NachhaltigkeitsheldenNachhaltigkeitshelden
Back to home

Privacy Policy

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to briefly as "data") we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering"). The terms used are not gender-specific.

Controller

Nachhaltigkeitshelden GmbH
Simbacher Str. 17
81673 Munich

Represented by:

Thomas Klir,
Kevin Tscholitsch

Contact details:

E-mail: datenschutz@nachhaltigkeitshelden.de

Overview of processing activities

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

Categories of data subjects

Purposes of processing

Material legal bases

In the following, we share the legal bases of the General Data Protection Regulation (GDPR) on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection requirements in your or our country of residence and registered office may also apply. Should more specific legal bases be material in individual cases, we will inform you of these in the privacy policy.

National data protection provisions in Germany: In addition to the data protection provisions of the General Data Protection Regulation, national data protection provisions apply in Germany. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains in particular special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes and the transmission as well as automated decision-making in individual cases including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG). Furthermore, state data protection laws of the individual federal states may apply.

Security measures

We take, in accordance with statutory requirements, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and extent of the threat to the rights and freedoms of natural persons, appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

The measures include in particular the security of the confidentiality, integrity and availability of data through control of the physical and electronic access to the data as well as access to it, input, transmission, ensuring availability and separation. Furthermore, we have established procedures to ensure that data subjects can exercise their rights, delete data and respond to threats to data.

SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can identify such encrypted connections by the https:// prefix in your browser's address bar.

Transmission and disclosure of personal data

In the course of our processing of personal data, data is transmitted or disclosed to other bodies, companies, legally independent organisational units or persons. Recipients of this data may include, for example, financial institutions as part of payment transactions, service providers assigned IT tasks or providers of services and content embedded in a website. In such cases, we comply with statutory requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transmission within the organisation: We may transmit personal data to other bodies within our organisation or grant them access to this data. If this transmission is for administrative purposes, the transmission of the data is based on our legitimate business and commercial interests or is carried out to the extent necessary to fulfil our contractual obligations or if there is consent from the data subjects or a legal permission.

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if processing takes place in the context of using services from third parties or disclosure or transmission of data to other persons, bodies or companies, this only occurs in accordance with statutory requirements.

Unless expressly consented to, or transmission required by contract or law, we only process or have data processed in third countries with a recognised level of data protection, contractual obligations through so-called standard data protection clauses of the EU Commission, where certifications or binding internal data protection rules exist (Art. 44 to 49 GDPR).

Use of cookies

Cookies are text files containing data from websites or domains visited and stored by a browser on a user's computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. The stored information may include, for example, language settings on a website, login status, a shopping cart or the point where a video was watched. We also include other technologies in the term cookies that fulfil the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also referred to as "user IDs").

The following cookie types and functions are distinguished:

Notes on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent. Otherwise, data processed using cookies will be processed on the basis of our legitimate interests or, if the use of cookies is necessary to fulfil our contractual obligations.

Storage duration: Unless we provide you with explicit information about the storage duration of permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage duration may be up to two years.

General information on revocation and objection (opt-out): Depending on whether processing is based on consent or legal permission, you have the option at any time to revoke a given consent or to object to the processing of your data by cookie technologies. You can first declare your objection by means of the settings in your browser, for example by deactivating the use of cookies. An objection to the use of cookies for the purposes of online marketing can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Data processed: Usage data, meta-/communication data.
Data subjects: Users (e.g. website visitors, users of online services).
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Commercial and business services

We process data of our contractual and business partners, e.g. customers and prospects (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as associated measures and in the context of communication with the contractual partners (or pre-contractually), e.g. to respond to requests.

We process this data to fulfil our contractual obligations, to secure our rights and for the purpose of administrative tasks associated with this information as well as business organisation. We only disclose the data of contractual partners to third parties to the extent permitted by applicable law, insofar as this is necessary for the aforementioned purposes or to fulfil legal obligations or with the consent of the data subjects (e.g. to involved telecommunications, transport and other ancillary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after the expiry of 4 years, unless the data is stored in a customer account, for example as long as it must be kept for legal archival reasons (e.g. for tax purposes generally 10 years).

