Privacy policy of komoot for business

The subject of data protection is personal data (hereinafter also referred to as “data”), i.e. all information that relates to an identified or identifiable natural person.

When you access our website, your device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

• Browser type and browser version 
• Operating system used 
• Referrer URL
• URL of the retrieved site
• Latency of the network connection 
• Date and time of server request
• IP address

We store this data for the following purposes:

• To ensure the security of our IT systems, e.g. to defend against specific attacks on our systems and detect attack patterns
• To ensure that our IT systems are operating properly, e.g. if errors occur that we can only rectify by storing the IP address
• To enable criminal prosecution, an emergency response or legal prosecution in cases where there is a concrete indication of criminal offences

Your IP address will be stored for a period of 90 days.

In this case, processing takes place based on our overriding legitimate interests mentioned above pursuant to Art. 6 Para. 1 (f) of the General Data Protection Regulation (Datenschutz-Grundverordnung, abbreviated in German to DSGVO) (“GDPR”).

If data is still required for legal reasons or to (potentially) secure, assert or enforce legal claims, it will be stored longer. For more information, please see “Deletion of your data” below.

We operate our website on the servers of our web host, Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (“Hetzner”). Hetzner processes your personal data on our behalf, i.e. exclusively according to our instructions (see Art. 4 No. 8, 28 GDPR).

When you use our website and its associated services and functions, we process your personal data to provide them.

If you use these services and functions associated with our website, for instance if you change language settings, use the search and filter functions, or download content, we process the information and settings you enter in order to provide you with these services and functions. This is also in our legitimate interest. The legal basis for this data processing is Art. 6 Para. 1 (f) GDPR.

Enquiries using our contact form

If you send us an enquiry using our contact form (e.g. if you have questions about your partner profile or about us and our services), you must provide:

• Your first name and surname
• Your company or organisation
• Your business e-mail address
• Information about your question or concern

You also have the option to provide your telephone number and your industry. We also collect the time and date of your enquiry.

Enquiries using our contact information 

If you send us an enquiry by postal mail or e-mail using our contact information found on our website, we collect:

• Your first name and surname
• The time and date of your enquiry 
• The other information you provide to us in your enquiry

and, depending on the method of contact you choose or the contact details you provide:

• Your e-mail address
• Your phone number and/or 
• Your address

For enquiries in connection with contracts (e.g. regarding your partner profile or the purchase of vouchers) processing serves to initiate or implement the contractual relationship (Art. 6 Para. 1 (1 b) GDPR). We process voluntary information that you provide in connection with our contact form on the basis of our legitimate interest in processing your request effectively and properly (Art. 6 Para. 1 (f) GDPR).

For other enquiries, processing is done on the basis of our legitimate interest in receiving and processing your enquiry, (Art. 6 Para. 1 (f) GDPR).

We store enquiries about contracts or enquiries that are potentially legally relevant for the duration of the general period of limitation, i.e. three years from the end of the year in which we receive the request. We store all other enquiries for a period of 24 months. Your enquiry will then be deleted.

Storage is based on our legitimate interest, the proper documentation of our business operations, and the safeguarding of our legal position (Art. 6 Para. 1 (f) GDPR). In the case of enquiries about contracts, the data is stored to initiate and implement the contractual relationship (Art. 6 Para. 1 (b) GDPR) and, if necessary, to fulfil legal obligations (Art. 6 Para. 1 (c) GDPR).

If data is still required for legal reasons or to (potentially) secure, assert or enforce legal claims, it will be stored for longer. For more information, please see “Deletion of your data” below.

We use the service provider Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Harju maakond, Estonia (“Pipedrive”) to send our newsletter and for newsletter tracking. Pipedrive processes your personal data on our behalf, i.e. exclusively according to our instructions (see Art. 4 No. 8, 28 GDPR).

Newsletter

If you sign up for our newsletter to receive regular (approximately once monthly) promotional information in the form of updates and news about us and our services, including your partner opportunities and the komoot Academy, by e-mail, you must provide:

• Your first name and surname
• Your company or organisation
• Your business e-mail address

Newsletter tracking

To allow us to measure success, our newsletters contain tracking pixels and tracking links. When you open our newsletter, a connection to Pipedrive's servers is automatically established and the tracking pixel is loaded. This allows us to determine whether and at what time you opened our newsletter. Our newsletters also contain tracking links to allow us to track whether and which links you clicked and when, and to which of our websites or content you were redirected. After you click on a tracking link, we may also track how you interact with the websites and content e.g., whether you download certain content or open and/or submit forms.

In addition, we also collect certain technical data as part of this tracking (e.g. your IP address, type of browser and operating system, information about your device and the e-mail programme you use to open our newsletter).

We process this data to measure the reach and success of our newsletters and to better understand the interests of our newsletter subscribers and evaluate subscribers’ interactions with our newsletters and the content included in them. Based on these findings, we can make newsletters that better suit our target group, and create newsletters that address the needs of our subscribers.

