Ratepay Data Privacy Statement
2. Contact person
The contact person and so-called person responsible for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is
– Data protection –
If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. Our data protection officer can be reached as follows:
ISiCO Data Protection GmbH
– Data Protection Officer Ratepay –
Am Hamburger Bahnhof 4
3. Data processing on our website
3.1 Access to our website / access data
Whenever you use our website, we collect access data that your browser automatically transmits to enable you to visit the website. The access data includes in particular:
- IP address of the requesting device,
- Date and time of the request,
- Address of the website called up and the requesting website,
- Information about the browser and operating system used,
- Online identifiers (e.g. device identifiers, session IDs).
The processing of this access data is strictly necessary to enable you to visit the website, to ensure the permanent functionality and security of our systems and for general administrative maintenance of our website. For the purposes described above, the access data is also temporarily stored in internal log files in order to find the cause and take action in the event of repeated or criminal requests that threaten the stability and security of our website. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, if the page visit occurs in connection with the initiation or performance of a contract, and otherwise Art. 6 para. 1 sentence 1 lit. f GDPR due to our legitimate interest in enabling the website visit as well as the permanent functionality and security of our systems.
3.2 Ratepay portals
3.2.1 Ratepay merchant portal
You have the possibility to register for our merchant portal if you as a merchant offer Ratepay payment methods. The registration information for the merchant portal is provided by Ratepay. Further information about the merchant portal of Ratepay can be found here [https://Ratepay.gitbook.io/legal/terms/interfaces/en]. Legal basis of the processing is Art. 6 para. 1 lit. b GDPR.
3.2.2 Ratepay buyer portal
3.3 Establishing contact
You have the possibility to get in contact with us via a contact form. In this context we process data exclusively for the purpose of communicating with you. The legal basis is Art. 6 para. 1 lit. b GDPR, as far as the information is required for the initiation or execution of a contract. Otherwise, your data will be processed on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests consist of communication with users and the processing of customer enquiries. The data collected by us when using the contact form will be automatically deleted after your enquiry has been completely processed, unless we still need your enquiry to fulfil contractual or legal obligations (see section “Storage period”). In addition, you will receive information about attractive payment solutions from our partners (Nets A/S, Denmark, www.nets.eu), provided you have consented to this, Art. 6 para. 1 lit. a GDPR.
3.4.1 You have the option of subscribing to our newsletter, in which we regularly inform you about innovations to our products and promotions. To send our newsletter, we use Cleverreach, a service of CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (“Cleverreach”).
3.4.2 For ordering our newsletters, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you are the owner of the e-mail address provided. If you confirm your e-mail address, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage is solely for the purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. Your data for the newsletter dispatch will be deleted within one month after the end of the newsletter receipt, provided that the deletion does not conflict with any legal retention obligations. We use standard market technologies in our newsletters to measure interactions with the newsletters (e.g. opening of the e-mail, links clicked on). We use this data in pseudonymous form for general statistical evaluations and to optimise and further develop our content and customer communication. This is done with the help of small graphics embedded in the newsletter (so-called pixels). The data is collected exclusively in pseudonymised form and is not linked to your other personal data. The legal basis for the processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR.
3.4.3 We want to share content that is as relevant as possible for our customers via our newsletter and better understand what readers are actually interested in. If you do not want the analysis of usage behaviour, you can unsubscribe from the newsletters or deactivate graphics in your email programme by default. The data on interaction with our newsletters is stored pseudonymously for 30 days and then completely anonymised.
A cookie is a small text file that is stored on your device by the browser. Cookies are not used to run programs or download viruses onto your computer. Similar technologies are in particular web storage (local / session storage), fingerprints, tags or pixels. Most browsers are set by default to accept cookies and similar technologies. However, you can generally adjust your browser settings so that cookies or similar technologies are rejected or only stored with your prior consent. If you reject cookies or similar technologies, it is possible that not all of our services will work properly for you.
In the following, we list the tools we use by category, informing you in particular about the providers of the tools, the storage period of the cookies and the transfer of data to third parties. We also explain in which cases we obtain your free consent to use the tools and how you can withdraw this consent.
3.5.1 Essential tools
We use specific tools to enable the basic functions of our website (“essential tools”). Without these tools, we would not be able to provide our service. Therefore, essential tools are used without consent based on our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR or for the performance of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 (1) sentence 1 lit. b GDPR.
