In the following we explain how we receive, use, store, share, transfer, and otherwise process your personal data. It also describes your choices regarding use, as well as your rights as a data subject.
- Data Controller;
- Visit to our Website;
- Using the autoRetouch Image Processing App;
- General Information on Data Protection.
- DATA CONTROLLER
- VISIT TO OUR WEBSITE
- 2.1 Logfiles
Each time you access our website, our system automatically collects data and information from the computer system of the accessing computer. In order for the pages to be displayed in your browser, the IP address of the terminal device you are using must be processed. In addition, we collect further information about the browser of your terminal device.
We are obliged under data protection law to also guarantee the confidentiality and integrity of the personal data processed with our IT systems. The data is also used to correct errors on the website.
For these purposes the following data will be logged:
- IP address of the calling computer
- Operating system of the calling computer
- Browser version of the calling computer
- Name of the retrieved file
- Date and time of retrieval
- Transferred amount of data
- Referring URL
This data is temporarily stored in log files, which are deleted automatically within a few days. Storage beyond this period is possible, but in this case the IP addresses are partially deleted or obfuscated, so that they can no longer be assigned to the calling client. The log files are not stored together with other personal data concerning you in this context.
Our website is hosted by an external service provider within the European Union (while our App is hosted outside of the EU/EEA, please see below for further information).
The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is the operation of this website and the implementation of the protection objectives of confidentiality, integrity and availability of the data.
Since the collection of data for the display of the websites and the storage of the data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no possibility of objection in this respect.
- 2.2 Online-Marketing, Contact Forms, Live chat (HubSpot)
We use HubSpot for our online marketing activities. HubSpot is a software company from the USA with a branch office in Ireland (HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland). HubSpot is an integrated software solution that we use to cover different aspects of our online marketing. This includes, among others (i) email marketing (newsletter, together with automated mailings, e.g., for provision of downloads), for further detail please see below under Section 3; (ii) landing pages and contact forms; (iii) live chat; (iv) social media publishing & reporting, reporting (e.g., traffic sources, accesses, etc.); and (v) contact management (e.g., user segmentation & CRM).
Your personal information collected in this context is processed on the servers of HubSpot. We use all information collected for the purpose of optimizing our marketing measures.
The live chat system from HubSpot is used to improve the user experience on our website (for sending and receipt of notifications). If you use the live chat system, the following data are transferred to the HubSpot servers: (i) content of all chat messages sent and received; (ii) context information (e.g., page on which the chat was used); and (iii) email address of the user (if it is provided by the user via the live chat).
The legal basis for the use of HubSpot’s services is Art. 6 para. 1 lit. f) GDPR, our legitimate interest in optimizing our marketing measures and improving our service quality and the user experience on our website.
Personal data is transferred to a third country outside of the EU/EEA. HubSpot is certified under the EU – U.S. Privacy Shield Framework. Accordingly, there are appropriate safeguards for data transfer in accordance with Art. 46 GDPR. A copy of the Privacy Shield certification will be made available to you on request at any time. To do so, please contact us using the contact details provided above.
- 2.3 Customer Database (CRM System)
All requests are stored in our customer relationship management (CRM) system. This data can be used by us for direct marketing measures. You can object to such use for direct advertising at any time. Details about your right of objection can be found below under “Right of objection”.
The CRM system is regularly checked to see whether data can be deleted. If data in the context of a customer or prospective customer relationship is no longer necessary or an opposing interest of the customer outweighs, we will delete the relevant data, unless there are any legal storage obligations.
The legal basis for this storage and processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is the maintenance of communication with our customers, interested parties and suppliers, the maintenance of our customer relationships and the implementation of direct marketing measures. If the purpose of establishing contact is to conclude a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b) GDPR.
- 2.4 Cookies
Cookies are pieces of information that are transmitted from our web server or third-party web servers to your browser where they are stored for later retrieval. Cookies can be small files or other types of information storage. Cookies are used to store information that arises in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is opened again. A cookie also contains information about its origin and the storage period. This does not mean that we will immediately become aware of your identity.
We store on your device those cookies that are strictly necessary for the operation of this site. For all other types of cookies, we obtain your prior explicit consent before doing so.
You can at any time change or withdraw your consent via the Cookie Consent Settings below.
