Privacy

As of 1st June 2021

Responsible: Thomas Niemann

Company: pay & relax GmbH

Street & No.: Lautenschlagerstr. 16

Zip code, City, Country: 70173 Stuttgart, Germany

Commercial register no.: HRB 752781

Managing director: Thomas Niemann, Felix Hagspiel

Phone number: +49(0)711-25 25 96 40

E-mail address: [email protected]

This data protection declaration informs you about the type, scope and purpose of the processing of personal data within our online offer and the websites, functions and content connected to it (hereinafter jointly referred to as “online offer”). The privacy policy applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) used on which the online offer is executed.

For the terms used, such as “personal data” or their “processing”, we refer to the definitions in Article 4 of the General Data Protection Regulation (DSGVO).

The personal data of users processed within the scope of this online offer includes inventory data (e.g., e-mail address, names and addresses of users), contract data (e.g., services used, names of clerks, payment information), usage data (e.g., the visited web pages of our online offer) and content data (e.g., details of escrow payment, chat messages, images).

The term “user” includes all categories of data subjects. They include our business partners, customers, interested parties and other users of our online offer. The terms used, such as “user”, are to be understood as gender-neutral.

We process users’ personal data only in compliance with the relevant data protection provisions. This means that user data will only be processed if a legal permission exists, i.e., in particular if the data processing is necessary for the provision of our contractual services as well as online services, or is required by law, if the user’s consent is available, or on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO), in particular in the case of range measurement, creation of profiles for advertising and marketing purposes, and collection of access data and use of third-party services.

We point out that the legal basis for consents is Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for processing for the performance of our services and implementation of contractual measures is Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f. DSGVO.

2. Security measures

We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

The security measures include in particular the encrypted transmission of data between your browser and our server.

3. Transfer of data to third parties and third-party providers

Data is only passed on to third parties within the framework of legal requirements. We only pass on users’ data to third parties if this is necessary, for example, on the basis of Art. 6 para. 1 lit. b) DSGVO for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f. DSGVO in the economic and effective operation of our business.

If we use subcontractors to provide our services, we take appropriate legal precautions and corresponding technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal provisions.

If content, tools or other means from other providers (hereinafter collectively referred to as “third party providers”) are used within the scope of this data protection declaration and their named registered office is located in a third country, it is to be assumed that a data transfer to the third party providers’ countries of domicile takes place. Third countries are countries in which the GDPR is not directly applicable law, i.e. basically countries outside the EU or the European Economic Area. The transfer of data to third countries takes place if there is either an adequate level of data protection, user consent or other legal permission.

4. Provision of contractual services

We process inventory data (e.g., names and addresses as well as contact data), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 lit b. DSGVO.

Website visitors can create a user account on our website, with which they can in particular create, view and manage their trust payments. For the opening of the user account as well as for the disbursement of the funds, the following personal data are collected:

  • Name, first name

  • e-mail address

  • Password

  • Date of birth

  • Nationality

  • Address (street, house number, postal code, city, country)

  • Mobile number

  • Bank details (e.g. IBAN, BIC)

For so-called business accounts, the following data is also collected:

  • Name of the company

  • Sales tax identification number or tax number

  • Address of the company

For registration we use the so-called double-opt-in procedure. This means that registration is not completed until the user confirms registration by clicking a link in a verification e-mail sent for this purpose.

The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regard to the user account will be deleted, subject to their retention being necessary for reasons of commercial or tax law in accordance with Art. 6 para. 1 lit. c DSGVO.

For the purpose of carrying out trustee payments, personal data is processed as follows:

  • First and last name

  • Status of identification (identification open / identification completed)

  • Chat messages

These data, as well as information and status messages on the escrow payments, are exchanged between the parties involved.

The user consents to pay & relax GmbH transmitting the data to the persons or companies involved in the escrow payment.

The payments initiated via PAYLAX are processed via the electronic payment system by our payment service provider MANGOPAY S.A., 10 Boulevard Royal, L-2449 Luxembourg (“MANGOPAY”). For this purpose, your data (see 4.2.) will be forwarded to MANGOPAY. Required data beyond this (e.g. identification data or company documents for identification, credit card data for payment processing with credit card) are not stored by PAYLAX, but forwarded directly to MANGOPAY.

For more information about the data processing of MANGOPAY, please refer to the privacy policy of MANGOPAY. (https://www.mangopay.com/de/privacy/)

5. PAYLAX Connect

Via the PAYLAX Connect interface, it is possible for third-party platforms (e.g. online marketplaces or online stores) to integrate PAYLAX as a payment method.

If the user on a third-party platform agrees to the connection of his PAYLAX account with the third-party platform via PAYLAX Connect, the third-party platform receives the following data of the user:

  • PAYLAX user ID

  • Identification status of the account (Open / Started / Failed / Successful)

  • Whether the account is a business account

  • For business accounts, type of company (retailer / organization or association / legal entity)

  • First and last name

  • E-mail address

  • Name of the company

  • Country of residence or registered office of the company

  • Whether the email address has already been verified

The user can remove the connection with the third party platform at any time via his PAYLAX account.

