Ratepay Data Privacy Policy

1. Content of this data privacy policy

In this data privacy policy we (Ratepay GmbH) inform you about the processing of personal data when using our website.

You can print or save this data privacy policy by using the usual functionality of your browser.

2. Contact person

Contact person and so-called person responsible for the processing of your personal data when visiting this website in terms of the EU Data Protection Basic Regulation (GDPR) is

Ratepay GmbH

– Data protection –

Franklinstraße 28-29

D-10587 Berlin

datenschutz@ratepay.com

 

If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. Our data protection officer can be reached as follows:

ISiCO Data Protection GmbH

– Data Protection Officer Ratepay –

At Hamburger Bahnhof 4

D-10557 Berlin

3. Data processing on our website

3.1          Access to our website / access data

Whenever you use our website, we collect access data that your browser automatically transmits to enable you to visit the website. The access data includes in particular:

–              IP address of the requesting device,

–              Date and time of the request,

–              Address of the website called up and the requesting website,

–              Information about the browser and operating system used,

–              Online identifiers (e.g. device identifiers, session IDs).

The data processing of these access data is necessary to enable you to visit the website and to ensure the permanent functionality and security of our systems. For the purposes described above, the access data is also temporarily stored in internal log files in order to generate statistical data on the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices used to access the pages increases) and for general administrative maintenance of our website. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. As we have a legitimate interest in the operation and further development of our website.

3.2 Ratepay portals

3.2.1 Ratepay merchant portal
You have the possibility to register for our merchant portal if you as a merchant offer Ratepay payment methods. The registration information for the merchant portal is provided by Ratepay. Further information about the merchant portal of Ratepay can be found here [https://ratepay.gitbook.io/legal/terms/interfaces/en]. Legal basis of the processing is Art. 6 para. 1 lit. b GDPR.

3.2.2 Ratepay buyer portal
You have the option of registering for our buyer portal when you have placed an order using a payment method from Ratepay. We have highlighted the data you are obliged to provide by marking them as mandatory fields. Registration is not possible without this data. Details on registration and the mandatory data to be entered can be found in the terms of use for the Ratepay buyer’s portal [https://www.myratepay.com/policy]. Legal basis of the processing is Art. 6 para. 1 lit. b GDPR.

3.3          Establishing contact

You have the possibility to get in contact with us via a contact form. In this context we process data exclusively for the purpose of communicating with you. The legal basis is Art. 6 para. 1 lit. b GDPR, as far as the information is required for the initiation or execution of a contract. Otherwise, your data will be processed on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests consist of communication with users and the processing of customer enquiries. The data collected by us when using the contact form will be automatically deleted after your enquiry has been completely processed, unless we still need your enquiry to fulfil contractual or legal obligations (see section “Storage period”).

3.4          Google reCAPTCHA

Our website uses the service Google reCAPTCHA which is offered to users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together “Google”). This feature is primarily intended to distinguish whether an entry is made by a natural person or is improperly made by machine and automated processing. To use this service, your web browser must connect to a Google server, which may also be located in the USA, when you access the contact page. In the event that personal data is transferred to the USA, Google has submitted to the US Privacy Shield [https://www.privacyshield.gov/]. Google is thereby informed that the contact page of our website was called up from the IP address of your device and, if applicable, further data required by Google for the service reCAPTCHA. The legal basis is Art. 6 para. 1 p. 1 lit. f GDPR, based on our legitimate interest in establishing individual responsibility on the Internet and avoiding abuse and spam. Google and Ratepay have recorded the respective data protection obligations in an agreement [https://cloud.google.com/maps-platform/terms/maps-controller-terms/].

3.5         Google Maps

Our website uses the map service Google Maps which is offered to users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together “Google”). In order for the Google Maps we use to be embedded and displayed in your web browser, your web browser must connect to a Google server, which may also be located in the United States, when you access the Contact Page. In the event that personal information is transferred to the USA, Google has submitted to the EU-US Privacy Shield [https://www.privacyshield.gov/]. Google thereby receives the information that the contact page of our website was called up from the IP address of your device. The legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR, based on our legitimate interest in the integration of a map service for establishing contact. Google and Ratepay have recorded their respective data protection obligations in an agreement [https://cloud.google.com/maps-platform/terms/maps-controller-terms/].

If you call up the Google map service on our website while you are logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to be associated with your Google Profile, you will need to log out of Google before you can access our contact page. Google stores your data and uses it for the purposes of advertising, market research and personalised presentation of Google Maps. You can object to this collection of data from Google.

You can find more information about this in Google’s Privacy Policy [https://www.google.com/intl/de/policies/privacy/index.html] and the Additional Terms of Use [https://www.google.com/intl/de/help/terms_maps.html] for Google Maps.

