Preamble
--------
With the following privacy policy, we would like to inform you about the types
of your personal data (hereinafter also referred to as "data") that we process
for what purposes and to what extent in the course of providing our application.
Date: 7 November 2023
Controller
----------
Maximilian Gerer
c/o KFA City-Haus Gerer GmbH & Co. KG
Eichendorffstr. 1
83301 Traunreut
Germany
Email: [email protected]
Overview of Processing
----------------------
The following overview summarizes the types of data processed and the purposes
of their processing and refers to the data subjects.
### Types of processed data
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta/communication and procedural data.
### Categories of data subjects
- Customers.
- Prospective customers.
- Users.
- Business and contractual partners.
### Purposes of processing
- Provision of contractual services and fulfillment of contractual obligations.
- Handling contact requests and communication.
- Security measures.
- Office and organizational procedures.
- Management and responding to inquiries.
- Registration processes.
- Provision of our online services and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
--------------------
**Relevant legal bases according to GDPR:** Below you will find an overview of
the legal bases of the GDPR on which we process personal data. Please note that
in addition to the provisions of the GDPR, national data protection regulations
may apply in your or our country of residence or domicile. Furthermore, if more
specific legal bases are relevant in individual cases, we will inform you about
them in the privacy policy.
- **Consent (Art. 6 Abs. 1 S. 1 lit. a) GDPR)** - The data subject has given
their consent to the processing of their personal data for one or more
specific purposes.
- **Performance of a contract and pre-contractual inquiries (Art. 6 Abs. 1 S. 1
lit. b) GDPR)** - The processing is necessary for the performance of a
contract to which the data subject is party or for the execution of
pre-contractual measures taken at the data subject's request.
- **Legal obligation (Art. 6 Abs. 1 S. 1 lit. c) GDPR)** - The processing is
necessary to comply with a legal obligation to which the controller is
subject.
- **Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR)** - The processing is
necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data.
**National data protection regulations in Germany:** In addition to the data
protection regulations of the GDPR, there are national regulations regarding
data protection in Germany. This includes in particular the law for the
protection against misuse of personal data during data processing (Federal Data
Protection Act – BDSG). The BDSG contains special provisions on the right to
access, the right to deletion, the right to object, processing of special
categories of personal data, processing for other purposes, and transmission as
well as automated decision-making in individual cases, including profiling.
Furthermore, the data protection laws of the individual federal states may
apply.
**Note on the applicability of the GDPR and Swiss DPA:** These privacy notices
serve both to provide information according to the Swiss Federal Law on Data
Protection (Swiss DPA) and to the General Data Protection Regulation (GDPR). For
this reason, we ask you to note that due to the broader spatial application and
comprehension, the terms of the GDPR are used. In particular, instead of the
terms "processing" of "personal data", "predominant interest" and "sensitive
personal data" used in the Swiss DPA, the terms "processing" of "personal data",
"legitimate interest", and "special categories of data" from the GDPR are used.
However, the legal meaning of the terms will continue to be determined in
accordance with the Swiss DPA where applicable.
Security Measures
-----------------
We take appropriate technical and organizational measures in accordance with the
legal requirements, taking into account the state of the art, the costs of
implementation, and the nature, scope, circumstances, and purposes of
processing, as well as the varying likelihood and severity of the risk to the
rights and freedoms of natural persons, to ensure a level of security
appropriate to the risk.
These measures include ensuring the confidentiality, integrity, and availability
of data by controlling the physical and electronic access to the data, as well
as access, input, transfer, ensuring availability, and their separation.
Furthermore, we have established procedures that ensure the enjoyment of data
subject rights, deletion of data, and reaction to data compromise. Additionally,
we consider the protection of personal data during the development or selection
of hardware, software, and procedures, according to the principle of data
protection through technology design and data protection-friendly default
settings.
IP Address Truncation: If IP addresses are processed by us or by employed
service providers and technologies, and the processing of a full IP address is
not necessary, the IP address is shortened (also known as "IP masking"). In this
case, the last two digits, or the last part of the IP address after a dot, are
removed or replaced by placeholders. The truncation of the IP address aims to
prevent or significantly complicate the identification of a person by their IP
address.
TLS/SSL encryption (https): To protect the data of users transferred via our
online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the
standard technology for securing Internet connections by encrypting data
transmitted between a website or app and a browser (or between two servers).
