The terms used, such as "personal data" or their "processing" are to be understood in the sense of the definitions in Art. 4 of the EU General Data Protection Regulation (GDPR).
Passcreator is an offer of mediahelden GmbH, Theodor-Lipps-Str. 4, 80997 Munich, Germany. HRB 232134 Munich, VAT-ID. DE815685987.
1.1 Collected data
User data processed within Passcreator include:
e.g. names and addresses of customers
e.g. e-mail addresses, telephone numbers, Messenger IDs
e.g. text input, photographs, videos
e.g. time of conclusion, content, payment information
Visited websites, access times
(this data is processed anonymously) e.g. device IDs, IP addresses, location data
The term "user" covers all categories of data involved in data processing. These include our business partners, customers, interested parties and other visitors to Passcreator. The terms used, such as "user", are to be understood gender-neutrally.
1.3 Data processing
We process users' personal data only in compliance with the relevant data protection regulations. This means personal data will only be processed if you give your consent, if there's a regulation or based on our legitimate interest (art. 6 para. 1 lit. b. GDPR).
We point out that the legal basis of consent is art. 6 paragraph 1 lit a. and art. 7 GDPR, the legal basis to process data in order to provide our services and enforce contractual measures is art. 6 paragraph 1 lit. b GDPR, the legal basis to process data in order to comply with legal obligations is art. 6 paragraph 1 lit. c GDPR and the legal basis to protect our legitimate interests is art. 6 paragraph 1 lit. f GDPR.
1.4 Server location
The servers used by Passcreator are operated in compliance with EU laws. Our service provider uses the Google Cloud platform to provide hosting services. Only data centers within the EU are being used.
2. Security measures
We take organizational, contractual and technical security measures in accordance that are state of the art to ensure that processing of personal data is compliant with data protection laws (especially GDPR) and to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
3. Transferring data to third parties or third-party providers
We only transfer data in compliance with legal regulations. We only transfer data to third parties if the transfer is necessary in order to e.g. maintain contractual liabilities (art. 6 paragraph 1 lit. b GDPR) or based on our legitimate interest (art. 6 paragraph 1 lit. f GDPR) to run our business in a efficient and economically justifiable way.
If we use subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
4. Online Marketing Platform
We process inventory data (e.g., names and addresses as well as contact data of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 Para. 1 lit b. GDPR.
Users may optionally create a user account to create and manage wallet passes using Passcreator. During the registration process, the required information will be stated. The user accounts are not public and cannot be indexed by search engines. If you have terminated your user account, its data will be deleted unless the data must be retained for tax reasons pursuant to Art. 6 Para. 1 lit. c GDPR. It is the responsibility of the users to secure their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
Within the scope of registration and logins as well as use of our online services, we store the IP address and the time of the respective user action. The processing of this data is based on our legitimate interest, as well as the user's protection against misuse and other unauthorized use. These data will not be transferred on to third parties unless it is necessary to pursue our claims or there is a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.
5. Getting in touch
When contacting us (via contact form, e-mail or Support Messenger), the user's details will be collected in order to process the contact enquiry in accordance with Art. 6 Para. 1 lit. b) GDPR. The user's details can be stored in our Customer Relationship Management System ("CRM System") or comparable systems. We use the support system "Kayako" of the provider Kayako (Kayako Ltd. Sixth Floor, 20 Ropemaker Street, London EC2Y 9AR, United Kingdom) on the basis of our legitimate interests (efficient and fast processing of user inquiries). For this purpose we have concluded a contract with Kayako with so-called standard contractual clauses in which Kayako obliges to process the user data only in accordance with our instructions and to comply with the EU data protection level.
6. Collection of access data and log files
On the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. GDPR, we collect data on each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referring URL (the previously visited page), IP address and the requesting provider. Log file information is stored for security reasons (e.g. to investigate potential misuse or fraud) for a maximum period of seven days and then deleted. Data, whose storage is necessary for evidence purposes, is excluded from deletion until the respective incident has been finally settled.
