Data privacy statement
The protection of your personal data is important to us. With this data privacy statement, we aim to explain to you in more detail what personal data we collect when you use komoot.com and for what purpose the data is used.
Contact information and responsible party
Responsible for the processing of your personal data is:
If you have any questions or suggestions regarding data protection, please feel free to email us at email@example.com.
You can contact our privacy protection officer at firstname.lastname@example.org.
Subject matter of data protection
The subject of data protection is personal data, i.e. all information relating to an identified or identifiable natural person.
Automated data collection
When accessing our website, your device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:
- Browser type and version
- Operating system
- Referrer URL
- URL of the loaded website
- The latency of the network connection
- Date and time of the server request
- Your IP address
We save this data for the following purposes:
- Ensuring the security of our IT systems, for example, to prevent specific attacks on our systems and to identify attack patterns.
- Ensuring the proper operation of our IT systems, for example if errors occur that we can only remedy by storing the IP address.
- To enable criminal prosecution, security or legal prosecution if there are specific indications of criminal offenses.
Your IP address is only saved for a period of 90 days.
In this case, the processing takes place on the basis of our predominant legitimate interests mentioned above (Art. 6 Para. 1 lit.f GDPR).
To be able to use all functions of komoot, you have to register. For this you have to provide the following mandatory information:
- Email address
- Alternatively, you can log into komoot using your Facebook or Apple account. Doing so means we will receive the following information from the Facebook/Apple corporation:
- Email address
- Profile picture (Facebook only)
- An authorisation token
When you sign up via Facebook, all of your Facebook friends that are also on komoot can find you via the search function, unless your Facebook settings determine otherwise. After you sign up, you will receive a registration email in order to activate your komoot account.
Your registration data is necessary in order for komoot to create a user account for you. This is also used to activate and manage your account and to allow you to use all the features of the komoot website. In this way, you opt-in to a (free) user contract which allows us to store the data (according to Art. 6 Para. 1 lit. b GDPR).
In order to conclude the contract, you have to provide us with this data. However, you are neither contractually nor legally obliged to conclude the contract and thus to provide the data.
In addition, you can provide further voluntary information as part of the registration, for example you can save a profile photo, tell others about yourself or indicate your favorite sport. This information is voluntary and not necessary to register you. Please note, however, that this information may be visible to other komoot users according to your settings. You can determine whether you want to be found by other users. We collect this data in order to be able to provide you with the corresponding functions of our website, Art. 6 Para. 1 lit. b GDPR.
When you log in to komoot, we also save your IP address for a short period of time in order to be able to detect and prevent possible attacks and mass misuse of logins to komoot (e.g. so-called brute force attacks) by blocking these IP addresses temporarily if necessary. The processing takes place in order to ensure the security of the processing according to Art. 32 GDPR and based on our legitimate interest in protecting us from misuse of our service (Art. 6 Para. 1 lit.f GDPR). Data is stored for a maximum of 90 days. It is subsequently anonymised.
At komoot, you can interact with other users, for example by publishing personal Highlights, commenting, giving other tips or discussing with other users. You can also follow other users if you want to keep up to date with new posts from them.
The use of these functions is of course voluntary. If you use it, we collect the data you have entered in order to make it accessible to other komoot users in accordance with your settings and the function you use.
If you want, we can also inform you by e-mail or push notification if there is any news about your published posts. You'll also receive an email and a notification if you're set as a safety contact by another user. You’ll also subsequently be notified when the user for whom you’re a safety contact starts a Tour and has Live Tracking enabled. You can manage which notifications you receive in your settings.
Your data is processed for these purposes in order to be able to provide you with the functions within the framework of your user contract (Art. 6 Para. 1 lit. b GDPR).
If you use Live Tracking, a feature of komoot Premium, your location data will be sent to our API at regular intervals during the Tour recording. You can optionally share location data by sending a publicly accessible link or by designating other komoot users as safety contacts. Your safety contacts will receive an email and a message in their profile as soon as you start a new Tour and Live Tracking is active. Your location data will be deleted after 28 days.
