DATA PRIVACY STATEMENT

The following data privacy statement is intended to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This data privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online websites, such as our social media profiles (hereinafter collectively referred to as “online services”).

All terms used are not gender-specific.

INTRODUCTION

CONTROLLER

Wagawin GmbH

Haydnstr. 11

80336 Munich

Germany

E-mail: info@wagawin.com

Directors: Nicolas Leonhardt, Andreas Merold

Imprint: https://www.wagawin.com/imprint/

DATA PROTECTION OFFICER – CONTACT DETAILS

Ms Regina Mühlich

Data Protection Officer

Wagawin GmbH

Haydnstr. 11

80336 München

Germany

E-Mail: datenschutz@wagawin.com / privacy@wagawin.com

RELEVANT LEGAL GROUNDS

Below you will find the legal grounds of the General Data Protection Regulation (GDPR) that form the basis for the way in which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may also apply in your and our home state. Furthermore, we will inform you in the data privacy statement if more specific legal grounds apply in individual cases.

SECURITY MEASURES

We undertake appropriate technical and organizational measures in accordance with legal requirements, and taking into account the state of the art, implementation costs and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection commensurate with the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding of availability, and the separation of data. Furthermore, we have established procedures to ensure that the rights of data subjects are observed, that data are erased, and that we respond to any threat to the data. We also consider the protection of personal data as early as in the development or selection of hardware, software, and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

IP address truncation: Wherever it is possible for us, or if it is not necessary to store your IP address, we will truncate your IP address or have it truncated. In the event that your IP address is truncated, which is also known as “IP masking”, the last octet will be deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). The reason for truncating an IP address is to prevent or significantly inhibit the identification of a person based on their IP address.

SSL encryption (https): We use SSL encryption to protect the data transmitted via our online services. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

TRANSMISSION AND DISCLOSURE OF PERSONAL DATA

When we process personal data, it may happen that the data are transferred to, or disclosed to, other bodies, companies, legally independent organizational entities, or individuals. The recipients of such data may include, for example, payment institutions in connection with payment transactions, service providers commissioned to perform with IT-related tasks, or providers of services and content that are integrated into a website. We observe the statutory provisions in such cases and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transmission within the organization: We may transfer, or grant access to, personal information to other people within our organization. Where such transfer is for administrative purposes, the transfer of the data is based on our legitimate commercial and business interests, or is performed in order to meet our contractual obligations, or is based the consent of the data subjects, or legal authorization, that has been obtained.

DATA PROCESSING IN THIRD COUNTRIES

We will only process data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA)), or if processing takes place in connection with the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, in accordance with legal requirements.

We only process, or allow data to be processed, in third countries that offer a recognized level of data protection, or on the basis of special guarantees – such as contractual obligations based on so-called standard protection clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations – subject to express consent or if transfer is contractually or legally required (Articles 44 to 49 GDPR; please refer to the information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

ERASURE OF DATA

The data we process will be deleted in accordance with statutory provisions as soon as the consent granted for processing is withdrawn or other authorizations cease to apply (e.g. if the purpose for which the data were processed ceases to apply or if they are no longer necessary for such purpose).

The processing of the data will be limited to these purposes, unless the data are not erased because they are required for other, legally permissible purposes. This means that the data are blocked and not available for processing for other purposes. This applies, for example, to data that need to be retained for commercial or tax law reasons, or that need to be stored to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person.

You can find further information on the erasure of personal data in the individual data protection information of this privacy statement.

USE OF COOKIES

Cookies are text files that contain data from websites or domains visited and are stored by the browser on a user’s computer. The primary purpose of a cookie is to store information about a user during or after their visit to a website. Stored information may include, for example, the language settings for a website, login status, a shopping cart, or the location where a video was viewed. The term “cookies” also covers other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also known as “user IDs”).

A distinction is made between the following cookie types and functions:

• Temporary cookies (also called session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their browser.

• Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, a user’s login status can be saved, or preferred content can be displayed directly when the user revisits a website. Similarly, users’ interests, which are used to measure reach or for marketing purposes, can be stored in such a cookie.

