data protection

Data protection declaration for the website rubarb.app

I. Name and address of the person responsible and the data protection officer

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

rubarb GmbH
Speersort 4-6
20095 Hamburg

represented by Fabian Scholz, Jakob Scholz, Kevin Craig
Phone: +49 40 299 960 882
Email: service@rubarb.app

The controller’s data protection officer is:

Lawyer and specialist lawyer for information technology law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbB
Jungfrauenthal 8

E-mail: dpo@rubarb.app
Website: www.graef.eu

II. General information on data processing

1. Scope of processing of personal data

We collect and use our users’ personal data only insofar as this is necessary to provide our website with our content and services. The collection and use of personal data of our users takes place regularly only with the consent of the user. An exception applies in those cases in which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law. We process the following types of data:

– User data (e.g. websites visited, interest in content, access times)
– Meta / communication data (e.g. device information, IP addresses)
– Name, e-mail, telephone number and message texts of messages sent to us via e-mail or website forms

2. Legal basis
for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 Para. 1 lit. a EU General Data Protection Regulation (GDPR) as the legal basis for the processing of personal data.

When processing personal data that is required to fulfill a contract to which the data subject is a party, Art. 6 Para. 1 lit. b GDPR as the legal basis. This also applies to processing operations that are required to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the person concerned do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR as the legal basis for processing.

3. Data deletion and storage duration

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data in order to conclude or fulfill a contract.

III. Provision of the website and creation of log files

Description and scope of data processing

Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer. The following data is collected for a limited time:

1. Website visited
2. amount of data transferred,
3.Information about the type and version of the browser used,
4. the user’s operating system,
5. the user’s IP address,
6. the date and time of access and
7. The websites from which the user’s system came to our website.

The data is stored in the log files of our system. This data is only required to analyze any malfunctions and is deleted within seven days at the latest. The legal basis for the temporary storage of the data and the log files is Art. 6 Para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this, the user’s IP address must be stored for the duration of the session. The storage in log files takes place in order to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context and no conclusions are drawn about your person. Our legitimate interest in data processing in accordance with Art. 6 Para. 1 lit. f) GDPR. The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no possibility of objection on the part of the user.

IV. Cookies

We use so-called session or flash cookies on our website. Cookies are text files that are stored in or by the Internet browser on the user’s computer system. When a user visits a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that enables the browser to be clearly identified the next time the website is accessed. Some functions of our website cannot be offered without the use of cookies. For this it is necessary that the browser is recognized even after changing pages. The user data collected with technically necessary cookies are not used to determine the identity of the user or to create user profiles. The legal basis for the processing of personal data using cookies is Art. 6 Para. 1 lit. f) GDPR. The use of technically necessary cookies serves to simplify the use of websites for users. The user data collected by technically necessary cookies are not used to create user profiles. According to Art. 6 para. 1 lit. f) GDPR, the processing of personal data is necessary to safeguard our legitimate interests.

Cookies are stored on the user’s computer and transmitted to our site by the user. As a user, you therefore have full control over the use of cookies, and these cookies are deleted when you close your browser. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated, not all functions of the website may be available.

V. Google services

On the basis of consent within the meaning of Art. 6 Para. 1 lit. a. DSGVO) Google Analytics, Google Ads and Google Double Click, i.e. web analysis services from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). According to their terms of use, Google reserves the right to use personal data for its own purposes. However, Google does not disclose whether and which personal data is used by Google.

If you have given your consent, Google uses cookies. The information generated by a cookie about the use of the online offer by the user is usually transmitted to a Google LLC server in the USA and stored there. Google processes the data in the USA on the basis of EU standard contractual clauses and thus offers sufficient guarantees within the meaning of Art. 46 Para. 1, para. 2 lit. c) GDPR. You can find more information about the cookies used by Google as well as the option to withdraw your consent here .

With Google Analytics, the information obtained by cookies is used on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with other services related to the use of this online offer and the internet to provide. In doing so, pseudonymous user profiles can be created from the processed data. We only use Google Analytics with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address is only transmitted to a Google server in the USA and shortened there in exceptional cases.

