Data Protection Declaration according to the GDPR
1. Introduction
In the following, we provide information about the processing of personal data when using:
our website https://zoolo.io
our profiles on social media.
Personal data are all data that can be related to a specific natural person, e.g., their name or IP address.
1.1. Contact data
The controller according to Art. 4 para. 7 EU General Data Protection Regulation (GDPR) is Smart Industries GmbH, Brienner Straße 56, 80333 Munich, Germany, email: info@zoolo.io. We are legally represented by Julius Betzler, Vincent Kugler.
Our data protection officer is heyData GmbH, Kantstr. 99, 10627 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.
1.2. Scope of data processing, processing purposes, and legal bases
We provide details on the scope of data processing, processing purposes, and legal bases further below. The following legal bases may generally be considered for data processing:
Art. 6 para. 1 s. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.
Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the fulfillment of a contract, e.g., if a site visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing operations necessary for pre-contractual measures, such as inquiries about our products or services.
Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case in tax law.
Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis if we can rely on legitimate interests for processing personal data, e.g., for cookies necessary for the technical operation of our website.
1.3. Data processing outside the EEA
Insofar as we transmit data to service providers or other third parties outside the EEA, we guarantee the security of the data during the transfer on the basis of adequacy decisions of the EU Commission (Art. 45 para. 3 GDPR), as far as these exist (e.g., for the United Kingdom, Canada, and Israel).
If no adequacy decision exists (e.g., for the USA), the legal basis for data transfer is, as a rule and unless we provide a deviating note, standard contractual clauses. These are a set of rules adopted by the EU Commission and part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of data transfer. Many of the providers have given contractual guarantees beyond the standard contractual clauses, which protect the data beyond the standard contractual clauses. These include, for example, guarantees regarding the encryption of data or regarding an obligation of the third party to inform data subjects if law enforcement agencies want to access data.
1.4. Storage duration
Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and there are no legal retention obligations to the contrary. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data that we must retain for commercial or tax reasons.
1.5. Rights of data subjects
Data subjects have the following rights concerning the personal data relating to them:
Right to information,
Right to rectification or erasure,
Right to restriction of processing,
Right to object to processing,
Right to data portability,
Right to revoke consent given at any time.
Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data.
1.6. Obligation to provide data
Customers, interested parties, or third parties are only required to provide us with the personal data necessary for the establishment, implementation, and termination of a business relationship or other relationship or which we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or provide a service or may no longer be able to carry out an existing contract or other relationship.
Mandatory information is marked as such.
1.7. No automated decision-making in individual cases
We do not generally use fully automated decision-making according to Article 22 GDPR for the establishment and implementation of a business relationship or other relationship. If we use these procedures in individual cases, we will inform you separately if this is legally required.
1.8. Contact
When contacting us, e.g., by email or phone, the data provided to us (e.g., names and email addresses) will be stored by us to answer questions. The legal basis for processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in answering inquiries addressed to us. We delete the data accruing in this context after storage is no longer necessary or restrict processing if legal retention obligations exist.
1.9. Customer surveys
From time to time, we conduct customer surveys to better understand our customers and their wishes. In doing so, we collect the data requested in each case. It is our legitimate interest to better understand our customers and their wishes, so the legal basis for the associated data processing is Art. 6 para. 1 s. 1 lit. f GDPR. We delete the data once the survey results have been evaluated.
2. Newsletter
We reserve the right to inform customers who have already used our services or purchased goods from us from time to time by email or other electronic means about our offers if they have not objected to this. The legal basis for this data processing is Art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest lies in direct advertising (recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without incurring additional costs, for example, via the link at the end of each email or by sending an email to our email address mentioned above.
Based on the recipients' consent (Art. 6 para. 1 s. 1 lit. a GDPR), we also measure the opening and click rate of our newsletters to understand which content is relevant to our recipients.
We send newsletters with the following tools:
Mailgun from Mailgun Technologies, Inc., 112 E Pecan St Ste 1135, San Antonio, TX, 78205-1509, USA (Privacy Policy: https://www.mailgun.com/privacy-policy/). The provider processes content, usage, meta/communication data, and contact data within the EU.
Intercom from R&D Unlimited Company 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland (Privacy Policy: https://www.intercom.com/legal/privacy). The provider processes content, usage, meta/communication data, and contact data in the USA.
3. Data processing on our website
3.1. Informational use of the website
When using the website for informational purposes, i.e., when visitors do not separately transmit information to us, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. Our legitimate interest lies in this, so the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
This data includes:
IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred in each case
Website from which the request comes
Browser
Operating system and its interface
Language and version of the browser software.
This data is also stored in log files. It will be deleted when its storage is no longer necessary, at the latest after 14 days.
3.2. Web hosting and provision of the website
Framer B.V., Singel 258, 1016 AB Amsterdam, Netherlands (Privacy Statement: https://www.framer.com/legal/privacy-statement/) within the EU. We also use a content delivery network provided by the provider. The provider processes the personal data transmitted through the website, e.g., content, usage, meta/communication data, or contact data. Our legitimate interest is in providing a website, so the legal basis for data processing is Art. 6 para. 1 s. 1 lit. f GDPR.
3.3. Job Advertisements
We publish job openings within our company on our website, on pages connected to the website, or on third-party websites. The processing of data provided during the application process is carried out to implement the application process. If this is necessary for our decision to establish an employment relationship, the legal basis is Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 BDSG. We have appropriately marked or indicated the data required for the application process. If applicants do not provide this data, we cannot process their application.
