The person responsible in terms of data protection law is marktguru Deutschland GmbH, Sendlinger Straße 23, 80331 Munich, office@marktguru.de, hereinafter “marktguru” or “we” or “us”.

Exceptions are explained in this privacy policy.

Our contact details and that of our data protection officer can be found in section 11 ”contact”.

general

Personal data is any information relating to an identified or identifiable natural person. When we process personal data, this means that we collect, store, use, transfer or delete it to others, for example.

The categories of personal data we process about you depend on how you use our online offering. We have listed the possible categories for you below.

‍

Categories of personal data

contact details: When you contact us (e.g. via a form or by e-mail), we process the data you provide (this is usually first and last name, email address and/or telephone number, content of your request) and the subsequent communication.

Competition data: If you participate in one of our competitions, we process data such as name, address, email address, consent to the competition conditions, participation information.

Socio-demographic data: When you participate in a voluntary survey or market survey, we process the information you provide, such as age group, gender, level of education, household size, household income, citizenship, employment status, primary household earner.

Log data for surveys by third parties: If you participate in a market survey arranged by us by a third party, we will receive information from the third party as to whether the survey has been completed (but we will not receive any information about the information you provided in the market surveys).

Online usage data: Every communication via the Internet generates online usage data. This includes data such as IP address, search request, retrieval time stamp, browser information, device information, cookie ID, device ID, referrer URL, geo-location/location data, user ID, click path.

Log files: Each time you use an online service, your device automatically transmits so-called online usage data. These are temporarily stored in so-called log files to ensure technical safety and functionality.

Adblocker data: Information about whether an ad blocker is available.

‍

Data processed in connection with cookies:

In connection with cookies and similar technologies (“cookies”), we process the following data:

• Online usage data and email address
• Consent to the use of cookies (and related data processing operations)

Transfer of data to third parties

In principle, we will only provide your personal data to third parties if this is necessary to fulfill the contract, we or the third party has a legitimate interest in sharing it, has your consent to do so, or if this is necessary to fulfill a legal obligation.

Details of the third parties are set out in Section 4 below “What do we process your personal data for, on which legal basis, what are our legitimate interests, who receives your personal data? ”

In particular, we may disclose personal data to a third party

• if we should be obliged to do so in individual cases due to legal requirements or by an enforceable administrative or court order;
• in connection with legal disputes (against courts or our lawyers) or tax audits (against auditors);
• in connection with possible criminal offences against the competent investigative authorities;
• in the event of a sale of the business (to the acquirer and his legal and tax advisors).

In the case of transmission based on consent, the explanation can also be provided when consent is obtained.

Transfer of data to service providers

We reserve the right to use service providers when collecting or processing data. Service providers only receive the personal data from us that they need for their specific activity. For example, your email address may be passed on to a service provider so that they can deliver a newsletter you have ordered. Service providers can also be commissioned to provide server capacities. Service providers are usually involved as so-called contract processors who may only process the personal data of users of this online service in accordance with our instructions.

Details of the service providers we use are set out in Section 4 below ”What do we process your personal data for, on which legal basis, what are our legitimate interests, who receives your personal data? ”

We process your data for the following purposes and — insofar as required by applicable law — on the basis of the stated legal bases. Explanations of the data categories can be found in Section 2 Which categories of personal data do we process. In the event that data processing is based on the legal basis of legitimate interest, we will also explain to you our legitimate interest, which we pursue with the processing. In addition, we show which recipients or categories of recipients we share your personal data with.

4.1 General purposes of processing:

1. Enabling the use of the online offer (information about Bonsy app)

• Categories of personal data: log files, online usage data
• Legal basis of processing: legitimate interest (Art. 6 para. 1 lit. f GDPR): We have a legitimate interest in technically improving our online offering and making it available to interested users in order to draw attention to our business activities.
• Recipients or categories of recipients:
  • Contract processor:
    
    • IT service provider (technical support), EU/EEA area, USA
    • IT service provider (hosting), EU/EEA area, USA
    • IT service provider (product support), Armenia

2. Provision of a contact option and answering inquiries sent via this option: by e-mail (including to hello@bonsy.com), via social media channels (Instagram, Facebook)

