Privacy Policy

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. This policy is intended to help you understand who we are, how we collect information and how we use the information collected as well as how you can make use of your rights.

I. NAME OF THE PERSON RESPONSIBLE

The person responsible within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is the

  • Usercentrics GmbH
  • Sendlinger Straße 7
  • 80331 Munich
  • Germany
  • Email: datenschutz@usercentrics.com | Website: www.usercentrics.com

II. DATA PROTECTION OFFICER

You can contact our data protection officer here:

  • SECUWING GmbH & Co. KGd
  • Maximilian Hartung
  • Frauentorstr. 9
  • 86152 Augsburg
  • Germany
  • E-mail: epost@datenschutz-agentur.de | Phone: +49 821 90786450 | Fax: +49 821 90786459

III. GENERAL INFORMATION ABOUT THE COLLECTION AND PROCESSING OF YOUR DATA

1. Scope of processing

In principle, we process personal data only insofar as this is necessary to provide a functioning website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent can not be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para.1 s. 1 lit. a GDPR serves as a legal basis. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis. This also applies to processing operations required to carry out pre-contractual actions. Insofar as processing of personal data is required to fulfill a legal obligation that is subject to our company, Art. 6 para. 1 s. 1 lit. c GDPR serves as the legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis for processing.

3. Storage and deletion of your data

In principle, we only store personal data for as long as is necessary to fulfill contractual or legal obligations for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations. For evidentiary purposes, we must retain contractual data for six years from the end of the year in which the business relationship with you ends. Any claims become statute-barred at this point at the earliest according to the statutory limitation period. Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years. We delete or block the personal data of the data subject as soon as the purpose of the storage is fulfilled. It may also be stored if provided for by the European or national legislator in EU regulations, laws or regulations to which our company is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion of a contract or fulfillment of the contract.

4. Please note

Your consent data will be processed for the use of this website and the use of the implemented Consent Management Platform. We use the Google Cloud Platform, provided by Google Cloud EMEA Ltd. The servers are located in Germany and Belgium. Due to the judgment of the Court of Justice of July 16th, 2020 (Case C311/18), the transfer of personal data to the US on the basis of the Privacy Shield was declared invalid. We would like to inform you that we cannot exclude the fact that data may be transferred to the US and may be subject to access by the US security authorities in accordance with 50 U.S.C. §1881(b)(4), 50 U.S.C. §1881a (= FISA 702). In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Google in accordance with Art. 46 Para. 2 lit. c GDPR. More information can be found in the Data Protection references of Google. Additionally we have taken further safety measures to ensure the security of the data.

IV. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

1. Scope of processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. This is e.g. information like

  • Information about the type and version of your internet browser
  • The operating system of your computer or smartphone
  • Your internet service provider
  • Your IP address
  • Date and time of your access
  • Geographic location
  • Websites from which you came to us
  • Websites that you visit from our site

We collect such technical information in so-called “log files”, so that you can display our website correctly and we can identify the causes of any technical problems, for the technical optimization of our websites and for the purpose of the security of our computer systems and networks. For these purposes, we have a legitimate interest in the processing of data according to Art. 6 para. 1 s. 1 lit. f GDPR. The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Typically, this technical information will be erased or rendered unrecognizable at the latest after seven days. The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website.

V. RESEARCH PARTICIPATION

If you place an order with us, including by signing up for a trial account, we may use your e-mail address to invite you to participate in customer feedback activities such as satisfaction surveys, user interviews, or other forms of product research. These activities help us better understand your experience and improve our products and services. The legal basis for this is Art. 6 para. 1 lit. a GDPR, where you have provided your consent. In some cases, Art. 6 para. 1 lit. f GDPR may also apply, based on our legitimate interest in constantly improving our service and ensuring a high-quality user experience.

VI. COOKIES AND TRACKING TECHNOLOGIES

1. What are Cookies?

Web-Browser-Cookies: A web browser cookie is a small text file sent from a website to your computer or mobile device where it is stored by your web browser. Web browser cookies may store information such as your IP address or other identifier, your browser type, and information about the content you display and interact with on the digital services. By storing such information, web browser cookies can store your preferences and settings for online services and analyze how you use online services. Tracking Technologies: Web Beacons, Pixels, Tags, Script. Emails and mobile applications can contain small, transparent image files or lines of code to record how you interact with them. This information is used to help website and app publishers better analyze and improve their services.

