
PRIVACY POLICY

Thank you for accessing our data protection declaration. Insofar as we, as the responsible party, process your personal data, we provide the following information:

  • about our basic handling of your personal data (Section B),

  • about which specific processing operations take place (from section C), and

  • about the possible existence of rights insofar as you are affected by processing operations (section E).

In some cases, we use terms from the General Data Protection Regulation ("GDPR"). Most terms are defined in Art. 4 of the GDPR.

 

A. Our contact details

MADHEARTBEAT, Lda. NIF 517586100

Startup Madeira - EV 198

Campus da Penteada 9020 - 105 Funchal Madeira

 

represented by

Richard Matos

​

B. Our data processing principles

The principles set out in this section apply to all data processing operations carried out by us as data controller. Insofar as we are able to provide further details in the context of the individually listed data processing operations from section C onwards, we will specify our explanations at the relevant points.

 

I. Purpose limitation

We only process your personal data in pursuit of a legitimate purpose. As a general rule, we only process personal data to provide our services, including our online services (e.g. maintaining our website).

 

II. Legal basis

We only process your personal data if at least one of the following legal bases exists:

 

1. Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

In individual cases, we ask you to give your consent in order to process certain personal data for previously defined and communicated purposes in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.

By granting consent, you give us permission to process the data covered by the consent. Once you have given your consent, you can revoke it at any time without any disadvantages for the future. Please note the more detailed information on your right of revocation under section E.II.

As a rule, we use the electronic "opt-in" procedure (active electronic confirmation of consent) or the "double-opt-in" procedure (additional confirmation of identity by receipt of an e-mail with a confirmation link that you must click on) to document consent.

 

2. Fulfilment of a contract (Art. 6 para. 1 p. 1 lit. b GDPR)

When carrying out pre-contractual measures or a contract with you, we rely on the legal basis of Art. 6 (1) p. 1 lit. b GDPR. This concerns, for example, your contact details, which we need to process the contract and for communication.

 

3. Fulfilment of a legal obligation (Art. 6 para. 1 p. 1 lit. c GDPR)

If we process data in order to comply with a legal obligation (e.g. commercial or tax obligations), the legal basis is Article 6 (1) sentence 1 lit. c GDPR.

 

4. Vital interests (Art. 6 para. 1 p. 1 lit. d GDPR)

If vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) sentence 1 lit. d GDPR is the legal basis.

​

5. Performance of tasks in the public interest or in the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e GDPR)

For the processing of personal data in the performance of tasks in the public interest or in the exercise of official authority, we invoke the legal basis of Art. 6 (1) p. 1 lit. e GDPR.

​

6. Safeguarding legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR)

Pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, we process personal data if we protect our legitimate interests or those of a third party and these interests override your interests, fundamental rights and freedoms. In these cases, you may have the right to object to the processing. Please refer to the more detailed information on your right to object under section E.I.

​

III. Data deletion

We delete your personal data as soon as the purpose of the processing has been achieved or otherwise ceases to apply, unless storage beyond this is provided for by law, for example in accordance with Art. 17 (3) GDPR. In order to ensure timely deletion, if necessary, we follow a deletion concept based on the deletion of personal data after the expiry of certain storage and deletion periods, which we divide according to the following criteria:

  • We keep accounting vouchers and balance sheets for 10 years,

  • We keep commercial letters, contracts and correspondence within the scope of the initiation and execution of contracts for 6 years,

  • We keep documents and associated personal data that may lead to claims (for example, warranty claims) until the expiry of the relevant limitation period (generally three years),

  • In the case of other personal data that does not fall under the aforementioned categories, we delete data immediately after the purpose has been achieved.

​

IV. Disclosure of personal data to third parties

We only disclose personal data to third parties if we are legally obliged or entitled to do so. The following categories of recipients are possible, for example:

  • Our contractual partners who support us in the fulfilment of our (pre-)contractual obligations towards you (e.g. logistics and payment service providers),

  • Administrative authorities (e.g. financial or supervisory authorities),

  • courts, and where there is a legitimate interest,

  • Web services that help us display our website (such as Google), and

If required, we can provide you with a list of the specific recipients of your personal data.

 

V. Processing of data in so-called third countries

Your personal data is only processed in countries within the EU or the European Economic Area that are subject to the scope of the GDPR. We only transfer your personal data to all other, so-called "third countries" if an adequate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country in accordance with Art. 44 et seq. GDPR. This is the case, for example,

  • in the event of a so-called "adequacy decision" of the European Commission pursuant to Art. 45 of the GDPR and

  • by establishing appropriate safeguards pursuant to Art. 46 GDPR, such as the use of so-called "EU standard contractual clauses" pursuant to Art. 46(2)(c) or binding internal data protection rules pursuant to Art. 47 GDPR.