Proof of consent

We verify your consent to receive our newsletter by using the double opt-in procedure. First, you are sent an e-mail to the e-mail address you provided. This e-mail asks you to actively confirm your consent. We use the information about this confirmation and the time of this confirmation to document and prove your consent. We store this data for a period of three years, starting at the end of the year in which you revoke your consent or we discontinue the newsletter.

Legal basis, revocation and storage period

The legal basis for receiving our newsletter, including newsletter tracking, and the associated processing of your personal data is your given consent (Art. 6 Para. 1 (a) GDPR). The use of tracking pixels and the associated storage of information on your device or access to information on your device is also based on your given consent, § 25 Para. 1 of the new Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, abbreviated in German to TTDSG) (“TTDSG”), Art. 6 Para. 1 (a) GDPR.

You can revoke your consent at any time by using the unsubscribe option (provided as a link in every newsletter), or by sending an e-mail to partner@komoot.de. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before it was revoked.

Your data will be processed in this respect until the purpose of processing no longer applies e.g., until we discontinue the newsletter or you revoke your consent.

The legal basis for the processing of your personal data for the purpose of double opt-in or to prove your consent is Art. 6 Para. 1 (c) GDPR in conjunction with. Art. 7 Para. 1 GDPR. We are legally required to provide proof of your consent.

If data is still required for legal reasons or to (potentially) secure, assert or enforce legal claims, it will be stored for longer. For more information, please see “Deletion of your data” below.
 

If you want to use the partner option, you can contact us to have us create your partner profile. In this case, you must provide the following information:

• Your first and surname 
• Your company or organisation
• Your business e-mail address

You must also provide us:

• An e-mail address that does not have a komoot account
• A profile name you choose yourself that will be displayed in your URL 

In addition, you have the option of providing:

• Your industry 
• Your (work) phone number 

The processing of obligatory data is necessary to initiate or execute a contract, i.e. so we can create and manage your partner profile for you and send you access information by e-mail (Art. 6 Para. 1 (b) GDPR). The processing of optional data is based on our legitimate interest in providing you or your company with the best assistance (Art. 6 Para. 1 (f) GDPR).

Find more information about the processing of personal data in connection with the use of your partner profile here: Data privacy statement | komoot.

We offer you the opportunity to enrol in the komoot Academy so that you can get the most out of the features offered by your partner profile. To enrol in the komoot Academy, you must provide:

• Your first name and surname
• Your company or organisation
• Your industry
• Your business e-mail address 
• Your preferred language 

The processing of this data is necessary to initiate or execute the contract, i.e. to enable you to participate in the komoot Academy (Art. 6 Para. 1 (b) GDPR).

To operate and make the komoot Academy available, we use our service provider eloomi A/S, Per Henrik Lings Allé 4, 2100 Copenhagen, Denmark (“eloomi”). eloomi processes your personal data on our behalf, i.e. exclusively according to our instructions (Art. 4 No. 8, 28 GDPR).

Our website uses Friendly Captcha, a service provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany (“Friendly Captcha”). Friendly Captcha processes your personal data on our behalf, i.e. exclusively according to our instructions (Art. 4 No. 8, 28 GDPR).

The Friendly Captcha widget is embedded into our website to prevent bots from automatically filling online forms and automatically creating accounts, thereby also preventing spam, fraud and other abusive behaviour on our website and in connection with our services. Friendly Captcha helps us distinguish human users from bots using a proof-of-work challenge. Unnoticed by users, this cryptographic calculation task increases the computing power needed to visit our website, which in turn makes it unprofitable for bot networks to use bots on our website.

Friendly Captcha does not use cookies, but only collects technical data that is automatically transmitted to us when you visit our website (HTTP request header data, in particular the browser version and type, origin and referrer, date/time of the request, version of the widgets used, URL of the website retrieved, hash value (one-way encryption) of the incoming IP address, number of requests from the (hashed) IP address per period). Furthermore, we collect the answer to the task solved on your device. The IP address is immediately discarded – only the hash value of the IP address is stored. We save this data for a period of 30 days.

The legal basis for the processing of your data is Art. 6 Para. 1 (f) GDPR. It is in our legitimate interest to protect ourselves and our users from spam, fraud and other abusive behaviour.

In order to manage partner profiles and customer relationships, we use a CRM provided and operated by Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Harju maakond, Estonia (“Pipedrive”). Pipedrive processes your personal data on our behalf, i.e. exclusively according to our instructions (Art. 4 No. 8, 28 GDPR).

We store cookies and use similar technologies to increase the functionality of our website (“strictly necessary cookies”); to analyse your use of our website and your interests to give us a better understanding of how our users use our website and how we can optimise our website (“analytics cookies”); and to be able to provide you advertising from our website that is tailored to your interests (“marketing and targeting cookies”).