2. Use, legal basis and purpose

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break. The user data collected through technically necessary cookies will not be used to create user profiles.

3. Duration of storage, objection and disposal options

Cookies are stored on the computer of the user and transmitted by this on our side. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.

VII. YOU BECOME A CUSTOMER OF USERCENTRICS

1. Description and scope of data processing

As a customer of Usercentrics some of your data will be processed. This includes the following information

  • Your e-mail address
  • First name and last name
  • if necessary company affiliation
  • Payment information (including first and last name, account details, financial institution and other relevant information for the transaction)
  • other data that we request from you and
  • possibly data that we receive in the course of the business relationship

The data will be processed with the help of Salesforce (Salesforce, Erika-Mann-Straße 31-37, 80636 Munich, Germany). Further information on how the data is handled by Salesforce can be found below.

Additionally, when you choose to sign-up for further Usercentrics services, like the Cookiebot CMP, some of the data you have entered previously (country, domain, etc.) may automatically be transferred and populated in the sign-up form for the other services.

2. Legal basis for processing

Legal basis for the processing of the data is the performance of a contract Art. 6 para. 1 s. 1 lit. b GDPR, as the data is necessary for the fulfillment of a contract or the implementation of pre-contractual measures

3. Purpose of the data processing

The processing of the above mentioned data is necessary in order to carry out the contractual obligations.

4. Opposition and removal possibility

As a customer you always have the option to cancel your account. You can change the data stored about you at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible, unless contractual or legal obligations preclude deletion.

VIII. IMPLEMENTED TECHNOLOGIES

Technologies used on website

Amplitude

We use the services provided by Amplitude, Inc., 501 2nd Street, Suite 100, San Francisco, CA 94107, United States of America (hereinafter Amplitude) for analytics purposes as well as A/B testing and feature flagging. By using the service the Geographic location, Browsing activity, Device information and Device identifiers will be processed. The legal basis for the processing is legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR). The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA and into the United States of America. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Amplitude, you can visit Amplitude’s privacy policy or contact Amplitude at privacy@amplitude.com.

Auth0

We use the authentification service provided by Auth0 Inc, 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA (hereinafter Auth0) to provide login and authentication options. In order to do so the log-in information (e-mail address and password) of the user will be processed. The legal basis for the processing is legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR), as the usage of the service is necessary for a secure log-in. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider. For more information on how data is processed by Auth0, you can visit Auth0’s privacy policy or contact Auth0 at privacy@auth0.com.

Channelscaler

We use the service provided by Allbound Inc, it's Affiliate including Channel Mechanics Technologies Limited DBA Channelscaler , Block 4, Ballybrit Business Park, Ballybrit, Galway, H91 A4XW, Ireland (hereinafter Channelscaler) as a Partner Relationship Management Provider including a Channel Enablement Platform. This service will process information including first and last name, UserID, title, position, company details, contact information, invoice data invoice ID and status, payment information, connection data and localization data of the user. The legal basis for the processing is the performance of a contract (Art. 6 para. 1 s. 1 lit. c GDPR), as the usage of the service is necessary to manage the partnership relationship between the parties. Data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider. For more information on how data is processed by Channelscaler, you can visit Channelscaler’s privacy policy or contact Channelscaler at privacy@channelscaler.com.

Dreamdata

We use the service Dreamdata provided by Dreamdata.io ApS, Kalvebod Brygge 39, st., 1560 København V, Denmark (hereinafter Dreamdata) as a customer attribution service. In order to do so the Name, email address, company name, title, IP address, telephone number, Page URL and User Agent will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For more information on how data is processed by Dreamdata, you can visit Dreamdata’s privacy policyor contact Dreamdata at privacy@dreamdata.io.

Google Analytics 4

We use the service Google Analytics provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter Google Analytics) as an analytics service. In order to do so the device information, IP address, Referrer URL, Geographic location, Browser information, Device Operating System, Screen resolution, Interaction data, Date and time of visit, User behavior, Pages visited, Online identifiers, User ID and Advertising identifier will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Google Analytics, you can visit Google’sprivacy policy.

