Privacy statement

1. Introduction

In the following, we provide information about the processing of personal data when using our website www.derstartupcfo.com and our social media profiles.

Personal data is all data that can be related to a specific natural person, such as their name or IP address.

1.1. Contact details

The controller in accordance with Article 4 (7) of the EU General Data Protection Regulation (GDPR) is nugrow GmbH, Südring 23, 44787 Bochum, e-mail: [email protected]. We are legally represented by Sebastian Janus.

We are legally represented by Florian Wilk.

1.2. Scope of data processing, processing purposes and legal bases

The scope of data processing, processing purposes and legal bases is set out in detail below. In principle, the following can be considered as the legal basis for data processing:

Article 6 (1) (a) GDPR serves us as the legal basis for processing operations for which we obtain consent.

Art. 6 (1) (b) GDPR is the legal basis insofar as the processing of personal data is necessary to fulfill a contract, e.g. when a site visitor purchases a product from us or we perform a service for him. This legal basis also applies to processing that is necessary for pre-contractual measures, such as inquiries about our products or services.

Art. 6 (1) (c) GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.

Article 6 (1) (f) GDPR serves as the legal basis if we can rely on legitimate interests to process personal data, e.g. for cookies that are necessary for the technical operation of our website.

1.3. Data processing outside the EEA

Insofar as we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the EU Commission, where available (e.g. for Great Britain, Canada and Israel), guarantee the security of the data when it is transferred (Art. 45 (3) GDPR). If there is no adequacy decision (e.g. for the USA), the legal basis for the transfer of data is usually standard contractual clauses, unless we state otherwise. These are rules adopted by the EU Commission and are part of the contract with the respective third party. In accordance with Article 46 (2) (b) GDPR, they guarantee the security of data transfer. Many of the providers have given contractual guarantees that protect the data beyond the standard contractual clauses. These include, for example, guarantees with regard to the encryption of data or with regard to an obligation on the part of a third party to notify data subjects when law enforcement agencies want to access data.

1.4. Storage period

Unless expressly stated otherwise in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its purpose and the deletion does not conflict with any legal storage requirements. If the data is not deleted because it is necessary for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that we must store for commercial or tax reasons.

1.5. Rights of those affected

Data subjects have the following rights vis-à-vis us with regard to personal data concerning them:

● Right to information,

● Right to correction or deletion,

● Right to restrict processing,

● Right to object to processing,

● Right to data portability,

● Right to withdraw consent at any time.

Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. The contact details of the data protection supervisory authorities are available here.

1.6. Obligation to provide data

As part of a business relationship or other relationship, customers, interested parties or third parties must only provide us with the personal data that is necessary to establish, carry out and end the business relationship or for the other relationship or which we are legally obliged to collect. Without this data, we will usually have to refuse to conclude a contract or provide a service or will no longer be able to carry out an existing contract or other relationship. Mandatory information is marked as such.

1.7. No automatic decision-making in individual cases

In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and carry out a business relationship or other relationship. Should we use these procedures in individual cases, we will inform you of this separately, provided this is required by law.

1.8. Contacting us

When you contact us, e.g. by e-mail or telephone, the data provided to us (e.g. names and e-mail addresses) is stored by us in order to answer questions. The legal basis for processing is our legitimate interest (Art. 6 (1) (f) GDPR) to answer inquiries addressed to us. We delete the data arising in this context after storage is no longer necessary, or restrict processing if there are legal storage obligations.

1.9. Customer surveys

From time to time, we conduct customer surveys to get to know our customers and their needs better. In doing so, we collect the data requested in each case. It is our legitimate interest to get to know our customers and their wishes better, so that the legal basis for the associated data processing is Art. 6 (1) (f) GDPR. We delete the data when the results of the surveys have been evaluated.