Cookies are small files that are stored on your device with the help of your internet browser. Similar technologies include, for example, pixels, scripts, local storage or other comparable technologies that store information on your device or which are used to read information already stored there (hereinafter collectively referred to as “cookies”). 

A distinction must be made with regard to the storage period: session cookies are only stored for the duration of a single browser session and are deleted as soon as the browser is closed. Persistent cookies, on the other hand, remain on your device until they either reach a pre-determined expiration date or they are deleted by you. You can delete cookies from your device at any time, for example by using your browser settings.

The following categories of cookies are used on our website

Strictly necessary cookies

Strictly necessary cookies are always active. The storage and access to such cookie information does not rely on your consent. Thus, we use cookies that are absolutely necessary for the operation and functionality of our website and associated services pursuant to §25 Para. 2 No. 2 of the Telecommunications-Telemedia Data Protection Act/TTDSG without your consent. This category of cookies includes cookies that ensure the website is technically accessible and usable. In addition, these cookies allow for the essential and basic functionalities of our website and the associated services. We use strictly necessary cookies for the following functions:

• Cookies that are needed to store certain technical data during your visit to our website and whilst using the associated services
• Cookies that are needed to save chosen language settings
• Cookies that ensure that the cookie and privacy settings you make, including the status of your consent, are stored correctly and that the cookie and privacy consent message is only shown to you until you have made your selection

Depending on the function of these cookies, the cookies are only stored for the duration of your visit (session cookies) or for a period of up to 30 days in order to save the cookie and privacy settings you have chosen. Cookies that are used to save your chosen settings and the cookie settings you have made are stored until the end of the browser session.

If personal data from these cookies is processed, it is to ensure that you can use our website and its functions. Your cookie and privacy settings, and in particular your consent, given or not, to the use of cookies and the associated processing is stored properly.

This is also in our legitimate interest (Art. 6 Para. 1 (f) GDPR).

Analytics cookies

Analytics cookies are used on our website by us or by service providers we have commissioned. They are used to measure online traffic and analyse behaviour. They collect information about how you interact with our website, which pages you visit and which features of our website you use. Your behaviour can be tracked across multiple website visits using a unique user ID. This allows us to understand how our users move around our website, which pages are most popular and which are used less, allowing us to thus better understand the performance and reach of our website and improve our website accordingly.

We only use analytics cookies in accordance with § 25 Para. 1 TTDSG and based on your consent (Art. 6 Para. 1 (a) GDPR). Your consent not only includes the storage of information on your device and the reading of information already stored on your device, but also the processing of that information for the purposes mentioned above, including to create analysis reports and evaluate the use of our website.

Marketing and targeting cookies

Marketing and targeting cookies are used on our website by us, or by service providers we have commissioned, and our advertising partners. These cookies allow us and our advertising partners to understand how visitors move around our website and how they interact with our website, advertisements and advertising campaigns we display on third-party platforms. Your behaviour is tracked across multiple website visits using a unique user ID, even if you visit the website using different devices. Using this information, we and our advertising partners can analyse your behaviour and interests, measure the effectiveness of our ads and campaigns, and target and customise advertising and website content that is based on your preferences, for instance by displaying advertising that is relevant to you.

We only use marketing and targeting cookies in accordance with §25 Para. 1 TTDSG and based on your consent (Art. 6 Para, 1 (a) GDPR). Your consent not only includes the storage of information on your device and the reading of information already stored on your device, but also the processing of that information for the purposes mentioned above, including to create analysis reports and evaluate the use of the website and the reach of our advertisements and advertising campaigns.

Revocation / changes to your cookie and privacy preference settings

You can revoke your consent to the use of analytics cookies and marketing and targeting cookies and the associated processing of data at any time with effect for the future using the “data privacy settings” link. From there you can also change your cookie and privacy settings at any time. You can also find the link in the footer of our website.

Below we describe the services we use as part of analytics cookies in more detail:

Google Tag Manager

We use Google Tag Manager. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our behalf and according to our instructions (Art. 4 No. 8, 28 GDPR).

Google Tag Manager is a service that allows us to incorporate other analytics, marketing and targeting services and other technologies into our website. Google Tag Manager only serves to manage and utilise the technologies integrated into it (through tags). This means that Google Tag Manager itself does not create user profiles, does not store cookies and does not carry out any independent analysis. However, Google Tag Manager collects your IP address and, in connection with the cookies and similar technologies used by Google Tag Manager, also collects unique cookie IDs that can also be transferred to Google’s parent company, Google LLC in the USA. In this case, Google will use the standard data protection clauses approved by the EU Commission pursuant to Art. 46 Para. 2 (c). Plus, Google LLC is also certified under the EU-U.S. Data Privacy Framework (find more information here). The EU-U.S. Data Privacy Framework is an adequacy decision by the EU Commission. According to this framework, an adequate level of data protection is guaranteed in the U.S. for personal data that is processed by companies certified under the EU-U.S. Data Privacy Framework. In addition, Google Tag Manager collects aggregated data when using tags to monitor and diagnose system stability, performance and installation quality (e.g. browser type, browser version, operating system used, HTTP status code).