Transport Layer Security (TLS) is an updated, more secure version of SSL. Hyper
Text Transfer Protocol Secure (HTTPS) is displayed in the URL when a website is
secured by an SSL/TLS certificate.
Transmission of Personal Data
----------------------------
In the course of our processing of personal data, it may happen that the data is
transmitted to other places, companies, legally independent organizational units
or persons, or that it is disclosed to them. Recipients of this data may
include, for example, service providers entrusted with IT tasks or providers of
services and content that are integrated into a website. In such cases, we
comply with the legal requirements and conclude appropriate contracts or
agreements that serve to protect your data with the recipients of your data.
International Data Transfers
-----------------------------
Data processing in third countries: If we process data in a third country (i.e.,
outside of the European Union (EU), the European Economic Area (EEA)) or if
processing takes place within the framework of using services from third parties
or the disclosure or transfer of data to other individuals, bodies or companies,
this happens only in compliance with legal requirements. If the level of data
protection in the third country has been recognized by means of an adequacy
decision (Article 45 GDPR), this forms the basis of the data transfer.
Otherwise, data transfers only take place if the level of data protection is
assured by other means, in particular through standard contractual clauses
(Article 46 (2) (c) GDPR), explicit consent, or in the case of contractual or
legal requirements for transfer (Article 49 (1) GDPR). Furthermore, we inform
you about the basis of third-country transfers for each provider from the third
country, with adequacy decisions being the primary basis. Information on
third-country transfers and existing adequacy decisions can be obtained from the
information provided by the EU Commission:
https://commission.europa.eu/law/law-topic/data-protection/international-dimensi
on-data-protection_de
EU-US Trans-Atlantic Data Privacy Framework: Within the so-called "Data Privacy
Framework" (DPF), the EU Commission has also recognized the level of data
protection for certain companies from the USA as secure under the adequacy
decision of 07/10/2023. The list of certified companies as well as further
information on the DPF can be obtained from the website of the US Department of
Commerce (in English). We inform you within the framework of the privacy notices
which of our service providers are certified under the Data Privacy Framework.
Deletion of Data
----------------
The data we process will be deleted in accordance with legal requirements as
soon as the consent allowed for processing is revoked or other permissions are
no longer applicable (e.g., if the purpose of processing these data is no longer
applicable or they are not required for the purpose). If the data are not
deleted because they are required for other and legally permissible purposes,
their processing is restricted to these purposes. That is, the data are blocked
and not processed for other purposes. This applies, for example, to data that
must be retained for commercial or tax reasons or whose storage is necessary for
the assertion, exercise or defense of legal claims or to protect the rights of
another natural or legal person. Our privacy notices may also contain additional
information on the storage and deletion of data prevailing specific to the
individual processing activities.
Rights of the Data Subjects
----------------------------
Rights of data subjects under the GDPR: As data subjects, you have various
rights under the GDPR, which arise particularly from Articles 15 to 21 GDPR:
- **Right to object: You have the right, on grounds relating to your particular
situation, to object at any time to the processing of personal data concerning
you which is based on Article 6(1)(e) or (f) GDPR; this also applies to
profiling based on these provisions. If personal data concerning you are
processed for direct marketing purposes, you have the right to object at any
time to the processing of personal data concerning you for such marketing;
this also applies to profiling to the extent that it is related to such direct
marketing.**
- **Right to withdraw consent:** You have the right to withdraw consent at any
time.
- **Right to access:** You have the right to request confirmation as to whether
data concerning you are being processed and to receive information about these
data as well as further information and a copy of the data in accordance with
legal requirements.
- **Right to rectification:** You have the right, in accordance with legal
requirements, to request the completion of the data concerning you or the
correction of the inaccurate data concerning you.
- **Right to erasure and restriction of processing:** In accordance with legal
requirements, you have the right to demand that data concerning you be deleted
without delay, or alternatively, to demand a restriction of the processing of
the data in accordance with legal requirements.
- **Right to data portability:** You have the right to receive data concerning
you, which you have provided to us, in a structured, common and
machine-readable format in accordance with legal requirements, or to request
their transfer to another controller.
