Privacy policy

This privacy policy describes the collection and use of personal data in connection with the use of our website https://www.circula.com/en ("Website") in accordance with the requirements of the General Data Protection Regulation ("GDPR"). Processing activities that are not covered by this data protection declaration may be supplemented by further data protection declarations, which must be observed separately.

1.1 Responsible party

The responsible party within the meaning of the DSGVO is
Circula GmbH ("Circula"/"we"/"us").
Schönhauser Allee 148
10435 Berlin
Germany

1.2 Data Protection Officer

We have appointed an external data protection officer through Simpliant. Simpliant also advises us on the implementation and operation of our data protection management system. More information about Simpliant can be found at http://www.simpliant.eu.

You can reach our appointed data protection officer:

• by mail at:

Circula GmbH
- Data Protection Officer -
Schönhauser Allee 148
10435 Berlin
Germany

• or by e-mail at:

privacy@circula.com

1.3 Data subject rights and supervisory authority

You can exercise the following rights:

• Right to information about your data stored by us and its processing (Art. 15 DSGVO),
• Right to correct incorrect personal data (Art. 16 DSGVO),
• Right to have your data stored by us deleted (Art. 17 DSGVO),
• Right to restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),
• Right to portability of data if you have consented to data processing or have concluded a contract with us (Art. 20 DSGVO),
• Right to object to the processing of your data by us (Art. 21 DSGVO).

To exercise your rights, you can contact us by email at privacy@cirula.com.

For identification purposes, we ask you to provide the following information:

• First and last name
• E-mail address

In individual cases, further information may be required for unique identification. The processing of your request and the identification of your person is based on Art. 6 para. 1 lit. c DSGVO.

You may at any time pursuant to Art. 77 DSGVO in conjunction with. § 19 BDSG to file a complaint with a supervisory authority, e.g. with the competent supervisory authority of the federal state in which you reside or with the authority responsible for us.

1.4 Processing of data, purpose and legal basis

We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (DSGVO) and the German Federal Data Protection Act (BDSG).

The legal basis for all our processing activities is based on Art. 6 (1) DSGVO.

We use your data based on your consent pursuant to Art. 6 para. 1 p.1 lit. a) DSGVO for specific purposes, in particular:

• for sending newsletters with regular offers
• to receive special information and offers from Circula
• to support usage processes of the website
• for personalized use of the website and personalized offers
• for analytical purposes to optimize our offer for you.

Consent given can be revoked at any time. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.

In addition, we process your data to protect our legitimate interests in accordance with Art. 6 para. 1 p. 1 lit. f) DSGVO,

• for the assertion of legal claims including collection and defense in legal disputes.
• for purposes of compiling statistics to improve products and services.
• For contacting you, insofar as a permanent business relationship with you or your employer exists or is intended (business contacts).

In addition, we will process your data pursuant to Art. 6 para. 1 lit. c) DSGVO, insofar as we are legally obliged to do so, for example, in order to comply with our retention obligations under commercial or tax law.

1.5 Storage period

We take all reasonable steps to ensure that your personal data is only processed for the period required in each case according to the purpose of processing. If the storage period is not specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. Personal data will not be deleted if storage is required by law (e.g. § 257 HGB, 147 AO). Furthermore, we may store your personal data until the expiry of the statutory limitation periods (usually 3 years; in individual cases, however, up to 10 years or longer), provided that this is necessary for the assertion, exercise or defense of legal claims.

1.6 Data security

To protect the security of your data during transmission, we use technical and organizational security measures, in particular the encryption of our website to prevent unauthorized access by third parties. The encryption via HTTPS is enforced within the framework of an HSTS header. The data collected from you is generally hosted on ISO 27001 certified servers. Our security measures are continuously improved and adapted according to technological developments.

1.7 Transmission to service providers

We use service providers for the provision of our offers. These service providers act only according to our instructions and are contractually obligated to comply with the provisions of Art. 28 DSGVO. If not further specified below, service providers are contracted for the following services:

• Maintenance of IT systems and related services
• Handling our customer service and managing requests
• Measurement of website performance
• Provision of personalized content

1.8 Data transfer to third countries

Unless otherwise stated below, your data will not be transferred to a third country outside the European Union. Your personal data will only be transferred to third countries if the requirements of Art. 44- 49 DSGVO are met, in particular standard contractual clauses, binding corporate rules, adequacy decision of the Commission.