Your data is processed for the aforementioned purposes in order to be able to provide you with the functions as part of your user contract (Art. 6 Para. 1 lit. b GDPR).
We transmit payment information to these payment service providers to process the payments for the respective services, Article 6 (1) (b) GDPR. The further processing of payment information by the payment service provider is the sole responsibility of the respective payment service provider. Please note the data protection declarations of the payment service providers. The respective payment service provider is solely responsible for processing your payment data. We have neither access nor influence over it.
We only receive information from the payment service providers that the payment has been properly processed. We process this information along with your name in order to complete the transaction you have made. If you have purchased a voucher from us, we will also process your e-mail address in order to send you the voucher code. The legal basis for processing is Art. 6 (1) (b) GDPR.
In order to be able to conclude the purchase contract, you must provide this data. However, you are neither contractually nor legally obliged to conclude the contract and thus to provide the data.
Support requests submitted through our support center (Zendesk)
If you contact us via our support center, we process:
- Your e-mail address
- The time and date of your request
- The subject and content of your request
- All information included in any attachments you may have uploaded
To process your inquiries via our support center, we use the Zendesk customer service platform, a service provided by Zendesk Inc., 989 Market Street, San Francisco, CA 94103 ("Zendesk") (cf. Art. 4 No. 8 , 28 GDPR).
Your data will be processed in the USA. There is no adequacy decision by the EU Commission for the USA. Therefore, we have concluded the standard data protection clauses approved by the EU Commission with Zendesk corresponding to Article 46 (2) (c) GDPR.
Direct inquiries via our contact details
If you send us inquiries by e-mail or by other means (e.g. by post), your details will be processed to process the enquiry. This includes:
- Your name
- The time and date of your request and the other information you provide us with in your request
Depending on how you contact us or the contact details you have provided, we may also process:
- Your email address
- Your address
Purpose and legal basis of processing
The legal basis for the processing is our legitimate interest (Art. 6 Para. 1 lit. f GDPR) in rapid communication in order to conduct the exchange you are seeking and to be able to process your request properly. In the case of inquiries in connection with an existing or future contractual relationship, processing is carried out to initiate and implement the respective contractual relationship, Art. 6 (1) (b) GDPR. In addition, we have a legitimate interest in the efficient management of our customer relationships, Article 6 (1) (f) GDPR.
We store inquiries about contracts or of potential legal relevance during the general limitation period, i.e. three years from the end of the year in which we received your requests. We store all other inquiries for a period of 24 months. Your requests will then be deleted unless we are legally obliged to keep them for a longer period of time.
The storage takes place on the basis of our legitimate interest, the proper documentation of our business operations and the protection of our legal positions (Art. 6 Para. 1 lit. f GDPR). In the case of inquiries about contracts, the storage takes place to initiate and implement the respective contractual relationship (Art. 6 Para. 1 lit. b GDPR) and, if necessary, to fulfill legal obligations (Art. 6 Para.1 lit. c GDPR).
Security vulnerability reward program
If you have discovered a vulnerability on our website and in our services and report it to us, we will process your contact details as well as other information you have provided in order to receive and process your report and, if necessary, to ask you any questions. If your report is included in our bounty reward program and you qualify for a reward, we also need additional information from you in order to pay you the corresponding reward.
Please note that we may forward reports regarding vulnerabilities on service providers or third parties to them.
The legal basis for the processing of your personal data is Article 6 (1) (f) GDPR. We have a legitimate interest in receiving and processing your report to ensure the security and functionality of our website and services.
We store reports of potentially legal relevance during the general limitation period, i.e. three years from the end of the year in which we received your report. We store all other reports for a period of 24 months. Your report will then be deleted unless we are legally obliged to keep it for a longer period of time.