Additional data is voluntary and not required for an application. If applicants provide further information, the basis is their consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
We ask applicants to refrain from providing information on political opinions, religious beliefs, and similar sensitive data in their resumes and cover letters. This information is not necessary for an application. However, if applicants still provide such information, we cannot prevent their processing as part of the resume or cover letter processing. This processing is then also based on the applicant's consent (Art. 9 para. 2 lit. a GDPR).
Finally, we process applicant data for further application processes if they have given us their consent. In this case, the legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.
We pass on the applicant data to the responsible personnel department, our order processors in the recruiting area, and the other employees involved in the application process.
If we enter into an employment relationship with the applicant following the application process, we delete the data only after the termination of the employment relationship. Otherwise, we delete the data no later than six months after the rejection of an applicant.
If applicants have given us their consent to use their data for further application processes, we delete their data only one year after receiving the application.
3.4. Booking Appointments
Visitors to our website can book appointments with us. For this purpose, we process the entered data and meta- or communication data. We have a legitimate interest in offering potential customers a user-friendly way to arrange appointments. Therefore, the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If we use a third-party tool for booking, information can be found under "Third-party providers."
3.5. Customer Area
Visitors to our website can open a customer account. We process the data requested during this process to fulfill the respective usage contract for the account, so the legal basis for processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
3.6. Payment Service Providers
To process payments, we use Stripe Payments Europe, Ltd., Ireland, which is itself a data protection controller within the meaning of Art. 4 No. 7 GDPR. To the extent that we receive data and payment data entered by our customers during the order process, we fulfill the contract concluded with our customers (Art. 6 para. 1 sentence 1 lit. b GDPR).
3.7. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files stored in the web browser on a visitor's device. Cookies help make the offer more user-friendly, effective, and secure. If these cookies are necessary for the operation of our website or its functions (hereinafter "Technically necessary cookies"), the legal basis for the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing a functional website to customers and other visitors.
Specifically, we use technically necessary cookies for the following purpose(s):
Cookies that adopt language settings,
Cookies that store login data,
Cookies set by payment providers for payment processing that do not analyze user behavior.
3.8. Third-party providers
3.8.1. Calendly
We use Calendly for scheduling appointments. The provider is Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA. The provider processes usage data (e.g., visited websites, interest in content, access times), contact data (e.g., email addresses, phone numbers), and master data (e.g., names, addresses) in the USA.
The legal basis for processing is Art. 6 (1) sentence 1 lit. a GDPR. The processing is based on consents. Data subjects can withdraw their consent at any time by contacting us, e.g., using the contact details provided in our privacy policy. The withdrawal does not affect the legality of the processing until the withdrawal.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses adopted according to the examination procedure under Art. 93 (2) GDPR (Art. 46 (2) lit. c GDPR), which we have agreed with the provider.
We delete the data when the purpose of their collection has ceased. Further information can be found in the provider's privacy policy at https://calendly.com/pages/privacy.
3.8.2. Intercom
We use Intercom for communication with users. The provider is R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland. The provider processes usage data (e.g., visited websites, interest in content, access times), contact data (e.g., email addresses, phone numbers), and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for processing is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in optimizing interaction with our website visitors.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses adopted according to the examination procedure under Art. 93 (2) GDPR (Art. 46 (2) lit. c GDPR), which we have agreed with the provider.
We delete the data when the purpose of their collection has ceased. Further information can be found in the provider's privacy policy at https://www.intercom.com/legal/privacy.
3.8.3. IP stack
We use IP stack for the security of our applications. The provider is Apilayer Data Products GmbH, Untere Donaustraße, 1020 Vienna, Austria. The provider processes meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for processing is Art. 6 (1) sentence 1 lit. a GDPR. The processing is based on consents. Data subjects can withdraw their consent at any time by contacting us, e.g., using the contact details provided in our privacy policy. The withdrawal does not affect the legality of the processing until the withdrawal.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses adopted according to the examination procedure under Art. 93 (2) GDPR (Art. 46 (2) lit. c GDPR), which we have agreed with the provider.
The data will be deleted when the purpose of their collection has ceased and there is no legal obligation to retain them. Further information can be found in the provider's privacy policy at https://www.ideracorp.com/Legal/APILayer/PrivacyStatement.
4. Data processing on social media platforms
We are present on social media networks to showcase our company and our services. The operators of these networks regularly process user data for advertising purposes. Among other things, they create user profiles based on their online behavior, which are used, for example, to display advertising on the network pages and elsewhere on the internet that corresponds to the users' interests. To this end, the network operators store information on user behavior in cookies on the users' computers. It cannot be ruled out that the operators will combine this information with further data. Further information, as well as instructions on how users can object to the processing by the site operators, can be found in the privacy policies of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries, which means that they process data there. This may result in risks for users, e.g., because the enforcement of their rights becomes more difficult or state authorities may access the data.
If users of the networks contact us via our profiles, we process the data they provide to answer their inquiries. Our legitimate interest lies in this, so the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.
4.1. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. An option to object to data processing can be found in the advertising settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
4.2. Xing
We maintain a profile on Xing. The operator is New Work SE, Dammtorstraße 29-32, 20354 Hamburg. The privacy policy can be found here: https://privacy.xing.com/en/privacy-policy.
5. Changes to this privacy policy
We reserve the right to change this privacy policy with effect for the future. An up-to-date version is always available here.
6. Questions and comments
If you have any questions or comments regarding this privacy policy, please feel free to contact us using the contact information provided above.
Version 1.1 - Last edited on Mar 20, 2023