PrivacyStatement

1.1 Contact details

The data controller within the meaning of Art. 4 para. 7 EU General Data Protection Regulation (GDPR) is Markteffect .V., Schimmelt 46, Eindhoven,
Netherlands, email:markteffect. We are legally represented by
Hesam Fahimi.

Our data protection officer can be contacted via heyData GmbH,
Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2 Scope of data processing, processing purposes, and legal bases

The scope of data processing, the purposes of processing, and the legal bases
are described below. In principle, the following applies as the legal basis for data processing
:

• Art. 6 para. 1 s. 1 lit. a GDPR serves as our legal basis for processing
  for which we obtain consent.
• Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of
  personal data is necessary for the performance of a contract,
  for example if a visitor to a website purchases a product from us or we
  perform a service for them. This legal basis also applies to the
  processing necessary for pre-contractual measures, such as in the
  case of questions about our products or services.
• Art. 6 para. 1 s. 1 lit. c GDPR applies if we process personal data to comply with a legal obligation
  , as may be the case, for example, under
  tax law.
• Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis when we can
  rely on legitimate interests to process personal data,
  for example for cookies that are necessary for the technical operation of
  our website.

1.3 Data processing outside the EEA

Insofar as we transfer data to service providers or other third parties outside the
EEA, the security of the data during the transfer is guaranteed by
adequacy decisions of the EU Commission, insofar as these exist (e.g. for Great
Britain, Canada, and Israel) (Art. 45 para. 3 GDPR). 

In the case of data transfers to service providers in the US, the legal basis for the data transfer is an adequacy decision by the EU-
Commission if the service provider has also certified itself under the EU-US Data
Privacy Framework.

In other cases (e.g., if there is no adequacy decision), the legal basis for data transfer is usually
, i.e., unless we indicate otherwise,
standard contractual clauses. These are a set of rules approved by the EU Commission
and form part of the contract with the third party concerned.
According to Art. 46 para. 2 lit. b GDPR, they guarantee the security of the
data transfer. Many of the providers have given contractual guarantees
that go beyond the standard contractual clauses to protect the data.
These include, for example, guarantees regarding the encryption of data
or regarding an obligation on the part of the third party to inform data subjects
if law enforcement authorities want to access the respective data.

1.4 Duration of storage

Unless expressly stated in this privacy policy, the data stored by us
will be deleted as soon as it is no longer required for the intended purpose and no
legal obligations to retain data conflict with the deletion. If
the data is not deleted because it is required for other and legally
permitted purposes, its processing will be restricted, i.e., the data
will be blocked and not processed for other purposes. This applies, for example,
to data that must be retained for commercial or tax reasons
.

1.5 Rights of data subjects

Data subjects have the following rights in relation to us with regard to their personal data:

• Right of access
• Right to rectification or erasure
• Right to restriction of processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent at any time

Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. The contact details of the data protection supervisory authorities are available at
https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

1.6 Obligation to provide data

In the context of the business or other relationship, customers, potential customers, or third parties must provide us with personal data that is necessary for entering into, executing, and terminating a business or other relationship, or that we are legally required to collect. Without this data, we will generally have to refuse to enter into the contract or provide a service, or we will no longer be able to perform an existing contract or other relationship. 

Mandatory information is marked as such.

1.7 No automated individual decision-making

In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and execute the business or other relationship. Should we use these procedures in individual cases, we will notify you separately if this is required by law.

1.8 Contact

When you contact us, for example by email or telephone, we store the information provided to us (e.g., names and email addresses) in order to answer your questions. The legal basis for processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in answering questions addressed to us. We delete the data created in this context once storage is no longer necessary or restrict processing if there are legal retention obligations.

1.9 Customer surveys

From time to time, we conduct customer surveys to get to know our customers and their wishes better. In doing so, we collect the requested data each time. It is in our legitimate interest to get to know our customers and their wishes better, so that the legal basis for the associated data processing is Art. 6 para. 1 s. 1 lit f GDPR. We delete the data as soon as the results of the surveys have been evaluated.

2. Newsletter

We reserve the right to inform customers who have already used our services or purchased goods from us from time to time by email or other means about our offers, provided they have not objected to this. The legal basis for this data processing is Art. 6 para. 1 s. 1 lit. f GDPR. Our legitimate interest is to conduct direct advertising (recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without incurring any additional costs, for example via the link at the end of each email or by sending an email to our above-mentioned email address.
Interested parties have the option of subscribing to a free newsletter. We process the data provided during registration exclusively for the purpose of sending the newsletter.

Registration takes place by selecting the relevant field on our website, by ticking the relevant field in a paper document, or by another clear action, whereby interested parties declare their consent to the processing of their data, so that the legal basis is Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time, for example by clicking on the relevant link in the newsletter or by notifying us at the above-mentioned email address. The processing of data up to the point of revocation remains lawful even in the event of revocation. 

