Privacy policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The privacy statement applies to all processing of personal data carried out by us, both as part of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: 30 April 2024

Table of contents

• Preamble

• Responsible

• Contact information of the Data Protection Officer

• Overview of the processing

• Relevant legal bases

• Security measures

• Transmission of personal data

• International data transfers

• Data deletion

• Rights of the data subjects

• Reading and saving information on your end device

• Provision of the online offer and web hosting

• Collaboration tools

• Special notes on applications (apps)

• Purchase of applications via app stores

• Registration, login and user account

• Community functions

• Processing of Image Information, calendar access

• Notifications (push, in-app, email)

• Embedded partner content

• Contact and enquiry management

• Newsletter and electronic Communications

• Surveys and polls

• Presence in social networks (social media)

• Amendment and update of the privacy policy

• Terminology and Definitions

Responsible

Holi Moli GmbH
Eifflerstraße 43
22769 Hamburg, Germany

Person authorised to represent: Piet Mahler

Email address: support@holi.social

Imprint: https://holi.social/imprint

Contact information of the Data Protection Officer

ISiCO Datenschutz GmbH
Am Hamburger Bahnhof 4
10557 Berlin, Germany

Email address: holi.social@isico-datenschutz.de

For all questions on the subject of data protection in connection with our products/services or the use of our website, you can also contact our data protection officer at any time. This person can be contacted at the above postal address and at the email address given above (keyword: "Data Protection Officer"). We expressly point out that if you use this email address, the contents will not be exclusively noted by our data protection officer. If you wish to exchange confidential information, we therefore ask you to first contact us directly via this email address.

Overview of the processing operations

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

• Inventory data.

• Contact details.

• Content data.

• Contract data.

• Usage data.

• Meta, communication and procedural data.

• Picture and/or video recordings.

Categories of persons concerned

• Customers.

• Interested parties.

• Communication partner.

• Users.

• Business and contractual partners.

• Participants.

Purposes of the processing

• Provision of contractual services and customer service.

• Contact requests and communication.

• Safety measures.

• Direct marketing.

• Reach measurement.

• Managing and responding to enquiries.

• Collection of feedback.

• Marketing.

• Creation of profiles with user-related information.

• Provision of our online services and usability.

• Information technology infrastructure.

Relevant legal bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal basis of the GDPR on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the data protection declaration.

• Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO) - The data subject has given consent to the processing of personal data relating to him/her for a specific purpose or purposes.

• Contract performance and pre-contractual enquiries (Art. 6 (1) p. 1 lit. b) DSGVO) - Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request.

• Legitimate interests (Art. 6 (1) p. 1 lit. f) DSGVO) - Processing is necessary to protect the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include in particular the Federal Data Protection Act (BDSG). In particular, the BDSG contains special regulations on data processing for employment purposes (Section 26 BDSG), especially with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, data protection laws of the individual federal states may apply.

Security measures

We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

TLS encryption (https): In order to protect your data transmitted via our online offer, we use TLS encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

Transmission of personal data

In the course of our processing of personal data, the data may be transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

International data transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this only takes place in accordance with the legal requirements (see Art. 44 to 49 DSGVO, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en ).

Subject to express consent or contractually or legally required transfer (see Art. 49 of the GDPR), we only process or allow the processing of data in third countries with a recognised level of data protection within the framework of an adequacy decision (Art. 45 GDPR), in the presence of and compliance with contractual obligations through so-called standard protection clauses of the EU Commission (Art. 46 para. 2 lit. b) GDPR), in the presence of certifications (Art. 46 para. 2 lit. f) GDPR) or binding internal data protection regulations (Art. 46 para. 2 lit. b) GDPR).

EU-U.S. Data Privacy Framework (DPF): Within the framework of the so-called "EU-U.S. Data Privacy Framework" (DPF), the EU Commission has also recognised the level of data protection for certified companies from the USA. The list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ . Information in German and other languages can be found on the website of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en . We also inform you about the companies we use that are certified under the EU-U.S. Data Privacy Framework.

Data deletion

The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not required for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

Our privacy notices may also contain further information on the retention and deletion of data, which will take precedence for the respective processing operations.

Rights of the data subjects

Data subjects' rights under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right to object (Art. 21 DSGVO): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

• Right of withdrawal of consent (Art. 7 para. 3 DSGVO): You have the right to revoke given consent at any time with effect for the future.

• Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether data in question is being processed and to information about this data as well as further information and a copy of the data in accordance with the legal requirements.

• Right to rectification (Art. 16 DSGVO): In accordance with the legal requirements, you have the right to request that the data concerning you will be completed or that the incorrect data concerning you will be corrected.

• Right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR): In accordance with the legal requirements, you have the right to demand that data concerning you will be deleted without delay or, alternatively, to demand restriction of the processing of the data in accordance with the legal requirements.

• Right to data portability (Art. 20 DSGVO): You have the right to receive data relating to you that you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements or to request that it will be transferred to another controller.

• Complaint to supervisory authority (Art. 77 GDPR): In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, for example a supervisory authority in the Member State where you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

In order to exercise your rights as described here, you can contact us via the contact details mentioned above at any time. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

Reading out and storing information on your terminal device - Use of cookies and similar technologies

Technologies used

Tools used by us can use technologies to store information on your device or read information from your device. This serves, for example, to ensure the functionality, the implementation of registration and authentication, the security and convenience of our online offer or to analyse its use. The following technologies may be used, for example:

• Cookies - only in the browser: small text files stored on the device, consisting in particular of a name, a value, the storing domain and an expiry date.... So-called session cookies (e.g. PHPSESSID) are deleted after the session (e.g. by closing the browser), while so-called permanent cookies remain stored beyond this and are only deleted after the specified expiry date. Cookies can also be removed manually.

• Web Storage (Local Storage / Session Storage) - only in the browser: information stored on the device, consisting of a name and a value. Information in the Session Storage is deleted after the session, while information in the Local Storage has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storage of a Local Storage with time entry). Information in the Local and Session Storage can also be removed manually.

• JavaScript: programming codes (scripts) embedded in or called up from the service, which can, for example, set cookies and web storage, execute certain functions for the delivery of content, actively read information from the user device or collect information about the usage behaviour of the visitor. JavaScript can be blocked by a setting in the browser, although most services will then no longer function.

