Gumb Data Protection Agreement
Status September 2020
Gumb takes the protection of your personal data very seriously. This privacy declaration governs the storage, processing and disclosure of personal user data by Gumb in accordance with the EU General Data Protection Regulation (GDPR). It applies in addition to, and within the scope of, Gumb's General Business Terms and Conditions.
Controller Responsible for Data Processing
Controller in accordance with Article 4 paragraph 7 EU General Data Protection Regulation (GDPR) is Gumb AG, Buesingerstrasse 5, CH-8203 Schaffhausen, Email: email@example.com (see our Imprint).
Ways of Contacting
You can reach us at https://gumb.app/contact-us/
You have the following rights with respect to the personal data relating to you:
• Right of access
• Right to rectification or deletion
• Right to restriction of processing
• Right to object to processing
• Right of data portability
If you claim any of your rights and/or you would like more information about it, please contact us at firstname.lastname@example.org.
Objection or Withdrawal
If you have given us consent for processing your data, you can withdraw this at any time. Withdrawal of this kind affects the admissibility of processing your personal data after you have expressed this to Gumb.
If we base the processing of your personal data on a weighing of interests, in particular on Art. 6 paragraph 1 sentence 1 (f) GDPR, you can object to the processing. This is the case if, in particular, the processing is not required in order to fulfill a contract, which we describe in the following description for each function. If you express such an objection, which you can send to the contact details referred to in point 2 above, please explain the reasons why we should not process your personal data as we have done. We will review the situation and either discontinue or adapt the data processing or show you our compelling legitimate reasons for continuing our processing.
Of course, you can object to the processing of your personal data for the purposes of advertising and data analysis at any time. Please direct your objection to processing for advertising to the contact details mentioned under point 2 above.
Right to Complain to a Supervisory Authority
You also have the right to complain to a supervisory authority about the processing of your personal data by us.
Collection of Personal Data when Visiting our Website
If you use the website purely for information purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transfers to our server. If you wish to view our website, we collect the following information that is technically necessary for us in order to display our website and to ensure its stability and security. The legal basis for this is Article 6 paragraph 1 sentence 1 (f) GDPR:
IP address, date and time of the request, time zone difference to Greenwich mean time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, web site that the request comes from, browser, operating system, and its interface, language and version of the browser software.
Collection of Personal Data When Using Our Mobile App
Data processing operations of the App Store operator
When downloading the mobile app, the required information is transferred to the App Store, in particular the username, email address and customer number of your account, time of download, payment information and the individual device code. We have no influence on this data collection and are not responsible for it. We only process the data as far as is necessary for downloading the mobile app to your mobile device.
Data processing operations when using the App
If you wish to use our apps, we collect the following personal data that is technically necessary for us to offer you the features of our mobile app and to ensure stability and security (legal basis is Article 6 paragraph 1 sentence 1 (f) GDPR):
• IP address
• Date and time of the request
• Time zone difference to Greenwich mean time (GMT)
• Content of the request (concrete page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Web site that the request comes from
• Operating system and its interface
• Language and version of the browser software
Contact by Email or Contact Form
When you contact us by email or through a contact form, the information you provide (your email address, your name and telephone number if applicable) will be stored by us to answer your questions. If our contact form requests fields that are not required for us to contact you, these will always be marked as optional. This information serves to substantiate your request and to improve the handling of your request. This information is expressly disclosed on a voluntary basis and with your consent, Article 6 paragraph 1 (a) GDPR. If this information corresponds to communication channels (for example, email address, telephone number), you also agree that we may contact you via this communication channel to answer your request. Of course, you can withdraw this consent for the future at any time.
We delete the data that arises in this context after storage is no longer required, or we limit the processing if there are legal retention requirements.
Registration and Service Use
You have the opportunity to register with us and create a customer account. For the registration we collect and store the following data:
• Email address (username)
After registration, you will receive personal, password-protected access and can view and manage the data you have provided. Registration is voluntary but may be required to use our services.
If you use our service, we store your data and possibly also details of the payment method required to fulfill the contract, until you finally delete your account. Furthermore, we will store the voluntary data you provide for the time of your use of the portal, unless you delete it before. All information can be managed and changed in your account. The legal basis for this is Article 6 paragraph 1 sentence 1 (b) and (f) GDPR.
Furthermore, for technical and contractual reasons, we log anonymously how communities are managed and how often and in which way appointments are planned. This data is only collected during active use. Technical support or the “Community-Management” are recommended to the user based on this data. Additional data will not be purchased and the data will not be passed on to third parties. You can object to this kind of recommendation at any time. Please refer to the email address provided in point 4.1 for this purpose. The legal basis is Article 6 paragraph 1 sentence (f) GDPR.