2. Newsletter

We reserve the right to inform customers who have already used our services or purchased goods about our offers from time to time by e-mail or other electronic means, unless they have objected to this. The legal basis for this data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in direct marketing (recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time at no additional cost, for example via the link at the end of each email or by sending an email to our email address mentioned above.

Interested parties have the option of subscribing to a free newsletter. We process the data provided when registering exclusively for sending the newsletter. Registration is made by selecting the appropriate field on our website, by ticking the appropriate box in a paper document or by taking another clear action by which interested parties declare their consent to the processing of their data, so that the legal basis is Art. 6 (1) (a) GDPR. The consent can be withdrawn at any time, e.g. by clicking on the corresponding link in the newsletter or sending a message to our e-mail address provided above. The processing of data up to the revocation remains lawful even in the event of a revocation. Based on the consent of the recipients (Art. 6 (1) (a) GDPR), we also measure the opening and click rate of our newsletters in order to understand which content is relevant to our recipients.

We send newsletters using the ActiveCampaign tool from ActiveCampaign, LLC, 1 N Dearborn St., 5th Floor, Chicago, Illinois 60602, USA (privacy policy: https://www.activecampaign.com/legal/privacy-policy). The provider processes content, usage, meta/communication data and contact data in the USA.

3. Data processing on our website

3.1. Informational use of the website

When using the website for informational purposes, i.e. when site visitors do not provide us with separate information, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. This is our legitimate interest, so that the legal basis is Art. 6 (1) (f) GDPR.

This data is:

● IP address

● Date and time of request

● Time zone difference to Greenwich Mean Time (GMT)

● Content of the request (specific page)

● Access status/HTTP status code

● Amount of data transferred in each case

● Website from which the request is made

● Browser

● Operating system and interface

● Language and version of the browser software.

This data is also stored in log files. They are deleted when they are no longer required to be stored, at the latest after 14 days.

3.2. Web hosting and website delivery

Our website is hosted by Amazon AWS. The provider is Amazon Web Services EMEA Sarl, 38 avenue John F. Kennedy, L-1855, Luxembourg. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact data, in the EU. Further information can be found in the provider's privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr.

It is our legitimate interest to provide a website, so that the legal basis for the described data processing is Art. 6 (1) (f) GDPR.

We use the Cloudflare content delivery network for our website. The provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication or contact data in the USA. For more information, please see the provider's privacy policy at.

We have a legitimate interest in using sufficient storage and delivery capacities to ensure optimal data throughput even during heavy load peaks. The legal basis for the described data processing is therefore Art. 6 (1) (f) GDPR. The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

We use the CloudFront (Amazon AWS) content delivery network for our website. The provider is Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication or contact data, in the USA.

For more information, please see the provider's privacy policy at https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.

We have a legitimate interest in using sufficient storage and delivery capacities to ensure optimal data throughput even during heavy load peaks. The legal basis for the described data processing is therefore Art. 6 (1) (f) GDPR. The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

3.3. Contact form

When you contact us via the contact form on our website, we save the data requested there and the content of the message. The legal basis for processing is our legitimate interest in answering inquiries addressed to us. The legal basis for processing is therefore Article 6 (1) (f) GDPR. We delete the data arising in this context after storage is no longer necessary, or restrict processing if there are legal storage obligations.

3.4. Job advertisements

We publish jobs that are vacant in our company on our website, on pages connected to the website, or on third-party websites. The data provided as part of the application process is processed to carry out the application process. Insofar as this data is necessary for our decision to establish an employment relationship, the legal basis is Article 88 (1) GDPR in conjunction with Section 26 (1) BDSG. We have marked the data required to carry out the application process accordingly or refer to it. If applicants do not provide this information, we will not be able to process the application. Further data is voluntary and not required for an application.

If applicants provide further information, the basis is their consent (Art. 6 (1) (a) GDPR). We ask applicants to refrain from including political opinions, religious beliefs and similarly sensitive data in their curriculum vitae and cover letter. Such data is not required for an application. If applicants nevertheless provide such information, we cannot prevent it from being processed as part of processing the resume or cover letter. Its processing is then also based on the consent of the applicants (Art. 9 para. 2 lit. a GDPR).

