III. Use of third-party providers
1. Online meetings and webinars with Zoom
To conduct online meetings, workshops and webinars, we use the provider "Zoom" of Zoom Video Communications, Inc. The processing of personal data of meeting participants takes place exclusively in data centers in the European Union. Personal data is not transferred to the USA or any other third country.
We have concluded an order processing agreement with "Zoom" that includes the EU standard contractual clauses. The data of meeting participants (specified name, specified email address, duration of participation in meetings) are stored for a maximum period of 12 months.
The legal basis for the use of Zoom is Art. 6 para. 1 lit. b DS-GVO. In the case of "open webinars", it is Art. 6 (1) lit. f DS-GVO. For more information on the processing of personal data at Zoom, please visit https://zoom.us/de-de/gdpr and https://zoom.us/de-de/privacy.html.
2. Use of Zammad as a ticket system
(1) We use the ticket system Zammad, a service provided by Zammad GmbH, Marienstraße 11, 10117 Berlin, to process customer inquiries. For this purpose, when you contact us data such as surname, first name, email address and, optionally, any attachment to the message sent to us via our website are recorded so that we can process your inquiry. Zammad GmbH stores the data processed for us in Germany.
(2) For more information about Zammad's data processing please see the Zammad privacy policy at https://zammad.com/de/datenschutz.
(3) If you contact us by email, via the form or chat on the website, we will only use the personal data you provide for processing your specific request. The data provided will be treated confidentially. The data provided and the message history with our team will be stored for a period of six months for follow-up questions and subsequent contact. The data entered in the contact form will be processed on the basis of your consent (Art. 6 Section 1 a GDPR).
(4) We have concluded an agreement with Zammad GmbH. for contract data processing.
3. Use of Mailjet as a contract data processor
(1) Sending emails to the various user groups is a central function of the platform. This ensures that content is communicated promptly and personally. For the purpose of sending emails we use the email dispatch service Mailjet GmbH, Rankestr. 21, 10789 Berlin, Germany. Only the email addresses required for sending the newsletter are transferred and temporarily stored. Email addresses are used exclusively in the context of Startnext and are not passed on to third parties. You can find Mailjet's privacy policy at https://www.mailjet.de/privacy-policy/. The legal basis for the use of the distribution service provider is the consent pursuant to Art. 6 para. 1 p. 1 lit a GDPR. which you can revoke at any time via the newsletter or by email. We have concluded an order processing agreement with Mailjet pursuant to Art. 28 Section 3 Sentence 1 GDPR. We have concluded a contract processing agreement with Mailjet in accordance with Art. 28 Section 3. 1 GDPR.
(2) Mailjet may use the recipient's data in pseudonymized form, i.e. without assignment to a user, to optimize or improve its own services, e.g. for technical optimization of the distribution and presentation of the newsletter or for statistical purposes. However, the distribution service does not use the data of our newsletter recipients to contact them itself or to pass the data on to third parties.
(3) According to Mailjet, they store your personal data, only as long as it is necessary to provide its services. Mailjet will delete your data when we delete you from our address file.
4. Use of Matomo
(1) In order to constantly improve our platform, we use the statistic analysis tool "Matomo" (formerly "Piwik") to analyze the use of our website. The statistics obtained allow us to regularly improve our services and make it more interesting for you as a user. We use "Matomo" according to Art. 6 para. 1 p. 1 lit. f) GDPR for the purpose of analyzing user behavior in order to continuously improve the Startnext platform.
(2) Cookies are stored on your computer for this analysis. We store the information collected in this way exclusively on our server. The evaluation can be prevented by deleting existing cookies and preventing the storage of cookies. If the storage of cookies is prevented, we point out that our platform may not be fully usable. Preventing the storage of cookies is possible through the setting in your browser. If you do not want your navigation to be evaluated anonymously by "Matomo", you can deactivate this function. You can decide here whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyze various statistical data.
For information to activate the Do Not Track Header, please visit https://www.eff.org/de/deeplinks/2012/06/how-turn-do-not-track-your-browser
5. Integration of YouTube videos
(1) We and almost all Starters have included YouTube videos in our online offer or campaign descriptions, which are stored at http://www.YouTube.com and can be played directly from our platform. YouTube is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google"). The videos are all integrated in the "extended data protection mode" or can be integrated by Starters in this way, and are additionally prevented from direct transfer to YouTube by an image file upstream of the video. This means that no data about you as a user will be transferred to YouTube if you do not play the videos. The data mentioned in Section 2 will only be transmitted if you play the videos. We have no influence on the data transfer to Google after the start of the video. The legal basis for data processing when playing the video is your consent pursuant to Art. 6 section 1 p.1 lit. a) GDPR.
(2) Playing a YouTube video on our platform informs Google that you have accessed the corresponding sub-page of our platform. In addition, at least the data specified in 3. of this declaration will be transmitted. You can do this whether you're logged in to your Google Account or not, or even if you don't have a user account. If you are logged in to Google, your information will be directly associated with your account. If you do not wish the data to be associated with your user profile on YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its own website. Such an evaluation takes place in particular (even for not logged in users) for the provision of demand-oriented advertising and to inform other users of the social network about your activities on our platform. You have the right to object to the creation of these user profiles, but you must contact YouTube to exercise this right.