- **Complaint to supervisory authority:** You have the right to lodge a
complaint with a supervisory authority, in particular in the Member State of
your habitual residence, place of work or place of the alleged infringement,
if you consider that the processing of personal data relating to you infringes
the requirements of the GDPR.
Use of Cookies
---------------
Cookies are small text files or other storage identifiers that store information
on end devices and read information from end devices, such as to save the login
status in a user account, a shopping cart content in an e-shop, the accessed
content or used functions of an online service. Cookies can also be used for
various purposes, e.g., for functionality, security and convenience of online
services as well as for creating analyses of visitor flows.
**Consent notices:** We use cookies in accordance with legal regulations.
Therefore, we obtain prior consent from users, unless it is not legally
required. Consent is particularly not necessary when storing and reading the
information, including cookies, is absolutely necessary to provide the telemedia
service (i.e., our online service) explicitly requested by the users. Cosmetics
that are absolutely necessary usually include cookies with functions for
displaying and running the online service, load balancing, security, storing
preferences and user selections, or similar purposes associated with the
provision of the main and ancillary functions of the online service requested by
the users. The revocable consent is communicated clearly to the users and
contains information on the respective cookie usage.
**Notes on data protection legal bases:** The data protection legal basis on
which we process the users' personal data with the help of cookies depends on
whether we ask users for consent. If the users consent, the legal basis for
processing their data is the declared consent. Otherwise, the data processed
with the help of cookies are processed based on our legitimate interests (e.g.,
in a business operation of our online service and improving its usability) or if
this is part of fulfilling our contractual obligations, if the use of cookies is
necessary to fulfill our contractual responsibilities. We clarify the purposes
for which the cookies are processed by us in the course of this privacy policy
or within the scope of our consent and processing procedures.
**Storage duration:** Regarding the storage duration, the following types of
cookies are distinguished:
- **Temporary cookies (also: session or session cookies):** Temporary cookies
are deleted at the latest after a user has left an online offer and closed his
end device (e.g., browser or mobile application).
- **Permanent cookies:** Permanent cookies remain stored even after closing the
end device. For example, the login status can be saved or preferred contents
can be displayed directly when the user visits a website again. The data
collected by cookies can also be used for reach measurement. Unless we inform
users explicitly about the type and duration of storage of cookies (e.g., in
the context of obtaining consent), users should assume that the cookies are
permanent and the storage duration can be up to two years.
**General notes on revocation and objection (so-called "Opt-Out"):** Users can
revoke their given consents at any time and object to the processing according
to legal requirements. For example, users can restrict the use of cookies in
their browser settings (which may also limit the functionality of our online
service).
- **Legal bases:** Legitimate Interests (Article 6 (1) (f) GDPR). Consent
(Article 6 (1) (a) GDPR).
**Further information on processing activities, procedures, and services:**
- **Processing of cookie data based on consent:** We use a procedure for cookie
consent management, within the framework of which users' consents to the use
of cookies, or to the processing and providers mentioned in the context of the
cookie consent management procedure, can be obtained as well as managed and
revoked by users. The declaration of consent is stored to avoid having to
repeat the query and to be able to prove the consent according to the legal
obligation. The storage can take place server-side and/or in a cookie
(so-called Opt-In-Cookie, or using comparable technologies) to be able to
assign the consent to a user or their device. Subject to individual
information about the providers of cookie management services, the following
notes apply: The duration of consent storage can be up to two years. Here, a
pseudonymous user identifier is created and stored with the time of consent,
information on the scope of consent (e.g., which categories of cookies and/or
service providers), as well as the browser, system and used end device;
**Legal bases:** Consent (Article 6 (1) (a) GDPR).
This website uses Mouseflow: a website analytics tool that provides session
replay, heatmaps, funnels, form analytics, feedback surveys, and similar
features/functionality. Mouseflow may record your clicks, mouse movements,
scrolling, form fills (keystrokes) in non-excluded fields, pages visited and
content, time on site, browser, operating system, device type
(desktop/tablet/phone), screen resolution, visitor type (first time/returning),
referrer, anonymized IP address, location (city/country), language, and similar
meta data. Mouseflow does not collect any information on pages where it is not
installed, nor does it track or collect information outside your web browser. If
you'd like to opt-out, you can do so at https://mouseflow.com/opt-out. If you'd
like to obtain a copy of your data, make a correction, or have it erased, please
contact us first or, as a secondary option, contact Mouseflow at
[email protected].