With Google Ads, the information obtained by cookies is used on our behalf in order to be able to recognize from which Google advertisement the user came to our site and to optimize the relevance of the advertisement. Google Ads also delivers targeted advertising based on behavioral profiles and geographic location. Your IP address and other identification features such as your user agent will be transmitted to Google. If you are registered with a Google Ireland Limited service, Google Ads can assign the visit to your account. Even if you are not registered with Google Ireland Limited or have not logged in, it is possible that Google will find out and save your IP address and other identification features. In this case, Google Ireland Limited is responsible for forwarding your data.

Google Double Click uses a cookie ID. The information obtained in this way is used on our behalf in order to be able to recognize from which ad on a third party site the user came to our site. DoubleClick can also use the cookie ID to record which advertisements have already been shown in a browser in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions. Conversions are recorded, for example, if a user has previously been shown a DoubleClick advertisement and then makes a purchase on the advertiser’s website with the same internet browser.

A DoubleClick cookie does not contain any personal data, but can contain additional campaign IDs. A campaign identifier is used to identify the campaigns with which you have already been in contact on other websites. As part of this service, Google gains knowledge of data that Google also uses to create commission statements. Among other things, Google can understand that you have clicked on certain links on our website. In this case, Google Ireland Limited is responsible for forwarding your data.

The IP address transmitted by the user’s browser will not be merged with other Google data. In addition to the default setting at the start of using the website, you can prevent the storage of cookies by setting your browser software accordingly; You can also prevent Google from collecting the data generated by the cookie and relating to your use of the online offer and from processing this data by downloading and installing the browser plug-in available under the following link: http: // tools. google.com/dlpage/gaoptout?hl=de.

Finally, we also use Google’s Google Fonts service to display icons on our website. In order to obtain these icons, a connection to Google servers is established, whereby your IP address may be transferred to the USA. Google processes the data in the USA on the basis of EU standard contractual clauses and thus offers sufficient guarantees within the meaning of Art. 46 Para. 1, para. 2 lit. c) GDPR. The use of Google Fonts is based on our legitimate interests, ie interest in a uniform provision and the optimization of our online offer in accordance with Art. 6 Para. 1 lit. f. GDPR.

Further information on the use of data by Google, setting and objection options can be found on the Google website: https://www.google.com/intl/de/policies/privacy/partners (“Use of data by Google when you use websites or apps of our partners “), http://www.google.com/policies/technologies/ads (” use of data for advertising purposes “), http://www.google.de/settings/ads (” manage information that Google uses, to show you advertisements “).

VI. Facebook conversion pixels

We use a marketing pixel from the service provider Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) on our website. We have implemented a code for this on our website. The pixel is an excerpt from JavaScript code that loads a collection of functions with which Facebook can track your user actions if you came to our website via Facebook ads. For example, if you purchase a product on our website, the pixel is triggered and saves your actions on our website in the respective cookies. These cookies enable Facebook to compare your user data (customer data such as IP address, user ID) with the data of your Facebook account. Then Facebook deletes this data again. The data collected is anonymous and cannot be viewed by us and can only be used in the context of advertising. If you are a Facebook user yourself and are logged into your account there, your visit to our website is automatically assigned to your Facebook user account.

We only want to show our services and products to those people who are really interested in them. With the help of this marketing pixel, our advertising measures can be better tailored to your wishes and interests. So Facebook users (provided they have allowed the use of cookies required for personalized advertising) see appropriate advertising. In addition, Facebook uses the collected data for analysis purposes and its own advertisements.

You can find the cookies that are set by integrating the marketing pixel here . You can find more information on the collection and use of data by Facebook and your rights and options for protecting your privacy in the Facebook data protection information at https://www.facebook.com/about/privacy/.

The legal basis for the setting of cookies and the associated processing of personal data is Art. 6 para. 1 lit. a GDPR.

The purpose of setting the cookies is to send you interesting advertising in connection with rubarb on Facebook, provided you are a potential customer there. The cookies are only processed for these processing purposes until you revoke your consent. All processing operations carried out until the consent was revoked remain unaffected. You can withdraw your consent at any time here withdraw.

As part of the use of marketing pixel functions, the personal data contained in the cookies will be transmitted to Facebook if you are a customer there. It can happen that Facebook processes data on servers outside the European Union. By concluding EU standard contractual clauses, Facebook guarantees an appropriate level of data protection within the meaning of Art. 44 ff. GDPR. The legal basis for processing in connection with the marketing pixel outside the European Union is Art. 6 para. 1 lit. a GDPR. You can also revoke this consent at any time in the settings. If only the consent for processing outside the European Union is withdrawn, however, further use of the marketing pixel functions will no longer be possible.