Your personal data will be stored for this purpose for a maximum period of 14 days.

We use Google Tag Manager in accordance with § 25 Para. 1 TTDSG on the basis of your consent, Art. 6 Para. 1 (a) GDPR. In addition to accessing information on your device or reading information on your device in the context of Google Tag Manager, this also refers to the processing of your personal data for the purposes mentioned above.

You can revoke your consent at any time with future effect by adjusting your cookie settings here. Find more information about how cookies and similar technologies are used, as well as your revocation options, in the “Cookies and similar technologies” section above.

Google Analytics

If you agree, we use Google Analytics, a web analytics service of Google, to analyse the use of our website and, taking the information gained, to adjust it to the needs of our users. Google processes your personal data on our behalf (Art. 4 No. 8, 28 GDPR).

Google Analytics collects pseudonymous data from you about your use of our website based on the information generated by the cookies used. This includes, in particular, the number of visits you make to our website, how long you spend on our website and how you interact with our website (for example, if you searched for something or which pages you visited). Your usage behaviour can be tracked across multiple website visits using a unique user ID. In this regard, your geographical location (e.g. city) and data about your device (including model and screen resolution) are also collected. The information collected by the cookies about your use of this website is transmitted to a Google server within the European Union and is typically stored there. Your IP address is not stored by Google. Insofar as Google shares the information generated by the cookies about your use of our website within their business group, in particular with Google’s parent company, Google LLC, and with other third parties, your personal data may also be transferred to the U.S. and other third countries where there is no EU Commission decision that an adequate level of data protection is generally guaranteed. In this case, Google will use the standard contractual clauses approved by the EU Commission pursuant to Art. 46 Para.2 (c) GDPR.

In addition, Google LLC is also certified under the EU-U.S. Data Privacy Framework (find more information here). The EU-U.S. Data Privacy Framework is an adequacy decision by the EU Commission. According to this framework, an adequate level of data protection is guaranteed in the U.S. for personal data that is processed by companies certified under the EU-U.S. Data Privacy Framework. Further information can be found in Google's privacy policy.

Google uses this information to evaluate your use of the website for us, create reports on the use of our website and generate further analytics and evaluation regarding the use of our website and internet usage. Google can link this data with other data about you, such as your search history, personal account, usage data from other devices and other information about you that Google has saved. Google may also transfer this information to third parties (e.g. state authorities) if this is required by law or if third parties process this data on Google’s behalf.

The data which is sent by us and linked to cookies or user identification (e.g. user ID) is automatically deleted after 14 months; only aggregated statistics are kept.

Find more information about how Google uses your data in Google’s privacy policy. Pursuant to § 25 Para.1 TTDSG, the legal basis for setting and reading cookies is your consent, Art. 6 Para. 1 (a) GDPR. Your consent also applies to the subsequent processing of your personal data for the purposes mentioned above. You can revoke your consent at any time with effect for the future by adjusting your cookie settings here. Find more information on the use of cookies and similar technologies and your revocation options in the “Cookies and similar technologies” section above.

Meta Pixel

If you have given us your consent, we use the tracking pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”) for marketing and optimisation purposes, in particular to measure the reach and success of our advertisements on Facebook and Instagram in order to improve what we offer and to use advertisements and campaigns on Facebook and Instagram that are relevant for our users.

If you agree, your browser will automatically use this pixel to establish a direct connection to the Meta server and place cookies. This allows Meta to track your behaviour on our website after you have been redirected to our website by clicking on a Meta ad. Your usage behaviour is tracked across multiple website visits using a unique user ID, even if you visit the website using different devices. In this way, information is collected, for instance, about which links you clicked on our website, whether you signed up for our newsletter, took part in a specific promotion, or downloaded or shared certain content (so-called event data). In addition to cookie data, including the cookie ID and the technical connection information (including URL, referrer URL, IP address, device and browser features, timestamps and page views), the data collected about surfing behaviour is pseudonymous for us; that means we cannot directly identify you as a user. 

Using this event data as a basis, Meta creates aggregated evaluations and reports on our behalf (Art. 4 No. 8, 28 GDPR) on the reach and success of our Meta ads, as well as usage behaviour of our website and services. We use these evaluations and reports to improve our online advertising, for example by targeting advertisements by only showing certain Meta advertisements to users who have previously visited our website and are interested in our online content or users who have shown interest in certain topics.

