Data privacy
A. Introduction
The Company GmbH // including our subsidiaries (hereinafter collectively: „the company“, „we“ or „us“) takes the protection of your personal data seriously and would like to inform you about data protection in the company. Due to the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: „DSGVO“), additional obligations have been imposed on us to ensure the protection of personal data of the data subject (we also address you as data subject hereinafter with „user“, „you“, „you“, „customer“ or „data subject“).
Insofar as we decide either alone or jointly with others on the purpose and means of data processing, this includes above all the obligation to inform you about the nature, scope, purpose, duration and legal basis of the processing, cf. Art. 13 & Art. 14 of the Data Protection Regulation (DSGVO). With this privacy policy, we inform you about the way in which your personal data is processed by us.
B. Basic principles
1. Definitions
Pursuant to Art. 4 DS-GVO, this data protection declaration is based on the following definitions:
- "Personal data" according to Art. 4 No. 1 DS-GVO means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information regarding his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
- "Controller" according to Art. 4 No. 7 DS-GVO is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- "Processing" according to Art. 4 No. 2 DS-GVO means any operation which involves the handling of personal data, whether or not by automated means. This includes, in particular, the collection, recording, organisation, arrangement, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended purpose on which a data processing was originally based.
- "Processor" according to Art. 4 No. 8 DS-GVO is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller's instructions. In terms of data protection law, a processor is not a third party.
- “ Consent" pursuant to Article 4 No. 11 of the GDPR of the data subject means any freely given, specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
- "Third party" according to Art. 4 No. 10 GDPR is any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or processor; this also includes other group- affiliated legal entities
2. Amendment of the privacy statement
In the context of the further development of data protection law as well as technological or organisational changes, our data protection information is regularly checked for the need to adapt or supplement it. You will be informed of any changes.
3. No obligation to provide personal data
The conclusion of a contract is not made dependent on the provision of personal data. In principle, there is no legal or contractual obligation for you to provide us with your personal data. However, it may be that certain services can only be provided to a limited extent or not at all if you do not provide the necessary data. If this should be the case, you will be informed of this separately.
C. Information about the processing of your data
1. the collection of personal data concerning you
(1) When you use our app, personal data is collected about you.
(2) Personal data are all data relating to your person. Among other things, this includes your name, your location data, your IP address, the device identifier, the SIM card number, your address and e-mail address, your fingerprint, pictures, films, audio recordings, but also your user behaviour.
2. Legal basis for data processing
(1) Processing of personal data is legal if the data processing falls under one of the
following justifications:
- Art. 6 (1) p. 1 lit. a DS-GVO ("consent"): if the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative action that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
- Art. 6 para. 1 p. 1 lit. b DS-GVO: If the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;
- Art. 6 para. 1 sentence 1 lit. c DS-GVO: If the processing is necessary for compliance with a legal obligation to which the controller is subject.
- Art. 6 para. 1 p. 1 lit. d DS-GVO: If the processing is necessary to protect the vital interests of the data subject or another natural person;
- Art. 6 para. 1 p. 1 lit. e DS-GVO: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Art. 6 (1) p. 1 lit. f DS-GVO ("Legitimate Interests"): if the processing is necessary to protect the legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).
(2) A processing operation may also be based on several legal bases. Any applicable legal basis shall be explicitly mentioned below.
3. Data collected during download
(1) When downloading this app, the necessary personal data will be transmitted to the corresponding App Store. In particular, the e-mail address, the user name, the customer number of the downloading account, the individual device identification number, payment information and the time of the download will be transmitted to the App Store.
(2) We have no influence on the collection and processing of this data; it is carried out exclusively by the Store. The responsibility for the processing and collection of your data lies solely with the App Store selected by you. Any responsibility on our part is excluded.