VII. Data transfer to third countries

We use the Adobe Type Kit service provided by Adobe Systems Software Ireland Ltd., 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland to display our fonts and certain icons on the website. We also use the Bootstrap service from Stackpath Inc., 2021 McKinney Ave Ste 1100, Dallas, TX 75201, USA to display certain icons. When using our website, a connection to the servers of these service providers in the USA is established. Your IP address is transmitted to the service provider so that they can display the fonts and icons from our website on your screen.

We have also integrated the Freshchat chat service from the service provider Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, USA, into our website so that customers can easily contact us and view the FAQs. When using the Freshchat communication tool, a connection to the servers of the service provider Freshworks in the USA is established and your IP address is transmitted.

The use of the services is based on our legitimate interests, i.e. our interest in a platform-independent provision of content and its design as well as communication tools in accordance with Art. 6 Para. 1 lit. f) GDPR.

The service providers process the data on our behalf and on the basis of EU standard contractual clauses and thus offer sufficient guarantees within the meaning of Art. 46 Para. 1, para. 2 lit. c) GDPR.

VIII. YouTube

Our website includes videos from YouTube (“YouTube”). YouTube is operated by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

As soon as you start a YouTube video via the website, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The service is used on the basis of our legitimate interests, ie the interest in a platform-independent provision of content in accordance with Art. 6 Para. 1 lit. f) GDPR.

Due to the integration of the videos, the YouTube servers are called up for technical reasons. For the associated use of data from your browser or device, we refer to the data protection information from YouTube, as YouTube is responsible for the corresponding data processing. The specific storage period of the processed data cannot be influenced by us, but is determined by YouTube. Further information can be found in the YouTube data protection declaration: https://policies.google.com/privacy?hl=de

In order to guarantee an adequate level of data protection when transmitting data to the USA, we have concluded the EU standard contractual clauses with the provider of YouTube. As a further protective measure, we always include videos from YouTube in the “Do Not Track” variant, so that personal data is only transmitted to Vimeo in a minimal way.

IX. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

1. Right to information

You can request confirmation from the person responsible as to whether personal data relating to you is being processed by us.

If this is the case, you can request the following information from the person responsible:

1. the purposes for which the personal data are processed;
2. the categories of personal data that are processed;
3. the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
5. the existence of a right to correction or deletion of your personal data, a right to restrict processing by the person responsible or a right to object to this processing;
6. the right to lodge a complaint with a supervisory authority;
7. all available information about the origin of the data if the personal data are not collected from the data subject;
8. the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information about whether the personal data relating to you is being transmitted to a third country or to an international organization. In this context, you can request to be informed about the appropriate guarantees in accordance with. Art. 46 GDPR to be informed in connection with the transfer.

2. Right to rectification

You have a right to correction and / or completion vis-à-vis the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.

3. Right to restriction of processing

You can request the restriction of the processing of your personal data under the following conditions:

1. if you dispute the accuracy of the personal data concerning you for a period that enables the person responsible to check the accuracy of the personal data;
2. the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
3. the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
4. if you have objected to the processing in accordance with Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of your personal data has been restricted, this data – apart from its storage – may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest processed by the Union or a Member State. If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

4. Right to cancellation

a) Obligation to delete

You can request the person responsible to delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

1. The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent on which the processing according to Art. 6 para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR, and there is no other legal basis for the processing.
3. You lay acc. Art. 21 para. 1 GDPR objection to the processing and there are no overriding legitimate reasons for the processing, or you object acc. Art. 21 para. 2 GDPR objection to the processing.
4. The personal data concerning you have been processed unlawfully.
5. The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the member states to which the person responsible is subject.
6. The personal data concerning you were collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.

b) Information to third parties

If the person responsible has made the personal data concerning you public and is acc. Art. 17 para. 1 GDPR to delete them, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the person concerned are about to delete them have requested any links to this personal data or copies or replications of this personal data.

c) Exceptions

The right to deletion does not exist if processing is necessary

1. to exercise the right to freedom of expression and information;
2. to fulfill a legal obligation that requires processing under the law of the Union or the member states to which the person responsible is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been transferred to the person responsible ;
3. for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes acc. Art. 89 para. 1 GDPR, insofar as the right mentioned under section a) is likely to make the realization of the objectives of this processing impossible or seriously impair it, or
5. for the establishment, exercise or defense of legal claims.