Customer account: Contractual partners can create an account within our online offering (e.g. customer or user account, briefly "customer account"). Customer accounts are not public and cannot be indexed by search engines. In the context of registration as well as subsequent logins and use of the customer account, we store the IP addresses of customers together with the access times in order to prove registration and to prevent any misuse of the customer account.

Shop and e-commerce: We process our customers' data to enable them to select, purchase or order the chosen products, goods and associated services, as well as to allow payment and delivery or execution.

Payment service providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and use, in addition to banks and credit institutions, other payment service providers for this purpose (collectively "payment service providers").

The data processed by the payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them.

Services and service providers used:

PayPal: Payment services and solutions (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Website: https://www.paypal.com/de; Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Provision of online offering and web hosting

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed.

The data processed in the context of providing the hosting offering may include all information concerning users of our online offering that arises in the context of use and communication. This regularly includes the IP address, which is necessary to deliver the contents of online offerings to browsers, and all entries made within our online offering or on websites.

Email transmission and hosting: The web hosting services we use also include the transmission, receipt and storage of emails. For these purposes, the addresses of recipients and senders as well as other information relating to the email transmission and the contents of the respective emails are processed.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the web pages and files retrieved, date and time of retrieval, data volumes transmitted, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and generally IP addresses and the requesting provider.

We use the following host: STRATO AG, Pascalstr. 10, 10587 Berlin.

Registration, login and user account

Users can create a user account. In the context of registration, users are informed of the required mandatory information and this is processed for the purpose of providing the user account on the basis of contractual obligations. The processed data includes in particular login information (name, password and an email address).

Users can be informed by email of events relevant to their user account, such as technical changes. If users have terminated their user account, their data with regard to the user account will be deleted, subject to a legal retention obligation. It is the responsibility of users to backup their data after termination before the end of the contract.

In the context of using our registration and login functions and the use of the user account, we store the IP address and the time of each user action. Storage is based on our legitimate interests as well as those of users in protection against misuse and other unauthorised use.

Web analysis, monitoring and optimisation

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows to our online offering and can include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify at what times our online offering or its functions or content are most frequently used.

The IP addresses of users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users.

Services and service providers used:

Google Analytics: Reach measurement and web analysis; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy.

Online marketing

We process personal data for the purposes of online marketing, which in particular may include the marketing of advertising space or the display of advertising and other content based on the potential interests of users and the measurement of their effectiveness.

Services and service providers used:

Google Ads and conversion measurement: We use the online marketing method "Google Ads" to place ads in the Google advertising network. Service provider: Google Ireland Limited; Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy.

Google AdSense with personalised ads: We use the Google AdSense service with personalised ads, with the help of which ads are displayed within our online offering. Service provider: Google Ireland Limited; Privacy policy: https://policies.google.com/privacy.

Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the European Union. This may create risks for users, as it may, for example, make it more difficult to enforce users' rights.

Services and service providers used:

Instagram: Social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.

Facebook: Social network; Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy.

Plugins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This may include, for example, graphics, videos or social media buttons as well as posts.

Integration always requires that third-party providers of such content process the IP address of users, as they would not be able to send the content to their browser without the IP address.

Google Fonts: We integrate the fonts ("Google Fonts") of the provider Google. Service provider: Google Ireland Limited; Privacy policy: https://policies.google.com/privacy.

Google Maps: We integrate the maps of the "Google Maps" service from the provider Google. The data processed may in particular include IP addresses and location data of users. Service provider: Google Ireland Limited; Privacy policy: https://policies.google.com/privacy.

Instagram plugins and content: This may include, for example, content such as images, videos or texts and buttons with which users can share content from this online offering within Instagram. Service provider: Instagram Inc.; Privacy policy: https://instagram.com/about/legal/privacy.

Deletion of data

The data processed by us is deleted in accordance with statutory requirements as soon as the consents given for processing are revoked or other permissions expire (e.g. if the purpose of processing this data has ceased or they are not required for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

Amendment and update of the privacy policy

We ask you to regularly review the contents of our privacy policy. We adapt the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require any action on your part (e.g. consent) or any other individual notification.

Rights of data subjects

As a data subject, you have various rights under the GDPR, which in particular result from Art. 15 to 21 GDPR:

Created with Datenschutz-Generator.de by Dr. Thomas Schwenke