In addition, we, together with Meta, are responsible for the collection of event data on our website and the subsequent transmission to Meta in the context of Meta Pixel. Find information about Meta as the (joint) controller and the contact details of Meta's data protection officer at https://www.facebook.com/about/privacy. There you can also learn about how Meta processes personal data, including the legal position that Meta takes.

We have entered into a joint responsibility agreement with Meta (which can be viewed at https://www.facebook.com/legal/controller_addendum) in which we (1) determine the responsibilities for fulfilling the GDPR obligations with regard to joint processing; (2) define that we are responsible for providing you with at least the information listed above; and (3) that, between the parties, Meta is responsible for enabling the rights of data subjects pursuant to Articles 15-20 GDPR regarding the personal data stored by Meta after joint processing.

Meta may share your data within the Meta group, in particular with the parent company Meta Platforms, Inc., or with other third parties. This may result in personal data being transferred to the USA and other third countries where there is no decision by the EU Commission that generally guarantees an adequate level of data protection in these third countries. According to Meta, standard contractual clauses approved by the EU Commission in accordance with Art. 46 Para. 2 (c) GDPR are used by Meta to ensure an adequate level of data protection for data transfer to the USA and other third countries where there is no adequacy decision by the EU Commission. In addition, Meta Platforms, Inc. is also certified under the EU-U.S. Data Privacy Framework (find more information here). The EU-U.S. Data Privacy Framework is an adequacy decision by the EU Commission. According to this framework, an adequate level of data protection is guaranteed in the U.S. for personal data that is processed by companies certified under the EU-U.S. Data Privacy Framework. For more information, please see Meta's privacy policy.

The data collected using Meta Pixel is stored by Meta for a period of 180 days. The data is then anonymised and encrypted. However, we only use event data for targeting purposes for a period of 90 days after the use of our website.

We use Meta Pixel in accordance with § 25 Para. 1 TTDSG on the basis of your consent, Art. 6 Para. 1 (a) GDPR. In addition to the placing and reading of cookies and information on your device in connection with Meta Pixel, this also refers to the processing of your personal data by us for the purposes mentioned above.

You can revoke your consent at any time with effect for the future by adjusting your cookie settings here. Find more information on the use of cookies and similar technologies and your revocation options in the “Cookies and similar technologies” section above.

LinkedIn Pixel (LinkedIn Ads)

If you have given your consent, we use LinkedIn Pixel and the associated targeting service (“LinkedIn Ads”) from LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2 Ireland (“LinkedIn”) on our website in order to measure the success of our advertisements on LinkedIn and to create targeted advertisements on LinkedIn.

With the help of this pixel, your browser automatically establishes a direct connection with the LinkedIn server and cookies are placed. This allows for certain data about your visit to our website, including the URL, referrer URL, IP address, device and browser features, timestamps and page views, to be collected, and your surfing behaviour to be tracked – e.g. which links you clicked on our website – after you are redirected to our website by clicking on a LinkedIn ad. This allows us to evaluate the effectiveness of our LinkedIn ads for statistical and market research purposes, and to improve future advertising campaigns on LinkedIn. In addition, we can also direct personalised and target-group-specific ads on LinkedIn to you using LinkedIn Pixel. Your usage behaviour is tracked across multiple website visits using a unique user ID, even if you visit the website with different devices. Based on this data, LinkedIn creates anonymous reports for us on the performance of advertisements, as well as reports on user behaviour on our website. The data collected is pseudonymous for us; this means we cannot draw any conclusions about the identity of a user. The data is, however, stored and processed by LinkedIn, so a connection can possibly be made to the respective user profile and LinkedIn can use the data for its own advertising purposes pursuant to the LinkedIn data privacy policy. This allows LinkedIn to place advertisements on LinkedIn pages, as well as outside of LinkedIn. 

The data collected with LinkedIn Pixel is encrypted by LinkedIn and anonymised within seven days. The anonymised data is deleted within 90 days.

LinkedIn may share your data within the LinkedIn group, in particular its parent company, LinkedIn Corporation, or with other third parties. This may result in data being transferred to the USA and other third countries where there is no decision by the EU Commission that an adequate level of data protection is generally guaranteed. According to LinkedIn, standard contractual clauses approved by the EU Commission in accordance with Art. 46 Para. 2 (c) GDPR are used by LinkedIn to ensure an adequate level of data protection for data transfer to the USA and other third countries where there is no adequacy decision by the EU Commission. Find more information in LinkedIn’s data privacy policy. There you will also find information on how LinkedIn processes your data. LinkedIn also provides information on how you can prevent data from being collected in the account settings of your LinkedIn account.

We use LinkedIn Pixel in accordance with § 25 Para. 1 TTDSG on the basis of your consent, Art. 6 Para. 1 (a) GDPR. In addition to the setting and reading of cookies and information on your device in connection with LinkedIn Pixel, this also refers to the processing of your personal data by us for the purposes mentioned above.

