the processing and its legal basis
Please note that use of our Platforms is not intended for or directed at persons under the age of 18. We do not knowingly collect personal information from anyone under the age of 18. We collect and use personal data only to the extent necessary to provide our Platforms and Services and to ensure their functionality. If the processing of personal data is necessary and such processing is not permitted by a legal basis, we generally obtain the consent of the data subject. Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis. If the processing of personal data is required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
3.2. Storage and Deletion of Data
We process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or insofar as this has been provided for by the European legislator of directives and regulations or another legislator in laws or regulations to which the controller is subject. If the storage purpose ceases to apply or if a storage period prescribed by the European legislator of directives and regulations or another competent legislator expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions.
3.3. Recipients of the Data
In principle, we only process personal data within our company. If and to the extent that we make use of the Services of third parties to provide our Services, we will only transfer personal data to such third parties to the extent that the transfer is necessary for the corresponding service and to the extent that a legal basis exists for the transfer. In the event that we outsource certain parts of data processing (so-called “data processing”), we contractually oblige contractors to process personal data only in accordance with the requirements of the GDPR and the applicable national data protection laws and to protect the rights of third parties. Information on existing data processing relationships is summarized in Section 6 for the sake of clarity.
4. Data Processing Activities in Detail
In the following we will inform you about the various ways in which personal data is processed, its purpose and legal basis, and how long it is stored.
4.1. Data Processing in Connection with General Use of our Services
4.1.1. General Access to Our Platforms
We routinely collect a range of general data and information each time our Platforms are accessed. This data is stored in the so-called log files of our system. We may record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our Platforms (so-called referrer), (4) the subpages which are accessed via an accessing system on our website, (5) the date and time of access to the Website, (6) the Internet Protocol address (IP address) and the Internet service provider of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems. For security purposes, in particular to trace the attack in the event of attacks on our Platforms, we store this data including the IP address for a period of seven days and then make the IP addresses anonymous or delete the data. The IP address is required to set up and maintain the connection so that the contents of our Platforms can be delivered to you. The legal basis for the processing and subsequent storage of the IP address is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest with regard to the transmission of the IP address lies in the fact that this is necessary for the display of the contents of the respective Platform; a display of the website is not possible without the transmission of the IP address. The legitimate interest in limited storage is our security interest. When using this general data and information we do not draw any conclusions about you as a person.
Rather, this information is required to (1) correctly deliver the contents of our Platforms, (2) optimize the contents of our Platforms and the advertising for them, (3) ensure the permanent functionality of our information technology systems and the technology of our Platforms, and (4) provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber attack. This anonymously collected data and information is therefore evaluated by Aklamio both statistically and with the aim of increasing data protection and data security in our company in order ultimately to ensure an optimal level of protection for the personal data processed by us. The anonymous data of the log files are stored separately from all personal data provided by a person concerned. The data will not be passed on to third parties.
4.1.2. Data Processing in Connection with Support Services
Help buttons are provided on our Platforms, which can be used by our users for electronic contact for information and support purposes. By clicking the “Send” button you consent to the transmission of the data entered in the input mask to us. In addition, we save the date and time of your contact. Alternatively, you can contact us via the e-mail address provided. In this case, the personal data transmitted with the e-mail and our response will be stored. The personal data voluntarily transmitted to us in this context serve us for the processing of your inquiry and the establishment of contact with you. The legal basis for the transmission of data is Art. 6 para. 1 lit. a GDPR. We store the data for this purpose until the conversation with you is finished. The conversation is terminated when the circumstances indicate that the facts in question have been finally clarified and that there will be no further questions, especially in the future.
We use so-called cookies and similar technologies on our Platforms. For the sake of clarity, the relevant information is summarized in Section 5.
4.2. Data Processing in Connection with the Use of our Services
Aklamio offers you various Services with the aim of sharing the added value for our partners created by your recommendations and purchases. If you wish to use our Services, you must register with Aklamio and create an Aklamio account under which we process personal data. In this section we inform you about the purposes, the respective legal basis and the storage period of these processes.
