Privacy Policy

Gumb Data Protection Agreement

Data Protection Statement

Status: September 2023


Data protection is a particularly high priority for us. In the following, we inform you about the collection of personal data when using our website and our apps. Personal data refers to all data with which it is possible to draw conclusions about you personally, for example, name, address, email addresses, user behavior. The processing of a data subject's personal data shall always be in line with the General Data Protection Regulation (GDPR) and in accordance with the Swiss Data Protection Act (DSG) applicable to GUMB AG.


1. Data Controller for Data Processing

The Data Controller within the meaning of the EU General Data Protection Regulation (GDPR) or within the meaning of the Swiss Data Protection Act (DSG) is Gumb AG, Büsingerstrasse 5, CH-8203 Schaffhausen, email: support@gumb.app (see our Legal Notice).


2. Ways of Contacting Gumb Data Protection Officer

You can reach our data protection officer at support@gumb.app or at either one of our postal addresses with the addition of “Data Protection Officer”.

Gumb AG

Büsingerstrasse 5

8203 Schaffhausen

Switzerland


3. Your Rights

We would like to inform you that you have the right to request information about which of your data is processed by us at any time in accordance with Art. 15 GDPR and Art. 25 DSG. The right of access also includes the right to receive a copy of the data, provided that this does not adversely affect the rights and freedoms of other persons (Art. 15 GDPR). You are entitled to request the correction or completion of incorrect or incomplete data concerning you (Art. 16 GDPR, Art. 6 para. 5 DSG).

You are entitled to know, in case of transfer abroad, to which state the personal data will be disclosed and, if applicable, the guarantees according to Art. 16 para. 2 DSG or the application of an exception according to Art. 17 DSG.

You are entitled to data disclosure if your data is processed automatically and the data is processed with your consent or in direct connection with the conclusion or processing of a contract (Art. 20 para. 1 GDPR, Art. 28 para. 1 DSG). You also have the right to data portability (Art. 28 (2) DSG) if the requirements of Art. 28 para. 1 DSG are met, and according to Art. 20 para. 2 of the GDPR when exercising the right to data portability pursuant to Art. 20 para. 1 of the GDPR.

In principle, you are entitled to delete your data (Art. 17 GDPR). However, the right to deletion does not exist, for example, if the processing is necessary for the fulfillment of a legal or contractual obligation.

You are entitled to request the restriction of the processing of your data if certain conditions are fulfilled (Art. 18 GDPR). In principle, you also have the right to receive the transmission of the data provided by you in a structured, common and machine-readable format.

If you wish to exercise any of your rights and/or want additional information about them, please contact us in accordance with point 2.


3.1 Objection or Withdrawal

If you have given us consent to process your data, you can withdraw this at any time. Withdrawal of this kind affects the admissibility of processing your personal data after you have expressed this to Gumb. If we base the processing of your personal data on a weighing of interests, in particular on Art. 6 paragraph 1 sentence 1 (f) GDPR, you can object to the processing. This is the case if, in particular, the processing is not required to fulfill a contract, which we describe in the following description for each function. If you express such an objection, which you can send to the contact details referred to in point 2 above, please explain the reasons why we should not process your personal data as we have done. We will review the situation and either discontinue or adapt the data processing or show our compelling legitimate reasons for continuing our processing. Of course, you can object to the processing of your personal data for the purposes of advertising and data analysis at any time. Please direct your objection to processing for advertising to the contact details mentioned under point 2 above.


3.2 The right to lodge a legal complaint with a supervisory authority

You also have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).


4. Collection of Personal Data when Visiting our Website

If you use the website purely for information purposes, i.e., if you do not register or otherwise provide us with information, we only collect the personal data that your browser transfers to our server. If you wish to view our website, we collect the following information that is technically necessary for us to display our website and to ensure its stability and security (the legal basis for this is Article 6, paragraph 1 sentence 1 (f) GDPR): IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website/app that the request comes from, browser, operating system and its interface, language and version of the browser software. We use Google Analytics to collect this information from the website. Please refer to 12.2 for details on Google Analytics. You can also control the tracking via the website cookie banner.