(3) Further information on the purpose and scope of data collection and processing by YouTube can be found in the data protection declaration. It also provides you with more information about your rights and privacy settings: https://www.google.de/intl/de/policies/privacy.
6. Integration of Vimeo videos
(1) We and/or a number of Starters use components of the provider Vimeo as an alternative to YouTube videos on our site. Vimeo is a service of Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA. Each time you visit our website equipped with such a component, this component causes the browser you are using to download a corresponding representation of the Vimeo component. If you access such a video on our platform while logged in to Vimeo, Vimeo uses the information collected by the component to identify which specific page you are visiting and associate this information with your personal account at Vimeo. For example, if you click the "Play" button and/or make comments, this information will be transferred to your personal Vimeo account and stored there. In addition, the information that you have visited our site will be passed on to Vimeo. However, this is done by placing an image file in front of the video only if you click on the component. The legal basis for data processing when playing the video is your consent pursuant to Art. 6 section 1 p.1 lit. a) GDPR.
(2) According to its own statement, Vimeo stores personal data only as long as you have an account with Vimeo. If you do not have an account, the data is only stored in anonymized form, so that the GDPR does not apply to this data.
(3) If you want Vimeo to stop this transmission and storage of data about you and your behavior on our website, you must log out of Vimeo before you visit our site. Vimeo's privacy policy provides more detailed information, in particular regarding the collection and use of data by Vimeo: https://vimeo.com/privacy
7. Use of SoundCloud Plugins
(1) We use SoundCloud for the integration of audio material. SoundCloud is operated by SoundCloud Limited, headquartered at 33 St James Square, London SW1Y 4JS, UK.
(2) Every time you visit our website that contains such a component, the component causes the browser you are using to download a corresponding representation of the SoundCloud component. If you start such an audio file on our platform while logged into SoundCloud, SoundCloud uses the information collected by the component to identify which specific page you are visiting and associate this information with your personal account on SoundCloud. For example, if you click the "Play" button and/or make comments, this information will be transferred to your personal SoundCloud account and stored there. In addition, the information that you have visited our site will be shared with SoundCloud. However, this is done by placing an image file in front of the audio file only if you click on the component. The legal basis for the processing is your consent according to Art. 6 section. 1 p. 1 lit. a) GDPR.
(3) If you want SoundCloud to stop this transmission and storage of data about you and your behavior on our website, you must log out of SoundCloud before starting an audio file. SoundCloud's privacy policy provides more detailed information, in particular about SoundCloud's collection and use of data: https://soundcloud.com/pages/privacy
8. Use of Spotify Plugins
(1) We use plugins from "Spotify" an audio streaming platform operated by Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. For an overview of Spotify plugins, please visit: https://developer.spotify.com
(2) We use Spotify by embedding individual audio files from the platform on our website as a so-called iFrame, so that they can be played on our website as a stream. If you visit a subpage of our website on which a Spotify plugin is embedded and you click the "Play" button, a connection is established to the Spotify servers and the plugin is displayed within our website. Thereupon, this information is transmitted to your personal user account at Spotify and stored there. In addition, the information that you have visited our site is passed on to Spotify. For more information on data protection at Spotify, please visit https://www.spotify.com/de/legal/privacy-policy. The legal basis for the processing is your consent according to Art. 6 section. 1 p. 1 lit. a) GDPR.
9. Login with Facebook
(1) We offer you the option of using your Facebook profile information from your Facebook account to authenticate you to Facebook on our website ("Facebook Connect").
(2) If you choose to register with your Facebook account, Facebook will have access to certain information about your personal information through this interface and will be able to store that information. This includes, but is not limited to, your encrypted email address and other information about your registration on our websites. A listing can be found at: https://developers.facebook.com/docs/permissions/reference. Conversely, we may gain access to your email address, name, profile picture, and other publicly available profile information on Facebook. If you do not agree to this data exchange, you should not use Facebook Connect. You can still log in directly from our website as usual. Further details and what data Facebook collects in detail and what rights you have in this regard can be found at www.facebook.com and in particular in Facebook's Privacy Policy. The social login data will be stored and used as described until a revocation is declared.
(3) The legal basis for the transfer of data in connection with your use of Facebook Connect is the contractual basis with Facebook (Article 6 para. 1 sentence 1 lit. b GDPR) as well as supplementary consent within the framework of the express use of the Facebook Connect function (Article 6 para. 1 sentence 1 lit. a GDPR).
10. Login with Google
(1) We offer you the possibility to authenticate yourself with your Google account on our website ("Google Connect"). The registration takes place via a redirect to the website of Google (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), where you can log in with your login.
(2) If you decide to register with your Google account, your Google account will be linked to Startnext. We have no influence on the processing of your data at Google. We receive the following information from Google: Last name, first name, email address and profile picture. For more information about Google, please see Google's privacy policy and terms of use, at: https://policies.google.com/privacy?hl=de Legal basis for the processing is your consent according to Art. 6 section. 1 p. 1 lit. a) GDPR.