In the case of data transfers to the USA, such an adequacy decision exists. However, a further prerequisite for the assumption of an adequate level of data protection in the case of the USA is the registration of the recipient under the "EU-US Data Privacy Framework". The list of registered companies can be found at https://www.dataprivacyframework.gov/s/.

If we cannot guarantee an adequate level of data protection when transferring data to a third country, we will only process your personal data if you give us your express consent to do so (Art. 49 para. 1 sentence 1 lit. a) GDPR). In this case, we will inform you of the corresponding risks associated with the transfer to third countries.

 

C. Data processing when calling up our website

In this section, we inform you about the personal data processing operations that take place when you visit our website.

 

I. Logfile

When you call up our website, the browser you use on your end device automatically sends information to the server of our website. This information is temporarily stored in a so-called "log file".

​

1. Data collected

The following information is automatically recorded in encrypted form when our website is accessed and stored until automatically deleted:

  • the IP address of the requesting computer,

  • Information about the type of device (mobile device, desktop computer, etc.), the type of browser and the version used, as well as the operating system of your end device, if applicable,

  • the Internet service provider of the user

  • Date and time of access to our website,

  • Website from which the user accesses our website (so-called "referrer URL"),

  • Websites that the user's system calls up via our website and

  • Movements of the user on our website.

 

2. Purpose and legal basis

We pursue the following purposes with the collection and processing of the "log data" on the basis of the following legal basis:

  • Provision of the contents of our website to the user, which among other things also makes the temporary storage of the IP address necessary to enable the user's communication with our website. The legal basis for this data processing - i.e. for the duration of your website visit - is Art. 6 para. 1 p. 1 lit. b GDPR. In addition, the data processing is based on Art. 6 para. 1 p. 1 lit. f GDPR (cf. para. B.II.6), whereby our legitimate interest follows from the fact that we are able to make the provision of the content possible in the first place.

  • Ensuring a smooth connection and comfortable use of our website, evaluation of system security and stability as well as for other administrative purposes. This is achieved by processing and storing the IP address in the log files beyond the communication process. We also base this on Art. 6 para. 1 sentence 1 lit. f GDPR (cf. para. B.II.6).

​

3. Duration of storage and deletion periods

The data is deleted when the purpose for which it was collected no longer applies. In the context of providing the content of our website, the data is therefore generally deleted when you leave our pages and the session is thus ended.

Insofar as the purposes of system security and stability are pursued, log data is stored for a maximum of 3 months beyond the end of the session. Beyond these 3 months, storage or other processing only takes place in such a way that the IP addresses of the users are deleted after the expiry of the aforementioned storage period of seven days or are changed in such a way (e.g. by anonymisation or pseudonymisation) that an allocation of the log data to an IP address and thus to the user is no longer possible.

 

4. Possibility of objection and removal

In principle, as we have explained in section E.I, you have a right to object insofar as we rely on legitimate interests. However, since the data processing described above is absolutely necessary for the operation of our website, you can only assert a right of objection insofar as reasons arise from your particular situation that do not permit processing to the aforementioned extent. As a rule, however, we can prove the compelling necessity of the data processing just mentioned.

 

5. Data security

We use the widespread SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser when visiting the website. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

 

II. Cookies

We use cookies on our site. We have already informed you about the use of cookies via our cookie banner. The information provided here is for more comprehensive and supplementary information.

Cookies are small text files that your browser automatically creates and stores on your end device (PC, laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not contain viruses, Trojans or other malware, but information that enables the browser to be uniquely identified when the same website is called up again. We do not obtain any direct knowledge of your identity by setting the cookies. However, depending on the type of cookie placed and the possibility of assigning a cookie to an IP address, it is generally possible to establish a personal reference to the user.

We basically distinguish between two types of cookies:

  • Necessary cookies that are required to (optimally) display and offer the services and information you have requested, such as language settings, shopping cart and/or login functions.

  • Optional cookies that record and, if necessary, analyse the behaviour of users on our websites and also across website or device boundaries (e.g. across different domains of different providers), store this information in a cookie on your terminal device and, if necessary, make it available for retrieval by web applications.

​

1. Purpose and legal basis

The use of necessary cookies serves to enable the provision of our website and the complete use of our offer and to make it more pleasant for you. Functions such as language settings, a shopping cart or similar would not be possible without the use of these cookies.