• Categories of personal data: contact data, log files
• Legal basis of processing: legitimate interest (Art. 6 para. 1 lit. f DSGVO): We have a legitimate interest in answering customer and contact inquiries.
• Recipients or categories of recipients:
  
  • Third party:
    
    • If the request comes via our social media channels (Instagram, Facebook): Meta Business Suite — Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour 2 Dublin, Ireland
  • Contract processor:
    
    • IT service provider (technical support), EU/EEA area, USA
    • IT service provider (hosting), EU/EEA area, USA
    • customer support (email, telephone, EU/EEA area)
    • customer support (ticket system), Israel, EU/EEA area, USA
      

‍3. Consent and opt-out management

• Categories of personal data: Direct marketing consent, consent to the use of cookies‍
• Legal basis of processing: Fulfilment of a legal obligation (Art. 6 para. 1 lit. c GDPR)‍
• Recipients or categories of recipients:
  • Contract processor: ‍
    • IT service provider (CMP provider), EU/EEA area
    • IT service provider (hosting), EU/EEA area, USA
    • IT service provider (technical support), EU/EEA area
    • customer support (email, telephone, EU/EEA area)

4. Identification and, if necessary, blocking of users who have installed a so-called ad blocker and are thus blocking advertising

• Categories of personal data: log files, ad blocker data
• Legal basis of processing: legitimate interest (Art. 6 para. 1 lit. f DSGVO) in making our fully or partially ad-financed offers available only to users who do not block advertising‍
• Recipients or categories of recipients:
  • Contract processor: ‍
    • IT service provider (technical support), EU/EEA area

5. Identifying faults and ensuring system security, including detecting and tracking illegal accesses and attempts to access our web servers

• Categories of personal data: log files, online usage data
• Legal basis of processing: Fulfilment of our legal obligations (Art. 6 para. 1 lit. c DSGVO) to comply with data security; legitimate interest (Art. 6 para. 1 lit. f DSGVO) in resolving faults, ensuring system security and detecting and tracking unauthorised access attempts or accesses‍
• Recipients or categories of recipients:
  
  • Contract processor:
    
    • IT service provider (technical support), EU/EEA area, USA
    • IT service provider (hosting), EU/EEA area, USA
    • IT service provider (product support), Armenia

6. Safeguarding and defending our rights

• Categories of personal data: Details of litigation in which you are involved, information required to process the litigation
• Legal basis of processing: legitimate interest (Art. 6 para. 1 lit. f GDPR): We have a legitimate economic interest in asserting and defending our rights.
• Recipients or categories of recipients:
  • Third party: ‍
    
    • Our legal advisors (EU/EEA area, UK), courts, authorities
  • Contract processor: ‍
    • IT service provider (technical support), EU/EEA area, USA

7. Sale of all or part of the business

• Categories of personal data: all information relevant to the sale, e.g. registration data, declarations of consent, direct marketing
• Legal basis of processing: legitimate interest (Art. 6 para. 1 lit. f GDPR) in transferring customer data to the acquirer in connection with the sale of our business operations; as a rule, this requires that customers have agreed to a transfer of contract or have not objected to a transfer after sufficient information
• Recipients or categories of recipients:
  • Third party: ‍
    
    • Our legal advisors (EU/EEA area, UK), (potential) acquirers of (part of) business
  • Contract processor: ‍
    • IT service provider (technical support), EU/EEA area
    • IT service provider (hosting), EU/EEA area, USA

8. Conducting surveys, including collecting feedback.
We can also invite users to participate in the survey by electronic mail (e.g. email, SMS, MMS, messenger message) if we have received separate consent to do so.

• Categories of personal data: Depending on the survey/feedback:
  ‍Personal data (e.g. name, email address, if provided by you), responses to surveys and feedback, online usage data (e.g. IP address, device information, browser type, access times), log files; app configuration data, socio-demographic data
• Legal basis of processing: The data is processed on the basis of:
  • For contact by electronic mail: Art. 13 para. 1 ePrivacy Directive in conjunction with Section 7 Paragraph 2 No. 2 UWG (Art. 95 DSGVO) (consent)
  • To process the surveys:
    