You can revoke your consent at any time with effect for the future by adjusting your cookie settings here. Find more information on the use of cookies and similar technologies and your revocation options in the “Cookies and similar technologies” section above.

Google Ads Conversion Tracking

If you have given your consent, we use Google Ads Conversion, a service of Google, to draw attention to our offers using advertising activities (“Google Ads”) on external websites. These advertising activities are delivered by Google via so-called ad servers. We can determine how successful individual advertising activities are in relation to the data we receive about the advertising campaigns. Based on this data, we can improve our advertising campaigns and show ads that are relevant and interesting to you and other users.

For this, Google Ads uses so-called tags with which we can define which of your interactions on our website should be tracked to measure the success of the advertising campaigns (conversions). Google Ads also uses cookies through which certain success-measuring parameters, such as the display of ads or clicks by users, can be measured. If you land on our website via a Google ad, Google Ads stores a cookie on your device. Typically, the unique cookie ID, the frequency of display of the respective advertisements (so-called ad impressions) per placement, the last ad impression (relevant for post-view conversions) and opt-out-information are stored on this cookie as analysis values. Your user behaviour is tracked across multiple website visits using the unique cookie ID, even if you visit the website using different devices. We receive campaign reports from Google that give us the total number of users who clicked on one of our ads and were redirected to a page that was given a conversion tracking tag. We do not receive any information with which we can personally identify you as a user.

Whilst using Google Ads Conversion, your data may be transferred within the Google group, in particular to their parent company, Google LLC, and to other third parties. This may result in personal data being transferred to the USA and other third countries where there is no decision by the EU Commission that an adequate level of data protection is generally guaranteed. In this case, Google shall use standard contractual clauses approved by the EU Commission in accordance with Art. 46 Para. 2 (c) GDPR. In addition, Google LLC is also certified under the EU-U.S. Data Privacy Framework (find more information here). The EU-U.S. Data Privacy Framework is an adequacy decision by the EU Commission. According to this framework, an adequate level of data protection is guaranteed in the U.S. for personal data that is processed by companies certified under the EU-U.S. Data Privacy Framework. Find more information, including information about how Google processes personal data, in Google’s privacy policy and in Google’s information about advertising and cookies.

This data is stored for a period of 90 days. 

We use Google Tags in accordance with § 25 Para. 1 TTDSG on the basis of your consent, Art. 6 Para. 1 (a) GDPR. In addition to the setting and reading of cookies and information on your device in connection with Google Tags, this also refers to the processing of your personal data by us for the purposes mentioned above.

You can revoke your consent at any time with effect for the future by adjusting your cookie settings here. Find more information on the use of cookies and similar technologies and your revocation options in the “Cookies and similar technologies” section above.

If you like, you can share content from our website on social networks using social plugins. We use a two-click solution: if you want to share content using such a plugin, you must first click on the icon of the appropriate social network. This click activates the plugin of the corresponding social network for the future. 
Only then will data be transmitted to the respective social network. This data may include:

• Date and time of your visit to the website 
• URL of the website you are on 
• URL of the website you visited before (“referrer”)
• Browser used
• Operating system used
• Your IP address

You can revoke your consent at any time with future effect by accessing the “Privacy settings” on the website. Revoking your consent will not affect the lawfulness of the processing carried out based on your consent before it was revoked.

If you are logged in to the social network in question whilst visiting our site, it cannot be ruled out that the provider will assign your visit to your account. If you use the plugin functions (e.g. clicking the “Like” button, leaving a comment), this information is also transmitted from your browser directly to the social network and, if necessary, stored there. You can find information on the purpose and scope of data collection, the further processing and how the data is used by the social network in their respective data privacy policy.

Our website includes content from third parties. This content is loaded from the servers of the respective providers, and thus your device sends certain technically necessary data to the third-party provider. Notably, it cannot be ruled out that these providers may record the IP address assigned to you. To the extent that personal data is processed, this is done by the respective third-party provider under their own responsibility. You can find more information on how these third parties process your personal data in their data privacy policies noted below.

We include this content based on our legitimate interest in being able to provide users with the corresponding content and functionalities, and in being able to operate our website profitably and on the fact that your legitimate interests do not outweigh this, Art. 6 Para. 1 (f) GDPR.

We include the following third-party content:

Google Maps

In order to activate Google Street View in our maps, we use Google Maps, a service for users in the EU by Google LLC (for other users, by Google LLC) for the display of maps. There is no EU Commission adequacy decision for the USA. Therefore, we have concluded with Google LLC the standard data protection clauses approved by the EU Commission in accordance with Article 46 Para. 2 (c) GDPR.
Find Google LLC’s privacy policy here.