3.6          Use of own cookies

For some of our services it is necessary that we use so-called cookies. A cookie is a small text file that is stored by the browser on your device. Cookies are not used to execute programs or to load viruses onto your computer. The main purpose of our own cookies is rather to provide you with a specially tailored offer and to make the use of our services as time-saving as possible.

Most browsers are set by default to accept cookies. However, you can adjust your browser settings to reject cookies or to only store them after prior consent. If you reject cookies, not all of our services may work for you without interruption.

We use our own cookies in particular

–              for login authentication,

–              for load distribution,

–              to save your language settings,

–              to note that you have been shown information placed on our website ¬- so that it will not be displayed again the next time you visit the website.

In this way, we want to enable you to use our website more conveniently and individually. These services are based on our aforementioned legitimate interests, the legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR.

We also use cookies and comparable technologies (e.g. web beacons) from partners for analysis and marketing purposes. This is described in more detail in the following sections.

3.7         Use of cookies and comparable technologies for analysis purposes

In order to improve our website, we use cookies and comparable technologies (e.g. web beacons) for the statistical recording and analysis of general usage behaviour based on access data. We also use analysis services to evaluate the use of our various marketing channels.

Insofar as consent has been obtained, the legal basis for the data processing described in the following section is Art. 6 para. 1 sentence 1 lit. a GDPR. Otherwise, the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the needs-based design and continuous optimisation of our website.

In the following list of the technologies we use, you will also find information on the possibilities of objection regarding our analysis measures by means of a so-called opt-out cookie. Please note that after deleting all cookies in your browser or later use of another browser and/or profile, an opt-out cookie must be set again.

3.7.1      Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). According to Google, the contact for all data protection issues is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to analyse and improve our website based on your user behaviour. The data collected in this context may be transferred by Google to a server in the USA for evaluation and stored there. In the event that personal data is transferred to the USA, Google has subjected itself to the EU-US Privacy Shield [https://www.privacyshield.gov/]. However, your IP address will be shortened before the evaluation of the usage statistics, so that no conclusions can be drawn about your identity. For this purpose, Google Analytics has been extended on our website by the code “anonymizeIP” to ensure anonymous recording of IP addresses.

Google will process the information gained from the cookies in order to evaluate your use of the website, to compile reports on the website activities for the website operators and to provide further services associated with the use of the website and the Internet.

You can, as shown above, configure your browser to reject cookies, or you can prevent the collection of data generated by cookies and related to your use of this website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on [https://tools.google.com/dlpage/gaoptout?hl=de] provided by Google. This will prevent the collection of data by Google Analytics within this website in the future (the opt-out only works in the browser and only for this domain). If you delete your cookies in this browser, you will have to click this link again.

You can find more information on this in the Google’s Privacy Policy [https://www.google.com/intl/de/policies/privacy/index.html].

3.8          Social Media

3.8.1      Online presence in social media

We maintain online presences in social networks to communicate with customers and interested parties and to inform them about our products and services.

User data is generally processed for market research and advertising purposes. In this way, user profiles can be created based on the interests of the users. For this purpose cookies and other identifiers will be stored on the users’ computers. On the basis of these user profiles, advertisements are then placed, for example, within social networks but also on third-party websites.

When using social networks, personal data of users may be processed outside the European Economic Area. In the event that a provider is certified according to the EU-U.S. Privacy Shield, it has thus undertaken to comply with the data protection standards of the European Union.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in effective user information and communication. The legal basis for data processing carried out by the social networks on their own responsibility can be found in the data protection information of the respective social network. The following links will also provide you with further information on the respective data processing and the possibilities of objection.

We would like to point out that data protection requests can be made most efficiently to the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly.

3.8.1.1  Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

–              Privacy policy: https://help.instagram.com/519522125107875

3.8.1.2  Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)

–              Privacy policy: https://twitter.com/de/privacy

–              Opt-out: https://twitter.com/personalization,

–              EU-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.

3.8.1.3  LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)

–              Privacy policy https://www.linkedin.com/legal/privacy-policy

–              Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

–              EU-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.

3.8.1.4  Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg, Germany)

–              Privacy policy/ Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

3.8.1.5  Glassdoor (Glassdoor, Inc., 100 Shoreline Highway, Building A, Mill Valley, California, 94941, USA)

–              Privacy policy https://hrtechprivacy.com/de/brands/glassdoor#privacypolicy

3.9 Surveys
If you participate in one of our surveys, we use your data for market and opinion research. As a matter of principle, we evaluate the data anonymously for internal purposes. If, in exceptional cases, surveys are not evaluated anonymously, the data will only be collected with your consent. In the case of anonymous surveys, the GDPR is not applicable and in the case of exceptional personal evaluations, the legal basis is the aforementioned consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.
To conduct surveys we use the services of zenloop of zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany. We have concluded a data processing agreement with zenloop (https://www.zenloop.com/de/legal/data-processing). You can find more information in the zenloop privacy policy.