7. Cookies and audience measurement
8. Google Analytics
9. Facebook Social Plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service in the sense of Art. 6 Para. 1 lit. f. of the GDPR) we use Social Plugins ("Plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interactive elements or content (e.g. videos, graphics or text contributions) and can be recognized by one of the Facebook logos (white "f" on a blue tile, the terms "like" or a "thumb up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active=a2zt0000000GnywAAC&status=Active).
When a user accesses a part of our online service that contains such a plugin, his device establishes a direct connection with Facebook's servers. The content of the plugin is transmitted directly from Facebook to the user's device and integrated into the online service by the user. User profiles can be created from the processed data. We therefore have no influence on the extent of the data that Facebook collects with the help of this plugin and therefore inform the user according to our state of knowledge.
By integrating the plugins, Facebook receives the information that a user has visited the corresponding page of the online service. If the user is logged in to Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plugins, for example by clicking the Like button or commenting, the corresponding information is transferred directly from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to find out his IP address and save it. According to Facebook, only an anonymous IP address is stored in Germany.
If a user is a Facebook member and does not want Facebook to collect data about him or her via this online service and link it to the member data stored on Facebook, he or she must log out of Facebook and delete his or her cookies before using our online service. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads=ads or via the US page http://www.aboutads.info/choices/ or the EU page https://www.facebook.com/settings?tab=ads The settings are platform-independent, i.e. they are adopted for all devices, such as desktop computers or mobile devices.
The following information will inform you about the contents of our newsletter as well as the registration, delivery and statistical processes and your rights of objection. By subscribing to our newsletter, you declare your agreement with the receipt and the described processes.
Content of the newsletter: We send newsletters, e-mails and other electronic messages containing advertising information (hereinafter "newsletter") only with the consent of the recipient or a legal permission. If the contents of the newsletter are specifically described within the scope of registration, they are decisive for the consent of the user. In addition, our newsletters contain information on our products, offers, promotions and our company. Double opt-in and logging: Registration with our newsletter is done by using a so-called double opt in process. I.e. after registration you will receive an e-mail in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with e-mail addresses he has no access to. The registrations for the newsletter are logged in order to be able to prove the consent according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Likewise changes of your data stored at the delivery service provider are logged.
Registration data: To subscribe to the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to enter a name in the newsletter form for the purpose of addressing you personally. Statistical survey and analyses - The newsletters contain a so-called "web-beacon", i.e. a file the size of a pixel, which is downloaded from the server of the delivery service provider when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval are collected. This information is used for the technical improvement of the services on the basis of the technical data or the target groups and their reading behaviour on the basis of their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our nor the delivery service provider's intention to monitor individual users. The evaluations serve us recognize the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users. The use of the delivery service provider, execution of the statistical surveys and analyses as well as logging of the registration procedure take place on the basis of our legitimate interests according to art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter system which serves both our business interests and the expectations of the users.
Cancellation/revocation: - You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. At the same time, your consent to its delivery by the delivery service provider and the statistical analyses expire. A separate revocation of the delivery by the delivery service provider or the statistical analysis is unfortunately not possible. You will find a link to cancel the newsletter at the end of each newsletter. If users have only subscribed to the newsletter and cancelled their subscription (which means they don't have a Passcreator account), their personal data will be deleted.
11. Google reCaptcha
We use the Google reCaptcha service to determine whether a person or computer uses our website. Google uses the following data to determine make sure you are a human:
- IP address of your device
- URL of the page on which reCaptcha is integrated
- language and time zone of your browser
- Installed Browser Plugins
- Screen size and resolution
- Browser and operating system
- Google account, if you're signed in to Google
- Mouse movements on the visited web page
The legal basis for the data processing described is Article 6(1)(f) of the General Data Protection Regulation. There is a legitimate interest on our part in this data processing to ensure the security of our website and to protect us from automated input (attacks). Google operates servers around the world. Therefore, your data may be processed on servers located outside the country in which you live. Google adheres to certain legal frameworks for data transfer that guarantee an adequate level of data protection, such as the Privacy Shield Agreement between the EU and the US and Switzerland and the US. reCaptcha is offered by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Registration Number: 368047.
