This Data Protection Declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data” for short) within the scope of provision of our services and within our website and the associated web pages, functions and content, as well as external online presences, e.g. our social media profiles (hereinafter jointly referred to as “online service”). We make reference to the definitions set out in Article 4 of the General Data Protection Regulation (GDPR) as regards the terminology used, e.g. “processing” or “controller”.
Aristander.AI UG
Lychener Str. 43
Germany
Email address: email@example.com
Phone number: +49 30 50 59 54 36
Representative: Managing Director Arne Reichelt
Types of data processed
- User data (e.g. personal master data, names or addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. web pages visited, interest in content, access times).
- Meta/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors to and users of the online service (we hereinafter also collectively refer to data subjects as “users”).
Purpose of processing
- Provision of the online service, its functions and its content.
- Response to contact requests and communication with users.
- Security measures.
- Range measurement/marketing.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far-reaching and covers practically any contact with data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable legal bases
In accordance with Article 13 GDPR, we must provide you with information about the legal bases of our data processing. For users within the scope of application of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, the following applies, if the legal basis is not specified in the Data Protection Declaration:
The legal basis for seeking consent is Art. 6 (1) lit. a and Art. 7 GDPR;
The legal basis for processing in order to render our services, implement contractual measures and respond to enquiries is Art. 6 (1) lit. b GDPR;
The legal basis for processing in order to comply with our legal obligations is Art. 6 (1) lit. c GDPR;
In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
The legal basis for processing in order to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6 (1) lit. e GDPR.
The legal basis for processing in order to uphold our legitimate interests is Art. 6 (1) lit. f GDPR.
The processing of data for a purpose other than that for which the personal data have been collected is governed by the provisions of Art. 6 (4) GDPR.
The processing of special categories of data (as per Art. 9 (1) GDPR) is governed by the provisions of Art. 9 (2) GDPR.
In accordance with the statutory provisions and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as entry, input, disclosure, security of availability and separation. We have also set up procedures that guarantee the protection of data subjects’ rights, the erasure of data and appropriate reaction to risks to data. Furthermore, we consider the protection of personal data when developing or selecting hardware, software and processes, in line with the principle of data protection by design and by default.
Collaboration with processors, joint data controllers and third parties
If we disclose, transfer or otherwise grant access to data to other persons or companies (processors, joint data controllers or third parties) within the scope of our processing of data, this shall take place exclusively on the basis of a legal permit (e.g. where transfer of the data to third parties, such as payment service providers, is necessary for performance of the contract), if users have consented to such, if we have a legal obligation to do so, or on the basis of our legitimate interests (e.g. when using representatives, web hosts, etc.).
If we disclose, transfer or otherwise grant access to data to other companies within our group, this shall take place with administrative purposes as the legitimate interest, as well as on a basis that complies with the statutory provisions.
Transfer to third countries
If we process data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation), or if such takes place within the scope of use of third-party services or disclosure or transfer of data to other persons or companies, this shall exclusively take place in order to meet our (pre-)contractual obligations, on the basis of your consent, on account of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual authorisation, we will only process or allow data to be processed in a third country if the statutory prerequisites are met. That is to say, for example, that processing will take place on the basis of special guarantees, such as the officially recognised establishment of a level of data protection that corresponds to that in the EU (e.g. through the “Privacy Shield” in the USA), or compliance with officially recognised special contractual obligations.
Rights of the data subject
You have the right to request confirmation as to whether certain data are being processed, and to obtain further information about the data and be given a copy of the data in accordance with the statutory provisions.
The statutory provisions state that you are entitled to request completion of incomplete data concerning you, or rectification of incorrect data concerning you.
As per the statutory provisions, you are entitled to request that certain data be erased immediately, or, alternatively, that the processing of the data be restricted.
You have the right to request that data concerning you that you provided us with be retained and transferred on to another controller, as per the statutory provisions.
Furthermore, the statutory provisions state that you have the right to lodge a complaint with the responsible supervisory authority.
Right to revocation
You are entitled to revoke consent that you have granted with effect for the future.
Right to objection
You may object to future processing of data concerning you at any time, as per the statutory provisions. In particular, you may object to processing for the purposes of direct advertising.
