• Privacy Policy (Web)

The Privacy Policy of gleea.de

Privacy Policy (Web)

Privacy Policy (Web)

Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data" for short) that we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: November 17, 2022

Responsible Party

Gleea Educational Software GmbH
Hubert-Dammert-Str. 1
86836 Klosterlechfeld

Authorized representatives: Stefanie Graumann, Christian Brugger, Christoph Graumann, Andreas Voit.

Email address: [email protected].

Legal Notice: https://gleea.de/impressum.

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data (e.g. names, addresses).
  • Content data (e.g. entries in online forms).
  • Contact data (e.g. e-mail, telephone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in content, access times).

Categories of Affected Persons

  • Communication partners.
  • Users (e.g. website visitors, users of online services).

Purposes of Processing

  • Registration process.
  • Provision of our online offerings and user-friendliness.
  • Direct marketing (e.g., via email or postal mail).
  • Contact requests and communication.
  • Security measures.
  • Performance of contractual services and customer service.
  • Administration and response to requests.

Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection provisions may apply in your or our country of residence. Should specific legal bases be applicable in individual cases, we will inform you of this in the privacy policy. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection in Germany apply. This includes, in particular, the law to protect against the misuse of personal data in data processing (Bundesdatenschutzgesetz - BDSG). The BDSG contains specific provisions, particularly regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for employment purposes (§ 26 BDSG), especially concerning the establishment, execution, or termination of employment relationships and the consent of employees. State data protection laws of individual federal states may also apply.

Security Measures

We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

Among the measures are, in particular, the securing of confidentiality, integrity, and availability of data through control of physical and electronic access to the data, as well as access to them, their input, transmission, secured availability, and their separation. Furthermore, we have procedures in place that ensure data subject rights, deletion of data, and responses to data threats. We also consider the protection of personal data in the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by default.

SSL Encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser. This also applies to any communication between our app and the backend server.

Transfer of Personal Data

In the context of our data processing, it may happen that data is transferred to other entities, companies, legally independent organizational units, or individuals or that they are disclosed to them. Recipients of these data can include service providers entrusted with IT tasks or providers of services and content embedded in a website. In such cases, we comply with the legal requirements and conclude appropriate contracts or agreements, which serve to protect your data, with the recipients of your data.

Data transfer within the organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this disclosure is for administrative purposes, the transfer of data is based on our legitimate entrepreneurial and business interests or occurs if it is necessary for the performance of our contractual obligations or if there is consent from the data subjects or a legal permit.

Datenverarbeitung in Drittländern

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing occurs as part of the use of services from third parties or the disclosure or transfer of data to other individuals, entities, or companies, this only takes place in accordance with legal requirements.

Subject to express consent or contractual or legally required transfer, we process or allow the processing of data only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection rules (Art. 44 to 49 GDPR, EU Commission Information Page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Deletion of Data

The data we process is deleted or its processing is restricted according to the legal requirements, once consents that allow the processing are revoked or other permissions cease to apply (e.g., if the purpose of the processing of the data no longer applies or it is not necessary for the purpose anymore).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be limited to these purposes. This means the data is locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or to protect the rights of another natural or legal person.

Our data protection notices may also contain further information on the retention and deletion of data, which applies primarily to the respective processing activities.

Use of cookies

ookies are text files that contain data from websites or domains visited and are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after their visit to an online service. The information stored may include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was watched. The term “cookies” also includes other technologies that perform the same functions as cookies (e.g. when user information is stored using pseudonymous online identifiers, also known as “user IDs”)

A distinction is made between the following cookie types and functions:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their browser.
  • Permanent cookies:* Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users that are used for reach measurement or marketing purposes can also be stored in such a cookie.
  • First-party cookies: First-party cookies are set by us.
  • Third-party cookies (also: third-party cookies): Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or absolutely necessary) cookies: Cookies can be absolutely necessary for the operation of a website (e.g. to save logins or other user input or for security reasons).
  • Statistical, marketing and personalization cookies: Cookies are also generally used to measure reach and when a user’s interests or behaviour (e.g. viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as "tracking", i.e. tracking the potential interests of users. If we use cookies or "tracking" technologies, we will inform you separately in our privacy policy or when obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data with the help of cookies depends on whether we ask you for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in the business operation of our online offering and its improvement) or, if the use of cookies is necessary to fulfill our contractual obligations.