We use the following cookies:
- Necessary cookies
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. These cookies are required to enable you to navigate through the web pages and use key functions. They support basic functions, such as order processing in the online shop and access to secured areas of the web page. They also serve the purpose of performing an anonymous analysis of user patterns, which we use to continuously develop and improve our web pages for you. We automatically store necessary cookies on your device if they are strictly necessary for the operation of this website. The legal basis for such necessary cookies is Art. 6 para. 1 lit. b) GDPR.
- Preference Cookies
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. The legal basis for such preference cookies is your consent (Art. 6 para. 1 lit. a) GDPR).
- Statistic Cookies:
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously. The legal basis for such statistic cookies is your consent (Art. 6 para. 1 lit. a) GDPR).
- Marketing Cookies:
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers. The legal basis for such marketing cookies is your consent (Art. 6 para. 1 lit. a) GDPR).
You may edit your cookie settings here: Cookie Settings
You also have the option of preventing the setting of cookies by making the appropriate settings via your browser. However, we would like to point out that the use of our websites may then only be possible to a limited extent.
- 2.5 Google Analytics
We use web analytics services on our website or parts of our website to understand how our website is used by its visitors and to improve the overall look and feel of the website.
We use Google Analytics web analytics. Google Analytics is a web analytics service provided by Google Ireland Limited (“Google”). Google Analytics sets cookies. In addition, data is transmitted to the USA. As part of IP anonymization, the IP address collected by Google from users of our website within the European Economic Area is shortened before it is transmitted to the USA. Only in exceptional cases is the unabridged IP address transmitted to Google in the USA and abbreviated there. The IP addresses transmitted are not combined with other data from Google.
When Google Analytics is used, personal data is transferred to a third country outside the EU. Google has a Privacy Shield certification, available here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. Accordingly, there are suitable guarantees for data transmission in accordance with Art. 46 GDPR.
The legal basis for this data processing when using web analytics is your consent (Art. 6 para. 1 lit. a) GDPR).
- 2.6 Retargeting/Remarketing Services
Retargeting/remarketing services allow us to target advertisements on our site and to show you only ads that potentially match your interests. A cookie is used in your browser to indicate which websites with such marketing services active you have visited and what content you have been interested in. In addition, further information such as IP address, browser, operating system, time stamp and referring website is collected. If you subsequently visit other websites on which such marketing services are active, advertisements tailored to your interests may be displayed.
The legal basis for this data processing when using retargeting/remarketing services is your consent (Art. 6 para. 1 lit. a) GDPR).
When using the service provider LinkedIn Ads, personal data is transferred to a third country outside the EU. There is an agreement on order processing in accordance with Art. 28 GDPR. The service provider has a Privacy Shield certification. Accordingly, there are suitable guarantees for data transfer in accordance with Art. 46 GDPR. We will be happy to provide you with proof of the Privacy Shield certification of the service provider at any time on request. Please contact us using the contact details provided for the Controller.
You can generally, not only for our website, turn off LinkedIn’s analysis of your usage behavior and the display of interest-based recommendations here: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Facebook Custom Audience
We also use the retargeting service Facebook Custom Audiences of Facebook, Inc. in the USA. Facebook Custom Audiences uses a so-called tracking pixel. This pixel is retrieved from a Facebook URL with certain parameters when you visit our website and transmits information to Facebook, which Facebook uses for targeted advertising. However, this does not address individual persons, but only groups of users who exhibit similar behavior. Facebook uses a so-called hashing process, in which personal data is encrypted in such a way that Facebook can no longer assign it to individual users.
When using the service provider Facebook, personal data is transferred to a third country outside the EU. The service provider is certified under the EU – U.S. Privacy Shield. Accordingly, there are suitable guarantees for data transfer in accordance with Art. 46 GDPR. We will be happy to provide you with proof of the Privacy Shield certification of the service provider at any time on request. Please contact us using the contact details provided for the Controller.
Google Marketing Services
Further information on the use of data by Google, setting and opposition possibilities can be found here:
- Google’s use of data when you use the websites or apps of our partners: https://www.google.com/intl/de/policies/privacy/partners
- Use of data for advertising purposes: http://www.google.com/policies/technologies/ads
- Manage information Google uses to display advertisements to you: http://www.google.de/settings/ads
When Google Marketing Services are used, personal data is transferred to a third country outside the EU. There is an agreement on order processing in accordance with Art. 28 GDPR. Google has a Privacy Shield certification, available here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. Accordingly, there are appropriate safeguards for the data transfer in accordance with Art. 46 GDPR.