4.1 Data processing operations when using the Apps

If you wish to use our apps, we collect the following personal data that is technically necessary for us to offer you the features of our products (legal basis is Article 6, paragraph 1 sentence 1 (f) GDPR) and to ensure stability and security (legal basis is Article 6, paragraph 1 sentence 1 (f) GDPR):

  • IP address
  • Device type
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website/app that the request comes from, if applicable
  • Browser, if applicable
  • Operating system and its interface
  • Language and version of the browser software, if applicable

4.2 Contact by Email or Contact Form

If you contact us by email or via a contact form, the information you provide (your email address, possibly your name and your telephone number) will be stored by us so that we can answer your questions. Fields on our contact form that are not required to contact you are always marked as optional. This information is used to substantiate your request and to improve the processing of your request. This information is expressly shared on a voluntary basis and with your consent, Art. 6 para. 1 (a) of the GDPR or Art. 6 para. 6 DSG.

If this information corresponds to your communication channels (e.g., email address, telephone number), you also agree that we can contact you via this communication channel to respond to your request.

To enhance our customer support and to manage and document your inquiries and feature requests, we use Zendesk as a platform. This helps us identify users' technical difficulties and provide effective assistance. Our goal is to continually refine our service through this process. Further details are available in Zendesk's privacy policy. The legal basis for this data processing is Art. 6 Para. 1 S. 1 (f) GDPR.

Of course, you can revoke this consent at any time in the future. We delete the data arising in this context after the storage is no longer necessary or restrict the processing if there are legal retention obligations (Art. 5 para. 1 e) of the GDPR or Art. 6 para. 4 DSG).


5. Registration and Service Use

5.1 Registration

You have the opportunity to register with us and create a customer account. For the registration we collect and store the following data:

  • Email address (username)
  • Password

After registration, you will receive personal, password-protected access and can view and manage the data you have provided. Registration is voluntary but may be required to use our services. If you use our service, we store your data and possibly also details of the payment method required to fulfill the contract, until you finally delete your account. Furthermore, we will store the voluntary data you provide for the time of your use of the app, unless you delete it before. All information can be managed and changed in your account. The legal basis for this is Article 6, paragraph 1 sentence 1 (b) and (f) GDPR.


5.2 Service Use

For technical reasons, we also log, in a pseudonymized form, which planning functions have been used in our app and the number of events. This data is collected only during the active use of the app and serves for performance optimization and for recommending suitable features to the user. No additional data is acquired. You can object to this type of recommendation at any time. Please refer to the contact details provided in section 2. The legal basis is Art. 6 Para. 1 S. 1 (f) GDPR.


5.3 Preliminary Registration by Users with Special Privileges

Users with special privileges, for instance, board members of a club with admin rights in the app, have the ability to pre-register customer accounts. For this purpose, we only collect and store:

  • Email address
  • First and last name
  • Temporary password

The responsibility for the legality of this preliminary registration, as well as obtaining any necessary consents, rests entirely with the user having these special privileges. Gumb merely provides the technical platform and assumes no liability for actions or omissions of the user with special privileges. Any individual privacy policies of the user with special privileges are independent of Gumb's policies, and we have no influence over them.

As soon as a user with special privileges creates a preliminary account for you, you will be promptly notified by us. In this notification, you'll receive a temporary password, allowing you to directly log into our platform to view and manage the pre-registered data. If you did not consent to the creation of an account in your name or if you're not interested in using our app, you have the option to delete this account on your own. Gumb does not automatically delete your account. However, we reserve the right to deactivate inactive user profiles after a certain period and eventually delete them to uphold your privacy rights and to minimize unnecessary data storage. Before final deletion, we will notify you. Should you desire an immediate deletion of your account, please contact us, specifying your email address, at support@gumb.app.

The legal basis for Gumb's processing of this data is grounded in our legitimate interest, in accordance with Article 6, Paragraph 1, Subsection 1(f) of the GDPR. Any subsequent processing by the user with special privileges should be based on a suitable legal foundation, for which Gumb assumes no responsibility.


6. Online Orders - Shop

When you place an order online on our website or apps, we collect various data required for the conclusion of the contract. The legal basis is the conclusion and execution of a contract in accordance with Article 6, paragraph 1 sentence 1 (b) GDPR. The data is stored for the duration of the contract and according to legal obligations. The legal basis for storing the data due to statutory retention requirements is Art. 6 Para. 1 lit.c GDPR. For payment, we use various payment service providers, which are always identified and accept your input directly and are therefore recipients of your personal data collected in connection with the payment process. The legal basis for the engagement of payment service providers is the contract execution according to Article 6, paragraph 1 sentence 1 (b) GDPR. Data for the purpose of payment is stored for the duration of the payment.


7. Participation in Competitions

If you participate in competitions, we collect the information necessary for the execution of the competition. This is usually an individual competition entry (for example, a comment or a photo) as well as names and contact details. We may share your information with our competitors, for example to give you your prize.

