App privacy policy

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular within our Fotogoals app (hereinafter referred to as the “app”). We would like to point out that an internet connection is required to use the Fotogoals app. Data transmission via the Internet may be subject to security vulnerabilities, which is why complete protection of data against access by third parties is not possible. The terms used are not gender-specific. (Users of the app are hereinafter referred to as “users” for short.)

Status: 10.05.2024

Table of contents

  • Responsible person
  1. General storage period of personal data
  2. Legal basis
  3. Security measures
  4. App access rights
  5. Registration and use of personal data in the context of app use
  6. User rights
  7. Disclosure of personal data to third parties
  8. Web hosting and provision of our online services
  9. Change and update

Responsible person

Fotogoals – Lukas Zobel

Weedstr. 5

97346 Iphofen, Germany

Authorized representative: Lukas Zobel

E-mail: kontakt@fotogoals.com

1. General storage period of personal data

Unless otherwise stated in this Privacy Policy or explicitly stated, the personal data collected by this APP will be stored until a user requests us to delete it, revokes their consent to storage or the purpose for data storage no longer applies. If there is a legal obligation to store the data or another legally recognized reason for storing the data (e.g. legitimate interest), the personal data in question will not be deleted until the respective reason for storage no longer applies.

2. Legal basis

  • The processing of personal data is only permitted if there is an effective legal basis for the processing of this data. Insofar as we process your data, this is regularly done on the basis of your consent in accordance with Art. 6 (1) lit. a GDPR. Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

    • Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
    • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

    (e.g. for in-app purchases or when using other paid app functions)

    • Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
    • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. (e.g. as part of advertising campaigns)

    National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling.

3. Security measures

  • We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

    The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, safeguarding of availability and its separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

    Encryption

    This APP uses encryption for security purposes and to protect the transmission of sensitive content, e.g. requests that you send to us as the APP operator. This encryption prevents the data you transmit from being read by unauthorized third parties.

4. App access rights

  • In order to provide our services via the APP, we require the access rights listed below, which allow us to access certain functions of the user’s device.

    • Location data (only while using the APP and only if permitted!)
    • Unique device identifier
    • Authentication data (only when creating a user account via an Apple or Google account; see point 5)
    • Internal memory (downloading media content)

    Access to the device functions is necessary to ensure the functionality of the APP. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR, your consent within the meaning of Art. 6 (1) lit. a GDPR or – if a contract has been concluded – the fulfillment of our contractual obligations (Art. 6 (1) lit. b GDPR).

5. Registration and use of personal data in the context of app use

The user is enabled to use our app without registration. Registration and an existing user account are required for the provision of certain content or services (more functions) in our app. Registration is required to create a user account.

In the course of using the app, the user’s personal data may be used and collected. This concerns the following personal data of the user:

  • E-mail address (for registration)
  • Anonymized usage data
  • Device information (e.g. operating system or screen size)

Registration

We use Firebase Authentication, a service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street Dublin 4 Ireland, to handle the registration and login process. Firebase Authentication is a login and authentication service provided by Google. To simplify the login and authentication process, Firebase Authentication may use third-party identity services (Apple, Facebook, etc.) and store the information on its platform.

Google is a processor within the meaning of Art. 28 GDPR, with which we have concluded a corresponding data processing agreement. Google also relies on the use of standard contractual clauses.

You can choose between five registration options:

  • E-mail and password,
  • Single sign-on (SSO) with your Apple or Google account,
  • or guest access.

In all cases, a user ID is generated for a user, which is used to identify the user in our app.

In addition, the third-party providers usually transmit further basic information about your user profile there (e.g. email address and profile picture) via Firebase Authentication. You can restrict this transfer of information in the login process if necessary. You can obtain more information from the respective third-party providers:

The processing of this personal data is justified and necessary to ensure the functionality of the APP. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR, to ensure the functionality and error-free operation of the app. The rights of the user and the interest in protecting their personal data should prevail within the meaning of Art. 6 (1) lit. f GDPR.

The processing of this personal data is justified and necessary for the fulfillment of the contract between the user and us within the meaning of Art. 6 (1) lit. b GDPR, for the use of the app. See point “Legal bases”.