On the other hand, we use optional cookies to statistically record the use of our website and to conduct an analysis of the surfing behaviour of users on our website. This serves to optimise our offer and the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer. This enables us to adapt our offer to the wishes of our user group, for example through market research, and to design it in line with requirements. The data about users collected in this way is pseudonymised by technical precautions. It is then no longer possible for us to assign the data to the calling user; however, a clearer assignment and identification of the user may be possible for the companies whose tools we use when using cookies (such as Google) (more information on this is provided in connection with the tools used).

The legal basis for the use of our cookies with regard to the provision of our website and the full use of our offer is Art. 6 para. 1 p. 1 lit. b GDPR, insofar as the use is absolutely necessary in terms of contract fulfilment or for the implementation of pre-contractual measures security interests (such as shopping cart function). Insofar as we pursue other functional purposes (appealing design, etc.) and access to your terminal device is necessary for this, we require your consent in accordance with § 25 para. 1 TTDSG for the initial access to your terminal device and for any subsequent data processing in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.

Insofar as we analyse the surfing behaviour of our users by means of optional cookies, and in some cases make use of third-party software, we rely on your previously granted consent. We obtain consent with regard to the initial access to your terminal device in accordance with § 25 para. 1 TTDSG and with regard to the subsequent processing of the data in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. Of course, we will refrain from these types of data processing if you have not given your consent to this or have revoked your consent once given.

​

2. Duration of storage and deletion periods

Session cookies are only stored by your browser for the duration of your browser session and are deleted when you close the browser. Optional cookies remain stored on the terminal device you are using for a longer period of time.

​

3. Right of objection and possibility of removal

You were informed about the use of cookies when you accessed our website and referred to this privacy policy. You were asked to give your consent to the use of optional cookies. You can also revoke any consent you have given at any time (section E.II). You can exercise the revocation by calling up the cookie widget. To do this, please click on the "Cookie settings" function, which can be called up at the bottom right of our pages. In these settings, you can activate and deactivate (or revoke) the cookies you want and do not want.

As a user, you can also use technical settings to decide yourself whether and how cookies are used or stored by your browser. You can configure your browser in such a way that no cookies are stored on your computer or a message always appears before a new cookie is created. You can delete cookies that have already been created or have them automatically deleted by your browser. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.

​

III. Web analysis service Google Analytics

For the purpose of analysis as well as demand-oriented design and continuous optimisation of our websites and their use, we use the web analysis service "Google Analytics" of the company Google based in Ireland (Google Ireland Limited, Gordon House, Barrow Street Dublin 4; hereinafter "Google"). Google Analytics uses cookies (see para. C.II), which enable an analysis of the use of the website by creating pseudonymous user profiles of our customers. Google processes this data on our behalf (Art. 28 GDPR).

Activation only takes place if you have given your consent to this when calling up our website in accordance with Art. 6 para. 1 p. 1 lit. a GDPR and § 25 para. 1 TTDSG. Please note that you have a right of revocation (section F.II).

​

1. Recipient of the data

Since Google acts as an order processor for us, Google is also to be regarded as the recipient. The information generated by the cookie (e.g. browser type, operating system, IP address, etc.) about your website use may be transmitted by Google to a Google server in the USA and stored there. Your IP address will be truncated and anonymised by Google within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area prior to transmission (so-called "IP masking"). Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The USA is a third country (cf. on the term and further explanations para. B.V), for which the EU Commission has issued an adequacy decision. Google and its parent company Google LLC are registered in the EU-US Data Privacy Framework.

Google uses the aforementioned information to evaluate the use of the website, to compile reports on website activity and to provide other services associated with the use of the website and the Internet for the purposes of market research and demand-oriented design of these websites. If necessary, this information will be transferred to third parties if this is required by law or if third parties process this data on behalf of Google. Google may also merge data from other sources with your data so that Google can identify you despite IP masking.

Further information on data processing by Google can be found at https://support.google.com/analytics/answer/6004245?sjid=9484776245034955392-EU.

​

2. Right of withdrawal and possibility of removal

We only activate the Google Analytics function if you have given your consent to this when accessing our website. Since Google Analytics works with cookies, the explanations under the previous section C.II apply accordingly. Please note in particular your right of revocation with regard to the consent you have given (for more details, see section E.II).

You can also prevent the collection of data by Google Analytics by either downloading and installing a browser add-on or setting an opt-out cookie via the following internet address: http://tools.google.com/dlpage/gaoptout?hl=de. Setting an opt-out cookie has the effect of preventing the future collection of your data by Google Analytics when you visit this website. However, if you delete your cookies in the future, this will also delete the opt-out cookie and you may have to activate it again.

