Privacy
XO Life GmbH ("XO Life", "we", "us", "our") protects your privacy and your private data. With this data protection notice, we inform you how we handle data relating to you personally when you visit our websites (www.medwatcher.io, www.impactmonitor.io) and apps (MedWatcher, ImpactMonitor) in connection with the use of our ImpactMonitor platform (hereinafter "ImpactMonitor platform" or "platform"), e.g. name, e-mail address, but also information about your visit and use as well as data about your health.
1. Person responsible
Responsible for the collection and processing of your personal data within the meaning of Article 4 No. 7 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") is:
XO Life GmbH
Agnes-Pockels-Bogen 1
80992 Munich
Email: info@xo-life.com
Phone: +49 (0) 89 2154 7481
Further information can be found in the imprint.
For processing within the scope of individual, product-specific areas (see section 4) in the ImpactMonitor platform, we are in some cases jointly responsible within the meaning of Art. 26 GDPR with the providers of the product for which the respective area is set up ("provider"). The name of the provider can be found in the respective section.
As so-called joint controllers according to Art. 26 GDPR, we are jointly responsible for the processing of your data for the processing operations mentioned in section 4. To ensure your rights and taking into account the requirements of the GDPR, we have entered into an agreement that sets out rules on our joint processing of your personal data. We have agreed on how to ensure your rights and specified how we jointly fulfill our obligations under the GDPR. XO Life GmbH is available to you as a contact partner, in particular for the assertion of your rights under Section 10 of this data protection notice. However, you can contact any of the jointly responsible persons.
2. Data protection officer
If you have any questions about the processing of personal data by XO Life, you can contact our data protection officer:
XO Life GmbH
Agnes-Pockels-Bogen 1
80992 Munich
Email: datenschutz@xo-life.com
3. Data processing when visiting the MedWatcher website
3.1 Log files
In order to make our platform available and to ensure its functionality, the web server automatically records your visit in so-called server log files when you visit our platform. The following data is processed: Browser type and version, app version, the operating system used by the terminal device used, the IP address of the requesting terminal device, the access date and time of the server request, the duration of the visit to the platform, the amount of data transferred, the location from which the user retrieves data from the platform, connection data and sources and from which page the access is made.
Purpose
This data is processed for the purpose of providing our platform and for statistical evaluations as well as for the purpose of identifying and tracing unauthorized access to the platform and other criminal offenses.
Legal basis and legitimate interest
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests lie in ensuring IT security and the operation of our website.
Recipients
Recipients of the data are our hosting service providers.
Storage period
Log file information is stored from the end of your respective website visit and automatically deleted after a restart.
Right to object
Data processing is necessary for the security and operation of the website. You can exercise your objection by no longer accessing our website.
Obligation to provide data
The provision of the aforementioned personal data is neither required by law nor by contract. However, without the provision, the service and functionality of our website cannot be guaranteed. In addition, individual services may not be available or may be restricted.
3.2 General information on cookies
Cookies are small text files that can be used to identify the user's end device. Cookies are stored on your device when you use the ImpactMonitor platform. Cookies can transfer information from our web server or third-party web servers to the user's web browser, where it is stored for later retrieval. A cookie usually contains the name of the domain from which the cookie data was sent, as well as information about the age of the cookie and an alphanumeric identifier.
Purpose
We use cookies to ensure the proper functioning of the website and to optimize your website experience.
Legal basis and legitimate interest
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests consist in the technical provision and guarantee of the operation of our website and IT security as well as in the optimization of the presentation of our offer and direct marketing measures. No processing of personal data in connection with analysis or tracking takes place on our platform for which we require your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Recipients
In addition to the individual transfers described below, we only pass on your data to our IT and hosting service providers for a strictly limited purpose - if necessary at all - and only to the extent necessary.
Storage period
We store the data for as long as it is required to fulfill the aforementioned purpose or until you delete the cookies.
Option to object
Insofar as the data processing is based on the legal basis of Art. 6 para. 1 sentence 1 lit. a GDPR, you have the right to revoke your consent at any time. You can do this by withdrawing your consent as described for the respective technology in section 3 or by deleting the cookies in your browser. If the data processing is based on the legal basis of Art. 6 para. 1 sentence 1 lit. f GDPR, you can object to the data processing. You can exercise your right to object by configuring your browser according to your wishes, for example, so that no cookies from third parties (so-called third-party cookies) or no cookies at all are stored or a message always appears before a new cookie is created. In addition, cookies that have already been saved can be deleted at any time via the browser.