Voluntary data

During the app registration process, a user has the option of entering additional data. This data is entered voluntarily by the user and cannot be viewed by other users. The data is:

  • Place of residence (no exact address)
  • Instagram user name

6. User rights

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to withdraw consent: You have the right to withdraw your consent at any time.

Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with the legal requirements.

Right to rectification: In accordance with the statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.

Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.

Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

7. Disclosure of personal data to third parties

We will only disclose personal user data to third parties (including processors, i.e. third parties who process data for us on our behalf) if the transfer is necessary to fulfill our contractual obligations to the user, if we are otherwise legally entitled or obliged to disclose it or if the user has given us consent to do so. In order to provide our services, selected personal information may be shared with certain departments within our company. This includes employees from the accounting, legal, product management, marketing and IT departments. In certain cases, we also use external service providers who have been commissioned by us to process data for us in accordance with the instructions (see below). Where user data is transferred to third parties who are not located in an EEA (European Economic Area) country, we ensure that the recipient has an adequate level of data protection. We also ensure that appropriate confidentiality provisions in the applicable contracts are complied with and that the standard contractual clauses for the transfer of personal data to processors issued by the European Commission are complied with or that we obtain your consent.

7.1 Service providers

We also share user data with companies whose services we use to provide our services and manage our business affairs. In particular, the following services are provided to us by contractors that we use: Payment services, hosting services, maintenance and support, web/app analytics, fraud monitoring and prevention, marketing services, CRM services, customer service management services, geo-query services (converting coordinates to real-world locations), etc.

These service providers are contractually obliged by us to process user data in accordance with the strict guidelines of the GDPR and may not use user data for other purposes. The data is processed in accordance with Art. 28 (1) GDPR.

In addition, users will find detailed information below on how personal user data is collected, for what purposes and using which service providers:

Possible processed data types: Usage data (e.g. interest in content, access times), meta/communication data (e.g. device information, IP addresses), inventory data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms).

Affected persons: User (app user).

Purposes of processing: Provision of our online offer and user-friendliness, provision of contractual services and customer service, marketing, profiles with user-related information (creation of user profiles).

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR), consent (Art. 6 para. 1 p. 1 lit. a. GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR).

Services used and service providers:

  • Google Maps: We integrate the maps of the “Google Maps” service of the provider Google via an API. The processed data may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually in the context of the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy Policy: Google Maps PP; Opt-Out: Opt-Out-Plugin: Further information, Settings for the display of advertisements: Further information
  • Google Places API Web Service (address completion): We use the Google Places API web service and Google’s automatic address completion. In order for us to receive this information from Google, the IP address and the content entered by the user is transmitted to Google. A connection to Google’s servers is established for this purpose. As a result, Google becomes aware that our service has been accessed via the user’s IP address. Google is used in the interest of simplifying the completion of input fields when entering addresses in our app. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information on Google Places Api Web Services can be found in Google’s privacy policy: Google Places PP
  • OpenWeather: We use tools to provide up-to-date weather forecasts for the photo spots we publish. For this purpose, current weather data is loaded from the provider openweathermap.org (Openweather Ltd, 4 Queens Road, Wimbledon, London, SW19 8YB, United Kingdom). The IP address may be transmitted to the provider’s server. The weather forecast is displayed in the interest of an appealing and informative presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Openweather Ltd; Website: https://openweathermap.org/; Privacy Policy: Openweather PP
  • Sunrise-Sunset: We use tools to provide current forecasts for different times (Sunrise | Sunset | Golden Hour | Blue Hour) at the photo spots we publish. For this purpose, current data is loaded from the provider sunrise-sunset.org (Sunrise-Sunset ©). If necessary, the IP address is transmitted to the provider’s server. The times are displayed in the interest of an appealing and informative presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Openweather Ltd; Website: https://sunrise-sunset.org/; Privacy Policy: Sunrise Sunset PP
  • Revive software and services: We use software and server technology to display advertisements in various places in our app in line with our business activities. In addition to paid advertisements, cooperations or sponsorships, these can also be so-called ‘affiliate’ links or banners. All advertisements or ‘affiliate’ links/banners are therefore clearly marked with the designation “Ad” and are thus clearly recognizable as such for a user. The services of the provider Revive Software and Services BV are used to display the advertisements. In some cases, the IP address is transmitted to the provider’s server in order to be able to display advertisements to the user based on their location, for example. Advertisements can also be displayed on the basis of device information (e.g. operating system or screen size). The display and use of this technology is in the interest of our business relationships with our partners and an appealing and informative presentation within our online offering. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Revive Software and Services BV; Website: https://revive-sas.com ; Privacy Policy: Revive PP
  • Amazon affiliate program: In terms of our business activities, we are participants in the Amazon EU partner program, which was designed to provide a medium for websites by means of which advertising costs can be earned through the placement of advertisements and links to Amazon.de (so-called affiliate system). Amazon uses cookies to track the origin of orders. Among other things, Amazon can recognize that you have clicked on the partner link on this website and subsequently purchased a product from Amazon. We receive a commission for correspondingly qualified purchases. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or one of its affiliates. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l., Amazon Services Europe S.à.r.l. and Amazon Media EU S.à.r.l.; Website: https://partnernet.amazon.de/ ; Privacy Policy: Amazon PP
  • Awin affiliate program: In terms of our business activities, we are participants in the AWIN AG (Landsberger Allee 104 BC, 10249 Berlin, Germany) affiliate program, which was designed to provide a medium for websites by means of which advertising costs can be earned through the placement of advertisements and links to AWIN (so-called affiliate system). AWIN uses cookies in order to be able to trace the origin of the conclusion of the contract. Among other things, AWIN can recognize that you have clicked on the partner link on this website and subsequently concluded a contract with or via AWIN. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: AWIN AG; Website: https://www.awin.com/de ; Privacy Policy: Awin PP
  • DJI Affiliate Program: We are a participant in the affiliate program of SZ DJI Technology Co, Ltd (14th Floor, West Wing, Skyworth Semiconductor Design Building, No. 18 Gaoxin South 4th Ave, Nanshan District, Shenzhen, China.), which was designed to provide a medium for websites through which advertising costs can be earned by placing advertisements and links to DJI (so-called affiliate system). DJI uses cookies in order to be able to trace the origin of the conclusion of the contract. Among other things, DJI can recognize that you have clicked on the partner link on this website and subsequently concluded a contract with or via DJI. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: SZ DJI Technology Co, Ltd; Website: https://u.dji.com/ ; Privacy Policy: DJI PP
  • Belboon affiliate program: In terms of our business activities, we are participants in the affiliate program of belboon GmbH (Weinmeisterstr. 12-14, 10178 Berlin, Germany), which was designed to provide a medium for websites by means of which advertising costs can be earned through the placement of advertisements and links to BELBOON (so-called affiliate system). BELBOON uses cookies in order to be able to trace the origin of the conclusion of the contract. Among other things, BELBOON can recognize that you have clicked on the partner link on this website and subsequently concluded a contract with or via BELBOON. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: belboon GmbH; Website: https://belboon.com/ ; Privacy Policy: Belboon PP
  • Webgains affiliate program: For the purposes of our business activities, we are participants in the affiliate program of Webgains GmbH (Frankenstraße 150C, 90461 Nuremberg, Germany), which was designed to provide a medium for websites by means of which advertising costs can be earned through the placement of advertisements and links to WEBGAINS (so-called affiliate system). WEBGAINS uses cookies in order to be able to trace the origin of the conclusion of the contract. Among other things, WEBGAINS can recognize that you have clicked on the partner link on this website and subsequently concluded a contract with or via WEBGAINS. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Webgains GmbH; Website: https://www.webgains.com/public/de/ ; Privacy Policy: Webgains PP
  • Tradedoubler affiliate program: For the purposes of our business activities, we are participants in the affiliate program of Tradedoubler GmbH (Mainzer Straße 13, 80804 Munich, Germany), which was designed to provide a medium for websites by means of which advertising costs can be earned through the placement of advertisements and links to TRADEDOUBLER (so-called affiliate system). TRADEDOUBLER uses cookies in order to be able to trace the origin of the conclusion of the contract. Among other things, TRADEDOUBLER can recognize that you have clicked on the partner link on this website and subsequently concluded a contract with or via TRADEDOUBLER. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: Tradedoubler GmbH; Website: https://www.tradedoubler.com/de/ ; Privacy Policy: Tradedoubler PP
  • Mail service provider – Mailchimp ‘Rocket Science Group, LLC’: We use the service exclusively for sending information e-mails with general information or notes on the app (changes to data protection/terms of use, changes to the user account) to registered users. You can find more information on the use of the data under point 8 > Services used and service providers > Mailchimp ‘Rocket Science Group, LLC’. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Service provider: “Mailchimp” – Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Website: https://mailchimp.com; Privacy Policy: Mailchimp PP; Standard Contractual Clauses as the basis for processing in the USA: Info; Special security measures: Info