• First-party cookies: First-party cookies are set by us.

• Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.

• Necessary (essential or absolutely necessary) cookies: Cookies may be absolutely necessary for the operation of a website (e.g. to store logins or other user entries, or for security reasons).

• Statistical, marketing and personalization cookies: In addition, cookies are also generally used in connection with range measurement and when the interests of a user or their behavior (e.g. viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This process is also known as “tracking”, i.e. monitoring the potential interests of users. We will inform you separately in our data privacy statement when we use cookies or “tracking” technologies, or at the time we obtain your consent.

Notes on legal basis: The legal basis on which we process your personal data using cookies depends on whether we ask you for your consent. If this is the case, and you consent to the use of cookies, the legal basis for processing your data is declared consent. Otherwise, data processed using cookies will be processed on the basis of our legitimate interests (e.g. for the commercial operation of our website and its improvement) or if the use of cookies is necessary to meet our contractual obligations.

Storage duration: Please assume that the storage duration can be up to two years unless we provide you with explicit information on the storage duration of permanent cookies (e.g. In connection with a so-called cookie opt-in).

General information on withdrawal and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you may at any time withdraw any consent you may have given or object to the processing of your data by cookie technologies (collectively referred to as an “opt-out”). You can initially declare your objection by means of your browser settings, e.g. by deactivating the use of cookies (this may also limit the functionality of our website). An objection to the use of cookies for online marketing purposes can also be lodge through a number of services, especially in the case of tracking, via websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further information on objections as part of the information on service providers and the cookies they use.

Processing cookie data based on consent: Before we process, or allow data to be processed, in connection with the use of cookies, we ask users for their consent, which can be withdrawn at any time. Until consent has been explicitly given, only those cookies will be used that are absolutely necessary for the operation of our website.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Users (e.g. website visitors, users of online services).

• Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

• Google Tag Manager

This website uses the Google Tag Manager. which allows website tags to be managed through an interface. The Google Tool Manager only implements tags. This means that cookies are used, and no personal data are collected. The Google Tool Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access these data. If deactivation was performed at the domain or cookie level, it will remain for all tracking tags, provided they are implemented with the Google Tag Manager.

o Provider: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

o Website: https://www.google.com

o Privacy policy: https://policies.google.com/privacy?hl=en

• Facebook Pixel

Our website uses Facebook Pixel, a remarketing service.

Facebook Pixel allows us to understand whether you complete certain actions on our website after you have viewed or clicked on one of our display/video ads on Facebook or another Facebook platform. Using the data from your interaction, we can then subsequently present you with targeted advertising.

The information generated by the pixel is transferred by Facebook to a server in the USA for evaluation and stored there. If you have a Facebook account, the information associated with Facebook Pixel can also be added to your Facebook account.

o Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

o Website: https://www.facebook.com

o Privacy policy: https://www.facebook.com/policy.php

• Google Floodlight Pixel

Our website uses Google Floodlight Pixel, a remarketing service.

Google Floodlight Pixel enables us to understand whether you complete certain actions on our website after viewing or clicking on one of our display/video ads on Google or another Google platform. Using the data from your interaction, we can then subsequently present you with targeted advertising.

The information generated by the pixel is transferred by Google to a server in the USA for evaluation and stored there. If you have a Google account, the information associated with Google Floodlight Pixel can also be added to your Google account.

o Provider: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

o Website: https://www.google.com

o Privacy policy: https://policies.google.com/privacy?hl=en

• LinkedIn Conversion Tracking (LinkedIn Corporation)

LinkedIn Conversion Tracking is an analytics service provided by LinkedIn Corporation that links data from the LinkedIn advertising network to actions taken through this application.

o Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

o Website: https://business.linkedin.com/marketing-solutions/conversion-tracking

o Privacy policy: https://www.linkedin.com/legal/privacy-policy; https://www.linkedin.com/legal/cookie-policy?trk=homepage-basic_footer-cookie-policy

• HubSpot

HubSpot is a global leader in marketing, sales, service and content management software. HubSpot’s diverse platforms help businesses grow, convert, organize and run inbound marketing campaigns at large scales.