Use of own cookies
We use our own cookies in particular
- for login authentication,
- for load distribution,
- to save your language settings,
- to note that you have been shown information placed on our website, so that it will not be displayed again the next time you visit the website.
In this way, we want to enable you to use our website more conveniently and individually. These services are based on our aforementioned legitimate interests, the legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR.
We use the Usercentrics tool from Usercentrics GmbH, Rosental 4, 80331 Munich (“Usercentrics”) to obtain and manage your consent. This generates a banner which informs you about the data processing on our website and gives you the opportunity to consent to all, individual or no data processing through optional tools. This banner will appear the first time you visit our website and when you revisit your preferences selection to change them or withdraw consent. The banner will also appear on further visits to our website if you have deactivated the storage of cookies or the cookies or information in Usercentrics’ local storage have been deleted or have expired.
Your consent or revocation, your IP address, information about your browser, your end device and the time of your visit are transmitted to Usercentrics during your visit to the website. In addition, Usercentrics stores necessary information on your end device in order to retain the consents and withdrawals you have given. If you delete your cookies or information in the local storage, we will ask you for your consent again when you visit the site later.
Data processing by Usercentrics is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of Usercentrics is Article 6 (1) sentence 1 lit. f GDPR, justified by our interest in fulfilling the legal requirements for consent management.
Google reCAPTCHA
Our website uses the Google reCAPTCHA Enterprise service, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area, Switzerland and Liechtenstein and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”) for all other users. This function is primarily used to distinguish whether an entry is made by a natural person or abusively by machine and automated processing. To do this, your web browser must establish a connection to a Google server, which may also be located in the USA, when you visit our website. Google thereby receives the information that our website was visited from the IP address of your device and possibly further data required by Google for the reCAPTCHA Enterprise service. The following cookies are set by Google reCAPTCHA Enterprise: “_GRECAPTCHA” for 180 days (for risk analysis). The following information is stored in local storage: “_grecaptcha”.
The legal basis is Art. 6 para. 1 p. 1 lit. f GDPR, based on our legitimate interest in avoiding misuse and spam. We have concluded standard contractual clauses with Google as part of the Google Cloud contracts valid for Google reCAPTCHA Enterprise.
3.5.2 Functional tools
We also use tools to improve the user experience on our website and to provide you with more features (“functional tools”). While these are not strictly necessary for the basic functionality of the website, they can bring significant benefits to users, particularly regarding user experience and the provision of additional communication, visualisation or payment channels.
The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. To withdraw your consent, you can access the Usercentrics settings again. In the event that personal data is transferred to the USA or other third countries, your consent explicitly also covers the data transfer (Art. 49 para. 1 p. 1 lit. a GDPR). Please refer to section 5, Data transfer to third countries, for the associated risks.
Google Maps
Our website uses the map service Google Maps, which is offered to users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”). In order for the Google Maps we use to be embedded and displayed in your web browser, your web browser must connect to a Google server, which may also be located in the United States, when you access the contact page. Google thereby receives the information that the contact page of our website was called up from the IP address of your device. Google and Ratepay have recorded their respective data protection obligations in an agreement [https://cloud.google.com/maps-platform/terms/maps-controller-terms/].
If you call up the Google map service on our website while you are logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to be associated with your Google Profile, you will need to log out of Google before you can access our contact page. Google stores your data and uses it for the purposes of advertising, market research and personalised presentation of Google Maps. You can object to this collection of data from Google.
YouTube videos
We have embedded videos in our website that are stored on YouTube and can be played directly from our websites. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
By visiting our website, YouTube and Google receive the information that you have called up the corresponding subpage of our website. This occurs regardless of whether you are logged in to YouTube or Google or not. YouTube and Google use this data for the purposes of advertising, market research and demand-oriented design of their websites. If you visit YouTube on our website while you are logged into your YouTube or Google profile, YouTube and Google may also link this event to the respective profiles. If you do not want this assignment to take place, it is necessary for you to log out of Google before you visit our website.
You can configure your browser to reject cookies as shown above. Furthermore, in addition to withdrawing your consent, you can prevent the collection of data generated by cookies and related to your use of this website, and the processing of this data by Google for marketing purposes, by deactivating the button “Personalised advertising on the web” in the Google settings for advertising [https://adssettings.google.com/]. In this case, Google will only display non-individualised advertising.