The storage takes place on the basis of our legitimate interest, the proper documentation of our business operations and the safeguarding of our legal positions (Art. 6 Para. 1 lit. f GDPR) and, if necessary, to fulfill legal obligations (Art. 6 Para.1 lit. c GDPR).
If you register with us, we will inform you about news about our services on the komoot platform about once a month.
In this case, the collection and processing of your personal data takes place due to our legitimate interest in promoting similar services to your user account with komoot (Art. 6 Para. 1 lit. f GDPR, § 7 Para. 3 UWG).
You can object to this at any time - even when registering - by deactivating the corresponding checkbox or by clicking on the link to unsubscribe in the respective emails.
We use reCAPTCHA, a service from Google LLC, 1600 Amphitheater Pkwy Mountain View, California 94043, USA ("Google"), which is integrated into our website and shows the so-called Captchas - small tasks that are easy for people to solve but for machines are difficult to manage. These Captchas help us to prevent the automatic creation of user accounts and thus spam, fraud and other abuse in our community.
Please note that there is currently no adequacy decision by the EU Commission for the USA. Therefore, we have concluded the standard contractual clauses approved by the EU Commission with Google in accordance with Article 46 (2) (c) GDPR.
We use reCaptcha based on our legitimate interest in protecting ourselves from spam, fraud against us and our users and other misuse through automatically created accounts (Art. 6 Para. 1 lit. f GDPR).
Cookies and similar technologies
We store so-called "cookies" and use cookie-like technologies to be able to offer certain functions of our website and to optimize the use of our pages. "Cookies" are small files that are stored on your end device with the help of your internet browser. Similar technologies can be, for example, pixels, scripts, local storage or other comparable technologies for storing information (hereinafter collectively referred to as “cookies”).
- Cookies, which are required to save certain technical data during your visit to our website and the use of the associated services.
- Cookies that ensure that the cookie settings you have made are saved correctly.
Depending on the respective function of these cookies, these cookies are only stored for the duration of your visit (session cookies) or for a longer period of time, e.g. until you actively log out. Cookies for storing your chosen settings and the cookie settings you have made remain stored until the end of the browser session.
If personal data from these cookies are processed, the processing is carried out to ensure the following:
- That our website and the functions provided can be used by you. This is also our legitimate interest, Art. 6 Para. 1 lit. f GDPR
Cookies for analysis purposes
These cookies are used to measure online traffic and analyze behavior. They collect information about how you interact with our website, which pages you have visited and which features of our website you have used. Your usage behavior can be traced using a user ID. This enables us to better understand the use of our website and optimize it accordingly.
If personal data from these cookies is processed, this processing is also based on your consent.
These cookies remain stored on your end device for up to two years, unless you withdraw your consent before this period has expired.
Services relating to the cookies we use for analysis purposes
In this section, we explain the services that we use in the context of the cookies we use for analysis purposes in more detail:
With your permission, we use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
Google will use this information to evaluate your use of the website for us, to create reports on the use of our website and to perform further analyses and evaluations related to the use of our website and internet use. Google can also link this data to other data about you, such as your search history, your personal account, the usage data of other devices and other data that Google has stored about you. Google may also transfer this information to third parties if required to do so by law (e.g. state authorities) or if third parties process this data on Google's behalf.
The use of Google Analytics is based on your consent (Art. 6 Para. 1 lit. a GDPR).
You can withdraw your consent at any time by clicking "Privacy Settings" at the bottom of the page. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent up to the time of revocation.
With your permission, we also use Google Optimize, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), together with Google Analytics.
Google Optimize analyzes the use of different variants of our website and helps us to improve user-friendliness based on the behavior of our users on the website. Google Optimize is a tool integrated into Google Analytics, so the above statements on Google Analytics apply accordingly.
Google Optimize is used on the basis of your consent (Article 6 (1) (a) GDPR).
You can withdraw your consent by adjusting your cookie settings here or by clicking "Privacy Settings" at the bottom of the page. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent up to the time of revocation.