You can generally, not only for our website, opt out of receiving interest-based advertising through Google marketing services by using the setting and opt-out options provided by Google: http://www.google.com/ads/preferences
- 2.7 Social Media Buttons
On our website social media buttons of the social media networks Facebook, Twitter, YouTube, Pinterest, Instagram and LinkedIn are integrated.
If you click on one of these social media buttons, you will be redirected to our pages at the respective social media network. In this case, the provider of the respective social media network receives the information that your browser has called the corresponding page on our website, even if you do not have a profile on the respective social media network or are not logged in there. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider. If you click on a social media button and are either logged in to the respective social media network or then log in to the page of the respective social media network, the transmitted information can be assigned to your account at the social media network.
For information on the purpose and scope of data collection and processing by the providers of the respective social media network, the provider identification, a contact option and your rights and settings regarding data protection, please refer to the respective data protection information of the providers of the social media networks.
The legal basis for the integration and use of the social media buttons is Art. 6 Para. 1 lit. f) GDPR. Our overriding legitimate interest is the marketing of our offers and our website.
- 2.8 Social Media Pages
We maintain a publicly accessible profile on the social media networks Facebook, Twitter, YouTube, Pinterest, Instagram and LinkedIn (“Social Media Pages”).
If you visit one of our social media pages and are logged in to the respective social media network, the provider of the respective social media network can analyze your usage behavior and assign the information collected to your account at the social media network and enrich it there. Even if you are not logged in or if you do not have an account at the respective social media network, personal data may be collected by the provider of the respective social media network, for example your IP address or data collected via a cookie.
The operators of the social media networks can use this data to create user profiles. Your user profile can then be used to display interest-based ads both on social media network websites and on other websites.
If you visit one of our social media pages, we are jointly responsible with the social media network provider for the collection and processing of your personal data there. With regard to information about the collection and processing of your personal data that takes place there, we refer you to the data protection information of the respective social media network. We do not have any further information in this respect.
We will be happy to provide you with information on appropriate safeguards for data transfer to third countries in accordance with Art. 46 GDPR at any time on request.
You can assert your rights of data subjects in accordance with Chapter III of GDPR (right to information, correction, deletion, restriction of processing, data transferability, etc.) both against us and against the provider of the respective social media network. In this context, we would like to point out that we can only influence the processing of personal data and the implementation of the rights affected within the framework of our social media pages within the scope of the possibilities made available to us by the respective provider.
The legal basis for our use of social media pages is Art. 6 Para. 1 lit. f) GDPR. Our overriding legitimate interest is the presence and marketing of our products and services on the Internet.
- 2.9 Videos
Our website uses features provided by the YouTube video portal. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
If you visit one of our pages featuring a YouTube plugin, a connection to the YouTube servers is established. The YouTube server is informed about which of our pages you have visited. In addition, YouTube will receive your IP address. This also applies if you are not logged in to YouTube when you visit our plugin or do not have a YouTube account. The information is transmitted to a YouTube server in the United States, where it is stored.
Google’s certification under the EU – U.S. Privacy Shield also covers the YouTube services and is accessible here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. Accordingly, there are appropriate safeguards for the data transfer in accordance with Art. 46 GDPR.
The legal basis for this data processing in the context of our use of YouTube is your consent (Art. 6 Para. 1 lit. a) GDPR).
- 2.10 Fonts
We use font libraries on this website in order to present the contents of our website in a correct and graphically appealing manner across all browsers. Calling up font libraries automatically triggers a connection to the library operator. The operator receives the information that the font required for our website has been called up from your IP address.
You can prevent the use of such libraries and the associated data transmission by installing a JavaScript blocker (e.g. www.noscript.net).
We use Google Web Fonts of Google Ireland Limited (https://www.google.com/webfonts/). When using Google Web Fonts, data is transferred to the USA. Further information on data processing by Google can be found in Google’s data protection information: https://www.google.com/policies/privacy.
Google has a Privacy Shield certification, available here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active. Accordingly, there are appropriate guarantees for data transmission in accordance with Art. 46 GDPR.
The legal basis for this data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is the optimization and economic operation of our website and our customer interactions taking place via it.
- 2.11 Third-Party Links
- 2.12 Email Newsletter
On our website, you can register to receive a newsletter by email. During registration, the data from the input mask, the IP address of the respective computer and the date and time of registration are transmitted to us. Your consent will be obtained for the processing of the data during registration and reference will be made to this data protection information.