You can find out how to configure cookies for the common browsers under the following links:
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Chrome: https://support.google.com/chrome/answer/95647?hl=de&hlrm=en
Safari: https://support.apple.com/de-de/guide/safari/sfri11471/13.0/mac/10.15
Opera: https://help.opera.com/de/latest/web-preferences/#cookies
Obligation to provide data
The provision of your personal data is neither legally nor contractually required. However, without the provision, the service and functionality of our website may not be guaranteed. In addition, individual services may not be available or may be restricted.
3.3 Stability testing and monitoring by Sentry
We use the Sentry tool from Functional Software, Inc, 132 Hawthorne Street, San Francisco, California 94107, USA ("Sentry") to improve the technical stability of our services by monitoring system stability and detecting code errors. Sentry is used to collect information about crashes and malfunctions of our services on your device. Your IP address is only collected in a shortened, anonymized form and transmitted to Sentry's servers together with technical data of the end device (such as operating system version, screen resolution, device ID).
Purpose
With the help of Sentry, we are able to monitor system stability and detect code errors.
Legal basis and legitimate interest
Data processing is based on our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is to create a website that works as error-free as possible and to maintain the security and stability of our website. By anonymizing the IP address, the interest of the user is sufficiently taken into account.
Recipient / transfer to a third country
If necessary, your data will be transferred to Sentry servers in the USA and stored there in the event of an error message. The transfer is secured by an order processing agreement. Information on data protection at Sentry can be found here: https://sentry.io/privacy/.
Storage period
Data will only be stored for as long as is necessary for the (error) analysis of your specific access.
Option to object
Data processing is necessary for the security and operation of the website. You can exercise your objection by no longer accessing our website.
Obligation to provide data
You provide your data voluntarily. However, it is not possible to visit our website without us carrying out an error analysis.
3.4 Web analysis (Matomo)
We use the open source software Matomo from InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, to analyze and statistically evaluate the use of the platform ("Matomo"). Matomo places a cookie on the user's end device. This records three bytes of the IP address, the page called up, the so-called referrer URL (the website from which the user came to the page called up), sub-pages called up, the duration and frequency of the platform visit. During your visit, Matomo records a so-called device fingerprint: This retrieves information about your browser, the operating system you are using and also any do-not-track settings. In addition, location, time and audio settings, screen resolution or installed browser plug-ins can be recorded. The device fingerprint data is anonymized. Matomo runs exclusively on the servers of our platform. The information collected is only stored there. We have configured Matomo so that the IP address is not stored in full and the last byte is masked (e.g. 192.168.1.x). It is no longer possible to assign the shortened IP address to you or your end device.
Purpose
The information is used to evaluate the use of the website and to enable a needs-based design of our offers and to optimize them.
Legal basis
The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest is that we analyze your activities on the website in order to optimize our offer. By anonymizing the IP address, the interest of users in the protection of their personal data is adequately taken into account.
Recipient
Our platform, including Matomo, is provided by our hosting service provider as part of order processing. The information is not passed on to third parties, as we store the data locally.
Storage period
The cookies are stored for up to one year.
Option to object
You can prevent the collection of data generated by the cookie and related to your use and the processing of this data by Matomo by configuring your browser or device accordingly.
Obligation to provide your data
The provision of your data is voluntary. We would like to point out that if you object to the use of Matomo, you may not be able to use the website or may not be able to use it to its full extent.
3.5 Push notifications through OneSignal
To send push notifications in our iOS and Android apps, we use the technology of the provider OneSignal, 201 San Antonio Circle Suite #140, Mountain View, CA, USA. OneSignal has undertaken to comply with the EU-US Privacy Shield Agreement between the EU and the USA on the collection, use and storage of personal data from EU member states by obtaining EU-US Privacy Shield certification from the US Department of Commerce. We do not send any personal data to OneSignal. The IP address of the device/browser from which the visit is made is not stored on the OneSignal servers by users in the EU. In order to be able to send you push notifications, it is necessary that non-personal data, such as a message, is transmitted to the OneSignal servers. The data collected by the OneSignal SDK is as follows: First Session Time, Last Session Time, the operating system of the device/browser, the language the device/browser reports, whether push notifications are enabled or disabled on the device/browser, the version of the application the user ran in the last session, the name of your mobile application, the mobile carrier used by the device, and the model name of the device/browser. We also send usage-related data, such as the time at which a questionnaire was completed, to OneSignal in the form of a tag. We use this data to send you push notifications that are as relevant and tailored as possible. You can find more information here: https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk
Purpose
After you log in to your account for the first time, we will ask you for your consent to receive push notifications on your smartphone. The push notifications are sent to alert you to news. Consent is given by device. If you consent, you will regularly receive push notifications from our app.