6. Contacting us

When contacting us (by e-mail or telephone), the information is processed for the purpose of handling the contact request and its processing in accordance with Art. 6 para. 1 lit. b) DSGVO.

The user’s/customer’s details may be stored in our Customer Relationship Management System (“CRM System”) or comparable inquiry organization.

7. Collection of access data and log files

On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we collect data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud).

8. Cookies & Reach Measurement

Cookies are pieces of information that are transmitted from our web server or third-party web servers to the web browsers of the users of our online offering and stored there for later retrieval. Cookies may be small files or other types of information storage.

We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status and thus the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and log out, for example.

Users are informed about the use of cookies in the context of pseudonymous range measurement as part of this privacy policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

You can object to the use of cookies that are used for range measurement and advertising purposes via the Network Advertising Initiative deactivation page (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

9. Google Analytics

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f. DSGVO), we use Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google uses cookies. The information generated by the cookie about the use of the online offer by the users is usually transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous usage profiles of the users can be created from the processed data.

We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called “Remarketing Audiences”, or “Google Analytics Audiences”). With the help of Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of users and do not have a harassing effect.

We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offer, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

For more information about Google’s data use, settings and opt-out options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use our partners’ websites or apps”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information Google uses to serve you ads”).

If you do not agree with the collection, you can prevent it with the one-time installation of the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout

10. Newsletter

With the following instructions, we inform you about the contents of our free newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.

Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. Insofar as the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our products, offers, promotions and our company.

Double opt-in and logging: Registration for our newsletter is carried out in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with e-mail addresses that are not their own. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

Dispatch service provider: The newsletter is dispatched using “MailChimp”, a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy policy of the shipping service provider here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with the European level of data protection (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

Furthermore, according to its own information, the shipping service provider may use this data in pseudonymous form, i.e. without assigning it to a user, to optimize or improve its own services, e.g. to technically optimize the shipping and display of the newsletters or for statistical purposes to determine which countries the recipients come from. However, the dispatch service provider does not use the data of our newsletter recipients to address them itself or to pass them on to third parties.

Registration data: To sign up for the newsletter, it is sufficient to provide your e-mail address.

Statistical collection and analyses: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include the determination of whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. Rather, the evaluations serve to help us recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The use of the dispatch service provider, performance of the statistical surveys and analyses as well as logging of the registration process, are carried out on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO. Our interest is directed towards the use of a user-friendly as well as secure newsletter system that serves our business interests as well as meets the expectations of the users.

Cancellation/revocation: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. This will simultaneously terminate your consents to its dispatch by the dispatch service provider and the statistical analyses. A separate cancellation of the dispatch by the dispatch service provider or the statistical analysis is unfortunately not possible. A link to cancel the newsletter can be found at the end of each newsletter. If users have only registered for the newsletter and cancelled this registration, their personal data will be deleted.

11. Integration of third-party services and content

Within our online offer, on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO), we integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the display of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, and may also be linked to such information from other sources.

The following presentation provides an overview of third-party providers and their content, along with links to their privacy statements, which contain further information on the processing of data and, in part already mentioned here, opt-out options:

We use the service Sentry (Sentry, 1501 Mariposa St #408, San Francisco, CA 94107, USA) to improve the technical stability of our service by monitoring system stability and identifying code errors. Sentry does not evaluate data for advertising purposes. User data, such as device details or time of error, are collected anonymously and are not used in a personalized manner. For more information, please refer to Sentry’s privacy policy: https://getsentry.com/privacy/.

External fonts from Google, Inc, https://www.google.com/fonts (“Google Fonts”). The integration of Google Fonts is done by a server call at Google (usually in the USA). Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

Maps of the service “Google Maps” of the third party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

Within our online offer, functions of the service Twitter can be integrated. These functions are offered by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “Re-Tweet” function, the websites you visit are linked to your Twitter account and made known to other users. In the process, data is also transferred to Twitter. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Twitter. Privacy policy of Twitter at http://twitter.com/privacy. You can change your privacy settings on Twitter in the account settings at http://twitter.com/account/settings.

We use functions of the XING network. The provider is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Each time one of our pages containing Xing functions is called up, a connection to Xing servers is established. As far as we are aware, no personal data is stored in this process. In particular, no IP addresses are stored or usage behavior evaluated. Privacy policy: https://www.xing.com/app/share?op=data_protection.

Our website uses the web analytics service Hotjar from Hotjar Ltd. Hotjar Ltd. is a European company based in Malta (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe, Tel.: +1 (855) 464-6788).

This tool can be used to track movements on the websites on which Hotjar is used (so-called heat maps). For example, it is possible to see how far users scroll and how often they click on which buttons. The tool also makes it possible to obtain feedback directly from website users. Above all, Hotjar’s services can improve the functionality of the Hotjar-based website by making it more user-friendly, more valuable, and easier to use for end users.