• Pixel: tiny graphic automatically loaded by a service, which can make it possible to determine, for example, the visit to a service and the opening of an email by automatically transmitting the usual connection data (in particular IP address, information about browser, operating system, language, address called up and time of call). The use of pixels can be prevented, for example, by blocking images, for example in emails, although the display is then severely restricted;

• Software Development Kits (SDK): a package of various development tools for creating programmes in a specific programming language and for a specific operating system, which also uses programming interfaces (API) to integrate further software.

Most browsers are set by default to accept cookies, run scripts and display graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you block the storage of cookies, the display of graphics and the execution of scripts completely, our services are unlikely to function properly or at all.

Legal basis according to § 25 TTDSG

We use tools in accordance with the statutory provisions. Therefore, we obtain prior consent from users in accordance with Section 25 (1) TTDSG, unless this is not required by law in accordance with Section 25 (2) TTDSG. In particular, consent is not required if the storage and reading of the information is absolutely necessary in order to provide the users with a telemedia service (i.e. our online offer) that they have expressly requested. The strictly necessary tools usually include functions that serve the display and operability of the online offer, load balancing, security, the storage of the preferences and choices of the users or similar purposes related to the provision of the main functions of the online offer requested by the users. The revocable consent is clearly communicated to the users and contains the information on the respective tool use.

Necessary data processing

The following necessary information is currently stored on your device, which does not require consent:

Cookies

We only use cookies in the context of user logins and single sign-on for our self-hosted services (session cookies, Oauth cookies, CSRF cookies). CSRF = Cross-Site Request Forgery (a security mechanism used in the context of the login process). These include

• "csrf_token_{ID}" (365 days): CSRF protection - Ory;

• "ory_session_{ID}" (session): Login, authentication - Ory.

• "requireCameraPermission" (session): Saving the camera access permission

• "onboarding_swipe_*" (1 year): Saving information on whether users have seen the initial information on using the Challenges area.

• "lastDaySeenSubmissions" (1 day): Saves information on when the last report on successful participation in challenges was submitted.

• "SESSION / JSESSIONID" (1 year): Saving the logged-in session in the Challenges area to avoid having to log in again.

Local Storage

The following entries are created in Local Storage:

• "i18nextLng" (unlimited): Recognise and save language - i18next;

• "onboarding_state_value" (unlimited): Store information on whether users have already seen the initial information required to use the platform or whether it should be displayed;

• "space_join_is_onboarded" (unlimited): Saves the information as to whether users have already seen the initial information required to use Spaces or whether it should be displayed.

• "force_oauth2_logout" (session, max. 24 hours): Saves the login status after manual logout from the cloud storage.

• "EXPO_CONSTANTS_INSTALLATION_ID" (unlimited) Random and unique ID of an end device or browser profile, which is retained for the entire lifetime of the app installation / browser data. This ID does not allow any conclusions to be drawn about personal data and is not read or otherwise used by holi.

• "user_session" (3 months): Login, authentication - Ory.

• "HOLI_TRACKING_CONSENT" (unlimited): Saves the consent/refusal status for tracking for various purposes if the user is not logged in.

Optional data processing

To personalise the offer and analyse platform performance, the following information is also stored on your device after you have given your consent. Further information on this can be found below.

Local Storage

• "ph_{our posthog key}_posthog" (unlimited): Posthog-internal status such as device and session IDs.

• "__ph_opt_in_out_{our posthog key}" (unlimited): Posthog-internal opt-in or opt-out status

Tracking of usage data

With your prior consent, we use various tracking information to record and analyse your usage. The purpose of this is to offer you a personally relevant user experience and to analyse and continuously improve the use of our platform. Below we explain in detail what data is collected and what it is used for.

• Your user activity: We track your use of the various areas and objects of the app or website. Pages, elements, posts, actions and reactions that are displayed and clicked on, as well as filter settings or search entries are analysed and recorded. Based on the information obtained, we improve the product experience by, for example, pre-sorting list items (donations, volunteer activities, etc.) based on user interests or offering customised suggestions for suitable projects. If tracking for personalisation is rejected, the individualised offer content is omitted, but there are no other user disadvantages.

  Furthermore, this data is used to analyse the visibility and use of various elements and placements and, if necessary, to optimise them by learning, for example, how far users scroll in the home page feed or which placements are seen and/or clicked on particularly frequently. This helps us to offer more people content that is as relevant as possible and to increase awareness of social or environmental issues.

  If you refuse tracking for analysis purposes, no usage data relating to your personal data will be processed and therefore not taken into account in analyses, but there will be no disadvantages in terms of usage.

• The source of your visit: If your use of holi has come about through an advertising medium (e.g. an advert on other websites or scanning a QR code from advertising posters), we will link the information about the source of the visit to your user profile after you have given your consent. The aim of this combination of data is to determine how successful different advertising placements are and to analyse whether user behaviour differs based on the source of the visit. If you refuse tracking for marketing purposes, information about your visit source will not be processed with reference to your personal data and will therefore not be taken into account in analyses, but there will be no disadvantages in terms of use.

• Technical data: When you access our platform, we also collect some device and network connection data with the tracking information, such as the app version, your operating system and your IP address. In addition to providing the services, this also serves to analyse errors and performance of our application on various devices and operating systems.

• Types of data processed: When you access our platform, we also collect some device and network connection data, such as the app version, your operating system and your IP address, along with the tracking information. In addition to providing the services, this also serves to analyse errors and performance of our application on various devices and operating systems. Usage data (e.g. pages visited on the holi platform, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status);

• Data subjects: Users (e.g. website visitors, users of our online service);

• Purposes of processing: Reach measurement, creation of profiles with user-related information,

• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR);

• Recipient: PostHog: We transmit the above-mentioned data to PostHog Inc. via the open-source program PostHog. PostHog offers us the possibility to analyse and graphically process the usage behaviour of individual users as well as aggregated usage patterns of usage groups and time periods. This helps us to recognise usage problems and test different placements of elements. The tracking data is stored on servers of the provider PostHog Inc. within the European Union. PostHog Inc. acts as a data processor and stores the data exclusively in accordance with our instructions. PostHog Inc. itself only has anonymised access to our users' usage data for analysis purposes.
  Service provider: PostHog Inc, 2262 Market Steet #4008, San Fransisco, CA 94114, USA
  Website:https://www.posthog.com

Legal basis for data processing

The legal basis under data protection law on which we process the personal data of users with the help of tools depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent (Art. 6 para. 1 sentence 1 lit. a) DSGVO). Otherwise, the data processed with the help of tools is processed on the basis of our legitimate interests (e.g. in the business management of our online offer and improvement of its usability) (Art. 6 para. 1 p. 1 lit. f) DSGVO) or, if this is done in the context of the fulfilment of our contractual obligations, if the use of tools is necessary to fulfil our contractual obligations (Art. 6 para. 1 p. 1 lit. b) DSGVO). We explain the purposes for which the tools process data in the course of this privacy policy or as part of our consent and processing procedures.