Finally, we process applicants' data for further application processes if they have given us their consent to do so. In this case, the legal basis is Art. 6 (1) (a) GDPR.

We pass on the applicants' data to the responsible personnel department, to our contract processors in the area of recruiting and to the other employees involved in the application process.

If we enter into an employment relationship with the applicant following the application process, we will only delete the data after the employment relationship has ended.

Otherwise, we will delete the data no later than six months after an applicant has been rejected. If applicants have given us their consent to also use their data for further application processes, we will only delete their data one year after receipt of the application.

3.5. Booking appointments

Site visitors can book appointments with us on our website. For this purpose, we process meta or communication data in addition to the data entered. We have a legitimate interest in offering interested parties a user-friendly way to arrange appointments. The legal basis for data processing is therefore Art. 6 (1) (f) GDPR. Insofar as we use a third-party tool for arranging appointments, the information about this can be found under “Third Party Provider.”

3.6. Customer account

Visitors to the website can open a customer account on our website. We process the data requested in this context on the basis of the site visitor's consent. The legal basis for processing is therefore Article 6 (1) (a) GDPR. Consent can be withdrawn at any time, e.g. using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation. If consent is withdrawn, we delete the data unless we are obliged or entitled to continue to store it.

3.7. Offering services

We offer services through our website. As part of the order, we process the following data:

Name, address, email address

The data is processed to provide the contract concluded with the respective site visitor (Art. 6 (1) (b) GDPR).

3.8. Payment service provider

To process payments, we use payment processors who are themselves controllers within the meaning of Art. 4 No. 7 GDPR. Insofar as they receive data and payment data entered by us during the ordering process, we thereby fulfill the contract concluded with our customers (Art. 6 (1) (b) GDPR).

These payment service providers are:

● American Express Europe S.A.

● giropay GmbH

● Klarna Bank AB (publ), Sweden (“Klarna Sofort”)

● Mastercard Europe SA, Belgium

● PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg

● Stripe Payments Europe, Ltd., Ireland

● Visa Europe Services Inc., Great Britain

3.9. Technically necessary cookies

Our website uses cookies. Cookies are small text files that are stored in a web browser on a site visitor's device. Cookies help to make the website more user-friendly, effective and secure. Insofar as these cookies are necessary for the operation of our website or its functions (hereinafter “technically necessary cookies”), the legal basis for the associated data processing is Art. 6 (1) (f) GDPR. We have a legitimate interest in providing customers and other site visitors with a functional website. Specifically, we use technically necessary cookies for the following purpose or purposes:

● Cookies that adopt language settings, cookies that remember search terms, cookies that store login data, cookies that payment providers set to process payments and that do not analyze user behavior, and flash cookies that are set to play media content

3.10. Third party providers

3.10.1. Make.com

We use make.com for automation and workflow optimization. The provider is Celonis, Inc., One World Trade Center, 87th Floor, New York, NY, 10007, USA; legal representatives: Bastian Nominacher, Alexander Rinke, Martin Klenk. The provider processes contact data (e.g. e-mail addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) in the EU.

The legal basis for processing is Art. 6 (1) (a) GDPR.

Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation. We delete the data when the purpose of its collection has ceased to apply.

Further information is available in the provider's privacy policy at https://www.make.com/en/privacy-notice.

3.10.2. Pipedrive

We use Pipedrive for lead management. The provider is Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia. The provider processes contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) in the EU.

The legal basis for processing is Art. 6 (1) (f) GDPR.

We have a legitimate interest in managing lead data for direct marketing purposes.

We delete the data when the purpose of its collection has ceased to apply.

Further information is available in the provider's privacy policy at https://www.pipedrive.com/en/privacy.

