Data protection policy for the services of PenPal – A service by MyPostcard.com GmbH
Data protection policy for the services of MyPostcard.com GmbH
With this date protection policy, we, MyPostcard.com GmbH, Hohenzollerndamm 3, 10717 Berlin (hereafter "MyPostcard" or “PenPal” or "we"), undertake to inform you of all data protection aspects of the offering on the penpal.me website (the "Website") and our mobile app ("App") (collectively "Services"). We collect, process and use your personal data only in accordance with the following data protection policy. Personal data in this sense are all individual details about personal or factual circumstances of a specific or identifiable natural person, such as, for example, your name, telephone number, address, and any other information you provide to us when registering, using our services or contacting us ("Personal Information").
I. Responsibility for data processingMyPostcard is responsible for data processing in accordance with Article 4 No. 7 of EU Regulation 2016/679 ("DSGVO").
Collection and storage of personal data and the nature and purpose of their use
1. Processing data for the use of our services If you access the website via your browser or the app via your mobile device, we only collect personal data that your browser or mobile device automatically transmits to enable you to visit our website or app and the stability and to ensure safety. This can be specifically • your IP address, • your device identifier, i.e. the unique number of the terminal, • content, date and time of the request, • the time zone of the requesting computer or mobile terminal, • the website from which the request was forwarded, • the requested page, • the http status code, • the transferred amount of data, • browser ID, • your operating system, • language and version of the browser software as well as • mobile device identifier (IDFA, IDFV and AAID). The processing of this data serves to • ensure a smooth connection of the website, • the display of our services and products, • the usability of our services, • the evaluation and system security and stability as well as • further administrative purposes. PenPal may use your information to ensure the safety and security of our Website and of our members, for example, by monitoring misuse or suspicious activity, identifying violations of our Terms of Service, protect the community against spam, harassment, and other security risks. The legal basis of this processing of your personal data is Article 6 (1) sentence 1 lit. f DSGVO. Our legitimate interest follows for the aforementioned purposes of data collection.
2. Processing of data when using the contact form We offer you the opportunity to contact us via a form provided on the website. To use it, you must enter your name and a valid e-mail address. The processing of this data serves our legitimate interest in answering your contact requests properly and is therefore based on Art. 6 para. 1 sentence 1 lit. f DSGVO
3. Processing of data for the use of our services and the purchase of our products If you wish to use our services and products, you may at different times be asked to provide us personal information such as • your name, • your date of birth, • your address, • your email address, • your home phone number or mobile number, • photographs as well as • indicating payment information. Your personal data will be processed and required by us for the following purposes: • in accordance with Article 6 para. 1 sentence 1 lit. b DSGVO, for the fulfillment of contractual obligations or for the execution of pre-contractual measures: to process your purchases, process your payments and to offer you customer service, to correspond with you, to settle claims by you or us, to ensure technical administration of our website as well as to manage our customer data; • according to Article 6 para. 1 sentence 1 lit. c DSGVO due to legal requirements or pursuant to Art. 6 para. 1 sentence 1 lit. e DSGVO in the public interest: to protect you and us (including our affiliates) from fraud.
4. How we share the collected information between members The goal of PenPal is to connect the world via real mail, by allowing you to exchange postcards with other members around the world. However, your postal address will never be shared with anyone. Instead, the user sends their postcard to the recipient’s username. We then send the card to the address saved in the recipient’s profile, without the sender ever seeing the address. Sending postcards can take place in a direct postcard exchange as well as via selecting a recipient randomly. The random variation is called PenPal Auto-Match. When the user uses PenPal Auto Match it is not possible for them to request access to a specific user. Instead, the Website randomly selects the recipient of each postcard. We also limit the number of recipients an account can request and have security measures in place to prevent abuse. The number of times your username may be shared is proportional to the number of postcards you have sent yourself. By consequence, until you send your first postcard and become eligible to receive one back, your username is not shared with anyone.
III. Disclosure of your data to processors and third partiesTo process your data, we use specialized external service providers such as payment service providers, IT service providers, online marketing providers, marketing automation solution providers, and web analytics tool providers. These are carefully selected and commissioned by us, are bound by our instructions and are checked regularly. Furthermore, we may pass on your personal data to third parties (such as shipping companies, cooperation partners, etc.) if this is necessary to safeguard our legitimate interests under Art. 6 para. 1 sentence 1 lit. f DSGVO is required. Finally, we transfer your information to our affiliate, MyPostcard.com Inc., 433 Broadway, 2nd Floor, 10013 NY, New York, USA, to the extent necessary to protect our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. 1 DSGVO is required. These interests include, in particular, the processing of your order, the sending of postcards and the guarantee of smooth business operations. Incidentally, your personal data will only be forwarded to third parties if you have previously consented and submitted them in accordance with Art. 6 para. 1 sent. 1 lit. a DSGVO or a legal permission in accordance with Art. 6 para. 1 sentence 1 lit. c DSGVO is present.
IV. Transfer of personal data abroadInsofar as we transfer personal data to countries outside the European Economic Area, we ensure that the recipient of the data guarantees an adequate level of data protection in accordance with Art. 45 DSGVO. In the absence of an adequacy agreement, MyPostcard will ensure that the recipients of the data have provided suitable guarantees in accordance with Art. 46 DSGVO and, in particular, use the standard European Union model contracts for the transfer of data to other EU countries, as amended. When transmitting data to the US, MyPostcard will endeavor to oblige the recipient to comply with and abide by the principles of the Privacy Shield (that is, to recognize minimum standards in the handling of personal data).