1.9 No obligation to provide data / No profiling.

There is no legal or contractual obligation to provide us with data. However, some services can only be provided if the required data is provided by you. Your personal data will not be used for automated individual decision making including profiling.

Our website offers different areas with different functionalities for the visitor, which are described in more detail below.

2.1 Server protocols

Nature and purpose of data processing:

When you access our website, information of a general nature is automatically collected. This information, known as server log files, includes:

• IP address
• Name of the access provider
• Browser type, browser software version and browser language
• Operating system
• Date and time of access
• Content of the access
• Amount of data transferred
• Access status (successful transmission/error)
• Web page(s) to which the access was redirected
• Visited web pages
• Processing is performed for the following purposes:
• Ensuring a trouble-free connection to the website
• Ensuring smooth use of our website
• Evaluation of system security and stability

Legal basis:

Processing is carried out pursuant to Art. 6 (1) lit. f DSGVO based on our legitimate interest in hosting the website and improving and monitoring the security, stability and functionality of the website.

Recipient:

The recipient of the data is a technical service provider who are responsible for the operation (hosting) and maintenance of our website. As processors, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to third countries:

The servers through which our website is offered are located in Frankfurt am Main, Germany. Under certain circumstances, however, usage data may occasionally be transferred to the United States of America. The order processing contracts with the service provider contain standard contractual clauses approved by the EU Commission and appropriate guarantees that data protection obligations will be met.

Retention period:

Server log files are deleted after 30 days at the latest.

2.2 Consent management

Nature and purpose of processing:

Our website uses cookies for various processing activities for which your consent is required. In order to obtain such consent and store it, we use a so-called Consent Management Platform from Usercentrics. As part of this, a cookie - a small text file - is set on your terminal device to register your selection/consent. For this purpose, we process your IP address, among other things. On our website, you can make gradual privacy settings regarding these cookies.

Legal basis:

The processing is based on our legitimate interests in documenting compliance with the provisions of the DSGVO regarding obtaining consent (Art. 6 (1) lit. f DSGVO).

You can find more information under the item "Cookies".

2.3 Newsletters and whitepapers

Type and purpose of processing:

On our website, we offer you the opportunity to sign up for an email newsletter with regular product news and updates. You also register for the newsletter when you sign up to download a whitepaper. For all the above purposes, we need to process your name and email address. This data is processed in order to send you previously mentioned information.

Legal basis:

The processing is based on your consent (Art. 6 para. 1 lit. a DSGVO).

Recipients:

The recipients of the data are order processors. As processors, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to third countries:

Data is transferred to the United States of America. The order processing contracts with the service provider contain standard contractual clauses approved by the EU Commission and appropriate guarantees that data protection obligations will be met.

Retention period:

We process your data until you unsubscribe from our newsletter, revoke your consent, or request that we delete it.

Withdrawal of consent:

If you no longer wish to receive newsletters from us in the future and/or wish to object to the analysis of your data by such newsletters, please use the "unsubscribe" link contained in each newsletter or send us an email at privacy@circula.com.

2.4 Contact

Nature and purpose of processing:

In order to provide you with the best possible support in the context of using our offers, we offer you the possibility to contact our customer service in the form of a chat or contact form on the website or by e-mail. All communications addressed to us become support tickets. In this context, we process your name, e-mail address, if any, as well as contents of your request.

Legal basis:

The data is processed for the implementation of pre-contractual measures (Art. 6 para. 1 b) DSGVO). It is also processed to protect our legitimate interests Art. 6 para. 1 f) DSGVO. We want to provide customers with a customer service available anywhere on the site (in the form of chat or a customer-facing email).

Recipients:

The recipients of the data are order processors. As processors, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to Third Countries:

Data is transferred to the United States of America. The order processing contracts with the service provider contain standard contractual clauses approved by the EU Commission and appropriate guarantees that data protection obligations will be met.

Retention period:

If there is no assignment to a user account, the data will be deleted within 12 months after data entry.

2.5 Online Learning Portal

Nature and purpose of processing:

You have the option to register with our online learning portal via the website in order to complete online courses via Circula. For this, we need your name and email address to provide you with the relevant materials and access to the course.

Legal basis:

The data is processed for the implementation of contractual measures (Art. 6 para. 1 b) DSGVO) (free user relationship of the online learning portal). It is also carried out to protect our legitimate interests Art. 6 para. 1 f) DSGVO in providing information regarding the implementation of our service. For this purpose, we require your name and e-mail address.