4. Data collected during use
(1) In order to be able to provide any benefits of our app, it is inevitable that the personal data we have determined and which is necessary for the operation of the app must be collected when you use the app. We only collect this data if this is necessary for the fulfilment of the contract (Art. 6 para. 1 lit. b DS-GVO). Furthermore, we collect data if this is necessary for the functionality of the app and your interest in the protection of your personal data does not outweigh this (Art. 6 para. 1 lit. f DS-GVO).
(2) We collect and process the following data from you:
- Data that you provide to us: To use the app, you need to create a user account. For this, you provide at least your login name.
- Device information: Access data includes the IP address, device ID, device type, device-specific settings and app settings as well as app properties, the date and time of the retrieval, time zone the amount of data transferred and the message whether the data exchange was complete, app crash, browser type and operating system. This access data is processed to enable the technical operation of the app.
- Information with your consent: We process other information, including GPS location data, if you allow us to do so.
- Contact form data: When contact forms are used, the data transmitted through them are processed, including gender, name, address, company, email address and the time of transmission.
5. Cookies
(1) We use cookies when operating our app. Cookies are small text files that are stored on the device memory of your mobile end device and assigned to the mobile app you are using and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer. They serve to make an app more user-friendly and effective.
(2) Cookies contain data that enable recognition of the device used. In part, cookies only contain information on settings that cannot be related to a person. Cookies cannot directly identify a user.
(3) A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:
- Technical cookies: these are mandatory in order to move around within the app, use basic functions and ensure the app's security; they do not collect information about you for marketing purposes nor do they store which websites you have visited;
- Performance cookies: these collect information about how you use our app, which pages you visit and, for example, whether errors occur when using the app; they do not collect information that could identify you - all information collected is anonymous and is only used to improve our app and find out what interests our users;
- Advertising cookies, targeting cookies: these are used to provide the app user with tailored advertising within the app or third party offers and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
- Sharing cookies: These are used to improve the interactivity of our App with other services (e.g. social networks); Sharing cookies are stored for a maximum of 13 months.
(4) Any use of cookies that is not absolutely technically necessary constitutes data
processing that is only permitted with your express consent, pursuant to Art. 6 (1) p. 1 lit. a DS-GVO. This applies in particular to the use of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to
third parties if you have given your express consent to do so, pursuant to Art. 6 (1) sentence 1 lit. a DS-GVO.
6. Duration of data storage
(1) We delete your personal data as soon as it is no longer required for the purposes for which we collected or used it. We store your personal data for the duration of the usage or contractual relationship via the app. As a matter of principle, your data will only be stored on our servers in Germany // the European Union // and the USA, subject to possible disclosure.
(2) In the event of a pending legal dispute with you or other legal proceedings, storage may extend beyond the specified period.
(3) Third parties engaged by us will store your data on their systems for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.
(4) Legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
7. Data security
We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
8. Automated decision making
There is no intention to use the personal data collected from you for any automated decision making process (including profiling).
9. Change of purpose
(1) Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing.
(2) In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of the purposes prior to further processing and provide you with all other relevant information.
D. Responsibility for your data and contacts
1. Controller and contact details
(1) The body responsible for processing your personal data within the meaning of Art. 4 No. 7 DS-GVO is us. [Ibiza Heartbeat] , [Gminderstrasse 29, 72762 Reutlingen] , [+4915732044557] , [info@ibizaheartbeat.com]
DSB Contact person on the subject of data protection is available to you at any time from our company data protection officer. The contact details are: [Ibiza Heartbeat] [Gminderstrasse 29, 72762 Reutlingen] [info@ibizaheartbeat.com]
(2) Please contact this point of contact if you wish to assert the rights to which you are entitled against us or if you have any questions or comments on the collection and processing of your personal data.
2. Data collection when contacting us
If you contact us, your e-mail address, name and all other personal data that you have provided in the course of contacting us will be stored by us so that we can contact you to answer your question. This data will be deleted as soon as storage is no longer necessary. If there are legal retention periods, the data remains stored, but processing is restricted.
