Privacy policy
With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes and to what extent in the context of providing our service.
The terms used are to be understood as gender-neutral. The terms used, such as “personal data” or their “processing” refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Responsible
Squills GmbH
Goldenfelsstr. 9
50935 Cologne
Processing overview
The personal data of users processed within the framework of this online offer include:
The following persons are affected by the data processing
We process users’ personal data only in compliance with the relevant data protection provisions. This means that user data will only be processed if a legal permission exists, in particular if the data processing is necessary or legally required for the provision of our contractual services (e.g. processing of orders) as well as online services, if a consent of the user exists, as well as due to our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer in the sense of Art. 6 para. 1 lit. f. DSGVO), in particular in the case of range measurement, creation of profiles for advertising and marketing purposes as well as collection of access data and use of third-party services.
Relevant legal bases
The following is an overview of the legal basis of the GDPR on the basis of which we process personal data. Should more specific legal bases be relevant in individual cases, we will inform you of these in the data protection declaration.
In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
Security measures
We take appropriate organizational, contractual and technical security measures in the sense of Art. 32 DSGVO according to the state of the art, taking into account the implementation costs and the nature, scope, circumstances and purposes of the data processing, as well as the varying likelihood and severity of the risk to the rights and freedoms, in order to ensure an adequate level of protection for your data. We hereby ensure compliance with the provisions of data protection laws and protect this data against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
The security measures include in particular the encrypted transmission of data between your browser and our server. You can recognize such encrypted connections by the fact that the URL in the address bar of your browser begins with “https://”. This is a communication protocol with which data can be transmitted in a tap-proof manner as part of a transport encryption.
Disclosure of data to third parties and third-party providers
Data is only passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary, for example, on the basis of Art. 6 Para. 1 lit. b DSGVO for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 Para. 1 lit. f. DSGVO in the economic and effective operation of our business.
We only use subcontractors to provide our services if we have taken suitable legal precautions and appropriate technical and organizational measures to ensure the protection of the personal data processed in accordance with the relevant statutory provisions.
If content, tools or other means described in the context of this privacy policy are used by other providers (hereinafter collectively referred to as “third-party providers”), we comply with the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website.
If we use a third-party provider whose registered office is located in a third country (outside the European Union (EU) or the European Economic Area), it must be assumed that data is transferred to the countries where the third-party provider is based. The transfer of data to third countries only takes place if there is an adequate level of data protection, user consent or otherwise legal permission.
Data deletion
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting their processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not required for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. The data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
As part of our privacy notices, we may provide users with further information regarding the deletion as well as the retention of data that is specific to the respective processing operations.
Use of cookies
When you visit our website, information may be stored on your computer in the form of a cookie. Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ web browsers, where they are stored for later retrieval. Most browsers are set to accept cookies automatically. We would like to point out that the use of our online offer without cookies is only possible to a limited extent. In particular, the use of your customer account is generally not possible, as the use of cookies is technically mandatory for this. However, you can also use your browser to prevent only the setting of certain cookies (e.g. cookies from third-party providers), for example if you want to prevent web tracking. You can find more information on this in the help function of your browser. For more information on third-party cookies that are set or processed when you visit our website, please refer to the privacy policy below, insofar as we make use of them. The term cookies also includes other technologies that perform the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”).
We use cookies in accordance with the legal regulations. Therefore, we obtain prior consent from the users, unless the cookies are necessary. Consent is not required for necessary cookies if the storage and reading of the information, i.e. including cookies, is absolutely necessary in order to provide the telemedia service (i.e. our online offer) expressly requested by the users. The revocable consent is clearly communicated to the users and contains the information about the respective cookie use.
The legal basis under data protection law on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests. The purposes for which we process cookies are explained in this privacy policy or in our consent and processing procedures.