Recipients:

The recipient of the data is an order processor. As a processor, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to third countries:

Data is transferred to Canada. For Canada, there is an adequate decision of the EU Commission regarding an adequate level of data protection.

Retention period:

Your data will be processed until the user account is deleted.

2.6 Website analysis

Nature and purpose of data processing:

This website uses cookie-based technologies to help us better understand how the website is used and how we can further optimize it for the benefit of performance and user experience. We do this by compiling reports about activity on the website that do not identify specific individuals. Analytics cookies process your IP address and data about usage behavior on our website (e.g. which pages were visited and which buttons were clicked) for this purpose.

Legal basis:

The processing is carried out with your consent in accordance with Art. 6 para. 1 lit. a DSGVO.

You can find more information under the item "Cookies".

2.7 Personalized advertising

Type and purpose of data processing:

We use cookie-based technologies that help us deliver relevant and personalized advertising.

This enables us to determine the visitors to our online offering as the target group for the display of advertising (so-called "targeted advertising"). In addition, we can track the effectiveness of our online advertising by seeing whether users were redirected to our website after clicking on such advertising (so-called "conversion tracking"). We may also use service providers to identify users who have visited our website as potential customers and recipients of advertising (so-called "retargeting").

Legal basis:

The processing is carried out with your consent in accordance with Art. 6 para. 1 lit. a DSGVO.

You can find more information under the item "Cookies".

Our website uses so-called cookies. Cookies do not cause any damage to your device and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and in your browser.

Most of the cookies we use are so-called session cookies. These cookies are automatically deleted at the end of the session. Session cookies are used to assign successive page views to individual users accessing our website at the same time. Other cookies are stored on your device until you delete them. These cookies allow us to recognize your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies, decide on a case-by-case basis whether to accept them or exclude the acceptance of cookies for certain cases or in general, as well as activate the automatic deletion of cookies when closing the browser.

Google Chrome: https://support.google.com/accounts/answer/61416?hl=en

Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox

Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac

Opera: https://www.opera.com/help

We would like to point out that the use and especially the comfort of use may be limited without the use of cookies. The cookies are set via a consent management tool. The settings can be defined here.

We maintain publicly accessible profiles on social networks. The social networks used by us in detail can be found below.

By visiting our social media presence, numerous data protection-relevant processing operations are triggered.

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, you can be shown interest-based advertising inside and outside the respective social media presence. Provided you have an account with the respective social network, the interest-based advertising may be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis:
Our social media presence is intended to ensure the most comprehensive presence possible on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. The analysis processes initiated by the social networks may be based on different legal bases, which are to be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) lit. a DSGVO).

Responsible party and assertion of rights:
If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Retention period:
The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for storing it no longer applies, you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly.

4.1.1 Facebook
We have a company profile on Facebook. We have concluded an agreement with Facebook on joint responsibility for the processing of data (Controller Addendum). This agreement specifies the data processing operations for which we or Facebook is responsible when you visit our Facebook fan page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

4.1.2 LinkedIn
We have a company profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

For details on how they handle your personal data, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy

4.1.3 Instagram
We have a business profile on Instagram. The provider is Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA, which in turn belongs to Facebook.

For details on their handling of your personal data, please refer to Instagram's privacy policy: https://help.instagram.com/519522125107875

4.1.4 Twitter
We have a company profile on Twitter. The provider is Twitter Inc. San Francisco, USA.

For details on how they handle your personal data, please refer to Twitter's privacy policy:
https://twitter.com/de/privacy

4.1.5 Crunchbase
We have a company profile on Crunchbase. The provider is Crunchbase, 564 Market Street, Suite 700, San Francisco, CA 94104, USA.

For details on their handling of your personal data, please refer to Crunchbase's privacy policy: https://about.crunchbase.com/terms-of-service/privacy-policy/

4.1.6 Xing
We have a company profile on Xing. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.

For details on their handling of your personal data, please refer to the privacy policy of LinkedIn:
https://privacy.xing.com/de/datenschutzerklaerung

4.1.7 YouTube
We have a company profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google's privacy policy for YouTube can be found at the following link:
https://policies.google.com/privacy

4.1.8 Google My Business
We have a company profile on Youtube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google's privacy policy for Youtube can be found at the following link: https://policies.google.com/privacy

Circula's app is exclusively sold to companies. The majority of data processing therefore takes place as a processor for companies and on their instructions. These processing operations on behalf of companies are governed by the data processing agreement between Circula and its customers as data controllers, who in turn are obliged to inform data subjects about the processing as data controllers.

