Privacy Policy

Data protection policy for the services of PenPal GmbH

Privacy Policy when using our platform to connect with other users



Data protection policy for the services of PenPal GmbH


With this date protection policy, we, PenPal GmbH, Hohenzollerndamm 3, 10717 Berlin (hereafter “PenPal” or "we"), undertake to inform you of all data protection aspects of the offering on the penpal.me website (the "Website") and our mobile app ("App") (collectively "Services"). We collect, process and use your personal data only in accordance with the following data protection policy. Personal data in this sense are all individual details about personal or factual circumstances of a specific or identifiable natural person, such as, for example, your name, telephone number, address, and any other information you provide to us when registering, using our services or contacting us ("Personal Information").
We provide services which allow members from around the world to exchange postcards. Anyone can navigate through parts of our Website without having to register, however, it is necessary to register to be able to make use of certain features, in particular those that enable the sending and receiving of postcards. By registering and using our services, you share some of your personal information with us. We are committed to protecting your privacy and have therefore developed this Privacy Policy. We advise everyone to read it carefully, in order to become familiar with our privacy practices.

I. Responsibility for data processing


PenPal is responsible for data processing in accordance with Article 4 No. 7 of EU Regulation 2016/679 ("DSGVO").

II. Collection and storage of personal data and the nature and purpose of their use


1. Processing data for the use of our services
If you access the website via your browser or the app via your mobile device, we only collect personal data that your browser or mobile device automatically transmits to enable you to visit our website or app and the stability and to ensure safety. This can be specifically • your IP address, • your device identifier, i.e. the unique number of the terminal, • content, date and time of the request, • the time zone of the requesting computer or mobile terminal, • the website from which the request was forwarded, • the requested page, • the http status code, • the transferred amount of data, • browser ID, • your operating system, • language and version of the browser software as well as • mobile device identifier (IDFA, IDFV and AAID). The processing of this data serves to • ensure a smooth connection of the website, • the display of our services and products, • the usability of our services, • the evaluation and system security and stability as well as • further administrative purposes. PenPal may use your information to ensure the safety and security of our Website and of our members, for example, by monitoring misuse or suspicious activity, identifying violations of our Terms of Service, protect the community against spam, harassment, and other security risks. The legal basis of this processing of your personal data is Article 6 (1) sentence 1 lit. f DSGVO. Our legitimate interest follows for the aforementioned purposes of data collection.

2. Processing of data when using the contact form
We offer you the opportunity to contact us via a form provided on the website. To use it, you must enter your name and a valid e-mail address. The processing of this data serves our legitimate interest in answering your contact requests properly and is therefore based on Art. 6 para. 1 sentence 1 lit. f DSGVO

3. Processing of data for the use of our services and the purchase of our products
If you wish to use our services and products, you may at different times be asked to provide us personal information such as • your name, • your date of birth, • your address, • your email address, • your home phone number or mobile number, • photographs as well as • indicating payment information. Your personal data will be processed and required by us for the following purposes: • in accordance with Article 6 para. 1 sentence 1 lit. b DSGVO, for the fulfillment of contractual obligations or for the execution of pre-contractual measures: to process your purchases, process your payments and to offer you customer service, to correspond with you, to settle claims by you or us, to ensure technical administration of our website as well as to manage our customer data; • according to Article 6 para. 1 sentence 1 lit. c DSGVO due to legal requirements or pursuant to Art. 6 para. 1 sentence 1 lit. e DSGVO in the public interest: to protect you and us (including our affiliates) from fraud. Your chats, card exchanges with other members, and any content you publish will be processed as necessary for the operation of our services.