For more information, see Mouseflow’s Privacy Policy at
https://mouseflow.com/legal/company/privacy-policy/
For more information on Mouseflow and GDPR, visit
https://mouseflow.com/legal/gdpr/.
For more information on Mouseflow and CCPA/VCDPA visit
https://mouseflow.com/legal/ccpa.
Commercial Services
-------------------
We process data of our contractual and business partners, e.g., customers and
interested parties (collectively referred to as "contractual partners") within
the framework of contractual and comparable legal relationships and associated
actions and within the framework of communication with the contractual partners
(or pre-contractually), e.g., to respond to inquiries.
We process these data to fulfill our contractual obligations, including
obligations to provide the agreed services, any updating obligations, and remedy
in the event of warranty and other service disruptions. In addition, we process
the data to preserve our rights and for the purposes of administrative tasks
connected to these obligations and organizational company administration.
Furthermore, we process the data based on our legitimate interests in proper and
business-like management and safety measures to protect our contractual partners
and our business operations from misuse, endangering their data, secrets,
information, and rights (e.g., by involving telecommunications, transport and
other assistance services as well as subcontractors, banks, tax and legal
advisors, payment service providers or financial authorities). Within the
framework of the applicable law, we transfer the data of contractual partners to
third parties only to the extent that this is necessary for the aforementioned
purposes or for the fulfillment of legal obligations. Contractual partners are
informed about other forms of processing, e.g., for marketing purposes, within
the framework of this privacy policy.
We inform contractual partners about which data is required for the
aforementioned purposes before or during data collection, e.g., in online forms,
by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or in
person.
We delete the data after the expiration of statutory warranty and comparable
obligations, i.e., generally after a period of 4 years, unless the data is
stored in a customer account, e.g., as long as they must be kept for archival
reasons that are required by law. The statutory retention period for
tax-relevant documents and business books, inventories, opening balances,
financial statements that are necessary to understand these documents, work
instructions and other organizational documents, and bookkeeping records is ten
years, and for received commercial and business letters and copies of sent
commercial and business letters is six years. The period begins at the end of
the calendar year in which the last entry was made in the book, the inventory,
the opening balance, the financial statements or the situation report was
established, the commercial or business letter was received or sent, or the
booking record was created, the recording was made, or the other documents were
created.
If we use third-party providers or platforms to provide our services, the terms
and conditions and privacy notices of the respective third-party providers or
platforms apply to the relationship between the users and the providers.
- **Data types processed:** Inventory data (e.g., names, addresses); Payment
data (e.g., bank details, invoices, payment history); Contact data (e.g.,
email, phone numbers); Contract data (e.g., subject matter of the contract,
term, customer category); Usage data (e.g., visited websites, interest in
content, access times); Meta/communication data (e.g., IP addresses, time
information, identification numbers, consent status).
- **Individuals affected:** Customers; Interested parties, Business and
contractual partners.
- **Purposes of processing:** Provision of contractual services and fulfillment
of contractual obligations; Security measures; Contact requests and
communication; Office and organizational procedures. Administration and
response to inquiries.
- **Legal bases:** Contract performance and pre-contractual inquiries (Article 6
(1) (b) GDPR); Legal obligation (Article 6 (1) (c) GDPR). Legitimate Interests
(Article 6 (1) (f) GDPR).
**Further information on processing activities, procedures and services:**
- **Customer account:** Within our online offer, customers can create an account
(e.g., customer or user account, referred to as "customer account"). If
registration of a customer account is required, customers are informed of this
as well as the information required for registration. Customer accounts are
not public and cannot be indexed by search engines. As part of the
registration and subsequent logins and use of the customer account, we store
the IP addresses of the customers along with access times to prove
registration and prevent possible misuse of the customer account. If the
customer account is terminated, the customer account data is deleted after the
termination date, unless it needs to be retained for other purposes than
providing the customer account or due to legal reasons for storage (e.g.,
internal storage of customer data, order processes or invoices). It is the
customers' responsibility to secure their data upon termination of the
customer account; **Legal bases:** Contract performance and pre-contractual
inquiries (Article 6 (1) (b) GDPR).