We use Google Firebase, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use Google as a processor (cf. Art 4 No. 8, 28 GDPR).
Google Firebase offers us various services to offer the functionalities of our website. Specifically, we use the following services within the framework of Google Firebase:
Google collects statistical and technical data for us about any website crashes. As intended, they do not receive any personal data. However, should personal data be included, we collect this based on our legitimate interest in the error-free operation of our website and the possibility of troubleshooting (Art. 6 Para. 1 S. 1 lit. f GDPR).
Google stores non-personal statistics about the performance of our website for us, i.e. about the speed and any delays in the process. As intended, this information does not contain any personal data. However, should personal data be included, we collect this based on our legitimate interest in error-free and needs-based operation of our website and the possibility of error detection and correction (Art. 6 Para. 1 S. 1 lit. f GDPR).
We use the A/B testing functions of Google Firebase to be able to test innovations as part of the product development of our website. As part of this, non-personal statistical data is collected. The use is based on our legitimate interest in the needs-based design of our website (Art. 6 Para. 1 S. 1 lit. f GDPR) to address your device and play out content as a test, technical data must be processed via your end device.
If you want, you can use social plugins to share the content of our website on social networks. We have provided a two-click solution: If you want to share content via such a plugin, you must first click on an icon of the corresponding social network. This click then unlocks the plug-in of the respective social network for the future.
Only then will various data be transmitted to the respective social network. This can include:
- Date and time of the visit to the website
- Browser used
- Operating system used
- URL of the website you previously visited (“referrer”)
- URL of the website you are on
- Your IP address
You can withdraw your consent by adjusting settings here or by clicking “Privacy Settings” at the bottom of the page. Withdrawing your consent does not affect the lawfulness of the processing carried out on the basis of your consent up until the moment you withdrew it.
If you are logged into the respective social network while visiting our site, the provider may recognize that you visited our site and assign the visit to your account. If you use the plugin functions (e.g. clicking the "Like" button, submitting a comment), this information will also be transmitted from your browser directly to the respective social network and saved there if necessary. The purpose and scope of the data collection and the further processing and use of the data by the networks can be found in the data protection information of the respective social network.
We use New Relic, a service of New Relic, Inc. 188 Spear Street, Suite 1200, San Francisco, CA 94105 ("New Relic"). This allows us to monitor the proper operation of our website, to recognize errors and to remedy them promptly. New Relic collects your IP address and determines the approximate geographical region in which you are located, so that we can recognize if our website is not working properly in certain regions (e.g. due to network problems). After assigning the region, your IP address will be deleted by New Relic. No other personal data will be processed. This processing is necessary to ensure the smooth operation of our contractual services (Art. 6 Para. 1 lit. b GDPR) and to safeguard our legitimate interest in the proper and safe operation of our website (Art. 6 Para. 1 lit. f GDPR).
The processing is done by New Relic in the USA. There is no adequacy decision by the EU Commission for the USA. Therefore, with NewRelic, we adhere to the standard data protection clauses approved by the EU Commission in accordance with Art. 46 Para. 2 lit. c GDPR.
Integrated third-party content
We have also included third-party content on our website. This content is loaded from the servers of the respective providers, so that your end device transmits certain technically necessary data to the third party provider. In particular, it is not excluded that these providers can take note of the IP address assigned to you. As far as personal data is processed, this is done on the basis of the data protection declarations of the respective third party providers. The inclusion of your data is processed to allow us to display corresponding content and to offer necessary functions, as well as allowing us to operate our website more efficiently as long as this doesn't infringe on your own legitimate interests (Art. 6 para. 1 lit. f GDPR). We include the following third-party content:
To activate Google Street View in our maps, we integrate Google Maps, a service for users in the EU from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For users outside of the EU, this service is provided by Google LLC, 1600 Amphitheater Pkwy Mountain View, California 94043, USA ("Google"). There is no adequacy decision by the EU Commission for the USA. Therefore, with Google, we adhere to the standard data protection clauses approved by the EU Commission in accordance with Art. 46 Para. 2 lit. c GDPR.