o Provider: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141 USA

o Website: https://www.hubspot.com

o Privacy policy: https://legal.hubspot.com/privacy-policy

·       Webflow
Webflow is an in-browser design tool that gives you the power to design, build,and launch responsive websites visually.

o  Provider: Webflow, Inc., 398 11th Street, Floor 2, San Francisco,CA 94103

o  Website: https://webflow.com/

o  Privacy policy: https://webflow.com/legal/privacy

COMMERCIAL AND BUSINESS SERVICES

We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships, as well as associated measures, and within the scope of communication with the contractual (or pre-contractual) partners, e.g. In order to answer inquiries.

We process these data in order to meet our contractual obligations, to safeguard our rights, and for the purposes of the administrative tasks associated with these data, and for the purposes of the business organization. We will only disclose the data of contractual partners to third parties within the scope of applicable legislation to the extent that this is necessary for the aforementioned purposes, to meet legal obligations, or with the consent of data subjects, (e.g. to telecommunications, transport, and other auxiliary service companies involved, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Contractual partners will be informed about other forms of processing, e.g. for marketing purposes, as part of this data privacy statement.

We inform our contractual partners about what data are required for the aforementioned purposes before or during data collection, e.g. in online forms, by special labeling (e.g. colors) or symbols (e.g. asterisks), or personally.

We will delete the data after expiry of legal warranty and comparable obligations, i.e. as a matter of principle after 4 years, unless the data are stored in a customer account, e.g. for as long as they have to be kept for legal archiving reasons (e.g. 10 years legal obligation to retain data for tax purposes, contract documents). We will delete data that has been disclosed to us by the contractual partner in connection with an order in accordance with the specifications of the order, generally after completion of the order.

Where we use third-party providers or platforms to deliver our services, the terms and conditions and privacy policies of the particular third-party provider or platform will apply in the relationship between users and providers.

Customer account: We can create a customer account for contractual partners (e.g. advertisers). In this case, we will inform contractual partners of this as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process and subsequent logins and use of the customer account, we will store the customer’s IP address and the time of access in order to verify registration and prevent possible misuse of the customer account.

If customers have canceled their customer account or the contract, the data concerning the customer account will be deleted, unless there is a legal requirement for the data to be retained. The customer is responsible for backing up their data when the customer account is canceled.

• Types of data processed: Master data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject matter of the contract, duration, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Interested parties, business and contractual partners, customers.

• Purposes of processing: Contractual performance and service, contact requests and communication, office and organizational procedures, administration and answering inquiries, security measures.

• Legal grounds: Fulfillment of contracts and pre-contractual inquiries (Article 6 (1) (b) GDPR), legal obligation (Article 6 (1) (c) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

PROVISION OF ONLINE SERVICES AND WEB HOSTING

In order to make our website available in a secure and efficient manner, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the website can be accessed. To this end, we may call on infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance services.

The data processed as part of the provision of the hosting service may include all the data relating to the users of our website that arise in the course of usage and communication. This regularly includes the IP address, which is necessary to deliver the website content to browsers, and all entries made on our website or from websites.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, date and time of access, data volume transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited website) and, as a general rule, IP addresses and the requesting provider.

Server log files can be used for security purposes, e.g. to avoid overloading servers (especially in the case of abusive attacks, so-called DDoS attacks) and to safeguard server capacity utilization and stability.

• Types of data processed: Content data (e.g. text input, photographs, videos), usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: Contact requests and communication, reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, visitor action evaluation, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures).

• Legal grounds: Legitimate interests (Article 6 (1) (f) GDPR), consent (Article 6 (1) (a) GDPR).

CRM SYSTEM FROM SALESFORCE

We use the CRM system of provider salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany, in order to be able to process user inquiries faster and more efficiently (legitimate interest according to Article 6 (1) (f) GDPR).

salesforce will only use user data for the technical processing of inquiries and will not pass them on to third parties. You must provide at least one correct e-mail address in order to use salesforce. It is possible to use a pseudonym. It may be necessary to collect further data (name, address) in the course of processing service requests.

