Privacy Policy

Effective Date: 18.05.2020

As the operator of this website, Buying Labs GmbH (“Buying Labs” or “we”) takes the protection of your personal data very seriously. Safeguarding your privacy when processing personal data is of utmost importance to us. Below, we would like to inform you about the data we collect and process when you visit our website (hereinafter also referred to as the “Website”) or use the services and offerings we provide (hereinafter referred to as “Services”).

Data Controller

The data controller in accordance with the EU General Data Protection Regulation (GDPR) is:

Buying Labs GmbH

Poststraße 9a

20354 Hamburg

[email protected]

Data Protection Officer

Our data protection officer is:

heyData GmbH

Schützenstraße 5

10117 Berlin

[email protected]

Contents

This Privacy Policy includes the following sections:

● Logging of Non-Personal Data When Using Our Website

● Collection and Use of Personal Data

● Legal Basis for Data Processing

● Transfer of Data to Third Parties

● Transfer of Data to Third Countries

● Storage Period and Deletion of Personal Data

● Your Rights

● Right to File a Complaint with the Supervisory Authority

● Data Security

● Contact Form

● Cookies

● Processors

● Profiling

● Changes to This Privacy Policy

● Contact

General Information:

Data is considered personal if it can be attributed to a specific or identifiable individual. This includes information such as name, postal and email addresses, or telephone numbers, but may also encompass usage data such as your IP address.

Logging of Non-Personal Data When Using Our Website

When you visit our website, information is stored and processed in a log file. This process is anonymized, making it impossible to trace back to you.

Depending on the access protocol used, the log record may contain the following:

● Date and time of the page access

● IP address of the requesting device

● Access methods/functions requested by the device

● Accessed function or the name of the retrieved file

● Operating system and browser type, or browser settings

● Amount of data transferred and a message indicating whether the access/retrieval was successful.

We cannot link IP addresses to any potentially existing personal data. The stored data is solely used to identify and track unauthorized access attempts to the web server, for statistical analyses such as visitor numbers and page popularity, and to improve our online services. This data is used exclusively by us and is not shared with third parties.

Collection and Use of Personal Data

To provide certain services, the collection of personal data is unavoidable. We collect and store your personal information (name, address, and company name) and contact details (e.g., email, phone numbers).

If you provide us with personal data for communication purposes, we will store this data only as long as necessary for the respective communication. Once the personal data is no longer needed for these purposes and no longer subject to retention obligations, it will be promptly deleted.

We use the collected data to respond to your inquiries, for customer service and support, and to comply with legal requirements. To provide our services, it may be necessary to share your personal data with companies that assist us in providing these services or processing contracts. These may include technicians, IT and hosting service providers, payment service providers, and operators of business management systems.

You can withdraw your consent to data processing at any time and object to the creation of user profiles. You may also object to the use of your personal data for postal marketing within the legally permissible scope. In both cases, an email to the following address is sufficient: [email protected].

Legal Basis for Processing

In accordance with Article 13 of the GDPR, we inform you about the legal basis for our data processing activities. The legal basis depends on the purpose for which the data is processed.

If you have given us your consent for the processing of your personal data, we base the data processing on your consent under Article 6(1)(a) GDPR.

However, processing your personal data may also be necessary for the fulfillment of a contract with you, for pre-contractual measures at your request, to provide our services, or to fulfill our legal obligations (Article 6(1)(a) to (c) GDPR). We also use your personal data under Article 6(1)(f) GDPR to pursue our legitimate interests, provided that your rights and freedoms do not override these interests.

Data Transfer to Third Parties

We do not transfer your personal data to third parties for purposes other than those listed below. We only share your data if and to the extent that:

● You have given explicit consent under Article 6(1)(a) GDPR,

● The disclosure is necessary for the assertion, exercise, or defense of legal claims under Article 6(1)(f) GDPR and there is no reason to assume that you have an overriding legitimate interest in preventing the disclosure of your data,

● A legal obligation exists under Article 6(1)(c) GDPR, or

● The disclosure is necessary for processing contractual relationships with you under Article 6(1)(b) GDPR, such as when we engage external service providers to support our business operations.

Our employees and partners are obligated to maintain confidentiality and comply with data protection regulations.

Data Transfers to Third Countries

If we share your personal data in accordance with this Privacy Policy, this may include transfers of your data to countries outside the European Economic Area (EEA). If we transfer your data to non-EEA countries, we ensure adequate protection by implementing at least one of the following safeguards:

● Transfer to countries that have been deemed by the European Commission to provide an adequate level of data protection (“adequacy decision”);

● Use of specific contracts approved by the European Commission ensuring the same data protection standards as within the EEA;

● Transfer to entities certified under the “Privacy Shield” framework, providing protection comparable to EU standards; or

● Transfer to organizations with binding corporate rules in place that align with EU data protection standards.