We use YouTube videos. YouTube is a service of Google LLC, 1600 Amphitheater Pkwy Mountain View, California 94043, USA, for users from the EU of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). There is no adequacy decision by the EU Commission for the USA. Therefore, with Google, we adhere to the standard data protection clauses approved by the EU Commission in accordance with Art. 46 Para. 2 lit. c GDPR.
We integrate videos from Vimeo. Vimeo is a service of Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. There is no adequacy decision by the EU Commission for the USA. Therefore, with Vimeo, we adhere to the standard data protection clauses approved by the EU Commission in accordance with Art. 46 Para. 2 lit. c GDPR.
We operate our website on the servers of our web host Amazon Web Service EMEA Sarl, 38 avenue John F. Kennedy, L-1855, Luxembourg, which processes personal data on our behalf. Processing takes place only within the European Union.
When you apply for a job at komoot, we process the following:
- Your name
- Your email address
- Your application documents, including all supplementary information that you attach to your application
- Any additional content that you upload to our application portal
If you go through our application process, other personal data will also be processed, especially as part of the challenges and if we make notes or have questions for you during an interview. We also reserve the right to cross-check professional information that you have published or that you make available on professional networks, insofar as this is necessary to process your application. You can find more information about the application process at: How does our recruitment process work? | komoot.
Your personal data is processed to process your application or to decide on the establishment of an employment relationship. Your data in connection with your application will only be made accessible to the persons responsible for the application within our company. The data processing takes place on the legal basis of § 26 paragraph 1, 3 BDSG.
In addition, we also process information regarding how you became aware of komoot. We process this information in order to be able to better evaluate and optimize the reach of our recruiting measures. This is also in our legitimate interest, Art. 6 Para. 1 lit. f GDPR.
You are neither legally nor contractually obliged to provide your personal data. However, the provision of the data required to receive and process your application is necessary both for this receipt and processing of your application and for the decision to establish an employment relationship with you. If you do not provide us with the necessary personal data in connection with your application, we cannot consider your application.
If we are unfortunately unable to offer you a position, your application documents will generally be kept for up to 4 months after the end of the respective application process in order to be able to answer any questions in connection with your application. Further storage can take place if this is necessary for providing evidence, in particular for defending against, asserting or enforcing claims (Art. 6 Para. 1 lit. f GDPR).
Otherwise, we only store your applicant data if you have expressly consented to it (Article 6 (1) (a) GDPR). You can revoke your consent at any time with effect for the future. You can use the contact details above to do this. A revocation does not affect the processing that has taken place up to your revocation.
To receive and process applications, we use the Workable platform, a service provided by Workable Software Limited, 5 Golden Square, 5th Floor, London, W1F 9BS, United Kingdom ("Workable"). As our processor, Workable processes your personal data exclusively in accordance with our instructions (cf. Art. 4 No. 8, 28 GDPR). For the United Kingdom, there is an adequacy decision by the EU Commission in accordance with Art. 45 (1) GDPR, according to which the United Kingdom offers an appropriate level of protection.
Our social media presence
We operate pages or profiles on different social media platforms. In this context, the processing of personal data described below takes place.
If you interact with us via our social media pages or our posts, we will collect and process the data you have provided, including your username and your profile photo (if applicable). The relevant processing takes place regularly on the basis of our legitimate interest in making the corresponding functions available on our social media pages (Art. 6 Para. 1 lit. f GDPR) and, if necessary, on the basis of your consent to the operator of the respective network (Art . 6 (1) (a) GDPR) or your contractual relationship with the operator (Art. 6 (1) (b) GDPR). Please also note that this content will be published on our relevant social media pages according to your account settings and may be accessible by anyone worldwide.
Further data processing by us can be carried out in order to be able to receive and process inquiries or messages via our social media pages (Art. 6 Para. 1 lit. b GDPR).