VI. Use of Mobile Device Identifier (IDFA, IDFV and AAID)On our app we use the so-called "Mobile Device Identifier" ("Mobile Device Identifier"). These are unique but non-personalized and non-permanent identification numbers for a particular terminal provided by iOS and Android respectively. The data collected via the Mobile Device Identifier will not be linked to other device-related information. We use Mobile Device Identifiers to provide you with personalized advertising and to evaluate your usage. If you enable "no ad tracking" in the "Privacy" - "Advertising" iOS or Android settings, we can only take the following actions: Measure your interaction with banners by counting the number of ads on a banner without clicking frequency capping, click-through rate, unique user identification, security measures, anti-fraud and troubleshooting. You can delete the respective Mobile Device Identifier at any time in the device settings ("Reset Ad-ID"), then a new Mobile Device Identifier is created, which is not merged with the previously collected data. We point out that you may not be able to use all the features of our app if you restrict the use of the respective Mobile Device Identifier. Use of analysis and tracking technologies in our services We use the above-mentioned analysis and tracking technologies as well as third-party technologies listed below and used by us in accordance with Article. 6 para. 1 lit. f DSGVO: • to carry out data analyzes, • to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer, • to constantly improve and manage our offer, • to measure success and optimize our advertising measures, as well as • in order to be able to send you advertising, in particular personalized marketing information. These interests are legitimate within the context of the aforementioned provision.
1. Google Analytics For the purpose of customizing and continually optimizing our pages, we use Google Analytics, a Google Inc. advertising analytics service, 1600 Amphitheater Parkway Mountain View, CA 94043, USA ("Google"). In this context, pseudonymised user profiles are created and cookies (see section V of this data protection policy) are used. The information generated by the cookie about your use of our services (such as your IP address, browser type / version, operating system used, referrer URL, time of server request) is transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI. However, on our website and app, your IP address will be shortened by Google beforehand within member states of the European Union or other parties under the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf to evaluate your use of our services, to compile reports about the website and app activities for us, and to provide us with other services related to website and app usage and internet usage. This information may also be transferred to third parties if required by law or if third parties process this data in the order. Google will not merge your IP address with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of our services in full. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of our services (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. For more information about data protection related to Google Analytics, please see the following link in the Google Analytics Help Center: http://google.com/intl/en/analytics/privacyoverview.html.
3. Google Tag Manager We also use Google Tag Manager. This service allows website tags to be managed through a single interface. Tags are small code elements that serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. As a result, no cookies are used and consequently no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
5. Reddit Conversion Tracking Our website also uses "Raddit Conversion Pixel," an analysis service of Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, USA ("Reddit"). For this tool so-called tracking pixels are integrated on our sides. When you visit our pages, this tracking pixel establishes a direct connection between your browser and the Reddit server. Reddit receives thereby et al. the information from your browser that our website received from your device. We point out that we have no influence on the extent of the transmitted data and their further use by Reddit and therefore inform you according to our knowledge: Through the use of Reddit Conversion pixels Reddit receives the information that you have accessed the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a Reddit service, Reddit may associate the visit with your account. Even if you are not registered with Reddit or have not logged in, there is a chance that the vendor will discover and store your IP address and other identifying features. Reddit is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/list. For more information about privacy and how it works, visit https://www.redditinc.com/policies/privacy-policy.
6. Facebook Advertising Tracking We also use Facebook's "Custom Audiences" remarketing feature, 1 Hacker Way, Menlo Park, CA 94025, USA, ("Facebook"). As a result, users of our website can be shown interest-based advertisements ("Facebook Ads") as part of their visit to the social network Facebook or other websites that also use the process. For this marketing function, we use "Facebook pixels" on our websites, i.e. on our sides so-called tracking pixels are integrated. When you visit our pages, the tracking pixel establishes a direct connection between your browser and the Facebook server. This gives Facebook et al. the information from your browser that our website called from your device. We point out that we have no influence on the extent of the data transmitted and their further use by Facebook and therefore inform you according to our knowledge: Through the integration of Facebook Custom Audiences, Facebook receives the information that you have visited the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a service of Facebook, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, there is a chance that the provider will find out and store your IP address and other identifying features. Facebook is certified under the Privacy Shield so that there is an adequate level of data protection under the European Commission's implementing agreement. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC. You may object to the use of Facebook Website Custom Audiences at any time in the future through https://www.facebook.com/settings/?tab=ads and http://www.youronlinechoices.com/preferencemanagement/. For more information about privacy and your related options, visit https://www.facebook.com/settings/?tab=ads and https://www.facebook.com/about/privacy.
9. Use of Technologies from Branch Metrics, Inc. in our App Our sites also use the Branch.io app analytics service Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA ("Branch") to analyze app usage. When using the app Branch collects on our behalf installation and usage data. We use this information to understand how you interact with our app. Branch uses your IDFA or Android ID as well as your IP or Mac address. An identification of your person is not possible. The analyzes are used exclusively for the purposes of our own market research as well as the optimization and needs-based design of our app. The information collected is transmitted to Branch servers in the United States. Branch is certified under the Privacy Shield so that the European Commission's implementing agreement provides for an adequate level of data protection. The certificate can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000KzTJAA0&status=Active. They may object to the use of Branch at any time by setting the slider for anonymous statistics in the app under "Settings". For more information about Branch's privacy, please visit the following link: https://branch.io/policies/#privacy.
IX. Sending push messages1. Sending push messages through the website To keep you up-to-date on current topics, we offer a service to receive push messages through our website. For this purpose, an anonymous ID is stored in order to analyze the use of the push service. If you would like to prevent the receipt of push notifications and thus the associated data collection for the future, you can block the notifications in the website settings of your internet browser for this website.