4.2.1. Aklamio Account
- you can make use of our Services, in particular make recommendations and have cash back processed via our Platforms;
- you can get a detailed overview of the status of your bonuses and your account balance;
- you can arrange for bonuses to be paid out;
- you can create a profile with further input options. It is also possible to upload a photo. The purpose is to make our Services more user-friendly and to improve the user experience; and
- you can manage the email newsletter function and other notification options.
4.2.2. Registration or Log-In via Facebook, Google or PayPal Account
Alternatively, you can register with Aklamio using one of your existing accounts with the following third parties and, if you are already registered, log in at a later time:
- Google Account (“Google Sign-In”). When you register with Aklamio using the Google Sign-In button, we will have access to your Google email address, the name you provided when you created your Google account, and a profile picture, if applicable.
- PayPal account. If you have a PayPal account, you can alternatively register with Aklamio via your PayPal account. In this case, we will have access to your name and email address used to create your PayPal account.
The data transmitted to us by the respective provider will be processed by us in order to create or update an Aklamio account for you and to make it available to you in accordance with Section 4.2.1. Since we use the data to create an Aklamio account, the legal basis for processing is the contract for an Aklamio account pursuant to Art. 6 para. 1 lit. b GDPR, as described under 4.2.1. Your personal data will be stored with us for the purposes and duration described in Section 4.2.1.
4.2.3. Newsletters and Similar Messages
You can register to receive newsletters by confirming your account or by clicking on “E-Mail Settings” in your account. In this case we will use your e-mail address to send you our regular newsletter in which we will inform you about interesting topics. The legal basis is your consent according to Art. 6 para. 1 lit. a GDPR. In connection with your newsletter registration, we also store your IP address and the date and time of registration so that we can trace and prove the registration at a later point in time. The legal basis for this storage is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, whereby the legitimate interest is the possibility of proof of registration. We store your email address to send you newsletters until you unsubscribe from the newsletter service or until we stop sending you the newsletter. We also send you information by email about our Services and campaigns that are similar to those you have already used. The legal basis is a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR, namely the pursuit of our business interests. You can stop receiving newsletters or other messages from us at any time by using the appropriate settings in the notification options in your Aklamio account or by using the corresponding opt-out link contained in each email from us.
4.2.4. Objection against Receiving Commercials
You can object to receiving advertising at any time. If we receive an objection from you to the use of your data for advertising purposes, we can include your personal contact data (name, e-mail address, address, telephone number, fax number if applicable) in a blacklist, with the help of which we ensure that we no longer send you unwanted advertising. The legal basis is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. This is to make sure that we can fulfill our obligations arising from your advertising objection. The data will be stored for this purpose until you expressly revoke the advertising objection in writing.
4.2.5. Use of our Referral and Cashback Services
If you make use of our referral or cashback Services, i.e. use our Platforms to make recommendations for Aklamio or for products or online shops of our partner companies or to place orders yourself there in order to receive rewards or cashback, we automatically process various data that is required to collect and process the rewards or cashback. If you would like to make a recommendation, we will provide you with a personal recommendation link for this purpose, which contains a unique, pseudonymised user ID. The pseudonymous user ID is transmitted to us as soon as a friend or other recipient of the recommendation (hereinafter also referred to as “Referred Friend”) follows your recommendation link and enables us to assign the activity of the Referred Friend, e.g. the execution of an order in the recommended shop, to your recommendation. This is necessary to be able to credit your account with any bonus or cashback you may have earned and to show you the history of your referrals in your Aklamio account. To personalize the recommendation, the user of the link will be shown your user name and, if applicable, your profile picture. If you do not wish this, you can opt out of posting your name and a photo when you create your profile or remove this information at a later date. If you use our Cashbar for our referral and cashback Services and have activated them, our Services are also available for you. The above information applies accordingly. The Cashbar will tell you whether a certain website you have visited contains offers eligible for rewards. The URL of this website must be transmitted to us when displaying the Cashbar for technical reasons. Information about other websites is not collected by Cashbar. If the person you refer makes the purchase via a telephone hotline or the shop of one of our partner companies, he can be asked for your e-mail address in this connection.
