I.       Controller

The controller in the meaning of the General Data Protection Regulation (GDPR) and the German Data Protection Act (Bundesdatenschutzgesetz – BDSG) is:

Marc Hinz-van Schwamen

pinMy.reviews

Yvonne-Georgi-Weg 5

30855 Langenhagen, Germany

Phone: +49 160 8900246

E-mail: [email protected]

II. General information on data processing

(1)          As a rule, processing of personal data only occurs insofar as it is necessary for the provision of a functioning service together with the content and related services. In general, processing only occurs after the data subject has given their consent. In an exceptional case, processing occurs without the consent of the data subject, if obtaining consent is impossible for actual reasons and the processing of the data is permitted by provisions of laws.

(2)          Article 6(1) a GDPR serves as the legal basis for the processing of personal data, provided that consent of the data subject has been obtained for the processing operations involving personal data.

Article 6(1) b GDPR serves as the legal basis for the processing of personal data if it is necessary for the fulfilment of a contract to which the data subject is party. This also applies for processing operations which are necessary for the implementation of pre-contractual measures.

Article 6(1) c GDPR serves as the legal basis for the processing of personal data if processing of personal data is necessary for the fulfilment of a legal obligation to which the company is subject.

Article 6(1) f GDPR serves as the legal basis for the processing of personal data insofar as the processing is necessary for the protection of a legitimate interest of the company or a third party and the interests, basic rights and basic freedoms of the data subject do not override that interest.

(3)          The personal data of the data subject is erased or blocked as soon as the purpose of the storage no longer pertains. Furthermore, storage may occur if it is required by relevant national or European regulations. Blocking or erasure of the data also occurs if a storage period provided for by the above-mentioned legal regulations ends, unless further storage of the data is necessary for the conclusion or performance of a contract.

(4)          The general Privacy Policy for our website is additionally applicable. It can be accessed at https://pinmy.reviews/privacy/.

III.     Use of the app

(1)          Each time the service is accessed the system automatically records data and information from the computer system of the accessing computer. The following data is collected in this context:

1. IP address
2. Date and time of the enquiry
3. Time zone difference relative to Greenwich Mean Time (GMT)
4. The content of the web page
5. Access status (HTTP status)
6. Transferred volume of data
7. Operating system

The data is stored in the system’s log files. That data is not stored together with other personal data of the user.

(2)          The legal basis for this is Article 6(1) f GDPR.

(3)          The collection and temporary storage of the IP address is necessary to enable the presentation of the website on your end device. For this purpose your IP address must be stored for the duration of the visit to the website. That data is not analysed for marketing purposes.

(4)          The data is erased when the respective session ends. If that data is stored in log files, this happens no later than after seven days. Further storage is possible, in which case the IP addresses of the users are erased or altered so that they can no longer to attributed to the accessing client.

(5)          Recording of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the provision of the website. There is thus no possibility of lodging an objection.

IV. Registration

(1)          Registration is necessary for the use of the service. The data is entered into an input form, transmitted and stored. It is not passed on to third parties. The following data is collected in the course of the registration process:

1. Surname and first name of the user
2. E-mail address
3. IP address of the accessing computer
4. Date and time of the registration
5. (if specified) industry

As part of the registration process consent is obtained from the user to the processing of that data, with reference to the Privacy Policy.

(2)          The registration serves the purpose of the fulfilment of a contract to which the user is party or the implementation of pre-contractual measures. The legal basis for the processing of the data is therefore Article 6(1) b GDPR.

(3)          Registration of the user is necessary in order to set up a customer account. It thus serves the purpose of identification of the user and the fulfilment of the usage contract for the service.

(4)          The data is erased as soon as it is no longer required for the achievement of the purpose for which it was collected. This is the case for the data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures if the data is no longer necessary for the performance of the contract. Also after conclusion of the contract it may be necessary to store personal data of the contract partner in order to fulfil contractual or statutory obligations.

(5)          Data subjects may modify user data in their user profile at any time. Insofar as the data is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, early erasure of the data is only possible if contractual or statutory obligations are not are opposed to such erasure.

V. Google My Business

(1)          When the functions of the application are used, data of the Google My Business API is accessed and used for the visualisation of ratings. In this context, the user’s Google access data is requested from Google in order to import the respective Google My Business entry. When the content of the Google My Business entry is accessed, personal data of the reviewer may be processed if it is specified in the rating itself, particularly the reviewer’s user name.