General information on revocation and objection (opt-out)

Users can revoke the consent they have given at any time for the future and also object to processing in accordance with the legal requirements in Art. 21 DSGVO. Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies, JavaScript or images (although this may also limit the functionality of our online services). An objection to the use of tools for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Provision of the online offer and web hosting

We process the users' data in order to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); content data (e.g. entries in online forms).

• Affected persons: Users (e.g. website visitors, users of online services); customers.

• Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; provision of contractual services and customer service.

• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further information on processing operations, procedures and services:

• Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from corresponding server providers (also referred to as "web hosting providers"); with the aim of minimising the CO² emissions of our servers and computing capacity used, we have chosen Finland as the storage location. This location offers the lowest emissions among the possible options within the Google Cloud.
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

• Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the operating system of the user, referrer URL (the previously visited page) and, in general, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g. to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure server utilisation and stability;
  Legal grounds: contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.

• Email dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of emails. For these purposes, the addresses of the recipients and senders are processed, as well as further information regarding the sending of the emails (e.g. the providers involved) and the contents of the respective emails. The aforementioned data may also be processed for the purpose of recognising SPAM. We ask you to note that emails on the Internet are generally not encrypted in terms of content before they are sent and when they are received (unless a so-called end-to-end encryption procedure is used). As a rule, emails are therefore only encrypted in transit. We can therefore not assume any responsibility for the transmission path of the emails between the sender and the reception on our server;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

• Framer: Content Management System;
  Service provider: Framer B.V., Rozengracht 207, 1016 LZ, Amsterdam, Netherlands;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.framer.com ;
  Privacy policy: https://www.framer.com/legal/privacy-statement/ ;
  Order processing contract: https://www.framer.com/legal/data-processing-addendum/ ;
  Standard contractual clauses (ensuring level of data protection for processing in third countries): https://www.framer.com/legal/data-processing-addendum/
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008S8eAAE&status=Active .

• QR track: To draw the attention of interested users to our offers by means of posters or posts, we sometimes use QR codes that contain the URLs of our web offers. These codes can be scanned with the camera of a mobile phone to read the web address (URL) and visit it using a mobile web browser. In order to measure how successful the various placements are, we use QR-Track as a commissioned data processor, which registers the views of the various placements.
  Processed data types: Meta, communication and process data (e.g. IP addresses, device type, browser, operating systems, time data, HTTP headers, user agent);
  Data subjects: Users who scan a QR code with a reference to our landing pages with their mobile phone and call up the link contained therein with their browser.
  Purposes of processing: Reach measurement of the various QR code placements
  Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
  Service provider: QR-Track - Michael Hack Software e.K., Heimbachstr. 5, 86836 Graben
  Website:  https://www.qrtrack.de
  Privacy policy: https://www.qrtrack.de/datenschutz

• Usercentrics Consent Management Platform: We use the Usercentrics service of Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany as a consent management provider to collect consent information on the https://holi.social/ website. The consent information is processed for this purpose. The data will be deleted after one year.
  Processed data types: Opt-in and opt-out information, consent ID, time of consent, template version and banner language), referrer URL, user agent and IP address
  Data subjects: Visitors to the website https://holi.social/ and its subpages
  Purposes of processing: Consent management Legal basis: Fulfilment of a legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)
  Service provider: Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany
  Website: https://www.usercentrics.com/
  Privacy policy: https://www.usercentrics.com/privacy-policy/

• Google Cloud Storage: cloud storage, cloud infrastructure services and cloud-based application software; storage location: Finland.
  Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Website: https://cloud.google.com/ ;
  Privacy policy: https://policies.google.com/privacy ;
  Order processing contract: https://cloud.google.com/terms/data-processing-addendum ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active ;
  Further information: https://cloud.google.com/privacy .

• Google Cloud CDN: Content Delivery Network (CDN) - service with the help of which the content of an online offer, in particular large media files such as graphics or programme scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; we only use the Google Cloud CDN to deliver size-optimised images from partner interfaces (currently to deliver images of the http://GoodNews.eu offers). The aim is to achieve data economy and faster loading times.
  Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://cloud.google.com/cdn ;
  Privacy policy: https://policies.google.com/privacy ;
  Order processing contract: https://cloud.google.com/terms/data-processing-addendum ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause ;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active ;
  Possibility to object (opt-out): https://cloud.google.com/privacy.

• Google Fonts: Provision of fonts;
  Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://developers.google.com/fonts?hl=de ;
  Privacy policy: https://developers.google.com/fonts/faq/privacy?hl=de ;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active .

• Sentry: Monitoring system stability and identifying code errors - details of the device or time of error are collected pseudonymously and are subsequently deleted;
  Service provider: Functional Software Inc, Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA;
  Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://sentry.io ;
  Privacy policy: https://sentry.io/privacy ;
  Order processing contract: https://sentry.io/legal/dpa/ ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://sentry.io/legal/dpa/;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000YdenAAC&status=Active .

Collaboration and communication tools of our platform

One of the goals of our platform is to make it easier for groups and initiatives to jointly plan and organise projects within the framework of the social and ecological transformation. For this purpose, we provide digital collaboration spaces. Within these spaces, we offer the participants various collaboration and communication tools.

The aim of these offers is in particular to ensure and simplify work organisation measures for the collaborative work of users, groups of people, teams and initiatives as well as communication management.