    • legitimate interest (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in carrying out and evaluating surveys to improve our offerings (e.g. to optimize our apps based on user interactions and develop new services), or
    • Consent (Art. 6 para. 1 lit. a GDPR)
  Please note your right to object when processing data for direct marketing purposes or for personal reasons (see and “Your right to object to direct marketing”in section 9).“Your right to object for personal reasons”
  ‍
• Recipients or categories of recipients:
  • Contract processor: ‍
    • IT service provider (technical support), EU/EEA area, USA
    • IT service provider (hosting), EU/EEA area, USA
    • IT service provider (survey tool), EU/EEA area, USA
    • IT service provider (email delivery) EU/EEA area, USA
    • customer support (email, phone), EU/EEA area, USA
    • customer support (ticket system), Israel, EU/EEA area, USA

9. Competition processing in social media: Carrying out competitions on social media (Instagram) in accordance with the respective competition conditions

• Categories of personal data: Sweepstakes data
• Legal basis of processing: Contract performance (Art. 6 para. 1 lit. b GDPR)
• Recipients or categories of recipients:
  • Third party: ‍
    
    • Social media platform on which competitions are held (Instagram): Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour 2 Dublin, Ireland
    • Draw tool: Comment Picker, Nieuwveen, the Netherlands (for more information see. Privacy Policy by Comment Picker)
    • Where applicable, respective co-organizer
    • postal service provider, EU/EEA area
  • Contract processor: ‍
    
    • IT service provider (technical support), EU/EEA area, USA
    • IT service provider (server hosting), EU/EEA area, USA
    • customer support (email, phone), EU/EEA area, USA
    • customer support (ticket system), Israel, EU/EEA area, USA
    • IT service provider (filing tool, EU/EEA area, USA)

Please note your right to object when processing data for direct marketing purposes or for personal reasons (see section 9 ”Your right to object to direct marketing” and ”Your right to object for personal reasons”).

4.2 Purposes of processing in connection with cookies

We also share personal data with third parties or contract processors based in countries outside the European Economic Area (EEA).
Before such a transfer, we ensure that the recipient has an appropriate level of data protection — for example by:

• eine Appropriateness decision by the EU Commission (Art. 45 GDPR),
• the conclusion of EU standard contractual clauses (Art. 46 GDPR, module 1 or 2), with the implementation of so-called Transfer impact assessments (TIA) and, if applicable, Implementation of additional technical or organizational protective measures.

As far as possible, we specifically select providers who operate data centers in the EU or in the EEA to process and store personal data.

These are third parties or contract processors in the following countries: USA; Israel; Armenia.

For the USA, the European Commission has come to the conclusion that there is an appropriate level of data protection there, provided that the data recipient participates in the Data Privacy Framework (DPF) and has current certification for this purpose. Insofar as the recipients of your personal data are based in the USA and participate in the DPF, we therefore rely on this adequacy decision (Art. 45 GDPR).

To which countries outside the European Economic Area (if you are in the EEA) do we share data?

We disclose personal data to third parties or contract processors in the following countries where there is an adequate level of data protection under applicable law: USA (if the recipient is certified under the EU-U.S. Data Privacy Framework).

We also disclose personal data to third parties or contract processors in the following countries where there is no adequate level of data protection under applicable law. The transfer or notification is based on the respective security measure or exemption provision: USA (based on standard contractual clauses, unless the processor is certified in accordance with the U.S. Data Privacy Framework), Israel (Data Processing Addendum), based on standard contractual clauses), Armenia (standard contractual clauses).

We can provide you with an overview of recipients in third countries and a copy of the specifically agreed regulations to ensure an appropriate level of data protection. Please use the information in section 11 ”contact”.

We store your data for as long as is necessary to provide our online offering and related services or as long as we have a legitimate interest in continuing to store it (for example due to an ongoing legal dispute). In all other cases, we delete your personal data with the exception of data that we must continue to store in order to comply with legal (e.g. tax or commercial) retention periods.

We will block data that is subject to a storage period until the period expires.

Specifically, the following retention periods apply to personal data processed as part of this online offering:

• contact details: Until the communication is completed and then for a further three years, starting at the end of the calendar year.
• Data processed in connection with cookies: Details of the storage periods of personal data can be found in our CMP linked above. Under “Provider”, you will find information on how long the personal data collected will be stored.
• Log files: Up to 10 days, as long as there is no security incident that requires longer storage.
• Data processed in connection with surveys/feedback: Until the survey is completed and then for a further six months, starting at the end of the calendar year.‍
• Competition processing on social media: Three years, starting with the end of the calendar year in which the competition ended, with the exception of such data that we must continue to keep in order to comply with legal retention periods.

