1. Important information and who we are
2. Overview of processing operations
3. Relevant legal basis
4. Security Measure
5. Transfer and disclosure of personal data
6. International Transfers
9. Web Analysis
10. Online marketing
11. Use of third party tools and services
12. Retention of data
14. Changes to your information
15. Your legal rights
1. IMPORTANT INFORMATION AND WHO WE ARE
VAHA Technologies Ltd is the controller and is responsible for its website, www.vaha.com.
Data Protection Officer – Contact details
Full name of legal entity: ePrivacy GmbH
Email address: firstname.lastname@example.org
Postal address: Große Bleichen 21, 20354 Hamburg
You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
2. OVERVIEW OF PROCESSING OPERATIONS
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Categories of data
- Identity data (names, addresses, etc.).
- Content data (text inputs, photographs, videos).
- Contact data (e-mail, telephone numbers).
- Financial Data (bank account and payment card details). Unless we tell you otherwise at the time of your purchase or application for financing, your Financial Data is processed by our third party processors and we do not collect, store or maintain your Financial Data (Please see section 5 (Transfer and Disclosure of Personal Data) below.
- Transaction Data (details about payments to and from you and other details of products and services you have purchased from us).
- Health and nutrition data.
- Meta/communication data (device information, IP addresses).
- Usage data (websites visited, interest in content, access times).
- Location data.
Categories of data subjects
- Interested parties.
- Communication partners.
- Users (website visitors).
Purposes of processing
- Provision of our online offer and user friendliness.
- Visitor action evaluation.
- Cross-device tracking (processing of user data across devices for marketing purposes).
- Interest-based and behavioral marketing.
- Contact requests and communication.
- Conversion measurement (measuring the effectiveness of marketing efforts).
- Profiling (creating profiles of users).
- Reach measurement (access statistics, recognition of returning visitors).
- Tracking (interest/behavioral profiling, cookies).
- Contractual services.
- Training planning, training consulting, training optimisation.
- Target group formation (determination of relevant target groups for marketing purposes or other content output).
Failure to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. RELEVANT LEGAL BASIS
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances in accordance with current UK data protection legislation (“UK GDPR”), which is based on the EU’s General Data Protection Regulation ((EU) 2016/679):
- Where you have given your consent to the processing of your data for one or more specific purposes.
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Type of data
Lawful basis for processing including basis of legitimate interest
To register you as a new customer
Performance of a contract with you
To process and deliver your order including:
(a) Manage payments, fees and charge
(b) Collect and recover money owed to us
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(b) Asking you to provide comment or take a survey
(d) Marketing and Communications
(a) Necessary to comply with a legal obligation
(b) Necessary for our legitimate interests (to keep our records updated and to evaluate your feedback)
To enable you to partake in or complete a survey
(e) Marketing and Communications
Necessary for our legitimate interests (evaluate your feedback)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To use data analytics to improve our website, products/services, customer relationships and experiences
Necessary for our legitimate interests (to define types of contributors to keep our website updated and relevant, to develop our business and to inform our strategies)
To make suggestions and recommendations to you about services that may be of interest to you
(f) Marketing and Communications
Necessary for our legitimate interests (to develop our products/services and grow our business)
Please note that in addition to the UK GDPR, the national data protection regulations in your country of residence and domicile may apply.
4. SECURITY MEASURES
We take appropriate technical and organisational measures in accordance with the UK GDPR, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data on a “need to know” basis, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. We have put in place procedures to ensure the exercise of your data rights, the deletion of data, our response to data compromise, and to deal with any suspected personal data breach. We will notify you and any applicable regulator of a breach in compliance with our legal obligations.
SSL encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.