​

IV. Social media

You can access our profile on the social networks Facebook, Instagram and TikTok via the corresponding link on our website. In this case, the social networks may link the IP address of your browser session to your own profile on the respective social network via one of their cookies.

​

1. Facebook

We maintain a presence ("fan page") on the social network Facebook of the company Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook thereby initially receives, among other things, the information that you have visited our site with your IP address.

​

a) Data processing and responsibilities

Facebook uses the aforementioned information under its own responsibility in order to evaluate the use of the website, to compile reports on the website activities and to provide further services related to the use of the website and the internet for the purposes of market research and the demand-oriented design of these websites. If necessary, this information is transferred to third parties if this is required by law or if third parties process this data on our behalf. Facebook may also combine data from other sources of its own with your data.

For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please also refer to Facebook's privacy policy (https://www.facebook.com/about/privacy/).

Data is processed as soon as you access our profile on Facebook ("Facebook page") via the corresponding link on our website. When you access our Facebook profile, Facebook may process data stored in cookies as well as log data that originate from our website and are transmitted to Facebook.

However, when you visit our profile, Facebook mainly processes data on how and whether you have interacted with our profile (for example, postings, followings, etc.).

If you are also a member of the social network Facebook, Facebook processes the data you have already provided (e.g. name, age, gender, etc.), creates analyses and statistics and then provides us with these in aggregated form. This aggregated data does not have any personal reference. Facebook refers to this as "Page Insights". You can find more information about this at https://www.facebook.com/privacy/policy?section_id=0-WhatIsThePrivacy.

We are jointly responsible with Facebook for this "Page Insights" data processing described above (Art. 26 GDPR). We have transparently defined our obligations and rights with regard to data processing in a contract with Facebook, which can be found at https://www.facebook.com/legal/controller_addendum.

From this you can see that Facebook has also primarily taken on the task of protecting your data subject rights (cf. para. F) if you wish to exercise them. You can do this simply via your profile settings on Facebook or via a direct contact. You are also free to contact us regarding your data subject rights. However, we would like to point out that due to a lack of insight into the specific data processing, we will generally forward your request to Facebook.

The data processing subsequent to the "Page Insights" (i.e. the use of aggregated statistics and analyses) is carried out by us under our own responsibility. We are also responsible for the use and further processing of your personal and publicly visible interactions on our profile page (e.g. likes, postings, sharing of posts, etc.) as well as for any contact made with us.

Facebook is solely responsible for all data processing carried out outside of "Page Insights".

​

b) Purpose and legal basis

We operate our profile on Facebook in order to be able to present our services in an appealing way and to provide them with a corresponding reach.

The analysis services through "Page Insights" are used to create aggregated statistics for us. This enables us to better understand our visitors and customers and to improve our offer. Likewise, we can target our advertising on this basis (which has no personal reference).

We base this processing on your consent (given to Facebook) (Art. 6 para. 1 p. 1 lit. a GDPR).

Insofar as we communicate with you on our own authority, the processing serves to answer the enquiries as well as to prepare the conclusion of a contract and, if necessary, even to implement it (Art. 6 para. 1 p. 1 lit. b GDPR), as in other cases of contacting you (cf. para. C.VIII). The remaining use is otherwise based on legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR), which lie in being able to improve our offers and services in line with the target group. Please note your right of revocation with regard to the processing of personal data that we base on our legitimate interests (cf. F.I.1).

​

c) Data transfer to the USA

Some of the data processing also takes place in the USA. The USA is a third country (for the term and further explanations, cf. point B.V), for which the EU Commission has issued an adequacy decision. Google and its parent company Google LLC are registered in the EU-US Data Privacy Framework.

​

2. Instagram

We maintain a presence on the social network Instagram of the company Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Among other things, Instagram initially receives the information that you have visited our site with your IP address.

​

a) Data processing and responsibilities

Instagram uses the aforementioned information to evaluate the use of the website, to compile reports on website activities and to provide other services associated with the use of the website and the internet for the purposes of market research and demand-oriented design of these websites. If necessary, this information is transferred to third parties if this is required by law or if third parties process this data on our behalf. Instagram may also combine data from other sources of its own with your data.

For the purpose and scope of the data collection and the further processing and use of the data by Instagram, as well as your rights in this regard and setting options for protecting your privacy, please also refer to Instagram's privacy policy (https://privacycenter.instagram.com/policy).