(3) If you do not agree with this data exchange, you should not use the Google login. You can still log in directly via our website as usual.
(4) The legal basis for the transfer of data in connection with your use of Google is the contractual basis with Google (Article 6 (1) sentence 1 lit. b DS-GVO) and, in addition, the consent in the context of the express use of the Google function (Article 6 (1) sentence 1 lit. a DS-GVO).
11. Use of Cloudflare
CloudFlare is used as a so-called CDN ("Content Delivery Network") to secure this website and optimize loading times. For this reason, all requests relating to our platform are forcibly routed through their servers and consolidated into statistics that cannot be deactivated and stored in the European Union. The collected raw data is usually deleted within 4 hours, at the latest after 3 days. Here you will find information about the data collected there and about security & privacy at CloudFlare. We have concluded a corresponding agreement with Cloudflare (DPA, Data Processing Agreement). The legal basis is Art. 6 Section 1 f GDPR.
12. Use of New Relic
(1) We use New Relic on our website to ensure robust technical platform operation. New Relic allows us to determine whether the website can be accessed and how quickly the page is displayed on your device when accessed. If your browser generates a technical error message, this is transmitted anonymously to New Relic.
(2) For this purpose, your browser connects to the domain bam-cell.nr-data.net operated by New Relic during your visit to Startnext. This transfers information such as your IP address and the type of browser you are using. No data like cookies are stored in the browser. All page views of all visitors are considered together, so that no identification of the actions of a single person is possible. You can find more information on data protection at: https://newrelic.com/termsandconditions/privacy. The legal basis is Art. 6 Section 1 f GDPR.
13. Use of Risk.Ident
1) For our website we use the services of the IT security service provider Risk.Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, Germany. All communication between us and Risk.Ident is solely for the purpose of avoiding fraudulent use of our websites. The legal basis for the processing is our legitimate interest in the defense against criminal threats pursuant to Art. 6 (1) p. 1 lit. f) GDPR.
(2) Data storage: Risk.Ident uses cookies and tracking technologies to collect and process specific data from our users regarding the equipment of the end device used ("device-specific data"), raw data from the TCP/IP connection and data about the use of our website. Risk.Ident also collects and processes the IP address of the user, but this is encrypted within a few seconds at Risk.Ident. The information is stored by Risk.Ident in a fraud prevention database.
(3) Data retrieval: When creating, starting or supporting projects, we retrieve a risk assessment from the Risk.Ident database, which has been stored there for the end device used by the user.
This risk assessment is based, among other things, on information about:
(a) whether the user's device is currently communicating or has communicated in the past via a proxy connection,
(b) whether the terminal device has recently dialed in via different Internet service providers,
(c) whether the terminal device had or has a frequently changing geo-reference,
(d) how many Internet transactions have been made via the device within the last time (however, it is not recognizable for us what kind of transactions these were), and
(e) how likely it is that the device stored in the Risk.Ident database is actually that of the user.
The result of this risk assessment helps us to prevent fraud attempts.
(4) Data transmission: Furthermore, we transmit data to Risk.Ident if we become aware that a user has committed or attempted to commit fraud against us. Risk.Ident will be informed of this fact as well as the respective device-specific data of the user.
14 Starter communication via Mautic
(1) We use Mautic on our platform, an open source tool for marketing automation to stay in contact with our starter. It is an analysis and tracking software for the allocation and storage of usage data (e.g. browser used, last page visited, duration of visit). The software uses this information to personalise our marketing measures and better align them with the interests of each individual user. Mautic also helps us to better analyse the success of individual marketing measures.
(2) Mautic is hosted on the same server as our website in Germany. Data is not passed on to third parties. We collect and process data with Mautic only to the extent necessary to achieve our business objectives with you. We have concluded an dpa contract with our hoster for this purpose.
(3) We use Mautic as follows:
Email marketing and campaigns
Personalised emails are sent to starters. These are based in part on user behaviour on the website, when reading our emails and when interacting with the links contained therein. We also send emails as part of marketing campaigns. They are assigned to the campaigns by segmentation and tagging.
Personalised web links
In order to recognise whether, for example, a user accesses a link from an email, Mautic adds a unique identifier to these links, which has previously been assigned to an individual user profile.
IP address
The IP address currently used by website visitors is transmitted to us each time our website is accessed. Mautic uses this to recognise users of the website.
Reports
Reports analyse the performance data on the collected data and display it in aggregated form.
(4) The data collected in this way is as follows
- the activity on our website
- the number of page views and length of stay of the website visitor
- the click path of the respective visitor
- Downloads of files provided via the website
- Visits to landing pages
- Opening of emails from newsletters and campaigns
As part of a registration or support on Startnext, we also collect the following data through use
- E-mail address
- first name
- surname
- Number of projects per phase, as well as a list of the tags and categories of the projects of the users in this phase for each phase
(5) Mautic is only used if you have expressly given your consent to the use of so-called "first-party cookies" when using our website for the first time. We only send this information mails to starter with active projects. You can revoke your consent at any time by clicking a link in the footer of the email. In this case, all tracking data collected via Mautic will be deleted.