We offer users who do not consent to data collection and storage on salesforce.com’s external system alternative ways to submit service requests via email, phone, fax, or mail.

For more information, users should refer to salesforce’s privacy policy at https://www.salesforce.com/de/company/privacy/.

MAKING CONTACT

When contacting us (e.g. via a contact form, by e-mail, by telephone, or via social media), the data of the requesting persons will be processed to the extent necessary to answer the contact requests and provide any requested measures.

The response to contact requests within the context of contractual or pre-contractual relations is made in order to meet our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of a legitimate interest in responding to such inquiries.

• Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos).

• Data subjects: Communication partners.

• Purposes of processing: Contact requests and communication.

• Legal grounds: Contract performance and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).

VIDEO CONFERENCES, ONLINE MEETINGS, WEBINARS, AND SCREEN SHARING

We use platforms and applications of other providers (hereinafter referred to as “third-party providers”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings. We observe statutory provisions when selecting third-party providers and their services.

In this regard, data of communication participants will be processed and stored on the servers of third-party providers insofar as they are part of communication processes with us. Such data may include, in particular, registration and contact data, visual and vocal contributions, as well as entries on chats and shared screen content.

Third-party providers, their software, and platforms may process usage data and metadata for security, service optimization, or marketing purposes where users are referred to them in the course of communication, business, or other relationships with us. We would therefore ask you to note the data protection information of the relevant third-party providers.

Notes on legal basis: The legal basis for processing is consent, where we ask users for their consent to the use of third-party providers or certain functions (e.g. consent to a recording of conversations). Furthermore, such use may form part of our (pre-contractual) services, provided that the use of third-party providers has been agreed in this respect. Otherwise, user data are processed on the basis of our legitimate interest in efficient and secure communication with our communication partners. We would also refer you in this context to the information on the use of cookies in this data privacy statement.

• Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Communication partners, users (e.g. website visitors, users of online services).

• Purposes of processing: Contractual performance and service, contact requests and communication, office and organizational procedures.

• Legal grounds: Consent (Article 6 (1) (a) GDPR), performance of the contract and pre-contractual inquiries (Article 6 (1) (b) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

• Microsoft Office 365 Teams: Videoconferencing system.

• Service provider:  Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

• Website: https://www.microsoft.com/de-de/microsoft-365/microsoft-teams/group-chat-software

• Privacy policy: https://privacy.microsoft.com/de-de/privacystatement

APPLICATION PROCESS

The application procedure requires that applicants provide us with the data necessary in order to perform an assessment and make a selection. You can find out what information is required from the job description or, in the case of online forms, from the information provided there.

As a general rule, the information required includes personal details, such as name, address, a contact option, and proof of the qualifications required for the position. We will also be happy to inform you on request about the information required.

Applicants can send us their applications using an online form where available. The data will be encrypted according to the state of the art and transmitted to us. Applicants can also send us their applications by e-mail. Please note, however, that e-mails over the Internet are generally not sent in encrypted form. E-mails are generally encrypted in transit, but not on the servers from which they are sent and where they are received.

Application documents relating to applications for advertised vacancies will be deleted six months after the end of the selection procedure; unsolicited applications will be deleted six months after receipt of the application, provided that there are no statutory retention obligations that prevent deletion.

You can find further information at https://www.wagawin.com/career/#career-open-positions

You will also find information on your rights as a data subject at the end of this data privacy statement.

PROMOTIONAL COMMUNICATION BY E-MAIL, POST, OR TELEPHONE

We process personal data for the purposes of promotional communication, which can take place over a number of different channels, such as e-mail, telephone, post, in accordance with statutory provisions.

Recipients have the right to withdraw their consent at any time or to object to promotional communication at any time.

After withdrawal or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims that may be asserted. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time.

• Types of data processed: Master data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).

• Data subjects: Communication partners.

• Purposes of processing: Direct marketing (e.g. by e-mail or by post).

• Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

WEB ANALYSIS AND OPTIMIZATION

Web analysis (also known as “reach measurement”) is used to evaluate the streams of visitors to our website and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. We can use reach analysis, for example, to identify at what time our website or its functions and content are most frequently used or accessed for reuse. We can also identify which areas require optimization.

In addition to web analytics, we can also use test procedures, e.g. to test and optimize different versions of our online service or its components.

To this end, so-called user profiles may be created and stored in a file (a “cookie”), or similar procedures may be used for the same purpose. This information may include, for example, content viewed, web pages visited, the elements used on those pages as well as technical information such as the browser and computer system used, and information on usage times. Where users have consented to the collection of their location data, these data may also be processed, depending on the provider.

Users’ IP addresses are also stored. However, we use an IP masking technique (i.e. pseudonymization by truncating the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) are stored as part of web analysis, A/B testing, and optimization – instead, pseudonyms. This means that we as well as the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the procedures in question.

Notes on legal basis: Where we ask users to give their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data are processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). We would also refer you in this context to the information on the use of cookies in this data privacy statement.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-related profiling, use of cookies), visitor action evaluation, profiling (creation of user profiles).

• Security measures: IP-masking (pseudonymization of the IP address).

• Legal grounds: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

• Matomo: Web analysis/range measurement. The information generated by the cookie about your use of this website is not disclosed to any third party.

• Service provider: Matomo

• Website: https://matomo.org

• Deletion of data: The cookies have a maximum storage period of 13 months.

If you wish to prevent processing for analysis purposes, you can object at any time at the click of a mouse. In this case, an opt-out cookie without usage data will be stored in your browser, meaning that no session data will be collected for analysis.

Note: deleting cookies will result in the removal of the opt-out cookie, which may then need to be reactivated.

CLOUD SERVICES

We use software services accessible over the Internet and running on the servers of their providers (“cloud services”, also referred to as “software-as-a-service”) for the following purposes: document storage and management, calendar management, e-mailing, spreadsheets and presentations, sharing documents, content and information with designated recipients or publishing web pages, forms and other content and information, chatting, and participating in audio and video conferences.

This may involve the processing and storage of personal data on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in this data privacy statement. These data may include, in particular, master data and contact details of users, data on activities, contracts, other processes and their contents. Cloud service providers also process usage data and metadata that they use for security purposes and service optimization.

Where we use cloud services to provide other users or publicly accessible websites with forms etc. or other documents and content, providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g. in the case of media management).

Notes on legal basis: Where we ask for consent to use cloud services, the legal basis for processing is consent. Furthermore, their use can be a component of our (pre-)contractual services, provided that the use of cloud services has been agreed in this regard. Otherwise, user data are be processed on the basis of our legitimate interests (i.e. interest in efficient and secure administration and collaboration processes).

• Types of data processed: Master data (e.g. names, addresses), contact details (e.g. e-mail addresses, phone numbers), content data (e.g. text input, photographs, video clips), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Customers, employees (e.g. employees, applicants, former employees), interested parties, communication partners.

• Purposes of processing: Office and organizational procedures.

• Legal grounds: Consent (Article 6 (1) (a) GDPR), Performance of the contract and pre-contractual inquiries (Article 6 (1) (b) GDPR), Legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

• Microsoft Cloud Services: Cloud storage services; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA;

• Website: https://microsoft.com/de-de;

• Privacy policy: https://privacy.microsoft.com/de-de/privacystatement,

• Security information: https://www.microsoft.com/de-de/trustcenter;

PRESENCE IN SOCIAL NETWORKS (SOCIAL MEDIA)

We maintain an online presence within social networks and process user data in this respect in order to communicate with users who are active there or to offer information about us.

We would point out that users’ data may be processed outside the EU. This may entail risks for users, for example by making it more difficult to enforce users’ rights. We would also point out that US providers who offer comparable guarantees of a secure level of data protection undertake to comply with EU data protection standards.

Furthermore, user data in social networks are generally processed for market research and advertising purposes. This may result in the creation of usage profiles based on user behavior and user interests derived from this. The usage profiles may in turn be used, for example, to place advertisements within or outside of the networks that are likely to match the interests of users. To this end, cookies are generally saved on user devices that store user behavior and interests. Furthermore, data may also be stored in usage profiles independently of the user devices (in particular when users are members of the platforms in question and are logged in there).