- **Shop and e-commerce:** We process the data of our customers to enable them
to select, purchase, or order the chosen products, goods and associated
services, as well as their payment and delivery or execution. If necessary for
the execution of an order, we use service providers, especially postal,
freight and shipping companies, to carry out the delivery or execution towards
our customers. For the processing of payment transactions, we utilize the
services of banks and payment service providers. The required details are
identified as such during the ordering or comparable purchase process and
include the information needed for delivery, provision, billing, and contact
information to potentially hold consultations; **Legal bases:** Contract
performance and pre-contractual inquiries (Article 6 (1) (b) GDPR).
Use of Third-Party Services: OpenAI
Gerer Flashcards utilizes the OpenAI API to process the content you upload for
the purpose of generating flashcards. To ensure the protection of your data in
accordance with data protection laws and regulations, we have entered into a
Data Processing Agreement (DPA) with OpenAI. This DPA outlines the obligations
and responsibilities of both parties and ensures that the processing of your
data is compliant with the applicable legal framework.
- Data Processing: OpenAI processes the content of your documents solely to
create the flashcards based on the information provided.
- Data Sharing: Your data is shared with OpenAI strictly for the necessary
processing as outlined above and is not used for any other purposes.
- Data Security: Measures have been implemented by OpenAI to ensure the security
of your data, as specified in the DPA and their Privacy Policy.
- Data Usage: OpenAI will use the content you provide exclusively for the
purpose of improving their services in accordance with the DPA, and such data
will not be used to personally identify you.
- Data Retention: We do not retain your documents any longer than necessary, and
OpenAI's data retention policies comply with the terms of the DPA.
- Your Rights: You have certain rights regarding your personal data, as outlined
in our Privacy Policy. For more information on your rights and how to exercise
them, please contact us.
Please review OpenAI's Privacy Policy for more detailed information on the
processing of your data:
https://openai.com/policies/privacy-policy
By using Gerer Flashcards, you consent to the processing of your data by OpenAI
as described in these documents.
Registration, Login, and User Account
-------------------------------------
Users can create a user account. During registration, the necessary mandatory
details are communicated to users and processed for the purpose of providing the
user account based on contractual obligations. The data processed particularly
include login information (username, password, and an email address).
In the context of using our registration and login functions as well as the use
of the user account, we store the IP address and the time of the respective user
action. The storage is based on our legitimate interests as well as those of the
users in protection against misuse and other unauthorized use. This data is
generally not transferred to third parties unless it is necessary for pursuing
our claims or there is a legal obligation to do so.
Users can be informed about operations relevant to their user account, such as
technical changes, by email.
- **Types of data processed:** Inventory data (e.g. names, addresses); contact
data (e.g. email, telephone numbers); content data (e.g. entries in online
forms); meta, communication and process data (e.g. IP addresses, timestamps,
identification numbers, consent status).
- **Affected persons:** Users (e.g. website visitors, users of online services).
- **Purposes of processing:** Provision of contractual services and fulfillment
of contractual obligations; security measures; administration and answering
inquiries. Providing our online offer and user-friendliness.
- **Legal bases:** Contract fulfillment and pre-contractual inquiries (Art. 6
Para. 1 S. 1 lit. b) GDPR). Legitimate interests (Art. 6 Para. 1 S. 1 lit. f)
GDPR).
**Additional information on processing operations, procedures, and services:**
- **Registration with pseudonyms:** Users may use pseudonyms instead of real
names as usernames; **Legal bases:** Contract fulfillment and pre-contractual
inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- **User profiles are not public:** User profiles are not publicly visible or
accessible.
- **Deletion of data after termination:** When users have terminated their user
account, their data relating to the user account will be deleted, subject to
legal permission, obligation, or user consent; **Legal bases:** Contract
fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
- **No obligation to retain data:** It is the users' responsibility to secure
their data upon termination before the end of the contract. We are entitled to
irretrievably delete all data of the user stored during the duration of the
contract; **Legal bases:** Contract fulfillment and pre-contractual inquiries
(Art. 6 Para. 1 S. 1 lit. b) GDPR).
Changes and Updates to the Privacy Policy
-----------------------------------------
We ask you to regularly inform yourself about the content of our privacy policy.
We adjust the privacy policy as soon as the changes in the data processing we
carry out require it. We will inform you as soon as the changes require your
participation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations
in this privacy policy, please note that the addresses may change over time and
to check the details before contacting.