Storage period: If we do not provide you with explicit information on the storage period of permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage period can be up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke your consent or to object to the processing of your data by cookie technologies (collectively referred to as "opt-out"). You can initially declare your objection using your browser settings, e.g. by deactivating the use of cookies (although this may also restrict the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared using a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can obtain further objection notices as part of the information on the service providers and cookies used.

Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the consent of users to the use of cookies or the processing and providers mentioned in the cookie consent management procedure can be obtained, managed and revoked by the users. The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligation. Consent can be stored on the server and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Data subjects: Users (e.g. website visitors, users of online services).** Legal basis:** Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Provision of Online Offer and Webhosting

To provide our online offer securely and efficiently, we use the services of one or more webhosting providers from whose servers (or managed by them) the online offer can be accessed. For these purposes, we use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The processed data in the context of providing these services includes all data relating to the users of our online offer necessary for communication and usage thereof. Regularly, this includes the IP address necessary to deliver the contents of online offers to browsers and any input made within our online offer or websites.

Collection of Access Data and Log Files: We or our webhosting provider collect data about each access to the server (so-called server log files). The server log files may include the address and name of the retrieved web pages and files, date and time of access, data volumes transmitted, message about successful retrieval, browser type and version, the operating system of the user, referrer URL (the previously visited page), IP addresses, and the requesting provider.

Server log files may be used for security purposes, e.g., to monitor for overloads on the servers (particularly in cases of abuse attacks, known as DDoS attacks), and to ensure server utilization and stability.

  • Processed data types: Content data (e.g., entries in online forms), usage data (e.g., visited websites, content interest, access times), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

Registration, Login, and User Account

Users can create a user account. During registration, the required mandatory details are communicated to the users and are processed for the purpose of providing the user account based on the fulfillment of contractual obligations. Processed data includes, in particular, login information (username, password, and an email address).

In the course of using our registration and login functions and the use of the user account, we store the IP address and the times of the user actions. The storage is based on our legitimate interests and those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.

Users will be informed about actions that are relevant for their user account, such as technical changes, by email.

Registration with Pseudonyms: Users may use pseudonyms instead of real names as usernames.

User profiles are public: The profiles of the users are publicly visible and accessible.

Deletion of Data After Termination: If users have terminated their user account, their data concerning the user account will be deleted, provided that there is no legal retention obligation. It is the responsibility of users to back up their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the contract period.

It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service, security measures, administration, and response to inquiries.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Single-Sign-On Authentication

“Single-Sign-On“ or “Single-Sign-On Authentication“ is understood as procedures that allow users to log in using a user account with a single sign-on provider (e.g., a social network) also when using our online offer. The prerequisite for single-sign-on authentication is that users are registered with the respective single-sign-on provider and enter the necessary access data into the corresponding online form or are already logged in at the single-sign-on provider and confirm the single-sign-on registration via button.

Authentication takes place directly with the respective single-sign-on provider. As part of such authentication, we receive a user ID with information indicating that the user under this user ID is logged in at the respective single-sign-on provider and does not require further authentication (e.g., user handle). Whether we receive additional data depends solely on the single-sign-on procedure used, on the selected data releases within the scope of the authentication, and additionally on what data users have released in the privacy or other settings of the user account with the single-sign-on provider. It can be different data depending on the single-sign-on provider and the user’s preferences; as a rule, these are the email address and username. The password entered during the single-sign-on process is neither visible to us nor is it stored by us.

Users are asked to note that their data stored with us can be automatically compared with their user account at the single-sign-on provider, but this is not always possible or actually happens. For example, if users change their email addresses, they must manually change them in their user account with us.

We can use single-sign-on registration, provided it has been agreed with users, in the context of or before contract performance, if users have been asked for their consent, and otherwise based on our legitimate interests and those of users in an efficient and secure authentication system.

If users decide not to use their user account with the single-sign-on provider for single-sign-on anymore, they must cancel the connection with their user account at the single-sign-on provider. If users want to delete their data, they must cancel their registration with us.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service, registration process.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfillment, and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

Contact and inquiry management

When contacting us (e.g. by contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to answer the contact inquiries and any requested measures.