The data processing and transmission may vary depending on the competition and is therefore described in detail in the respective conditions of participation. Participation in the competition and the associated data collection is, of course, voluntary. The legal basis for data processing is your consent in accordance with Art. 6 para. 1 a) of the GDPR or Art. 6 para. 6 DSG. Your data will be deleted after the end of the competition.


8. Facebook Connect

We offer you the opportunity to register and sign up through your Facebook account. If you sign up through Facebook, Facebook will ask for your consent to share certain information in your Facebook account with us. This may include your first name, last name, and your email address to verify your identity and gender, as well as the general location, a link to your Facebook profile, your time zone, your date of birth, and your profile picture. This data is collected from Facebook and sent to us in compliance with the provision of the Facebook Privacy Policy. You can control the information we receive from Facebook through the privacy settings in your Facebook account. This data is used to set up, provide and personalize your account. The legal basis for this is Article 6, paragraph 1 sentence 1 (b) and (f) GDPR. 

When you sign up with us via Facebook, your account will automatically be linked to your Facebook account, and information about your activity on our websites and applications may be shared on Facebook and posted on your timeline and displayed in the news feeds of your friends.


9. Google

You can also register and sign in through your Google account. If you sign up through Google, Google will ask for your permission to share certain details of your Google Account with us. This may include your first name, last name, gender, and your email address to verify your identity, as well as a link to your Google profile and your profile picture. This data is collected from Google and sent to us in compliance with the provisions of the Google Privacy Policy. By default, when you sign up with Google, information about your activity on our apps is shared with Google in accordance with Google's Terms of Service and Google's Privacy Policy. For more information on managing activities shared in your Google Account, visit the Google Help page. This data is used to set up, provide and personalize your account. The legal basis for this is Article 6, paragraph 1 sentence 1 (b) and (f) GDPR.


10. Apple

You can also register and sign in through your Apple account. If you sign in with Apple, Apple will ask you for a confirmation to use your Apple account to sign in to Gumb. Sign in with Apple protects your privacy by allowing you to sign in to our website and apps without having to provide us with information that personally identifies you except information used by your browser for normal web functions. 

We may ask for your name and email address when you use Sign in with Apple. Your name will default to the name associated with your Apple ID. For the email address, you can choose to provide us with any of the email addresses associated with your Apple ID, or to hide your email address. If you decide to hide your email address from us and also disable email forwarding from the Apple-generated email address to your personal email address, please understand that we will not be able to reach out to you with our communication messages. The legal basis for this is Article 6, paragraph 1 sentence 1 (b) and (f) GDPR.


11. Cookies and Similar Technologies

When you use our website, apps or other Gumb services, we, our affiliates, vendors, and business partners may use cookies or similar technologies to enable our services, collect usage data and store preferences. Cookies or similar technologies can either be persistent (i.e., they remain on your device or browser until you delete or reset them) or temporary (i.e., they last only until you close your browser or application). Further information on how to reset or delete them can be found in your browser settings or your device manufacturer's manual. The technologies can include:


11.1 Cookies and local storage

When you use our website and our apps, cookies are stored on your devices. Cookies are small text files that are stored on your device memory associated with the browser or app you are using, and that provide certain information to the party that sets the cookie. Cookies cannot run programs or transfer viruses to your device. They serve to make the Internet service more user-friendly and effective overall. We also use cookies to identify you for follow-up visits if you have an account with us. Otherwise, you would have to log in again for each visit. We may use both temporary cookies and persistent cookies to better understand how you use our services, to customize content and advertising or for other purposes as described further on in this section. We may create a unique device or user ID for you and store it in a cookie or other storage option, so we can customize your experience based on your preferences. We may also collect information through other kinds of local storage (also referred to as “Flash cookies”) and HTML5 local storage. This allows us to improve our service offering and your user experience.


11.2 Advertising Identifier (IDFA/AAID)

For advertising purposes, we use what are known as “advertising identifiers” (e.g., “AAID” or “IDFA”). These are unique but non-permanent identifiers for a particular device, provided by the device operating system. With your consent, the data collected through advertising identifiers may be linked to your login. We use advertising identifiers to provide you with personalized advertising and to evaluate your usage of our apps. The advertising identifier of your device can be reset at any time in the device settings. The new advertising identifier cannot be associated with the previous one. In addition, the transfer and use of the advertising identifier can be disabled in the device settings. Please be aware that you may not be able to use all the features of our service if you restrict the use of advertising identifiers. The legal basis for this is Article 6, paragraph 1 sentence 1 (b) and (f) GDPR.


