Datenschutzerklärung

of the P-ick app

(hereinafter referred to as "Services")

As of: July 2025

Introduction

Privacy policies are often difficult to read. We understand that. And we want to do things differently. With our privacy policy, we want to provide you with an easy-to-understand explanation of how we process your personal data. To this end, we have structured our privacy policy clearly for you and show you for each topic area whether and how we process your personal data.

Table of contents

Our privacy policy is structured as follows

General information – Brief introduction to the subject matter of the privacy policy, the controller and the data protection officer
General information on data processing - Information on what personal data is, on what legal basis we process it or share it with third parties
Rights of data subjects - Information about your rights to, among other things, information, deletion or objection to our data processing
Information about the cookies and other technologies we use - Information about the use of cookies and other technologies with or through which we process your personal data
Data processing in connection with the use of our services - Information about our data processing in our services themselves, about registration and about individual functions
Communication services - Information about communication services and the corresponding processing of your personal data
Payment processing - Information on the processing of payments with the integration of payment service providers and the resulting processing of your personal data
Provision of our services - Information about our hosting service providers and the services they use
Tracking & Tools - Information about services we use to provide our services to you and to analyse the use of our services
Fan pages on social media - Information about our presence on social media networks and the corresponding processing of your personal data
Plug-ins in our services – information about plug-ins from other platforms available in our services and the resulting processing of your personal data
Share function - Information about options for sharing content directly from our services on social media networks

1. General

The protection of your personal data and your privacy is extremely important to us. That is why we want to offer you comprehensive transparency regarding the processing of your personal data (GDPR) and the storage of information on your device (TDDDG). Only if the processing of personal data and information is comprehensible to you as the data subject can you be adequately informed about the scope, purposes and benefits of the processing.

This privacy policy applies to all processing of personal data carried out by us and to the storage of information on your end devices. It therefore applies both in the context of the provision of our services and within external online presences, such as our social media fan pages.

The controller within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other data protection regulations is

P-ick UG (limited liability)

Rutschbahn 33

20146 Hamburg

+49 (0)176-36 29 85 94

[email protected]

Hereinafter referred to as "controller" or "we".

2. General information on data processing

First of all, we would like to provide you with some introductory information about what the protection of your personal data means, what personal data is, how we process it and what security measures we take to do so.

2.1 Processing of personal data

Personal data (hereinafter also referred to as "data") is individual information about the personal or factual circumstances of an identified or identifiable natural person.

Individual details about personal or factual circumstances are, for example:

Personal data - name, age, marital status, date of birth
Communication data - address, telephone number, email address
Account data - account number, credit card number
Geodata - IP address & location data
Health data – state of health, illnesses

The "processing" of personal data includes, for example, the following measures

Collection - The collection of your data via contact forms, by email or through processes and services used by us
Transfer – the transfer of your data to our service providers, integrated services or other third parties
Storage – The storage of your data in our databases or on our servers
Deletion – the deletion of your data when we no longer have the right to process it

2.2 Legal basis for the processing of your personal data

We only process personal data within the limits permitted by law. We are required to do so by law, in particular by the GDPR. This means that we are obliged to always be able to base data processing operations on a legal basis. These legal bases are standardised in Art. 6 (1) GDPR. Here we list the most common legal bases on which we process your personal data.

Consent – Art. 6(1)(a) GDPR: Your data will only be processed if you have consented to this processing after we have provided you with sufficient information about its scope and purpose.
For the performance of a contract - Art. 6 para. 1 lit. b: Your data will only be processed if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures.
Legitimate interest - Art. 6 para. 1 lit. f GDPR: Your data will only be processed if this is necessary to safeguard a legitimate interest on our part and if your interests or fundamental rights and freedoms, including the protection of your data, do not prevail.

We only process personal data for specific purposes (Art. 5 para. 1 lit. b GDPR). As soon as the purpose of processing no longer applies, your personal data will be deleted or protected by technical and organisational measures (e.g. pseudonymisation).