This will be sent to us for the purpose of associating the bonus with your referral and crediting your Aklamio account as described above. The legal basis for the processing described above is in all cases Art. 6 para. 1 lit. b GDPR, as the data processing is necessary to fulfil your contract with us. The data is stored for the duration described in Section 4.2.1.
4.2.6. Payout of Rewards
4.2.7. Booking Requests
4.2.8. Processing of Data of Referred Friends and Customers of our Partner Companies
4.3. Processing of Data of Business Customers or their Employees
Our Services are also aimed at companies by making the potential of personal recommendations available to them and thereby generating corresponding added value. In connection with addressing new or existing customers and preparing and executing a contractual relationship, we therefore also process personal data of companies (in this respect, personal data only if the entrepreneur himself is a natural person) (hereinafter also referred to as “Customers”) or of employees of companies (hereinafter also referred to as “Customer Employees”). In the following we inform you about the purposes and the respective legal basis of the processing of data of Customers or Customer employees, the duration of the storage of the data as well as the data categories, as far as we do not collect the personal data directly from you as the person concerned. The data will be deleted as soon as they are no longer necessary to achieve the respective purpose. This is the case if there is no longer a contract with you and we no longer intend to enter into a contract with you, if there is no longer a legitimate interest and if we are also no longer obliged to keep documents which may contain personal data.
4.3.1. Data Processing for Contract Preparation and Execution Purposes
We process personal data for the purpose of contract initiation, contract administration and execution as well as support in the context of ongoing business relationships, so that we can provide our Customers with the contractual Services and can always guarantee an efficient and profitable use of our Services. If the contractual partner is a natural person, the legal basis is that the processing is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If we process personal data of employees of the contractual partner, the legal basis is a legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, namely the facilitation of our business activities and the promotion of the business activities of the Customer. There is no conflicting interest on the part of the respective data subject because processing by us within the framework of the existing employment relationship with the data subject is already necessary from the point of view of our Customer (New German Federal Data Protection Law (“BDSG-neu”)). For this purpose we store personal data for the duration of the contract. We store booking documents resulting from the business relationship for a period of ten years and business letters, i.e. any message relating to the preparation, execution or cancellation of a transaction, for a period of six years, the period beginning at the end of the calendar year in which the business letter was received or sent or the booking document was created. We thus fulfil our legal obligations to store data in accordance with § 257 Paragraph 1 No. 2 HGB and § 147 AO. The legal basis in this respect is Art. 6 para. 1 lit. c GDPR.
4.3.2. Aklamio Customer Interface
We set up a web interface (hereinafter referred to as “Customer Interface”) for our Customers, so that they can optimally use and manage the contractual Services. For this purpose, a personal access will be set up for the Customer or the Customer Employees acting as contact persons, which they can use by logging in with an e-mail address provided by the persons concerned and a freely chosen password. In connection with the use of the Customer Interface, we automatically process the log-in data of the Customer or the authorized Customer Employees in order to prevent misuse and to ensure and check the proper performance of the contractual Services at any time. Furthermore, we process data in the Customer Interface with regard to the respective contractually agreed or offered Services as well as the data concerning the consumption of these Services and their remuneration. If the Customer is a natural person, the legal basis for the processing is the fulfilment of a contract, Art. 6 para. 1 lit. b GDPR. Insofar as the processing concerns personal data of Customer Employees, the legal basis is a legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, namely the conduct of our business activity and that of the Customer. There is no conflicting interest on the part of the respective data subject because processing by us within the framework of the existing employment relationship with the data subject is already necessary from the point of view of our Customer (§ 26 BDSG-neu). For this purpose we store the data for the duration of our business relationship with the Customer.