7.2 Government agencies, authorities and courts, legal representatives

Insofar as we are legally obliged to do so or this is permitted under data protection law, we transmit personal data to authorities such as the police or the public prosecutor’s office (Art. 6 para. 1 lit. c GDPR). This data is disclosed on the basis of our legitimate interest in combating misuse, prosecuting criminal offenses (e.g. credit card fraud) and securing, asserting and enforcing claims, provided that the rights and interests of users in the protection of their personal data do not prevail (Art. 6 (1) lit. f GDPR).

8. Web hosting and provision of our online offer

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed as part of the provision of the hosting service may include all information relating to the users of our online service that is generated during use and communication. This regularly includes the IP address, which is necessary in order to be able to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.

E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as other information relating to the sending of e-mails (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but not on the servers from which they are sent and received (unless an end-to-end encryption method is used). We can therefore accept no responsibility for the transmission path of e-mails between the sender and receipt on our server.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability.

Content delivery network: We use a content delivery network (CDN). A CDN is a service with the help of which the content of an online offer, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet.

  • Processed data types: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: User (app user)
  • Purposes of processing: Provision of our online offer and user-friendliness, Content Delivery Network (CDN).
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services used and service providers:

  • IONOS: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Website: https://www.ionos.de/; Privacy Policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/.
  • Supabase: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Supabase, Inc, 970 Toa Payoh North #07-04, Singapore 318992; Website: https://supabase.com/; Privacy Policy: https://supabase.com/privacy
  • Frostberry: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: Frostberry UG, Frankenweg 37, 97318 Kitzingen, Germany; Website: https://frostberry.de/; Privacy Policy: On request via Frostberry UG
  • Cloudflare: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany; Website: https://www.cloudflare.com/de-de/; Privacy Policy: https://www.cloudflare.com/de-de/privacypolicy/.
  • Mailchimp: Services in the field of sending e-mails or newsletters and the corresponding provision of information technology infrastructure and associated services (e.g. storage space and/or computing capacity). Fotogoals uses the service exclusively for sending general information or notices about the app (changes to data protection/terms of use, changes to the user account) to registered users.

    The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with the European level of data protection (https://www.privacyshield.gov/).

    The mailing service provider may use the data (exclusively the e-mail address of a user) of the app users in pseudonymous form, i.e. without assignment to a user, to optimize or improve its own services, e.g. to technically optimize the mailing and presentation of the newsletter/mails or for statistical purposes. However, the mailing service provider does not use the data (exclusively the e-mail address of a user) of our app users to write to them itself or to pass the data on to third parties. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and an order processing contract pursuant to Art. 28 para. 3 sentence 1 GDPR as follows. Service provider: Rocket Science Group LLC; Website: https://mailchimp.com/de/ ; Privacy Policy: Intuit PP

9. Changes and updating

Fotogoals reserves the right, at its sole discretion, to modify or replace any part of this privacy policy. It is the user’s responsibility to check this statement regularly for changes. Fotogoals reserves the right to change these terms at any time in accordance with the law. Fotogoals may also offer new services and/or features through the App in the future (including the release of new tools and resources). Such new features and/or services will be subject to the terms and conditions of this Privacy Policy.