12. Integration of third party services and content
Based on our legitimate interest (i.e. interest in the analysis, optimisation and economic operation of our service within the meaning of art. 6 paragraph 1 lit. f. GDPR) we integrate content or services from third parties, such as videos or fonts (hereinafter uniformly referred to as "content"). This presupposes that the third-party provider knows your IP address in order to deliver the content to your device. We try to use services of providers who only use the IP addresses to serve content. In addition third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to analyse information such as visitor traffic on the pages of our website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit times and other information about the use of our service and may be linked to such information from other sources. the following presentation provides an overview of third-party providers and their content, as well as links to their privacy policies, which contain further information about the processing of data and, in some cases already mentioned here, possible objections (so-called opt-out):
- If our customers use the payment services of third parties (e.g. PayPal, Sofort banking, Stripe, etc.), the terms and conditions and privacy policies of the respective third parties, which can be accessed within the respective websites or transaction applications, apply.
Sofort banking: https://www.klarna.com/sofort/privacy-policy/
13. User rights
Users have the right, upon request and free of charge, to obtain information about the personal data that we have stored about them, to correct any inaccuracies, to limit the processing and deletion of their personal data and, where applicable, to exercise their right to data portability and, in the event of unlawful data processing, to file a complaint with the competent supervisory authority. Users can also revoke their consent, in principle with effect for the future.
Persons concerned can also contact our data protection officer at any time:
Certified data protection officer
14. Deletion of data
The data stored by us will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them. If the user's data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be stored for commercial or tax reasons.
According to legal requirements, the data is stored for 6 years in accordance with § 257 Para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting records, etc.) and for 10 years in accordance with § 147 Para. 1 AO (books, records, management reports, accounting records, commercial and business letters, documents relevant for taxation, etc.).
Automated processes are used to delete data. For example, if a user does not log in to Passcreator for 12 months, he will receive two e-mails within a period of 30 days informing him of the deletion of his user account if he does not log in. For this reason, we advise users to keep their contact information, in particular their e-mail address, up to date and to add Passcreator's sender domain (passcreator.com) to the permitted senders of the e-mail program.
15. Right of objection
Users may at any time object to the future processing of their personal data in accordance with the statutory provisions. The objection can be made in particular against the processing for purposes of direct marketing.
Information for end users
If you download Wallet passes (content e.g. for the Apple Wallet, third-party apps on Android or Google Pay), there's usually no direct contractual relationship between you and Passcreator. In the following we have summarised information this is relevant when using Wallet passes. When a Passcreator customer provides passes he can decide if Google Pay or a third party app should be used on Android devices. Apple Wallet is always used on iPhones. For this reason, the functionality of the three different apps is explained below.
Passes in Apple Wallet (iOS)
When you save a pass created with Passcreator in the Wallet app on your iPhone, you usually visit a website. This so-called download page uses Google Analytics, Google reCaptcha if necessary and may contain personal data. Whether personal data is included depends on how the pass issuer (this is the Passcreator customer) configures the Wallet pass. Wallet passes are small files that contain all the information needed to display the pass, such as images and text.
Once you save the Wallet pass, your iPhone sends a message to the Apple Push Notification Service (APNS) including a random ID (Device Library Identifier). This ID is also sent to Passcreator by your phone. This ID is used to update wallet passes, but it does not in any way identify you personally. If the Wallet pass contains personal information, the issuer can see if the pass has been stored on your phone. The Wallet pass information is only shared between you (your device) and Passcreator. The APNS service serves only as an intermediary to initiate communication.
If you delete the pass or disable push notifications, the APNS will notify us so that no updates will be sent to your phone from that point on.
If the issuer the Wallet pass, we will send the ID to the APNS. This in turn notifies your device that it should pick up the updated wallet pass from Passcreator.
Passes on Android (third-party apps)
The third-party apps for displaying Wallet passes on Android work as described for Apple Wallet, with the difference that Google's Push Notification service is used.
Passes on Android (Google Pay)
When you save a pass in Google Pay, that pass was previously created on the Google Pay servers (i.e. the images and text that appear on the pass are stored there). The moment you click the button to save the pass, the pass is linked to your Google Account and automatically synchronised to all devices on which you have set up Google Pay.
Valid as of August 2019