The same applies to the expiry of a prescribed storage period, except in cases where further storage is necessary for the conclusion or fulfilment of a contract. In addition, there may be a legal obligation to store data for a longer period or to pass it on to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected, as well as the type of data processing, depend on which functions you use in each individual case. We will be happy to provide you with information on this in individual cases in accordance with Art. 15 GDPR.

2.3 We process the following categories of data

Data categories include the following data in particular:

Master data (e.g. names, addresses, dates of birth),
Contact details (e.g. email addresses, telephone numbers, messenger services),
Content data (e.g. text entries, photographs, videos, contents of documents/files),
Contract data (e.g. subject matter of the contract, terms, customer category),
Payment data (e.g. bank details, payment history, use of other payment service providers),
Usage data (e.g. history of our services, use of certain content, access times),
Connection data (e.g. device information, IP addresses, URL referrers).

2.4 We take these security measures

In accordance with legal requirements and taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to your rights and freedoms, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring that your data is stored and processed in a confidential and secure manner and is available at all times. Furthermore, the security measures we implement include controls on access to your data, as well as on access, input, transfer, availability and separation from data of other natural persons. Furthermore, we have established procedures to ensure that data subjects can exercise their rights (see section 5), that data is deleted and that we respond to any threats to your data. We also take the protection of personal data into account when developing our software and through procedures that comply with the principle of data protection by design and through data protection-friendly default settings.

2.5 How we transfer or disclose personal data to third parties

As part of our processing of your personal data, this data may be transferred or disclosed to other entities, companies, legally independent organisational units or persons. These third parties may include, for example, payment institutions in connection with payment transactions, service providers commissioned with IT tasks or providers of services and content that we have integrated into our services. If we transfer or disclose your personal data to third parties, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure that your data is protected.

2.6 How data is transferred to third countries

If this privacy policy states that we transfer your personal data to a third country, i.e. a country outside the EU or outside the EEA, the following applies. A transfer to a third country will only take place in accordance with the legal requirements. We assure you that we have contractual or legal authorisation to transfer and process your data in the third country in question. Furthermore, we only allow your data to be processed by service providers in third countries who, in our opinion, have a recognised level of data protection. This means that there is an appropriate level of protection between the EU and the country to which we transfer your personal data, e.g. an adequacy decision. An "adequacy decision" is a decision adopted by the European Commission pursuant to Art. 45 GDPR, which determines that a third country (i.e. a country not bound by the GDPR) or an international organisation provides an adequate level of protection for personal data. Alternatively, for example if there is no adequacy decision, a transfer to a third country will only take place if, for example, contractual obligations between us and the service provider in the third country exist in the form of so-called standard contractual clauses of the EU Commission and further technical security measures have been taken to ensure a level of protection equivalent to that in the EU or the service provider in the third country has data protectioncertification and your data is only processed in accordance with internal data protection regulations (Articles 44 to 49 GDPR. Information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Within the framework of the so-called "Data Privacy Framework" ("DPF"), the EU Commission has recognised the level of data protection for certain companies from the USA as adequate within the framework of the adequacy decision of 10 July 2023. A list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In this privacy policy, we inform you which services we use that are certified under the Data Privacy Framework.

2.7 Deletion of data

The data we process will be deleted in accordance with legal requirements as soon as the consent for processing is revoked or other permissions expire (e.g. if the purpose for processing this data no longer applies or it is no longer necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

Within the scope of this privacy policy, we will inform you, where applicable, about the deletion and storage of data that applies specifically to the respective processing process.

2.8 Storage of and access to data on your end device

Unless we obtain your consent, the storage of or access to information on your end device will be carried out in accordance with Section 25 (2) No. 2 of the German Act on Data Protection and Privacy in Telecommunications and Digital Services (TDDDG), as the storage of and access to this information is absolutely necessary to provide the desired functions of our services. If we obtain your consent, the legal basis is Section 25 (1) TDDDG. Our services use cookies, tokens, beacons or other technologies that may be stored on your end devices and without which the provision of our services would not be possible.

Cookies, tokens, beacons or other technologies are usually text files that are stored on your end device and can be read by us and third parties when you access our services. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier for the technology used. It consists of a string of characters that can be used to assign websites and servers to the specific Internet browser or the specific service or device used in which cookies, tokens, beacons or other technologies have been stored. This enables website operators and analysis services to identify you as a user and distinguish you from others.