In principle, you are not required to provide us with your personal data. However, the use of certain services on this online offer may require the provision of personal data, such as registration or participation in a competition. If this is the case, we will let you know. Mandatory fields are regularly marked with an *. If you do not wish to provide us with the necessary data, you will unfortunately not be able to use the corresponding services.

This online offer uses cookies.

Cookies are small text files that are sent when you visit a website and are stored in the user's device's browser. If the corresponding website is accessed again, the browser sends back the content of the cookies and thus enables the user's terminal device to be recognized. Certain cookies are automatically deleted at the end of the browser session (so-called session cookies), others are stored in the browser of the user terminal device for a specified period of time or permanently and then delete themselves (so-called temporary or permanent cookies).

Cookies generally do not store any data that makes you identifiable as a person (i.e. no names, email addresses or IP addresses). Instead, cookies typically contain a code (so-called identifier) as well as information on the storage period and, if applicable, certain technical features (e.g. security features).

How can you assert your rights?

Please use the information in section 11 to assert your rights ”contact”. Please ensure that we are able to uniquely identify you.

Your rights to information and correction

You can request that we confirm to you whether we are processing personal data relating to you and you have a right of access to your data processed by us. If your data is incorrect or incomplete, you can request that your data be corrected or completed. If we have passed on your data to third parties, we will inform them of the correction, insofar as this is required by law.

Your right to delete

If the legal requirements are met, you can request us to delete your personal data immediately. This is particularly the case when

• your personal data is no longer required for the purposes for which it was collected;
• the legal basis for processing was exclusively your consent and you withdrew it;
• you have objected to processing for advertising purposes (“advertising objection”);
• you have objected to processing based on the legal basis Legitimate interest for personal reasons and we cannot prove that there are overriding legitimate reasons for processing;
• your personal data has been processed unlawfully; or
• Your personal data must be deleted to comply with legal requirements.

If we have passed on your data to third parties, we will inform them of the deletion, insofar as this is required by law.

Please note that your right to delete is subject to restrictions. For example, we do not have to or may not delete any data that we still have to keep due to legal retention periods. Data that we need to assert, exercise or defend legal claims is also excluded from your right of deletion.

Your right to restrict processing

If the legal requirements are met, you can demand that we restrict processing. This is particularly the case when

• the accuracy of your personal data is disputed by you, and then until we have had the opportunity to verify the accuracy;
• the processing is not lawful and you request a restriction of use instead of deletion (see previous section);
• we no longer need your data for processing purposes, but you need them to assert, exercise or defend your legal claims;
• You have filed an objection for personal reasons, and then until it is clear whether your interests prevail.

If there is a right to restrict processing, we mark the data concerned to ensure in this way that it is only processed within the narrow limits that apply to such restricted data (namely in particular to defend legal claims or with your consent).

Your right to data portability

You have the right to receive personal data that you have given us to fulfill the contract or on the basis of consent in a structured, common and machine-readable format. In this case, you can also request that we transfer this data directly to a third party, insofar as this is technically feasible.

Your right to withdraw consent

If you give us a Consent to processing You can withdraw your data at any time with effect for the future. The lawfulness of processing your data until you withdraw your consent remains unaffected.

10.1 Privacy policy for the Bonsy app‍

The privacy policy for the “Bonsy” app can be found here: https://www.bonsy.com/datenschutz-app.

‍
10.2 Privacy notice for social media channels

The privacy policy for Bonsy's social media channels can be found here: https://www.bonsy.com/social-media-privacy-policy.

‍

For information and suggestions on the subject of data protection, we or our data protection officer are available to you at the email datenschutz@bonsy.com gladly available.

You can also contact our data protection officer at the following postal address:

Maximilian Hartung
EDPS — Data Protection Officer
SECUWING GmbH & Co. KG | Datenschutzagentur.de
Frauentorstrasse 9
86152 Augsburg Germany
epost@datenschutz-agentur.de
T +49 (0) 821 90786450

If you would like to get in touch with us by other means, you can also reach us as follows:

marktguru Germany GmbH
Sendlinger Strasse 23
D — 80331 Munich