Data is processed as soon as you access our Instagram profile ("Instagram page") via the corresponding link on our website. When you access our Instagram profile, Instagram may process data stored in cookies as well as log data that originates from our website and is transmitted to Instagram.

However, when you visit our profile, Instagram mainly processes data on how and whether you have interacted with our profile (for example, postings, followings, etc.).

If you are also a member of the social network Instagram, Instagram processes the data you have already provided (e.g. name, age, gender, etc.), creates analyses and statistics and then provides them to us in aggregated form. This aggregated data does not have a personal reference. Instagram refers to this as "Page Insights". You can find more information on this at https://www.facebook.com/privacy/policy?section_id=0-WhatIsThePrivacy.

We are jointly responsible with Instagram for this "Page Insights" data processing described above (Art. 26 GDPR). We have transparently defined the obligations and rights regarding the data processing in a contract with Instagram, which is available at https://www.facebook.com/legal/controller_addendum.

From this you can see that Instagram has also primarily taken on the task of protecting your data subject rights (cf. para. F) if you wish to exercise them. You can do this simply via your profile settings on Instagram or via a direct contact. You are also free to contact us regarding your data subject rights. However, we would like to point out that due to a lack of insight into the specific data processing, we will generally forward your request to Instagram.

The data processing subsequent to the "Page Insights" (i.e. the use of aggregated statistics and analyses) is carried out by us under our own responsibility. We are also responsible for the use and further processing of your personal and publicly visible interactions on our profile page (e.g. likes, postings, sharing of posts, etc.) as well as for any contact made with us.

Instagram is solely responsible for all data processing undertaken outside of "Page Insights".

​

b) Purpose and legal basis

We operate our profile on Instagram in order to be able to present our services in an appealing way and to provide them with a corresponding reach.

The analysis services through "Page Insights" are used to create aggregated statistics for us. This enables us to better understand our visitors and customers and to improve our offer. Likewise, we can target our advertising on this basis (which has no personal reference).

We base this processing on your consent (given to Instagram) (Art. 6 para. 1 p. 1 lit. a GDPR).

Insofar as we communicate with you on our own authority, the processing serves to answer the enquiries as well as to prepare the conclusion of a contract and, if necessary, even to implement it (Art. 6 para. 1 p. 1 lit. b GDPR), as in other cases of contacting you (cf. para. C.VIII). The remaining use is otherwise based on legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR), which lie in being able to improve our offers and services in line with the target group. Please note your right of revocation with regard to the processing of personal data that we base on our legitimate interests (cf. F.I.1).

​

c) Data transfer to the USA

Some of the data processing also takes place in the USA. The USA is a third country (for the term and further explanations, cf. point B.V), for which the EU Commission has issued an adequacy decision. Google and its parent company Google LLC are registered in the EU-US Data Privacy Framework.

​

3. TikTok

We maintain a presence on the social network of the companies TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP. Among other things, TikTok initially receives the information that you have visited our site with your IP address.

​

a) Data processing and responsibilities

TikTok collects and processes in principle under its own responsibility comprehensive data from its users for business purposes. We have no influence on the data collection and further processing by TikTok. Furthermore, it is not apparent to us to what extent, where and for how long the data is stored, to what extent TikTok complies with existing deletion obligations, what evaluations and links are made with the data and to whom the data is passed on. Details of how TikTok itself describes its own data processing can be found in TikTok's privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de. You can contact TikTok's data protection officer via the online contact form provided by TikTok at https://www.tiktok.com/legal/report/DPO.

Data is processed as soon as you access our TikTok profile via the corresponding link on our website. When you access our TikTok profile, TikTok may process data stored in cookies as well as log data that originate from our website and are transmitted to TikTok.

However, when you visit our profile, TikTok mainly processes data on how and whether you have interacted with our profile (for example, postings, followings, etc.). If you are also a member of the social network TikTok, TikTok processes the data you have already provided (e.g. name, age, gender, etc.), creates analyses and statistics and then makes these available to us in aggregated form. This aggregated data does not have a personal reference. TikTok refers to this as "TikTok Insights". You can find more information about this at https://ads.tiktok.com/help/.

We are jointly responsible with TikTok for these "TikTok Insights" data processing operations described above (Art. 26 GDPR). We have transparently defined the obligations and rights with regard to the data processing in a contract with Facebook, which is available at https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.

From this you can see that TikTok has also primarily taken on the task of protecting your data subject rights (cf. para. F) if you wish to exercise them. You can easily do this via your profile settings at TikTok or via a direct contact. You are also free to contact us regarding your data protection rights. However, we would like to point out that due to a lack of insight into the specific data processing, we will generally forward your request to TikTok.

