Data protection policy for the services of MyPostcard.com GmbH
With this data protection policy, we, MyPostcard.com GmbH, Hohenzollerndamm 3, 10717 Berlin (hereafter "MyPostcard" or "we"), undertake to inform you of all data protection aspects of the offering on the mypostcard.com website (the "Website") and our mobile app ("App") (collectively "Services") We collect, process and use your personal data only in accordance with the following data protection policy. Personal data in this sense are all individual details about personal or factual circumstances of a specific or identifiable natural person, such as, for example, your name, telephone number, address, and any other information you provide to us when registering, using our services or contacting us ("Personal Information").
I. Responsibility for data processing
MyPostcard is responsible for data processing in accordance with Article 4 No. 7 of EU Regulation 2016/679 ("GDPR").
II. Collection and storage of personal data and the nature and purpose of their use
1. Processing data for the use of our services
If you access the website via your browser or the app via your mobile device, we only collect personal data that your browser or mobile device automatically transmits to enable you to visit our website or app and the stability and to ensure safety. This can be specifically
- your IP address,
- your device identifier, i.e. the unique number of the terminal,
- content, date and time of the request,
- the time zone of the requesting computer or mobile terminal,
- the website from which the request was forwarded,
- the requested page,
- the http status code,
- the transferred amount of data,
- browser ID,
- your operating system,
- language and version of the browser software as well as
- mobile device identifier (IDFA, IDFV and AAID).
- ensure a smooth connection of the website,
- the display of our services and products,
- the usability of our services,
- the evaluation and system security and stability as well as
- further administrative purposes.
2. Processing of data when using the contact form
We offer you the opportunity to contact us via a form provided on the website. To use it, you must enter your name and a valid e-mail address. The processing of this data serves our legitimate interest in answering your contact requests properly and is therefore based on Art. 6 para. 1 sentence 1 lit. f GDPR.
3. Processing of data for the use of our services and the purchase of our products
If you want to use our services and products, you may be asked at various times to provide us with personal data such as
- Your name,
- Your date of birth,
- Your address,
- Your email address,
- Your telephone number or mobile phone number,
- Photographs and to provide payment information.
Your personal data is processed by us for the following purposes and is necessary for these:
- pursuant to Art. 6 para. 1 p. 1 lit. b GDPR for the fulfilment of contractual obligations or for the performance of pre-contractual measures: to process your purchases, process your payments and to be able to offer you customer service, to correspond with you, to process claims by you or by us, to ensure the technical administration of our website and to manage our customer data;
- pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR on the basis of legal requirements or pursuant to Art. 6 para. 1 sentence 1 lit. e GDPR in the public interest: to protect you and us (including our affiliated companies) against fraud;
- pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of your consent, insofar as you have given us permission to access contacts (surname, first name, address and, if applicable, date of birth and email address) on your end device in order to save them in your address book in the app. You can revoke your consent at any time by revoking the authorisation to access saved contacts in the settings on your end device;
- pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of your consent to receive push notifications on your terminal device to remind you of upcoming birthdays of your contacts. Insofar as you have added the date of birth to your contacts in your address book in the app or this has been transferred to your address book within the scope of accessing your contacts with your consent in accordance with the above, we will send you push notifications on your end device to remind you of upcoming birthdays of your contacts in the address book, but only insofar as you have expressly consented to receive such push notifications. You can revoke your consent at any time by deactivating the push notifications in the app;
- pursuant to Art. 6 para. 1 p. 1 lit. f GDPR on the basis of our legitimate interest to send reminders of upcoming birthdays by email. Insofar as you have added the date of birth to your contacts in your address book in the app or this has been transferred to your address book in the course of accessing your contacts with your consent in accordance with the above, we will remind you of your contacts' upcoming birthdays by e-mail. We have a legitimate interest in making existing customers aware of our greeting card and postcard service by sending them reminders of their contacts' upcoming birthdays. You can object to the processing of your data for the purpose of sending the reminders by e-mail at any time, e.g. by unsubscribing from these reminders by clicking on the unsubscribe link contained in each such e-mail.