We would direct you to the data privacy statements and information of the operators of the networks in question for a more detailed description of the relevant forms of processing and the options to object (opt-outs).

We would also point out that any requests for information and the claims to assert data subject rights should be best addressed to the providers themselves. Only the providers have access to the relevant user data and are able to take corresponding measures directly and provide information. Should you still require assistance, please do not hesitate to contact us.

• Types of data processed: Master data (e.g. names, addresses), contact details (e.g. e-mail addresses, phone numbers), content data (e.g. text input, photographs, video clips), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: Contact requests and communication, tracking (e.g. interests-/behavior-based profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of repeat visitors).

• Legal grounds: Legitimate interests (Article 6 (1) (f) GDPR).

Services Used and their Providers:

• LinkedIn: Social network;

• Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;

• Website: https://www.linkedin.com;

• Data privacy statement: https://www.linkedin.com/legal/privacy-policy;

• Objection possibility (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

• Twitter: Social network;

• Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA;

• Data privacy statement: https://twitter.com/de/privacy,

• (Settings) https://twitter.com/personalization;

• YouTube: Social network;

• Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,

• Parent company: Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA;

• Privacy policy: https://policies.google.com/privacy;

• Objection possibility (opt-out): https://adssettings.google.com/authenticated.

• Xing: Social network;

• Service provider: XING AG, Dammtorstrasse 29– 32, D -20354 Hamburg;

• Parent company (operator): New Work SE, Dammtorstrasse 29 – 32, D-20354 Hamburg;

• Website: https://www.xing.com/;

• Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.

YouTube

Our website uses cookies from the video platform “YouTube”. The provider is Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland (“YouTube”).

To ensure data protection on our website, the video platform “YouTube” is deactivated when you visit our website the first time. This prevents personal data from being automatically transferred to YouTube when you visit our website.

The  video platform “YouTube” is only activated when you play the individual YouTube video by clicking on the video placeholder and thereby consent  to the setting of cookies and the processing of your personal data by YouTube (consent pursuant to Art. 6 (1) (a) DSGVO).

After activation, the YouTube server is informed which of our pages you have visited. In addition, YouTube collects your IP address. This also applies if you are not logged into YouTube or do not have an account with YouTube. The information collected by YouTube may also be transferred to the parent company YouTube LLC, Amphitheatre Parkway, Mountain View, CA 94043 in the USA.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

For more information on the processing of your personal data by YouTube, please see YouTube’s privacy policy at: https://policies.google.com/privacy?hl=en

The use of YouTube and the associated data processing is based on your consent (Art. 6 (1) (a) DSGVO). You have the option to revoke your consent in the cookie settings at any time for the future at https://www.wagawin.com/cookie-summary/

RIGHTS OF DATA SUBJECTS

As a data subjects, you are entitled to various rights under the GDPR that arise in particular from Articles 15 to 21 GDPR:

• Right of objection: You have the right to lodge an objection at any time for reasons arising from your specific situation against the processing of personal data relating to you based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data relating to you for the purpose of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

• Right to withdraw consent: You have the right to withdraw consent that you have already given at any time.

• Right to information: You are entitled to request confirmation as to whether relevant data are processed and to information about these data as well as to additional information and a copy of the data in accordance with statutory provisions.

• Right to rectification: You are entitled to request the completion of the data relating to you or the rectification of inaccurate data relating to you in accordance with statutory provisions.

• Right to erasure and restriction of processing: In accordance with statutory provisions, you are entitled to request that data relating to you be immediately erased or, as an alternative, that the processing of your data be restricted in accordance with statutory provisions.

• Right to data portability: You have the right to request to receive the personal data relating to you that you provided to us, in a structured, commonly used, and machine-readable format, or to request transmission of those data to another controller in accordance with statutory provisions.

• Complaint to a supervisory authority: Furthermore, you have the right in accordance with statutory provisions to lodge a complaint with a supervisory authority, especially in the Member State of your usual place of residence, place of work or place of the alleged breach, if you think that the processing of the personal data relating to you breaches the GDPR.