Based on the consent of the recipients (Art. 6 para. 1 s. 1 lit. a GDPR), we also measure the open rate and click-through rate of our newsletters to understand what is relevant to our audience. 

• We send newsletters using the SendGrid tool from the provider Twilio Ireland Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland. The provider processes content, usage, meta/communication data, and contact details in the US. Further information is available in the provider's privacy policy at https://www.twilio.com/legal/privacy.

3. Data processing on our website

3.1 Cookies

Our website stores information in the terminal equipment of website visitors (e.g., cookies) or accesses information already stored in the terminal equipment (e.g., IP addresses). Details of what information this is can be found in the following sections. 

This storage and access is based on the following provisions:

• technical necessity, insofar as this storage or access is absolutely necessary for us to provide the service expressly requested by website visitors (e.g., to implement a chatbot used by the website visitor or to ensure the IT security of our website) or
• the consent of the website visitor.

The subsequent data processing is carried out in accordance with the following paragraphs and based on the provisions of the GDPR.

3.2 Informative use of the website

During the informational use of the website, i.e. when website visitors do not send us any information individually, we collect the personal data that the browser sends to our server in order to ensure the stability and security of our website. This is our legitimate interest, so the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR. 

This information is:

• IP address
• Date and time of the request
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Website where the request originates from
• Browser
• Operating system and interface
• Language and version of the browser software.

This data placed on behalf of cookies is also stored in log files. It is deleted when it is no longer needed, at the latest after 14 days.

3.3 Web hosting and provision of the website

Our website is hosted by Strato. The provider is STRATO AG, Pascalstraße 10, 10587 Berlin. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact details, within the EU. Further information can be found in the provider's privacy policy at https://www.strato.de/datenschutz/. 

It is in our legitimate interest to offer a website, so the legal basis for the data processing described is Art. 6 para. 1 s. 1 lit. f GDPR. Our website is hosted by Microsoft Azure. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact details, within the EU. Further information can be found in the provider's privacy policy at https://privacy.microsoft.com/en-gb/privacystatement.

It is in our legitimate interest to offer a website, so the legal basis for the data processing described at
is Art. 6 para. 1 s. 1 lit. f GDPR. 

Our website is hosted by TransIP. The provider is TransIP B.V., Vondellaan 47, 2332 AA Leiden, Netherlands. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact details, within the EU. Further information can be found in the provider's privacy policy at https://www.transip.eu/legal-and-security/privacy-policy/. 

It is in our legitimate interest to offer a website, so the legal basis for the data processing described is Art. 6 para. 1 s. 1 lit. f GDPR.

We use the Cloudflare content delivery network for our website. The provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact details, in the USA. Further information can be found in the provider's privacy policy at https://www.cloudflare.com/de-de/privacypolicy/. 

We have a legitimate interest in using sufficient storage and delivery capacity to ensure optimal data throughput, even during high peak loads. Therefore, the legal basis for the data processing described is Art. 6 para. 1 s. 1 lit. f GDPR.

The legal basis for the transfer to a country outside the EEA is an adequacy decision. The security of the data transferred to the third country (i.e., a country outside the EEA) is guaranteed because the EU Commission has decided, as part of an adequacy decision in accordance with Art. 45 para. 3 GDPR, that the third country offers an adequate level of protection.

3.4 Contact form

When you contact us via the contact form on our website, we store the data requested there and the content of the message. The legal basis for processing is our legitimate interest in responding to questions addressed to us. The legal basis for processing is therefore Art. 6 para. 1 s. 1 lit. f GDPR. We delete the data created in this context once storage is no longer necessary or restrict processing if there are legal retention obligations.

3.5 Job openings

We publish job vacancies on our website, on pages linked to the website, or on third-party websites. 

The data provided as part of the application will be processed for the purpose of carrying out the application procedure. Insofar as this is necessary for our decision to enter into an employment relationship, the legal basis is Art. 6 (1) (b). We have marked the data required to carry out the application process accordingly or refer to it. If applicants do not provide this data, we will not be able to process the application. 

Further data is voluntary and not required for an application. If applicants provide further information, this is based on their consent (Art. 6(1)(a) GDPR).

We ask applicants not to include information about political opinions, religious beliefs, and similar sensitive data in their CVs and cover letters. This information is not required for an application. If applicants do provide such information, we cannot prevent it from being processed as part of the processing of the CV or cover letter. Its processing is therefore based on the consent of the applicants (Art. 9(2)(a) GDPR).

Finally, we process applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Article 6(1)(a) of the GDPR.

We pass on applicants' data to the responsible employees in the HR department, to our processors in the field of recruitment, and to other employees involved in the application process.