5. Right to be informed

If you have asserted the right to correction, deletion or restriction of processing against the person responsible, the person responsible is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this turns out to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the person responsible.

6. Right to data portability

You have the right to receive the personal data relating to you that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transfer this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that

1. the processing on a consent acc. Art. 6 para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract according to. Art. 6 para. 1 lit. b GDPR is based and
2. the processing is carried out using automated procedures.

In exercising this right, you also have the right to have your personal data transmitted directly from one person responsible to another, insofar as this is technically feasible. This must not impair the freedoms and rights of other people. The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task that is in the public interest or takes place in the exercise of official authority that has been transferred to the person responsible.

7. Right to Object

You have the right, for reasons that arise from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 para. 1 lit. e or f GDPR takes place, to object; this also applies to profiling based on these provisions.

The person responsible will no longer process the personal data concerning you unless he can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you are processed in order to operate direct mail, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of information society services – regardless of Directive 2002/58 / EC – you have the option of exercising your right of objection by means of automated procedures that use technical specifications.

8. Right to revoke the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of revocation.

9. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which has legal effects on you or which significantly affects you in a similar manner. This does not apply if the decision

1. is necessary for the conclusion or performance of a contract between you and the person responsible,
2. is permissible on the basis of legal provisions of the Union or of the member states to which the person responsible is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms and your legitimate interests or
3. is made with your express consent.

However, these decisions may not be based on special categories of personal data according to Art. 9 Para. 1 GDPR, unless Art. 9 Para. 2 lit. a or g applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases mentioned in (1) and (3), the person responsible shall take appropriate measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to express their own position and heard on contesting the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data is against violates the GDPR.

The supervisory authority to which the complaint was submitted informs the complainant about the status and the results of the complaint, including the possibility of a judicial remedy according to Art. 78 GDPR.

Data protection information for the rubarb mobile app

I. Name and address of the person responsible and the data protection officer

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

rubarb GmbH
Speersort 4-6
20095 Hamburg

represented by Fabian Scholz, Jakob Scholz, Kevin Craig
Phone: +49 40 299 960 882
Email: service@rubarb.app

The controller’s data protection officer is:

Lawyer and specialist lawyer for information technology law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbB
Jungfrauenthal 8

E-mail: dpo@rubarb.app
Website: www.graef.eu

II. General information on data processing

1. Scope of processing of personal data

We collect and use our users’ personal data only insofar as this is necessary for the provision of our app, our content and services. The collection and use of personal data of our users takes place regularly only with the consent of the user. An exception applies in those cases in which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.

2. Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 Para. 1 lit. a EU General Data Protection Regulation (GDPR) as the legal basis for the processing of personal data.

When processing personal data that is required to fulfill a contract to which the data subject is a party, Art. 6 Para. 1 lit. b GDPR as the legal basis. This also applies to processing operations that are required to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the person concerned do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR as the legal basis for processing.

3. Data deletion and storage duration

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data in order to conclude or fulfill a contract.

III. Provision of the mobile app and use of the mobile app

1. App Store

When downloading the mobile app, the required information is transferred to the respective app store (Apple App Store, Google Play Store), in particular the username, email address and customer number of your account there, the time of the download, payment information and the individual device code. We have no influence on this data processing, nor are we responsible for it.

2. Use of the mobile app

When providing the app, we only process data insofar as it is necessary for downloading the mobile app to your mobile device. During installation, our mobile app generates a device key which uniquely identifies your mobile device in order to link it to the user account. In this way we ensure that your account is not used by strangers against your will.

When you use our mobile app, we collect the following data, which is technically necessary for us to offer you the functions of our mobile app and to guarantee stability and security:

– Date and time of the request
– Time zone difference to Greenwich Mean Time (GMT)
– content of the request (specific page)
– Access status / HTTP status code
– Amount of data transferred in each case
– Website from which the request came
– Operating system and its interface

The above-mentioned data is processed in the log files in order to ensure the functionality and security of our mobile app.