11.3 Web Beacons, Pixels, and SDKs

In addition, we may use other technologies such as web beacons or pixel tags, which can be embedded in web pages, videos, or emails, to collect certain types of information from your browser or device, check whether you have viewed a particular web page, ad, or email message, and determine, among other things, the time and date on which you viewed the content, the IP address of your device, and the URL of the web page from which the content was viewed. We may also use or work with third parties including our business partners and service providers who use Software Development Kits (“SDKs”) to collect information, such as advertising identifiers (e.g., “AAID” or “IDFA”), user IDs and information related to how mobile devices, or other devices such as Personal Computer and Mac devices, interact with our services.


11.4 Cookies and similar technologies that will collect data are categorized as the following:

11.4.1 Strictly Necessary

Strictly Necessary Cookies and similar technologies are necessary for the website or application to function and cannot be switched off in your systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies. Please be aware that this would strongly impact the functionality of our service. These cookies do not store any Personally Identifiable Information.


11.4.2 Functional

Functional cookies and similar technologies enable the website or application to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these, some or all of these services may not function properly.


11.4.3 Performance

Performance cookies and similar technologies allow us to count visits and traffic sources, so we can measure and improve the performance of our website and apps. They help us to know which pages are the most and least popular and see how visitors use our products. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.


11.4.4 Targeting

Targeting cookies and similar technologies may be set through our apps by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements. They are based on uniquely identifying your browser, user ID and internet device. If you do not allow these, you will experience less targeted advertising.


11.4.5 Social Media

Social Media cookies and similar technologies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks or to login directly with your social media account. The social media services are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these, you may not be able to use or see certain functionalities of our service.


11.5 Prevention of Cookies

You can configure your browser settings according to your wishes and e.g., refuse to accept third-party cookies or all cookies. Please be aware that you may not be able to use all the functions of our website or apps in that case. You can configure the settings of your mobile operating system and the app to your liking and e.g., refuse to accept third-party cookies or all cookies. Please be aware that you may not be able to use all the functions of our mobile app in that case. Transfer of cookies to your browser/device can also be controlled using the cookie banner.


To obtain, manage and document your consent preferences we use Cookie-Script as a Consent Management Platform. The legal basis for the processing of the data is Article 6, paragraph 1 sentence 1 (c) GDPR. The aim is to know the consent preferences of the users, follow legal requirements and to act accordingly. The data is deleted as soon as it is no longer required for our purposes. Possible processing of personal data and their duration of storage may vary and is presented in the preference center, which is accessible anytime in the user’s account settings or can be accessed on our website and apps. The preference center provides transparency about the data usage and allows you to configure individual settings according to your wishes and e.g., refuse third-party cookies or usage of data for certain purposes. Please be aware that you may not be able to use our services when refusing to allow cookies or similar technologies.


11.6 Legal Basis and Duration of Storage

The legal bases for possible processing of personal data and their duration of storage vary and are presented in the following sections. More information about Cookies can be gathered from the Cookie banner. Users can also set preferences in the Cookie banner to only allow selected cookies.


12. Analysis Services

For analysis purposes and to optimize our websites and apps, we use various services, which we describe below. For example, we can analyze how many people visit our website, which information is most in demand and how people find our services.

Among other things, we collect information about the website from which a data subject accessed another website (known as the "referrer"), which subpages of our website or apps were accessed or how often a subpage was viewed and how long the person stayed on the subpage. This helps us to design and improve our services in a user-friendly manner.

The data collected is not used for the personal identification of individual users. Anonymous or at most pseudonymous data is collected. The legal basis for this is Art. 6 para. 1 a) of the GDPR or Art. 6 para. 6 DSG.


12.1 Technical usage data

Data regarding your interaction with the application/platform is collected; this includes the webpages you visit, the planners you access, your membership in communities and subgroups, the number of reactions to events, search terms used, as well as the duration, frequency, and periods of sessions within the application. This data is used to provide and enhance the services and features of the application in terms of security, availability, and user-friendliness in accordance with our contractual obligations. This event data is retained for 12 months before being summarized in standardized analysis reports without personal reference. This data may be transferred to countries outside the EU. We take all necessary steps to ensure compliance with applicable data protection laws and regulations. The legal basis for this is Article 6, Paragraph 1 Sentence 1 (b) and (f) of the GDPR.


12.2 Google Analytics & Google Optimize

If you have given your consent, our products use Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Our services also use Google Optimize. Google Optimize analyzes the use of different variations of our website and helps us to improve the usability according to the behavior of our users on the website. Google Optimize is a tool associated with Google Analytics.