3.5.3 Marketing tools
We also use tools for advertising purposes (“marketing tools”). Some of the access data collected when using our website is used for interest-based advertising. By analysing and evaluating this access data, we are able to present you with personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.
The legal basis for the marketing tools is your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. To withdraw your consent, you can access the Usercentrics settings again. In the event that personal data is transferred to the USA or other third countries, your consent explicitly also covers the data transfer (Art. 49 para. 1 p. 1 lit. a GDPR). Please refer to section 5, Data transfer to third countries, for the associated risks.
In the following section, we would like to explain these technologies and the providers used for this purpose in more detail. The data collected may include in particular: the IP address of the device; the identification number of a cookie or information in the web storage; the device identifier of mobile devices (e.g. device ID); referrer URL (previously visited page); pages viewed (date, time, URL, title, duration of visit); files downloaded; links clicked to other websites; if applicable, achievement of certain goals (conversions); technical information: operating system; browser type, version and language; device type, brand, model and resolution; approximate location (country and city, if applicable). However, the collected data is stored exclusively pseudonymously, so that no direct conclusions can be drawn about the persons.
Google Analytics
Google will process the information gained from the cookies in order to evaluate your use of the website, to compile reports on the website activities for the website operators and to provide further services associated with the use of the website and the Internet.
Google Analytics sets the following cookies for the specified purpose with the respective storage period: “_ga” for 2 years and “_gid” for 24 hours (both to recognise and distinguish website visitors by a user ID) and “_gat” for 1 minute (to reduce requests to the Google servers).
Facebook Pixel
For marketing purposes, our websites use the “Facebook Pixel” service of the social network Facebook, a service offered for users outside the USA and Canada by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland and for all other users by Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA (together “Facebook”).
We use Facebook Pixel to analyse the general use of our websites and to track the effectiveness of Facebook advertising (“conversion tracking”). In addition, we use Facebook Pixel to deliver individualised advertising messages to you based on your interest in our products (“Retargeting”). For this purpose, Facebook processes data that the service collects via cookies, web beacons and comparable storage technologies on our websites. The following cookies are set by Facebook Pixel for the specified purpose with the respective storage period: “_fbp” for 3 months (usage analysis and retargeting).
The data generated in this context may be transferred by Facebook to a server in the USA for evaluation and stored there. In the event that personal data is transferred to the USA, we have concluded standard contractual clauses with Facebook.
If you are a member of Facebook and have allowed Facebook to do so via the privacy settings of your account, Facebook may also link the information collected about your visit to us to your member account and use it for the targeted placement of Facebook ads. You can view and change the privacy settings
3.6 Social Media
3.6.1 Online presence in social media
We maintain online presences in social networks to communicate with customers and interested parties and to inform them about our products and services.
User data is generally processed for market research and advertising purposes. In this way, user profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers will be stored on the users’ computers. Based on these user profiles, advertisements are then placed, for example, within social networks but also on third-party websites.
When using social networks, personal data of users may be processed outside the European Economic Area.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in effective user information and communication. The legal basis for data processing carried out by the social networks on their own responsibility can be found in the data protection information of the respective social network. The following links will also provide you with further information on the respective data processing and the possibilities of objection.
We would like to point out that data protection requests can be made most efficiently to the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly.
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Instagram Business account based on an agreement on joint processing of personal data (so-called Page Insights Controller Addendum): https://www.facebook.com/legal/terms/page_controller_addendum
- Information on the processed site insights data and the contact option in the event of data protection requests: https://www.facebook.com/legal/terms/information_about_page_insights_data
- Opt-out (description): https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE
Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
- LinkedIn Company Page based on an agreement on joint processing of personal data (so-called Page Insights Joint Controller Addendum): https://legal.linkedin.com/pages-joint-controller-addendum
- Information on the processed site insights data and the contact option in the event of data protection requests: https://legal.linkedin.com/pages-joint-controller-addendum
- Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg, Germany)
Glassdoor (Glassdoor, Inc., 100 Shoreline Highway, Building A, Mill Valley, California, 94941, USA)
If you participate in one of our surveys, we use your data for market and opinion research. As a matter of principle, we evaluate the data anonymously for internal purposes. If, in exceptional cases, surveys are not evaluated anonymously, the data will only be collected with your consent. In the case of anonymous surveys, the GDPR is not applicable and in the case of exceptional personal evaluations, the legal basis is the aforementioned consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.
