Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and in particular on our websites, in mobile applications, and within external online presences such as our social media profiles (collectively referred to hereinafter as the “online offering”).

The terms used are gender-neutral.

Last updated: 04.03.2024

Person responsible

SOPAGO GmbH
Jakob-Klar-Str. 4
80796 München
Germany

Authorized Representative: Dipl.-Wirtsch.-Ing. Ingomar Jünger

E-Mail-Adress: info@sopago.org

Legal Notice: https://sopago.org/impressum

Security Measures

In accordance with legal requirements, and taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation of the data. We have also established procedures to ensure the exercise of data subject rights, data deletion, and response to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and processes, in line with the principles of data protection by design and by default.

IP Address Truncation: If IP addresses are processed by us or by service providers and technologies we use, and a full IP address is not necessary, the IP address is truncated (also known as “IP masking”). This involves removing or replacing the last two digits or the final part of the IP address after a dot. Truncation of the IP address is intended to prevent or significantly hinder the identification of an individual based on their IP address.

SSL Encryption (https): To protect the data you transmit via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix “https://” in your browser’s address bar.

Transfer of Personal Data

In the course of processing personal data, it may occur that data is transferred to, or disclosed to, other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include, for example, service providers responsible for IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to safeguard your personal data.

Data Transfer Within the Organization: We may transfer personal data to other units within our organization or grant them access to such data. If this transfer is made for administrative purposes, it is based on our legitimate business and organizational interests, or it takes place if it is necessary for fulfilling our contractual obligations, if consent has been given by the data subjects, or if there is a legal basis allowing such a transfer.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using services of third parties or the disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transfers, we process or have data processed in third countries only if there is an adequate level of data protection recognized, contractual obligations through so-called standard contractual clauses of the European Commission, the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR; information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. Primarily, a cookie serves to store information about a user during or after their visit to an online service. Stored information can include, for example, language settings on a website, login status, a shopping cart, or the point where a video was watched. The term “cookies” also includes other technologies that perform similar functions (e.g., when user data is stored based on pseudonymous online identifiers, also called “user IDs”).

The following cookie types and functions are distinguished:

• Temporary Cookies (Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their browser.
• Permanent Cookies: Permanent cookies remain stored even after closing the browser. For example, login status can be saved, or preferred content displayed directly when a user revisits a website. User interests used for reach measurement or marketing purposes can also be stored in such cookies.
• First-Party Cookies: Set by us directly.
• Third-Party Cookies: Mainly used by advertisers (so-called third parties) to process user information.
• Necessary (Essential) Cookies: Cookies that are absolutely required for operating a website (e.g., to save logins or other user inputs, or for security reasons).
• Statistics, Marketing, and Personalization Cookies: Cookies are also used for measuring reach and when user interests or behavior (e.g., viewing specific content, using features) on individual websites are saved in a user profile. These profiles serve to display content tailored to users’ potential interests. This process is also called “tracking,” meaning the monitoring of users’ potential interests. If we use cookies or tracking technologies, we will inform you separately in our privacy policy or when obtaining consent.

Legal Basis: The legal basis for processing your personal data via cookies depends on whether we ask for your consent. If you consent to the use of cookies, processing is based on that consent. Otherwise, cookie-processed data is handled based on our legitimate interests (e.g., operating and improving our online offering) or, if required to fulfill contractual obligations.

Storage Duration: If we do not provide explicit information about the storage duration of permanent cookies (e.g., in cookie opt-in notices), please assume the duration can be up to two years.

General Information on Revocation and Objection (Opt-Out): Depending on whether processing is based on consent or legal permission, you may revoke consent or object to cookie-based data processing at any time (collectively called “opt-out”). You can initially do this via your browser settings by disabling cookies (which may limit functionality of our online services). Objections to marketing cookies can also be made through services such as https://optout.aboutads.info and https://www.youronlinechoices.com/. Additional opt-out information may be provided with details on the services and cookies used.

