Privacy Policy – Crealytics Search Platform

Last Updated: August 31, 2021

This Privacy Policy provides you with information regarding which personal data we collect when you use our crealytics Search Platform (hereinafter referred to as “Search Platform”) by accessing csp.crealytics.com and for what purpose these data are used. You can access this Privacy Policy at any time by visiting our website: crealytics.com/search-platform/privacy-policy

1. Controller/Contact

The controller within the meaning of applicable data protection law is:

crealytics GmbH
Salzufer 12
10587 Berlin

Telephone: +49 30 609 8381 0

Email: info@crealytics.com

If you have questions or suggestions regarding any data protection matter, you can also write to us via email; our email address is info@crealytics.com

You can reach our data protection officer at dataprotection@crealytics.com

2. The data protected

The data protected are personal data. Article 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person; this definition includes data such as names and identification numbers.

3. Automated data collection

Whenever you access the Search Platform, your device automatically transmits data for technical reasons. Unless otherwise stated in this Privacy Policy, these data are stored separately from other data, which you may transmit to us under certain circumstances:
• date and time of access, browser type and version;

• IP address.
The data is stored for the following purposes:
• ensuring the security of our IT systems, e.g., to counter specific attacks on our systems and detect attack patterns,

• ensuring proper operation of the Search Platform and our IT systems, e.g. if errors occur that we can only rectify by storing the IP address,

• enabling criminal prosecution, averting of dangers as well as legal prosecution in the event of specific indication of criminal offenses,
Log data and the IP address are stored for a period of 7 days. Log data are stored for a longer period in the event of specific indication of criminal offenses to enable criminal prosecution as well as legal prosecution in the event of specific indication of criminal offenses. In this case, the data will be deleted when the relevant procedures have been completed.

The processing takes place to ensure the security of processing pursuant to Article 32 GDPR and based on our above-mentioned legitimate interests (Article 6(1)(f) GDPR).

4. Provision of our services / Your Search Platform user account

4.1 Login

To use the Search Platform, you need to login to your user account. To register you for your user account we will process your email address that you or our customer for whom you are working has provided to us to set up your account and send you your initial password. We will then ask you to change the initial password to a password of your choice.

To login to your account, you must provide the following mandatory information:
• Email address

• Password
You can also login using your Google Account. In this case, we use the services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) for authorisation and authentication.

We receive the following data from Google:
• Name

• Email Address

• Language preference

• Profile picture

• An authentication token

4.2 Managing your account

Further, we will process your personal data, such as your email address and the settings you have applied to manage your account and to provide you with our service.

4.3 Legal basis for the processing

The processing is based on Article 6(1)(f) GDPR as we have a legitimate interest in setting up and managing your account in the course of providing our services, therewith allowing the performance of the respective contractual relationship with our customers.

We erase your data immediately upon account deletion request.

We further store your personal data in case such data is of legal relevance. The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Article 6(1)(f) GDPR) and, if applicable, for the fulfillment of legal obligations (Article 6(1)(c) GDPR).

5. Support requests

Your support requests are handled using the customer service platform Support Hero, a service provided by Support Hero LLC, 5280 Ivyfarm Rd, Cincinnati, Ohio, 45243, United States (“Support Hero”), which we use as a processor.

Your data are processed in the United States. There exists no adequacy decision of the EU Commission for the United States. For this reason, we and Support Hero entered into the standard contractual clauses adopted by the EU Commission in accordance with Article 46(2)(c) GDPR.

If you send us a support request through the Search Platform, we process the details regarding the topic of your request as well as any additional information you provide to respond to your request. Along with the message, we receive information about the device, browser, and operating system you are using as well as the URL.

The processing is based on Article 6(1)(f) GDPR as we have a legitimate interest in effectively processing your request and to allow the performance of the respective contractual relationship with our customers.

In the case of requests, which have potential legal relevance, we reserve the right to retain the requests for a period equal to the respective statutes of limitation, that is: three years, commencing as of the end of the year in which we have received your request. Apart from said cases, we erase requests once we no longer need them for the purpose for which we collected them such is the case once we have processed your request completely.

The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Article 6(1)(f) GDPR) and, if applicable, for the fulfilment of legal obligations (Article 6(1)(c) GDPR).

6. Web Host

We operate the Search Platform on the servers of our web host Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Your data are also processed by Google LLC in the United States. There exists no adequacy decision of the EU Commission for the United States. For this reason, we and Google LLC entered into the standard contractual clauses adopted by the EU Commission in accordance with Article 46(2)(c) GDPR.

7. Cookies

We store cookies, which make it possible for us to offer you all the features of the Search Platform and to make our service more user-friendly. Cookies are small files that are stored on your end device, with the aid of your browser.