Uploaded content can be stored for an unlimited period of time. If you would like us to remove content you have uploaded to our social media site, please send us an email with your request to the contact details given under point 1.
In addition, the respective operators collect and process personal data from you under their own data protection responsibility when you visit our social media pages and/or interact with them or our contributions. This applies in particular if you are registered or logged in to the relevant social media network. Even if you are not logged into a social media network, the operators collect certain personal data when you visit the site, such as unique identifiers that are linked to your browser or your device. Please note that this data may be merged across different platforms and services if they are operated by the same operator. Further information can be found in the data protection notices of the respective operators, to which we refer below.
Specifically, we operate the following social media presences:
You can also find us on Facebook at https://www.facebook.com/komoot.
For users outside of the USA and Canada, Facebook is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For users in the USA and Canada, Meta Platforms Inc., 1601 Willow Road Menlo Park, CA 9402, USA, operates Facebook.
Even if you are not registered with Facebook and visit our Facebook fan page, Meta Platforms can collect pseudonymous usage data from you. You can find more information in the Meta Platforms data policy at https://de-de.facebook.com/about/privacy/ and at https://www.facebook.com/legal/terms/information_about_page_insights_data. In the data policy you will also find information about the setting options for your Facebook account.
Meta Platforms may share your data within the Meta group of companies and with other third parties. This can lead to a transfer of personal data to the USA and other third countries for which there is no adequacy decision by the EU Commission. In this case, Facebook Ireland will use the standard contractual clauses approved by the EU Commission in accordance with Article 46(2)(c) GDPR. You can also refer to the Meta Platforms Data Policy for more information.
In addition, together with Meta Platforms Ireland Limited, we are responsible for the processing of so-called insights data when you visit our Facebook fan page. With the help of this insight data, Meta Platforms Ireland Limited analyzes the behavior on our Facebook fan page and makes this data available to us in an anonymous form. To this end, we have entered into a joint data controllership agreement with Meta Platforms Ireland Limited, which you can view here. Among other things, Meta Platforms Ireland Limited undertakes the primary responsibility under the GDPR for the processing of Insights data and to fulfil all obligations according to all GDPR regulations regarding the processing of Insights data. The processing serves our legitimate economic interests in the optimization and needs-based design of our Facebook fan page, Art. 6 Para. 1 lit f. GDPR. Additionally, we also draw your attention to the following:
If you visit or like our Facebook page as a registered Facebook user, Meta Platforms Ireland Limited collects personal data from you. If you are not registered with Facebook and visit the Facebook page, Meta Platforms can collect pseudonymous usage data from you.
In detail, the following information is collected by Meta Platforms:
- Going to a page, post or video from a page
- Subscribing or unsubscribing to/from a page
Liking or unliking a page or post
Recommending a page in a post or comment
- Commenting, sharing, or reacting to a page post (including how you react)
- Hiding a page post or reporting it as spam
- Clicking a link that leads to the page from another page on Facebook or from a website outside of Facebook
Hovering over a page's name or profile picture to see a preview of the page's contents
- Clicking the website, phone number, "Get Directions" button, or any other button on a page
- Information about whether you are logged in from a computer or mobile device while visiting or interacting with a site or its content.
Provision of your data
You are neither legally nor contractually obliged to provide your personal data; furthermore, the provision of your personal data - unless expressly mentioned in the aforementioned clauses - is not necessary for the conclusion of a contract.
However, the provision of your personal data is necessary to a certain extent so that we can provide you with the functions on our website. In particular, the provision of your data is necessary so in order to:
- Effectively make use of the community functions
- Process any requests/messages you submit to us
If it is necessary to provide your data, we will point this out to you when you enter it by marking it as a mandatory field. Providing further data is voluntary. In the case of required data, failure to provide this data means that we cannot provide you with the relevant functions of our website and cannot receive and process your inquiries or reports.
In other cases, non-provision may mean that we do not provide the relevant functions or not to the usual extent, or that we are only able to process your inquiries and reports to a limited extent.