In order to check that the actual owner of an email address has registered to receive a newsletter, we use the so-called “double opt-in” procedure. After registering an email address, a confirmation email is sent to the registered email address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation email is activated. The IP address of the computer and the date and time of activation of the confirmation link are also transmitted to us.
Registration for the newsletter can be terminated at any time by using the unsubscribe link contained in each newsletter or by contacting us at the contact details provided for the Controller.
The legal basis for the processing of the data after registration for the newsletter is your consent according to Art. 6 para. 1 lit. a) GDPR.
Email Newsletter as Part of an Existing Customer Relationship
If you register as a user of our Platform and enter your email address, we may subsequently use this to send you an email newsletter, provided that you have not objected to such use. In such a case, only direct advertising for our own similar goods or services will be sent via the email newsletter. You can object to the use of your email address at any time without incurring any costs other than the transmission costs according to the basic rates by using the unsubscribe link contained in each newsletter or by contacting us at the contact details provided for the Controller.
The legal basis for the dispatch of the newsletter as a result of the sale of goods or services is Art. 6 Para. 1 lit. f) GDPR in conjunction with the respective laws on electronic communication (e.g. § 7 para. 3 UWG in Germany).
Email Newsletter Analysis
With our newsletters, a statistical evaluation of usage data can be carried out. For this purpose, we may record both the openings of the email and the internal clicks. This information serves the purpose of measuring and optimizing the success of our newsletter campaigns by making the contents of the newsletter more relevant to our target group.
The legal basis for this analysis is your consent (Art. 6 para. 1 lit. a) GDPR).
Email Newsletter Service Provider
We use the online marketing service provider HubSpot for the dispatch and analysis of our email newsletters. For further information on HubSpot please refer to Section 2.2 above.
- 2.13 Job Applications
We collect and process personal data of applicants for the purpose of processing the application process. If an applicant submits his or her application documents to us electronically, they are processed electronically.
If we conclude an employment contract with an applicant, the data transmitted will be processed in order to carry out the employment relationship in compliance with the statutory provisions. If no employment contract is concluded with the applicant, the application documents will be deleted immediately after completion of the application procedure, unless a legitimate interest stands in the way of deletion, such as the defense of claims or a preservation of evidence under applicable anti-discrimination laws (e.g. the German General Equal Treatment Act (AGG)).
The legal basis for the processing of the personal data is Art. 6 para. 1 lit. b) GDPR (and, for Germany, § 26 BDSG).
- USING THE AUTORETOUCH IMAGE PROCESSING APP
- Setting up a Customer Account
If you create a customer account for the use of our Platform, we will collect and process your personal data as a Data Controller in order to enable you to use our Platform.
In this context we process the data of our customers in the context of the performance of our Platform services. This may involve the processing of data such as the name and first name of the contact person(s), address(es), contact data (e.g. e-mail address, telephone number), contract data (e.g. subject of contract, duration), payment data and data collected in the context of the performance of our services and/or required for the provision of our services.
Your personal data will be processed as long as you use your customer account. If you close/delete your customer account or if your account is deleted due to inactivity the data processed via your customer account is deleted (subject to data retention obligations, for details please refer to Section 7.7 below).
The legal basis for this storage and processing is the fulfilment of the contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b) GDPR.
- Usage Analytics
To better understand how you use our Platform and to continuously improve our Platform and our services, we may use additional analytic tools, allowing us to monitor user behavior on our Platform. Such data is used to generate aggregated, anonymized usage reports.
The legal basis for such usage analytics is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in the improvement and development of our Platform and our services.
- Heat Mapping (Hotjar)
The legal basis for this data processing when using Hotjar is your consent (Art. 6 para. 1 lit. a) GDPR).
In addition, you can also opt out of the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.
- Payments and Order Processing (Paddle)
For the collection and processing of payment data and the processing of all orders, we use the external service providers Paddle.com Market Limited, a company incorporated in England and Wales (“Paddle”). All payments and the order process are conducted by our online reseller Paddle. Paddle is the Merchant of Record for all our orders and processes your personal data as an independent controller. We do not store any of your purchasing information on our servers or within our Platform.
For more information on how Paddle handles your personal data, please consult the Paddle Buyer Privacy Notice (https://paddle.com/privacy-buyers/) and the Paddle GDPR Readiness overview (https://paddle.com/gdpr/).
