Privacy policy greenpay card

PRIVACY POLICY FOR VISITORS TO OUR WEBSITE AND APP

We would like to inform you about the protection of your privacy, data protection and informational self-determination when using our website at www.greenpaycard.eu and the greenpay card App as follows:

1. WHO ARE WE?

Responsible for the website at www.greenpaycard.eu and the greenpay card App according to Art. 4 para. 7 EU General Data Protection Regulation (DS-GVO)

transact Elektronische Zahlungssysteme GmbH
Managing Directors: Dr. Samareh Khosravi, Dr. Markus Landrock, Marc Ehler, Martin Croot
Fraunhoferstr. 10
82152 Martinsried

Phone +49 (0)89 899 64 3 0
E-mail: info@epay.de
(for further details see our imprint).

transact Elektronische Zahlungssysteme GmbH (“transact”) has been appointed for the technical administration and management of the greenpay card programme.

2. WHO IS RESPONSIBLE FOR DATA PROTECTION?

All our employees take care of the topic of data protection. In addition, we have appointed a data protection officer, whom you can contact as follows:

transact Electronic Payment Systems GmbH
Fraunhoferstr. 10
82152 Martinsried
E-Mail DPO_DE@epayworldwide.com

3. COLLECTION OF PERSONAL DATA WHEN VISITING OUR WEBSITE

In the case of merely informational use of our website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you, to ensure stability and security, and for statistical analysis (legal basis is Art. 6 para. 1 p. 1 lit. f DS-GVO):

  • IP address,
  • Date and time of the request,
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

4. DATA PROCESSING IN THIRD COUNTRIES

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this will only be done in accordance with the legal requirements.

Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, which includes US processors certified under the “Privacy Shield”, or on the basis of special guarantees, such as contractual obligation through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 DSGVO, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).

5. USE OF COOKIES

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after his visit within an online offer. Stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. The term cookies also includes other technologies that perform the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”).

The following cookie types and functions are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
  • Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, the interests of users used for reach measurement or marketing purposes can be stored in such a cookie.
  • First-party cookiesFirst-party cookies are set by us.
  • Third-party cookies (also: third-party cookies): Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or absolutely necessary) cookies: Cookies may be absolutely necessary for the operation of a website (e. g. to store logins or other user inputs or for security reasons).
  • Statistics, marketing and personalization cookies: Furthermore, cookies are generally also used in the context of range measurement and when a user’s interests or behavior (e.g. viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as “tracking”, i.e., tracking the potential interests of users. Insofar as we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in a business operation of our online offer and its improvement) or, if the use of cookies is necessary to fulfill our contractual obligations.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke any consent you have given or to object to the processing of your data by cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection by means of your browser settings, e.g. by deactivating the use of cookies (whereby this may also restrict the functionality of our online offer.

Processing of cookie data on the basis of consent: Before we process or have data processed within the scope of the use of cookies, we ask users for consent that can be revoked at any time. Before the consent has not been expressed, cookies are used at most, which are necessary for the operation of our online offer. Their use is based on our interest and the interest of users in the expected functionality of our online offer.

  • Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

6. RIGHTS OF THE DATA SUBJECTS

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
  • Right of revocation for consents: You have the right to revoke any consent you have given at any time.
  • Right of access: You have the right to request confirmation as to whether data in question is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: In accordance with the law, you have the right to request that data concerning you be completed or that inaccurate data concerning you be rectified.
  • Right to erasure and restriction of processing: You have the right, in accordance with the law, to request that data relating to you be erased immediately or, alternatively, to request restriction of the processing of the data in accordance with the law.
  • Right to data portability: You have the right to receive data relating to you that you have provided to us in a structured, common and machine-readable format, or to request that it be transferred to another controller, in accordance with the law.
  • Complaint to supervisory authority: You also have the right, in accordance with the law, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been violated in some way, you can complain to the supervisory authority.

In Bavaria :
Bavarian State Office for Data Protection Supervision
Tel.: +49 (0) 981 180093-0
Fax: +49 (0) 981 180093-800
E-Mail: poststelle@lda.bayern.de
Postfach 1349 | 91504 Ansbach

7. INFORMATION ABOUT THE COLLECTION OF PERSONAL DATA

(1) Registration, login and user account

Users can create a user account. In the course of registration, users are provided with the required mandatory data and processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The processed data includes in particular the login information (password as well as an e-mail address). The data entered during registration is used for the purposes of using the user account and its purpose.