Retention Period, Deletion of Personal Data

The data we process is deleted or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless explicitly stated otherwise in this privacy policy, stored data will be deleted as soon as it is no longer required for its intended purpose and there are no legal retention obligations that prevent deletion. If data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Your Rights

You have various rights concerning data related to your person. You have the right to request, free of charge, information about the personal data we have stored about you. You also have the right to request correction or restriction of the processing of this data, and the right to object to its processing. Whether and to what extent these rights exist in individual cases and under what conditions they apply is determined by the GDPR and the Federal Data Protection Act. Additionally, under the GDPR, you generally have the right to data portability. Furthermore, if you have given your consent to the processing of your personal data, you can withdraw this consent at any time with future effect.

If you have any questions, comments, or requests regarding the collection, processing, use, or deletion of your personal data by us, please contact [email protected].

Right to Lodge a Complaint with the Competent Supervisory Authority

As a data subject, you have the right to lodge a complaint with the competent supervisory authority in the event of a data protection violation. The competent supervisory authority for data protection issues is the state data protection officer of the federal state in which our company is headquartered.

Data Security

For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses SSL or TLS encryption. This ensures that data you transmit through this website is not accessible to third parties. You can recognize an encrypted connection by the “https://” address line in your browser and the padlock symbol in the browser bar.

As part of hosting, all data related to the operation of this website is stored. This is necessary to enable the operation of the website. We process this data based on our legitimate interests pursuant to Article 6(1)(f) GDPR. To provide our services, we use web hosting service providers to whom we transmit the mentioned data.

Contact Form

Data submitted via the contact form, including your contact details, is stored to process your inquiry or to be available for follow-up questions. This data will not be shared without your consent.

The processing of data entered into the contact form is based solely on your consent (Article 6(1)(a) GDPR). You can revoke your consent at any time. A simple email is sufficient for revocation. The legality of data processing carried out before the revocation remains unaffected by the revocation.

Data submitted via the contact form remains with us until you request deletion, revoke your consent to storage, or the necessity for data retention ceases. Mandatory legal provisions – especially retention periods – remain unaffected.

Cookies

Our website uses cookies. These are small text files that your web browser stores on your device. Cookies help us make our offering more user-friendly, efficient, and secure.

Some cookies are “session cookies.” These cookies are automatically deleted at the end of your session. Other cookies remain on your device until you delete them. Such cookies help us recognize you when you return to our website.

You can disable cookies in your device’s system settings. However, disabling cookies may restrict some functionalities of our website.

The setting of cookies necessary for electronic communication processes or the provision of certain functions requested by you is based on Article 6(1)(f) GDPR. As the website operator, we have a legitimate interest in storing cookies to ensure the technically error-free and smooth provision of our services. If other cookies (e.g., for analytical purposes) are set, they will be addressed separately in this privacy policy.

Processors

DATEV

To create our invoices, we use DATEV’s accounting services based on Article 6(1)(b) GDPR. DATEV is located at Paumgartnerstr. 6 – 14, 90429 Nuremberg. When you book a service through us, we create the necessary invoices using DATEV’s online application. The necessary data for this process is transmitted to DATEV’s servers, including:

● Name

● Address

● E-Mail address

● Booking details

We have concluded a data processing agreement with DATEV under Article 28 GDPR, ensuring that DATEV processes user data only according to our instructions and in compliance with EU data protection standards. The data is deleted after statutory retention periods have expired. For further information, please refer to DATEV’s privacy policy.

Gmail, Google Drive, etc.

For customer and user surveys to improve our offerings, we use Google Forms. The data collected via Google Forms is stored in Google Drive. We also collect other data and files uploaded via other forms, which are also stored in Google Drive.

For more information on data processing with Google Forms and Google Drive, please refer to Google’s privacy policy: https://www.google.com/intl/en/policies/privacy/

Further instructions on managing your own data in connection with Google products can be found on the Google website https://www.dataliberation.org/.

Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects concerning you or significantly affects you. This does not apply if the decision:

(1) Is necessary for entering into or performing a contract between you and us,

(2) Is authorized by Union or Member State law with adequate safeguards, or

(3) Is based on your explicit consent.

Changes to This Privacy Policy

We reserve the right to amend this privacy policy at any time with future effect. The latest version is available on our website. Please check our website regularly for updates on our data protection policies.

Please also note that data protection regulations and practices of third parties, such as Stripe, may change continuously. It is therefore advisable and necessary to stay informed about changes in legal regulations and company practices on an ongoing basis.

Contact

If you have questions, comments, or requests regarding this privacy policy, please contact: [email protected].