2.9 Order processing

If we use external service providers to process your data, we will select and commission them with care. If the services provided by these service providers constitute order processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our order processing agreements comply with the strict requirements of Art. 28 GDPR and the guidelines of the German data protection authorities.

Requests, issues, and suggestions

If you find an accessibility issue on the site, or if you require further assistance, you are welcome to contact us through the organization's accessibility coordinator:

[Name of the accessibility coordinator]
[Telephone number of the accessibility coordinator]
[Email address of the accessibility coordinator]
[Enter any additional contact details if relevant / available]

3. Rights of data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and, as a user, you have the following rights vis-à-vis the controller:

3.1 Right to information

You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you may request the following information from the controller:

the purposes for which the personal data is processed;
the categories of personal data that are processed;
the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;
the existence of a right to rectify or erase personal data concerning you, a right to restrict processing by the controller or a right to object to such processing;
the existence of a right to lodge a complaint with a supervisory authority;
all available information on the origin of the data if the personal data is not collected from the data subject;
the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to rectification

You have the right to obtain from the controller the rectification and/or completion of personal data concerning you if the personal data processed is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

3.3 Right to restriction of processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

if you dispute the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead;
the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercising or defence of legal claims; or
if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may – apart from its storage – only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

3.4 Right to erasure

3.4.1. You may request that the controller delete your personal data immediately, and the controller is obliged to delete this data immediately if one of the following reasons applies:

The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
You withdraw your consent on which the processing is based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
The personal data concerning you has been processed unlawfully.
The erasure of personal data concerning you is necessary for compliance with a legal obligation to which the controller is subject under Union law or the law of the Member States.
The personal data concerning you has been collected in relation to the services offered by information society services in accordance with Art. 8 para. 1 GDPR.

3.4.2. If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller shall take reasonable steps, including technical measures, to inform the controllers to whom the personal data has been disclosed, taking account of the available technology and the implementation costs, to ensure that the personal data is no longer processed and that the personal data is erased. that you, as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.

3.4.3. The right to erasure does not apply if processing is necessary

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing in accordance with Union law or the law of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
for the establishment, exercising or defence of legal claims.

3.5 Right to information

If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to obtain information about these recipients from the controller.

3.6 Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to object

You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

In connection with the use of information society services, you have the option, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

3.8 Right to revoke your consent to data protection

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The processing is lawful until you withdraw your consent – the withdrawal therefore only takes effect on the processing after receipt of your withdrawal. You can declare your withdrawal informally by post or email. Your personal data will then no longer be processed, unless permitted by another legal basis. If this is not the case, your data must be deleted immediately after revocation in accordance with Art. 17 (2) GDPR. Your right to revoke your consent subject to the above conditions is guaranteed.

Your revocation should be sent to:

P-ick UG (limited liability)

Rutschbahn 33

20146 Hamburg

+49 (0)176-36 29 85 94

[email protected]

3.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated individual decision-making, including profiling

Automated decisions in individual cases, including profiling, do not take place.

3.11 Notification obligations of the controller

If your personal data has been disclosed to other recipients (third parties) on legal grounds, we will inform them of any rectification, erasure or restriction of the processing of your personal data (Art. 16, Art. 17(1) and Art. 18 GDPR). The obligation to notify does not apply if it involves disproportionate effort or is impossible. We will also inform you of the recipients upon request.

4. Information about the cookies and other technologies we use

We use cookies, beacons or other technologies to provide and evaluate our services and to use the evaluated data for marketing purposes. Cookies are small text files that contain data from websites or domains you have visited and are stored on your device (computer, tablet or smartphone). When you access a website, the cookie stored on your device sends information to the party who placed the cookie.

4.1 How we use cookies and other technologies

We want you to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly necessary for the technical characteristics of the Services. Therefore, if we use cookies and other technologies that require your consent, we allow you to choose which cookies and other technologies you accept when you first visit our Services and then permanently in the corresponding settings. In this context, functional cookies and other technologies are always required for visiting our services and are therefore already enabled in our default settings. Statistics and marketing cookies and other technologies are optional. You can allow them by consenting to the use of these cookies and other technologies in the consent banner. Alternatively, you can reject statistics and marketing cookies and other technologies.