The response to contact inquiries and the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms).
  • Affected persons: Communication partners.
  • Purposes of processing: Contact requests and communication.
  • Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).

Services used and service providers:

Direct communication

We use online conferencing tools, among others, to communicate with our customers. The individual tools we use are listed below. If you communicate with us by video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conferencing tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other “contextual information” in connection with the communication process (metadata). Furthermore, the provider of the tool processes all technical data that is required to process the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is exchanged, uploaded or provided in any other way within the tool, this is also stored on the tool provider’s servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full control over the data processing procedures of the tools used. Our options are largely determined by the company policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed below this text.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
  • Affected persons: Communication partners (e.g. customers, users, partners).
  • Purposes of processing: Provision of contractual services and customer service, holding online meetings
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services used and service providers:

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. If the specific content of the newsletter is described in the context of a subscription, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is usually sufficient to provide your email address. However, we might ask you to provide a name for personal address in the newsletter or further details, if required for the purposes of the newsletter.

Double-Opt-In Procedure: The registration for our newsletter takes place generally in a so-called double-opt-in procedure. This means you will receive an email after registration asking you to confirm your registration. This confirmation is necessary so that no one can register with external email addresses. Registrations for the newsletter are logged to provide proof that the registration process complies with legal expectations. This includes storing the login and confirmation times as well as the IP address. Changes to your data stored by the shipping service provider are also logged.

Deletion and Restriction of Processing: We can store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them, to prove previous consent. The processing of this data is limited to the purpose of a possible defense against claims. Individually, a request for deletion is possible at any time, provided the previous existence of consent is simultaneously confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address in a blocklist (so-called “blacklist”) for this purpose alone.

The logging of the registration process is based on our legitimate interests for purposes of proving its proper procedure. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure sending system.

Notes on Legal Bases: The dispatch of the newsletters takes place based on the receiver’s consent or, if a consent is not required, based on our legitimate interests in direct marketing, provided and to the extent it is permitted by law, e.g., with existing customer advertising. As far as we commission a service provider with the dispatch of emails, this is done on the basis of our legitimate interests. Registration procedures are recorded on the basis of our legitimate interests in proving that they have been conducted in accordance with the law.

Contents: Information about us, our services, apps, promotions, and offers.

  • Processed data types: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Communication partners.
  • Purposes of processing: Direct marketing (e.g., via email or postal mail).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
  • Objection possibility (Opt-Out): You can cancel the receipt of our newsletter, i.e., revoke your consent or object to further receipt, at any time. A link to cancel the newsletter can be found either at the end of each newsletter or, you can use any of the contact options listed above, preferably email, for this purpose.

Services used and service providers:

Advertising communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which may take place via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to advertising communication at any time.

After revocation or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interests before deleting it. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time.

  • Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers).
  • Affected persons: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by e-mail or post).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Changes and Updates to the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes to the data processing we perform make it necessary. We inform you as soon as changes require a contribution from you (e.g., consent) or if an individual notification becomes necessary.

Should we provide addresses and contact information for companies and organizations in this privacy policy, please note that the addresses may change, and we ask you to verify the information before contacting us.

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR, in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
  • Right to withdraw consent: You have the right to revoke consents at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.
  • Right to deletion and restriction of processing: You have the right to request that data concerning you be deleted immediately in accordance with legal requirements, or alternatively to request a restriction of data processing in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you, which you provided to us, in a structured, commonly used, and machine-readable format according to legal requirements or to request their transmission to another controller.
  • Complaint to supervisory authority: You have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of data concerning you violates the GDPR.

Supervisory authority responsible for us:

Bavarian State Office for Data Protection Supervision
Postfach 1349
91504 Ansbach
Phone: 0981/180093-0
Email: [email protected]

Definitions

This section provides you with an overview of the terminology used in this privacy policy. Much of the terms are taken from the law and are essentially defined in Article 4 GDPR. The legal definitions are binding. The following explanations are primarily intended to assist understanding. The terms are arranged in alphabetical order.

  • Personal Data: “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, particularly by means of association with an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, such as collection, evaluation, storage, transmission, or deletion.

[Created