Disclosure of your data
Your data will only be passed on as described in this data protection declaration to the following extent:
- If it is necessary to clarify the illegal use of our website and services or for legal prosecution, personal data will be forwarded to external consultants (e.g. lawyers), the law enforcement authorities and, if necessary, to injured third parties. However, this only happens if there are concrete indications of illegal or abusive behavior. A transfer can also take place if this serves to assert, exercise or defend claims. We are also legally obliged to provide information to certain public bodies upon request. These are criminal prosecution authorities, authorities that prosecute administrative offenses subject to fines and the financial authorities.
In addition, your personal data may also be passed on if we are exposed to other claims by third parties, which may include information about your data.
This data is passed on on the basis of our legitimate interest in combating abuse, prosecuting criminal offenses and asserting, exercising or defending claims according to article 6 (1) (f) GDPR or on the basis of a legal obligation under article 6 Paragraph 1 lit. c GDPR.
- For the provision of the services, we rely on contractually linked third-party companies and external service providers, so-called processors (cf. Art. 4 No. 8, 28 GDPR). In such cases, personal data is passed on to these processors in order to enable them to carry out further processing. These processors process personal data on our behalf and are strictly bound by instructions.
In addition to the processing parties already mentioned in this data protection declaration, we also use the following categories of processors:
- IT service providers
- Cloud service providers
- Software service providers
- As part of administrative processes and the organization of our operations, financial accounting and compliance with legal obligations (such as archiving), we disclose or transmit your data to financial administrations and consultants. These include tax consultants or auditors as well as other fee offices and payment service providers.
This data is transmitted on the basis of our legitimate interest in maintaining our business activities, performing our tasks, asserting, exercising or defending claims (according to Art. 6 (1) lit. f GDPR) or on the basis of a legal obligation (according to Art. 6 Paragraph 1 lit. c GDPR).
- As part of the further development of our business, the structure of our company may change as a result of a change in legal form, establishment, acquisition or sale of subsidiaries, parts of companies or components. In such transactions, user information is shared with the part of the transferring company. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is done in accordance with this data protection declaration and the relevant data protection laws.
The transfer of personal data is justified by the fact that we have a legitimate interest in adapting our company’s form to fit economic and legal circumstances in accordance with Art. 6 Para. 1 lit. f GDPR.
Transfer of data to third-party countries
We also process data in countries outside the European Economic Area ("EEA"), in so-called third-party countries, or transfer data to recipients in these third-party countries.
This also includes the USA. Please note that there is currently no adequacy decision by the EU Commission that these third countries generally have an adequate level of data protection. For the USA in particular, there is currently no corresponding adequacy decision by the EU Commission.
Insofar as your personal data is transferred beyond the cases described in this data protection declaration to recipients outside the European Economic Area, we transfer your data to third-party countries for which there is an adequacy decision by the EU Commission in accordance with Article 45 (1) GDPR.
If such an adequacy decision exists, we use the standard contractual clauses approved by the EU Commission in accordance with Article 46 (2) (c) GDPR when structuring the contractual relationships with recipients in third-party countries. You can request a corresponding copy of these standard contractual clauses as well as information on the additional measures that we have taken to ensure an appropriate level of data protection using the contact details given under point 1.
Automated decision making and visitor profiling
We do not use automation to make specific decisions in regards to profiling.
Deletion of your data
Unless otherwise stated, we will delete or anonymize your personal data as soon as it is no longer required for the purposes for which we collected or used it in accordance with the preceding paragraphs. As a rule, we store your personal data for the duration of the usage or contractual relationship via the website plus a period of 30 days in which we keep backup copies after the deletion. We will also keep your data if we are obliged to do so for legal reasons or if the data is needed for criminal prosecution or to secure, assert or enforce legal claims.
If you delete your user account, your profile will be completely and permanently deleted. However, we will keep backup copies of your data for a period of 30 days before they are finally deleted, provided that this data is no longer required for legal reasons or for criminal prosecution or to secure, assert or enforce legal claims.