Google Tag Manager

We use the service Google Tag Manager provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter Google Analytics) as a tag management system. In order to do so aggregated data about tag firing will be processed. The legal basis for the processing is legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR), as this is required for tag firing. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Google Ads, you can visit Google’s privacy policy.

Hotjar

We use the service “Hotjar” provided by Hotjar Limited, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta (hereinafter Hotjar) as an analytics service. In order to do so the Date and time of visit, Device type, Geographic location, IP address, Mouse movements, Pages visited, Referrer URL, Screen resolution, Unique device identifier, Language information, Device operating system, Browser type, Clicks, Domain name and Unique user ID will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Hotjar, you can visit Hotjar’s privacy policy or contact them under dpo@hotjar.com.

LinkedIn Ads

We use the service LinkedIn Ads provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter LinkedIn Ads) as an advertising service. In order to do so the Device information, IP address, Referrer URL, Timestamp, Browser info, Hashed e-mails will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by LinkedIn, you can visit LinkedIn’s privacy policy.

Meta Pixel

We use Meta Pixel for marketing purposes. It is used to track interactions of visitors with the website. This service is provided by Meta Platform Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland. When using this service, data, such as IP address, Browser type and version, Operating system, Screen resolution, Device type, Page views, Clicks, Scroll depth, Time spent on page, Events data, Referrer URL, Host and path of the webpage where the pixel is placed and User agent string might be processed. The legal basis is consent, Art. 6 para. 1 s. 1 lit. a GDPR. You can revoke your consent at any time. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Meta, you can visit Meta’s privacy policy.

Microsoft Advertising

We use the service Microsoft Advertising provided by Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter Microsoft Ads) as an advertising service. In order to do so the Consent data, MSCLKID, Browser language, Clicked advertisements, IP address, Page title, Referrer URL, Screen color depth, Screen resolution, Page load time, Publisher/URL accessed, User identifiers and Hashed e-mails will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Microsoft advertising, you can visit Microsoft’s privacy policy.

Reddit Ads

We use the service Reddit advertising provided by Reddit for Business Reddit UK Limited, 5 New Street Square, London, United Kingdom, EC4A 3TW (hereinafter Google Analytics) as an advertising service. In order to do so the IP address, User agent, Referrer URL, Advertising cookie information, sStandard event data, Device information, Browser information, OS Version, Screen width/height, Hashed e-mails will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider and the provider is included in the Data Privacy Framework List. For more information on how data is processed by Reddit Ads, you can visit Reddit’s privacy policy.

Sentry

We use the service Sentry provided by Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105-2250, USA (hereinafter Sentry). It is used in order to log frontend errors happening for users of our product. In order to do so the following data will be processed: IP- address. The legal basis for the processing is legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR), as it is needed for tracking of errors in our products. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. This service might transfer data outside of the EU/EEA. For that case we have signed standard contractual clauses with the service provider. For more information on how data is processed by Sentry, you can visit Sentry’s privacy policy or contact Sentry at compliance@sentry.io.

Tracify

We use the service Tracify provided by Tracify GmbH, Agnes-Pockels-Bogen 1, 80992 München, Germany (hereinafter Tracify) as an advertising service. In order to do so the IP Address, Geographic location, Usage data, Device information and Browser information will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). You can revoke consent at any time. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For more information on how data is processed by Tracify, you can visit Tracify's privacy policy or contact Tracify at contact@tracify.ai.

Usercentrics Consent Management Platform

We use the service Usercentrics provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany (hereinafter Usercentrics) as a consent management provider. In order to do so the consent information (opt-in and opt-out information, consent ID, time of consent, template version and banner language), Referrer URL, User agent, and IP Address will be processed. The legal basis for the processing is compliance with a legal obligation (Art. 6 para. 1 s. 1 lit. c GDPR). The data will be deleted after one year. For more information on how data is processed by Usercentrics, you can visit Usercentrics privacy policy or contact Usercentrics at privacy@usercentrics.com.