Further information on processing operations, procedures and services:

• Matrix Chat: We offer our logged-in members a chat solution hosted in our Google Cloud environment based on the Matrix protocol. Matrix is an open, decentralised communication service for real-time communication. The first & last name details of the login to the platform are used as the display name. However, since the Matrix protocol also allows decentralised federated use (use of the account created on our chat server on other chat servers or use of accounts created on other Matrix chat servers on our chat instance (both currently deactivated)), the creation of a unique user name (Matrix ID) is necessary. This technical user name is created when a user account is created. Users can choose the name when registering, but cannot change it later.
  Types of data processed:
  - Access management: first & last name(s), mail address, matrix ID (local part of the mail address), display name;
  - Authentication: user name and password;
  - User content: all data that the user enters into the system (end-to-end encryption is currently not yet available);
  - Device identification: IP addresses with timestamp and device name; type of end device used (mobile / desktop), operating system;
  - Server protocol: IP addresses with time stamp.
  This data is stored and processed exclusively on our behalf in the cloud infrastructure described and is not made available to any third party.
  Data subjects:
  All users who create a user profile receive a user account for the Matrix chat server. Further data is only collected during active use of the chat.
  Purposes of processing: Provision of the chat functionality and participation of users in the chat of the platform. The user ID is used for identification on the system. Chat messages, shared files and the affiliation to chat rooms are assigned to this identification. Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO). In addition to the possibilities of objection and removal within the framework of the provision of the platform and creation of log files, we point out that (personal) data transmitted in chat rooms cannot be subsequently changed (cf. Art. 17 para. 1 lit. a) or lit. c) DSGVO);
  Service providers: The open Matrix chat protocol as well as open-source implementation solutions for creating your own Matrix servers is provided by The http://Matrix.org Foundation;
  Website: https://matrix.org/ .

• Link hub: Within a collaboration space, a list of important links can be created and organised in the so-called Link Hub. All contributors to a space can create, edit and also delete entries. Link entries are displayed without reference to the person creating them and are only visible within the respective space.
  Processed data types:
  - User account information: Name, e-mail address, information on membership in the respective collaboration space, technical user ID;
  - Server protocol: IP addresses with time stamp.
  Data subjects: Users of a collaboration space who use the linkhub
  Purposes of processing: Provision of the link hub
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

• Tasks, appointments and update posts: Update posts, appointments and tasks can be published within a collaboration Space. Normal contributors can create these for viewing within the relevant collaboration space. Administrators of a space can also create publicly visible updates, appointments and tasks. The respective entries show the profile information (user name and, if available, profile photo) of the creator.Users can transfer appointments to their calendars and download the necessary files (.ics. files).

  Access to the user's calendar is required to insert the appointments directly into the calendars of the mobile app users (Google Calendar or iCalendar). The application requests the necessary authorisation to read and write when the function is actively used for the first time at the user's request.

  Processed data types: User account information: Name, e-mail address, information on membership in the respective collaboration space, technical usage ID; Server protocol: IP addresses with time stamp.;
  Data subjects: Users of a collaboration room who create update posts, tasks or appointments;
  Purposes of processing: Provision of the functions described;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR);

• Cloud storage: Each collaboration room (Space) has a cloud storage for shared access to files and documents. The files are stored in encrypted form on rented storage space in the Google Cloud environment, which is also used to operate the platform (see section "Provision of the online offering and web hosting").
  A self-hosted instance of the ownCloud software is used as a file management system to manage the storage space.
  Types of data processed:
  - User account information: Name, email address, information on membership in the respective collaboration space, technical usage ID;
  - File data: Files, texts, tables, presentations and other file formats created, edited and uploaded by users.
  - Device identification: IP addresses with timestamp and device name; type of end device used (mobile / desktop), operating system;
  - Server log: IP addresses with timestamp.
  Affected persons: Users of a collaboration room who use the cloud storage are added to the cloud storage as authorised users. Further usage data only arise when the storage space is actively used by accessing files and uploading or downloading files.
  Purposes of processing: Provision of the cloud storage and authorisation management.
  Legal basis: Contract fulfilment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO).
  Service provider: The open-source software OwnCloud is provided by ownCloud GmbH, Rathsbergstr. 17, 90411 Nuremberg, Germany. As we operate a self-hosted instance, no usage data is transmitted to ownCloud GmbH. The ownCloud instance is hosted in the Google Cloud (see section "Provision of the online offer and web hosting").
  Website: https://owncloud.com/de/

• Document editing with OnlyOffice: To enable contributors to (jointly) create and edit digital documents in our provided digital collaboration areas (so-called Spaces), we have integrated a self-hosted instance of the open-source software OnlyOffice. This can be opened and used via the cloud storage also provided.
  Types of data processed:
  - User account information: Name, email address, password (encrypted);
  - Document data: Texts, tables, presentations and other file formats created, edited and uploaded by users;
  - Communication data: Chat logs, comments, change tracking and other interactions within the OnlyOffice environment;
  - Metadata: Timestamps, access rights, file sizes and other technical information related to uploaded documents;
  - System and log data: IP address, browser type, operating system, device information and other technical data collected during use.
  Data subjects: All users who are members of a collaboration space (Space) and use it to create, open or edit documents via OnlyOffice.
  Purposes of processing:
  - Providing the viewing, creation and editing function of text, spreadsheet and presentation files;
  - Authenticating user accounts and ensuring access control, editing, storage and sharing of documents in accordance with user requirements
  - Ensuring collaboration and communication between users.
  Legal basis: contract fulfilment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO);
  Service provider: The open-source community version of OnlyOffice used is provided by Ascensio System SIA. As it is a self-hosted instance, no data is forwarded to Ascensio System SIA. The ownCloud instance is hosted in the Google Cloud (see section Provision of the Online Offer and Web Hosting);
  Website: https://www.onlyoffice.com/ .