3.10.3. Hotjar

We use Hotjar for analysis. The provider is Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's, STJ 3141, Malta. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.

The legal basis for processing is Art. 6 (1) (a) GDPR.

Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to store it. Further information is available in the provider's privacy policy at https://www.hotjar.com/legal/policies/privacy/.

3.10.4. Calendly

We use Calendly to schedule appointments. The provider is Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA. The provider processes usage data (e.g. websites visited, interest in content, access times), contact data (e.g. email addresses, telephone numbers) and master data (e.g. names, addresses) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

We delete the data when the purpose of its collection has ceased to apply. Further information is available in the provider's privacy policy at https://calendly.com/pages/privacy.

3.10.5. Google Marketing Platform

We use Google Marketing Platform for analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

We delete the data when the purpose of its collection no longer applies. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de.

3.10.6. Google Tag Manager

We use Google Tag Manager for analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR.

Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation. The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

We delete the data when the purpose of its collection has ceased to apply. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de.

3.10.7. Google Conversion Tag

We use Google Conversion Tag for conversion tracking.

The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR.

Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to store it. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de and at https://support.google.com/tagmanager/answer/9323295?hl=de&ref_topic=3441532.

3.10.8. Facebook Conversion API

We use Facebook Conversion API for analysis. The provider is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR.

Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to store it. Further information is available in the provider's privacy policy at https://www.facebook.com/policy.php.

3.10.9. ActiveCampaign

We use ActiveCampaign for analysis. The provider is ActiveCampaign, LLC, 1 N Dearborn St., 5th Floor, Chicago, Illinois 60602, USA. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.

The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.

The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.

We delete the data when the purpose of its collection no longer applies. Further information is available in the provider's privacy policy at https://www.activecampaign.com/legal/privacy-policy.

3.10.10. Cloudflare

We use the content delivery network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München, Germany (Cloudflare) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 (1) (f) GDPR). A CDN is a network of [worldwide] distributed servers that is able to deliver content to website users in an optimized manner. For this purpose, personal data may be processed in Cloudflare's server log files. Please compare the statements under “Hosting”.

Cloudflare is a recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) sentence 1 (f) GDPR in not operating a content delivery network ourselves.

You have the right to object to the processing. Whether the objection is successful is to be determined by a balancing of interests.

The processing of the data specified in this section is neither legally nor contractually required. The functionality of the website is not guaranteed without the processing.

Your personal data will be stored by Cloudflare for as long as is necessary for the purposes described.

Further information on options for objection and removal vis-à-vis Cloudflare can be found at: Cloudflare DPA

Cloudflare has implemented compliance measures for international data transfers. These apply to all worldwide activities in which Cloudflare processes personal data of natural persons in the EU. These measures are based on the EU standard contractual clauses (SCCs). Further information can be found at: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf

3.10.11. Fillout.com Forms

For online forms, we use the services of Fillout.com, Restly, Inc., d.b.a. Fillout, Attn: Privacy Team, 1210 S Indiana Ave. Unit 1817, Chicago, IL 60605. Fillout offers EU-based hosting and storage for all end-user data on its Enterprise plan. Further information on data processing by Fillout can be found in the Fillout.com privacy policy.

3.10.12. Perspective.com

We use the company Perspective Software GmbH (hereinafter: Perspective) to process your personal data and to present the content of the website. Perspective is a company based in Germany that offers software for creating and operating mobile funnels (https://perspective.co/impressum) (privacy policy: https://perspective.co/datenschutzerklaerung/).

The data entered when using mobile funnels is transmitted using SSL encryption and stored in a database. Perspective is merely the operator of the software and, in this context, a processor under Art. 28 GDPR. The basis for processing by Perspective is a data processing agreement between the controller and Perspective. In addition, Perspective Software GmbH processes further data, some of which may also be personal data, in order to provide its services, in particular for operating the mobile funnels.