4.3.3. Data Processing for Commercial Purposes
There is a contact form on our website which can be used by interested parties for the purpose of making electronic contact. By clicking the “Send” button you agree to the transmission of the data entered in the input mask to us. In addition, we store the date and time of your contact. Alternatively, you can contact us via the e-mail address provided. In this case, the personal data transmitted with the e-mail and our response will be stored. The personal data voluntarily transmitted to us in this context serves us to process your inquiry and to contact you. The legal basis for the transmission of data is Art. 6 para. 1 lit. a GDPR. We use the data for this purpose until the conversation with you is finished. We assume that the conversation will be terminated if the circumstances indicate that the request in question has been finally clarified. We process personal data of our customers as well as other entrepreneurs and companies not in a business relationship with us and, in this context, also of the employees there as contact persons for the purpose of direct advertising, if legally permissible. If we have not collected the contact data used for this purpose directly from the person concerned, we also take this data from public sources, such as the website of the respective company or profiles of the respective company or employees posted on social networks. The legal basis is a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 f GDPR. The legitimate interest lies in the processing for the purpose of direct advertising itself (see recital 47 GDPR). We store the data for this purpose for the duration of our interest in concluding a contract with the company concerned or until an objection has been declared. You can object to the processing of personal data concerning you for advertising purposes at any time. You can address your objection at any time to the contact data specified in Section 1. 
If the advertisement is contained in an e-mail, you can also use the opt-out link contained in it.
4.3.4. Data Processing for Advisory Purposes
We process the personal data of the customer or prospective customer or his employees received in connection with a business relationship or an inquiry of an interested party even after the end of the business relationship or if such a relationship does not come about for the purpose of being able to recommend suitable Services on the basis of the previous inquiries or business relationships to our customers or interested parties in the event of a renewed interest in our Services. The legal basis is a legitimate interest pursuant to Art. 6 para. 1 sentence 1 f GDPR, the performance of our business activities. In this respect, we store personal data for the duration in which we can expect that the respective customer would like to conclude a further or first contract with us in the future. This is not possible if the customer in question indicates that he will under no circumstances ever enter into a business relationship with us.
4.4. Data Processing for Statistical and Analytical Purposes
We also use the data collected from our registered users when using our Platforms for statistical analyses in order to make our Platforms more user-friendly and in particular to improve our Services. For this purpose, we use a pseudonymized user ID as well as non-personal, anonymous data that cannot be related to a person by itself or in combination with one another, e.g. in relation to the usage behavior on our Platforms or in relation to websites from which the person concerned has accessed our Platforms. For these purposes we also process the IP addresses of users in pseudonymised form. With this data alone, a reference to the person concerned can no longer be established. The anonymous or pseudonymised data will not be combined with personal data about the bearer of the pseudonym without separate express consent and will not be used to personally identify the user of our Platforms. With deletion of the Aklamio account of the affected user, the data processed for the aforementioned purposes will be made completely anonymous, since the pseudonymous user identification then no longer allows any reference to the affected person. The legal basis for these processing purposes is a legitimate interest pursuant to Art. 6 para. 1 sentence 1 f GDPR, namely the pursuit of our business purposes, the improvement of our offer and the optimisation of our service quality. No conflicting interest can be identified, as the data is already required for contractual performance and identification is no longer possible after the end of the contract.
4.5. Processing of Applicant Data
4.6. Facebook Pages
We run Facebook pages at https://www.facebook.com/aklamio, https://www.facebook.com/aklamiospain, https://www.facebook.com/aklamiouk and https://www.facebook.com/aklamioitalia. Facebook provides us with anonymous statistical data for these fan pages (so-called “Insights Data”), through which we can obtain information about how visitors to our Facebook pages interact with them. Insights Data may be based on personally identifiable information collected in connection with a visit to or interaction of individuals with our Facebook pages and their content. We are jointly responsible with Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”) for this processing of Insights Data within the meaning of Art. 26 GDPR and have entered into an agreement with Facebook Ireland to this effect. You can find it at https://www.facebook.com/legal/terms/page_controller_addendum. The legal basis for the operation of the Facebook pages and the use of the Insights Data is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, namely the interest in an up-to-date and supportive information and interaction opportunity for and with our users and visitors as well as a better understanding of the interests of the visitors of our Facebook pages in order to be able to better address such interests.