Online Orders – Website and In-App purchase
When you place an order online on our website (and in-app), we collect various data required for the conclusion of the contract. The legal basis is the conclusion and execution of a contract in accordance with Article 6 paragraph 1 sentence 1 (b) GDPR. The data is stored for the duration of the contract and according to legal obligations. For payment, we use various payment service providers, which are always identified and accept your input directly and are therefore recipients of your personal data collected in connection with the payment process. The legal basis for the engagement of payment service providers is the contract execution according to Article 6 paragraph 1 sentence 1 (b) GDPR. Data for the purpose of payment is stored for the duration of the payment.
Participation in Competitions
If you participate in competitions, we will collect information necessary to conduct the competition. These are usually an individual competition entry (for example, a comment or a photo), as well as name and contact details. It may be that we pass on your data to our competition partners, e.g. to give you your prize. The data processing and data transfer may vary depending on the competition and is therefore described in detail in the respective conditions of participation. Participation in the competition and the associated data collection is of course voluntary. The legal basis for data processing is your consent according to Article 6 paragraph 1 sentence 1 (a) GDPR. Your data will be deleted after the end of the competition.
Use of Social Plugins
Our website and apps use social plugins from the providers Facebook, Twitter and Google. By default, these plugins collect data from you and transfer it to the servers of the respective provider. To protect your privacy, we have taken technical measures to ensure that your information cannot be collected by the providers of the plugin without your consent. When a page containing integrated plugins is accessed, these are initially deactivated. The plugins are only activated when you click on the respective symbol, and by doing so you give your consent that the data listed in point 5 is transferred to the respective provider.
In the case of Facebook, (for example in Germany) the IP address is anonymized immediately after collection, according to the provider. By activating the plugin, personal data will be transferred by you to the respective plugin provider and stored there (with US providers in the USA). Since the plugin provider carries out the data collection, in particular via cookies, we recommend that you delete all cookies via your browser's security settings before clicking to activate the plugin.
Data Processing Operations of the Plugin Providers
We have no influence on the collected data and data processing operations, nor are we aware of the full extent of data collection, the purpose of the processing or the retention periods. As a general rule, we also have no information about deleting the data collected by the plugin provider.
Purpose and Legal Basis of the Data Processing by the Plugin Providers
The plugin provider stores the data collected about you as usage profiles and uses them for purposes of advertising, market research and/or needs-based website design. Such an evaluation is carried out in particular (also for non-logged-in users) for the presentation of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles; you must contact the respective plug-in provider to exercise this. Through the plugins, we offer you the opportunity to interact with the social networks and other users, so that we can improve our service and make it more interesting for you as a user. The legal basis for the use of the plugins is Article 6 paragraph 1 sentence 1 (f) GDPR.
Data Transfer to the Plugin Providers
The data transfer takes place regardless of whether you have an account with the plugin provider and are logged in there. If you are logged in to the plugin provider, your data collected from us will be assigned directly to your existing account with the plugin provider. If you click the button once it has been activated and, for example, if you link to the page, the plugin provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will prevent you from being assigned to your profile with the plug-in provider.
Further Information and Addresses of the Plugin Providers
For more information on the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the privacy statements of these providers below. There you will also find further information about your rights and settings options for the protection of your privacy.
Addresses of the respective plugin providers and URLs with their privacy notices:
a) Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland; http://www.facebook.com/policy.php; further information about data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications
b) Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
c) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
d) Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l., Amazon Services Europe S.à.r.l. and Amazon Media EU S.à.r.l., all four based at 5, Rue Plaetis, L-2338 Luxembourg, as well as Amazon Instant Video Germany GmbH, Domagkstr. 28, 80807 Munich, Germany (together "Amazon Europe"); https://www.amazon.de/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201909010. Amazon complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
We offer you the opportunity to register and sign up through your Facebook account. If you sign up through Facebook, Facebook will ask for your consent to share certain information in your Facebook account with us. This may include your first name, last name, and your email address to verify your identity and gender, as well as the general location, a link to your Facebook profile, your time zone, your date of birth, and your profile picture.
This data is collected from Facebook and sent to us in compliance with the provision of the Facebook Data Policy. You can control the information we receive from Facebook through the privacy settings in your Facebook account.
These data are used to set up, provide and personalize your account. The legal basis for this is Article 6 paragraph 1 sentence 1 (b) and (f) GDPR.
When you sign up with us via Facebook, your account will automatically be linked to your Facebook account, and information about your activity on our websites may be shared on Facebook and posted on your timeline and displayed in the news feeds of your friends.
These data are used to set up, provide and personalize your account. The legal basis for this is Article 6 paragraph 1 sentence 1 (b) and (f) GDPR.
