Privacy Policy

2.1. Purpose of Data Processing

In principle, we process the personal data of users of our websites, our customers and service providers only to the extent necessary for providing a functioning website and our content and services. The purposes of the separate processing activities are detailed in the relevant section.

In general, you can also use our website without providing personal data. Personal data (e.g. name, address, e-mail addresses and telephone numbers) are voluntarily shared by you as far as possible, insofar as they are collected if you contact us - e.g. via our contact form or in support enquiries - or if you conclude a contract with us. If you do not share the required data, we may not be able to provide the information and services you have requested.

2.2. Legal Basis for Processing Personal Data

The processing of our users' personal data is regularly carried out only after obtaining their consent. An exception applies where the processing of personal data is lawful due to other legal grounds.

Insofar as we obtain the consent of the data subject for personal data processing procedures, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) is used as the legal basis for processing based on this consent.

Article 6 para. 1-b GDPR is the legal basis for processing personal data necessary to perform a contract to which the data subject is a party. This justification also applies to processing activities that are necessary for the fulfilment of pre-contractual measures.

Insofar as personal data collection and/or processing is necessary for legal requirements or for reasons of public interest, Art. 6 para. 1 (c) or (e) GDPR is used as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights, and freedoms of data subjects do not outweigh this legitimate interest, Art. 6 (1) -f GDPR shall serve as the legal basis for processing.

2.3. Storage and Deletion Period

The personal data of the data subjects will be erased when the original purpose of the processing has ended, and there is no other legal basis for longer retention of the data. Data retention may also occur if it is provided for by the European or national legislator in the laws or other regulations to which the controller is subject. Once the retention period stipulated by the aforementioned standards has expired, the data will be blocked or deleted unless there is no longer any need to retain the data. In these cases, we restrict the processing of the relevant data.

2.4. Transfer of Data to Third Parties

We do not pass on personal data to third parties for purposes other than those pursued by us. Furthermore, we will only disclose your personal data to third parties if you have given your explicit consent under Art. 6 (1) sentence 1-a GDPR if disclosure is necessary for the assertion, exercise or defence of legal claims based on our legitimate interest under Art. 6 (1) sentence 1-f GDPR or if there is a legal obligation for disclosure under Art. 6 (1) sentence 1-c GDPR. This applies to open data concerning you (name, contact details, etc.).

The transfer of personal data is limited to the minimum necessary to fulfil the purpose.

2.5. Transfer of data to third countries

To achieve the stated processing purposes, we transfer personal data in each case, both within and outside the EU, to our network partners and service providers commissioned by us (commissioned data processors).

If we transfer personal data to a third country outside the EU, we do so by the conditions under the GDPR. For various third countries to which personal data are transferred, an adequate level of protection for personal data has already been recognised by a relevant adequacy decision of the EU Commission. In the absence of such an adequacy decision for a country, we have concluded contracts with our partners and service providers containing the EU Commission's standard contractual clauses ("EU Standard Contractual Clauses") and, where necessary, agreed on other appropriate measures to ensure an adequate level of protection for the transferred data.

Furthermore, when obtaining users' consent for the use of non-essential cookies and data processing requiring consent, we inform them about the potential risks of transferring data to a third country without an adequacy decision and request their explicit consent for the transfer of data to the third country to achieve the intended processing purposes.

Below, we explain which of our network partners may transfer personal data to a third country outside the EU/EEA and which guarantees for adequate data protection exist.

3.1. SSL- /TSL Encryption

For security reasons, our websites use SSL or TSL encryption. If encryption is activated, third parties cannot read the data you transmit to us.

3.2. Collection of Log File Data

The KiVVON website collects general usage data each time a data subject or automated system calls up the website. This data and information is stored in the server's log files and may contain personal data.

The following data may be collected:

• Browser types and versions used;
• The operating system used by the access system;
• The website from which an access system reaches our website (so-called referrer);
• Sub-websites on our website that are accessed via an access system;
• The date and time of access to the website;
• An internet protocol address (IP address), the internet service provider of the access system.

The data is stored in our system's log files. This data is not stored together with the user's other personal data. The data is anonymised by shortening the IP address. The storage period is regularly limited to seven days. The processing of log file data is based on our legitimate interest to ensure the functionality of the website, optimise the website, and ensure the security of our information technology systems (Art. 6 para. 1 lit. f DSGVO).

5.1. Technically Necessary Cookies

For some elements and functions of our website, cookies are technically necessary to provide you with our pages and functions as you have requested. We do not need your consent to use these essential cookies.

For example, we use technically necessary cookies so that you can verify your identity as a registered and logged-in user on each of the KiVVON sub-pages. These cookies are short-term session cookies.

6.1. Facebook Single Sign-On

The Facebook Single-Sign-On authentication service provider is Meta Platforms Inc. Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for the European region.

Meta/Facebook also processes your data in the USA. Due to the current legal situation in the USA, the US authorities may obtain information about the personal data of providers in the USA. Accordingly, it can be assumed that the level of data protection in the USA is below the relevant EU standard. This may lead to risks to the legality and security of data processing.

However, to provide appropriate guarantees for compliance with the data transfer conditions set out in Section V of the GDPR as well as other provisions of the GDPR, Facebook uses standard data protection clauses published by the EU Commission according to Article 46 (2) c of the GDPR, the application of which is considered binding. The Facebook data processing conditions corresponding to the standard contractual clauses can be found at https://www.facebook.com/legal/terms/dataprocessing. Meta / Facebook has also taken other appropriate measures to ensure protection comparable to the GDPR.