4. How we share the collected information between members
The goal of PenPal is to connect the world via real mail, by allowing you to exchange postcards with other members around the world. However, your postal address will never be shared with anyone. Instead, the user sends their postcard to the recipient’s username. We then send the card to the address saved in the recipient’s profile, without the sender ever seeing the address. Sending postcards can take place in a direct postcard exchange as well as via selecting a recipient randomly. The random variation is called PenPal Auto-Match. When the user uses PenPal Auto Match it is not possible for them to request access to a specific user. Instead, the Website randomly selects the recipient of each postcard. We also limit the number of recipients an account can request and have security measures in place to prevent abuse. The number of times your username may be shared is proportional to the number of postcards you have sent yourself. By consequence, until you send your first postcard and become eligible to receive one back, your username is not shared with anyone.

III. Disclosure of your data to processors and third parties


To process your data, we use specialized external service providers such as payment service providers, IT service providers, online marketing providers, marketing automation solution providers, and web analytics tool providers. These are carefully selected and commissioned by us, are bound by our instructions and are checked regularly. Furthermore, we may pass on your personal data to third parties (such as shipping companies, cooperation partners, etc.) if this is necessary to safeguard our legitimate interests under Art. 6 para. 1 sentence 1 lit. f DSGVO is required. Finally, we transfer your information to our affiliate, MyPostcard.com GmbH, 10717 Berlin, Germany to the extent necessary to protect our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. 1 DSGVO is required. These interests include, in particular, the processing of your order, the sending of postcards and the guarantee of smooth business operations. Incidentally, your personal data will only be forwarded to third parties if you have previously consented and submitted them in accordance with Art. 6 para. 1 sent. 1 lit. a DSGVO or a legal permission in accordance with Art. 6 para. 1 sentence 1 lit. c DSGVO is present.

IV. Transfer of personal data abroad


Insofar as we transfer personal data to countries outside the European Economic Area, we ensure that the recipient of the data guarantees an adequate level of data protection in accordance with Art. 45 DSGVO. In the absence of an adequacy agreement, PenPal will ensure that the recipients of the data have provided suitable guarantees in accordance with Art. 46 DSGVO and, in particular, use the standard European Union model contracts for the transfer of data to other EU countries, as amended. When transmitting data to the US, PenPal will endeavor to oblige the recipient to comply with and abide by the principles of the Privacy Shield (that is, to recognize minimum standards in the handling of personal data).

V. Use of cookies


PenPal uses so-called "cookies" on the website i.e. smaller files with text information stored on your hard drive while the offer is being retrieved ("cookies"). Bits of information are stored in the cookie, each resulting in connection with the specific terminal used. However, this does not mean that we immediately receive your identity details. On the one hand, we use cookies to make the navigation and use of our website as user-friendly as possible. We need the cookies in order to identify and authorize you after successfully logging in for the entire duration of your visit. These cookies are automatically deleted from your hard drive after the end of the browser session (session cookies). In addition, we also use cookies that remain on your hard drive for a certain period after the browser session (persistent cookies). These cookies make it easier for you to use our website and our services and products, for example by saving certain entries and settings in such a way that you do not have to constantly repeat them. In addition, these cookies enable us to statistically record the use of our website, to optimize our offer and to make our websites and our offers more personal for you (see also section VII of this data protection policy). The persistent cookies are stored on your hard drive and are deleted by the browser after a given time, which may differ depending on the cookie. The cookies may also be third party cookies since we use a few advertisers to help make the internet offer and website more interesting to you (see also section VII of this data protection policy). The data processed by the cookies are for the purposes mentioned above to protect our legitimate interests as well as those required by third parties according to Art. 6 para. 1 sentence 1 lit. f DSGVO. We will inform you about the use of cookies when you (first) visit our website. You can prevent the use of cookies at any time with effect for the future by deleting cookies and refusing to accept cookies in your browser settings. You can also set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, accept cookies for certain cases or generally exclude them and activate the automatic deletion of cookies when closing the browser. In this case, you may not be able to utilize all the benefits of our services. Instructions for making such changes can be found at www.allaboutcookies.org/manage-cookies/.