F. Data processing by third parties
1. Commissioned data processing
(1) If commissioned service providers are used for individual functions of our app, they will only act on our instructions. In accordance with Art. 28 DS-GVO, they are contractually obliged to comply with the provisions of data protection law.
(2) The following categories of recipients, which are usually order processors, may receive access to your personal data: Gminderstrasse 29
- Service providers for the operation of our app and the processing of data stored or transmitted by the systems. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f DS-GVO, insofar as these are not order processors;
- State authorities, insofar as this is necessary for the fulfilment of a legal obligation. The legal basis for the transfer is Art. 6 para. 1 p. 1 lit. c DS-GVO;
- Persons employed to carry out our business operations. The legal basis for the disclosure is Art. 6 para. 1 p. 1 lit. b or lit. f DS-GVO.
(3) We will only pass on your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1 p. 1 lit. a DS-GVO.
(4) Insofar as we pass on your personal data to our subsidiaries, this is done on the basis of existing order processing relationships.
2. Requirements for the transfer of personal data to third countries
(1) In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA). Such processing takes place exclusively for the fulfilment of contractual and business obligations and for the maintenance of your business relationship. We will inform you about the respective details of the transfer in the relevant places below.
(2) The European Commission certifies data protection comparable to the EEA standard in some third countries by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct. Please contact our data protection officer if you would like more information on this.
3. Legal obligation to transfer data
In individual cases, we are subject to a legal obligation to provide lawfully collected personal data to third parties, in particular to public authorities, pursuant to Art. 6 (1) p. 1 lit. c DS-GVO).
G. Your rights
1. Right to information
Within the scope of Art. 15 DS-GVO, you have the right to obtain information about the personal data concerning you. This requires a request from you to be sent either by e-mail or by post to the addresses given above.
2. Objection to data processing and revocation of consent
(1) In accordance with Art. 21 DS-GVO, you have the right to object to the processing of personal data concerning you at any time. We will stop processing your personal data unless we can demonstrate compelling grounds for the processing which override your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.
(2) Pursuant to Article 7 (3) of the GDPR, you have the right to revoke your consent – i.e. your voluntary, informed and unambiguous will, expressed by a declaration or other unambiguous affirmative action, that you agree to the processing of the personal data in question for one or more specific purposes – at any time. This has the consequence that we may no longer continue the data processing which was based on this consent.
(3) To give notice, please contact the contact point indicated above.
3. Right to rectification and deletion
(1) Insofar as personal data concerning you is incorrect, you have the right to demand that we correct it without delay in accordance with Art. 16 DS-GVO. Under the conditions set out in Article 17 of the GDPR, you also have the right to request the deletion of personal data relating to you. In particular, you have the right to erasure if the data in question is no longer necessary for the collection or processing purposes, if the data storage period has elapsed, if there is an objection or if there is unlawful processing. To make a request in this regard, please contact the contact point indicated above.
(2) To exercise these rights, please contact the contact point indicated above.
4. Right to restriction of processing
(1) According to Art. 18 DS-GVO, you have the right to request us to restrict the processing of your personal data.
(2) With a request in this regard, please contact the contact point indicated above.
(3) You have the right to restrict processing in particular if the accuracy of the personal data is disputed between you and us; in this case, you have the right for a period of time that is required to verify the accuracy. The same applies if the successful exercise of a right of objection is still disputed between you and us. You also have this right in particular if you have a right to erasure and you request limited processing instead of erasure.
5. Right to data portability
(1) In accordance with Art. 20 DS-GVO, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, common, machine-readable format.
(2) With a request in this regard, please contact the contact point indicated above.
6. Right to complain to the supervisory authority
(1) Pursuant to Art. 77 DS-GVO, you have the right to complain about the collection and processing of your personal data to the competent supervisory authority.
(2) The jurisdiction depends on our registered office, your usual place of residence or your place of work.