• Video conferencing with Jitsi-Meet: Jitsi-Meet is an open-source video conferencing solution that we have integrated into our digital product to enable users to communicate seamlessly and securely with each other. As open-source software, Jitsi-Meet follows strict privacy and security standards so that we can provide a reliable and privacy-oriented video conferencing experience. We host our Jitsi instance on server infrastructure provided by netcup GmbH in Nuremberg to ensure maximum data security.
  Types of data processed: When you use the video conferencing feature of our app provided by Jitsi-Meet, it is important to understand what data is collected and how it is used:
  - Meeting Metadata: Jitsi-Meet collects metadata related to the video conferences, such as the date, time, duration and IP addresses of the participants. This information is critical to managing and optimising the videoconferencing experience, but is not used to personally identify individuals.
  - Media Streams: During videoconferences, audio and video data is transmitted directly between participants' devices using end-to-end encryption. Jitsi-Meet does not store or have access to these media streams to ensure the confidentiality of your conversations.
  - Chat messages: Jitsi-Meet provides a chat feature that allows participants to communicate via text messages. These chat messages are temporarily stored on our servers during the conference for real-time delivery, but are not retained after the conference ends.
  - Analytics: To improve the performance and user experience of our app, we may collect anonymised usage analytics related to the video conferencing feature. These analytics do not contain any personal data and are used for internal purposes only.
  Purposes of processing: provision of the video conferencing rooms, management of access permissions and anonymised usage analytics.
  Legal basis: contract fulfilment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO), legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
  Service provider: Jitsi is a trademark of 8x8, Inc. 8×8 is the main contributor to the open-source video conferencing solution http://Jitsi.org .
  8x8 Inc. 675 Creekside Way Campbell, CA 95008 USA.
  As this is a self-hosted instance of Jitsi, no data is transmitted to 8x8 Inc. The Jitsi instance used is hosted on servers of: netcup GmbH Daimlerstraße 25D, 76185 Karlsruhe; websites: https://jitsi.org/jitsi-meet/ and https://www.netcup.de/ ;
  Privacy policy: https://www.netcup.de/kontakt/datenschutzerklaerung.php ;
  Order processing contract: available.

Special notes on applications (apps)

We process the data of the users of our application insofar as this is necessary to provide the users with the application and its functionalities, to monitor its security and to develop it further. We may also contact users in compliance with the legal requirements if the communication is necessary for the purposes of administration or use of the application. In addition, we refer to the data protection information in this data protection declaration with regard to the processing of the users' data.

Legal basis: The processing of data required for the provision of the functionalities of the application serves the fulfilment of contractual obligations (Art. 6 para. 1 p. 1 lit. b) DSGVO). This also applies if the provision of the functions requires authorisation of the users (e.g. release of device functions). If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests (e.g. collection of data for purposes of optimising the application or security purposes), it is carried out on the basis of our legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO) or for the fulfilment of legal obligations (Art. 6 para. 1 sentence 1 lit. c) DSGVO). If users are expressly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on the consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).

Notes on functions of the application:

• Types of data processed: inventory data (e.g. names, addresses); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); contractual data (e.g. subject matter of the contract, duration, customer category); image and/or video recordings (e.g. photographs or video recordings of a person).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: provision of contractual services and customer service.

• Legal grounds: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO); Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Fulfilment of legal obligations (Art. 6 para. 1 p. 1 lit. c) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further information on processing operations, procedures and services:

• Performance of the contract, security and further development: We process the data of the users of our application, registered and any test users (hereinafter uniformly referred to as "users") in order to be able to provide our contractual services to them and on the basis of legitimate interests in order to be able to guarantee the security of our application and to further develop it. The required information is identified as such in the context of the conclusion of the use, order, purchase order or comparable contract and may include the information required for the provision of the service and for any billing as well as contact information in order to be able to hold any consultations;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

• Device authorisations for access to functions and data: The use of our application or its functionalities may require user authorisations for access to certain functions of the devices used or to the data stored on the devices or accessible with the help of the devices. By default, these permissions must be granted by the user and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user's device and software. Users can contact us if they need clarification. We would like to point out that the denial or revocation of the respective permissions may affect the functionality of our application.

• Access to the camera and stored images: In the course of using our application, image and/or video recordings (including audio recordings) of the user (and of other persons covered by the recordings) are processed by accessing the camera functions or stored images. Access to the device camera is necessary, for example, to add a profile photo to the user profile or to publish recordings in news (posts).

  Access to the camera functions or stored images requires an authorisation by the user that can be revoked at any time. The processing of the image and/or video recordings only serves to provide the respective functionality of our application, in accordance with its description to the users, or its typical and expected functionality.

• Access to the calendar:To save event dates in the user's calendar, the corresponding calendar entries can be downloaded and imported into the user's own calendar. Access to the user's calendar is required for this. This consent is only requested when a specific event is to be downloaded for the first time and can be revoked via the settings area at any time.

Purchase of applications via app stores

Our app is obtained via special online platforms operated by other service providers (so-called "app stores"). In this context, the data protection notices of the respective app stores apply. This applies in particular with regard to the procedures used on the platforms for range measurement and interest-based marketing, as well as any obligation to pay costs. The processing is the sole responsibility of the operators of the app stores. The specific data processed, the purposes of the processing and the legal basis can be found in the corresponding data protection notices of the respective app stores.

Further guidance on processing operations, procedures and services:

• Apple App Store: app and software sales platform;
  Service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA;
  Legal basis: see privacy policy of the Apple App Store;
  Website: https://www.apple.com/app-store/ ;
  Privacy policy: https://www.apple.com/legal/privacy/en-ww/ .

• Google Play: app and software sales platform;
  Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: see Google Play privacy policy;
  Website: https://play.google.com/store/apps ;
  Privacy policy: https://policies.google.com/privacy .

Registration, login and user account

Users can create a user account. As part of the registration process, users are provided with the required mandatory information and this information is processed for the purpose of providing the user account on the basis of contractual obligations. The processed data includes in particular the login information (user name, password and email address).

Within the scope of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective act of use. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorised use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users can be informed by email about events relevant to their user account, such as technical changes.

• Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: provision of contractual services and customer service; security measures; administration and response to enquiries; provision of our online offer and user-friendliness.

• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further information on processing operations, procedures and services:

• Registration with real names: Due to the nature of our community, we ask users to use our services only under their real names. This means that the use of pseudonyms is not permitted.

• User profiles are public: The profiles of the users are publicly visible and accessible.

• Deletion of data after termination: If users have terminated their user account, their data relating to the user account will be deleted, subject to any legal permission, obligation or consent of the users. With regard to the deletion of contributions, see "Community functions".

• Authentication and authorisation with Ory: Ory.sh is an open-source software for managing user data. We use ORY to manage user accounts and to authenticate and authorise users. ORY collects certain user data such as the user name, email address, password hashes, IP addresses and tokens.
  The user data is stored on servers hosted by Ory in Europe. The data is processed and stored in accordance with applicable data protection laws, including the GDPR. The user data collected by ORY is only used to manage user accounts and to authenticate and authorise users. We have entered into an order processing agreement with ORY to ensure that the data is processed in accordance with applicable data protection laws. For more information on ORY's use and processing of user data, please see ORY's Privacy Policy;
  Service Provider: Ory Corp 132-A Veterans Lane, Suite 128 Doylestown, PA 18901, USA;
  Website: https://www.ory.sh ;
  Privacy policy: https://www.ory.sh/privacy/ ;
  Order processing contract: concluded;
  Standard contractual clauses (ensuring level of data protection for processing in third countries): https://www.ory.sh/resources/dpa/Ory_Data_Processing_Agreement_20230327.pdf.