12.2.1 Scope of processing

Google Analytics and Google Optimize use cookies that enable an analysis of your use of our apps. The information collected by the cookies about your use of our apps is usually transferred to a Google server in the USA and stored.

We use the function User-ID. The User ID allows us to assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and to analyze user behavior across devices.

We use Google Signals. This allows Google Analytics and Google Optimize to collect additional information about users who have activated personalized ads (interests and demographic data). Furthermore, ads can be delivered to these users in cross-device remarketing campaigns.

We use the function 'anonymizeIP' (so-called IP masking): because IP anonymization is activated on our website and apps, your IP address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser or device operating system within the framework of Google Analytics is not merged with other data from Google.


During your app use the following data will be collected:

  • The pages you call up, your “click behavior”
  • Achievement of "website / apps goals" (conversions, e.g., newsletter registrations, downloads, purchases)
  • Your user behavior (for example clicks, dwell time, bounce rates)
  • Your approximate location (region)
  • Your IP addresses (in abbreviated form)
  • Technical information about your browser and the end devices you use (e.g., language settings, screen resolution)
  • Your internet provider
  • The referrer URL (via which website/advertising medium you came to this website/apps)

12.2.2 Purposes of processing

On behalf of the operator of this app, Google will use this information to evaluate your (pseudonymous [NOT USER ID]) use of the app and to compile reports on the app activity. The reports provided by Google Analytics serve to analyze the performance of our apps and the success of our marketing campaigns.


12.2.2 Recipient

The data recipient is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a data processor. For this purpose, we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google.


12.2.3 Transfer to third countries

A transfer of data to the USA cannot be excluded. However, we take care to ensure compliance with GDPR guidelines.


12.2.4 Duration of storage

The data sent by us and linked to cookies is automatically deleted after 2 months. Data is automatically deleted once a month as soon as the storage period is reached.


You can also prevent the collection by Google of the data generated by the cookie and related to your use of the app (including your IP address), and the processing of this data by Google, by

  • not giving your consent to the settings of the cookie or
  • downloading and installing the browser add-on to disable Google Analytics.

By setting your browser software accordingly you can also prevent the storage of cookies. If your browser is set to refuse all cookies, the functionality of this and other websites and apps may be limited.


12.2.5 Legal basis and right of withdrawal

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 a) of the GDPR or Art. 6 para. 6 DSG. You can revoke your consent at any time with future effect by changing your selection in the cookie preferences in the account settings or by opening the cookie preference center in our apps.


For more information, please see the Google Analytics terms of use and Google's privacy policy.


12.3 Google Firebase: Storage, Crashlytics, and Analytics

Our website utilizes Google Firebase Storage, a cloud storage service by Google, to host and deliver simple images and other media content. This allows us to provide media content efficiently and in high quality, while ensuring a fast and reliable user experience.

In addition, we use Firebase Crashlytics. This tool assists us in identifying and rectifying crashes and errors on our website or app. By collecting and analyzing error reports, we ensure a stable and error-free use of our services.

Furthermore, we employ Firebase Analytics to gather user statistics. These analyses give us valuable insights into user behavior, enabling us to continuously enhance the user experience. It's important to note that Firebase Analytics is closely linked with Google Analytics, and data collected through Firebase Analytics can also be integrated into Google Analytics.

All these services might use servers located outside the European Union. However, Google has committed to the EU-US Privacy Shield, thus ensuring adequate data protection.

The use of Google Firebase (Storage, Crashlytics, and Analytics) is based on our legitimate interest in a stable and efficient technology infrastructure in accordance with Article 6, Paragraph 1 lit. f GDPR.

For more detailed information on the data protection practices of Google Firebase, we recommend consulting Google's Privacy Policy and Firebase Privacy Policy.


12.4 Sentry.io: Error Monitoring and Performance Monitoring

To optimize our technical performance, we use the service Sentry.io. It is essential to emphasize that Sentry.io processes strictly technical data and does not store any personal data or information about our users. This service assists us in tracking technical errors and monitoring the performance of our application. With Sentry.io, we gain detailed insights about product errors and performance bottlenecks. This enables us to promptly address technical issues and improve the stability and speed of our application.

For the security of this technical data: Sentry undergoes annual penetration tests conducted by an independent third-party agency. In this context, Sentry provides the agency with an isolated copy of sentry.io and an overview of the application architecture. Customer data is never made accessible to the agency during these tests.