The legal basis for the provision of our service is Art. 6 Para. 1 lit. b GDPR. Otherwise, the legal basis for the temporary storage of this data and the log files is Art. 6 Para. 1 lit. f GDPR, because we have a legitimate interest as the responsible app provider to ensure the functionality and security of our mobile app.

IV. Personal information

If you use the services offered with our mobile app, we process the following data that are necessary for us to be able to offer you the contractually guaranteed functions of our mobile app:

– salutation
– first name and surname
– E-mail address
– Address

The processing of the above-mentioned personal data takes place to fulfill our contractual performance obligations, which we make available to you with our mobile app.

The above data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case at the end of the third year after the end of the contract, unless storage going beyond this is provided for by the European or national legislature in Union regulations.

The legal basis for the provision of our service is Art. 6 Para. 1 lit. b GDPR.

V. Video identification data

In order to be able to offer you the full functionality of our mobile app, verification of your identity is required. For this we use the IDnow service of the service provider IDnow GmbH, Auenstraße 100, 80469 Munich. We have concluded an order processing contract with IDnow GmbH.

After the verification process, IDnow sends us the following data:

– Pictures & data for the identification documents:
– Data on the identification document: type of identification document, country of issue, issuing authority, date of issue, validity date, first name, surname, address, date of birth, place of birth, nationality, gender
– Images for the identification document: photo of the front and back, security features
– Video logs
– Audio logs

The processing of the above-mentioned personal data takes place to fulfill our contractual performance obligations, which we make available to you with our mobile app.

The above data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case at the end of the third year after the end of the contract, unless storage going beyond this is provided for by the European or national legislature in Union regulations.

The legal basis for the provision of our service is Art. 6 Para. 1 lit. b) GDPR.

VI. Cooperation partner

In order to be able to offer you our services, we work with the financial service provider DAB BNP Paribas (German branch: DAB BNP Paribas SA Germany branch, Landsberger Straße 300, 80687 Munich). To use our services, an account will be opened for you at DAB BNP Paribas using your courier power of attorney. For the provision of the services we process the following data, which we forward to DAB BNP Paribas:

– salutation
– first name and surname
– E-mail address
– Address
– Tax seat
– Tax ID (optional)
– Place of birth
– Birthday
– Nationalities + ID information
– Job
– Industry / company
– Income
– Free funds
– Reference account (IBAN)

The above data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case at the end of the third year after the end of the contract, unless storage going beyond this is provided for by the European or national legislature in Union regulations.

The legal basis for data processing in the context of providing our service is Art. 6 Para. 1 lit. b) GDPR. In addition, we are legally obliged to store the data forwarded to DAB BNP Paribas; The legal basis for this is Art. 6 para. 1 lit. c) GDPR.

DAB BNP Paribas is responsible for the processing of your data at DAB BNP Paribas. The data protection information there apply: https://b2b.dab-bank.de/Footer/Datenschutzerklaerung/

VII. Account information

To provide our services within the app, we work with the service provider FinTecSystems GmbH, Gottfried-Keller-Str. 33, 81245 Munich, as the account information service provider. Using FinTecSystems, we give you the option within the app to link one or more of your accounts and credit cards so that we can generate rounding payments based on the transaction data and invest them for you.

The following data is processed:

– Information about the bank account: first name, last name, bank name, IBAN, BIC, account number, bank code, account balance
– Transaction data: date, dealer, amount paid

The processing of the above-mentioned personal data takes place to fulfill our contractual performance obligations, which we make available to you with our mobile app.

The above data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case at the end of the third year after the end of the contract, unless storage going beyond this is provided for by the European or national legislature in Union regulations.

The legal basis for the provision of our service is Art. 6 Para. 1 lit. b) GDPR. FinTecSystems GmbH is responsible for processing your data at FinTecSystems. As a rule, you give FinTecSystems your consent to the collection, use and storage of your data. The data protection information there applies: https://fintecsystems.com/datenschutz/

VIII. Investment data

Within the app you have the option of selecting different investments. We process the data on whether and how you invest and forward this data to the cooperation partner DAB BNP Paribas for collection and investment. In return, we receive current data from DAB BNP Paribas on individual transactions that were carried out on your behalf to display your current account and securities account information within the app.

The above data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is usually the case at the end of the third year after the end of the contract, unless storage going beyond this is provided for by the European or national legislature in Union regulations.

The legal basis for the provision of our service is Art. 6 Para. 1 lit. b) GDPR.