4.2 Storage duration of cookies and other technologies

Unless we provide you with explicit information about the storage period of cookies and other technologies (e.g. in the consent banner), you can assume that the storage period may be up to two years. If cookies and other technologies have been set on the basis of your consent, you have the option of revoking your consent at any time or objecting to the processing of your data by cookies/technologies (collectively referred to as "opt-out").

4.3 Types of cookies and other technologies

We distinguish between

Functional cookies/technologies: These are necessary for the basic technical functions of the services. They enable, for example, secure login and the storage of progress during order processes. They also enable us, for example, to store your login details, the contents of your shopping basket and the uniform presentation of page content.
Statistical cookies/technologies: These enable us to analyse the services so that we can measure and improve their performance. You can change your personal settings for statistics by clicking on the corresponding opt-out link.
Marketing cookies/technologies: We use these to provide you with advertising that may be relevant to your interests. They enable, for example, the sharing of pages via social networks and the writing of comments. Offers that may be of interest to you are also displayed. You can change your personal settings in marketing by clicking on the corresponding opt-out link.

4.4 Consent management

We use NAME OF TOOL as a consent management tool ("consent tool") as part of the tracking and analysis activities in our services. NAME OF TOOL collects log file and consent data using JavaScript. This JavaScript enables us to inform you about your consent to certain tags in our services and to obtain, manage and document this consent.

We process the following data: (1) Consent data or consent information (anonymised logbook data (consent ID, processor ID, controller ID), consent status, timestamp), (2) Device data or data of the devices used (including truncated IP addresses (IP v4, IP v6), device information, timestamp), (3) User data or user data (including email, ID, browser information, setting IDs, changelog). The Consent ID (containing the above data) and the consent status, including the timestamp, are stored in your browser's local memory and simultaneously on the cloud servers we use. Further processing only takes place if you submit a request for information or revoke your consent. The legal basis for processing personal data using the consent tool in accordance with the provisions set out here results from our legitimate interest and from the fulfilment of legal requirements, and thus from Art. 6 para. 1 lit. f and c GDPR. By using the consent tool, we aim to comply with legal requirements regarding data protection and tracking, and thus to ensure that our information technology systems function in a manner that is both legally compliant and user-centric.

5. Data processing in connection with the use of our services

The use of our services with all their functions involves the processing of personal data. We explain exactly how this happens here.

5.1 Registration

In order to use our services, you must register and create a user account. In doing so, we process master data and contact details such as first name, last name, date of birth, email address, password (encrypted) and, optionally, telephone number. For users under the age of 18, we also process the email address of a parent or legal guardian for the purpose of providing information about interactions on our services. In addition, we automatically process connection data such as the date, device information and IP address. After registering, you have the option of using our services in either the free version or the paid version, depending on your user group. Our services allow you to select various services and access the content they contain. This use of our services may require the processing of personal data and information in the manner described in this section 5.

Some processing steps may also be carried out by third-party providers. Data processing by third-party providers is carried out in accordance with the terms and conditions of the relevant privacy policies. In the event of data processing with third-party providers, this may constitute order processing within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with in the course of our contractual agreements with our order processors.

The use during or after registration and login and the associated data processing operations may differ from purely informational use. The collection of this data associated with your profile is carried out for the purpose of verifying your status and the associated fulfilment of our contractual obligations towards you. These are legitimate purposes in accordance with Art. 6 para. 1 lit. b GDPR. If your consent is required for the processing operation, we will obtain it at the appropriate point (e.g. via the opt-in option in a consent banner when you first use our service). If you have any further questions, we will be happy to assist you in accordance with your right to information under Art. 15 para. 1 GDPR.