5. Cookies and Similar Technologies
5.1. Technical Cookies
On the one hand, we use technical cookies. These are cookies that are necessary exclusively to collect some information on our Platforms in order to provide a service requested or desired by you as a user. The legal basis for these cookies is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely the pursuit of our business purposes. As far as you as a user are affected by these technologies, the legal basis is also the fulfilment of your contract with us, Art. 6 para. 1 lit. b GDPR.
5.1.1. Custom Cookies
5.1.2. Affiliate Networks
As part of our recommendation and cashback Services, we also use the conversion tracking technologies of affiliate networks. Affiliate networks are advertising networks that mediate the placement of online advertising for the websites of online shop operators through sales partners (so-called affiliates) and measure the success of advertising. The affiliate networks provide the necessary technical infrastructure for this. If you as the recipient of a recommendation follow the recommendation link or – as a User – the cash back link to one of our partner online shops that is connected to an affiliate network, you will be directed to the relevant shop via the servers of the respective affiliate network. If you subsequently purchase a product or service, the order is recorded by a previously set cookie and a tag of the affiliate network. Only anonymous information about the visit of the respective shop and your order is collected, which is transferred to the servers of the respective affiliate network and stored there. Your IP address will also be made anonymous or deleted immediately. The information will not be used to create profiles and will not be merged with other existing personal data about you. They are transmitted to us for the purpose of being able to assign your order in the shop to the recommendation.
5.2. Other Third Party Cookies and Technologies
5.2.1. Google Analytics
For the purpose of the demand-oriented design and continuous optimization of our Platforms we use Google Analytics, a web analysis service of Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter also referred to as “Google”). In this context, cookies and tags are used to create pseudonymous user profiles. The cookie collects data about your use of the Platforms such as the browser type/version, the operating system used, the referrer URL (the previously visited page), the IP address of the accessing computer and the time of the server request and transfers it to a Google server in the USA and stores it there. The data is used to evaluate the use of our Platforms, to compile reports on the Platform activities and to provide further Services for the purpose of tailoring our offering to meet requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the company. Under no circumstances will your IP address be merged with other data from Google. We only use Google Analytics with IP anonymization enabled. This means that the IP address of Google users within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area will be reduced. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. You can prevent the collection of data collected by the cookie and related to your use of the Platforms and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en). 
Further information on Google’s use of data for advertising purposes, options for settings and objections can be found on Google’s websites: “Google’s use of data when using our partners’ websites or apps”, “Google’s use of data for advertising purposes”, “Manage information that Google uses to show you advertising” and “Determine which advertising Google shows you”. If and to the extent data is transferred to Google in the USA and thus to a country outside the EU or the EEA, this transfer is permissible according to Art. 46 GDPR, since Google and Aklamio have agreed to standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
5.2.2. Google Re-Captcha
We use the Google service reCAPTCHA for the purpose of distinguishing between input on our web pages by a human being and misuse by automated, machine processing. Via reCAPTCHA, the IP address and any other data required for the service are processed. For this purpose, your input can be transmitted to Google and analysed. Further information about reCAPTCHA can be found under the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html .
5.2.3. Remarketing and Conversion Tracking
5.2.3.1. General Information
On our Platforms, we use advertising technologies based on the use of previously visited pages of our Platforms or other websites. This enables us to target visitors to our Platforms with personalized, interest-based advertising. The sites on which we advertise include the Google Display Network, Facebook, LinkedIn and Xing social networks. To perform the analysis of website usage, which forms the basis for displaying interest-based advertising, we use tags that are integrated into the website. These tags are used to store or read a cookie from the advertising network on the user’s device. If you subsequently visit another website of the aforementioned networks, you will see advertisements that are most likely related to previously accessed areas of our Platforms. These cookies record which websites you have visited and which offers you have clicked, technical information about the browser and operating system, referring websites as well as the visit time. With the exception of the IP address, which is immediately anonymized, no data will be processed by which you can be personally identified. The data is processed pseudonymously within the framework of this technology, i.e. the relevant data is recorded cookie-related within pseudonymous user profiles; from the perspective of the respective provider, the data is not processed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. The information collected by the cookies about the visit of the websites is transferred to the servers of the providers of the respective advertising network and stored there. The information will not be merged with other existing personal data about you. We receive no knowledge of the content of the transmitted data and their use by the advertising networks. We can only select which segments of users (e.g. by age, interests) our advertising should be displayed. 
