Privacy Terms

1. Name and address of the person responsible

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
CRISP e.V.
Weisestrasse 27
12049 Berlin
Germany
Tel/Fax: +49 (0) 30 63 41 33 76
Email: hello@crisp-berlin.org
Web: www.crisp-berlin.org

2. General information on data processing

a) Scope of processing of personal data

In principle, we only process the personal data of our users to the extent that this is necessary to provide a functional application (app) and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in such cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by statutory provisions.

b) Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
Article 6 (1) (b) GDPR serves as the legal basis for the processing of personal data required to fulfill a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6 Paragraph 1 lit. d GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the person concerned do not outweigh the first interest, Article 6 Paragraph 1 Letter f GDPR serves as the legal basis for the processing.

c) Data erasure and storage period

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

3. Provision of the application (app) and creation of log files

a) Description and scope of data processing

When using the app, the operating system, its manufacturer (Apple or Google) and our system automatically collects data and information from the smartphone used.
The following data is collected here:
– Information about the device used (name and manufacturer and unique device ID)
– The operating system of the user
– Date and time of access
– Information about crashes
The data is stored in the log files of the operator of the marketplace and in our system. This data is not stored together with other personal data of the user.
A reference to your person could not be made by the provider without the involvement of your provider and the operator of the marketplace (Apple or Google).

b) Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f) GDPR.

c) Purpose of data processing

The temporary storage of the data by the system is necessary to enable the app to be installed and operated on the user’s smartphone.
Our legitimate interest in data processing in accordance with Article 6 (1) (f) GDPR also lies in these purposes.

d) Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
If the data is stored in log files or the data of the operator of the marketplace, the user data will be deleted or alienated so that it is not possible for us to assign the calling user.

e) Possibility of objection and elimination

The collection of the data for the provision of the application (app) and the storage of the data in log files is absolutely necessary for the operation of the application. Consequently, there is no possibility of objection on the part of the user.

4. Collection of location data

a) Description and scope of data processing

The application (app) includes so-called location-based services. With these services we offer special offers that are tailored to the respective location. In order to be able to use these functions of the app, we determine the location data using GPS data, identifiers of WLAN networks in the vicinity, mobile data and Bluetooth, if the user has previously permitted this. The right can be granted or revoked at any time in the settings of the operating system. Location data is not used to create movement profiles beyond the current location and is therefore neither logged nor stored.

b) Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Article 6 (1) (f) GDPR.

c) Purpose of data processing

The acquisition of the location is necessary in order to be able to display and play the content that is location-based.

d) Duration of storage

The location data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is the case as soon as the application is completely terminated. As long as the application is running in the background, the location data is recorded.

If the location data is stored in log files or the data of the operator of the marketplace, the user data will be deleted or alienated so that it is not possible for us to assign the calling user.

e) Possibility of objection and elimination

The collection of the data for the provision of the application (app) and the storage of the data in log files is necessary for the operation of the application. The location data collection function can be allowed or revoked at any time in the operating system settings.

5. Integration of external services from Google

a) Description and scope of data processing

The iOS and Android App use technologies from Google Firebase (Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, „Google“). Firebase is part of the Google Cloud Platform and offers several services.

Firebase Analytics enables the analysis of the use of the app. This data and information is collected, transmitted to Google and stored there. Google uses the information to anonymously evaluate the use of the app. Based on the evaluation, services are provided that are to be used.

Firebase Crashlytics is a report for checking the stability of the app and thus serves to improve the apps. Information about the device used and the use of the app is collected (e.g. time and affected point in the code that led to a crash). This reporting makes it possible to analyze and resolve problems.

Firebase Cloud Messaging is used to send push messages or in-app messages. For this purpose, a pseudonymised push reference is assigned to a mobile device, which serves as the target for the messages. The push messages can be deactivated and reactivated at any time in the settings of the mobile device.

If possible, Google Firebase uses servers located in the EU for the services described. It cannot be ruled out that data will also be transferred to the USA and, in particular, will also be evaluated by servers within the EU in the USA.

b) Legal basis for data processing

The legal basis for the Firebase Crashlytics, Firebase Analytics and Firebase Cloud Messaging services is Article 6 Paragraph 1 Sentence 1 lit interest is required.

c) Purpose of data processing

Firebase Cloud Messaging uses Firebase Installation IDs to determine which devices to send messages to. In this way, push notifications can be sent to the correct user in a targeted manner.

Firebase Crashlytics uses crash stack traces. This links crashes to a project, sends email notifications to developers, displays them in the Firebase console to help debug crashes. Crahslytics uses Crashlytics installation UUIDs to measure the number of users affected by a crash and minidump data to process NDK crashes.

The app itself makes it possible to identify, check and better fix any technical errors that occur.

Firebase Analytics uses the data to provide analytics information. The exact information collected varies by device and environment. The aim is to use the collected data for advertising and to improve the website. On our behalf, Google will use this information to evaluate the use of the app, to compile reports on the usage activities within the app and to provide us with other services related to the use of the app and the internet.

d) Duration of storage

The duration of the storage is subject to the provisions of Google. These can be accessed at https://firebase.google.com/support/privacy. Below for the individual services:

Cloud Messaging: Firebase retains the Firebase installation IDs until the user makes an interface call to delete the ID. After the call, the data is removed from the live and backup systems within 180 days.
Firebase real-time database: Firebase retains the Firebase installation IDs until the Firebase customer makes an interface call to clear the ID. After the call, the data is removed from the live and backup systems within 180 days.

