Privacy Policy

Preamble

With the following privacy policy, we want to inform you about what types of your personal data (hereinafter also referred to simply as "data") we process for which purposes and to what extent. The privacy policy applies to all personal data processing carried out by us, both as part of the provision of our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: September 10, 2024

Responsible Person

Dorian Cantzen (Extrument)

Hefnersteig 11
13629 Berlin

Email: info@imonity.com
Imprint: https://imonity.com/de/impressum/

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Contact data.
  • Content data.
  • Usage data.
  • Meta, communication, and procedural data.

Categories of Data Subjects

  • Communication partners.
  • Users.

Purposes of Processing

  • Contact requests and communication.
  • Security measures.
  • Reach measurement.
  • Management and response to inquiries.
  • Feedback.
  • Profiles with user-related information.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR, on which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission and automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the application of GDPR and Swiss DSG: These data protection notices serve both to provide information under the Swiss Federal Data Protection Act (Swiss DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that due to the broader territorial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "particularly sensitive personal data" used in the Swiss DSG, the terms "processing" of "personal data" and "legitimate interest" and "special categories of data" used in the GDPR are used. The legal meaning of the terms remains determined by the Swiss DSG within the scope of its application.

Security Measures

We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transfer, ensuring availability, and separation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, the deletion of data, and responses to data threats. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Transfer of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to other bodies, companies, legally independent organizational units, or persons or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transmitting data to other persons, bodies, or companies, this only occurs in accordance with the legal requirements. If the level of data protection in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of data protection is otherwise ensured, particularly through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49 para. 1 GDPR). We will inform you of the legal bases of third-country transfers in individual cases, prioritizing adequacy decisions. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission's information page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies in the USA as safe by adequacy decision dated 10.07.2023. The list of certified companies and further information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We inform you within the framework of the data protection notices which service providers we use are certified under the Data Privacy Framework.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal requirements, to request the completion or rectification of data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased immediately or, alternatively, in accordance with legal requirements, to request a restriction of the processing of the data.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with legal requirements.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, without prejudice to any other administrative or judicial remedy if you consider that the processing of personal data relating to you infringes the GDPR.

Use of Cookies

Cookies are small text files or other storage marks that store information on end devices and read information from end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the used functions of an online offer. Cookies can also be used for different purposes, such as ensuring the functionality, security, and comfort of online offers, as well as creating analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless this is not required by law. Consent is particularly not necessary if the storage and reading of information, including cookies, is absolutely necessary to provide the users with a telemedia service (i.e., our online offer) explicitly requested by them. Absolutely necessary cookies generally include cookies with functions that display and ensure the functionality of the online offer, load balancing, security, storing user preferences, or similar purposes related to providing the main and secondary functions of the online offer requested by users. The revocable consent is clearly communicated to the users and includes information on the respective use of cookies.

Notes on data protection legal bases: The legal basis on which we process the personal data of users using cookies depends on whether we ask users for consent. If the users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies is based on our legitimate interests (e.g., in the business operation of our online offer and its improvement) or, if necessary, to fulfill our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We inform about the purposes for which cookies are processed in this privacy policy or as part of our consent and processing procedures.

Storage duration: Regarding storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved, or preferred content can be displayed directly when the user revisits a website. Likewise, the data collected using cookies can be used for reach measurement. Unless we provide users with explicit information on the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.

General notes on withdrawal and objection (so-called "opt-out"): Users can withdraw the consents they have given at any time and object to processing in accordance with legal requirements. Users can limit the use of cookies in their browser settings (which may limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be made through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal bases: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR). Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR).

Further notes on processing, procedures, and services:

  • Processing of cookie data based on consent: We use a consent management solution where users' consent to the use of cookies or the procedures and providers mentioned in the consent management solution is obtained. This procedure serves to obtain, log, manage, and revoke consents, particularly related to the use of cookies and similar technologies used to store, read, and process information on users' end devices. In this procedure, users' consents for the use of cookies and the associated processing of information, including specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated queries and to be able to provide proof of consent in accordance with legal requirements. Storage is server-side and/or in a cookie (so-called opt-in cookie) or by using similar technologies to assign consent to a specific user or their device. Unless specific information is provided on the providers of consent management services, the following general notes apply: The duration of storing the consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g., concerning categories of cookies and/or service providers), as well as information on the browser, system, and end device used; Legal bases: Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR).

Provision of the Online Offer and Web Hosting

We process the data of users to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or end device.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)). Security measures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR).

Further notes on processing, procedures, and services:

  • Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files." Server log files can include the address and name of the retrieved websites and files, date and time of retrieval, transferred data volumes, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to prevent server overloads (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and load of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sent. 1 lit. f) GDPR). Deletion of data: Logfile information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidence purposes is excluded from deletion until the final clarification of the respective incident.

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offer and may include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach measurement, we can, for example, recognize at what time our online offer or its functions or content are most frequently used or invite for reuse. Likewise, we can understand which areas need optimization.

In addition to web analysis, we may also use test procedures, such as A/B testing, to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles can be created for these purposes, i.e., data summarized for a usage process, and information can be stored and read in a browser or an end device. The collected data includes, in particular, visited websites and elements used there, as well as technical information, such as the browser used, the computer system used, and information about usage times. If users have agreed to the collection of their location data to us or to the providers of the services we use, location data may also be processed.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. Generally, clear data of the users (such as email addresses or names) is not stored as part of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the used software know the actual identity of the users, but only the information stored in their profiles for the respective procedures.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creating user profiles). Provision of our online offer and user-friendliness.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR).

Further notes on processing, procedures, and services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offer based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It is used to assign analysis information to a device to recognize which content users have accessed within one or more usage processes, which search terms they used, accessed again, or interacted with our online offer. The time and duration of use, as well as the sources of the users referring to our online offer, and technical aspects of their devices and browsers, are also stored. Pseudonymous profiles of users are created with information from the use of different devices, using cookies. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides rough geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is only used for this geolocation derivation before being immediately deleted. They are not logged, are not accessible, and are not used for further purposes. When Google Analytics collects measurement data, all IP queries are carried out on EU-based servers before traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sent. 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Third-country transfer basis: Data Privacy Framework (DPF); Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and processed data).

Created with the free privacy generator by Dr. Thomas Schwenke