Data protection policy for the services of PenPal GmbH
Data protection policy for the services of PenPal GmbH
With this date protection policy, we, PenPal GmbH, Hohenzollerndamm 3, 10717 Berlin (hereafter “PenPal” or "we"), undertake to inform you of all data protection aspects of the offering on the penpal.me website (the "Website") and our mobile app ("App") (collectively "Services"). We collect, process and use your personal data only in accordance with the following data protection policy. Personal data in this sense are all individual details about personal or factual circumstances of a specific or identifiable natural person, such as, for example, your name, telephone number, address, and any other information you provide to us when registering, using our services or contacting us ("Personal Information").
I. Responsibility for data processing
PenPal is responsible for data processing in accordance with Article 4 No. 7 of EU Regulation 2016/679 ("DSGVO").
II. Collection and storage of personal data and the nature and purpose of their use
1. Processing data for the use of our services
If you access the website via your browser or the app via your mobile device, we only collect personal data that your browser or mobile device automatically transmits to enable you to visit our website or app and the stability and to ensure safety. This can be specifically • your IP address, • your device identifier, i.e. the unique number of the terminal, • content, date and time of the request, • the time zone of the requesting computer or mobile terminal, • the website from which the request was forwarded, • the requested page, • the http status code, • the transferred amount of data, • browser ID, • your operating system, • language and version of the browser software as well as • mobile device identifier (IDFA, IDFV and AAID). The processing of this data serves to • ensure a smooth connection of the website, • the display of our services and products, • the usability of our services, • the evaluation and system security and stability as well as • further administrative purposes. PenPal may use your information to ensure the safety and security of our Website and of our members, for example, by monitoring misuse or suspicious activity, identifying violations of our Terms of Service, protect the community against spam, harassment, and other security risks. The legal basis of this processing of your personal data is Article 6 (1) sentence 1 lit. f DSGVO. Our legitimate interest follows for the aforementioned purposes of data collection.
2. Processing of data when using the contact form
We offer you the opportunity to contact us via a form provided on the website. To use it, you must enter your name and a valid e-mail address. The processing of this data serves our legitimate interest in answering your contact requests properly and is therefore based on Art. 6 para. 1 sentence 1 lit. f DSGVO
3. Processing of data for the use of our services and the purchase of our products
If you wish to use our services and products, you may at different times be asked to provide us personal information such as • your name, • your date of birth, • your address, • your email address, • your home phone number or mobile number, • photographs as well as • indicating payment information. Your personal data will be processed and required by us for the following purposes: • in accordance with Article 6 para. 1 sentence 1 lit. b DSGVO, for the fulfillment of contractual obligations or for the execution of pre-contractual measures: to process your purchases, process your payments and to offer you customer service, to correspond with you, to settle claims by you or us, to ensure technical administration of our website as well as to manage our customer data; • according to Article 6 para. 1 sentence 1 lit. c DSGVO due to legal requirements or pursuant to Art. 6 para. 1 sentence 1 lit. e DSGVO in the public interest: to protect you and us (including our affiliates) from fraud. Your chats, card exchanges with other members, and any content you publish will be processed as necessary for the operation of our services.
4. How we share the collected information between members
The goal of PenPal is to connect the world via real mail, by allowing you to exchange postcards with other members around the world. However, your postal address will never be shared with anyone. Instead, the user sends their postcard to the recipient’s username. We then send the card to the address saved in the recipient’s profile, without the sender ever seeing the address. Sending postcards can take place in a direct postcard exchange as well as via selecting a recipient randomly. The random variation is called PenPal Auto-Match. When the user uses PenPal Auto Match it is not possible for them to request access to a specific user. Instead, the Website randomly selects the recipient of each postcard. We also limit the number of recipients an account can request and have security measures in place to prevent abuse. The number of times your username may be shared is proportional to the number of postcards you have sent yourself. By consequence, until you send your first postcard and become eligible to receive one back, your username is not shared with anyone.
III. Disclosure of your data to processors and third parties
To process your data, we use specialized external service providers such as payment service providers, IT service providers, online marketing providers, marketing automation solution providers, and web analytics tool providers. These are carefully selected and commissioned by us, are bound by our instructions and are checked regularly. Furthermore, we may pass on your personal data to third parties (such as shipping companies, cooperation partners, etc.) if this is necessary to safeguard our legitimate interests under Art. 6 para. 1 sentence 1 lit. f DSGVO is required. Finally, we transfer your information to our affiliate, MyPostcard.com GmbH, 10717 Berlin, Germany to the extent necessary to protect our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. 1 DSGVO is required. These interests include, in particular, the processing of your order, the sending of postcards and the guarantee of smooth business operations. Incidentally, your personal data will only be forwarded to third parties if you have previously consented and submitted them in accordance with Art. 6 para. 1 sent. 1 lit. a DSGVO or a legal permission in accordance with Art. 6 para. 1 sentence 1 lit. c DSGVO is present.