VI. Use of Mobile Device Identifier (IDFA, IDFV and AAID)


On our app we use the so-called "Mobile Device Identifier" ("Mobile Device Identifier"). These are unique but non-personalized and non-permanent identification numbers for a particular terminal provided by iOS and Android respectively. The data collected via the Mobile Device Identifier will not be linked to other device-related information. We use Mobile Device Identifiers to provide you with personalized advertising and to evaluate your usage. If you enable "no ad tracking" in the "Privacy" - "Advertising" iOS or Android settings, we can only take the following actions: Measure your interaction with banners by counting the number of ads on a banner without clicking frequency capping, click-through rate, unique user identification, security measures, anti-fraud and troubleshooting. You can delete the respective Mobile Device Identifier at any time in the device settings ("Reset Ad-ID"), then a new Mobile Device Identifier is created, which is not merged with the previously collected data. We point out that you may not be able to use all the features of our app if you restrict the use of the respective Mobile Device Identifier. Use of analysis and tracking technologies in our services We use the above-mentioned analysis and tracking technologies as well as third-party technologies listed below and used by us in accordance with Article. 6 para. 1 lit. f DSGVO: • to carry out data analyzes, • to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer, • to constantly improve and manage our offer, • to measure success and optimize our advertising measures, as well as • in order to be able to send you advertising, in particular personalized marketing information. These interests are legitimate within the context of the aforementioned provision.

1. Google Analytics
For the purpose of customizing and continually optimizing our pages, we use Google Analytics, a Google Inc. advertising analytics service, 1600 Amphitheater Parkway Mountain View, CA 94043, USA ("Google"). In this context, pseudonymised user profiles are created and cookies (see section V of this data protection policy) are used. The information generated by the cookie about your use of our services (such as your IP address, browser type / version, operating system used, referrer URL, time of server request) is transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, on our website and app, your IP address will be shortened by Google beforehand within member states of the European Union or other parties under the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf to evaluate your use of our services, to compile reports about the website and app activities for us, and to provide us with other services related to website and app usage and internet usage. This information may also be transferred to third parties if required by law or if third parties process this data in the order. Google will not merge your IP address with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of our services in full. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of our services (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. For more information about data protection related to Google Analytics, please see the following link in the Google Analytics Help Center: http://google.com/intl/en/analytics/privacyoverview.html.

2. Google AdWords Conversion Tracking
To statistically record the use of our website and to evaluate it for the purpose of optimizing our website, we also use Google conversion tracking. This is a service provided by Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA ("Google"). Google places a cookie on your computer (see section V of this data protection policy) if you have reached our website via a Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If you visit one of our pages and the cookie has not expired yet, we and Google may recognize that you have clicked on the ad and have been redirected to our site. Each Adwords customer receives a different cookie, so that the cookies are not tracked through the websites of Adwords customers. The information generated by the conversion cookie about your use of our services, including your IP address, is transmitted to and stored by Google on servers in the United States. As described above, Google is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, on our website and app, your IP address will be shortened by Google beforehand within member states of the European Union or other parties under the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf to create visitor statistics for our website. These visit statistics are used by us to determine the total number of users who have been sent to us through AdWords ads, thereby optimizing our AdWords ads. This information may also be transferred to third parties if required by law or if third parties process this data in the order. Neither we nor any other Google AdWords advertiser receives any information from Google that could personally identify you. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of our services in full. You may also object to Google's interest-based advertising. To do this, you must go to the link www.google.com/settings/ads from each of the internet browsers you use and set the desired settings there. For more information about Google's privacy policy, please visit the following links: http://google.com/intl/en/policies/privacy and https://www.google.com/privacy/ads/.

3. Google Tag Manager
We also use Google Tag Manager. This service allows website tags to be managed through a single interface. Tags are small code elements that serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. As a result, no cookies are used and consequently no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.