The data processing subsequent to the "TikTok Insights" (i.e. the use of aggregated statistics and analyses) is carried out by us under our own responsibility. We are also responsible for the use and further processing of your personal and publicly visible interactions on our profile page (e.g. likes, postings, sharing of posts, etc.) as well as for any contact made with us.

TikTok is solely responsible for all data processing carried out outside of "TikTok Insights".

​

b) Purpose and legal basis

We operate our profile on TikTok in order to present our services in an appealing way and to give them appropriate reach.

The analytics services through "TikTok Insights" are used to create aggregated statistics for us. This allows us to better understand our visitors and customers and improve our offer. Likewise, we can target our advertising on this basis (which has no personal reference).

We base this processing on your consent (given to TikTok) (Art. 6 para. 1 p. 1 lit. a GDPR).

Insofar as we communicate with you on our own authority, the processing serves to answer the enquiries as well as to prepare the conclusion of a contract and, if necessary, even to implement it (Art. 6 para. 1 p. 1 lit. b GDPR), as in other cases of contacting you (cf. para. C.VIII). The remaining use is otherwise based on legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR), which lie in being able to improve our offers and services in line with the target group. Please note your right of revocation with regard to the processing of personal data that we base on our legitimate interests (cf. F.I.1).

​

c) Data transfer to third countries

The data processing takes place in the USA, Malaysia and Singapore, all of which are third countries (for the term and further explanations, see para. B.V). According to TikTok, it has implemented safeguards in the sense of Art. 46 et seq. of the GDPR in order to guarantee an adequate level of data protection. However, we cannot exclude the possibility that data may also be transferred to the People's Republic of China. Please note that

  • investigative authorities in, for example, the United States or the People's Republic of China may, under certain circumstances, have access to such data without any ability on our part or on the part of TikTok to intervene; and

  • therefore it cannot be fully guaranteed that your data is fully subject to the level of data protection of the GDPR.

As you have given your consent to TikTok to carry out the processing on third country servers, you also have a right of withdrawal against TikTok.

​

V. Contact form and e-mail contact

We offer you the opportunity to contact us on our website via our contact form. In any case, the IP address of the user and the date and time of sending your message will be stored as part of the contact. We collect and store the following personal data as mandatory data (marked with a " * " as a mandatory field):

  • First name

  • Last name

  • E-mail

  • Your message

If you decide to contact us via the email address provided on our website, we will store your email address and any other data you (voluntarily) provide. Data will only be passed on to third parties if this is necessary to process your request.

​

1. Purpose and legal basis

We process the aforementioned data for the purpose of processing your request. Other data is only processed for technical or security reasons (for example, prevention of misuse and ensuring our system security). The legal basis is Art. 6 para. 1 p. 1 lit. a GDPR (consent), Art. 6 para. 1 p. 1 lit. b GDPR (fulfilment of a contract or pre-contractual measures) and with regard to the latter purpose Art. 6 para. 1 p. 1 lit. f GDPR, as we have a legitimate interest in the integrity of our website.

​

2. Duration of storage and deletion periods

All aforementioned data will be deleted as soon as we have processed your request and further clarification is no longer necessary. The deletion is subject to any obligations and rights pursuant to section B.III.

​

3. Possibility of objection and removal

After you have contacted us, you can withdraw your request at any time and object to further processing of the data. Furthermore, you may have the right to object in accordance with Art. 21 GDPR (cf. para. F.I.1).

​

D. Regiondo booking tool

​

1. Use of our booking tool

In order to use the order function of our booking tool, we require data to carry out the booking process. Mandatory data is marked as such; other information is voluntary. We process the data you provide to process your order. In addition, you can use the payment method of your choice, for which data entries are also required. The legal basis for this is Art. 6 para. 1 p. 1 lit. b GDPR.

​

2. Entering data for PayPal

In order to process the order, we use the service provider PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg) as part of the use of our booking tool. Payments are processed via your personal PayPal account.

If you choose the payment service provider PayPal, we will transmit your order data to PayPal, usually your first name, surname, address, email address, IP address, telephone number, mobile phone number or other data that are necessary for processing the payment and that you have provided to us. This is covered by Art. 6 para. 1 p. 1 lit. b GDPR, as our purpose is to be able to process the order completely.

Please note that PayPal is its own data controller within the meaning of the GDPR and that PayPal may pass on data to its own partners. PayPal is also responsible for obtaining consent for certain data transfers (such as for credit checks). For more information, please visit PayPal's privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full. 