Cookie Consent Management: We use a cookie consent management system to obtain, manage, and allow revocation of user consents for cookie use and related processing. Consent declarations are stored to avoid repeated requests and to prove consent as legally required. Storage may be server-side and/or via a cookie (opt-in cookie or similar technology) to assign consent to a user or device. Unless otherwise specified, consent is stored up to two years, using a pseudonymous user identifier, time of consent, scope of consent (which cookie categories or providers), and information about browser, system, and device.

• Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses)
• Affected Persons: Users (e.g., website visitors, users of online services)
• Legal Bases: Consent (Art. 6(1)(a) GDPR), Legitimate Interests (Art. 6(1)(f) GDPR)

Provision of the Online Offer and Web Hosting

To provide our online offer securely and efficiently, we use the services of one or more web hosting providers, whose servers (or servers they manage) deliver the online offer. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, database services, as well as security and technical maintenance services.

Data processed in connection with the provision of the hosting service may include all user-related information generated during use and communication. This regularly includes the IP address, which is necessary to deliver online content to browsers, as well as any inputs made within our online offer or on websites.

Collection of Access Data and Log Files: We (or our web hosting provider) collect data for every server access (so-called server log files). These server log files may include the address and name of the accessed web pages and files, date and time of access, amount of data transferred, status of successful access, browser type and version, user’s operating system, referrer URL (previously visited page), and typically IP addresses and the requesting provider.

Server log files are used for security purposes, e.g., to prevent server overload (especially in case of abusive attacks such as DDoS attacks), and to ensure server capacity and stability.

• Types of Data Processed: Content data (e.g., inputs in online forms), usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses)
• Affected Persons: Users (e.g., website visitors, users of online services)
• Legal Basis: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR)

Services and Service Providers Used:

• alfahosting: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacities); service provider: Alfahosting GmbH, Ankerstraße 3b, 06108 Halle (Saale), Germany; website: https://alfahosting.de; privacy policy: https://alfahosting.de/datenschutz

Special Notes on Applications (Apps)

We process the data of users of our application to the extent necessary to provide the application and its functionalities to the users, to monitor its security, and to further develop it. Furthermore, we may contact users in compliance with legal requirements if communication is necessary for the administration or use of the application. Otherwise, regarding the processing of user data, we refer to the privacy information in this privacy policy.

Legal Basis: The processing of data necessary to provide the functionalities of the application serves the fulfillment of contractual obligations. This also applies if the provision of functions requires authorization from the users (e.g., permissions for device functions). If the processing of data is not necessary for providing the functionalities of the application but serves the security of the application or our legitimate business interests (e.g., collection of data for optimizing the application or security purposes), it is carried out on the basis of our legitimate interests. If users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on that consent.

Device Permissions for Access to Functions and Data: The use of our application or its functionalities may require users to grant permissions to access certain functions of the devices used or to the data stored on or accessible through the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure to control app permissions may depend on the device and the software used by the users. If users need clarification, they can contact us. We point out that denial or revocation of the respective permissions may affect the functionality of our application.

• Types of Data Processed: Master data (e.g., names, addresses), meta-/communication data (e.g., device information, IP addresses)
• Purposes of Processing: Provision of contractual services and customer service
• Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR), Contract fulfillment and pre-contractual requests (Art. 6 (1) sentence 1 lit. b GDPR), Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR)

Contact

When contacting us (e.g., via contact form, email, telephone, or social media), the details of the requesting persons are processed to the extent necessary to respond to the contact inquiries and any requested measures.

Responding to contact inquiries within the scope of contractual or pre-contractual relationships takes place to fulfill our contractual obligations or to answer (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries.