5. TRANSFER AND DISCLOSURE OF PERSONAL DATA
In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers entrusted with IT tasks or providers of services and content incorporated into a website. Where this is necessary we will put in place appropriate agreements with the recipients of your personal data that serve to protect it. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. INTERNATIONAL TRANSFERS
We share your personal data within our group. This will involve transferring your data outside the UK in compliance with the UK GDPR, specifically to our parent company in Germany, etone Motion Analysis GmbH. Many of our external third parties are also based outside the UK so their processing of your personal data will also involve a transfer of data outside the UK. A list of these third parties can be requested, sending an email to email@example.com.
By agreeing to our terms you are consenting to transfers of your personal data to these organizations outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed under English law to provide an adequate level of protection for personal data.
- If we need to transfer data to a country without such an adequacy ruling, we will only transfer you data under contracts with the relevant organizations in those countries that seek to appropriately protect your data.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
"Cookies" are small files that are stored on users' devices. Within the cookies, different information can be stored. The information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched.
Cookies are also generally used when a user's interests or behavior (e.g. viewing certain content, using functions, etc.) are stored in a user profile via individual websites. These profiles are used, for example, to display ads to users that match their potential interests.
When contacting us (e.g. by contact form, e-mail, telephone or via social media), your information is processed to the extent necessary to respond to your requests and to take any requested measures.
The response to the contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or respond to (pre) contractual inquiries and otherwise on the basis of the legitimate interests in responding to the inquiries.
9. WEB ANALYSIS
Web analytics (also referred to as "reach analysis"), is used to evaluate the flow of visitors to our online offering and may include their behaviour, interests or demographic information, such as age or gender as pseudonymous values. With the help of reach analysis, we can see, for example, at what time our online offer or its functions or content are most frequently used or invite re-use, as well as which areas require optimisation.
In addition to web analytics, we may also use testing procedures, for example, to test and optimise different versions of our online offering or its components.
10. ONLINE MARKETING
We process personal data for online marketing purposes, which includes, in particular, the presentation of promotional and other content based on the potential interests of users and measurement of its effectiveness.
For these purposes, profiles of the users may be created and stored in a file (a "cookie") in order to analyse relevant information about the user. This information may include, content viewed, websites visited and interactions made, online networks used, and technical information such as the browser and computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.
The IP addresses of the users are also stored. However, we use an existing IP masking procedure (i.e., pseudonymisation by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimisation, no clear data of the users (such as e-mail addresses or names) are stored, only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, only pseudonymised information stored in their profiles.
The stored cookies can be read later, generally also on other websites that use the same online marketing procedure, and analysed for the purpose of displaying content, as well as stored supplemented with other data and saved on the server of the online marketing procedure provider.
In principle, we only receive access to summarised information about the success of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e., for example, to a conclusion of a contract with us. The conversion measurement is used solely to analyse the success of our marketing measures.
11. USE OF THIRD-PARTY TOOLS AND SERVICES
We use certain third-party tools and services in the provision of our online offer. For example, we include functional and content elements (such as graphics, videos, or social media buttons as well as posts) that are obtained from the servers of their respective providers.
These third-party tools and services include:
- Web hosting services: In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. Data processed in the course of providing the hosting service regularly includes the user’s IP address and all interactions with our online offer.
The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders, as well as further information regarding the e-mail dispatch (e.g. the providers involved) and the contents of the respective e-mails are processed.
We and our web hosting provider collect data each time the server is accessed (server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page).
Web hosting services are provided to us by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (https://www.hetzner.de/rechtliches/datenschutz).
- Facebook pixel: With the help of the Facebook pixel, it is possible for Facebook, on the one hand, to determine the visitors to our online offer as a target group for the display of advertisements.
- LinkedIn pixel: With the help of the LinkedIn insight tag, it is possible for LinkedIn, on the one hand, to determine the visitors to our online offering as a target group for the display of ads.
- Google Analytics: online marketing and web analytics; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
- Google Ads and conversion measurement: we use the "Google Marketing Platform" (and services such as "Google Ads") to place ads in the Google advertising network (e.g., in search results, in videos, on web pages, etc.). We also measure the conversion rate of these ads.