Users may be informed by e-mail about processes relevant to their user account, such as technical changes. If users have terminated their user account, their data with regard to the user account will be deleted, subject to a legal obligation to retain data. It is the responsibility of users to back up their data upon termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.

In the context of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.

  • Types of data processed: inventory data (e.g. names, addresses), contact data (e.g. e-mail), content data (e.g. text entries, photographs), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: contractual performance and service, security measures, management and response to requests, management of the user account, offer services within the framework of the app and website and the greenpay card.
  • Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. DSGVO), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

(2) Contacting

When contacting us (e.g. by contact form, e-mail, telephone or via social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

The response to contact requests in the context of contractual or pre-contractual relationships is made in order to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.

  • Types of data processed: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).
  • Affected persons: Communication partners.
  • Purposes of processing: contact requests and communication.
  • Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

(3) Provision of the online offer and web hosting

In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed as part of the provision of the hosting offer may include all information relating to the users of our online offer, which is generated as part of the use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of online offers to browsers, and all entries made within our online offer or from websites.

Captcha: We integrate the “Captcha” function to detect bots, e.g. when entering data in online forms. The behavioral data of users (e.g. mouse movements or queries) are evaluated to distinguish humans from bots.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files may be used, on the one hand, for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability.

  • Types of data processed: Content data (e.g. text input, photographs, videos), usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

(4) Payment service provider

In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions for this purpose (collectively, “payment service providers”).

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e., we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. In this regard, we refer to the terms and conditions and the data protection notices of the payment service providers.

The terms and conditions and the data protection notices of the respective payment service providers apply to the payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other data subject rights.

  • Types of data processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter of contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers, interested parties.
  • Purposes of processingcontractual performance and service.
  • Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

Services used and service providers:

(5) Web analysis and optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas require optimization.

In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components.

For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures may be used with the same purpose. This information may include, for example, content viewed, websites visited and elements used there and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processingReach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-based profiling, use of cookies), visit action evaluation, profiling (creation of user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a DSGVO), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).

Services used and service providers:

  • etracker
    etracker GmbH – Erste Brunnenstraße 1 – 20459 Hamburg – Germany
    Web analysis / reach measurement
    Website: https://www.etracker.com/
    Privacy policy: https://www.etracker.com/datenschutzerklaerung/
  • Cookiebot CMP Widget
    Cybot A/S – Havnegade 39 – 1058 Copenhagen – Denmark
    Die Cookiebot Consent Management Platform (CMP) provides a widget for the website that makes the consent request dialog with your end users faster and more responsive than ever before.
    Webseite: https://www.cookiebot.com/de/widget
    Privacy policy: https://www.cookiebot.com/de/privacy-policy
  • Google Analytics 4
    If you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. We integrate Google Analytics 4 via plugin. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyze your usage behavior and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to help us better understand how our website is used and to generate reports on website activities, among others.

    As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation.

    Processed data: The following data can be processed by Google Analytics 4:
    • IP address;
    • User ID and device ID;
    • Referrer URL (previous visited page);
    • Pages viewed (date, time, URL, title, duration of visit);
    • Downloaded files;
    • Clicked links to other websites;
    • Achievement of specific goals (Conversions);
    • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);

    You can find more information regarding the data that is processed in the following link: [GA4] Data collection – Analytics Help

    Security measures: We have implemented the following security measures for Google Analytics 4:
    • Anonymization of the IP address;
    • deactivated advertising function;
    • deactivated personalized advertising;
    • deactivated remarketing;
    • retention period of 2 months (and no reset of retention period with new activity);
    • deactivated cross-device and cross-page tracking (Google Signals);
    • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

    You may revoke your consent at any time with effect for the future by accessing the cookie settings Cookies – greenpay card and changing your selection there. This will not affect the lawfulness of the processing carried out on the basis of consent until revoked.

    We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

    You can find more information about Google Analytics 4 below:
    Google Ireland Limited – Gordon House – Barrow Street – Dublin 4 – Ireland
    Website: https://marketingplatform.google.com/about/analytics/
    Privacy policy: https://policies.google.com/privacy?hl=en