4. Pinterest Conversion Tracking
We use the Remarketing feature of Pinterest Inc., 808 Brannan St., San Francisco, CA 94103, USA, which is offered and operated ("Pinterest"). With the Pinterest Remarketing feature, we can engage you with Pinterest platform advertising based on your interests. For this Pinterest uses so-called "tags". Through this tag, website visits and data on use of the website are recorded in a non-personal, non-personal form. If you visit Pinterest below, advertisements will be displayed based on your interests. Pinteret receives thereby et al. the information from your browser that our website received from your device. We point out that we have no influence on the extent of the transmitted data and their further use by Pinterest and therefore inform you according to our knowledge: By the inclusion of tags Pinterest receives the information that you have accessed the corresponding website of our internet presence. If you are registered with a Pinterest service, Pinterest may associate the visit with your account. Even if you are not registered with Pinterest or have not logged in, there is a possibility that the vendor may discover and store your IP address and other identifying features. The information generated by the tags about your use of our services is transmitted to and stored by a server of Pinterest in the USA. Pinterest is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/list. Pinterest supports the Do Not Track (DNT) option. Alternatively, you can disable the use of cookies for interest-based advertising through the Network Initiative by following the instructions at https://networkadvertising.org/managing/opt_out.asp. For more information about Pinterest Remarketing and Pinterest's privacy policy, visit https://policy.pinterest.com/privacy-policy.

5. Reddit Conversion Tracking
Our website also uses "Raddit Conversion Pixel," an analysis service of Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, USA ("Reddit"). For this tool so-called tracking pixels are integrated on our sides. When you visit our pages, this tracking pixel establishes a direct connection between your browser and the Reddit server. Reddit receives thereby et al. the information from your browser that our website received from your device. We point out that we have no influence on the extent of the transmitted data and their further use by Reddit and therefore inform you according to our knowledge: Through the use of Reddit Conversion pixels Reddit receives the information that you have accessed the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a Reddit service, Reddit may associate the visit with your account. Even if you are not registered with Reddit or have not logged in, there is a chance that the vendor will discover and store your IP address and other identifying features. Reddit is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/list. For more information about privacy and how it works, visit https://www.redditinc.com/policies/privacy-policy.

6. Facebook Advertising Tracking
We also use Facebook's "Custom Audiences" remarketing feature, 1 Hacker Way, Menlo Park, CA 94025, USA, ("Facebook"). As a result, users of our website can be shown interest-based advertisements ("Facebook Ads") as part of their visit to the social network Facebook or other websites that also use the process. For this marketing function, we use "Facebook pixels" on our websites, i.e. on our sides so-called tracking pixels are integrated. When you visit our pages, the tracking pixel establishes a direct connection between your browser and the Facebook server. This gives Facebook et al. the information from your browser that our website called from your device. We point out that we have no influence on the extent of the data transmitted and their further use by Facebook and therefore inform you according to our knowledge: Through the integration of Facebook Custom Audiences, Facebook receives the information that you have visited the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a service of Facebook, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, there is a chance that the provider will find out and store your IP address and other identifying features. Facebook is certified under the Privacy Shield so that there is an adequate level of data protection under the European Commission's implementing agreement. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC. You may object to the use of Facebook Website Custom Audiences at any time in the future through https://www.facebook.com/settings/?tab=ads and http://www.youronlinechoices.com/preferencemanagement/. For more information about privacy and your related options, visit https://www.facebook.com/settings/?tab=ads and https://www.facebook.com/about/privacy.