IV. Transfer of personal data abroad
Insofar as we transfer personal data to countries outside the European Economic Area, we ensure that the recipient of the data guarantees an adequate level of data protection in accordance with Art. 45 DSGVO. In the absence of an adequacy agreement, PenPal will ensure that the recipients of the data have provided suitable guarantees in accordance with Art. 46 DSGVO and, in particular, use the standard European Union model contracts for the transfer of data to other EU countries, as amended. When transmitting data to the US, PenPal will endeavor to oblige the recipient to comply with and abide by the principles of the Privacy Shield (that is, to recognize minimum standards in the handling of personal data).
VI. Use of Mobile Device Identifier (IDFA, IDFV and AAID)
On our app we use the so-called "Mobile Device Identifier" ("Mobile Device Identifier"). These are unique but non-personalized and non-permanent identification numbers for a particular terminal provided by iOS and Android respectively. The data collected via the Mobile Device Identifier will not be linked to other device-related information. We use Mobile Device Identifiers to provide you with personalized advertising and to evaluate your usage. If you enable "no ad tracking" in the "Privacy" - "Advertising" iOS or Android settings, we can only take the following actions: Measure your interaction with banners by counting the number of ads on a banner without clicking frequency capping, click-through rate, unique user identification, security measures, anti-fraud and troubleshooting. You can delete the respective Mobile Device Identifier at any time in the device settings ("Reset Ad-ID"), then a new Mobile Device Identifier is created, which is not merged with the previously collected data. We point out that you may not be able to use all the features of our app if you restrict the use of the respective Mobile Device Identifier. Use of analysis and tracking technologies in our services We use the above-mentioned analysis and tracking technologies as well as third-party technologies listed below and used by us in accordance with Article. 6 para. 1 lit. f DSGVO: • to carry out data analyzes, • to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer, • to constantly improve and manage our offer, • to measure success and optimize our advertising measures, as well as • in order to be able to send you advertising, in particular personalized marketing information. These interests are legitimate within the context of the aforementioned provision.
1. Google Analytics
For the purpose of customizing and continually optimizing our pages, we use Google Analytics, a Google Inc. advertising analytics service, 1600 Amphitheater Parkway Mountain View, CA 94043, USA ("Google"). In this context, pseudonymised user profiles are created and cookies (see section V of this data protection policy) are used. The information generated by the cookie about your use of our services (such as your IP address, browser type / version, operating system used, referrer URL, time of server request) is transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, on our website and app, your IP address will be shortened by Google beforehand within member states of the European Union or other parties under the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf to evaluate your use of our services, to compile reports about the website and app activities for us, and to provide us with other services related to website and app usage and internet usage. This information may also be transferred to third parties if required by law or if third parties process this data in the order. Google will not merge your IP address with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of our services in full. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of our services (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. For more information about data protection related to Google Analytics, please see the following link in the Google Analytics Help Center: http://google.com/intl/en/analytics/privacyoverview.html.
2. Google AdWords Conversion Tracking
3. Google Tag Manager
We also use Google Tag Manager. This service allows website tags to be managed through a single interface. Tags are small code elements that serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. As a result, no cookies are used and consequently no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
4. Pinterest Conversion Tracking
5. Reddit Conversion Tracking
Our website also uses "Raddit Conversion Pixel," an analysis service of Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, USA ("Reddit"). For this tool so-called tracking pixels are integrated on our sides. When you visit our pages, this tracking pixel establishes a direct connection between your browser and the Reddit server. Reddit receives thereby et al. the information from your browser that our website received from your device. We point out that we have no influence on the extent of the transmitted data and their further use by Reddit and therefore inform you according to our knowledge: Through the use of Reddit Conversion pixels Reddit receives the information that you have accessed the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a Reddit service, Reddit may associate the visit with your account. Even if you are not registered with Reddit or have not logged in, there is a chance that the vendor will discover and store your IP address and other identifying features. Reddit is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/list. For more information about privacy and how it works, visit https://www.redditinc.com/policies/privacy-policy.