(2)          The legal basis for the processing of the data is consent of the data subject granted as part of the creation of the Google My Business account / the Google user account before the rating is submitted in accordance with Article 6(1) a GDPR. Insofar as personal data of the user of the app him/herself is affected, an additional legal basis for the processing is Article 6(1) b GDPR, as the processing of the above-mentioned data serves the purpose of the fulfilment of a contract to which the data subject is party.

(3)          The purpose of the processing is the provision of the service booked by the customer involving the visualisation of publicly accessible ratings.

(4)          The data is erased as soon as it is no longer required for the achievement of the purpose for which it was collected. This is the case for data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer necessary for the performance of the contract. Also after the conclusion of the contract it may be necessary to store personal data of the contract partner in order to fulfil contractual or statutory obligations (particularly retention periods under tax regulations).

(5)          We have no influence over the data processing at Google My Business of information entered by users. In particular, we do not collect any data from reviewers ourselves. In this respect Google alone is the controller for the processing. Information on the third-party provider: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

You can find further information on the use of data by Google, setting and objection options and data protection on the following Google website: https://policies.google.com/privacy?hl=en&gl=en.

VI. Sending newsletters with Sendinblue

We offer the option of subscribing to a newsletter. For sending the newsletter we use the newsletter service provided by Sendinblue. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Sendinblue is a service that can be used to organise and analyse the sending of newsletters.

To enable us to map proof of consent and delivery in compliance with the law, for each user profile which is created with an e-mail address confirmed via the double opt-in procedure we keep the following data concerning the events of registration, alteration, confirmation and delivery of the newsletter:

• E-mail address
• Date and time
• IP address

Sendinblue enables us to carry out statistical surveys, including conversion tracking, with regard to the newsletters. For that purpose, the newsletter e-mails contain web beacons or tracking pixels, i.e. single-pixel image files through which we can determine whether the newsletter e-mail has been opened and which hyperlinks in the e-mail have been clicked on.

You can prevent the data processing by not subscribing for the newsletter. You can withdraw your consent at any time by unsubscribing from the newsletter, in which case the above-mentioned data will be erased. In order to receive the newsletter again, re-registration is therefore necessary.

VII. Payment with Stripe

We work with payment service provider Stripe, Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, D02 H210, Dublin, Ireland. As part of the payment process we directly refer you to the Stripe website on which the payment is processed. The data to be entered by you on that site is not recorded, processed or stored by us. In this respect, exclusively Stripe’s privacy policy applies, which you can access at https://stripe.com/en-de/privacy.

VIII. Encrypted data transmission

All data is transferred via TLS technology over an encrypted connection. The certificate required for this, which is installed on the servers, was issued by an independent organisation.

An encrypted connection can be recognised by the fact that the address line of the browser switches from http:// to https://.

As soon as the encrypted TLS connection is created, your entries that you transmit to us can no longer be read by third parties.

IX. Rights of the data subjects

If personal data is processed, the users are “data subjects” in the meaning of the GDPR and are entitled to the following rights with respect to the controller:

1.         Right to information

The data subject may request confirmation from the controller as to whether personal data is processed.

If such processing occurs, the following information may be requested from the controller:

(1)          the purposes for which the personal data is processed;

(2)          the categories of personal data which are processed;

(3)          the recipients / categories of recipients with respect to which the relevant personal data has been or will be disclosed;

(4)          the planned duration of the storage of the personal data or, if it is not possible to provide specific information in that regard, criteria for the establishment of the storage period;

(5)          the existence of a right to rectification or erasure of personal data, a right to restriction of processing by the controller or a right to object to that processing;

(6)          the existence of a right to lodge a complaint with a supervisory authority;

(7)          all available information on the origin of the data if the personal data is not collected from the data subject;

(8)          the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and – at least in those cases – meaningful information on the logic involved, as well as the consequences and the intended effects of such processing for the data subject.

There is a right to request information as to whether the personal data is transmitted to a third country or international organisation. In this context, the person in question may request information on the appropriate guarantees referred to in Article 46 GDPR in connection with the transmission.

2.         Right to rectification

There is a right to rectification and/or completion with respect to the controller if the processed personal data is incorrect or incomplete. The controller must promptly carry out the rectification.

3.         Right to restriction of processing

Subject to the following conditions, the restriction of processing of personal data may be demanded:

(1)          if you dispute the correctness of the personal data for a period that enables the controller to check the correctness of the personal data;

(2)          the processing is unlawful and the erasure of the personal data is refused and instead the restriction of the use of the personal data is demanded;

(3)          the controller no longer needs the personal data for the purposes of the processing, but it is needed for the establishment, exercise or defence of legal claims, or

(4)          if an objection to the processing has been lodged in accordance with Article 21(1) GDPR and it is not yet clear whether the legitimate reasons of the controller override the reasons of the data subjects.