7. Bing Ads Tracking
We use the Microsoft Bing Ads online advertising program of Microsoft Online Inc., 6100 Neil Road, Reno, NV 89511 USA ("Microsoft"). This technology will redirect users who have already visited our sites through targeted advertising on the Microsoft Partner Network pages and Microsoft search results pages. The advertising is shown by the use of cookies (see section V of this data protection policy), with the help of which the user behavior when visiting the website can be analyzed and subsequently used for targeted and interest-based advertising. The information collected is transmitted to Microsoft servers in the United States. Microsoft is certified under the Privacy Shield so that there is an adequate level of data protection under the European Commission's implementing agreement. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK. In addition, through cross-device tracking, Microsoft may be able to track your usage behavior across multiple of your electronic devices, enabling it to display personalized advertising on or in Microsoft websites and apps. You can disable this behavior at http://choice.microsoft.com/en-us/opt-out. You can prevent the collection of data generated by the cookie and related to your use of the website as well as the processing of this data by deactivating the setting of cookies. This may limit the functionality of the site. More information about privacy at Microsoft can be found at https://privacy.microsoft.com/en-us/privacystatement.

8. Hotjar
We also use the Hotjar Ltd web analytics service Hotjar Ltd, Level 2, St Julian's Business Center, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, Europe ("Hotjar") to better understand your usage patterns and to optimize our services accordingly. In particular, Hotjar uses cookies (see section V of this Data Protection Policy) to collect information about user behavior and user devices (in particular the IP address of a device, screen size, device type, browser information, geographic information, and the preferred language used to display our website). Hotjar stores this data in a pseudonymous user profile. Neither Hotjar nor we will use this information to identify you. Nor will Hotjar or we merge the data with other data about individual users. You may object to the creation of user profiles, the storage of data on your use of our website by Hotjar and the use of tracking cookies by Hotjar on other sites at any time at the following link: https://www.hotjar.com/opt-out. More information about Hotjar's privacy can be found at https://www.hotjar.com/privacy.

9. Use of Technologies from Branch Metrics, Inc. in our App
Our sites also use the Branch.io app analytics service Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA ("Branch") to analyze app usage. When using the app Branch collects on our behalf installation and usage data. We use this information to understand how you interact with our app. Branch uses your IDFA or Android ID as well as your IP or Mac address. An identification of your person is not possible. The analyzes are used exclusively for the purposes of our own market research as well as the optimization and needs-based design of our app. The information collected is transmitted to Branch servers in the United States. Branch is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000KzTJAA0&status=Active. They may object to the use of Branch at any time by setting the slider for anonymous statistics in the app under "Settings". For more information about Branch's privacy, please visit the following link: https://branch.io/policies/#privacy.

10. Use of Google Analytics for Firebase in our app
Our app also uses the Google Firebase technologies of Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). Google Firebase is part of the Google Cloud Platform and offers the following services in addition to a real-time database: Firebase Analytics allows you to analyze the use of our offer. This information about the use of our app are collected, transmitted to Google and stored there. Google uses the advertising ID of the device. Google will use the information provided to evaluate the use of our app anonymously and to provide us with other services related to the use of apps. In Device Settings, you can restrict the use of the Advertising ID (iOS: Privacy / Advertising / No Ad Tracking, Android: Account / Google / View). Firebase Cloud Messaging is used to deliver push messages or so-called in-app messages (messages that are only displayed inside the app). In this case, the mobile terminal is assigned a pseudonymized push reference, which serves as the destination for the push messages or in-app messages. The push messages can be deactivated in the settings of the mobile device at any time and also reactivated. Google Firebase uses servers located in the EU for these services wherever possible. However, it can not be ruled out that data will also be transmitted to the USA. As described above, Google is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. For more information about Google's privacy policy, please visit the following link: https://policies.google.com/privacy/update?hl=en.