3.5 Image Processing via the Platform
“Content” means the image file(s) that you upload to the Platform for use of our Services. Content containing images of individual persons may be considered Personal Data. When you process such images via our Platform, we act as a data processor on your instruction. Such data processing is governed by the autoRetouch Data Processing Addendum that is an integral part of your contractual relationship with us.
3.6 Platform Optimization
To continuously improve our Platform and our Services we may also use the Content to test, analyze, train and improve our Platform and its software algorithm. We will never publicly display, disseminate, sell or use the Content other than in connection with the Services as described above. For the purpose of Platform optimization, we process the Content as an independent Controller.
The Content may be processed by image processing agencies and other service providers worldwide to analyze and optimize our algorithm. We entered into data processing agreements (according to Art. 28 GDPR) with these agencies, including Standard Contractual Clauses.
As set out in our Terms and Conditions, you are obliged to provide any required information to data subjects identifiable via the Content processed by us both as a data processor and as a data controller (for testing and training of our software algorithm), including the information required under Art. 13 and 14 GDPR.
The legal basis for such usage for Platform optimization is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in the improvement and development of our Platform and our services.
- GENERAL INFORMATION ON DATA PROTECTION.
In the following we provide some general information on data protection at autoRetouch and your rights with regard to data protection.
4.1 Recipients of Data
Within our company, only those internal departments or organisational units receive your data that need your data to fulfil their tasks, to fulfil contracts with you, for data processing with your consent or to safeguard our legitimate interests.
Data will only be transferred to third parties in strict compliance with all legal requirements. We will only transfer your data to third parties if, for example, this is necessary for contractual purposes on the basis of Art. 6 para. 1 lit. b) GDPR or to safeguard our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in the effective conduct of our business operations.
Insofar as we use service providers or third-party providers within the context of the provision of the website and/or the provision of our services, we take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of your personal data.
If we use content or tools from service providers or third-party providers in the course of providing the website and/or our services, personal data might be transferred to a third country. Third countries are countries in which the GDPR is not a directly applicable law, i.e. countries outside the EU or the European Economic Area (EEA). Data will only be transferred to third countries if there is either an adequate level of data protection, consent or other legal permission, in particular an appropriate safeguard pursuant to Art. 46 GDPR.
4.2 Your Rights
You have the right to free information about your personal data processed and stored by us, their origin and recipient and the purpose of data processing and a right to correction, blocking or deletion of this data. You also have the right to limit the processing and to object to the processing.
You also have the right to have your data, which we process automatically, handed over to you or to a third party in a common, machine-readable format.
To assert your rights, please contact us using the contact details given above.
You also have the right to appeal to the relevant data protection supervisory authority.
4.3 Withdrawal of Consent
Some data processing operations are only possible with your express consent. You can withdraw your consent at any time. For this purpose, an informal email notification to us is sufficient. The legality of the data processing carried out until the withdrawal remains unaffected by the revocation.
4.4 RIGHT OF OBJECTION
As a matter of principle, you are only entitled to this right of objection if there are reasons arising from your particular situation (Art. 21 para. 1 GDPR). After exercising your right of objection, your personal data will not be further processed for these purposes unless we can prove compelling reasons for processing worthy of protection which outweigh your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.
If the processing is carried out for the purpose of direct advertising, you can exercise your right of objection in this regard at any time (Art. 21 para. 2 GDPR) and your personal data will then no longer be processed for the purpose of direct advertising, irrespective of the reasons for the objection.
4.5 Obligation to Provide Data
The provision of personal data is neither required by law nor by contract, nor are you obliged to provide personal data. However, the provision of personal information is required for the conclusion and performance of a contract to the extent that certain details are absolutely necessary in order to conclude and perform a contract.
4.6 Automated Decision Making
We do not perform automated decision making, including profiling.
4.7 Retention and Deletion
We adhere to the principles of data avoidance and data minimization. We therefore only store your personal data for as long as is necessary to achieve the purposes stated here or as required by the retention periods provided for by law.
If the storage purpose no longer applies or if a retention period provided for by law expires, the personal data will be blocked or deleted routinely and in accordance with the statutory provisions.
4.8 Technical and Organisational Measures of Data Security
We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of the data protection laws are complied with and to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data, which you send to us.
4.9 Age Restriction
This website is not intended or designed for use by children under the age of 16. We do not knowingly collect personally identifiable information from or about anyone under the age of 16.