Note: If you are the recipient of a postcard or greeting card sent by one of our customers, we will inform you about the processing of your personal data in accordance with the legal provisions (Art. 14 GDPR) in a separate data protection declaration. You can find this here.
III. Disclosure of your data to processors and third parties
To process your data, we use specialized external service providers such as payment service providers, server management providers, IT service providers, online marketing providers, providers of ecommerce / webshop software, digital support systems, marketing automation solution providers, and web analytics tool providers, etc.. These are carefully selected and commissioned by us, are bound by our instructions and are checked regularly. Furthermore, we may pass on your personal data to third parties (such as shipping companies, cooperation partners, etc.) if this is necessary for the execution of a contract closed with you under Art. 6 para. 1 sentence 1 lit. b or in order to safeguard our legitimate interests under Art. 6 para. 1 sentence 1 lit. f GDPR is required. Finally, we transfer your information to our affiliate, MyPostcard.com Inc., 433 Broadway, 2nd Floor, 10013 NY, New York, USA, to the extent necessary to protect our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. 1 GDPR is required. These interests include, in particular, support services in the context of processing of your order, customer support and the guarantee of smooth business operations. Incidentally, your personal data will only be forwarded to third parties if you have previously consented and submitted them in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR or a legal permission in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR is present.
IV. Transfer of personal data abroad
Insofar as we transfer personal data to countries outside the European Economic Area, we ensure that the recipient of the data guarantees an adequate level of data protection in accordance with Art. 45 GDPR. In the absence of an adequacy agreement, MyPostcard will ensure that the recipients of the data have provided suitable guarantees in accordance with Art. 46 GDPR and, in particular, use the standard European Union model contracts for the transfer of data to other EU countries, as amended.
VI. Use of Mobile Device Identifier (IDFA, IDFV and AAID)
We use so-called “Mobile Device Identifiers” on our app. These are unique, but non-personalized and non-permanent identification numbers for a specific device that are provided by iOS or Android. The data collected via Mobile Device Identifier are not linked to any other device-related information. We use mobile device identifiers to provide you with personalized advertising and to evaluate your usage. If you activate the option “No ad tracking” in the iOS or Android settings under “Data protection” - “Advertising”, we can only take the following measures: Measurement of your interaction with banners by counting the number of times a banner was displayed without being clicked on (“frequency capping”), click rate, determination of unique use (“unique user”) as well as security measures, fraud prevention and error elimination. You can delete the respective Mobile Device Identifier in the device settings at any time ("Reset Ad-ID"). A new Mobile Device Identifier will then be created which will not be merged with the previously collected data. We would like to point out that you may not be able to use all functions of our app if you restrict the use of the respective mobile device identifier.
1. Google Analytics
For the purpose of customizing and continually optimizing our pages, we use Google Analytics, a Google Inc. advertising analytics service, 1600 Amphitheater Parkway Mountain View, CA 94043, USA ("Google"). In this context, pseudonymised user profiles are created and cookies (see section V of this data protection policy) are used. The information generated by the cookie about your use of our services (such as your IP address, browser type / version, operating system used, referrer URL, time of server request) is transmitted to a Google server in the USA and stored there. However, on our website and app, your IP address will be shortened by Google beforehand within member states of the European Union or other parties under the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf to evaluate your use of our services, to compile reports about the website and app activities for us, and to provide us with other services related to website and app usage and internet usage. This information may also be transferred to third parties if required by law or if third parties process this data in the order. Google will not merge your IP address with other Google data. However please note that, based on our current state of knowledge, we cannot rule out that data from Google in the USA could be linked with other user data such as search history, personal accounts, usage data from other devices and other existing user data that Google has access to. You can prevent the storage of cookies by a corresponding setting of your browser software. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of our services (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. For more information about data protection related to Google Analytics, please see the following link in the Google Analytics Help Center: http://google.com/intl/en/analytics/privacyoverview.html.