The use of Sentry.io is based on our legitimate interest in continuous technical optimization in accordance with Article 6, Paragraph 1 lit. f GDPR.

For more detailed information on Sentry.io's data protection practices, please consult their privacy policy.


12.5 Hotjar

Gumb uses the web analytics service Hotjar to analyze usage. Hotjar Ltd. (St. Julian’s Business Center, 3, Elia Zammit Street, St. Julian’s STJ 1000, Malta) complies with the Data Protection Act, Chapter 440 of the Laws of Malta (“Applicable Law”), which implements all relevant European Union directives on data protection. Hotjar is a service that analyzes users’ behavior and feedback on web pages using a combination of analysis and feedback tools. Hotjar gives Gumb a “complete picture” of how to improve the website performance and end-user experience. For this purpose, the following information is collected: the IP address of the device (collected and stored in an anonymized format), screen/display resolution, type of device, operating system, browser type, geographic location (country only), preferred language, and mouse events (movements, position, and clicks). The collected data is transferred and stored using an encrypted connection to servers located in Ireland (EU). The sole purpose of this data collection is to improve the user experience on the Hotjar-based websites. No personal data is collected or stored. For more information on how Hotjar complies with data protection regulations, please click here: www.hotjar.com/privacy. You can refuse permission for Hotjar to collect your data when you visit Gumb at any time by going to Hotjar’s opt-out page and clicking on “Disable Hotjar”. The legal basis is Art. 6, para. 1 a) of the GDPR or Art. 6 para. 6 DSG.


12.6 Prismic for Support Page

In the specialized help section of our website, we use Prismic.io, a CMS backend (Content Management System). Its primary function is to host and deliver simple images, help article texts, and other relevant media content. By leveraging Prismic.io, we ensure that our users receive high-quality help articles and media content swiftly and reliably, providing an optimal user experience.

Please note that Prismic.io might utilize servers located outside the European Union. However, Prismic has committed to the EU-US Privacy Shield, ensuring appropriate data protection standards.

Our decision to use Prismic.io stems from our legitimate interest in relying on a stable and efficient technology infrastructure, in accordance with Article 6, Paragraph 1 lit. f of the GDPR.

For more in-depth information regarding Prismic's data protection practices, we recommend consulting Prismic's privacy policy.


13. Advertising

We use cookies for marketing purposes to target our users with interest-based advertising. In addition, we use cookies to restrict the likelihood that an ad will be displayed and to measure the effectiveness of our advertising operations. The technology for advertising is provided by Google Ad Manager. This information may also be shared with third parties such as ad networks. A list of all advertising networks can be found here. The legal basis for this is Article 6, paragraph 1 sentence 1 (f) GDPR. Gumb’s direct marketing operations have a legitimate interest in the objectives pursued with the data processing. You have the right to object at any time to the processing of your data for the purpose of such advertising. For this purpose, you can prevent cookies from being set in your browser settings, via the cookie banner or privacy settings in our apps. The legal basis is Art. 6, para. 1 a) of the GDPR or Art. 6 para. 6 DSG.


13.1 Facebook Advertising

We use the pixel of Facebook Ireland Limited for targeting (Facebook Website Custom Audiences) and conversion tracking purposes. Through the pixel, information about the use of our products is collected and shared with Facebook. This information can be assigned to you thanks to further information that Facebook Ireland Limited has stored about you, e.g., due to your ownership of an account on the social network Facebook. Based on this information, interest-related advertisements can be displayed to you in your Facebook account.

We have not enabled “automatic advanced matching” as part of Facebook’s pixel feature. Therefore, we do not share hashed information such as email, name, gender, city, state, zip code, and date of birth or phone number with Facebook. The Facebook pixel is only activated in your browser if you have agreed to marketing cookies via our cookie consent banner. You can revoke consent at any time via our consent banner. The legal basis for this is article 6, section 1 letter (a), (f) of the GDPR.

For more information on the purpose and scope of data collection and the further processing and use of data by Facebook and your options to protect your privacy, please refer to Facebook’s privacy policy, which can be found here and here. If you wish to object to the use of Facebook Website Custom Audiences, you can do so on this page.


13.2 Google Ads

13.2.1 Google Retargeting

Our products use “Google Ads Remarketing” to advertise Gumb on Google’s search results as well as on third-party websites. The provider is Google Ireland Limited, Gordon House, 4 Barrow St., Dublin, D04 E5W5, Ireland (hereinafter "Google"). For this purpose, Google sets a cookie in your device's browser that automatically enables interest-based advertising based on a pseudonymous cookie ID and on the pages you visit.