IX. Google Firebase

We use the Firebase technology from Google (Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland). Firebase is part of the Google Cloud Platform and, in addition to a real-time database, offers other services:

Firebase Analytics enables the analysis of the use of our offer. This collects information about the use of our app, transfers it to Google and stores it there. Personal data collected are unique device identifiers and usage data. Google will use the information mentioned to evaluate the use of our app anonymously and to provide us with other services related to the use of apps.

Firebase Crash Reporting is used for the stability and improvement of the app. This collects information about the device used and the use of our app (e.g. the time stamp, when the app was started and when the crash occurred), which enables us to diagnose and solve problems.

Firebase Cloud Messaging is used to be able to transmit push messages or so-called in-app messages (messages that are only displayed within the app). A pseudonymized push reference is assigned to the mobile device, which serves as the destination for the push messages or in-app messages. We use data processing for the purpose of providing a functional app that corresponds to the state of the art. With the data, which is evaluated anonymously, we receive the necessary information that enables us to offer an appealing design of our content.

The data processing takes place on the basis of Art. 6 Para. 1 lit. f) GDPR (legitimate interest). We have a legitimate interest in providing a functioning and optimized mobile app that provides a certain level of convenience and technology. This interest outweighs your interest in anonymous use.

If possible, Google Firebase uses servers located in the EU for these services. However, it cannot be ruled out that data will also be transferred to the USA. Google has joined the EU-US Privacy Shield, a data protection agreement between the EU and the USA.

X. Google Maps Platform

Within the app, we use Google Maps Platform “Places”, a service of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, to simplify the onboarding for address look-up and place of birth completion.

If you would like to use the associated functionalities, we will collect data on your location.

Your location can be determined with varying degrees of accuracy. Google uses:

GPS, IP address , Sensor data from your device , Information about objects near your device such as wireless access points, radio masts, and Bluetooth-enabled devices

The types of location data that Google collects depend in part on your device and account settings. You can object to the use of the Google Maps Platform “Places” services at any time. You can use the “Settings” menu on your device enable or disable your device’s location tracking . If you’d like to create a private map of places you visit with your signed-in devices, you can also use the Location history activate.

The data processing takes place on the basis of Art. 6 Para. 1 lit. f) GDPR (legitimate interest). We have a legitimate interest in providing a functioning and optimized mobile app that provides a certain level of convenience and technology.

Wherever possible, Google uses servers located in the EU for these services. However, it cannot be ruled out that data will also be transferred to the USA. Google has joined the EU-US Privacy Shield, a data protection agreement between the EU and the USA.

XI. Adjust

Within the app, we use the analysis technology “adjust” from adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin (“Adjust”). Adjust uses IDFA or the AAID of the user for the analysis, but these are only used anonymously. A conclusion to a natural person is not possible. We use this information for our own market research as well as to optimize our own advertising measures.

The legal basis for data processing is Art. 6 Para. 1 lit. f) GDPR (legitimate interest). We have a legitimate interest in providing effective advertising.

We use this information for our own market research and to optimize our own advertising measures. Further information on the purpose and scope of the data collection and the further processing and use of the data can be found in Adjust’s privacy policy at https://www.adjust.com/privacy-policy/. The data collection and storage by Adjust can be deactivated at any time with effect for the future at https://www.adjust.com/opt-out. We have concluded an order processing agreement with adjust GmbH.

XII. IBAN scanner

To make the account opening process easier for you, we offer you the option of scanning the IBAN of your bank card as part of our app. This means that you do not have to type in the IBAN by hand when you save your reference account. There is also the option of entering the IBAN manually.

We use a software development kit (SDK) to use the scan function. It is a collection of programming tools and program libraries for developing software. Specifically, we use the Google Play service “MLKIT” (Machine Learning Kit) from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Due to the specific nature of the implementation, no personal data is passed on to third parties.

The legal basis for the processing of your personal data and access to your camera is your consent in accordance with Art. 6 Para. 1 p. 1 a) GDPR. You can revoke the rubarb app’s access to the camera at any time in the settings of your smartphone. Please note that the use of the scan function requires access to the camera.

As part of the scanning process, we only extract the IBAN. The scan itself is not saved. In this way we ensure that no other personal data is processed.

XIII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

1. Right to information

You can request confirmation from the person responsible as to whether we are processing personal data relating to you.