5.2 Further information about the user account

After registering and logging in to our services, you have the option, depending on your user group, to voluntarily provide further information about yourself and your personal data. If you are a P-icker, this information may include your interests, skills, location (district or postcode), your language skills, education and career aspirations. If you are a P-rof, this information includes your contact person, field of activity and job description. We process this data in order to complete your user account. The use of the aforementioned functions is an essential part of our services, therefore the processing of your data serves the purpose of contract fulfilment and is thus necessary in accordance with Art. 6 para. 1 lit. b GDPR.

5.3 Sign-on, single sign-on and social login

In order to use some or all of our services, you must first register if this is necessary for use. We will then create a user profile to which the specific information you have provided can be assigned. There are various options available for registration. You can register with your email address, use the single sign-on or social login procedure.

Registration with your email address

When you register with your email address, an individual ID is first generated for your device and stored together with your IP address and, in the case of email registration, your email address and password.

Registration with single sign-on or social login

If you use the single sign-on or social login procedure, you can conveniently log in with your Google or TikTok account. During this procedure, an individual ID is first generated for your device and stored together with your IP address. In the next step, your login name and password are transferred to the third-party provider you have selected. This informs the third-party provider that you are using our services and allows them to assign this information to your user profile there. After verification, we receive a token together with your login name, which confirms that you have an account with the respective third-party provider with the specified access data. In addition, the third-party providers transmit further basic information about your user profile there. We have no influence on whether and what information is transmitted to us. You can obtain further information from the respective third-party providers:

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland:

https://policies.google.com/privacy?hl=de.

tiktok technology limited 10 earlsfort terrace, dublin d02 t380 Ireland:

https://www.tiktok.com/legal/privacy-policy?lang=de-DE.

5.4 Functions of our services

Depending on your registration, you will have access to the functions of our services listed below. We provide you with all of the functions listed below so that you can take full advantage of our services, depending on the model you have booked, and so that we can achieve the best results for you in our collaboration. We only pass on the data you enter to authorised third parties and process it for the purpose of fulfilling the contractual relationships entered into with you, in particular for the fulfilment of the usage agreement you have concluded by using our services. Therefore, the legal basis for the processing of your data is Art. 6 para. 1 lit. b GDPR. If you are under the age of 16, our data processing in connection with the provision of the functions in our services is based on the consent of your legal guardians, i.e. on Art. 6 para. 1 lit. a in conjunction with Art. 8 para. 1 sentence 2 GDPR.

5.4.1 Swiping & Matching

You have the option of swiping the positions advertised by P-rofs (hereinafter also referred to as "positions") with various job descriptions, company descriptions and questions of interest one after the other to the left (not interesting) or to the right (interesting). The categories of data processed in this context include master data, usage data, content data and connection data. Your swipe decisions based on your profile are stored in your profile, which enables us to determine a personal interest profile for you using a tag system on the job cards. Based on your personal interest profile, we can make suitable suggestions for companies or jobs. We also store suitable positions for you as "matches" in our systems. In the event of a match, you have the option of contacting the P-rof behind the position and sharing your interest and the profile content you have approved with the P-rof. See "Application function" below for more information.

5.4.2 Application function

You have the option of submitting an application including your profile details together with a short optional application text to a P-rof via our services. We will forward your application directly to the relevant P-rof. The P-rof you contact in this way is independent and solely responsible for all processes and procedures relating to your application. The legal basis for the processing of your data by the P-rof within the scope of applicant management, unless otherwise stated to you, is based on Art. 88 (1) GDPR in conjunction with § 26 (1) sentence 1 BDSG. We ourselves will delete all data that we have processed in connection with the use of the application function within 6 months of forwarding your application to the P-rof, unless you have given your consent for further use.

5.5 Chat and messaging system

Our services give you the opportunity to contact other users via integrated chat and message functions, to exchange information and, if necessary, to initiate and conclude contracts. The categories of data processed in this context are master data, contact data and, where applicable, content data, contract data and payment data. We transfer this data to the person you have contacted to the extent that you yourself authorise the transfer of data or integrate this data into your messages yourself. In addition, we receive information about the time and the parties involved in a contact via our chat and message functions. Furthermore, the personal data you provide is transmitted to us by your end device and stored in our information technology systems. Your IP address and the time of registration are also stored.