YouTube

We incorporate videos from YouTube. YouTube is a service of Google LLC; for users from the EU, Google LLC. There is no EU Commission adequacy decision for the USA. Therefore, we have concluded with Google LLC the standard data protection clauses approved by the EU Commission in accordance with Article 46 Para. 2 (c) GDPR.

Find Google LLC’s privacy policy here.

Vimeo

We incorporate videos from Vimeo+. Vimeo is a service of Vimeo Inc., 555 West 18th Street New York, New York 10011, USA (“Vimeo”). There is no EU Commission adequacy decision for the USA. Therefore, we have concluded with Vimeo the standard data protection clauses approved by the EU Commission in accordance with Article 46 Para. 2 (c) GDPR.

Find Vimeo’s privacy policy here.

We operate pages and/or profiles on the following social media platforms: 
LinkedIn: https://www.linkedin.com/showcase/komoot-for-business

Find more information about how personal data is processed in connection with our pages and/or profiles on these social media platforms here.

We also process the same data that we collect for the purposes above for the following purposes:

• in the event of concrete indications of criminal offences, for criminal prosecution, to avert danger or legal prosecution,
• to provide evidence and assert, exercise or defend claims,
• for internal administrative purposes, to organise our operations and for financial accounting, and
• to comply with legal obligations.

This processing is carried out on the basis of our legitimate interest in maintaining our business activities, carrying out our duties, asserting, exercising or defending claims (Art. 6 Para. 1 (f) GDPR), or on the basis of a legal obligation pursuant to Art. 6 Para.1 (c) GDPR.

Provision of data

You are neither contractually nor legally obliged to provide your data. However, your personal data is necessary so that:

• we can provide our services relating to your partner profile and provide vouchers, and 
• you can participate in the komoot Academy.

If you do not provide your data, it is not possible to conclude a contract. In addition, your data is required:

• for you to use the functionalities of our website, 
• for you to subscribe to our newsletter,
• for us to receive and process enquiries, and
• for you to be able to use our social media community functions.

If it is necessary for you to provide your data, we will indicate this to you at the time you enter your data by marking it as a mandatory field. Providing additional data is voluntary. If data is required, failure to provide this data means that we cannot provide you with the functions and services mentioned above. In other cases, non-provision may have the result that we are not able to provide the relevant functions and services, or not be able to provide these functions and services to the standard extent.

Your data will only be passed on as described in this data privacy policy to the following extent:

• Personal data will be passed on to external consultants (e.g. lawyers), law enforcement authorities and, if necessary, to aggrieved third parties if it is necessary to investigate the illegal use of our website and services, or for legal prosecution. However, this shall only happen if there is concrete evidence of illegal or abusive behaviour. Data can also be transferred if it serves to assert, exercise or defend claims. We are legally obliged to provide information to certain public authorities upon request. These are law enforcement authorities, authorities that prosecute administrative offences that are subject to fines, and fiscal authorities.
  Furthermore, your personal data may also be passed on if we are subject to other claims from third parties which may involve information about your data.
  This data is transferred on the basis of our legitimate interest in countering abuse, prosecuting criminal offences and asserting, exercising or defending claims, Art. 6 Para. 1 (f) GDPR, or on the basis of compliance with a legal obligation pursuant to Art. 6 Para. 1 (c) GDPR.
• We use contractually bound third-party companies and external service providers, so-called processors (see Art. 4 No. 8, 28 GDPR), to provide services. In such cases, personal data is transferred to these processors to enable them to carry out further processing. These processors process personal data on our behalf and are strictly bound to our instructions.
• In addition to the processors already mentioned in this data privacy policy, we also use the following categories of processors:
  • IT service providers
  • Cloud service providers
  • Software providers
• As part of the administrative processes and organisation of our operations, financial accounting and compliance with legal obligations such as archiving, we disclose or transfer your data to fiscal authorities, consultants such as tax advisors or auditors, as well as other payment centres and payment service providers.
  This data is transferred on the basis of our legitimate interest in maintaining our business activities, carrying out our duties, asserting, exercising or defending claims, Art. 6 Para. 1 (f) GDPR, or on the basis of compliance with a legal obligation pursuant to Art. 6 Para. 1 (c) GDPR.
• As our business develops, the structure of our company may change through a change in legal form, or the foundation, acquisition or sale of subsidiaries, business units or components. In such transactions, user information is shared with the part of the business being transferred. Whenever we disclose personal data to third parties to the extent described above, we shall ensure that it is done in accordance with this privacy policy and the relevant data protection legislation.

The transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate structure to economic and legal circumstances, Art. 6 Para. 1 (f) GDPR.

We also process data in countries outside of the European Economic Area (EEA), so-called third countries, and/or transfer data to recipients in these third countries.
 