Community functions

The community functions provided by us allow users to enter into conversations or otherwise engage and exchange with each other.

For example, they can publish their own contributions (text, images, link posts), submit reactions and comments on posts or articles or publish video contributions on social and ecological challenges.

Please note that the use of the community functions is only permitted in compliance with the applicable legal situation, our terms and conditions and guidelines as well as the rights of other users and third parties.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: provision of contractual services and customer service; security measures.

• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Fulfilment of legal obligations (Art. 6 para. 1 p. 1 lit. c) DSGVO); When accessing the camera or media library: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).;

Further information on processing operations, procedures and services:

• Security of comments and posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is done for our security in case someone leaves unlawful content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves can be prosecuted for the comment or post and are therefore interested in the identity of the author. Furthermore, we reserve the right, on the basis of our legitimate interests, to process users' details for the purpose of spam detection. On the same legal basis, we reserve the right, in the case of surveys, to store the IP addresses of users for their duration and to use cookies, for example, in order to avoid multiple voting. The personal information provided in the context of comments and contributions, any contact and website information as well as the content-related information will be stored by us until the user objects and, if necessary, beyond that, insofar as this is necessary to pursue our legal interests and claims, for example in the case of illegal content;
  Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO); fulfilment of legal obligations (Art. 6 para. 1 sentence 1 lit. c) DSGVO).

• User contributions are public: User-created contributions and content are publicly visible and accessible.

• Setting the visibility of contributions: By means of settings, users can determine the extent to which the contributions and content they create are visible or accessible to the public or only to certain persons or groups.

• Storage of data for security purposes: The contributions and other entries made by users are processed for the purposes of the community and conversation functions and, subject to legal obligations or legal permission, are not disclosed to third parties. An obligation to surrender may arise in particular in the case of illegal contributions for the purposes of legal prosecution. We would like to point out that, in addition to the content of the contributions, their time and the IP address of the user are also stored. This is done in order to be able to take appropriate measures to protect other users and the community;
  Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO); fulfilment of legal obligations (Art. 6 para. 1 sentence 1 lit. c) DSGVO).

• Right to delete content and information: The deletion of contributions, content or information of the user is permissible to the necessary extent after appropriate consideration, insofar as there are concrete indications that they represent a violation of legal regulations, our specifications or the rights of third parties.

• Restricted deletion of contributions: Out of consideration for other users, contributions or other content created by users may remain stored even after termination and account deletion, so that collaboration spaces, conversations, comments, advice or similar communication between and among users do not lose their meaning or become inaccessible. Communication between and among users does not lose or reverse its meaning. This applies in particular to created collaboration spaces if they have other users with administrative rights. User names are deleted or pseudonymised if they are not already pseudonyms. Users can request the complete deletion of their contributions at any time.

Processing of Image Information, calendar access

Users can upload personal data in the form of image information, such as pictures, photos and videos from their devices, if users activate the following functions: displaying their avatar on their profile, setting an avatar or cover image for their Space, posting, or managing tasks and appointments. It's worth noting that activating the functions mentioned as well as supplying personal data when activating the functions is completely up to the user. Nevertheless, doing so improves the user experience and enables them to gain more advantages from our services, such as better visibility for making connections, sharing posts, joining events, and finding volunteers and partners to their projects. The usage of these features and the provision of personal data is thus in the users' own interest.

Additionally, the app requests access to read and write users' calendars, but only if the user chooses to activate the apps' function to save an appointment to their calendar.

• Types of data processed: photo and video data uploaded by users.
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: provision of our online offer and user-friendliness.
• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Notifications (push, in-app, email)

Users of our platform are notified or informed about content and news relevant to them personally via various channels. Different channels can be used depending on the urgency of the notification. While most information is shared via the notification centre contained in the app (and website), information that is urgent or requires a reaction from the user, is also transmitted by email.

With prior consent, we can also send users so-called "push notifications" to draw their attention to particularly important information. These are messages that are displayed on users' screens, devices or browsers, even if our online service is not being actively used at the time.

In order to sign up for the push messages, users must confirm the query of their browser or mobile device to receive the push messages. This consent process is documented and stored. The storage is necessary to recognise whether users have consented to receive the push messages, to be able to send the push messages and to be able to prove consent. For these purposes, a pseudonymous identifier (so-called "push token" or "push key"), the app installation ID and/or the device ID of an end device are used and stored. These help us to assign the push messages to your device and your app and to play them out to the correct device. The service providers mentioned below are used to send the notifications.

On the one hand, the push messages may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant to the use of our online offer) and are otherwise sent on the basis of user consent, unless specifically mentioned below. Users can change the receipt of push messages at any time using the notification settings of their respective browsers or end devices.

Contents:

Users are only informed about personally important content via push messages. This currently relates to notifications for receiving chat messages, personal mentions in comments or posts and notifications relating to collaboration in Spaces.

Push messages are currently only sent to the iOS and Android apps, browser-based push messages are currently not sent.

Receiving push notifications is voluntary and can be deactivated in the settings of the end device used.

• Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers);  Usage data (e.g. web pages visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).

• Affected persons: Communication partner.

• Purposes of the processing: Provision of our online offer and user-friendliness.

• legal basis: consent (art. 6 para. 1 p. 1 lit. a) dsgvo); contract fulfilment and pre-contractual enquiries (art. 6 para. 1 p. 1 lit. b) dsgvo).