The processing operations associated with the use of our chat and messaging systems serve the purpose of assigning usage processes and enable you to access the entire range of our services. The use of the chat and message functions is an essential part of our services, therefore the processing of your data serves the purpose of contract execution and is thus purpose-bound and necessary in accordance with Art. 6 para. 1 lit. b GDPR.

The storage of your IP address and the time of use of our chat and message functions is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why the processing is also lawful under Art. 6 para. 1 lit. f GDPR.

The personal data you enter will be stored until you delete your profile with us, and beyond that only for as long as processing is necessary for the fulfilment of any contract. We do not intend to pass on your data to other third parties.

6. Communication services

6.1 Contact form / Contact by email

We process the personal data you provide us with when contacting us for the purpose of responding to your enquiry, your email or your callback request. The categories of data processed are master data, contact data, content data, usage data (if applicable), connection data and contract data (if applicable). In individual cases, we forward this data to affiliated companies or third parties who are permitted to process this data for the purpose of processing orders and bookings in accordance with the agreement. The legal basis for processing is determined by the purpose of the contact. By submitting your enquiry via the contact form or by contacting us by email, you declare that you wish to receive answers or information on specific topics. You also provide your data for this purpose. We will respond to your enquiry as requested and process your data for this purpose. The legal basis for the processing of your data is therefore Art. 6 para. 1 lit. b GDPR, as we process it to respond to your enquiry and thus to fulfil the contract.

6.3 Applicant management

We process the personal data you provide us with during the application process (e.g. via the relevant contact/application form in our services) for the purpose of processing your application and carrying out the application process. At your request, we will also consider your application for future application processes. The categories of data processed in this context are master data, contact data, content data, usage data (not for postal applications), connection data (not for postal applications) and contract data. In the case of unsuccessful applications, we will delete your data within 3 months of the rejection. In the case of successful applications, we will transfer your data to our systems, e.g. to the personnel file. The legal basis for processing your data in the context of applicant management is based on Art. 88 (1) GDPR in conjunction with § 26 (1) sentence 1 BDSG. The legal basis for applying to subsidiaries and for storing your data for future application processes is Art. 6 para. 1 lit. a GDPR in conjunction with Art. 7 GDPR, Section 26 para. 2 BDSG; Art. 6 para. 1 lit. f GDPR.

7. Payment processing

We offer various payment methods for processing payment claims. For this purpose, we use the payment service providers described below. We do this for the purpose of providing our services properly and in accordance with your needs. In this context, the data processed includes usage data, connection data, master data, payment data, contact data or contract data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient-related information. This information is necessary to carry out the transactions. The data entered is only processed and stored by the payment service providers. We do not receive any account or credit card information, but only information about the confirmation or rejection of the payment. Under certain circumstances, your data may be transferred by the payment service providers to credit agencies. The purpose of this transfer is to verify your identity and creditworthiness. In this regard, we refer you to the terms and conditions and privacy policy of the payment service providers. The legal basis for the use of payment service providers is Art. 6 (1) lit. b GDPR. We can only provide the services promised to you with our services and thus fulfil our contractual obligations if we use third parties, such as payment service providers, , to process payment transactions. If a payment service provider transfers data to a third country (e.g. the USA), this will only happen in individual cases, on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other security measures permitted by the GDPR, which ensure the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Stripe

If you choose a payment method from the payment service provider Stripe, payment processing will be handled by the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will forward the information you provided during the ordering process together with the information about your order (name, address, account number, bank code, credit card number, if applicable, invoice amount, currency and transaction number) in accordance with Art. 6 para. 1 lit. b GDPR. Further information on Stripe's data protection can be found at https://stripe.com/de/privacy#translation.

Stripe reserves the right to carry out a credit check based on mathematical-statistical methods in order to protect its legitimate interest in determining the user's solvency. Stripe may transfer the personal data necessary for a credit check and obtained in the course of payment processing to selected credit agencies, which Stripe will disclose to users upon request. The credit report may contain probability values (so-called score values). Insofar as score values are included in the credit report, these are based on a scientifically recognised mathematical-statistical method. Address data, among other things, but not exclusively, are included in the calculation of the score values. Stripe uses the result of the credit assessment in relation to the statistical probability of default to decide whether you can use the selected payment method.