11. Amplitude
We use the analytical service, “Amplitude” of Amplitude, Inc., 631 Howard Street, SanFrancisco, California 94105, USA. Amplitude enables us to better understand and optimize user behavior. As a result, technical errors can be remedied faster and potential for target group-oriented improvement can be identified. For this purpose, Amplitude stores usage data such as device and browser type in use by the user, button click behaviour, and the occurrence of input errors. Amplitude processing is limited to pseudonymous personal data. Use of Amplitude is in accordance with Art. 6, para. 1, sentence 1, lit. f., DSGVO. Amplitude is certified under the US-EU Privacy Shield. Further information can be found in the Amplitude privacy policy: https://amplitude.com/privacy

12. Leanplum
In the context of our app, we use Leanplum, a service of Leanplum Inc. which has its European headquarters at TOO Herengracht 280, 1016 BX Amsterdam, The Netherlands. Leanplum helps to build long-term and sustainable customer relationships. Leanplum focuses on a personalized customer approach and data analysis to do so. The collected usage data are processed as pseudonymized, IP addresses are deleted after their collection and data is only linked with your personal data with us internally when you have logged into the app. The legal basis for this processing is Art. 6, para. 1, p. 1, lit. f., GDPR. Information regarding use of our app is transmitted to Leanplum servers in the USA. Leanplum is subject to the EU-US Privacy Shield. For more information regarding privacy, please refer to the Leanplum Privacy Policy: https://www.leanplum.com/privacy/

VII. Use of social plug-ins


We use so-called social plug-ins of social networks (eg Facebook, Instagram, YouTube, Pinterest, Twitter and Tumblr) on our website (Facebook, Instagram, YouTube, Pinterest, Twitter and Tumblr together "social networks" and the corresponding plug-ins total "plug-ins"). Through these plug-ins we offer you the opportunity to interact with social networks and other users so that we can improve our offer and make it more interesting for you while giving us the opportunity to make our company better known. The legal basis for the use of the social plug-ins is Art. 6 (1) sentence 1 lit. f DSGVO. The responsibility for the privacy-compliant operation is to be guaranteed by the respective provider. We use plug-ins of the network Facebook, such as the "Like" button. These plug-ins are offered and operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook") and are clearly marked with the Facebook logo. We also use Instagram plug-ins operated by Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA ("Instagram") and marked with the Instagram logo. We also use plug-ins from the YouTube network, which belongs to Google Inc., San Bruno, California, USA ("YouTube") and is recognizable by the YouTube logo. We also use plug-ins from the Pinterest network, which is offered and operated by Pinterest Inc., 808 Brannan St., San Francisco, CA 94103, USA (“Pinterest”) and are marked with the "pin-it" button. Finally, Twitter's plug-ins are included, offered and operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA ("Twitter"), and feature the Twitter logo or the addition, "Tweet". If you visit one of our websites containing such a plug-in, your browser establishes a direct connection to the servers of the respective social network. The content of the plug-in is transmitted from the corresponding social network directly to your browser and integrated into the webpage, without our having any influence on the content of the plug-in. Regardless of whether you have an account on the social network or are logged into the respective social network, websites containing social network plug-ins transmit and transfer information to the appropriate social network in the US, including your operating system and its version, browser type and version, IP address, domain name and / or date / time stamp for your visit. The respective social network sets a cookie with an identifier that is valid for two years each time the website is called up. Since your browser sends this cookie automatically every time you connect to a server, the social network would be able to create a profile of the web pages accessed by the user of the identifier. As long as you are logged in parallel to the respective social network, the corresponding social network can assign the profile to your local account and thus to your person. But even if you are not logged into the respective social network at the time of using our website, such an assignment - for example, in a later log in to the appropriate social network - not excluded. If you interact with the plug-ins, for example, the "Like" - or press the "Tweet" button or leave a comment, the information is transmitted from your browser directly to the appropriate social network and stored there, the extent of which we have no influence. The information will also be published on the social network and displayed to your contacts there. The social network can use the obtained information for the purpose of advertising, market research and needs-based design of the pages of the social network. For this purpose, the social network generates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed on the social network, to inform other users of the social network about your activities on our website and to provide other services related to the use of the social network. We point out that we do not receive any final knowledge of the content of the transmitted data and their use by the social network. For more detailed information on the nature, purpose and extent of further processing and use of your data by the respective social network, please refer to the privacy policy of the corresponding social network (for Facebook: http://de-de.facebook.com/policy.php for Instagram: https://help.instagram.com/519522125107875?helpref=page_content; for YouTube: https://policies.google.com/privacy?hl=en; for Pinterest: https://policy.pinterest.com/de/privacy-policy; for Twitter: http://twitter.com/privacy, where you can also learn more about your rights and settings options for protecting your privacy Facebook / Instagram, YouTube / Google and Twitter are under Privacy Shield is certified so that there is an adequate level of data protection under the European Commission's implementing agreement, which can be viewed here: for Facebook / Instagram https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC, for YouTube / Google https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI, for Twitter https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active. As a user, in order to prevent a social network from collecting information about you during your visit to our website, you may log out of the respective social network at the beginning of your visit to the website, delate any existing cookie of the corresponding social network from your browser and choose "Block third-party cookies" in your browser settings. In this case, your browser will not transfer cookies to embedded servers of other third-party content. However, such settings could mean that in addition to plug-ins, under certain circumstances, other cross-page features may also no longer be available.