Specifically, we use the following cookies:

7.1 Strictly necessary:

These cookies are strictly necessary for the operation and functionality of the Search Platform. They allow our service to be accessible and available; they provide essential and basic functionalities such as the navigation, the correct presentation of contents in your browser, or consent management. Without these cookies, the Search Platform cannot function properly.
The legal basis for using strictly necessary cookies is Section 15(1) of the Telemediengesetz (Tele-communications Act) and Article 6(1)(b) GDPR, to the extent that these cookies are necessary for the use of the Search Platform and the features used by you.

We use the following cookies:
Name Provider Purpose Expiry Type Category
JSESSIO NID
crealytics GmbH
Maintain the user session
The session
HTTP
Strictly necessary
sid
crealytics GmbH
To keep a user logged in
1 day
HTTP
Strictly necessary
company
crealytics GmbH
Take the user to the last account they viewed
1 day
HTTP
Strictly necessary

8. Local Storage

We use local storage technology, which makes it possible for us to store data locally in the cache of your end device, with the aid of your browser.

Local storage allows your preferences and user configuration of the Search Platform to be stored on your end device and reused when you visit the Search Platform again.

That information includes, for instance, the following data:
• User configuration
The data in your local storage remains indefinitely and can be read by us even after closing your browser unless you actively delete the cache.

The legal basis for the use of local storage technology is Article 6(1)(f) GDPR. We have a legitimate interest to be able to provide you with an attractive and fully functional Search Platform as well as efficient ways to customise the Search Platform according to your needs.

If you do not wish that we store data in your local storage, you can configure your end device accordingly. Please note that in this case the functionalities of the Search Platform may no longer be available to you or only to a limited extent.

9. Sharing data

Unless otherwise specified in this Privacy Policy, your personal data will be shared without your prior consent only in the cases specified below:

9.1

If necessary, for purposes of investigating the unlawful use of our services or for purposes of establishing our rights, personal data will be shared with law enforcement agencies and, where applicable, with injured third parties. Personal data will be shared, however, only if specific evidence exists, which is indicative of illicit or abusive conduct. Personal data can also be shared, when sharing that data serves to enforce terms of use or other agreements. Furthermore, we are required by law to provide information to certain public agencies. These include law enforcement agencies, government authorities that prosecute misdemeanours subject to fines, and fiscal authorities.

Personal data will be shared not only on the basis of the legitimate interest we have in combatting abuse; in prosecuting crimes; and in securing, establishing, and enforcing claims, Article 6(1)(f) GDPR, but also on the basis of a statutory obligation, as contemplated by Article 6(1)(c) GDPR.

9.2

We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants and similar bodies insofar as this is necessary for the provision of our services (Article 6(1)(b) GDPR) or the proper operation of our business (Article 6(1)(f) GDPR) or we are obliged to do so (Article 6(1)(c) GDPR).

9.3

In providing our services, we rely on third-party undertakings and outside service providers (“Processors”), each bound by contracts. In these cases, personal data are shared with these Processors for further processing. These Processors are carefully selected by us and audited at regular intervals in order to ensure that your rights and freedoms are preserved. Processors may use the data only for the purposes specified by us and are also required by contract to handle your data only in compliance with this Privacy Policy and with applicable data protection law.

Data are shared with Processors on the basis of Article 28(1) GDPR, alternatively on the basis of the legitimate interest we have in the economic and technical benefits associated with the engagement of specialized Processors, Article 6(1)(f) GDPR. Beyond the Processers already specified in this Privacy Policy, we engage the following categories of Processers:
• IT service provider

• Cloud service provider

• Hosting service provider

• Software service provider

9.4

In the course of developing our business, it is possible that the structure of crealytics GmbH will be changed, by changing its legal form; by establishing, selling, or buying subsidiaries or business divisions. In the event of such transactions, customer information will be passed on, together with any portion of the business to be transferred. In the event personal data are shared with third parties within the scope described above, we shall ensure that those data are shared in accordance with this Privacy Policy and with applicable data protection law.

Sharing personal data is justified on the grounds that we have a legitimate interest in changing the form of our undertaking to align, whenever necessary, with the economic and legal particularities on the ground, Article 6(1)(f) GDPR.

10. Transfers to third countries

We also process data in countries outside the European Economic Area (“EEA”), in so-called third countries, and/or transfer data to recipients in these third countries. The foregoing also includes the United States. Please note that, at present, there exists no adequacy decision of the EU Commission; that, in general, these third countries have an adequate level of data protection. In particular, there exists, at present, no adequacy decision of the EU Commission for the United States. For this reason, we rely on the standard data protection clauses adopted by the EU Commission in accordance with Article 46(2)(c) GDPR, to structure the contractual relationships with third-country recipients. These can be viewed at any time by visiting: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en or by requesting corresponding copies using our contact details provided in Sec. 1 of this privacy policy. We and our service providers that process your data on our behalf (“Processors”) enter into the standard data protection clauses for data transfers to processers established in third countries (so-called EU controller to non-EU or EEA processor standard data protection clauses). For transfers to third parties in third countries, we use the relevant standard data protection clauses for transfers to third parties (so-called EU controller to non-EU or EEA controller standard data protection clauses).