If registered with Facebook, you can revoke your consent to using your data for advertising purposes via the opt-out function at https://www.facebook.com/adpreferences/ad_settings Further information on the data processed through the use of Facebook can be found in Facebook's data protection declaration at https://www.facebook.com/policy.php.

6.2. Google Single Sign-On

The service provider of the Google Single-Sign-On authentication service is Google Ireland Limited. Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for the European region.

Google also processes your data in the USA. Due to the current legal situation in the USA, the US authorities may obtain information about the personal data of providers in the USA. Accordingly, it can be assumed that the level of data protection in the USA is below the relevant EU standard. This may lead to risks to the legality and security of data processing.

However, to provide appropriate guarantees for compliance with the data transfer conditions set out in Section V of the GDPR as well as other provisions of the GDPR, Google uses the standard data protection clauses published by the EU Commission under Article 46 (2) c GDPR, the application of which is considered binding. The standard contractual clauses can be found at: https://germany.representation.ec.europa.eu/index_de. Google has also taken other appropriate measures to ensure protection comparable to the GDPR. Further information on Google's standard contractual clauses can be found in the Google Ads Data Processing Terms at https://business.safety.google/adsprocessorterms/.

At Google, you can revoke your consent to using single sign-on logins via the opt-out function at https://adssettings.google.com/authenticated Further information on the data processed using Google Single Sign-On can be found in Google's Privacy Policy at https://policies.google.com/privacy?hl=en.

6.3. Apple Single Sign-On

The service provider for the Apple Single-Sign-On authentication service is Apple Inc. The responsible company for the European region is Apple Inc, Infinite Loop, Cupertino, CA 95014, USA.

Apple also processes your data in the USA. Due to the current legal situation in the USA, the US authorities may obtain information about the personal data of providers in the USA. Accordingly, it can be assumed that the level of data protection in the USA is below the relevant EU standard. This may lead to risks to the legality and security of data processing.

However, to provide appropriate guarantees of compliance with the data transfer conditions set out in Chapter V of the GDPR, as well as other provisions of the GDPR, Apple uses standard data protection clauses published by the EU Commission under Article 46(2) c of the GDPR, the application of which is considered binding. These clauses are based on an implementing decision of the EU Commission. The standard contractual clauses can be found at: https://germany.representation.ec.europa.eu/index_de. Apple has also taken other appropriate measures to ensure a level of protection comparable to the GDPR.

Further information on the privacy policy and Apple's processing of personal data can be found at https://www.apple.com/de/legal/privacy/de-ww/.

7.1. Right to Information

You can request confirmation from the data controller on whether the data controller processes personal data concerning you. In this case, you have the right to free information about your stored personal data, their origin and recipient, and the data processing purpose.

7.2. Right to rectification

If the personal data processed about you is incorrect or incomplete, you have the right to request that your personal data be corrected and/or completed by the data controller.

7.3. Right to Delete

You may request the data controller to delete personal data concerning you without undue delay, and the data controller is obliged to delete such data without undue delay if one of the following reasons applies:

• If the personal data concerning you is no longer necessary for the purposes for which they were collected or otherwise processed;
• If you have withdrawn your consent on which the processing was based in accordance with Article 6(1)(a) GDPR and there is no other legal basis for the processing;
• If you have objected to the processing and there are no valid legitimate grounds for the processing;
• If the personal data concerning you have been unlawfully processed;
• If the erasure of personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject;
• If the personal data concerning you were collected in connection with information society services provided under Article 8(1) GDPR.

7.4. Right to Restrict Data Processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

• If you contest the accuracy of the personal data concerning you for a period, enabling the controller to verify the accuracy of the personal data;
• If the processing is unlawful, and you object to the erasure of the personal data and request the restriction of the use of the personal data instead;
• If the controller no longer needs the personal data for the purposes of the processing, but you need the data for the establishment, exercise or defence of legal claims, or;
• You have objected to the processing and it is not yet clear whether the legitimate grounds of the controller override your grounds.

7.5. Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common, and machine-readable format. In addition, in the following cases, you have the right to transfer this data to another person responsible without any hindrance from the person responsible for the provision of the personal data.

7.6. Right of Objection

You have the right to object at any time on grounds relating to your particular situation to the processing of personal data concerning you carried out under Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you after you have exercised your right to object unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If you object to processing your personal data for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

7.7. Right to withdraw consent under data protection law

You have the right to withdraw your consent for us to process your personal data at any time. Please send your withdrawal request by e-mail to hello@kivvon.com.

The withdrawal of consent does not affect the lawfulness of the processing based on your consent before this processing.

7.8. Right to lodge a complaint with the supervisory authority

Without prejudice to any other administrative or judicial remedy, if you believe that the processing of your personal data violates the GDPR (EU General Data Protection Regulation), you have the right to lodge a complaint with the relevant supervisory authority, in particular in the EU Member State of your place of residence, place of work or place of the alleged infringement.

Address of the supervisory authority responsible for the data controller:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin

Tel.: +49 (0)30 13889-0
Fax: +49 (0)30 2155050
E-Mail: mailbox@datenschutz-berlin.de