​

3. Storage

As already communicated above, we are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, we restrict processing after approximately three years, i.e. after expiry of any warranty and other rights. Your data will then only be retained for compliance with legal obligations.

​

4. Encryption

To prevent unauthorised access by third parties to your personal data, in particular financial data, the ordering process is encrypted.

​

E. Contracts

If you are our contractual partner, we have provided the essential information regarding our processing of your personal data as a data controller in our GTC. Please note that our General Information under section B also applies to data processing in contracts. The following information is therefore only provided as a supplement to our General Terms and Conditions and to our General Information under section B. If you have any further questions, please contact us using the contact details above (section A).

​

I. Purpose and legal basis

The purpose of collecting the personal data obtained in the course of concluding and performing the contract is to enable us to fulfil our obligations under the contract. For example, we need your contact details in order to provide you with our services. The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR. Data will only be passed on to third parties under the conditions set out in section B.IV and B.V. Categories of recipients in our contracts are, for example, payment service providers and logistics service providers. Failure to provide the data on your part may result in the contract not being concluded and/or implemented.

Furthermore, we use the data to serve you as a customer and for statistical market and opinion research purposes. This is necessary to continuously improve our products and services and to adapt them to the needs of our customers. We only engage in direct advertising if you have consented to this or if there is another legal basis for this under the Union law of the member states.

The legal basis for the aforementioned data processing is, in the case of consent, Art. 6 para. 1 sentence 1 lit. a GDPR; insofar as the processing is necessary for the fulfilment of the contract and the implementation of pre-contractual measures, Art. 6 para. 1 sentence 1 lit. b GDPR; and in all other aforementioned cases Art. 6 para. 1 sentence 1 lit. f GDPR (safeguarding of legitimate interests), whereby our legitimate interest lies in the marketing and continuous improvement of our products and services as well as in their adaptation to the needs of our customers.

​

II. Duration of storage and deletion periods

As a matter of principle, we only store personal data as long as this serves a legitimate purpose. If the purpose of the processing no longer applies, we have taken technical and organisational measures to ensure that personal data is deleted or made unidentifiable or that processing is restricted.

We will only store data after the purpose of processing has ceased to apply if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which our company is subject. Such cases are, for example, the existence of legitimate interests in storage, such as during the course of limitation periods for the purpose of legal defence against any claims or, for example, the fulfilment of statutory retention obligations. If the further storage just described is no longer covered by the aforementioned standards, we will immediately delete the data or restrict its processing, unless the further storage of the data is necessary for the conclusion of a contract or for other purposes.

​

III. Possibility of objection and removal

In particular, you have the right to revoke your consent to the collection and further processing of your data on the basis of your consent (cf. F.II). The processing of data required for the performance of the contract or the implementation of pre-contractual measures is not subject to any right of objection; however, you may object to the processing of data on the grounds of legitimate interest under the conditions set out in section F.I.1.

With regard to our direct advertising, we refer to your right of revocation (in the case of consent given) in accordance with section F.II and to your right of objection according to clause F.I.2.

In addition, the options described under section F are also available to you.

​

F. Your rights as a data subject

If you are affected by our processing of your personal data, you may have the following rights:

​

I. Right of objection (Art. 21 GDPR)

In the case of data processing for certain purposes, you have the right to object in accordance with Art. 21 GDPR. If you wish to object, please contact us using the contact details provided. You will not incur any additional costs other than the transmission costs according to the base rates of your telecommunications provider. A right of objection exists in the following cases:

​

1. Processing for legitimate interest (Art. 6 para. 1 p. 1 lit. f, 21 para. 1 GDPR):

If personal data is processed to safeguard legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR), you may object to the processing of personal data relating to you at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

​

2. Processing for the purpose of direct marketing (Art. 21 para. 2 GDPR, § 7 para. 3 UWG):

Insofar as we process data for the purpose of direct advertising and/or related profiling, you may object at any time to the processing of your personal data for the purpose of such advertising and/or profiling. If you object, we will refrain from any further processing of your data for the purpose of direct advertising and/or profiling.

​

3. Processing for the performance of a task in the public interest or for the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e, 21 para. 1 GDPR):

If personal data is processed for the performance of tasks in the public interest or for the exercise of official authority (Art. 6 (1) sentence 1 lit. e GDPR), you may object to the processing of personal data relating to you at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

​

4. Processing for scientific or historical research purposes or for statistical purposes (Art. 21(6) GDPR):

If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out in the public interest.