Additional data processing only takes place if you have consented to Google linking your Internet and app browsing history to your Google account and using information from your Google account to personalize ads that you see on the web.

Data processing from our apps will only be enabled if you have agreed to the use of marketing cookies via our cookie consent banner. You can revoke consent at any time via our consent banner. The legal basis for this is article 6, section 1 letter (a), (f) of the GDPR.

Further information and the privacy policy regarding advertising and Google can be found here.


13.2.2 Google Conversion Tracking

We use conversion tracking as part of the “Google Ads” service. When you click on an ad placed by Google, a cookie for conversion tracking is stored on your device. These cookies lose their validity after 30 days, do not contain any personal data and are therefore not used for personal identification. The information obtained using the conversion cookie is used to create conversion statistics for Google Ads customers who have opted in for conversion tracking. Google Ads conversion tracking will only be enabled if you have agreed to the use of marketing cookies via our cookie consent banner. You can revoke consent at any time via our consent banner. The legal basis for this is article 6, section 1 letter (a), (f) of the GDPR.


13.3 YouTube with expanded data protection integration

Our website embeds videos of the website YouTube. The website operator is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in the expanded data protection mode. According to YouTube, this mode ensures that YouTube does not store any information about visitors to this website before they watch the video. Nevertheless, this does not necessarily mean that the sharing of data with YouTube partners can be ruled out as a result of the expanded data protection mode. For instance, regardless of whether you are watching a video, YouTube will always establish a connection with the Google DoubleClick network.

The YouTube videos on our website are embedded using a method that does NOT automatically establish a connection to YouTube. A connection to YouTube’s servers will be established only after you confirm by clicking the button. As a result, the YouTube server will be notified which of our pages you have visited. If you are logged into your YouTube account while you visit our site, you enable YouTube to directly allocate your browsing patterns to your personal profile. You have the option to prevent this by logging out of your YouTube account.

As soon as you start to play a YouTube video on this website, a connection to YouTube’s servers will be established. As a result, the YouTube server will be notified which of our pages you have visited. If you are logged into your YouTube account while you visit our site, you enable YouTube to directly allocate your browsing patterns to your personal profile. You have the option to prevent this by logging out of your YouTube account.

Furthermore, after you have started to play a video, YouTube will be able to place various cookies on your device or comparable technologies for recognition (e.g., device fingerprinting). In this way YouTube will be able to obtain information about this website’s visitors. Among other things, this information will be used to generate video statistics with the aim of improving the user-friendliness of the site and to prevent attempts to commit fraud.

Under certain circumstances, additional data processing transactions may be triggered after you have started to play a YouTube video, which are beyond our control.

The use of YouTube is based on our interest in presenting our online content in an appealing manner. Pursuant to Art. 6(1)(f) GDPR, this is a legitimate interest. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

For more information on how YouTube handles user data, please consult the YouTube Data Privacy Policy under: https://policies.google.com/privacy?hl=en.


13.4 Google Web Fonts (local embedding)

Our website uses so-called Web Fonts provided by Google to ensure the uniform use of fonts on this site. These Google fonts are locally installed so that a connection to Google’s servers will not be established in conjunction with this application.

For more information on Google Web Fonts, please follow this link: https://developers.google.com/fonts/faq and consult Google’s Data Privacy Declaration under: https://policies.google.com/privacy?hl=en.


14. Data Transfer

We host our systems with Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA ("AWS"). For technical reasons, infrastructure maintenance may sometimes be conducted from the USA. AWS adheres to the EU-US Privacy Shield.

The legal basis for the aforementioned data processing is Article 6, Paragraph 1 f) GDPR, based on our legitimate interest. We aim to provide you with the technical infrastructure to offer our products and services.

Within AWS, we use specific services to ensure an optimal user experience and the highest security standards:

S3: This is our primary cloud storage service. We use it to store data securely and scalably, ensuring fast and reliable access to your data at all times.

Amazon Pinpoint: This service allows us to communicate with you through various channels, such as email, SMS, or push messages. It also helps us understand user behavior better and optimize our services accordingly.

Cognito: This is our identity management tool. It ensures secure access to our services and verifies that only authorized users have access to their data. Through 'Federated Identities', a secure and seamless user experience is created, providing you with various login options.

Amazon Simple Email Service (SES): A service specifically designed for sending and receiving emails, ensuring that the communications you receive from us are secure and reliable.

Additionally, AWS employs other services for specific functions, especially for Android mobile devices. This includes 'Amazon (Mobile) Analytics', which helps us understand the usage of our services better and continuously improve the user experience.