• Types of Data Processed: Master data (e.g., names, addresses), contact data (e.g., email addresses, telephone numbers), content data (e.g., entries in online forms)
• Affected Persons: Communication partners
• Purposes of Processing: Contact inquiries and communication
• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR)

Push Notifications

With the consent of users, we can send so-called “push notifications” to users. These are messages displayed on users’ screens, devices, or browsers, even if our online service is not currently actively used.

To subscribe to push notifications, users must confirm the request from their browser or device to receive push notifications. This consent process is documented and stored. The storage is necessary to recognize whether users have consented to receiving push notifications and to be able to prove the consent. For these purposes, a pseudonymous identifier of the browser (the so-called “push token”) or the device ID of a device is stored.

Push notifications can be required to fulfill contractual obligations (e.g., relevant technical and organizational information for using our online offer) and otherwise, unless specifically stated otherwise below, are sent based on users’ consent. Users can change their push notification settings at any time using the notification settings of their respective browsers or devices.

• Purposes of Processing: Provision of contractual services and customer service
• Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR)

Online Marketing

We process personal data for the purposes of online marketing, which in particular includes marketing advertising space or displaying advertising and other content (collectively referred to as “content”) based on users’ potential interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures are used, whereby relevant user data for displaying the aforementioned content is stored. These data may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information such as the browser used, the computer system, and usage times. If users have consented to the collection of their location data, these can also be processed.

Users’ IP addresses are also stored. However, we use available IP-masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear personal data (such as email addresses or names) are stored in online marketing procedures, but pseudonyms. This means that neither we nor the providers of online marketing procedures know the actual identity of users but only the information stored in their profiles.

The data in the profiles are generally stored in cookies or using similar methods. These cookies can also later be read on other websites using the same online marketing procedures and analyzed for content display purposes as well as supplemented with additional data and stored on the online marketing service provider’s server.

In exceptional cases, clear personal data may be assigned to profiles. This is the case if users are, for example, members of a social network whose online marketing procedures we use, and the network connects the profiles of users with the aforementioned information. Please note that users may enter into additional agreements with providers, e.g., by consenting during registration.

We generally only receive aggregated information about the success of our ads. However, we can check which of our online marketing procedures have led to a so-called conversion, e.g., a contract concluded with us, through conversion measurement. Conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, please assume that used cookies are stored for a period of two years.

Notes on Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, data processing is based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

• Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses)
• Affected Persons: Users (e.g., website visitors, users of online services)
• Purposes of Processing: Marketing, creation of user profiles with user-related information, conversion measurement (measuring marketing effectiveness)
• Security Measures: IP masking (pseudonymization of the IP address)
• Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR)
• Right to Object (Opt-Out): We refer to the privacy notices of the respective providers and the objection options (so-called “opt-out”). If no explicit opt-out option is provided, you may disable cookies in your browser settings. This may, however, limit the functions of our online offer. Therefore, we additionally recommend the following opt-out possibilities, which are generally offered for specific regions: Europe: https://www.youronlinechoices.eu Canada: https://www.youradchoices.ca/choices USA: https://www.aboutads.info/choices Cross-region: https://optout.aboutads.info

Used Services and Service Providers:

• Google Analytics: Online marketing and web analysis; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google.com/privacy; opt-out option: opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying ads: https://adssettings.google.com/authenticated

• Google Ads and Conversion Measurement: We use the online marketing tool “Google Ads” to place ads in the Google advertising network (e.g., in search results, videos, on websites, etc.) so that they are shown to users who are likely interested in the ads. Furthermore, we measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page marked with a so-called “conversion tracking tag.” We do not receive any information that could identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com; privacy policy: https://policies.google.com/privacy

Plugins and Embedded Functions as well as Content

We integrate functional and content elements into our online offer, which are obtained from the servers of their respective providers (hereinafter referred to as “third parties”). These can be, for example, graphics, videos, or maps (hereinafter uniformly referred to as “content”).