We use Google’s “Google Tag Manager” to integrate and manage the described tags in our Platforms. The legal basis for such processing is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely the pursuit of our business purposes, which also includes the targeted advertising of our Services. We also use the cookies and tags described above to statistically record the use of our Platforms and newsletters and to evaluate them for the purpose of optimising our Services for you. We collect certain activities, such as accessing or filling out the contact form on our website or opening our newsletter to determine whether an advertisement was successful (conversion tracking). Here, too, the legal basis for such processing is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely the pursuit of our business purposes. Some of the following providers are located in the USA. Insofar as data are therefore transmitted there, this transmission is permitted under Art. 46 GDPR, as Aklamio and each of these providers have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request). You can prevent the use of the cookies described here by using the objection options of the providers shown below. After the objection, an opt-out cookie is usually stored on your terminal. If you delete your cookies, you must set the opt-out cookie again. Further information on the processing and use of the data by the providers as well as the relevant rights and setting options for the protection of your privacy can be found in the respective data protection information of the providers.
Providers and Means of Objection
Newsletter Tracking
For statistical evaluation of our newsletter campaigns, our newsletter can contain tags with which we can recognize whether and when you have opened an e-mail. Furthermore, we can trace which links were called up in the e-mail. Your IP address will also be recorded. However, this is not stored. No other personal data is recorded either. The legal basis for this processing is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, whereby the legitimate interest is the evaluation and optimisation of our newsletter. You can opt out of receiving all types of newsletters at any time by using the settings provided in the notification options in your Aklamio account or the opt-out link in the respective emails.
5.3 Visual Website Optimizer (VWO)
Based on your consent, § 25 TTDSG, as well as our legitimate interests, Art. 6 para. 1 p.1 lit. f GDPR, we use the Visual Website Optimizer from Wingify Software Private Limited, KLJ Tower North Netaji Subhash Place, Pitam Pura Delhi, 110034 (“VWO”). We use VWO to test and optimize the usability of our website. VWO collects statistics on user behavior and processes personal data (IP addresses; visitor type (new or returning); geo-information such as country, city or region; device information; duration of the visit as well as user behavior) on servers in the USA. Cookies and pixel tags are used for significant test results. VWO stores user activities, device and browser information as well as a unique user ID (_vwo_uuid) in cookies, but anonymizes both the IP address and person-related content. We have entered into a data processing agreement with VWO including standard contractual clauses of the European Commission. VWO thus assures to process personal data exclusively in accordance with our instructions and to ensure the protection of the rights of the data subject.
6. Recipients and Use of Data Processors
We use the Services of the contractors listed in this section to provide our Services. The legal basis for the use of these contract processors is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest is in the pursuit of our business purposes, in particular the provision of the Services described in this data privacy declaration. Insofar as we also implement measures to protect the security of personal data stored by us with the involvement of data processors, such as Amazon Web Services, Inc., there is an additional legitimate interest in ensuring our technical and organisational measures in this regard. No conflicting interest is apparent, in particular because we have concluded a contract with the respective contractors in accordance with Art. 28 GDPR. The data is stored by these service providers for as long as storage is otherwise lawful for the purposes set out in this data privacy declaration, i.e. in particular for the execution of existing contracts, for analysis purposes, for communication or for advertising communication.