Cookies and right to object to direct advertising
“Cookies” are small files stored on users’ computers. These may contain a range of different information. Cookies primarily serve to store information on users (or on the devices on which the cookies are saved) during or after their visit to an online service. Temporary cookies – also called “session cookies” or “transient cookies” – are cookies that are deleted once users leave the online service and close their browser. Such cookies may contain the contents of a shopping cart in an online shop or a login status, for example. “Permanent” or “persistent” cookies are those that remain saved after the browser has been closed. For example, the login status can be stored for when the user re-visits the site after several days. Such cookies may also contain users’ interests, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by providers other than the party responsible for running the online service (this party’s cookies would be referred to as “first-party cookies”).
We may use temporary and permanent cookies and aim to provide clarification on such within the scope of our Data Protection Declaration.
If users do not wish for cookies to be stored on their computers, they are asked to deactivate this option in the system settings of their browser. Stored cookies can be deleted in your browser’s system settings. The exclusion of cookies may limit the functionality of this online service.
Erasure of data
The data that we process is erased in accordance with the statutory provisions, or the processing thereof is restricted. Unless expressly specified in this Data Protection Declaration, the data that we have stored shall be erased as soon as they are no longer needed for their intended purpose and as long as there are no statutory retention obligations in place to contradict erasure.
If the data are not erased because they are needed for other, legally permissible purposes, their processing shall be restricted. That is to say, the data will be blocked off and not processed for other purposes. This applies, for example, to data that must be retained for reasons pertaining to commercial or taxation legislation.
We ask that you regularly check the content of our Data Protection Declaration. We will adapt the Data Protection Declaration as soon as changes in our data processing render such necessary. We will inform you wherever the changes require cooperation on your part (e.g. consent) or separate individual notification.
We also process:
- Contract data (e.g. subject of contract, term, customer category)
- Payment data (e.g. bank details, payment history)
of our customers, prospective customers and business partners in order to be able to provide contractual services, customer care, marketing, advertising and market research.
We process the data of our contractual partners and prospective customers, as well as our principals, customers, clients and contractual partners (jointly referred to as “contractual partners”), in accordance with Art. 6 (1) lit. b GDPR, in order to be able to provide them with our contractual or pre-contractual services. The data processed and the nature, scope, purpose and necessity of processing are determined by the underlying contractual relationship.
The data processed include master data on our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers), contract data (e.g. services chosen, contract content, contractual communication, names of points of contact) and payment data (e.g. bank details, payment history).
We do not process special categories of personal data, unless they form part of commissioned or contractual processing.
We process data that are required in order to form and implement the contractual services, and highlight the necessity of the information if it is not evident to the contractual partner. Disclosure to external persons or companies shall only take place if required within the scope of a contract. When processing data transferred to us in the course of an assignment, we act in accordance with the instructions of the principal, as well as the statutory provisions.
We may store the IP address and the time of user actions when our online services are used. The storage takes place on the basis of our legitimate interests, as well as users’ interest in being protected against misuse and other unauthorised use. These data shall not be passed on to third parties, unless necessary in order to pursue our claims as per Art. 6 (1) lit. f GDPR, or unless there is a legal obligation to do so as set out in Art. 6 (1) lit. c GDPR.
The data will be deleted when the data is no longer required for the fulfilment of contractual or statutory welfare obligations and for the handling of any warranty and comparable obligations, whereby the necessity of storing the data is reviewed every three years; otherwise the statutory storage obligations apply.
External payment service providers
We use external payment service providers, through whose platforms we and our users can make payment transactions: Stripe (https://stripe.com/de/privacy), Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
Within the scope of performance of contracts, we engage payment service providers on the basis of Art. 6 (1) lit. b GDPR. Otherwise, we engage external service providers on the basis of our legitimate interests as per Art. 6 (1) lit. f GDPR, in order to be able to offer our users an effective and secure method of payment.
The data processed by the payment service providers include user data, e.g. name and address, bank data, e.g. account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, total and recipient-related information. This information is necessary in order to be able to implement the transactions. However, the entered data are only processed and stored by the payment service provider. That is to say, we do not receive any account or credit card-related information – only information containing confirmations or rejections of payment. In some cases, the payment service provider may transfer the data to credit reference agencies. This transfer is for the purpose of identity and credit checks. Please refer to the payment service provider’s T&Cs and data protection policy.
The terms and conditions and data protection policies of the relevant payment service providers apply to payment transactions; these can be accessed on the relevant web pages or via transaction applications. We also refer to the same as regards further information and assertion of revocation, access and other data subject rights.
Business analyses and market research
In order to run our business efficiently and to be able to identify market trends and wishes of contractual partners and users, we analyse the data that we have on business transactions, contracts, enquiries, etc. In this context, we process user data, communication data, contract data, payment data, usage data and meta data on the basis of Art. 6 (1) lit. f GDPR, with the data subjects including contractual partners, prospective customers, customers, visitors to and users of our online service.