The regulatory agency responsible for us: Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Supervisory Office for Data Protection – BayLDA), Promenade 18, 91522 Ansbach.

CHANGES AND UPDATES TO OUR DATA PRIVACY STATEMENT

We would ask you to keep yourself up to date with the content of our Data Privacy Statement on a regular basis. We amend our data privacy statement whenever changes to the data processing that we perform make this necessary. We will inform you as soon as such changes require your cooperation (e.g. consent) or necessitate some other form of personal notification.

Where we provide addresses and contact information of companies and organizations in this data privacy statement, please note that these addresses may change over time and so please check the information before contacting us.

Updated: Wednesday, July 22, 2020

PRODUCT PRIVACY POLICY

1. INTRODUCTION

Wagawin GmbH (“Wagawin”, “we”, “us”) respects your privacy and we are responsible for taking care of it. This privacy policy will tell you about your relationship with us. We therefore ask you to read them carefully. This privacy statement is intended for end users of Wagawin’s advertising services, called “LivingAds”.

Why you should read this privacy statement:

Many website operators and app developers make their content available free of charge. But of course they also have to pay their bills. That’s why they broadcast advertisements to you. We help to place advertisements on websites and in apps. As you know, advertising is often annoying and boring. That’s why we create interactive advertising and try to show you the advertising that is interesting for you.

To accomplish this, however, we need some information about you that the Data Protection Act (DS-GVO) classifies as personal data. If we store personal data about you, this is only an identification number or a cookie that is stored in your browser. We will never be able to find out your name, birthday or address and therefore will not store it. Your personal data will only be processed by us if this is necessary to fulfil the contract, if we or the third party have a legitimate interest in the processing or if you have given your consent.

To ensure that your are well informed about your privacy rights we want

• To inform you about the way in which we use your personal data

• To ensure that you understand what information we collect, what we do with it, and most importantly, do not do with it

• To show us responsible for the protection of your data and rights within the framework of this privacy statement /li>

2. OUR SERVICE CALLED “LIVINGADS“

Wagawin provides advertising & marketing services for our Advertiser clients (“Advertisers”). When it comes to mobile advertising, we think interaction matters. Therefore we provide ad formats, called LivingAds, that allow users to interact with advertising content. Our service helps our advertisers’ ads to generate higher awareness and higher performance as we show ads to users that are interacting with advertising content. Furthermore, we aim to make advertising more useful and relevant to users by showing ads that are best tied to their specific interests. Our platform uses interaction data, as well as other data described below, to help Advertisers provide ads to you that are more relevant to you.

3. WHAT PERSONAL DATA WE COLLECT

Publishers can choose how to receive LivingAds. No matter if publishers use our SDK or API or provide their traffic programmatically, we collect device and browser information for the purpose described below. This is technical information about the device or browser you use to access the Advertiser’s website. For example, your device’s IP address, cookie string data, operating system, and (in the case of mobile devices) your device type and mobile device’s unique identifier such as the Apple IDFA or Google Advertising ID. Knowing this basic information, we collect certain data about the ads we served (or attempted to serve) to you. It includes things like how many times an ad has been served to you, what page the ad appeared on, and whether you clicked on or interacted with the ad.

4. HOW WE PROCESS THE PERSONAL DATA WE COLLECT

We use this data to help our Advertisers identify and serve ads to you that are more relevant to you. We also use this data to operate, improve and enhance our services including enhancing the data points we or our Advertising Partners have about a particular user, browser, or device to serve the most relevant ads to you and, in turn, improve performance of an Advertiser’s ad campaigns. Specifically, we use this data for:

• Re-Targeting: Selecting ads that are more likely to be relevant to you based on the interests previously associated with your device and the time of day you may be most interested in viewing these specific ads

• Frequency capping: Making sure that you don’t see the same ad too many times

• Sequencing: If you are being served a sequence of ads, making sure we show you the right ad next in the sequence

• Attribution: Monitoring when, where, and at what price we served certain ads on behalf of an Advertiser so that we can measure our influence on the marketing result of the Advertiser’s campaigns and overall marketing strategy

• Reporting: Providing Advertisers insights into how their ads are performing and gain insights into their customers. Reporting may include ad metrics such as impressions, interactions, clicks, and conversions (however the Advertiser may define a “conversion,” for example, a sale or a white paper download).