3.10          Integration of videos

3.10.1      Integration of YouTube videos

We have embedded videos in our website that are stored on YouTube and can be played directly from our websites. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). In the event that personal data is transferred to the United States, Google and its YouTube subsidiary have agreed to comply with the EU-US Privacy Shield [https://www.privacyshield.gov/]. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the integration of video and image content.

By visiting our website, YouTube and Google receive the information that you have called up the corresponding subpage of our website. This occurs regardless of whether you are logged in to YouTube or Google or not. YouTube and Google use this data for the purposes of advertising, market research and demand-oriented design of their websites. If you visit YouTube on our website while you are logged into your YouTube or Google profile, YouTube and Google may also link this event to the respective profiles. If you do not want this assignment to take place, it is necessary for you to log out of Google before you visit our website.

You can configure your browser to reject cookies as shown above, or you can prevent the collection of data generated by cookies and related to your use of this website and the processing of this data by Google by deactivating the button “Personalised advertising on the web” in the Google settings for advertising [https://adssettings.google.com/]. In this case, Google will only display non-individualised advertising.

For more information, please see Google’s Privacy Policy [https://www.google.com/intl/de/policies/privacy/index.html], which also applies to YouTube.

4.            Disclosure of information

A transfer of the data collected by us will only take place in principle if:

•             you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,

•             the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

•             we are legally obliged to pass on the data in accordance with Art. 6 Para. 1 S. 1 lit. c GDPR or

•             this is legally permissible and, according to Art. 6 para. 1 sentence 1 lit. b GDPR, is necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures which are carried out at your request.

Part of the data processing can be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include in particular computer centres that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the persons concerned and are regularly monitored by us.

In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings if this is necessary for legal prosecution or enforcement.

4. Disclosure of information

A transfer of the data collected by us will only take place in principle if:

•             you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,

•             the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

•             we are legally obliged to pass on the data in accordance with Art. 6 Para. 1 S. 1 lit. c GDPR or

•             this is legally permissible and, according to Art. 6 para. 1 sentence 1 lit. b GDPR, is necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures which are carried out at your request.

Part of the data processing can be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include in particular computer centres that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the persons concerned and are regularly monitored by us.

In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings if this is necessary for legal prosecution or enforcement.

5. Storage period

As a matter of principle, we only store personal data for as long as necessary to fulfil contractual or legal obligations for which we have collected the data. Afterwards, we delete the data immediately, unless we need the data until the expiry of the statutory limitation period for evidence purposes for civil law claims or because of statutory retention obligations.

For evidence purposes, we must retain contractual data for a further three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred after the statutory standard period of limitation at the earliest at this point in time.

Even after this period, we still have to store your data in part for accounting reasons. We are obliged to do so because of statutory documentation obligations which may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the Securities Trading Act. The periods stipulated there for the retention of documents range from two to ten years.

6. Your rights

You have the right to information about the processing of your personal data by us at any time. In this context we will explain the data processing to you and provide you with an overview of the data stored about your person. If data stored by us is incorrect or no longer current, you have the right to have this data corrected. You can also request the deletion of your data. In principle, your data can only be deleted if certain conditions are met / if data is no longer required, if processing is not lawful or in other cases of Art. 17 GDPR.  If, exceptionally, deletion is not possible due to other legal provisions, the data will be blocked – if the necessary conditions are met – so that they are only available for this legal purpose. You can also have the processing of your personal data restricted, for example if you doubt the accuracy of the data. Under certain conditions, you also have the right to data transferability, i.e. that we send you a digital copy of the personal data you have provided us with on request.

In order to assert your rights described here, you can contact us at any time using the contact details given above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection.

Your inquiries regarding the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of three years and, in individual cases, for the assertion, exercise or defence of legal claims even beyond this period. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability under Art. 5 GDPR.

You have the right to revoke any consent granted to us at any time. As a result, we will no longer continue to process the data based on this consent for the future. Revocation of consent does not affect the lawfulness of the processing that took place on the basis of the consent until revocation.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to the processing of your data for direct marketing purposes, you have a general right of objection, which will be implemented by us even without giving reasons.

If you would like to exercise your right of revocation or objection, it is sufficient to send an informal message to the contact details given above.

Finally, you have the right to complain to the data protection supervisory authority responsible for us. You may exercise this right before a supervisory authority in the Member State in which you are resident, your place of work or the place of the suspected infringement or any other data protection authority. In Berlin, the seat of Ratepay GmbH, is the competent supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.

7. Data security

We maintain current technical measures to ensure data security, in particular to protect your personal data from dangers during data transfers and from third parties gaining knowledge of them. These measures are adapted to the current state of the art. To secure the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.

8. Changes to the data privacy policy

From time to time we update this data privacy policy, for example when we adapt our website or when legal or regulatory requirements change.

[PDF-Version]