For the purpose of hosting our Platforms and back-up Services, we use the Services of Amazon WebServices, Inc, 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA by way of data processing, so that personal data stored on our Platforms is transferred to this processor. The data will be processed in the EU and the USA. As far as data are transmitted to the USA and thus to a state outside the EU or the EEA, this transmission is permissible according to Art. 46 GDPR, as Amazon WebServices Inc. and Aklamio have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
For support Services, we use the Services of Zendesk Inc, 1019 Market St., San Francisco CA 94103-1612, USA and aklamio Spain Services S.L., calle Orense, nº 6 10-A Madrid, 28020, Spain, on the basis of data processing relationships. These companies can receive personal data from us within the framework of the data processing relationship. The data is transmitted to Zendesk Inc. in the USA and thus to a country outside the EU or the EEA. This transmission is permitted under Art. 46 GDPR, as Zendesk Inc and Aklamio have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
6.3. E-Mail Service Providers
We use the services of the following service providers for sending e-mails on the basis of data processing relationships:
- Emarsys eMarketing Systems AG, Marchstrasse 1, 1150 Vienna, Austria
- Google LLC (“Google”), Amphitheatre Parkway, Mountain View, CA 94043, USA
The above-mentioned service providers can receive and process your personal data within the scope of the existing data processing with us. The data is transmitted to Google in the USA and thus to a country outside the EU or the EEA. This transmission is permitted under Art. 46 GDPR, as Google and Aklamio have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
6.4. Proxy Caching
We use the services of Amazon Web Services, Inc. for the purpose of proxy caching through data processing. “Proxy Caching” means a technology used in the interest of user-friendliness in which the content of websites, but not personal data, is cached by the proxy caching provider for approximately one hour so that this content can be delivered to visitors more quickly. Amazon Web Services, Inc. does not store any personal data in the context of proxy caching. However, some of the data flows are routed through Amazon Web Services servers, so that visitors are not connected directly to our servers, but first to those of Amazon Web Services; Amazon Web Services will then make a request to our servers and finally deliver the content to visitors. These data flows can therefore also include personal data. The data is transmitted to Amazon Web Services, Inc. in the USA and thus to a country outside the EU or the EEA. This transmission is permitted under Art. 46 GDPR, as Amazon Web Services, Inc. and Aklamio have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
6.5. Administration and Communication
For internal administration and communication purposes, we use the following contract processors, who can receive personal data within the scope of existing data processing with us:
- Slack Technologies Limited, 4th Floor, One Park Place, Hatch Street Upper, Dublin 2, Ireland
- Trello, Inc, One Exchange Plaza, 25th Floor, New York, NY 10006, USA
The data is transmitted to Trello Inc. in the USA and thus to a country outside the EU or the EEA. This transmission is permitted under Art. 46 GDPR, as Trello Inc and Aklamio have entered into standard contractual clauses within the meaning of Art. 46 GDPR (available from us upon your request).
6.6. Customer Management
We use the Services of Salesforce.com EMEA Limited, Floor 26 Salesforce Tower, 110 Bishopsgate, EC2N 4AY London, UK (hereinafter also referred to as “Salesforce”) on the basis of a data processing relationship for customer service and to improve the quality of service for our corporate customers. Salesforce may receive and process personal customer information under our existing data processing agreement. Salesforce provides several tools to analyze indexed content and draw conclusions.
6.7. User Experience Optimization
7. What are my Rights?
If personal data concerning you is processed, you are a “data subject” within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the person responsible:
7.1. Right to Information
You can ask us to confirm whether personal data concerning you is being processed by us. If such processing takes place, you can request the following information from us: (1) the purposes for which the personal data are processed; (2) the categories of personal data being processed; (3) the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed; (4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period; (5) the existence of a right to correction or deletion of personal data concerning you, a right to limitation of the processing by the controller or a right to object to such processing; (6) the existence of a right of appeal to a supervisory authority; (7) any available information on the origin of the data if the personal data are not collected from the data subject; (8) the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate guarantees according to Art. 46 GDPR in connection with the transmission. This right to information may be limited to the extent that it is likely to make it impossible or seriously impair the realisation of statistical purposes and the limitation is necessary for the fulfilment of statistical purposes.
7.2. Right to Correction
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay. Your right to correction may be limited to the extent that it is likely to render the statistical purposes impossible or seriously prejudicial and the limitation is necessary for the fulfilment of the statistical purposes.