2. Google Ads Conversion Tracking
3. Google Tag Manager
We also use Google Tag Manager. This service allows website tags to be managed through a single interface. Tags are small code elements that serve, among other things, to measure traffic and visitor behavior. Google Tag Manager only implements tags. As a result, no cookies are used and consequently no personal data is collected. Google Tag Manager triggers other tags, which may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
4. Pinterest Conversion Tracking
5. Reddit Conversion Tracking
Our website also uses "Reddit Conversion Pixel", an analysis service of Reddit Inc., 520 Third Street, Suite 305, San Francisco, CA 94107, USA ("Reddit"). For this tool so-called tracking pixels are integrated on our sides. When you visit our pages, this tracking pixel establishes a direct connection between your browser and the Reddit server. Reddit receives thereby et al. the information from your browser that our website received from your device. We point out that we have no influence on the extent of the transmitted data and their further use by Reddit and therefore inform you according to our knowledge: Through the use of Reddit Conversion pixels Reddit receives the information that you have accessed the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a Reddit service, Reddit may associate the visit with your account. Even if you are not registered with Reddit or have not logged in, there is a chance that the vendor will discover and store your IP address and other identifying features. For more information about privacy and how it works, visit https://www.redditinc.com/policies/privacy-policy.
6. Facebook Advertising Tracking
We also use Facebook's "Custom Audiences" remarketing feature, 1 Hacker Way, Menlo Park, CA 94025, USA, ("Facebook"). As a result, users of our website can be shown interest-based advertisements ("Facebook Ads") as part of their visit to the social network Facebook or other websites that also use the process. For this marketing function, we use "Facebook pixels" on our websites, i.e. on our sides so-called tracking pixels are integrated. When you visit our pages, the tracking pixel establishes a direct connection between your browser and the Facebook server. This gives Facebook et al. the information from your browser that our website called from your device. We point out that we have no influence on the extent of the data transmitted and their further use by Facebook and therefore inform you according to our knowledge: Through the integration of Facebook Custom Audiences, Facebook receives the information that you have visited the corresponding website of our internet presence or have clicked on an ad from us. If you are registered with a service of Facebook, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, there is a chance that the provider will find out and store your IP address and other identifying features. You may object to the use of Facebook Website Custom Audiences at any time in the future through https://www.facebook.com/settings/?tab=ads and http://www.youronlinechoices.com/preferencemanagement/. For more information about privacy and your related options, visit https://www.facebook.com/settings/?tab=ads and https://www.facebook.com/about/privacy.
7. Bing Ads Tracking
8. Twitter Conversion Tracking
We use a service from the social network Twitter (Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA) on our website to position target group-based online advertising and for conversion tracking. We have implemented a Twitter tag on our website for this purpose. Due to this tag, when you visit the website, a direct connection to the Twitter servers is established and the fact that you have visited our website as well as data on your use of our website is recorded and transmitted. In this way, based on your previous page views and activities, we can place targeted advertisements on Twitter that may be of interest to you (remarketing). The data processed by Twitter does not allow us to identify you personally. We do not link this pseudonymous information to any other information about you. If you are registered with a Twitter service, Twitter can assign your visit to our website to your account. Even if you are not registered with Twitter or have not logged in, there is a possibility that the provider will be able to find out and save your IP address and other identification features. The information generated by the tags about your use of our services is transmitted to a Twitter server in the USA and stored there.
You can find further information here: https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads. You can deactivate the collection of data by Twitter at the following address: https://twitter.com/settings/account/personalization.
9. Apple Search Ads
We use the Apple Search Ads marketing service, a service provided by Apple Inc. 1 Infinite Loop, Cupertino, California, USA, 95014. Apple Search Ads is a service that displays advertisements for our app that appear in the Apple App Store . We use this service to show targeted advertisements to certain customer segments in the App Store, i.e. for people with similar characteristics, whereby Apple guarantees that targeting is not carried out individually for a customer. To determine a customer segment - each consisting of at least 5,000 Apple customers - Apple uses your Apple account data, App Store data (search history, downloads and surfing activities in the App Store), data from app transactions (in-app purchases, downloaded apps) and context information (Device type, iOS version as well as time, location and specific search query). We do not receive any personal information from you via the advertisements placed in the App Store, only aggregated data on clicks and conversions in the form of registrations (e.g. downloads of our app). Apple does not follow / track people as part of Apple Search Ads, which means that Apple does not associate any user or device data from Apple apps with user or device data collected by third parties for the purpose of targeting or measuring advertising measures.
