Effective date: May 2022
SECT.1 - GENERAL INFORMATION
Lofelt GmbH, with registered office at Oppelner Str. 27, 10997 Berlin, Germany, registered at Amtsgericht Berlin-Charlottenburg, HRB 159157 B (hereinafter “Lofelt”, “Us”, “We” or “Our”), knows how important privacy is to its customers (hereinafter “You” or “Your”), and strives to be clear about how personal data is collected, used and disclosed.
We act as “Data Controller” of your Personal Data.
You can contact our data protection officer at [email protected]
“Data Controller” means the entity (in most cases, an organisation, but sometimes a person) that directs the reason why Personal Data is processed in the first place, and it is the entity that first receives Personal Data and is responsible for it.
“Process”, “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity (again a person or organisation, etc.) that actually does the processing or analysis of Personal Data on behalf of the Data Controller.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
SECT.2 - PERSONAL DATA WE PROCESS
When You access the Site and use our Services, We may collect the following Personal Data:
2.1 Information You provide Us. When using this website or any of Our Services, You may, through various means (e.g., e-mail, website contact form, sign-on through our Services, etc.), voluntarily provide Us Personal Data and/or other information containing Personal Data. In particular, the said Personal Data include: (i) Contact Data provided by You in case You contact Us by email or any other available means; (ii) Account Data provided by You when You register Your user account for the use of the Services, such as: email address, first name, last name, billing information, payment information; (iii) Content Data like information, text, message, software, picture, sound, video, haptic effect, music and any library, data, content or material transmitted or conveyed through the Services.
2.2 Technical Data. From all visitors of our websites, we get information about their IP address, proxy server, operating system, web browser and add-ons, device identifier and features, number of sessions, language and location.
If you log in, we log Your visits and use of Our Services, such as Your interaction with content thereof, Your user status (active/inactive), Your last session, etc. To such purpose, We use log-ins, cookies, device information and internet protocol addresses to identify Your and log Your use.
SECT.3 - PURPOSES AND LEGAL BASIS OF THE PROCESSING
3.1 Purposes. Personal Data above will be processed by Us for the purposes and legal basis specified below (hereinafter, collectively, the “Purposes”):
Personal Data involved as defined in Sect. 2.1
To carry out Our obligations arising from any contracts entered into between You and Us and to provide You with the Services that You requested from Us (e.g., create and manage Your account, provide Our Services, provide information, etc.), including the continuation of the Services in the event of any merger, acquisition, divestiture or similar transactional activity.
This Processing is necessary for the performance of our mutual contractual obligations.
To communicate with You to verify Your account and for informational and operational purposes (e.g., account verification, account management, customer service, system maintenance), including by periodically emailing you Services-related announcements.
This Processing is necessary for the performance of our mutual contractual obligations and/or based on a legitimate interest pursued by Us.
To give You access to Our support and customer care services and to enable You to communicate with Our team as well as in case of any related legal dispute.
This Processing is necessary for the performance of our mutual contractual obligations, and/or necessary for our legitimate interest of the establishment, exercise or defense of legal claims.
To report, measure the Services’ operation, features and performance (e.g., diagnose or fix technology problems).
This Processing is based on a legitimate interest pursued by Us.
Marketing: To provide You with information and/or Services that You requested from Us (e.g., process the subscription to Our newsletter, etc.).
This Processing is based on Your consent.
To ensure compliance with any applicable law (including the GDPR) and our terms and conditions as well as in case of any related legal dispute.
This Processing is necessary for the performance of our mutual contractual obligations, compliance with Our legal obligations and/or our legitimate interest of the establishment, exercise or defense of legal claims.
3.2 Obligation to provide data. Providing Personal Data for the above-mentioned purposes is required to use this website or Our Services. Without this data, we may not be able to establish and/or continue a contractual relationship with You, or to fulfil Your requests, or to comply with legal obligations to which We are subject.
3.2 Automated decision-making. Automated decision-making does not take place on Our Services.
SECT.4 - DATA RETENTION PERIOD
Personal Data collected by Us will be processed for the time strictly necessary to achieve the purposes referred to in above. In particular: (i) Personal Data needed for the provision of Our newsletter service will be processed until You decide to unsubscribe; (ii) Personal Data needed for the provision of our Services will be processed until the lapse of six (6) months from the end of the account termination; (iii) Personal Data whose retention is mandatory under the applicable laws (e.g., tax laws, bookkeeping, etc.) will be retained for a period necessary or permitted to comply with such laws, which may take up to 10 years.
SECT.5 - SECURITY MEASURES
Appropriate technical and organisational measures have been put in place to protect your data.
SECT.6 - RECIPIENTS OF YOUR PERSONAL DATA
6.2 Third-party service providers or consultants. We engage certain trusted third parties to perform functions and provide services to Us, including hosting and maintenance, e-mail, web analytics, database storage and management, operations, customer relationship, and advertising operations. Here is a list of service providers involved in any user-data related operations grouped by scenario, to make this policy easier to understand: lofelt.com/infrastructure-providers-and-subprocessors.