With regard to the storage period, the following types of cookies are distinguished:
Users can revoke the consents they have given at any time and also lodge an objection to processing in accordance with the legal requirements in Art. 21 DSGVO. An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Notes on processing operations, procedures and services
We use a cookie consent management procedure in which the consent of users to the use of cookies or the processing and providers named in the cookie consent management procedure can be obtained and managed and revoked by users. Here, the declaration of consent is stored in order not to have to repeat its query and to be able to prove the consent in accordance with the legal obligation. The storage can take place on the server side and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. The duration of the storage of the consent can be up to two years. A pseudonymous user identifier is created and stored with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system and end device used.
Provision of contractual services
We process inventory data (e.g. names and addresses as well as contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 lit b. DSGVO. We inform the contractual partners which data is required for the aforementioned purposes before or in the course of data collection, e.g. in online forms by means of special marking (e.g. colors) or symbols (e.g. asterisks or similar), or in person. Within the framework of applicable law, we only disclose this data to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations or with your consent (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities).
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., in principle after the expiry of 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes usually 10 years). Data disclosed to us by the contractual partner within the framework of a contractual relationship will be deleted by us in accordance with the requirements of the contract, in principle after the contractual services have been performed.
Users can optionally create a user account, in which they can view their orders in particular. As part of the registration process, users are informed of the required mandatory information. The user accounts are not public and cannot be indexed by search engines. If users have cancelled their user account, their data with regard to the user account will be deleted, unless their retention is necessary for commercial or tax reasons in accordance with Art. 6 para. 1 lit. c DSGVO. It is the responsibility of the users to save their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.
Within the scope of registration and renewed logins as well as the use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. In principle, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims or there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c DSGVO.
We process usage data (e.g. the web pages visited on our website, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile, for example to display product information to users based on the services they have used to date.
Payment method
In the context of contractual and other legal relationships based on legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers in addition to banks and credit institutions for this purpose (collectively, “payment service providers”).
The data processed by the payment service providers include inventory data, such as the name and address, bank data, such as credit card numbers, contract, total and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. We do not receive any account or credit card related information, but only information with confirmation or negative information of the payment.
The terms and conditions and the data protection notices of the respective payment service providers apply to the payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other data subject rights.
For this purpose, we process inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses). Only our customers are affected by this processing. The data processing is carried out to provide the contractual service. It is based on the legal basis in Art. 6 para. 1 sentence 1 lit. b DSGVO.
We use service provider Stripe as our payment service provider. This is Stripe, Inc, 510 Townsend Street, San Francisco, CA 94103, USA, https://stripe.com; https://stripe.com/de/privacy.
Provision of the online offer and web hosting
In order to be able to provide our online offer securely and efficiently, we use the services of several web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. These are Host Europe GmbH, Hansestrasse 111, 51149 Cologne, Germany and Bubble Group, Inc., 900 Broadway Suite 504, New York, NY 10003 (hereinafter “Bubble”). We have concluded standard contractual clauses with Bubble to ensure an appropriate level of data protection.
For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services. The web hosting providers process the personal data exclusively on our behalf on the legal basis of Art. 28 DSGVO.
On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we collect data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the final clarification of the respective incident.
The web hosting services also include sending, receiving as well as storing e-mails. For these purposes, the addresses of the recipients and senders, but also further information about the e-mail dispatch (e.g. the providers involved), including contents of the respective e-mails are processed. Even though our e-mail communications have transport route encryption, they are not encrypted on the servers from which they are sent and received. The content of e-mail communications is therefore fundamentally susceptible to manipulation.
We also use a content delivery network (CDN). A CDN is a service with the help of which the content of an online offer, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet. The use is based on our legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO). This website uses services from “Cloudflare” (provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Cloudflare operates a content delivery network (CDN) and provides protection functions for the website (web application firewall). The data transfer between your browser and our servers flows through Cloudflare’s infrastructure and is analyzed there to prevent attacks. Cloudflare uses cookies for this purpose to enable you to access our website. The use of Cloudflare is in the interest of a safe use of our Internet presence and the defense against harmful attacks from the outside. For more information, please see the Cloudflare privacy policy: https://www.cloudflare.com/de-de/privacypolicy/
Furthermore, we use the CloudFront of Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS) to increase the security and delivery speed of our website. For this purpose, personal data may be processed in server log files by AWS. We have concluded an order processing agreement with AWS, so that AWS is obliged to process personal data exclusively in accordance with our instructions. Your personal data will be stored by AWS for as long as necessary for the purposes described. For more information on objection and removal options vis-à-vis AWS, please visit: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
Registration, login and user account
Users can create a user account. In the course of registration, users are informed of the required mandatory data, which is processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The processed data includes in particular the login information (username, password and an e-mail address).