11. Use of Technologies from Branch Metrics, Inc. in our App
Our sites also use the Branch.io app analytics service Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA ("Branch") to analyze app usage. When using the app Branch collects on our behalf installation and usage data. We use this information to understand how you interact with our app. Branch uses your IDFA or Android ID as well as your IP or Mac address. An identification of your person is not possible. The analyzes are used exclusively for the purposes of our own market research as well as the optimization and needs-based design of our app. The information collected is transmitted to Branch servers in the United States. They may object to the use of Branch at any time by setting the slider for anonymous statistics in the app under "Settings". For more information about Branch's privacy, please visit the following link: https://branch.io/policies/#privacy. You can deactivate the collection of data by Branch at any time at https://branch.app.link/optout or change your settings.
12. Use of Google Analytics for Firebase and Crashlytics in our app
We also use the function of the Google Firebase service, Crashlytics, in our app. With the help of this tool, analysis of crashed apps can be carried out in order to enable us to react more quickly to errors and bugs and to continuously improve the stability of our app. Only aggregated and anonymized data is transmitted to Firebase in the form of real-time crash reports with information on codes and device information- never personal data.
15. Use of the SalesViewer® technology
VII. Use of social plug-ins
VIII. Registration for our website / app with Facebook, Google or Apple
Alternatively, we offer you the option of registering for our website / app via your Facebook (website / app), Google (website / app) or Apple user account (app only), provided you have a user account on Facebook, Google or Apple and would like to register through one of these services. After entering your login data for the respective service and following confirmation from you, you can log in to our website / app using your Facebook, Google or Apple log-in data.
If you decide to register for our website / app using your Facebook, Google or Apple log-in data, we will receive
- from Facebook only your email address and your public information name, gender and profile picture on Facebook. “Public” in this context means that everyone outside of Facebook can see this data. You can get an overview of which data you have released for which applications at www.facebook.com/settings?tab=applications. We can't post about it on Facebook.
- from Google we only receive your Google user ID, your email address / email verified status, name, language and picture. Further information on logging in with your Google account and an overview of which data you have shared with which applications can be found at www.myaccount.google.com/permissions and at www.support.google.com/accounts/answer/3466521?hl=en.
- We receive your email address and your name from Apple. However, you can decide yourself whether it is your real email address or whether you want to use a random email address suggested by Apple in which your real email address is hidden. For more information about logging in with your Apple account and an overview of which data you have shared with which applications, please visit www.support.apple.com/en-us/HT210318 and www.support.apple.com/en-us/HT210426.
Please note that when you register with one of the aforementioned third-party services, we do not receive or save your login data (especially passwords). The link is only required to enable the desired log-in. The legal basis for processing data as described above for the purpose of creating a user account is Article 6 Paragraph 1 Sentence 1 Letter a) GDPR (processing data based on the consent of the person concerned). You can revoke your consent at any time, e.g. by sending a message to the contact details provided in our legal notice. In this case you would have to register again for the website / app, if you want to continue using the website / app.
Please also note that we have no influence on the data collected by Facebook, Google or Apple when logging in. If you do not want Facebook, Google or Apple to collect data about you via your log-in and use it for their own purposes, we recommend that you do not register for our website / app by logging in to Facebook, Google or Apple . Further information on data protection on Facebook, Google and Apple can be found in the respective data protection provisions of the respective service.
IX. Integration of YouTube videos
We have integrated YouTube videos on our website, which are stored on https://www.YouTube.com and can be played directly from our website. These are integrated in the "extended data protection mode", i.e. no cookies are set by YouTube if you do not play the videos. It’s only when you play the videos that the data mentioned in the following paragraph will be transmitted. We embed YouTube videos on our website in order to make the use of our website as user-friendly as possible by allowing you to view videos without having to leave our website. The legal basis is Article 6, Paragraph 1, Clause 1 f) GDPR (processing is necessary to safeguard the legitimate interests of the person responsible).