Crashlytics: Firebase Crashlytics stores crash stack traces, extracted minidump data and associated identifiers (including Crashlytics installation UUIDs) for 90 days.

Firebase Analytics:  Firebase Analytics stores certain data associated with the advertising identifier (e.g. Apple’s advertiser identifier and provider identifier, Android advertising ID) for 60 days and maintains aggregate reporting without automatic expiration. Retention of user-level data, including conversions, is set for up to 14 months.

e) Possibility of objection and elimination

The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

The consent can be given in text form or in writing and is to be addressed to:

CRISP e.V.
Weisestrasse 27
12049 Berlin
Germany

Tel/Fax: +49 (0) 30 63 41 33 76
Email: hello@crisp-berlin.org
Web: www.crisp-berlin.org

All personal data that was saved in the course of making contact will be deleted in this case.

6. Email Contact

a) Description and scope of data processing

Contact details are available in the application, which can be used to make contact. If a user takes advantage of this option, the data entered will be transmitted to us and stored.

If contact is made via the e-mail address provided, the user’s personal data transmitted with the e-mail will be stored.

In this context, the data will not be passed on to third parties. The data will only be used to process the conversation.

b) Legal basis for data processing

The legal basis for processing the data is Article 6(1)(a) GDPR if the user has given their consent.

The legal basis for the processing of data transmitted in the course of sending an email is Article 6 Paragraph 1 Letter f GDPR. If the e-mail contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

c) Purpose of data processing

The processing of personal data serves us solely to process the establishment of contact. If contact is made by e-mail, this is also the necessary legitimate interest in the processing of the data.

d) Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data sent by email, this is the case when the respective conversation with the user has ended completely and there is no longer any customer relationship. The conversation is ended when it can be inferred from the circumstances that the facts in question have been finally clarified and there is no other connection to the user.

e) Possibility of objection and elimination

The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

The consent can be given in text form or in writing and is to be addressed to:

CRISP e.V.
Weisestrasse 27
12049 Berlin
Germany

Tel/Fax: +49 (0) 30 63 41 33 76
Email: hello@crisp-berlin.org
Web: www.crisp-berlin.org

All personal data that was saved in the course of making contact will be deleted in this case.

7. Rights of the data subject

If personal data is processed by you, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

a) Right to information

You can request confirmation from the person responsible as to whether personal data relating to you is being processed by us.
If such processing is present, you can request information from the person responsible for the following information:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;

(4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;

(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to this processing;

(6) the existence of a right of appeal to a supervisory authority;

(7) all available information about the origin of the data if the personal data are not collected from the data subject;

(8) the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether your personal data is being transmitted to a third country or to an international organization. In this context, you can request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information can be restricted insofar as it is likely to make it impossible or seriously impair the realization of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

b) Right to rectification

You have a right to correction and/or completion to the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.
Your right to rectification can be restricted insofar as it is likely to make it impossible or seriously impair the realization of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

c) Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data:

(1) if you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you refuse to have the personal data erased and instead request that the use of the personal data be restricted;

(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4) if you have lodged an objection to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of the personal data concerning you has been restricted, this data – apart from its storage – may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State are processed.
If the restriction of processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to restriction of processing can be restricted to the extent that it is likely to make it impossible or seriously impair the realization of the research or statistical purposes and the restriction is necessary to fulfill the research or statistical purposes.

d) Right to Erasure

aa) Obligation to delete

You can request the person responsible to delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You revoke your consent on which the processing was based pursuant to Article 6 Paragraph 1 Letter a or Article 9 Paragraph 2 Letter a GDPR and there is no other legal basis for the processing.

(3) You object to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Article 21 (2) GDPR.

(4) The personal data concerning you was processed unlawfully.

(5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

(6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

bb) Information to third parties

If the person responsible has made the personal data relating to you public and is obliged to delete it in accordance with Art. 17 (1) GDPR, he shall take appropriate measures, including technical measures, to protect the person responsible for data processing, taking into account the available technology and the implementation costs , who process the personal data, that you, as the data subject, have requested them to delete all links to this personal data or copies or replications of this personal data.
cc) exceptions

The right to erasure does not exist if processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller became;

(3) for reasons of public interest in the field of public health in accordance with Article 9 (2) lit. h and i and Article 9 (3) GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law mentioned under Section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or

(5) to assert, exercise or defend legal claims.

e) Right to information

If you have asserted the right to correction, deletion or restriction of processing against the person responsible, he is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the person responsible.

f) Right to data portability

You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person responsible without hindrance by the person responsible for providing the personal data, provided that

(1) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and

(2) the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible. The freedoms and rights of other people must not be impaired by this.
The right to data portability does not apply to processing of personal data that is required to perform a task that is in the public interest or in the exercise of official authority that has been assigned to the controller.

g) Right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 Paragraph 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The person responsible no longer processes the personal data relating to you unless he can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.
In connection with the use of information society services, you have the option – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures that use technical specifications.
You also have the right, for reasons arising from your particular situation, to object to the processing of personal data relating to you for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR.

Your right to object can be restricted insofar as it is likely to make it impossible or seriously impair the realization of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

h) Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.

i) Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the person responsible,

(2) is permitted by law of the Union or the Member States to which the person responsible is subject and this law contains appropriate measures to protect your rights and freedoms and your legitimate interests or

(3) with your express consent.
However, these decisions must not be based on special categories of personal data according to Article 9 Paragraph 1 GDPR, unless Article 9 Paragraph 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests .
With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the person responsible, to express his or her point of view and to challenge the decision.

j) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data violates violates the GDPR.
The supervisory authority to which the complaint was lodged will inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.