We pay special attention to the protection of your personal data when using this tool. For example, we can only track which buttons are clicked, mouse history, how far users scroll, device screen size, device type and browser information, geographic location (country only) and preferred language to display our website. Areas of the websites in which personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable at any time. In order to exclude a direct personal reference, IP addresses are only stored and processed anonymously. However, Hotjar uses various third-party services such as Google Analytics and Optimizely. It may therefore be the case that these services collect data transmitted by your browser as part of web page requests. This would be, for example, cookies or your IP address. In these exceptional cases, this processing is carried out in accordance with Art. 6 (1) lit. a DSGVO on the basis of the consent you have given for the purpose of statistical analysis of user behavior for optimization and marketing purposes.

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The data will be deleted no later than 12 months after it has been collected.

Hotjar offers each user the option of using a “Do Not Track header” to prevent the use of the Hotjar tool so that no data is recorded about the visit to the respective website. This is a setting that all common browsers support in current versions. To do this, your browser sends a request to Hotjar with the instruction to deactivate the tracking of the respective user. If you use our websites with different browsers/computers, you will have to set up the “Do Not Track header” separately for each of these browsers/computers.

When visiting a Hotjar-based website, you can prevent Hotjar from collecting your data at any time by going to our opt-out page at https://www.hotjar.com/legal/compliance/opt-out/ and clicking Disable Hotjar.

For more information about Hotjar Ltd. and about the Hotjar tool, please visit: https://www.hotjar.com.

The privacy policy of Hotjar Ltd. can be found at: https://www.hotjar.com/privacy/

To accept and manage contact requests, we use the Freshdesk customer service system (hereinafter “Freshdesk”), a service provided by Freshworks Inc, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (hereinafter “Freshworks”). When you contact us (by e-mail), your details are stored in Freshdesk for the purpose of processing the contact request and handling it.

pay & relax GmbH has concluded an order processing contract with Freshworks for the use of Freshdesk. Through this contract, Freshworks assures that it processes the data in accordance with the General Data Protection Regulation and ensures the protection of the rights of the data subject.

The corresponding data processing is based on Art. 6 para. 1 sentence 1 lit. b DSGVO and may be necessary for the execution of the contract with you or pre-contractual measures. In addition, the data processing is based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f DSGVO. Our legitimate economic interest lies in optimizing the management of contact requests and improving customer care in order to provide our services.

More information about “Freshdesk” and data protection at Freshworks can be found at https://www.freshworks.com/privacy/.

We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (Cloudflare) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 para. 1 lit. f DSGVO). A CDN is a network of globally distributed servers that is able to deliver optimized content to the user. For this purpose, personal data may be processed in server log files by Cloudflare.

Cloudflare is a recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f DSGVO not to operate a content delivery network ourselves.

You have the right to object to the processing. Whether the objection is successful is to be determined as part of a balancing of interests.

The processing of the data provided under this section is not required by law or contract. The functionality of the website is not guaranteed without the processing.

Your personal data will be stored by Cloudflare for as long as necessary for the purposes described.

For more information on objection and removal options vis-à-vis Cloudflare, please visit: Cloudflare DPA

Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf

We use the CRM, sign-up and marketing automation system “HubSpot”, from the provider HubSpot Inc. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA) with offices in Ireland (One Dockland Central, Dublin 1, Ireland) and Germany (Am Postbahnhof 17, 10243 Berlin) based on our legitimate interests (efficient and fast processing of user inquiries, applications and optimization of our online offering). For this purpose, we have concluded a contract with HubSpot with so-called standard contractual clauses, in which HubSpot undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level.

For more info on HubSpot’s privacy policy, please click here: https://legal.hubspot.com/de/dpa and https://legal.hubspot.com/de/privacy-policy.

External code of the JavaScript framework “jQuery” provided by the third-party provider jQuery Foundation, https://jquery.org.

12. Rights of the users

Users have the right to obtain, upon request and free of charge, information about the personal data that we have stored about them.

In addition, users have the right to have inaccurate data corrected, to have processing restricted and their personal data deleted, where applicable to assert their rights to data portability, and, if they assume that data is being processed unlawfully, to file a complaint with the competent supervisory authority.

Likewise, users may revoke consents, in principle with effect for the future.

13. Deletion of data

The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations. If the user data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. That is, the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for reasons of commercial or tax law.

According to legal requirements, data is stored for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

14. Right of objection

Users may object to the future processing of their personal data in accordance with the legal requirements at any time. The objection can be made in particular against processing for purposes of direct advertising.

15. Changes to the data protection declaration

We reserve the right to change the data protection declaration in order to adapt it to changed legal situations, or in the event of changes to the service as well as data processing. However, this only applies with regard to declarations on data processing. Insofar as user consents are required or components of the data protection declaration contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users.

Users are requested to inform themselves regularly about the content of the data protection declaration.