Even if videos have been embedded in a website in "extended data protection mode", we would like to point out that navigating to the website leads to a connection to YouTube and YouTube receives the information that the user has navigated to the corresponding subpage of our website. We would also like to point out that when the video is played, YouTube saves your data as a user profile and uses it for advertising, market research and / or needs-based design of the YouTube website. You have the right to object to the creation of these user profiles, although you must contact YouTube to exercise this right.
Further information on the purpose and scope of data collection and its processing by YouTube can be found in Google's data protection declaration. You will also find further information on your rights and settings options to protect your privacy here: https://www.google.de/intl/en/policies/privacy.
X. Newsletter / Marketing
XI. Sending push and text messages
1. Sending push messages through the website
To keep you up-to-date on current topics, we offer a service to receive push messages through our website. For this purpose, an anonymous ID is stored in order to analyze the use of the push service. If you would like to prevent the receipt of push notifications and thus the associated data collection for the future, you can block the notifications in the website settings of your internet browser for this website.
2. Sending push messages in the app
3. Sending text messages via the website
You can have a link to our MyPostcard app sent to you via text on our website; all you need to do is provide your mobile phone number. For the purpose of sending the desired SMS, we use the text dispatch service provider, Twilio’s service (Twilio Inc., 375 Beale St # 300, San Francisco, CA 94105, USA) as part of order processing. Twilio will only use your telephone number as part of our instructions to send the desired SMS from MyPostcard, but not for Twilio's own messages. Further information on data protection from Twilio can be found here: https://www.twilio.com/legal/privacy#how-twilio-processes-your-end-users-personal-information.
XII. Duration of storage
We store your personal data as long as this is necessary to achieve the respective storage purpose. Subsequently, your data will be deleted by us, unless, according to Art. 6 para. 1 p. 1 lit. c GDPR we are obliged to retain it for a longer period of time due to tax, commercial or other statutory storage or documentation obligations or you have agreed to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
XIII. Your rights
You are entitled at any time according to Art. 15 GDPR to disclosure of information about your personal data stored with us. In particular, you may demand disclosure of information about the purposes of processing, the categories of data we have stored about you, the categories of recipients of such data, the planned duration of storage, your right to rectification, cancellation, limitation of processing or opposition, the existence of a right of appeal to a regulatory authority, the source of your data, if not collected from you, and the existence of an automated decision-making process including profiling and, where appropriate, meaningful information about their details. In addition, according to Art. 16 GDPR, you may request the correction of incorrect data and, pursuant to Art. 17 GDPR, the deletion of personal data, as far as the processing of the exercise of the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
Furthermore, you have the right to demand, pursuant to Art. 18 GDPR, blocking or restriction of the processing of your personal data, in so far as the accuracy of the data is disputed by you, the processing is unlawful, you reject its deletion and we no longer need the data, however you need them for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR. Furthermore, according to Art. 20 GDPR, you have the right to receive the personal data that you have provided to us in a structured, common and machine-readable format or to request its transfer to another person responsible. If your personal data are based on legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit., in accordance with Art. 21 GDPR, you have the right to object to the processing of your personal data at any time if there are reasons for this arising from your particular situation or the objection is directed against processing for direct marketing purposes. In the latter case, you have a fundamental right of objection, which is implemented by MyPostcard without specifying any particular situation. If you believe that the processing of your personal data by us is not in accordance with applicable law, you may file a complaint with a supervisory authority pursuant to Art. 77 GDPR. If the processing of your data relies on a consent granted by DGSVO according to Art. 6 para. 1 lit, you have the right to revoke this consent at any time with future effect.
XIV. Data security
When visiting our services, we use the common SSL method in conjunction with the highest encryption level supported by your browser. Incidentally, we use appropriate technical and organizational security measures to protect your data against manipulation, loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
XV. Your contact for data protection
If you have any questions about the collection, processing or use of your personal data, information, correction, blocking or deletion of data and revocation of granted consent, please contact our data protection officer at email@example.com.