Further guidance on processing operations, procedures and services:

• Novu.co notification infrastructure: We use the novu.co software from Noti-Fire Ltd. to orchestrate and control the various notification channels (push notifications, email notifications and in-app notifications in the notification centre). As a SaaS provider (Software as a Service), Noti-Fire Apps Ltd. processes and stores the first name, surname and email address of users on our behalf to ensure that notifications are delivered correctly. The use and transmission of users' data for the provision of in-app and e-mail notifications is based on the fulfilment of the contract and pre-contractual enquiries within the scope of necessity (Art. 6 para. 1 sentence 1 lit. b) GDPR), the processing for the provision of push notifications is carried out exclusively on the basis of explicit consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Processing and storage takes place on servers within the EU (Frankfurt).
  Service provider: Noti-Fire Apps Ltd, Derech Ben Gurion 132, Ramat Gan, Israel;
  Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR);
  Website: https://novu.co
  Privacy policy: https://novu.co/privacy
  Data processing agreement: https://novu.co/dpa

• Firebase Cloud Messaging (FCM): Google processes the Firebase installation ID and an authentication token to deliver push messages precisely for your Android device. The Firebase installation ID serves as an identifier for your specific app installation, while the authentication token is reassigned for each notification and ensures the secure sending and receiving of the notification. There is encryption of data at rest and data transport using point-to-point encryption;
  Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: consent (Art. 6 para. 1 p. 1 lit. a) DSGVO); contract fulfilment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO);
  Deactivation of push notification: https://support.google.com/android/answer/9079661?hl=en#zippy=%2Cbenachrichtigungen-f%C3%BCr-bestimmte-apps-aktivieren-oder-deaktivieren ;
  Website: https://firebase.google.com/docs/cloud-messaging?hl=en ;
  Privacy policy: https://policies.google.com/privacy?hl=en ;
  Order processing contract: https://firebase.google.com/terms/data-processing-terms ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://firebase.google.com/terms/firebase-sccs-eu-p2p-google-exporter ;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active .

• Apple Push Notification service (APNs): Apple processes the APNs ID to deliver push notifications precisely for your iOS device. The APNs ID is assigned for each notification and ensures the secure sending and receiving of the notification. Encryption of the data transport takes place. Insofar as data is transferred to the USA when using APNs, this transfer is regulated by the European Commission's standard contractual clauses.
  Service provider: Apple Distribution International Limited, Hollyhill Industrial Estate, Hollywill, Cork, Ireland;
  Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) DSGVO); contract fulfilment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) DSGVO);
  Deactivation of push notificationhttps://support.apple.com/en-gb/guide/iphone/iph7c3d96bab/ios ;
  Website: https://developer.apple.com/notifications/ ;
  Privacy policy: https://www.apple.com/legal/privacy/en-ww/ .

Embedded partner content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is thus required for the display of this content or function. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The pixel tags can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our website, as well as being linked to such information from other sources.

• Types of data processed: Usage data (e.g. web pages visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of the processing: Provision of our online offer and user-friendliness.

• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further information on processing operations, procedures and services:

• Optimisation and delivery of image and video files with http://imagekit.io : 
  We use http://Imagekit.io to optimise and deliver image and video files. The aim is to be able to provide users with image and, in the future, video files in suitable formats and sizes. For this purpose, user-generated images (such as profile pictures) are also transmitted to the service and processed by it;
  Service provider: India office: ImageKit Private Limited, Caddie Commercial Tower5th floor, Aerocity, New Delhi, Delhi 110037, India; US office ImageKit Inc Christiana Corporate Business Center, 200 Continental Drive, Suite 401, Newark, DE, 19713, USA;
  Website: https://imagekit.io/ ;
  Privacy policy: https://imagekit.io/privacy-policy-new/ ;
  Order processing contract: available.

• VOLTASTICS (SocialTrek UG): To integrate offers of voluntary commitment, we obtain data (offer texts, images and links to the respective providers) from VOLTASTICS, a service of SocialTrek UG (haftungsbeschränkt). In order to establish the connection and transmit the respective data and display it in our offers, the IP address of the user is transmitted;
  Service provider: VOLTASTICS is a service of SocialTrek UG (haftungsbeschränkt), Mathiaskirchplatz 10, 50968 Cologne, Germany;
  Website: https://voltastics.com/ ;
  Privacy policy: https://app.voltastics.com/privacy.html .

• http://betterplace.org (http://gut.org ): To integrate donation options, we obtain data (offer texts, images and links to the respective offers) from http://betterplace.org , a service of http://gut.org gAG. The IP address of the user is transmitted in order to establish the connection and transmit the respective data and display it in our offers;
  Service provider: http://gut.org gemeinnützige Aktiengesellschaft, Schlesische Straße 26, D-10997 Berlin;
  Website: https://www.betterplace.org/en ;
  Privacy policy: https://www.betterplace.org/c/rules/privacy-policy .

• http://goodNews.eu (GOOD Impact Foundation c/o NOAH Foundation via Contentful GmbH): For the integration of positive news we obtain data (texts, images as well as links to the respective providers) from https://goodnews.eu , a service of the GOOD Impact Foundation c/o NOAH Foundation. Data is provided by programming interfaces of Contentful GmbH;
  Service provider: GOOD Impact Foundation c/o NOAH Foundation Joachimstraße 10, 10119 Berlin, Germany via: Contentful GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany ;
  Website: https://goodnews.eu/en/ and https://www.contentful.com ;
  Privacy policy: https://goodnews.eu/en/privacy-policy/ and https://www.contentful.com/legal/privacy-at-contentful/privacy-notice/ .

Contact and enquiry management

When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as in the context of existing usage and business relationships, the details of the enquiring persons are processed to the extent that this is necessary to respond to the contact enquiries and any measures requested.

• Types of data processed: contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).

• Persons concerned: Communication partners:inside.

• Purposes of processing: contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form); providing our online offer and user experience.

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO).

Further information on processing operations, procedures and services:

• Contact form: If users contact us via our contact form, email or other communication channels, we process the data provided to us in this context for the purpose of processing the request communicated;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

• HubSpot: Contact form, customer management as well as process and sales support with personalised customer care with multi-channel communication, i.e. management of customer enquiries from different channels as well as with analysis and feedback functions;
  Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.hubspot.de ;
  Privacy policy: https://legal.hubspot.com/de/privacy-policy ;
  Order processing contract: https://legal.hubspot.com/dpa ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://legal.hubspot.com/dpa;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active .

Newsletter and electronic Communication

We only send newsletters, emails and other electronic notifications (hereinafter referred to as "newsletters") with the consent of the recipients or with legal permission. If the contents of the newsletter are specifically described in the course of registration, they are decisive for the consent of the user. In addition, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for the purpose of a personal address in the newsletter, or further details if these are required for the purposes of the newsletter.

Double opt-in procedure: Registration for our newsletter is always carried out in a so-called double opt-in process. This means that after registration you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with other people's email addresses. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with the dispatch service provider are also logged.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them in order to be able to prove consent formerly given. The processing of this data will be limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe revocations, we reserve the right to store the email address in a block list (so-called "block list") for this purpose alone.