3.8 Job applications
For our career page https://karriere.ratepay.com (powered by talentsconnect), we use the services of talentsconnect AG, Niehler Straße 104, 50733 Cologne (“talentsconnect”). On this page, you can in particular find out about vacancies, search for jobs and apply for vacancies. Talentsconnect processes personal data (e.g. automatically generated connection data, log files, data in connection with the search and noting of job offers) under its own responsibility.
For the management of applications, Ratepay uses the applicant management system Personio, which is offered by Personio GmbH, Rundfunkplatz 4, 80335 Munich (“Personio”).
If you apply for a vacancy at Ratepay via our careers page (powered by talentsconnect) and enter your applicant data on the careers page (e.g. title, first name/last name, e-mail address, date of earliest possible start of job, salary requirement, date of birth, application documents such as cover letter, CV and references), talentsconnect will forward this data to Ratepay on Ratepay’s behalf and on Ratepay’s instructions as a processor via an interface to the Personio applicant management system (“talentsconnect Fast Application”).
For more information on data processing at talentsconnect, in particular on the division of responsibility for respective processing steps, please visit: https://www.talentsconnect.com/privacy.
We have concluded data processing agreements with both talentsconnect and Personio. Your data will be processed and stored within the European Union. The purpose of the data processing is the selection of applicants for the possible establishment of an employment relationship. The legal basis for processing your application documents is Sec. 26 (1) BDSG in conjunction with Article 88 GDPR.
4. Disclosure of information
In principle, the data collected by us will only be transferred if:
- you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,
- the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
- we are legally obliged to pass on the data in accordance with Art. 6 Para. 1 S. 1 lit. c GDPR or
- this is legally permissible and, according to Art. 6 para. 1 sentence 1 lit. b GDPR, is necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures which are carried out at your request.
Part of the data processing can be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include in particular computer centres that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the persons concerned and are regularly monitored by us.
In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings if this is necessary for legal prosecution or enforcement.
5. Data transfer to third countries
Where this is not possible, we base the transfer of data on the exceptions under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a third country transfer is intended and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this.
6. Storage period
As a matter of principle, we only store personal data for as long as necessary to fulfil the purposes for which we have collected the data. Afterwards, we delete the data immediately, unless we need the data until the expiry of the statutory limitation period for evidence purposes for civil law claims or because of statutory retention obligations.
For evidence purposes, we must retain contractual data for a further three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred after the statutory standard period of limitation at the earliest at this point in time.
Even after this period, we still have to store your data in part for accounting reasons. We are obliged to do so because of statutory documentation obligations, which may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the Securities Trading Act. The periods stipulated there for the retention of documents range from two to ten years.
7. Your rights
You have the right to information about the processing of your personal data by us at any time. In this context we will explain the data processing to you and provide you with an overview of the data stored about your person. If data stored by us is incorrect or no longer current, you have the right to have this data corrected. You can also request the deletion of your data. In principle, your data can only be deleted if certain conditions are met: if data is no longer required, if processing is not lawful or in other cases of Art. 17 GDPR. If, exceptionally, deletion is not possible due to other legal provisions, the data will be blocked – if the necessary conditions are met – so that they are only available for this legal purpose. You can also have the processing of your personal data restricted, for example if you doubt the accuracy of the data. Under certain conditions, you also have the right to data portability, i.e. that we send you a digital copy of the personal data you have provided us with on request.
In order to assert your rights described here, you can contact us at any time using the contact details given above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection.
Your inquiries regarding the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of three years and, in individual cases, for the assertion, exercise or defence of legal claims even beyond this period. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability under Art. 5 GDPR.
Finally, you have the right to complain to a data protection supervisory authority. You may exercise this right especially before a supervisory authority in the Member State in which you are resident, your place of work or the place of the suspected infringement or any other data protection authority. In Berlin, the seat of Ratepay GmbH, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.
8. Data security
We maintain current technical measures to ensure data security, in particular to protect your personal data from dangers during data transfers and from third parties gaining knowledge of them. These measures are adapted to the current state of the art. To secure the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.