We also keep your data for the following reasons:
- If we are obliged to do so for legal reasons, Article 6 (1) (c) GDPR. Insofar as we are legally obliged to store it, we store your data for the period prescribed by law. Legal requirements for storage can result in particular from the retention periods of the German Commercial Code (HGB) or the Tax Code (AO). The retention period according to these regulations is usually between 6 and 10 years from the end of the year in which the corresponding process was completed.
- If the data is required for a longer period of time for criminal prosecution or for the assertion, exercise or defense of legal claims. This is also our legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. Storage then takes place until the relevant process has been completed plus the statutory limitation period.
If data must be stored for legal reasons, processing will be restricted. The data is then no longer available for further use.
Your rights as a data subject
With regard to the processing of your personal data, you have the rights described below. To assert your rights, you can submit an application by post or email to the address given in Section 1 above.
Right to information
You have the right to receive information from us at any time on request about the personal data processed by us in the scope and under the conditions of Art. 15 GDPR and § 34 BDSG. To do this, you can submit an application by post or email to the above address.
Right to correct incorrect data
You have the right to request that we immediately correct your personal data if it is incorrect. For this, please contact the contact addresses given above.
Right to cancellation
You have the right, under the conditions described in Art. 17 GDPR and § 35 BDSG, to request that we delete your personal data. These requirements provide in particular a right to erasure if the personal data is no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the obligation to erase them under EU law or the law of the Member State to which we are subject. For the period of data storage, see also section 25 of this data protection declaration.
Right to restriction of processing
You have the right to demand that we restrict processing in accordance with Art. 18 GDPR.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common, machine-readable format in accordance with Art. 20 GDPR. In order to assert your above right, please contact the above address.
Right to object
You have the right to object to the processing of your personal data at any time for reasons that arise from your particular situation on the basis of Art. 6 Para. 1 (GDPR). Your right to objection exists for reasons arising out of your particular situation, unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or if the processing is necessary for the assertion and exercise of or defence against legal claims (Art. 21 (1) GDPR).
If we process your personal data for direct marketing purposes, including profiling, you have the right to object to this processing. After your objection, we will stop processing.
Unless otherwise stated in this data protection declaration, please use the contact addresses given in Section 1 above to assert your abovementioned right.
Right to complain
You have the right to contact a supervisory authority of your choice in the event of complaints.
Data processing when exercising your rights
Finally, we would like to point out that we process the personal data transmitted by you when you exercise your rights in accordance with Article 7 (3) sentence 1 GDPR and Articles 15 to 22 GDPR for the purpose of implementing these rights and to provide evidence of this and, if necessary, to defend legal positions. The processing of your data to fulfil your rights as a data subject is based on the legal basis of Art. 6 (1) (c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34 (2) BDSG. Insofar as we process the personal data for the purposes of legal defense, this is also our legitimate interest, Art. 6 Para. 1 lit. f GDPR.
For the sake of completeness, we would like to point out that any personal data in connection with requests to exercise your rights to fulfil the legal documentation obligations in accordance with GDPR (and in particular to prove the timely response to your request) is stored for the duration of the regular limitation period of three years, beginning with the end of the year in which your application was finally processed by us.
The legal basis for storage is Art. 6 (1) (f) GDPR. It is in our legitimate interest to provide and document the aforementioned evidence.
This personal data will be blocked and will not be processed for other purposes, unless the processing is necessary for the establishment, exercise or defense of legal claims. This is also in our legitimate interest, according to art. 6 Para. 1 lit. f GDPR.
You are neither contractually nor legally obliged to provide your personal data, but we can refuse to fulfil your request to exercise your rights as a data subject in accordance with Art. 12 Para 2 when you do not provide the required data.
Changes to this data protection declaration
The current version of this data protection declaration is always available at https://www.komoot.de/privacy.
Status as of 2022-05-17