If such processing is available, you can request the following information from the person responsible:

1. the purposes for which the personal data are processed;
2. the categories of personal data that are processed;
3. the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
4. the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;
5. the existence of a right to correct or delete your personal data, a right to restrict processing by the person responsible or a right to object to this processing;
6. the right to lodge a complaint with a supervisory authority;
7. all available information about the origin of the data if the personal data are not collected from the data subject;
8. the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information about whether the personal data relating to you is being transmitted to a third country or to an international organization. In this context, you can request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR to be informed in connection with the transfer.

2. Right to rectification

You have a right to correction and / or completion vis-à-vis the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.

3. Right to restriction of processing

Under the following conditions, you can request that the processing of your personal data be restricted:

1. if you dispute the accuracy of the personal data concerning you for a period of time that enables the person responsible to check the accuracy of the personal data;
2. if the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
3. if the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
4. if you have objected to the processing in accordance with Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of the personal data concerning you has been restricted, this data – apart from its storage – may only be allowed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest processed by the Union or a Member State. If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

4. Right to cancellation

a) Obligation to delete

You can demand that the person responsible delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

1. The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent on which the processing according to. Art. 6 para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR, and there is no other legal basis for the processing.
3. You put gem. Art. 21 para. 1 GDPR objection to the processing and there are no overriding legitimate reasons for the processing, or you submit acc. Art. 21 para. 2 GDPR objection to the processing.
4. The personal data concerning you have been processed unlawfully.
5. The deletion of the personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the member states to which the person responsible is subject.
6. The personal data relating to you were collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.

b) Information to third parties

If the person responsible has made the personal data concerning you public and is acc. Art. 17 para. 1 GDPR to delete them, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the person concerned are about to delete them requested any links to, or copies or replications of, such personal information.

c) Exceptions

The right to deletion does not exist if processing is necessary

1. to exercise the right to freedom of expression and information;
2. to fulfill a legal obligation that requires processing under the law of the Union or the member states to which the person responsible is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been transferred to the person responsible ;
3. for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes acc. Art. 89 para. 1 GDPR, insofar as the right mentioned under section a) is likely to make the realization of the objectives of this processing impossible or seriously impair it, or
5. for the establishment, exercise or defense of legal claims.

5. Right to be informed

If you have asserted the right to correction, deletion or restriction of processing against the person responsible, the person responsible is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this turns out to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the person responsible.

6. Right to data portability

You have the right to receive the personal data relating to you that you have provided to the person responsible in a structured, common and machine-readable format. You also have the right to transfer this data to another person in charge without hindrance from the person in charge to whom the personal data was provided, provided that

1. the processing on a consent acc. Art. 6 para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract according to. Art. 6 para. 1 lit. b GDPR is based and
2. the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data relating to you transmitted directly from one person responsible to another, insofar as this is technically feasible. This must not impair the freedoms and rights of other people.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task that is in the public interest or takes place in the exercise of official authority that has been transferred to the person responsible.

7. Right to Object

You have the right, for reasons that arise from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 Para. 1 lit. e or f GDPR takes place, to object; this also applies to profiling based on these provisions.

The person responsible will no longer process the personal data concerning you unless he can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data relating to you are processed in order to operate direct mail, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of information society services – regardless of Directive 2002/58 / EC – you have the option of exercising your right of objection by means of automated processes in which technical specifications are used. This also includes the opt-in or opt-out within the respective settings of your end device.

8. Right to revoke the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of revocation.

9. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which has legal effect on you or which significantly affects you in a similar manner. This does not apply if the decision

1. is necessary for the conclusion or performance of a contract between you and the person responsible,
2. is permissible on the basis of legal provisions of the Union or of the member states to which the person responsible is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms and your legitimate interests or
3. is made with your express consent.

However, these decisions may not be based on special categories of personal data according to Art. 9 Para. 1 GDPR, unless Art. 9 Para. 2 lit. a or g applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases mentioned in (1) and (3), the person responsible shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain intervention by a person on the part of the person responsible, to express their own point of view and heard on contesting the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of the personal data concerning you is against violates the GDPR.

The supervisory authority to which the complaint was submitted informs the complainant about the status and the results of the complaint, including the possibility of a judicial remedy according to Art. 78 GDPR.