By disclosing this information, we want to ensure you are fully aware of how and where your data is processed within our technical infrastructure. For more detailed information on the privacy practices of these specific AWS services, we recommend consulting AWS's privacy policy.

Your data will not be shared with other third parties unless we are legally obligated to do so, the data transfer is necessary for the execution of the contractual relationship, or you have previously expressly consented to the sharing of your data.

External service providers and partner companies, such as online payment providers, only receive your data if this is necessary to process your order. In these cases, however, the amount of data transferred is limited to the required minimum.

Insofar as our service providers come into contact with your personal data, we ensure in the context of order processing in accordance with Art. 28 GDPR or Art. 9 DSG that they comply with the provisions of the data protection law in the same way. In addition, please note the respective privacy policy of the provider. The respective provider is responsible for the content of external services, where we check the appropriateness of the services for compliance with legal requirements.

We attach great importance to the processing of your data within the EU/EEA. However, we may use providers who process data outside the EU/EEA. In these cases, we ensure that the recipient ensures an adequate level of data protection before transferring your personal data. This means that a level of data protection comparable to standards within the EU is achieved through EU standard contracts or an adequacy decision.


15. Data Security

We have taken extensive technical and operational security precautions to protect your data from accidental or intentional manipulation, loss, destruction, or access by unauthorized individuals. Our security procedures are regularly reviewed and adapted to technological developments (Art. 32 GDPR, Articles 7, 8 DSG).


16. Job Applications

You can apply for a job with us online via our application portal. We process your personal data exclusively for the purpose of your application for an employment relationship, insofar as this is necessary for the decision on the establishment of an employment relationship with us. The legal basis for this is Article 6 para. 1 b) of the GDPR and § 26 para. 1 with para. 8 p. 2 BDSG (job advertisement and implementation of pre-contractual measures) and Art. 6 para. 1 f) of the GDPR for unsolicited applications. Your personal data will be treated confidentially.

The following data can be processed by us in the application process:

  • Master data (title, first name, surname, if necessary date of birth)
  • Contact data (address, telephone, or mobile phone number, private email address)
  • Application data (e.g., profile picture as well as other documents such as CV, cover letter, overall application, certificates).

If we are unable to offer you a position, you reject an offer of a position or withdraw your application, we reserve the right to store the data you have transmitted based on our legitimate interests (Art. 6 para. 1 f) of the GDPR) for up to 6 months as of the end of the application process (rejection or withdrawal of the application). The data is then deleted and the physical application documents destroyed. In particular, data is stored for evidence purposes in the event of a legal dispute. If the data will be foreseeably required after the 12-month period has expired (e.g., due to an impending or pending legal dispute), deletion will only take place if the purpose of further storage is no longer applicable.

Data can also be stored for a longer period of time if you consent to this in accordance with Art. 6 para. 1 (a) of the GDPR or Art. 6 para. 6 DSG, or if statutory storage obligations preclude the deletion.

If we do not make you a job offer, you may be able to join our applicant pool. In case of admission, all documents and information from the application will be transferred to the applicant pool to contact you in case of suitable vacancies.

Admission to the applicant pool is based exclusively on your express consent (Art. 6 para. 1 (a) of the GDPR or Art. 6 para. 6 DSG). The submission agreement is voluntary and has no relation to the ongoing application procedure. You can revoke your consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, provided there are no legal reasons for storage. The data from the applicant pool will be irrevocably deleted no later than two years after consent has been granted.


16.1 Wellfound

We utilize the platform services of Wellfound, a leading job portal specializing in developer roles. For operational reasons, certain backend operations or data storage of Wellfound may sometimes be based in locations apart from the EU. It is pertinent to note that Wellfound strictly complies with the principles of the General Data Protection Regulation ("GDPR") and the California Consumer Protection Act ("CCPA").

The legal basis for the aforementioned data processing is Article 6, Paragraph 1 f) GDPR, based on our legitimate interest. Our primary objective is to optimize our recruitment processes, ensuring we connect with highly qualified developer candidates in a seamless and efficient manner.

Within Wellfound, there are specific functionalities and mechanisms designed to ensure an optimal user experience, as well as maintain the highest standards of data protection and privacy. See their privacy policy here.


17. Updating the Privacy Policy

Occasionally, we will update this Privacy Policy. If it is updated, we will update the date at the top of this Privacy Policy. We encourage you to check our website and apps occasionally to inform yourself of any changes to this Privacy Policy.