We use the following types of cookies, the scope and operation of which are explained below:
These cookies are automatically deleted when you close the browser or app. These include the session cookies in particular. These store a so-called session ID, with which various requests from your browser or app can be assigned to the shared session. This will allow your device to be recognized when you return. The session cookies are deleted when you log out or close the browser.
These cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time.
Prevention of Cookies
You can configure your browser settings according to your wishes and e.g. refuse to accept third-party cookies or all cookies. Please be aware that you may not be able to use all functions of this website in that case. You can configure the settings of your mobile operating system and the app to your liking and e.g. refuse to accept third-party cookies or all cookies. Please be aware that you may not be able to use all functions of our mobile app in that case.
Legal Basis and Duration of Storage
The legal bases for possible processing of personal data and their duration of storage vary and are presented in the following sections.
For the purposes of analyzing and optimizing our websites and apps, we use various services, which are outlined below. This allows us, for example, to analyze how many people visit our site, what information is most in demand, and how people find the service. Among other things, we collect data on which website a data subject came to another website from (known as a referrer), which subpages of the website were accessed, how often a subpage was viewed and how long the person remained on the subpage. This helps us to design and improve our services in a user-friendly way. The data collected is not intended to personally identify individual users. Anonymous or, at most, pseudonymized data is collected. The legal basis for this is Article 6 paragraph 1 sentence 1 (f) GDPR.
Google Analytics & Google Optimize
Our website and apps use Google Analytics, a web analytics service provided by Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA). Usage involves the Universal Analytics operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID, thus analyzing the activities of a user across devices.
Our services also use Google Optimize. Google Optimize analyzes the use of different variations of our website and helps us to improve the usability according to the behavior of our users on the website. Google Optimize is a tool associated with Google Analytics.
You can prevent the storage of cookies through the settings of your browser software or of your mobile operating system and the app; however, please be aware that in this case you may not be able to use all functions of this website or the app in full. In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing https://tools.google.com/dlpage/gaoptout?hl=de. Opt-out cookies prevent future collection of your data when you visit this website. To prevent Universal Analytics tracking across devices, you must opt out on all systems you use. If you would like Gumb to deactivate Google Analytics, please send your request to our support team by email: email@example.com.
The legal basis is Article 6 paragraph 1 sentence 1 (f) GDPR.
Usage Statistics with the Help of Hotjar
Gumb uses the web analytics service Hotjar to analyze usage. Hotjar Ltd. (St Julian's Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) complies with the Data Protection Act, Chapter 440 of the Laws of Malta (“Applicable Law”), which implements all relevant European Union directives on data protection. Hotjar is a service that analyzes users’ behavior and feedback on web pages using a combination of analysis and feedback tools. Hotjar gives Gumb a “complete picture” of how to improve the website performance and end-user experience. For this purpose, the following information is collected: the IP address of the device (collected and stored in an anonymized format), screen/display resolution, type of device, operating system, browser type, geographic location (country only), preferred language, and mouse events (movements, position and clicks). The collected data is transferred and stored using an encrypted connection to servers located in Ireland (EU). The sole purpose of this data collection is to improve the user experience on the Hotjar-based websites. No personal data is collected or stored. For more information on how Hotjar complies with data protection regulations, please see www.hotjar.com/privacy. You can refuse permission for Hotjar to collect your data when you visit Gumb at any time by going to Hotjar's opt-out page https://www.hotjar.com/legal/compliance/opt-out and clicking on “Disable Hotjar”. The legal basis is Article 6 paragraph 1 sentence 1 (f) GDPR.
We host our systems at Amazon Web Services, Inc. 410 Terry Avenue North, Seattle WA 98109, USA ("AWS"). For technical reasons, the infrastructure may be maintained from the USA. AWS is subject to the EU-US Privacy Shield.
The legal basis for the above-mentioned data processing is Art. 6 para. 1 (f) GDPR based on our legitimate interest. We want to provide you with the technical infrastructure to offer our products and services.
We have put extensive technical and operational safeguards in place to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security procedures are regularly reviewed and adapted to developments in technology.
You can apply to our company electronically, in particular via email or via our application portal online. Of course, we will only use your information to process your application and will not pass it on to third parties. Please note that unencrypted emails are not transferred with access protection.
The legal basis for this is Article 6 paragraph 1 sentence 1 (b) and (f) GDPR as well as Section 26 of the Federal Data Protection Act (BDSG).
If you have applied for a certain position and it has already been filled or we consider you suitable or even more suitable for a different position, we would like to forward your application within the company. Please let us know if you do not agree to your application being forwarded.
Your personal data will be deleted no later than 6 months after completing the application process, unless you have expressly given us your consent to store your data for longer or it has led to a contract being concluded. The legal basis for this is Article 6 paragraph 1 sentence 1 (a) GDPR as well as Section 26 BDSG.