You can object to this processing of your data at any time by sending a message to Stripe or the credit agencies commissioned.

However, Stripe may still be entitled to process your personal data if this is necessary for the contractual payment processing.

8. Hosting

8.1 Provision of our services

In order to provide you with our services, we use the services of a hosting provider. Our services are accessed from the servers of this hosting provider. For these purposes, we use the infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services of the web hosting provider.

The data processed includes all data that you enter during your use and communication in connection with your visit to our services or that is collected from you in this context (e.g. your IP address). Our legal basis for using a hosting provider to provide our services is Art. 6 para. 1 lit. f GDPR (legitimate interest).

8.3 Collection of access data and log files

We ourselves (or our hosting provider) collect data on every access to the server (server log files). The server log files may include the address and name of the services and files accessed, the date and time of access, the amount of data transferred, notification of successful access, the type of device and version, your operating system, the referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g. to prevent server overload (especially in the event of malicious attacks, known as DDoS attacks) and to ensure server utilisation and stability. Our legal basis for using a hosting provider to collect access data and log files is Art. 6 para. 1 lit. f GDPR (legitimate interest).

9. Tracking & Tools

In order to ensure smooth technical operation and optimal user-friendly use of our services, we use the following services:

Google Analytics

We use Google Analytics for statistical analysis of your use of our services. We collect your IP address before it is anonymised by Google prior to permanent storage on their servers. Google Analytics enables us to understand how you use our services and how we can improve and develop them accordingly. For example, Google Analytics shows which content you click on or visit repeatedly. The data processed is usage data and connection data. The recipient of the data is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (as joint controller, Art. 26 GDPR). Should Google transfer this data to a third country (e.g. the USA), this will only happen in individual cases, on the basis of a data processing agreement concluded with Google and in accordance with standard contractual clauses agreed with Google and other security measures permitted by the GDPR, which ensure the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). The legal basis for the use of Google Analytics is your consent (e.g. via an opt-in in the consent banner), provided that you have given us this consent during your visit to our services, and therefore results from Art. 6 para. 1 lit. a GDPR. Based on your consent, cookies, so-called "beacons" or similar (text) files are stored on your device and personal data is read from them. If you have not given us your consent to use Google Analytics (no opt-in in the consent banner or revocation of your consent), we will not (or no longer) use Google Analytics in connection with your visits to our services.

10. Fan pages on social media websites

We maintain fan pages on the websites of social networks on the Internet and process personal data in this context in order to communicate with users active there or to provide information about us. We would like to point out that your data may be processed outside the European Union when you visit our fan pages. The operators of the respective social networks are responsible for this. A detailed description of the respective forms of processing and the options for objection (e.g. opt-out) can be found in the privacy policies of the operators of the respective social networks.

Instagram

We operate a so-called Instagram fan page for our company on Instagram. When you visit the Instagram fan page, Meta may analyse your usage behaviour and share the information obtained with us ("Insights"). The page insights are used for the purposes of economic optimisation and the needs-based design of our website/services. The categories of data processed may include master data, contact data, content data, usage data and connection data. The recipient of the data is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 para. 1 lit. f GDPR.

Meta is responsible for implementing your data subject rights. Meta provides information about your data subject rights at: https://privacycenter.instagram.com/policy. You can also assert your rights against us, and we will forward your request to Meta immediately.

TikTok

We operate a TikTok fan page for our company on TikTok. When you visit the TikTok fan page, TikTok may evaluate your usage behaviour and share the information obtained with us. The information is used for the purposes of economic optimisation and the needs-based design of our website/services. The categories of data processed may include master data, contact data, content data, usage data and connection data. The recipient of the data is tiktok technology limited 10 earlsfort terrace, dublin d02 t380 Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 para. 1 lit. f GDPR.

TikTok is responsible for implementing your data subject rights. TikTok provides information about your data subject rights at: https://www.tiktok.com/legal/privacy-policy?lang=de-DE. You can also assert your rights against us, and we will forward your request to TikTok immediately.