Within the scope of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.
Users can be informed by e-mail about processes relevant to their user account, such as technical changes.
In the course of registration, inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); meta/communication data (e.g. device information, IP addresses) of our customers are processed for the provision of the contractual service on the legal basis of Art. 6 (1) p. 1 lit. b DSGVO. If customers have terminated their user account, their data with regard to the user account will be deleted, subject to any legal permission, obligation or consent of the customer.
Contact
When contacting us (via contact form or e-mail), the user’s details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b DSGVO. Here, we only process the data that we need to process your request.
User information may be stored in our Customer Relationship Management System (“CRM System”) or comparable inquiry organization.
Newsletter
With the following information, we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.
We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. Insofar as the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. In addition, our newsletters contain information about our products, offers, promotions and our company.
The registration for our newsletter takes place in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other email addresses. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Likewise, the changes to your data stored with the shipping service provider are logged.
We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove consent formerly given. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a so-called “block list” for this purpose alone.
The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.
We use the service provider Sendinblue to send e-mails. For this purpose, the e-mail addresses are transferred to Sendinblue. The data processing is carried out by: Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.
Sendinblue operates a server location in Germany and has a TÜV Rheinland certificate for data protection. Sendinblue is a certified provider selected according to the requirements of the General Data Protection Regulation and the Federal Data Protection Act. Sendinblue processes the personal data on our behalf and under our direction on the basis of a contract concluded with the company for the processing of orders in accordance with Art. 28 sec. 3 GDPR.
For more information on data protection at Sendinblue, please see the provider’s privacy policy: Privacy Policy – Personal Data Protection – Sendinblue
Integration of third-party services and content
We use within our online offer on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer in the sense of Art. 6 para. 1 lit. f. DSGVO) or on the basis of your consent (Art. 6 para. 1 lit. a DSGVO) content or service offers of third party providers to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”). This is done to provide our online offer and to create a user-friendly online offer. This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus necessary for the presentation of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their content, together with links to their data protection declarations, which contain further information on the processing of data and, in part already mentioned here, options for objection (so-called opt-out). If a transfer to a third country takes place in the course of this, we have concluded the necessary standard contractual clauses with the respective third-party provider:
Integrations
Within our online offer, we enable and make use of various integrations. Within the scope of the use of the integrations, the following data is processed.
Google Calendar
For scheduling we use the service of Google Calendar via an API. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Calling up Google Calendar establishes a connection to Google’s servers. Within the scope of this call, the processing of the user’s IP address takes place on the legal basis of Art. 6 (1) lit. a DSGVO only with the consent of the user. In addition, other personal data may be processed individually for scheduling purposes.
Before integrating these services, we have concluded standard contractual clauses with Google. The data is encrypted during transmission and at the storage location. Personal data is stored there for a maximum of one year. For more information on data protection with “Google Calendar”, please see the provider’s privacy policy at: https://www.google.de/intl/de/policies/privacy/
Google Meet
We use Google Meet to conduct video conferences and online meetings. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When using Google Meet, a connection to Google’s servers is established. To use the service, basic data for registration, communication data and logging data are processed on the basis of Art. 6 (1) lit. b DSGVO.