- Google Fonts: We integrate Google Fonts into our website, whereby user data is used solely for the purpose of displaying website fonts in the user's browser.
Please contact us at firstname.lastname@example.org for further information on our use of these tools and services.
There are various ways of opting out of these tools and services. In addition to any opt-out options given by the providers themselves, you have the option of switching off cookies in your browser settings. However, this may restrict functions of our online offer.
We therefore recommend the following additional opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: http://optout.aboutads.info.
12. RETENTION OF DATA
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your data: see “Your Legal Rights” below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
14. CHANGES TO YOUR INFORMATION
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
15. YOUR LEGAL RIGHTS
You have rights under the relevant data protection laws in relation to your personal data:
- Right to object: you have the right to object at any time to the processing of personal data concerning you which is carried out by us on a lawful basis under articles 6(1)(a), (b), (c) and (f) of the UK GDPR) – ie processing on the basis of your consent, processing necessary to effect the contract between us, processing in compliance with legal obligations and processing on the basis of legitimate interests; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: you have the right to revoke any consent given at any time
- Right to information: you have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with the legal requirements (commonly known as a “data subject access request”).
- Right to rectification: you have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be rectified.
- Right to erasure and restriction of processing: you have the right, in accordance with the law, to request that data concerning you be erased without delay, or alternatively, in accordance with the law, to request restriction of the processing of the data.
- Right to data portability: you have the right to receive data concerning you, which you have provided to us, in a structured, common and machine-readable format in accordance with the legal requirements, or to demand its transfer to another responsible party.
If you wish to exercise any of the rights set out above, please contact us.
No Fee Usually Required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What We May Need From You
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit To Respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113 or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites).
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
- Conversion measurement: Conversion measurement is a method used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing measures take place and then retrieved again on the target website. In this way it can be tracked whether the ads we have placed on other websites have been successful.
- Cross-device tracking: Cross-device tracking is a form of tracking in which users' behavioral and interest information is collected across devices in so-called profiles by assigning users an online identifier. This allows user information to be analysed independently of the browsers or devices used (e.g. cell phones or desktop computers), usually for marketing purposes. For most providers, the online identifier is not linked to clear data such as names, postal addresses or e-mail addresses.
- IP masking: IP masking refers to a method in which the last octet, i.e., the last two numbers of an IP address, are deleted so that the IP address can no longer be used to uniquely identify a person. IP masking is a means of pseudonymising processing methods, especially in online marketing.
- Location data: Data that indicates the location of an end user's device.
- Processing: Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, be it collection, evaluation, storage, transmission or deletion.
- Profiling: Profiling is any type of automated processing of personal data that consists of using such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include information regarding age, gender, location data and movement data, interaction with websites and their content, shopping behavior, social interactions with other people) (e.g., interests in certain content or products, click behavior on a website or location). Cookies and web beacons are often used for profiling purposes.
- Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online site and may include visitors' behavior or interests in certain information, such as content on web pages. With the help of reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them, for example, to better optimise website content to meet the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses of the use of an online offer.
- Remarketing: we speak of remarketing, or retargeting, when, for example, it is noted for advertising purposes which products a user was interested in on a website, in order to remind the user of these products on other websites, e.g. in advertisements.
- Target group formation: We speak of target group formation (or "custom audiences") when target groups are determined for advertising purposes, e.g., display of advertisements. For example, based on a user's interest in certain products or topics on the Internet, it can be concluded that this user is interested in advertisements for similar products or the online store in which the user viewed the products. In turn, we speak of "lookalike audiences" (or similar target groups) when the content deemed suitable is displayed to users whose profiles, or interests, presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating custom and lookalike audiences. Custom audiences can be formed by processing visitors to an online offering or can be uploaded to the provider of an online marketing process (which is usually done pseudonymously).
- Tracking: This is when the behavior of users can be tracked across several online services. In this case, behavioral and interest information is usually stored in cookies or on servers of the providers of the tracking technologies with regard to the online offers used (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that presumably correspond to their interests.