We operate a LinkedIn fan page for our company on LinkedIn. When you visit and use the LinkedIn fan page, LinkedIn may evaluate your usage behaviour and share the information obtained with us. This information is used for the purposes of economic optimisation and the needs-based design of our website/services. The categories of data processed are master data, contact data, content data, usage data and connection data. The recipient of the data is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 para. 1 lit. f GDPR.

LinkedIn is responsible for implementing your rights as a data subject. LinkedIn provides information about your rights as a data subject at: https://de.linkedin.com/legal/privacy-policy. You can also assert your rights against us, and we will forward your request to LinkedIn immediately.

YouTube

We operate a channel on YouTube for our company. When you visit and use our YouTube channel, Google may analyse your usage behaviour and share the information obtained with us. This information is used for the purposes of economic optimisation and the needs-based design of our website. The categories of data processed are master data, contact data, content data, usage data and connection data. The recipient of the data is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 para. 1 lit. f GDPR.

YouTube is responsible for implementing your data subject rights. YouTube provides information about your data subject rights at: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines. You can also assert your rights against us, and we will forward your request to YouTube immediately.

11. Plug-ins in our services

We integrate content such as videos, buttons, social media icons, etc. from social networks and other websites into our services via plug-ins. The integration always works in such a way that the social networks learn and process your IP address via these plug-ins. The IP address is necessary for the display of the plug-in content, as it is required so that the social networks whose plug-ins we have integrated can send information to your browser. Some social networks use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags enable information such as visitor traffic on our services to be analysed. Further information may also be stored in cookies on your device and may include technical information about your browser and operating system, the time of your visit to our services and other information about your use of our services, and may be linked to information from other sources.

Integration of YouTube videos

We use YouTube to embed videos via the YouTube video plugin for the purpose of personalising our services. By embedding videos via the YouTube video plugin, Google can analyse your usage behaviour on our services. The categories of data processed are usage data and connection data. The recipient of the data is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. If Google transfers this data to a third country (e.g. the USA), this will only happen in individual cases, on the basis of a data processing agreement concluded with Google and in accordance with standard contractual clauses agreed with Google and other security measures permitted by the GDPR, which ensure the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). The legal basis for the use of YouTube is your consent (e.g. via an opt-in in the consent banner), provided that you have given us this consent during your visit to our services, and therefore results from Art. 6 para. 1 lit. a GDPR. Based on your consent, cookies, so-called "beacons" or similar (text) files are stored on your end device and personal data is read out. If you have not given us your consent to use YouTube (no opt-in in the consent banner or revocation of your consent), we will not (or no longer) use YouTube within the scope of your visits to our services.

12. Sharing function in our services

In our services, we offer you the option of sharing generated images directly on your own profiles on various social networks. Sharing always works in such a way that when you click on "Share", the social networks learn your IP address and process it via corresponding plug-ins. The social networks thus immediately learn that you were previously on our services. Some social networks use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on our services to be evaluated. You can give or refuse your consent to this when using the "Share" function for social networks. Further information may also be stored in cookies on your device and may include technical information about your browser and operating system, the time of your visit to our services, and other information about your use of our services, which may be linked to information from other sources. The categories of data processed here are master data, contact data, content data, usage data, and connection data. The recipients of the data are the respective operators of the social networks. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 para. 1 lit. f GDPR. The operators of the social networks are responsible for implementing your rights as a data subject. Please inform yourself there about your rights.

We have integrated corresponding "share" links into our services for the following social networks.

Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta is responsible for implementing your data subject rights. Meta provides information about your data subject rights at: https://privacycenter.instagram.com/policy.

TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380, Ireland. TikTok is responsible for implementing your data subject rights. TikTok provides information about your data subject rights at: https://www.tiktok.com/legal/privacy-policy?lang=de-DE.

LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn is responsible for implementing your rights as a data subject. LinkedIn provides information about your rights as a data subject at: https://de.linkedin.com/legal/privacy-policy.

YouTube: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland. Google is responsible for implementing your rights as a data subject. Google provides information about your rights as a data subject at: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines.

With the kind support of

https://www.derstartupanwalt.de/