Legal basis
The legal basis for the use of push notifications is your consent (Art. 6 (1) lit. a GDPR).
Recipient
The above data, which relates to the creation of segments for sending push notifications, is sent to OneSignal in the form of a tag.
Storage period
Records of notifications sent via OneSignal's API are deleted approximately 30 days after delivery.
Option to object
You have the option to unsubscribe from push notifications at any time if you no longer wish to receive them. You can unsubscribe from push notifications in your smartphone settings.
Obligation to provide your data
The provision of your data is voluntary. We would like to point out that if you object to the use of push notifications, you will not be able to use some features or will not be able to use them to their full extent. One example of this is the reminder function for taking tablets.
4. Data processing when using the ImpactMonitor platform
You can add and use various areas on the ImpactMonitor platform. We provide you with our MedWatcher as a general area. You can add further areas that are suitable and relevant for you. These include product and therapy-specific ImpactMonitor areas ("product area") that have been set up for a specific product at the request of the provider. As a user of the product, you have the option of adding and using the corresponding product area in the ImpactMonitor platform.
4.1 Log files
In order to make the ImpactMonitor platform available and to ensure its functionality, your visit to the ImpactMonitor platform is automatically recorded in so-called server log files. The statements in section 3.1 apply accordingly with the proviso that less data is processed in the ImpactMonitor platform, namely: browser type and version, app version, the operating system used by the terminal device used, the IP address of the requesting terminal device in anonymized form (192.168.1.1 becomes 192.168.1.x) as well as the access date and time of the server request and the amount of data transferred. Anonymized log files are not deleted.
4.2 Operation of the ImpactMonitor platform
For the operation of the ImpactMonitor platform via web app, the explanations in Section 3.2 (Cookies), Section 3.3 (Sentry) and Section 3.4 (Matomo) apply accordingly.
4.3 Registering a user account
To be able to use the ImpactMonitor platform, you must register as a user with a user account. If you have registered a user account for a product area or the MedWatcher, you can use this user account for the entire ImpactMonitor platform, including all other areas added by you. To register, we process your e-mail address and the password you have assigned. You can add information to your user account in the further course of use. This includes demographic data (age, place of residence) and data on medication taken, medical products and cosmetics used and existing medical conditions, if you provide information on these.
Purpose
The data is processed in order to create your user account in the ImpactMonitor platform in accordance with the user contract with you.
Legal basis
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR, as we need the data for the purpose of fulfilling the user contract with you. If we process your health data within the meaning of Art. 4 No. 15 GDPR, in particular information on medication or medical conditions, the legal basis for this is your express consent in accordance with Art. 9 para. 2 lit. a GDPR.
Recipients
Your data will be passed on to our IT service providers as part of order processing, insofar as this is necessary.
Storage period
We process your data until you withdraw your consent by deleting individual details or your user account.
Revocation option
You have the option to withdraw your consent at any time by removing individual details about yourself from your profile or deleting your entire user account.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, it will not be possible to create or link your user account.
4.4 Using the functions of the ImpactMonitor platform
As a registered user, you have the opportunity to use the various functions of the ImpactMonitor platform. You can provide information on the medication you are taking, other pharmaceutical products or (medical) products used and add clinical pictures. You can add product areas based on your details. Based on your details, MedWatcher and the product areas will suggest suitable questionnaires for you to answer. In this way, you can obtain information on the experiences of users with similar clinical pictures or indications (peer statistics). In the ImpactMonitor platform, you also have the option of directly reporting side effects of the product. We process your activities in the ImpactMonitor platform to show you your progress in our Achievement Program and reward you with points from our points system. In addition, you will receive relevant or interesting information and content about providers, products and product areas. Finally, you have the opportunity to communicate with us, providers or peers by making use of existing interaction features.
Purpose
The data is processed in order to create your user account in the ImpactMonitor platform in accordance with the user contract with you.