6. Facebook Advertising Tracking
We also use Facebook's "Custom Audiences" remarketing feature, 1 Hacker Way, Menlo Park, CA 94025, USA, ("Facebook"). As a result, users of our website can be shown interest-based advertisements ("Facebook Ads") as part of their visit to the social network Facebook or other websites that also use the process. For this marketing function, we use "Facebook pixels" on our websites, i.e. on our sides so-called tracking pixels are integrated. When you visit our pages, the tracking pixel establishes a direct connection between your browser and the Facebook server. This gives Facebook et al. the information from your browser that our website called from your device. We point out that we have no influence on the extent of the data transmitted and their further use by Facebook and therefore inform you according to our knowledge: Through the integration of Facebook Custom Audiences, Facebook receives the information that you have visited the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a service of Facebook, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, there is a chance that the provider will find out and store your IP address and other identifying features. Facebook is certified under the Privacy Shield so that there is an adequate level of data protection under the European Commission's implementing agreement. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC. You may object to the use of Facebook Website Custom Audiences at any time in the future through https://www.facebook.com/settings/?tab=ads and http://www.youronlinechoices.com/preferencemanagement/. For more information about privacy and your related options, visit https://www.facebook.com/settings/?tab=ads and https://www.facebook.com/about/privacy.
7. Bing Ads Tracking
9. Use of Technologies from Branch Metrics, Inc. in our App
Our sites also use the Branch.io app analytics service Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA ("Branch") to analyze app usage. When using the app Branch collects on our behalf installation and usage data. We use this information to understand how you interact with our app. Branch uses your IDFA or Android ID as well as your IP or Mac address. An identification of your person is not possible. The analyzes are used exclusively for the purposes of our own market research as well as the optimization and needs-based design of our app. The information collected is transmitted to Branch servers in the United States. Branch is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000KzTJAA0&status=Active. They may object to the use of Branch at any time by setting the slider for anonymous statistics in the app under "Settings". For more information about Branch's privacy, please visit the following link: https://branch.io/policies/#privacy.
10. Use of Google Analytics for Firebase in our app
VII. Use of social plug-ins
VIII. Newsletter / Marketing
IX. Sending push messages
1. Sending push messages through the website
To keep you up-to-date on current topics, we offer a service to receive push messages through our website. For this purpose, an anonymous ID is stored in order to analyze the use of the push service. If you would like to prevent the receipt of push notifications and thus the associated data collection for the future, you can block the notifications in the website settings of your internet browser for this website.
2. Sending push messages in the app
X. Duration of storage
We store your personal data as long as this is necessary to achieve the respective storage purpose. Subsequently, your data will be deleted by us, unless, according to Art. 6 para. 1 p. 1 lit. c DSGVO we are obliged to retain it for a longer period of time due to tax, commercial or other statutory storage or documentation obligations or you have agreed to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a DSGVO.
XI. Your rights
You are entitled at any time according to Art. 15 DSGVO to discosure of information about your personal data stored with us. In particular, you may demand disclosure of information about the purposes of processing, the categories of data we have stored about you, the categories of recipients of such data, the planned duration of storage, your right to rectification, cancellation, limitation of processing or opposition, the existence of a right of appeal to a regulatory authority, the source of your data, if not collected from you, and the existence of an automated decision-making process including profiling and, where appropriate, meaningful information about their details. In addition, according to Art. 16 DSGVO, you may request the correction of incorrect data and, pursuant to Art. 17 DSGVO, the deletion of personal data, as far as the processing of the exercise of the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. Furthermore, you have the right to demand, pursuant to Art. 18 DSGVO, blocking or restriction of the processing of your personal data, in so far as the accuracy of the data is disputed by you, the processing is unlawful, you reject its deletion and we no longer need the data, however you need them for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR. Furthermore, according to Art. 20 DSGVO, you have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format or to request its transfer to another person responsible. If your personal data are based on legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit., in accordance with Art. 21 DSGVO, you have the right to object to the processing of your personal data at any time if there are reasons for this arising from your particular situation or the objection is directed against processing for direct marketing purposes. In the latter case, you have a fundamental right of objection, which is implemented by PenPal without specifying any particular situation. If you believe that the processing of your personal data by us is not in accordance with applicable law, you may file a complaint with a supervisory authority pursuant to Art. 77 DSGVO. If the processing of your data relies on a consent granted by DGSVO according to Art. 6 para. 1 lit, you have the right to revoke this consent at any time with future effect.
XII. Data security
When visiting our services, we use the common SSL method in conjunction with the highest encryption level supported by your browser. Incidentally, we use appropriate technical and organizational security measures to protect your data against manipulation, loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
XIII. Your contact for data protection
If you have any questions about the collection, processing or use of your personal data, information, correction, blocking or deletion of data and revocation of granted consent, please contact our data protection officer at firstname.lastname@example.org.