If we enter into an employment relationship with the applicant after the application process, we will only delete the data after the employment relationship has ended. In all other cases, we will delete the data no later than six months after rejecting an applicant.

If applicants have given us permission to use their data for further application procedures, we will only delete their data one year after receiving the application.

3.6 Single Sign On

Users can log in to our website via one or more single sign-on procedures. To do so, they use the login details already created for a provider. The prerequisite for this is that the user is already registered with the provider in question. When a user logs in using the single sign-on procedure, we receive information from the provider that the user is logged in with the provider, and the provider receives information that the user is using the single sign-on procedure on our website. Depending on the settings in the user's account on the provider's website, the provider may provide us with additional information. The legal basis for this processing is Art. 6 (1) (1) (f) GDPR. We have a legitimate interest in offering users a simple login option. At the same time, the interests of users are safeguarded, as use is voluntary only.

Providers of the procedure(s) offered:

• Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement)

3.7 Technically necessary cookies

Our website uses cookies. Cookies are small text files that are stored in the web browser on the end device of a website visitor. Cookies help to make the website more user-friendly, effective, and secure. Insofar as these cookies are necessary for the operation of our website or its functions (hereinafter referred to as "technically necessary cookies"), the legal basis for the associated data processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in providing customers and other website visitors with a functional website. Specifically, we place technically necessary cookies for the following purpose or purposes:

• Cookies to store login details
• Cookies to remember search terms

3.8 External providers

3.8.1. heyData
We have integrated a data protection seal into our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g., IP addresses) within the EU.

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our compliance with data protection regulations. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seals, which is why a mere image copy of the certificate is not a viable alternative for confirmation.

After collection, the data is masked so that there is no longer any personal reference. More information can be found in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung.

3.8.2 LinkedIn Ads
We use LinkedIn Ads for advertising. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The provider processes usage data (e.g., web pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses) in the EU. 

The legal basis for processing is Art. 6 para. 1 s. 1 lit. a GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time by contacting us, for example via the contact details in our privacy policy. The withdrawal does not affect the lawfulness of processing until the withdrawal. 

We delete the data when the purpose for which it was collected no longer applies. More information is available in the provider's privacy policy at https://www.linkedin.com/legal/privacy-policy?

3.8.3 Microsoft Clarity
We use Microsoft Clarity for analytics to identify opportunities. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. The provider processes usage data (e.g., web pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses) in the EU. 10 / 13 

The legal basis for processing is Art. 6 para. 1 s. 1 lit. a GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time by contacting us, for example using the contact details in our privacy policy. 

The withdrawal does not affect the lawfulness of the processing prior to the withdrawal.
The data will be deleted when the purpose for which it was collected no longer applies and there is no longer any obligation to retain it. Further information is available in the provider's privacy policy athttps://privacy.microsoft.com/de-de/privacystatement.

4. Data processing on social media platforms

We are represented on social media networks in order to present our organization and our services there. The administrators of these networks regularly process their users' data for advertising purposes. Among other things, they create user profiles based on their online behavior, which are used, for example, to display advertisements on the pages of the networks and elsewhere on the internet that match the interests of the users. To this end, the administrators of the networks store information about user behavior in cookies on the users' computers. Furthermore, it cannot be ruled out that the operators may combine this information with other data. Users can find more information and instructions on how to object to processing by the operators of the
sites in the data protection declarations of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries, so that they process data there. This may pose risks for users, for example because it is more difficult to enforce their rights or because government agencies have access to the data. 

When users of the networks contact us via our profiles, we process the data provided to us in order to respond to their inquiries. This is our legitimate interest, so the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.

4.1 Facebook

We maintain a profile on Facebook. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. You can object to data processing via the ad settings: https://www.facebook.com/settings?tab=ads.We are jointly responsible for the processing of data from visitors to our profile on the basis of an agreement within the meaning of Art. 26 GDPR with Facebook. Facebook explains exactly which data is processed at https://www.facebook.com/legal/terms/information_about_page_insights_data. Data subjects can exercise their rights both against us and against Facebook at
. However, according to our agreement with Facebook, we are obliged to forward requests to Facebook. Data subjects will therefore receive a faster response if they contact Facebook directly.

4.2 Instagram

We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.

4.3 LinkedIn

We maintain a profile on LinkedIn. The administrator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://https://www.linkedin.com/legal/privacy-policy?_l=de_DE. You can object to data processing via the ad settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

5. Changes to this privacy policy

We reserve the right to change this privacy policy in the future. An up-to-date version is always available here.

6. Questions and comments

If you have any questions or comments about this privacy policy, please do not hesitate to contact us at support@heydata.eu, addressed to Markteffect.