Legal basis
If we process health data from you within the meaning of Art. 4 No. 15 GDPR, the legal basis for this is your express consent in accordance with Art. 9 para. 2 lit. a GDPR. For the remaining data, the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR, as we process the data for the purpose of fulfilling the user contract with you.
Recipient
Your data will be passed on to our IT service providers as part of order processing, insofar as this is necessary. If you use the interaction functions, people to whom you send messages can view the data transmitted in the message. Registered users can see your public reactions or comments.
Storage period
We process your data until you withdraw your consent by deleting individual details, messages, reactions or comments or your user account.
Option to withdraw consent
You can withdraw your consent at any time by removing individual details about yourself from your profile, messages, reactions or comments or by deleting your entire user account. Data from analyses that have already been carried out cannot be deleted.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, not all functions of the ImpactMonitor platform may be available to you.
4.5 Pseudonymization and anonymization
We pseudonymize and anonymize your personal health data from your user profile and the health data you provided as part of answering questionnaires (see section 4.4). Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be assigned to an identified or identifiable natural person. Anonymization involves changing your data in such a way that it can no longer be assigned to your person or can only be assigned with a disproportionately large technical effort. Pseudonymization and also anonymization of your data can, however, never completely rule out the subsequent assignment of information to your person via other sources, e.g., information you provide in social media. A residual risk of traceability to your person therefore remains. This is particularly the case if you publish genetic or other health data yourself, e.g. for genealogical research on the Internet. If your data should fall into unauthorized hands despite extensive technical and organizational protective measures and a reference to your person is then made despite the absence of name information, a discriminatory or otherwise harmful use of the data for you and possibly also close relatives cannot be ruled out.
Purpose
We anonymize your data for statistical purposes, in particular to provide you with statistical evaluations in the form of peer statistics (see section 4.4). We also use anonymized data for our own statistical purposes, in particular for product improvement, as well as to provide anonymized overviews to providers (see section 4.6). We pseudonymize your data in order to be able to analyze it for our own statistical purposes, in particular for product improvement, as well as to be able to provide it to providers relevant to you (see section 4.6).
Legal basis
The legal basis for the pseudonymization, anonymization and analysis of your health data within the meaning of Art. 4 No. 15 GDPR for this purpose is your express consent pursuant to Art. 9 (2) lit. a GDPR.
Recipients
Your data will be passed on to our IT service providers as part of order processing, insofar as this is necessary.
Storage period
We will process your data until you revoke your consent by deleting individual details about yourself or your user account. We cannot delete anonymized data because it can no longer be assigned to you.
Revocation option
You can revoke your consent at any time by deleting individual details about yourself from your profile or your entire user account.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, not all functions of the ImpactMonitor platform may be available to you.
4.6 Aggregation and transmission of data to providers
As a user of the ImpactMonitor platform, you are a user of medicines, medical devices or other pharmaceutical, cosmetic or medical products. Providers, i.e. manufacturers or distributors of these products (e.g. pharmaceutical companies, medical device manufacturers or other companies in the life science industry) or members of the medical profession, self-help groups or research institutions, have an interest in the (health) data you provide when using the ImpactMonitor platform, in particular when answering questionnaires (see section 4.2), e.g. to conduct market research, carry out or validate product safety checks or for scientific research purposes. In order to be able to offer you the free functions of the ImpactMonitor platform, we therefore only pass on your data, including adverse reaction reports, to providers in pseudonymized and anonymized form (see section 4.3). In doing so, we ensure that providers cannot identify you and cannot assign the transmitted data to you personally. If you use several product areas in the ImpactMonitor platform, your data from the various product areas will be merged before transmission in order to give providers a more comprehensive picture of the use of their products and thus increase patient safety. Providers will still not be able to identify you. You will not be involved in any commercial benefit that may result from the processing of your data.
Purpose
We process your pseudonymized and anonymized (health) data in order to transmit it to providers.
Legal basis
The legal basis for the processing of your health data within the meaning of Art. 4 No. 15 GDPR for this purpose is your express consent pursuant to Art. 9 para. 2 lit. a GDPR.
Recipients
Recipients of your data are our IT service providers as well as the aforementioned providers in countries of the European Union or the European Economic Area or in other countries where the European Commission has determined an adequate level of data protection, in particular pharmaceutical companies, medical device manufacturers and other companies in the life science industry as well as members of medical professions, self-help groups and research institutions for whom your data is relevant.
Storage period
We only transfer your data until you withdraw your consent by deleting individual details about yourself or your user account. We cannot delete anonymized data as it can no longer be assigned to you.