• Fraud Detection: By using the ad metrics mentioned above, we focus on real users and dismiss fraudulant traffic

• Maintenance: The maintenance of the system and the ongoing operations.

5. MANAGEMENT OF COOKIES AND AD IDS

If you wish to return your browser to a cookie-free state for this domain, find your browser in the list below and follow the instructions. Once complete, your browser will have no cookies from this domain and you can re-attempt some of the tests for the demos.

• Google Chrome: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=en

• Firefox: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored

• Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

• Internet Explorer Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy

• Safari (Mobile): https://support.apple.com/en-us/HT201265

• Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Depending on your operating system, manage your Ad IDs as follows:

• GAID (Android): https://support.google.com/ads/answer/2662922?hl=en

• IDFA (iOS): https://support.apple.com/en-us/HT205223

By reseting your GAID/IDFA or removing all cookies of the domain *.wagawin.com, we cannot match you data with your device anymore.

6. OPT OUT POSSIBILITY

You can also object to the processing of your data by Wagawin via the following link: https://de.wagawin.com/web/optout

7. SHARING OF PERSONAL DATA

We may share your personal data with our subcontractors to track conversions (e.g. app installs).

Information on how you have interacted with a particular ad is only given to third parties by us if we or the third party have a legitimate interest in passing it on or if you have given your consent.

When we are under a legal obligation to do so, for example to comply with a binding order of a court, or where disclosure is necessary to exercise, establish or defend the legal rights of Wagawin, we share your data with the responsible authority.

We store all personal data of EU citizens on servers within the European Union. In the selection of data centers we ensure that country-specific data protection laws are fulfilled.

8. RETENTION OF PERSONAL DATA

We store user data for the purpose of the bullets stated in section 4 and may save such data for longer period for invoicing, reporting, discrepancy reasons and to prevent fraud, but in any case, for no longer than 12 months.

After this time or at the time you wish your data to be removed (see section 10) we employ measures to delete it. Personal data collected for other purposes is held no longer than necessary for our business purposes but is anonymized. For example, we retain anonymized impression and click data to ensure we can meet auditing requirements related to services provided or to meet legal requirements.

9. SECURITY

We apply technical, administrative and organizational security measures to protect the data we collect against accidental or unlawful destruction and loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against other unlawful forms of processing.

10. DATA SUBJECT REQUESTS FOR DATA ACCESS OR DELETION

Article 15 and 17 of the GDPR provides data subjects with the right to access and/or delete personal data that is related to him/her or is about him/her. Wagawin will cooperate with its partners (i.e. Publishers) to help them to fully comply with any access and/or deletion request of a data subject and shall provide its partners with the requested information or confirmation of deletion of such information, as soon as possible.

The GDPR gives you specific rights to your personal data we process; these rights include obtaining copies of it, requesting changes to it, restricting the processing of it, deleting it, or receiving it in a common electronic format so it can be moved to another controller. To exercise your rights, just contact us on the address stated in section 11.

In case that we process your data based on our legitimate interests pursuant to art. 6 para. 1 letter f GDPR, you can contradict the future processing of your data for other purposes not being based on legitimate interest. You also have the right to desire only a limitation of the processing based on certain purposes (art. 18 GDPR).

11. NOTE ON THE RESPONSIBLE BODY

The responsible body for data processing on this website is:

Wagawin GmbH,

represented by its managing directors Nicolas Leonhardt und Andreas Merold,

Haydnstraße 11

D-80336 München

Telephone: +49 (0) 89 62 42 21 00

E-Mail: privacy@wagawin.com

The responsible body is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (names, email addresses, etc.).

In the event of violations of data protection laws, you have the right to lodge a complaint with the Bayerisches Landesamt für Datenschutzaufsicht.

‍