The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of proving that it has been carried out properly. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Contents: By means of our newsletter we inform about innovations of the web platform/the apps, our services, campaigns, events and offers.

• Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); usage data (e.g. websites visited, interest in content, access times).

• Persons concerned: Communication partners.

• Purposes of processing: direct marketing (e.g. by email or post).

• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

• Cancellation: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options given above, preferably email, for this purpose.

Further information on processing operations, procedures and services:

• Measurement of opening and click-through rates: The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a dispatch service provider, from their server. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and the time of the retrieval, are initially collected. This information is used for the technical improvement of our newsletter on the basis of the technical data or the target groups and their reading behaviour on the basis of their retrieval locations (which can be determined with the help of the IP address) or the access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The analyses help us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of opening rates and click rates as well as the storage of the measurement results in the profiles of the users and their further processing are based on the consent of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled. In this case, the stored profile information will be deleted;
  Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).

• HubSpot: Newsletter subscription, email marketing platform;
  Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA;
  Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.hubspot.de ;
  Privacy policy: https://legal.hubspot.com/de/privacy-policy ;
  Order processing contract: https://legal.hubspot.com/dpa ;
  Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://legal.hubspot.com/dpa ;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active .

Surveys and polls

We occasionally conduct surveys and interviews to collect information for the respective communicated survey or interview purpose. The surveys and questionnaires we conduct (hereinafter "surveys") are evaluated anonymously. Personal data is only processed insofar as this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user's browser or to enable the survey to be resumed with the aid of a cookie).

• Types of data processed: contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).

• Affected persons: Communication partners; Participants.

• Purposes of processing: Feedback (e.g. collecting feedback via online form).

• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).

Further guidance on processing operations, procedures and services:

• Typeform: Creation of forms as well as surveys and administration of participant contributions;
  Service provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain;
  Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.typeform.com/;
  Privacy policy: https://admin.typeform.com/to/dwk6gt/ .

• Tally: Creation of forms as well as surveys and administration of participant contributions;
  Service provider: Tally, August van Lokerenstraat 71, 9050 - Gent, Belgium;
  Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://tally.so ;
  Privacy policy: https://tally.so/help/privacy-policy .

Presence in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us. We would like to point out that user data may be processed by the operators of the social networks outside the European Union. This may result in risks for the users, because it could, for example, make it more difficult to enforce the rights of the users.

Access to aggregated statistics:

As part of the operation of our online presences, it is possible that we may access information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presences (e.g. likes, subscriptions, sharing, viewing of images and videos) and the posts and content distributed via them. This can also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the online presence and to optimise it for our audience. Please see the list below for details and links to the social network data that we, as operators of the online presences, can access. The collection and use of these statistics is usually subject to joint responsibility. Where applicable, the relevant agreement is listed below.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) DSGVO, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 lit. b) DSGVO, in order to stay in contact with our customers and to inform them, as well as to carry out pre-contractual measures with interested parties.

Communication via the social network:

Where you have an account with the social network, it is possible that we may see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This may be, for example, via direct messages or via posted articles. The content communication via the social network and the processing of the content data is thereby subject to the responsibility of the social network as a messenger and platform service. The latter is then the telecommunications provider. As soon as we transfer or process personal data from you into our own systems, we are independently responsible for this and this is done to carry out pre-contractual measures and to fulfil a contract in accordance with Art. 6 para. 1 sentence 1 lit. b) DSGVO.

Processing for market research and advertising purposes:

Furthermore, the data of users within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, information is usually also read or stored in the user's terminal device. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

The processing for market research and advertising purposes is carried out by the social networks under their own responsibility. You can find the legal basis for this in the data protection information for the respective social network. For a detailed description of the respective forms of processing and the opt-out options, please refer to the data protection declarations and information provided by the operators of the respective networks.

Exercise your rights as a data subject:

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. You can also contact us with your request. In this case, we will process your request and forward it to the provider of the social network.

• Types of data processed: contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).

• Data subjects: Users (e.g. website visitors, users of online services).

• Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form); usage analysis (compiling aggregated statistics).

• Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further guidance on processing operations, procedures and services:

• Instagram: Social network;
  Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.instagram.com ;
  Privacy policy: https://instagram.com/about/legal/privacy ;
  Shared responsibility contract: https://www.facebook.com/legal/terms/page_controller_addendum ;
  Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active ;
  Possibility to object (opt-out): https://en-gb.facebook.com/help/instagram/2885653514995517.

• LinkedIn: Social network;
  Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.linkedin.com ;
  Privacy policy: https://www.linkedin.com/legal/privacy-policy;
  Joint responsibility contract: https://legal.linkedin.com/pages-joint-controller-addendum ;
  Possibility to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

• Twitter: Social network;
  Service provider: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://twitter.com/;
  Privacy policy: https://twitter.com/de/privacy ;
  Possibility to object (opt-out): https://twitter.com/personalization .

• Xing: Social network;
  Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany;
  Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) DSGVO);
  Website: https://www.xing.de ;
  Privacy policy: https://privacy.xing.com/en/privacy-policy ;
  Possibility to object (opt-out): https://privacy.xing.com/en/privacy-policy/what-rights-can-you-assert/right-to-object .

Amendment and update of the privacy policy

We ask you to regularly inform yourself about the content of our data protection declaration. We adapt the data protection declaration as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Where we provide addresses and contact details of companies and organisations in this privacy statement, please note that the addresses may change over time and please check the details before contacting us.

Terminology and Definitions

This section provides you with an overview of the terms used in this privacy policy. Many of the terms are taken from the law and defined above all in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to help you understand them. The terms are sorted alphabetically.

• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Profiles containing user-related information: The processing of "profiles with user-related information", or "profiles" for short, includes any kind of automated processing of personal data which consists in using such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behaviour and interests, such as interaction with websites and their content, etc.), ) to analyse, evaluate or predict (e.g. interests in certain content or products, click behaviour on a website or location). Cookies and web beacons are often used for profiling purposes.

• Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate the visitor flows of an online offer and can include the behaviour or interests of visitors in certain information, such as website content. With the help of reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of the website to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses of the use of an online offer.

• Controller: A "controller" is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

• Processing: "Processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and covers virtually any handling of data, be it collection, analysis, storage, transmission or erasure.