​

II. Right of withdrawal in the case of consent granted (Art. 7 (3) GDPR)

You can revoke consent once given at any time with effect for the future - in full or in part - without incurring any costs by contacting us using our contact details. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

​

III. Right of access (Art. 15 GDPR)

You have the right to request information about your personal data processed by us. This right to information includes

  • the purposes of processing;

  • the categories of personal data that we process;

  • the categories of recipients to whom your data has been or will be disclosed;

  • in the case of a transfer of personal data to so-called "third countries" (cf. B.V) outside the scope of the GDPR, whether and how we ensure an adequate level of protection by means of appropriate safeguards (Art. 45, 46 GDPR) at the data recipient in the third country;

  • the planned storage period, insofar as we are able to assess this; if an assessment and indication of the storage period are not yet conclusively possible, we will at least provide information on the criteria for determining the storage period (e.g. periods of limitation, statutory retention periods, cf. also para. B.III);

  • your right to rectification, erasure, restriction of processing and to object to the processing of personal data concerning you (details below);

  • the existence of a right of appeal to a supervisory authority;

  • the origin of the data if it was not collected by us; and

  • the existence of an automated decision in individual cases within the meaning of Article 22 of the GDPR, including profiling, which also includes details of the decision-making criteria (i.e. the logic used) of the automated decision and the effects and consequences for the data subject.

You have the right to request a copy of your personal data processed by us. You will not incur any costs for the first copy of the data, but we will charge a reasonable fee for further copies of the data. If you exercise this right, we will generally provide the copy of the data in electronic form, unless otherwise specified. The provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy.

​

IV. Right of rectification (Art. 16 GDPR)

You have the right to request us to correct your inaccurate data without delay. Likewise, you may request us to complete your incomplete personal data by means of supplementary declarations or notifications from you.

​

V. Right to erasure (Art. 17 GDPR)

You have the right to demand that we delete your personal data stored by us without delay, insofar as

  • you have given your consent (cf. B.II.1) to the data processing, unless there is another legal basis for the data processing;

  • the storage or other processing of your personal data is no longer necessary for the purposes for which they were collected and processed;

  • you have objected to data processing pursuant to Art. 21 GDPR and there are no overriding legitimate grounds for further processing; in the case of direct advertising pursuant to Art. 21 (2) GDPR, the deletion shall take place unconditionally due to objection;

  • your personal data have been processed unlawfully;

  • it is a child's data collected in relation to information society services pursuant to Article 8(1) of the GDPR.

If we have made personal data public, we will also inform other data controllers of your request for deletion, including the deletion of links, copies and/or replications, to the extent technically possible and reasonable.

The aforementioned rights to erasure of your personal data do not exist insofar as the processing is required

  • to exercise the right to freedom of expression and information;

  • for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;

  • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) GDPR and Art. 9(3) GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, insofar as your right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or

  • for the assertion, exercise or defence of legal claims.

​

VI. Right to restriction of processing (Art. 18 GDPR)

You have the right to request that we restrict the processing of your personal data (i.e. limit processing to mere storage) if one of the following cases applies:

  • You have disputed the accuracy of your personal data. For the duration of our verification of accuracy, you can request that your data not be used for other purposes and be restricted in this respect.

  • The processing is unlawful and you object to the erasure of the personal data (Art. 17 (1) p. 1 lit. d GDPR) and instead request the restriction of the use of the personal data (Art. 18 GDPR).

  • We no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims. In this case, you can request the restriction of processing to the aforementioned purposes.

  • You have objected to the processing in accordance with Article 21 (1) of the GDPR. As long as it has not yet been determined whether our legitimate interests or reasons for processing outweigh yours, you can request that we only process your data for the purpose of carrying out this balancing of interests.

If we have restricted the processing of your personal data at your request, we may and will only process such data - apart from storing them - with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

If a processing restriction is lifted, you will be informed in advance.

​

VII. Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that

  • the processing is based on consent pursuant to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) sentence 1 lit. b GDPR and

  • the processing is carried out with the aid of automated procedures.

Where technically feasible, you may also request us to transfer your personal data directly to another controller.

The exercise of the right to data portability does not affect the right to data erasure (Art. 17 GDPR). However, the right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

You cannot exercise the right to data portability if it affects the rights and freedoms of other individuals.

​

VIII. Right of appeal (Art. 77 GDPR)

We always process personal data in accordance with the law. However, if you have reason to believe that we have violated applicable data protection law, you may at any time contact the competent supervisory authority of the Union or the member states and lodge a complaint. The competent supervisory authority is that of your usual place of residence, your place of work or the place of the alleged infringement.