The analyses are used for the purposes of business assessments, marketing and market research. We may look at the profiles of registered users, which contain information such as the services that they have chosen. The analyses are designed to increase user-friendliness, optimise our offering and ensure economic efficiency. The analyses are for our use only and are not disclosed externally, unless they are anonymous analyses with summarised values.
If the analyses or profiles are personal, they are erased or anonymised upon termination of the user account, or two years after the end of the contract. Otherwise, general business analyses and trend forecasts are compiled anonymously wherever possible.
Users can create a user account. During the registration process, users are informed which information is mandatory, and such is processed on the basis of Art. 6 (1) lit. b GDPR for the purposes of providing the user account. The data processed particularly include login information (name, password and email address). The data entered during the registration process are used to facilitate use of the user account and implementation of its purpose.
Users may be kept up-to-date with information relevant to their user account, e.g. technical changes, by email. When users cancel their user accounts, data relating to the user account is erased, notwithstanding any statutory retention obligations. When cancellation takes place, users are responsible for backing up their data before the end of the contract. We are entitled to permanently erase all of the user’s data stored during the term of the contract.
We store the IP address and the time of user actions in the course of use of the registration and login functions and of user accounts. The storage takes place on the basis of our legitimate interests, as well as users’ interest in being protected against misuse and other unauthorised use. These data shall not be passed on to third parties, unless necessary in order to pursue our claims, or unless there is a legal obligation to do so as set out in Art. 6 (1) lit. c GDPR. IP addresses are anonymised or erased after no more than 7 days.
Getting in touch
When contact is made with us (e.g. via contact form, email, telephone or social media), the information provided by the user is processed in order to allow us to handle and implement the contact request, as per Art. 6 (1) lit. b (within the scope of contractual/pre-contractual relations), Art. 6 (1) lit. f (other enquiries) GDPR. The information provided by the user may be stored in a customer relationship management system (“CRM system”) or similar enquiry organisation system.
We delete enquiries as soon as they are no longer needed. We check for necessity of storage every two years; otherwise, the statutory archiving obligations apply.
The following provisions aim to inform you about the content of our newsletter as well as the subscription, dispatch and statistical assessment methods as well as your rights to objection. By subscribing to our newsletter you agree to receive the newsletter and to the methods described.
Content of the newsletter: We only send newsletters, emails and other electronic messages containing advertising information (hereinafter referred to as “newsletter”) if we have consent from the recipient or a legal permit. If the content of the newsletter is paraphrased in detail in the course of a subscription process, this shall be decisive as regards consent from the user. In addition, our newsletters contain information about us and our services.
Double opt-in and recording: We use what is known as the “double opt-in” method when you subscribe to our newsletter. This means that after signing up you will receive an email asking you to confirm your subscription. This confirmation is needed so that no one is able to sign up with another person’s email address. We record your newsletter subscription to have evidence of the subscription process in accordance with legal requirements. This includes storing the time of subscription and confirmation as well as your IP address. We also record the changes made to your data stored with the dispatcher.
Login details: You only need to provide your email address for subscribing to the newsletter. We optionally ask for a name so that we can address you in person in the newsletter.
The dispatch of the newsletter and the associated success measurement are based on the recipient’s consent in accordance with Art. 6 (1) lit. a and Art. 7 GDPR in conjunction with Section 7 (2) no. 3 of the German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb – UWG), or, if consent is not required, on the basis of our legitimate interests in direct marketing as per Art. 6 (1) lit. f GDPR in conjunction with Section 7 (3) UWG.
The subscription process is recorded on the basis of our legitimate interests as per Art. 6 (1) lit. f GDPR. Our interests are based on use of a user-friendly and secure newsletter system that both serves our business interests and meets users’ expectations, and also allows us to provide evidence of consent.
Cancellation/revocation – You may unsubscribe from our newsletter at any time, i.e. withdraw your consent. An unsubscribe link is contained at the bottom of every newsletter. We may store cancelled email addresses for up to three years before erasing them on the basis of our legitimate interests, in order to allow us to provide evidence of previously provided consent. The processing of this data shall be restricted to the purpose of possible defence against claims. An individual erasure request may be submitted at any time, as long as you confirm that you previously provided consent.
Hosting and email dispatch
The hosting services that we use serve to facilitate provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services, which we use for the purpose of operating this online service.