VIII. Newsletter / Marketing


With your consent, which you may submit as part of your registration on our website, we will send you newsletters or marketing about our products and services or the products and services of our affiliates that we consider could be of interest to you by e-mail or telephone. You may opt-out of the use of your data for direct marketing purposes at any time and unsubscribe from the newsletter by clicking on the link provided in each newsletter e-mail or by emailing us at newsletter@penpal.me. We reserve the right, even without your consent by e-mail, to send you offers for products or services similar to those already purchased by you. You have the right to object to the processing of your data for promotional purposes at any time by sending an e-mail to newsletter@penpal.me or via a link in our newsletter, without any costs other than transmission costs according to the basic rates. The legal basis for the processing of your data for the purpose of sending newsletters is Art. 6 para. 1 sentence 1 lit. a or lit. f DSGVO. We use MailChimp, a newsletter shipping platform owned by Rocket Science Group, LLC, 675 Ponce De Leon Ave. NE # 5000, Atlanta, GA 30308, USA ("MailChimp") and Braze, to send email and newsletters. Your personal data will be transmitted to servers of MailChimp and Braze in the USA and stored there. The Rocket Science Group, LLC, is certified under the Privacy Shield so that there is an appropriate level of data protection under the European Commission's Implementing Agreement. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG. The newsletters contain a so-called "web-beacon", i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. This call will initially collect technical information, such as information about the browser and your system, as well as your IP address and time of retrieval. This information is used to improve the technical performance of services based on their specifications or audience and their reading habits, based on their locations (which can be determined using the IP address) or access times. Statistical surveys also include determining if the newsletters will be opened, when they will be opened, and which links will be clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our desire nor that of MailChimp or Braze to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. MailChimp and Braze use this information to send and evaluate the newsletters on our behalf. Furthermore, MailChimp and Braze may, according to their own information, use this data to optimize or improve their own services, e.g. for the technical optimization of the dispatch and the presentation of the newsletter or for economic purposes, to determine from which countries the recipients come. However, neither MailChimp nor Braze use your data to write to you or pass it on to third parties. The privacy policy of MailChimp can be found here: https://mailchimp.com/legal/privacy. The privacy policy of Braze can be found here: https://www.braze.com/privacy/?utm_source=adwords-search&utm_medium=paid-search&utm_content=brand-new-v3&utm_campaign=brand-tofu-emea&utm_ad_group=braze-brand&_bt=268755654428&_bk=braze&_bm=p&_bn=g&gclid=Cj0KCQjw6J7YBRC4ARIsAJMXXsenMW5WBxfK5Sx9igwHI3TKYsyKPPlu5LANKi098gzPpyRqhCkPsSgaAoJCEALw_wcB.