Option to withdraw consent
You have the option to withdraw your consent at any time by deleting individual personal details from your profile or your entire user account.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, not all functions of the ImpactMonitor platform may be available to you.
4.7 Communications
Under certain circumstances, we may send you e-mails to introduce you to our products and services or exciting new offers, possibly to give you a little treat with a voucher or to determine your satisfaction. You will receive these advertising e-mails without having to give your consent if we receive your e-mail address from you in connection with the registration of a user account and you have not objected to receiving advertising e-mails. In this case, we may send you advertising about our services that are similar to the services you have used or relate to these services. If you give your consent in your system or device settings, we will also send you messages via push and browser notifications in the ImpactMonitor platform. If you have given your consent to the processing of your health data for advertising purposes, we can send you advertising tailored to your needs. We can then inform you, for example, about new product areas for indications you have specified or products you use.
Purpose
We send you messages for the purpose of direct marketing to inform you about our offers and services.
Legal basis and legitimate interest
The legal basis for the processing of your data for sending the emails, for which we do not require consent, is Art. 6 para. 1 lit. f GDPR. Our legitimate interests consist in sending you advertising in the form of direct marketing. Based on the existing contractual relationship between you and us and the information provided by us in this privacy policy, we assume that you consent to the advertising we send you, in particular because you can unsubscribe at any time by simply clicking at the end of the email if you are not interested. The legal basis for the communications by means of push and browser notifications is your consent in accordance with Art. 6 para. 1 lit. a GDPR. The legal basis for the processing of your health data is your consent in accordance with Art. 9 para. 2 lit. a GDPR.
Recipient
We pass on your data to our IT service providers strictly for the intended purpose, if at all necessary and only to the extent required in the context of order processing.
Storage period
Your data will be stored for the sending of communications for as long as it is required for this purpose or until you object to the processing of your data for this purpose or revoke your consent.
Option to object/revoke consent
You can unsubscribe from our emails at any time. For this purpose, you will find a corresponding opt-out link in every advertising email. You can deactivate push and browser notifications in your device or system settings.
Obligation to provide your data
We receive your email data as part of the contractual relationship between you and us. It is not possible to create a user account without providing this data. However, you can object to the processing of your data for the purpose of sending e-mails at any time in accordance with the above information. Consent to receive push and browser notifications is voluntary.
5. Data processing when contacting us via e-mail or telephone
You can contact us via the e-mail addresses and telephone numbers provided by us. If you make use of this option, your personal data transmitted with the e-mail or by means of a telephone call will be processed.
Purpose
We process your data for the purpose of processing your inquiry.
Legal basis and legitimate interest
If the purpose of contacting you is to conclude a contract or if your contact concerns an existing contract, Art. 6 (1) lit. b GDPR is the legal basis for the processing. The legal basis for processing your data in the other cases is Art. 6 para. 1 sentence 1 lit. f GDPR. The legitimate interest in these cases results from the fact that we can only perform the action requested by you (e.g. answering inquiries) by processing your data accordingly.
Recipients
In the course of processing your inquiry, your data will be transmitted to our IT and service providers as well as to our employees who process your inquiry as part of order processing.
Duration of storage
We generally store your data until we have completely answered your inquiry.
Possibility of objection
The data processing is necessary for processing your inquiry. You can prevent us from collecting your data by not sending us an inquiry.
Obligation to provide your data
There is no legal obligation to provide your data. However, if you do not provide us with your data, it is already not possible to contact us or not via any means of communication.
6. Further information on XO Life
For more information about XO Life, visit www.xo-life.com.
7. Data security
During your visit to our website (section 3), we use the common TLS (Transport Layer Security) procedure in conjunction with the highest encryption level supported by your browser. We use HTTP Strict Transport Security (HSTS) and automatic forwarding to ensure that all pages of our website are transmitted in encrypted form. You can recognize this by the closed display of the key or lock symbol in the lower status bar of your browser. When data is stored, it is protected on the storage medium using modern encryption methods. We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
We maintain the highest security standards, particularly in connection with the processing of your data in the ImpactMonitor platform (section 4). In addition to the pseudonymization and anonymization of data (section 4.5), our servers are provided in ISO 27001 certified data centers in Germany.
Despite the high data security standards we have established, a residual risk to the security of your personal data can unfortunately not be completely excluded.
8. Transfer to a so-called third country
Unless otherwise stated in this Privacy Notice, we do not transfer your data to countries outside the European Economic Area.