Zendesk

We use the service Zendesk provided by Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA (hereinafter Zendesk) as a support system, which allows users to communicate with Usercentrics. In order to do so the data entered into the ticket will be processed (Name, E-Mail Address, etc.) as well as the IP Address will be processed. The legal basis for the processing is consent (Art. 6 para. 1 s. 1 lit. a GDPR). The user can withdraw their consent at any time. When creating a ticket through Zendesk, you also accept the use of following features on Zendesk: Zendesk Advanced AI, Intelligent triage, Intelligence in the context panel, Generative AI for agents, Macro suggestions for admins, Autoreply and internal note trigger actions, Generative AI for Help Center. You can find further information on the usage of AI by Zendesk here. The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For more information on how data is processed by Zendesk, you can visit Zendesk’s privacy policy or contact Zendesk at privacy@zendesk.com.

Data Transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations. If a third country transfer is provided for and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.

Recipients of Data

Usercentrics does not sell, trade or otherwise transfer to outside parties any personally identifiable information. This does not include trusted third parties or processors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential. We will also share data among the Usercentrics entities (Usercentrics A/S, Usercentrics GmbH, Cybot A/S (including CYBOT A/S, odštěpný závod office in Prague), Usercentrics Unipessoal, Usercentrics Inc.), here also including sharing data among Cookiebot™ and Usercentrics products when needed. All the entities may have access to personally identifiable information on a need to know basis and will be contractually obliged to keep your information confidential (joint controller agreement). We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our rights or the rights of others, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses. We only pass on the data we have collected if this is necessary for the fulfillment of the contract or for the provision of the technical functionality of the website, or if there is another legal basis for passing on the data. In principle, we process your data ourselves. In some cases, however, we also use service providers. In addition to the processors mentioned in this privacy policy, these may include, in particular, data centers that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to processors, they may only use the data to fulfill their tasks. The processors have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us. In addition, disclosure may take place in connection with official enquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement. When governments make a lawful demand for customer data from Usercentrics, Usercentrics strives to limit the disclosure. Usercentrics will only release specific data mandated by the relevant legal demand. If compelled to disclose your data, Usercentrics will promptly notify you and provide a copy of the demand unless legally prohibited from doing so. If Usercentrics commissions third parties with the collection, processing and use of data within the scope of commissioned processing in accordance with Art. 28 GDPR, this will also take place exclusively in compliance with the statutory provisions on data protection.

IX. MINORS

Our services are not aimed at children under 13 years. We do not knowingly collect information from children under the age of 13. If you have not reached the age limit, do not use the services and do not provide us with your personal information. If you are a parent of a child below the age limit and you learn that your child has provided Usercentrics personal information, please contact us at privacy@usercentrics.com and insist on exercising your rights of access, correction, cancellation and / or opposition. If you are resident in California and are under 18 years of age and wish to erase publicly available content, please contact us at privacy@usercentrics.com.

X. YOUR RIGHTS

If we process your personal data you have – after successful identification – the following rights towards us:

  • Right to information (Article 15 GDPR, § 34 BDSG)
  • Right to deletion (Article 17 GDPR, § 35 BDSG)
  • Right to rectification (Article 16 GDPR, Section 34 BDSG)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to withdraw consent (Article 7(3) GDPR)
  • Right to object to certain data processing activities (Article 21 GDPR).

In order to exercise your rights described here, you can contact us at any time using the contact details listed under “Name of the person responsible”. You also have the right to complain to the data protection supervisory authority responsible for us. You can contact the data protection authority in your place of residence, which will then forward your request to the competent authority.

XI. SECURITY AND INTEGRITY OF THE DATA

Protecting the information you give us or that we receive about you is our priority. We take appropriate security measures to protect your information from loss, misuse, and unauthorized access, alteration, disclosure, or destruction. Usercentrics has taken measures to ensure the ongoing confidentiality, integrity, availability and resiliency of systems and services that process personal information, and will restore the availability and access to information in the event of a physical or technical incident in a timely manner.

XII. UPDATES

We reserve the right to update this privacy policy from time to time. In the event that we make material changes that restrict Usercentrics’ rights or obligations under this Privacy Policy, we will publish a clear notice in this section of this Privacy Policy that informs users when they are updated.