Before integrating these services, we have concluded standard contractual clauses with Google. The data is encrypted during transmission and at the storage location. Personal data is stored there for a maximum of one year. With regard to the processing of personal data when using Google Meet, we also refer to Google’s privacy information:
https://workspace.google.com/terms/education_privacy.html?hl=de
Zoom
For the organization of telephone conferences, online meetings, video conferences and/or webinars (hereinafter: “Online Meetings”) we use the service Zoom. “Zoom” is a service of Zoom Video Communications, Inc. which is based in the USA. To use the service, basic registration data, communication data and logging data are processed on the basis of Art. 6 (1) lit. b DSGVO.
We have concluded an order processing agreement with the provider of “Zoom” that complies with the requirements of Art. 28 DSGVO.
An appropriate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses. As additional protective measures, we have also configured our Zoom so that only data centers in the EU, the EEA, or secure third countries such as Canada or Japan are used to conduct “online meetings”.
Microsoft Teams
To organize telephone conferences, online meetings, video conferences and/or webinars (hereinafter: “online meetings”), we use the Microsoft Teams service. For this purpose, we use products of Microsoft Ireland Ltd. (“Microsoft”) on the legal basis of Art. 6 (1) lit. b DSGVO and have concluded a contract processing agreement with Microsoft for this purpose in accordance with Art. 28 DSGVO. It cannot be ruled out that data will be transmitted to Microsoft Corp. in the USA in this context. Microsoft can also perform remote maintenance accesses from other third countries. We have concluded the standard data protection clauses of the European Commission with Microsoft Corp.
According to Microsoft, Microsoft Corp. processes data about Teams usage for the following proprietary business purposes: billing and account management; compensation (e.g., calculating employee commissions and partner incentives); internal reporting and modeling (e.g. forecasting, revenue, capacity planning, product strategy); combating fraud, cybercrime, or cyberattacks that may affect Microsoft or Microsoft products; improving core functionality related to accessibility, privacy, or energy efficiency; and financial reporting and compliance with legal obligations (subject to the disclosure limitations described in the DPA). Processing by Microsoft will be solely for the foregoing purposes and expressly not for user profiling, advertising or similar commercial purposes. For processing data for the aforementioned business purposes, Microsoft determines both the means and the purposes of the data processing. Microsoft considers itself solely responsible for such data processing to comply with all applicable laws and to fulfill its obligations.
Microsoft’s privacy policy can be viewed here: https://privacy.microsoft.com/de-de/privacystatement.
Office 365 Calendar
For scheduling purposes, we use the Office 365 Calendar service from Microsoft. For this purpose, we use products of Microsoft Ireland Ltd. (“Microsoft”) on the legal basis of Art. 6 (1) lit. b DSGVO and have concluded an order processing agreement with Microsoft for this purpose in accordance with Art. 28 DSGVO. It cannot be ruled out that data will be transmitted to Microsoft Corp. in the USA in this context. Microsoft can also perform remote maintenance accesses from other third countries. We have concluded the standard data protection clauses of the European Commission with Microsoft Corp.
According to Microsoft, Microsoft Corp. processes data about Teams usage for the following proprietary business purposes: billing and account management; compensation (e.g., calculating employee commissions and partner incentives); internal reporting and modeling (e.g. forecasting, revenue, capacity planning, product strategy); combating fraud, cybercrime, or cyberattacks that may affect Microsoft or Microsoft products; improving core functionality related to accessibility, privacy, or energy efficiency; and financial reporting and compliance with legal obligations (subject to the disclosure limitations described in the DPA). Processing by Microsoft will be solely for the foregoing purposes and expressly not for user profiling, advertising or similar commercial purposes. For processing data for the aforementioned business purposes, Microsoft determines both the means and the purposes of the data processing. Microsoft considers itself solely responsible for such data processing to comply with all applicable laws and to fulfill its obligations.
Microsoft’s privacy policy can be viewed here: https://privacy.microsoft.com/de-de/privacystatement.
Modification and update of the privacy policy
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the data protection declaration as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
Where we provide addresses and contact information of companies and organizations in this privacy statement, please note that the addresses may change over time and please check the information before contacting us.
Rights of the data subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Status: August 2022