To this end, we and/or our hosting provider process user data, contact data, content data, contract data, usage data and meta and communication data from customers, prospective customers and visitors to this online service on the basis of our legitimate interests in efficient and secure provision of this online service in accordance with Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of data processing contract).
Collection of access data and log files
We and/or our hosting provider collect data via every access to the server on which this service is located (known as server log files), on the basis of our legitimate interests as per Art. 6 (1) lit. f GDPR. Access data include the name of the web page accessed, the file, the date and time of access, the quantity of data transferred, notification of successful access, the browser type and version, the user’s operating system, the referrer URL (previously visited page), the IP address and the accessing provider.
For security reasons (e.g. for resolving misuse or fraudulent actions), log file information is stored for a maximum period of 7 days, after which it is deleted. Data which needs to be stored for longer periods as evidence is not deleted until the respective incident has been fully and finally resolved.
Google Tag Manager
Google Tag Manager is a solution that allows us to manage what are known as “website tags” via an interface (allowing us to, for example, integrate Google Analytics and other Google marketing services into our online service). The Tag Manager itself (which implements the tags) does not process personal data of users. Reference is made to the following information on Google services in terms of processing of users’ personal data. Use policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google is certified under the Privacy Shield Agreement and therefore provides a guarantee of compliance with European Data Protection Law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse the use of our online service by users, to compile reports on the activities within this online service and to provide us with other services associated with the use of this website and the use of the Internet. In doing so, pseudonymous user profiles may be created from the processed data.
We only use Google Analytics with activated IP anonymisation.
This means users’ IP addresses will be truncated beforehand within a member state of the European Union or in other contracting states to the Agreement on the European Economic Area. The full IP address is only transferred to a Google server located in the USA and abbreviated there in exceptional circumstances.
The IP address transferred by the user’s browser is not compiled with other Google data. Users can prevent the storage of cookies by selecting the appropriate settings in their browser software; users can also prevent Google from collecting data generated by the cookie and relating to their use of the online service and from processing this data by downloading and installing the browser plug-in available using the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Users’ personal data shall be deleted or anonymised after 14 months.
Google AdWords and conversion measurement
We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) on the basis of our legitimate interests (i.e. interest in analysing, optimising and efficiently running our online service within the meaning of Art. 6 (1) lit. f GDPR).
Google is certified under the Privacy Shield Agreement and therefore provides a guarantee of compliance with European Data Protection Law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the online marketing process Google “AdWords” in order to place ads in the Google Advertising Network (e.g. in search results, in videos, on web pages, etc.) so that they are shown to users that are likely to be interested in the ads. This allows us to target ads for and on our site to only present users with ads that potentially match their interests. For example, if a user sees ads for products he has been interested in on other websites, this is referred to as “remarketing”. For these purposes, when our and other websites are accessed (on which the Google Advertising Network is active), Google directly runs a code from Google and so-called “(re)marketing tags” (invisible graphics or code, also known as “web beacons”) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). In this file it is noted which websites the user visits, which content he is interested in and which offers he has clicked on; furthermore, it notes technical information about the browser and operating system, referring websites, visiting time as well as further information about the use of the online service.
We also receive an individual “conversion cookie”. Google uses the information gathered using the cookie to compile conversion statistics for us. However, we are only informed of the total number of users that have clicked on our advert and were redirected to a page with a conversion tracking tag. We receive no information that could be used to personally identify a user.
Users’ data is processed pseudonymously within the framework of the Google Advertising Network. This means that Google does not store and process, for example, the name or email address of the user; it processes the relevant cookie data within pseudonymous user profiles. From Google’s point of view, this means that the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a Google user has explicitly allowed data to be processed without this pseudonymisation. The information collected about the user is transmitted to Google and stored on Google servers in the USA.
Integration of third-party services and content
On the basis of our legitimate interests (i.e. interest in analysing, optimising and efficiently running our online service within the meaning of Art. 6 (1) lit. f GDPR), we use content and services of third-party providers in order to integrate their content and services, e.g. videos or fonts (hereinafter jointly referred to as “content”), into our online service.
This always requires the third-party providers to know users’ IP addresses, as without an IP address they cannot send content to their browsers. An IP address is therefore essential for display of this content. We strive to only use content whose provider only uses the IP address to deliver content. Third-party providers may also use what are known as “pixel tags” (invisible graphics, also called “web beacons”) for statistical and marketing purposes. The pixel tags make it possible to evaluate information such as user traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user’s device, which, among other things, contain technical information about the browser and operating system, referring web pages, time of visit and other information on use of our online service, as well as being combined with such information from other sources.