7.3. Right to Limitation of Processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted: (1) if you dispute the accuracy of the personal data concerning you for a period of time that enables us to verify the accuracy of the personal data; (2) the processing is unlawful and you refuse to delete the personal data and instead demand the restriction of the use of the personal data; (3) we no longer need the personal data for the purposes of processing, but you do need them to assert, exercise or defend legal claims, or (4) if you have filed an objection against the processing pursuant to Art. 21 para. 1 GDPR and it is not yet clear whether our justified reasons outweigh your reasons. If the processing of personal data concerning you has been restricted, such data may only be processed – apart from being stored – with your consent or for the purpose of asserting, exercising or defending rights or for the protection of the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State. If the processing has been restricted according to the above-mentioned conditions, you will be informed by us before the restriction is lifted. Your right to restrict processing may be limited to the extent that it is likely to make it impossible or seriously prejudicial to the fulfilment of statistical purposes and the restriction is necessary for the fulfilment of statistical purposes.
7.4. Right to Cancellation
7.4.1. Duty to Delete
You may request that the personal data concerning you be deleted immediately and we are obliged to delete this data immediately if one of the following reasons applies: (1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed. (2) You revoke your consent, on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing. (3) You file an objection against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 para. 2 GDPR. (4) The personal data concerning you have been processed unlawfully. (5) The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject. (6) The personal data concerning you have been collected in relation to information society Services offered pursuant to Art. 8 para. 1 GDPR.
7.4.2. Information to Third Parties
If we have made the personal data concerning you public and we are obliged to delete it pursuant to Art. 17 para. 1 GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data, that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to cancellation does not exist insofar as the processing is necessary (1) to exercise freedom of expression and information; (2) for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller; (3) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or (5) to assert, exercise or defend legal claims.
7.5. Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person responsible without obstruction by us, provided that (1) processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and (2) processing is carried out by means of automated methods. In exercising this right, you also have the right to request that the personal data concerning you be transmitted directly by a responsible person to another responsible person, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on us.
7.6. Right of Objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. We will then no longer process the personal data concerning you, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing. If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes. You have the possibility to exercise your right of objection in connection with the use of Information Society Services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC. You also have the right to object to the processing of personal data concerning you for statistical purposes pursuant to Art. 89 para. 1 GDPR for reasons arising from your particular situation. Your right of objection may be limited to the extent that it is likely to make the realization of the statistical purposes impossible or seriously impaired and the limitation is necessary for the fulfillment of statistical purposes.
7.7. Right to Revoke Consent
You have the right to revoke your consent to data processing activities at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
7.8. Automated Decision in Individual Cases including Profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly affects you in a similar manner. This does not apply if the decision (1) is necessary for the conclusion or performance of a contract between you and the person responsible, (2) is admissible under the legislation of the Union or of the Member States to which the person responsible is subject and that legislation contains appropriate measures to safeguard your rights, freedoms and legitimate interests; or (3) is made with your express consent. However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests. With regard to the cases referred to in (1) and (3), we will take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the person responsible, to state your own position and to challenge the decision.
7.9. Right of Appeal to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the suspected infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
7.10. Is there an Obligation to Provide Personal Data?
If you create an Aklamio account (see point 4.2.1. above), you must provide certain data within the scope of the contract to be concluded with us. If you wish to withdraw any bonuses credited to your account, you must provide the required withdrawal details. If you make a booking request to our support team, you must provide the information necessary to track your order. Furthermore, the provision of personal data is neither required by law nor by contract, nor are you obliged to provide personal data. However, the provision of personal data for the use of our Services may also be necessary in individual cases. If you do not provide us with the data we consider necessary, we may not be able to provide our Services to you in full. If you as a corporate customer wish to use our Services (cf. above under Section 4.3.1), you must provide certain data within the framework of the user agreement to be concluded with us. We will then point these out in each case. Furthermore, the provision of personal data is neither required by law nor by contract, nor are you obliged to provide personal data. However, the provision of personal data for the use of our Services may also be necessary in individual cases. If you do not provide us with the information we deem necessary, we may not be able to provide the Services to you in full.
7.11. Amendment of the Data Privacy Declaration; Change of Purpose
We reserve the right to change this data privacy declaration in compliance with data privacy regulations. The current version can be found here or at any other easily accessible location on our website or Platform. If we intend to process data for purposes other than those for which it was collected, we will inform you in advance in compliance with the statutory provisions.