11. Change in purpose

Your personal data will be processed for purposes other than those described only to the extent such is permitted by law or to the extent to which you have given your consent that your data can be processed for the purpose so changed. In the event your data are processed for purposes other than those for which the data were originally collected, but before those data are so processed, we will inform you of such other purposes and provide you with all further information material to such purpose(s).

12. Erasure of your data

Unless otherwise specified in this Privacy Policy, we erase or anonymize your personal data once they are no longer needed for the purposes for which we have collected or used them in accordance with the foregoing sections.

They will be stored for a longer period of time only to the extent required by law, including, but not limited to, for purposes of establishing, securing, or defending against claims.

The data are stored based on our legitimate interest, of the requirement to create proper documentation of our business operations, and of our need to secure our legal position (Article 6(1)(f) GDPR). Insofar as your data are relevant for purposes of performing contracts, they are stored for purposes of initiating and performing each individual contractual relationship (Article 6(1)(b) GDPR).

To the extent that we are bound by law to retain your data, we will store your data throughout the time prescribed by law (Article 6(1)(c) GDPR). In particular, statutory rules and regulations governing storage of data can arise from the retention periods contemplated by the Handelsgesetzbuch (Commercial Code) or by the Abgabenordnung (German Fiscal Code). As a rule, the retention periods contemplated by these statutes are 6 years, commencing as of the end of the year in which we received your request.

13. Providing your personal data

Neither by law nor by contract are you required to provide your personal data. To some extent, however, it is necessary that you provide personal data, so that we can provide you with our services and the features available on our Search Platform. In particular, it is necessary that you provide your personal data, so that we can create and manage your user account for the Search Platform and take into receipt and process any requests you send to us.

Wherever it is necessary for you to provide certain data, we have identified that data by making it a required field. Providing further data is voluntary. The consequence of not providing required data is that we will be unable to provide the relevant services and features, including, but not limited to, our inability to create or manage your account and to take into receipt and to process your requests.

Where voluntary information is concerned, the consequence of not providing such information will be that we will be unable to provide the relevant features and services or that we will be unable to provide them as they are intended to be provided.

14. Automated individual decisions or profiling measures

We do not use automated processing processes to make decisions, including profiling.

15. Your rights as data subject

15.1 Right of access

Within the scope of Article 15 GDPR and § 34 BDSG, you have the right to obtain from us, at any time you request, access to the personal data concerning you. To exercise this right, you can submit your request by mail or via email by using the address given in Section 1 above.

15.2 Right to rectify inaccurate data

You have the right to obtain from us without undue delay the rectification of any inaccurate personal data concerning you. To exercise this right, please use the contact address specified in Section 1 above.

15.3 Right to erasure

Given the prerequisites described in Article 17 GDPR and § 35 BDSG, you have the right to obtain from us the erasure of personal data concerning you. In particular, these prerequisites prescribe a right of erasure, whenever the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed as well as in cases of unlawful processing, of the existence of an objection, or in case the data have to be erased for compliance with a legal obligation under European Union law or the law of any Member State, to which we are subject. To exercise your right set out in the foregoing, please use the contact address specified in Section 1 above.

15.4 Right to restriction of processing

Under Article 18 GDPR, you have the right to obtain from us the restriction of processing. This right exists in cases including, but not limited to, those in which the accuracy of the personal data is contested between you and us, for the period required to verify the accuracy, as well as in case you have a right to erasure, but request a restriction of processing instead of erasure; further in case the data are no longer necessary for the purposes pursued by us, but you need them to establish, to exercise, or to defend against legal claims, as well as if the successful exercise of an objection remains contested between us. To exercise your right as set out above, please use the contact address specified in Section 1 above.

15.5 Right to data portability

Under Article 20 GDPR, you have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. To exercise your right as set out above, please use the contact address specified in Section 1 above.

15.6 Right to object

Under Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which, inter alia, is based on point (e) or (f) of Article 6(1). We shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

To the extent we process personal data concerning you for direct marketing purposes, including profiling, you have the right to object to such processing. Once you object, we will stop such processing.

Unless otherwise specified in this Privacy Policy, please use the contact address specified in Section 1 to exercise your right, as set out above.

15.7 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority of your choice.

15.8 Data processed when you exercise your rights

Finally, we advise that we process the personal data transmitted by you, when you exercise your rights under Articles 15 through 22 GDPR, not only for the purpose of complying with these rights, but also so that we can demonstrate such compliance. This processing is based upon the legal basis of Article 6(1)(c) GDPR in conjunction with Articles 15 through 22 GDPR and § 34(2) BDSG.