9. How long we store your personal data
Unless a shorter storage period results from the other provisions of this data protection notice, we store your personal data only for as long as is necessary to fulfill the respective purposes, and thereafter only to the extent that we are obligated to do so due to mandatory statutory retention obligations. If we no longer need your data for the purposes described in this data protection notice, it will only be stored during the respective statutory retention period and not processed for other purposes.
10. Your rights
If we process your personal data, you have the following rights against us:
10.1 Right to information
You may request confirmation from us as to whether personal data concerning you is being processed by us. If such processing exists, you can request information from us about the information listed in Art. 15 GDPR. If you exercise your right without telling us what specific information you want, we will provide you with all the information pursuant to Art. 15 GDPR.
10.2 Right of rectification
You have a right against us to have your personal data corrected or completed if the processed personal data concerning you is inaccurate or incomplete.
10.3 Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
- If you dispute the accuracy of the personal data concerning you. This applies for a period of time that allows us to verify the accuracy of the personal data.
- The processing is unlawful. You object to the erasure of the personal data and instead request the restriction of the use of the personal data.
- We no longer need your personal data for the purpose of processing. However, you need them for the assertion, exercise or defense of legal claims.
- If you have objected to the processing pursuant to Article 21 (1) GDPR and it is not yet clear whether our legitimate grounds for further processing override your interests.
If the processing of personal data concerning you has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If the processing has been restricted in accordance with the above-mentioned conditions, you will be informed by us before the restriction is lifted.
10.4 Right to deletion
10.4.1 Obligation to delete
You may request us to delete the personal data concerning you without delay. For our part, we have a duty to delete this data without delay if one of the reasons listed in Art. 17 GDPR applies. Anonymous data cannot be deleted.
10.4.2 Information to third parties
If we have made the personal data concerning you public in an individual case and we are obliged to erase it pursuant to Article 17 (1) of the GDPR, we shall take reasonable measures, including technical measures, taking into account the available technologies and the costs of implementation, to inform the data controllers processing the personal data that you, as the data subject, have requested them to erase all links to or copies or replications of such personal data. However, as a matter of principle, we do not make your personal data public.
10.4.3 Exceptions
The right to erasure does not exist insofar as the processing of personal data concerning you is necessary
- for the exercise of the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or German law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the field of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Art. 89(1) GDPR, insofar as the erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
- to assert, exercise or defend legal claims.
10.4.4 Right to information
If you have asserted the right to rectification, erasure or restriction of processing of your personal data against us, we are obliged to notify all recipients of your personal data of this rectification or erasure of the data or restriction of processing. This does not apply if the notification proves impossible or would involve a disproportionate effort. You have the right against us to be informed about these recipients.
10.5 Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller, provided that:
- the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and
- the processing is carried out with the aid of automated procedures.
If you so request and insofar as it is technically feasible for us and the freedoms and rights of other persons are not thereby impaired, we shall transfer the personal data relating to you directly to the other controller.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
10.6 Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to the creation of user profiles based on these provisions.
We will no longer process the personal data concerning you after your objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purposes of such marketing; this also applies to user profiling insofar as it is related to such direct marketing.
10.7 Automated decision-making in individual cases including user profiling
Where certain decisions on our part are based solely on automated processing - including user profiling - you have the right not to be subject to such a decision which produces legal effects concerning you or similarly significantly affects you. However, this does not apply if:
- the decision is necessary for the conclusion or performance of a contract between you and us,
- the decision is permitted by Union or German law and that law contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
- this form of decision-making is carried out with your explicit consent.
10.8 Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of data protection law, including the GDPR.
10.9 Revocation of consent given
If you have given your consent under data protection law, you have the right to revoke this consent at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. If you have given several declarations of consent under data protection law, please tell us which of the consents you are revoking. If we do not receive such a specification even upon request, we will assume that your revocation applies to all consents granted up to that point. We will then terminate the data processing activities based on the consents.
11. links to third party websites
Please note that our website may contain links to content of other providers to which this data protection notice does not apply. We have no influence on these websites and also not on whether they comply with the applicable data protection provisions.
12. updating the data protection information
The constant development of technology and the Internet makes it necessary to adapt our data protection information from time to time. We reserve the right to change this data protection notice at any time with effect for the future. The latest version is available on our platform. Please visit the platform regularly and inform yourself about the current data protection information.
Last update: April 2024