However, the following processing operations are carried out by Circula as controller.

5.1 Admin Account

Type and purpose of the processing:

To enable the use of our app and the service processing, it is necessary to provide a so-called admin account. This is used to map all settings for the organization of our customers. As part of the provision of this account, name, company, email address and usage data, as well as so-called log files, which record information about connections to servers.

Legal basis:

The processing takes place in the context of the handling of the usage contract of the app (Art. 6 para. 1 lit. b GDPR).

Recipient:

The recipient of the data is an order processor who operates a high-security data center in Frankfurt am Main. As a processor, the service provider is obliged to process the data only within the scope of our instructions.

Retention period:

The personal data will be stored for as long as your user account exists. If necessary, we are obliged to process individual data longer due to legal retention periods (esp. tax obligations).

5.2 Service accounting and license management

Nature and purpose of the processing:

In order to process your order and payment, the data you provided during the ordering process (name, address, account number, bank routing number, credit card number (if applicable), invoice amount, currency and transaction number) will be processed. In addition, we use a unique identification number (UUID) to be able to track whether the use of our software is through a valid license. We pass on your payment data to the commissioned credit institution as part of the payment processing, insofar as this is necessary for the payment processing.

If payment service providers are used, we will inform you explicitly about this below. The legal basis for the transfer of data is Art. 6 (1) lit. b GDPR.

Recipient:

The recipients of the data are order processors. As processors, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to third countries:

Data is transferred to the United States of America. The order processing contracts with the service provider contain standard contractual clauses approved by the EU Commission and appropriate guarantees that the data protection obligations will be met.

Retention period:

The personal data will be stored for as long as your user account exists. If necessary, we are obliged to process individual data longer due to legal retention periods (esp. tax obligations).

5.3 Web App Error Correction (Error Tracking)

Nature and purpose of the processing:

To ensure the technical stability of our service, to improve it by monitoring system stability and identifying code errors. The processing is solely for these purposes and does not evaluate data for advertising purposes.

Recipient:

The recipients of the data are order processors. As processors, the service providers are obliged to process the data only within the scope of our instructions.

Transfer to third countries:

Data is transferred to the United States of America. The order processing contracts with the service provider contain standard contractual clauses approved by the EU Commission and appropriate guarantees that the data protection obligations will be met.

5.4 App analysis

Nature and purpose of the processing:

Our app uses cookie-based technologies to help us better understand how our app is used. We do this by compiling reports about activity in the app that do not identify specific individuals. Analytics cookies transmit your IP address and usage behavior data to a service provider for this purpose.

Legal basis:

The processing is carried out with your consent according to Art. 6 para. 1 lit. a GDPR.

You can find more information under the item "Cookies".

5.5 Customer Service

Nature and purpose of the processing:

In order to provide you with the best possible support when using our offers, we offer you the possibility to contact our customer service in chat form on the website or by e-mail. All communications directed to us become support tickets. In this context, we process your name, e-mail address, if any, as well as contents of your request.

Legal basis:

The data is processed for the fulfillment of contractual measures (Art. 6 para. 1 b) DSGVO). It is also carried out to protect our legitimate interests Art. 6 para. 1 f) DSGVO. We want to provide customers with a customer service that is available everywhere (in the form of chat or a customer-facing email).

Circula offers the possibility for Customers to integrate Circula's App with other Services. This is not a processing as a controller of Circula, but a transfer from one processor (Circula) to another processor (Integrated Service) on the instructions of the responsible customer.

An overview of integrations can be found here: https://www.circula.com/product/integrations

In addition, Circula offers credit card management software to customers using a so-called co-branded Circula Pliant credit card. infinnity financial technologies GmbH (hereinafter "Pliant") is a cooperation partner of Circula, which offers an online platform for the connection of physical and virtual credit cards, which contains various functions. In cooperation with Pliant, Circula offers its customers a Circula Pliant credit card. The issuer of this credit card is Transact Payments Malta Limited, which issues corporate credit cards under a license from VISA Europe Limited. You can find their Privacy Policy here, their terms and conditions here, and the schedule here.

Cards are issued by Transact Payments Malta Limited pursuant to licence by VISA Europe Limited. Transact Payments Malta Limited is duly authorised and regulated by the Malta Financial Services Authority as a Financial Institution under the Financial Institution Act 1994. Registration number C 91879.