6.3 Third parties required by laws or authorities. We may disclose Your Personal Data to a third party if: (i) We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request (including to meet national security or law enforcement requirements), or (ii) to protect ourselves, Our customers, or the public from harm or illegal activities.
6.4 Third Parties recipients of anonymised, de-identified and aggregated data. We may transform Your Personal Data in such a manner (i.e., through anonymisation, de-identification and aggregation) that these data can no longer be attributed to You. Such anonymised, de-identified or aggregated data will be shared to third parties for various purposes, including for business or marketing purposes or to assist third parties in understanding Our users’ interest, habits and usage patterns for certain programs, content, services and functionalities of our Site and/or Services.
6.5 Sharing of personal data in the event of merger, acquisition, divestiture or similar transactional activity. We may disclose Your Personal Data to a third party (including to a buyer, investor and its legal counsel) in the event of or related to a business acquisition or other changes to Our business portfolio or Our Services, including merger, acquisition, divestiture or similar transactional activity. In each case such third parties may be seated outside the European Economic Area, in which case We will adhere to legal requirements for international data transfers (see Sect. 7 below in this regard).
SECT.7 - WHERE YOUR PERSONAL DATA MAY BE TRANSFERRED
We will ensure that the jurisdiction in which the recipient third party is located ensures an adequate level of protection of Your Personal Data; if it is not the case, our non-EU service providers mentioned in Sect. 6 above shall be signatories of a data transfer agreement which shall include the “Standard Contractual Clauses for data transfers between EU and non-EU countries” adopted by the European Commission.
SECT.8 - YOUR RIGHTS
8.1 Right of access. You are always entitled to receive confirmation as to whether Your Personal Data is being processed or not and, where that is the case, access and receive a copy of such Personal Data in an intelligible form. Furthermore, You are also entitled to receive information concerning: (i) the purposes of the processing; (ii) the categories of Personal Data concerned; (iii) the recipients (or categories thereof) to whom the Personal Data have been or will be disclosed; (iv) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from Us the rectification or the erasure of Personal Data or the restriction of the Processing of Your Personal Data or to object to such processing; (vi) the right to lodge a complaint with a Supervisory Authority; (vii) the source of the Personal Data; (viii) the existence of automated decision-making; (ix) where Personal Data is transferred to a third country or to an international organization, the appropriate safeguards relating to the transfer.
8.2 Right to withdraw consent. You are always entitled to withdraw, at any time, Your consent to the Processing of Your Personal Data. The preceding will not affect the lawfulness of Your Personal Data Processing based on consent before the withdrawal.
8.3 Right to rectification, erasure and restriction. You are always entitled to obtain from Us, without undue delay: the rectification or integration of Your Personal Data that are inaccurate or incomplete; the erasure of Your Personal Data that have been processed unlawfully or whose retention is unnecessary for the Purposes; the restriction of Processing, in case You challenge either the accuracy of Your Personal data or the lawfulness of the Processing, or in case We no longer need the Personal Data for the Purposes, but they are required by you for the establishment, exercise or defence of a legal claim.
8.4 Right to data portability. You have the right to receive Your Personal Data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from Us, where technically feasible.
8.5 Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects. We may use automated decision-making only if it is authorized by legislation and if You have provided Us with an explicit consent or if it is necessary for the performance of a contract. You can always request a manual decision-making process instead, express Your opinion or contest decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect You.
8.6 Right to lodge a complaint. You have the right to lodge a complaint before the Supervisory Authority, if You believe that the Processing of Your Personal Data is against the GDPR. The Supervisory Authority competent for Us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (located at Friedrichstr. 219, 10969 Berlin, tel.: +49 (0)30 13889-0, fax: +49 (0)30 2155050, email: [email protected])
8.7 Right to object:
You have the right to object at any time to processing of Your personal data which is based on our legitimate interest under Article 6(1) (f) GDPR.
8.8 Contacts. Requests to exercise the rights above can be sent by e-mail to [email protected] or by post to Lofelt GmbH, Oppelner Str. 27, 10997 Berlin, Germany. Any access request is always completed within one (1) month; however, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two (2) further months. If this is the case, We will write to You within one (1) month and keep You informed of the delay and the reasons thereof.
SECT.9 – COOKIES and similar technologies
The cookies that We use are strictly necessary to enable You to use Our website and the services offered on it. The legal basis for the processing of Your data in this regard is Section 25(2) no. 2 Telecommunication Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutz-Gesetz, TTDSG). The following table indicates which cookies We use and why We use them:
Protects our authorisation services subdomain from being accessed by bots.
Enables authenticated sessions for users by implementing the Auth0 session layer.
Guards against CSRF attacks. A fallback cookie for single sign-on on browsers that don’t support the sameSite=None attribute.
Device identifier for attack protection.
Fallback cookie for anomaly detection on browsers that don’t support the sameSite=None attribute.
Enables Lofelt to maintain url state and data between pages so functionality is properly displayed
Enables Lofelt to maintain authentication, permission and product subscription state between pages so functionality is properly displayed.
Used by Stripe fraud prevention and is required when using Stripe payment services.
Used by Stripe for fraud prevention and is required when using Stripe payment services.
SECT.10 - AMENDMENTS TO THIS POLICY