IX. Sending push messages



1. Sending push messages through the website
To keep you up-to-date on current topics, we offer a service to receive push messages through our website. For this purpose, an anonymous ID is stored in order to analyze the use of the push service. If you would like to prevent the receipt of push notifications and thus the associated data collection for the future, you can block the notifications in the website settings of your internet browser for this website.

2. Sending push messages in the app
To send push messages to Android and iOS apps, the services of Braze, a program of Braze Inc. NYC, 318 West 39th Street, 5th Floor, New York, NY 10018, United States ("Braze"), as well as OneSignal, a program used by OneSignal, 2194 Esperanca Avenue, Santa Clara, CA 95054, USA ("OneSignal") are used. Braze stores data under an anonymized ID about the use of the app, but no personal data. If you do not want to receive push notifications in the Android or iOS app, you can prevent them from being sent in the system settings of your mobile device. In the app, you can prevent appropriate tracking for the future by selecting the item "Privacy" in the menu and set the slide switch accordingly ("Disagree data processing"). For more information about Braze's Privacy Policy, please visit: https://www.braze.com/privacy/?utm_source=adwords-search&utm_medium=paid-search&utm_content=brand-new-v3&utm_campaign=brand-tofu-emea&utm_ad_group=braze-brand&_bt= 268755654428 & qflk = braze & _bm = p & _bn = g = gclid Cj0KCQjw6J7YBRC4ARIsAJMXXsenMW5WBxfK5Sx9igwHI3TKYsyKPPlu5LANKi098gzPpyRqhCkPsSgaAoJCEALw_wcB. For more information on OneSignal's privacy policy, visit https://onesignal.com/privacy_policy.

X. Duration of storage


We store your personal data as long as this is necessary to achieve the respective storage purpose. Subsequently, your data will be deleted by us, unless, according to Art. 6 para. 1 p. 1 lit. c DSGVO we are obliged to retain it for a longer period of time due to tax, commercial or other statutory storage or documentation obligations or you have agreed to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a DSGVO.

XI. Your rights


You are entitled at any time according to Art. 15 DSGVO to discosure of information about your personal data stored with us. In particular, you may demand disclosure of information about the purposes of processing, the categories of data we have stored about you, the categories of recipients of such data, the planned duration of storage, your right to rectification, cancellation, limitation of processing or opposition, the existence of a right of appeal to a regulatory authority, the source of your data, if not collected from you, and the existence of an automated decision-making process including profiling and, where appropriate, meaningful information about their details. In addition, according to Art. 16 DSGVO, you may request the correction of incorrect data and, pursuant to Art. 17 DSGVO, the deletion of personal data, as far as the processing of the exercise of the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. Furthermore, you have the right to demand, pursuant to Art. 18 DSGVO, blocking or restriction of the processing of your personal data, in so far as the accuracy of the data is disputed by you, the processing is unlawful, you reject its deletion and we no longer need the data, however you need them for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR. Furthermore, according to Art. 20 DSGVO, you have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format or to request its transfer to another person responsible. If your personal data are based on legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit., in accordance with Art. 21 DSGVO, you have the right to object to the processing of your personal data at any time if there are reasons for this arising from your particular situation or the objection is directed against processing for direct marketing purposes. In the latter case, you have a fundamental right of objection, which is implemented by PenPal without specifying any particular situation. If you believe that the processing of your personal data by us is not in accordance with applicable law, you may file a complaint with a supervisory authority pursuant to Art. 77 DSGVO. If the processing of your data relies on a consent granted by DGSVO according to Art. 6 para. 1 lit, you have the right to revoke this consent at any time with future effect.

XII. Data security


When visiting our services, we use the common SSL method in conjunction with the highest encryption level supported by your browser. Incidentally, we use appropriate technical and organizational security measures to protect your data against manipulation, loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

XIII. Your contact for data protection


If you have any questions about the collection, processing or use of your personal data, information, correction, blocking or deletion of data and revocation of granted consent, please contact our data protection officer at privacy@penpal.me.