If the processing of the personal data has been restricted, that data, except for its storage, may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person for reasons of important public interest of the European Union or a member state.

If the restriction of the processing subject to the above conditions has been restricted, the data subject will be notified by the controller before the restriction is annulled.

4.         Right to erasure

a)         Erase requirement

There is a right to demand that the controller promptly erase the personal data, and the controller must promptly erase that data if one of the following reasons applies:

(1)          The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

(2)          The consent on which the processing is based under Article 6(1) a or Article 9(2) a GDPR is withdrawn and there is no other legal basis for the processing.

(3)          An objection to the processing is lodged in accordance with Article 21(1) GDPR and there are no overriding legitimate reasons for the processing, or an objection to the processing is lodged in accordance with Article 21(2) GDPR.

(4)          The personal data has been unlawfully processed.

(5)          The erasure of the personal data is necessary for the fulfilment of a legal obligation under EU law or the laws of the member states to which the controller is subject.

(6)                          The personal data was collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.

b)         Information to third parties

If the controller has made the personal data public and is obliged under Article 17(1) GDPR to erase it, taking account of available technology and the cost of implementation the controller must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to or copy or replication of that personal data.

c)         Exceptions

The right to erasure does not exist insofar as processing is necessary

(1)          for exercising the right of free freedom of expression and information;

(2)          for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3)          for reasons of public interest in the area of public health in accordance with Article 9(2) h and i and Article 9(3) GDPR;

(4)          for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)          for the establishment, exercise or defence of legal claims.

5.         Right to notification

If the right to rectification, erasure or restriction of the processing has been asserted with respect to the controller, it must notify all recipients to which the personal data has been disclosed of that rectification or erasure of the data or the restriction of the processing, unless this proves to be impossible or involves disproportionate expenses.

The data subject has a right with respect to the controller to be informed of those recipients.

6.         Right to data portability

Data subjects have the right to receive the personal data which has been provided to the controller in a structured, commonly-used, machine-readable format. They are also entitled to transmit that data to another controller without hindrance by the controller to which the personal data was provided, if

(1)          the processing is based on consent under Article 6(1) a GDPR or Article 9(2) a GDPR or on a contract in accordance with 7 and

(2)          the processing occurs with the aid of an automated process.

In exercising this right the data subject is further entitled to have the personal data transmitted directly by one controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be adversely affected as a result.

The right to data portability does not apply for processing of personal data which is necessary for the performance of a task in the public interest or for the exercise of official authority vested in the controller.

7.         Right to object

The data subject has the right to object to the processing of the personal data that occurs on the basis of Article 6(1) e or f GDPR at any time for reasons that arise from the particular situation of the data subject. This also applies to profiling based on those provisions.

The controller must then cease to process the personal data, unless it can provide proof of compelling reasons for the processing meriting protection that override the interests, rights and freedoms of the data subjects or the processing serves the purpose of the establishment, exercise or defence of legal claims.

If the personal data is processed in order to conduct direct advertising, the data subject has the right to object at any time to the processing of the personal data for the purposes of such advertising. This also applies to profiling, insofar as it is related to such direct advertising.

If the processing for the purposes of direct advertising has been objected to, the personal data will no longer be processed for those purposes.

In connection with the use of information society services, notwithstanding Directive 2002/58/EC, the option exists of exercising the right of objection by way of an automated process in which technical specifications are utilised.

8.         Right to withdraw the declaration of consent under data protection laws

The data subject has the right to withdraw the declaration of consent under data protection laws at any time. The withdrawal of consent does not affect the legality of the processing that occurred on the basis of the consent up to the time of the withdrawal.

9.         Automated decision-making in an individual case, including profiling

The data subject has the right to not be subjected to decision-making that is exclusively based on automated processing, including profiling, which produces legal effects with respect to the data subject or similarly significantly affects them. This does not apply if the decision-making

(1)          is necessary for entering into, or the performance of, a contract between the data subject and a data controller,

(2)          is authorised by European Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, or

(3)          occurs with the explicit consent of the data subject.

However, those decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2) a or g applies and suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject are in place.

With regard to the cases referred to in (1) and (3), the controller must implement suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10.      Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or the place of the alleged infringement if the data subject considers that the processing of personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged must inform the complainant on the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.