The integration always requires that the third-party providers of this content process the IP address of the users, since without the IP address they would not be able to send the content to the users’ browsers. Therefore, the IP address is necessary for the display of these contents or functions. We strive to only use content whose respective providers use the IP address solely for delivering the content. Third parties may also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Through the “pixel tags,” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, visit duration, as well as other data on the use of our online offer, and may be combined with such information from other sources.

Notes on legal basis: If we ask users for their consent to the use of third parties, the legal basis for data processing is consent. Otherwise, the data of the users are processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g., visited websites, interest in content, access times), meta-/communication data (e.g., device information, IP addresses)
• Affected persons: Users (e.g., website visitors, users of online services)
• Purposes of processing: Provision of our online offer and user-friendliness, fulfillment of contractual services and customer service
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Used services and service providers:

• reCAPTCHA: We integrate the “reCAPTCHA” function to be able to recognize whether inputs (e.g., in online forms) are made by humans and not by automated machines (so-called “bots”). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies as well as results of manual recognition procedures (e.g., answering posed questions or selecting objects in images). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://adssettings.google.com/authenticated

• Font Awesome: Display of fonts and icons; service provider: Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA; Website: https://fontawesome.com/; Privacy policy: https://fontawesome.com/privacy

• Google Fonts: We embed the fonts (“Google Fonts”) of the provider Google, whereby user data is used solely for the purpose of displaying the fonts in the user’s browser. The integration is based on our legitimate interests in a technically secure, maintenance-free and efficient use of fonts, their uniform display, and taking into account possible licensing restrictions for their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy

• Google Maps: We embed the maps of the service “Google Maps” from the provider Google. The data processed may especially include IP addresses and location data of users, which, however, are not collected without their consent (usually given within the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy policy: https://policies.google.com/privacy; Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for ad display: https://adssettings.google.com/authenticated

Deletion of Data

The data we process will be deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer exists or if the data is no longer necessary for that purpose).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. That means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or for protecting the rights of another natural or legal person.

Within the framework of our data protection information, we may provide users with further details about deletion and data retention that specifically apply to the respective processing procedures.

Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the contents of our privacy policy. We update the privacy policy as soon as changes in our data processing activities make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time, and we ask you to verify the information before making contact.

Rights of the Data Subjects

As a data subject, you have various rights under the GDPR, especially those arising from Articles 15 to 21 GDPR:

• Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to Withdraw Consent: You have the right to withdraw any given consent at any time.
• Right to Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to request access to that data as well as further information and a copy of the data according to legal provisions.
• Right to Rectification: You have the right, according to legal provisions, to demand the completion of incomplete data or correction of incorrect personal data concerning you.
• Right to Erasure and Restriction of Processing: You have the right, according to legal provisions, to demand that your data be deleted immediately or alternatively to demand the restriction of processing.
• Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller according to legal provisions.
• Right to Complain to a Supervisory Authority: According to legal provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State where you habitually reside, where you work, or where the alleged infringement occurred, if you believe that the processing of your personal data violates the GDPR.

Definitions

This section provides an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are especially defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are mainly intended to aid understanding. The terms are listed alphabetically.

• IP Masking: “IP masking” refers to a method in which the last octet, i.e., the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. Therefore, IP masking is a means of pseudonymizing processing procedures, especially in online marketing.
• Conversion Measurement: Conversion measurement (also called “visitor action evaluation”) is a process used to determine the effectiveness of marketing measures. Usually, a cookie is stored on users’ devices within the websites where the marketing measures are applied and then retrieved again on the target website. For example, this allows us to track whether ads placed by us on other websites were successful.
• Personal Data: “Personal data” means all information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with User-Related Information: The processing of “profiles with user-related information,” or simply “profiles,” includes any kind of automated processing of personal data that consists of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this can include various information regarding demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are frequently used for profiling purposes.
• Controller: The “controller” is the natural or legal person, authority, institution, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
• Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes almost any handling of data, such as collection, evaluation, storage, transmission, or deletion.