Please note that there is currently no adequacy decision from the EU Commission that these third countries generally provide an adequate level of data protection. If your personal data is transferred to recipients outside the European Economic Area beyond the cases described in this data privacy policy, we will only transfer your data to recipients in these third countries if one of the following conditions is met:

• There is an adequacy decision from the EU Commission in accordance with Art. 45 GDPR. On the EU Commission website, you can find a list of the so-called safe third countries that provide an adequate level of data protection and for which an EU Commission adequacy decision has been made.
• We have concluded standard data protection clauses approved by the EU Commission according to Art. 46 Para. 2 (c) GDPR.

You can request a copy of these standard contractual clauses, as well as information about the additional measures we have taken to ensure an adequate level of data protection, by contacting us using the contact details provided in the “Controller and contact information” section. You can use these contact details to contact us if you have any other questions about data transfer to third countries.

We do not use any automated processing processes to make decisions or profile.

Unless otherwise stated, we delete or anonymise your personal data as soon as it is no longer required for the purposes for which it was collected or used in accordance with the paragraphs above. As a general rule, we store your personal data for the duration of the user relationship or contractual relationship via the website and associated services, plus a period of 30 days during which backup copies are kept after deletion. For processing that we carry out based on your consent, your data will be deleted when you revoke your consent or earlier if the data is no longer required for the purpose for which it was collected.

Data will only be stored beyond the period specified in this data privacy policy if:

• We are obliged to do so for legal reasons, Art. 6 Para. 1 (c) GDPR. If we are legally obliged to keep it, we will store your data for the legally required period. Storage may be legally required resulting from the retention periods under the German Commercial Code or the Tax Code. The retention period under these regulations is usually between 6 and 10 years from the end of the year in which the relevant process was completed, e.g. the time at which your request was finally processed, or the partner profile contract has been terminated.
• The data is required to allow more time for criminal prosecution or to assert, exercise or defend legal claims. This is also our legitimate interest, Art. 6 Para. 1 (f) GDPR. It will then be stored until the respective case has been completed plus the statutory limitation period.

If data must be kept for legal reasons, processing will be restricted. The data is then no longer available for further use.

With regard to the processing of your personal data, you have the rights described below. To exercise your rights, you can submit a request by postal mail or e-mail to the contact information provided in the “Controller and contact information” section above.

Right to be informed

You have the right to receive information from us at any time upon request about the personal data we process that concerns you to the extent and under the conditions of Art. 15 GDPR and §34 Federal Data Protection Act (Bundestdatenschutzgesetzt, in German abbreviated to BDSG) (“BDSG”).

Right to rectification

You have the right to request that we immediately correct your personal data if it is incorrect or incomplete.

Right to erasure

You have the right to request the erasure of your personal data under the conditions described in Art. 17 GDPR and §35 BDSG. 

Right to restriction of processing

You have the right to request that we restrict processing according to Art. 18 GDPR. 

Right to data portability

You have the right to receive from us personal data concerning you that you have provided to us in a structured, common, machine-readable format according to Art. 20 GDPR, or to have it transferred to another controller.

Right to object

In accordance with Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based, among other things, on Art. 6 Para.1 (e) or (f) GDPR. We will stop processing your personal data unless we can provide compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

If we process personal data concerning you for direct advertising purposes, including profiling, you have the right to object to this processing. We will stop processing after your objection. 
Unless otherwise stated in this privacy policy, please contact us using the contact information provided in the “Controller and contact information” section above to exercise your right above.

Right of complaint

You have the right to contact a supervisory authority of your choice if you have any complaints.

Data processing when exercising your rights

Lastly, we would like to note that when you exercise your rights pursuant to Art. 7 Para 3. (1) GDPR and Articles 15-22 GDPR, we process the personal data you provide for the purpose of exercising these rights and to provide evidence of this and, if necessary, to defend legal claims. The processing of your data to fulfil your rights as a data subject is based on the legal basis of Art. 6 Para. 1 (c) GDPR in conjunction with Articles 15-22 GDPR and § 34 Para. 2 BDSG. Insofar as we process the personal data for the purposes of legal defence, this also lies in our legitimate interest, Art. 6 Para. 1 (f) GDPR. For the sake of completeness, we would like to note that your personal data connected to your request to exercise your rights will be stored for the duration of the regular limitation period of three years, starting with the end of the year in which we conclusively process your application, in order to fulfil legal documentation obligations under GDPR, in particular to prove that your request has been answered in a timely manner. The legal basis for storage is Art. 6 Para 1(f) GDPR. It is in our legitimate interest to provide and document the aforementioned proof.

This personal data shall be blocked and shall not be processed for other purposes unless its processing is necessary for asserting, exercising or defending legal claims. This is also in our legitimate interest, Art. 6 Para. 1 (f) GDPR.

You are neither contractually nor legally obliged to provide your personal data; however, pursuant to Art. 12 Para. 2 (2) GDPR, we can refuse to fulfil your request to exercise your rights as a data subject if you do not provide us the information necessary to clearly identify you, and in the event it has been requested.