Privacy Policy for the Teveo app
We take the protection of your personal data very seriously and treat these data as confidential in compliance with the data protection regulations (GDPR, TTDSG and BDSG new). This Privacy Policy applies to our mobile iPhone and Android apps (hereinafter referred to as “App”). It describes the nature, purpose and scope of data collection associated with the use of the app.
Controller for data processing:
TEVEO GmbH
Dr.-Zumach-Ring 6
91522 Ansbach, Germany
Email: service@teveo.com
Phone number: +49 9872 438 96 64
The company’s external data protection officer is
Nico Becker
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Email: anfragen@projekt29.de
Phone: 0941-2986930
1. General
When you use the app, we process personal data concerning you. “Personal data” refers to all information concerning an identified or identifiable natural person. Because we are concerned with protecting your privacy while using the app, we would like to inform you in the following sections regarding which of your personal data we process when you use the app and how we handle these data. In addition, we inform you of the legal basis for processing of your data and, insofar as processing is necessary to protect our legitimate interests, we also inform you of our legitimate interests.
2. Encryption
For security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as an app operator, or for communication between app users, this app uses encryption. This encryption prevents unauthorised third parties from reading the data you have submitted.
3. Information about the processing of your data
Certain information is automatically processed as soon as you use the app. In the following, we provide you with an outline of exactly which personal data are processed:
3.1. Information collected when downloading
When you download the app, certain required information is transmitted to the app store you have chosen (e.g. Google Play or Apple App Store). In particular, this may involve processing your username, email address, customer number of your account, time of download, payment information and individual device identifier. The processing of these data is carried out exclusively by the specific app store and falls outside our sphere of influence.
3.2. Information collected automatically
When you use the app, we collect certain data automatically that are required for the use of the app. These include:
- Internal device ID
- Version of your operating system
- Time of access
These data are automatically processed for the following reasons:
- Providing the app environment
- Improving the app
- Preventing malfunctions
This data processing is justified by the fact that the processing is necessary for the performance of the contract between you as data subject and us, pursuant to Art. 6 (1) (b) GDPR, for the use of the app, and we also have a legitimate interest in ensuring the functionality and faultless operation of the app and offering a service oriented to the market and customer interests that overrides your rights and interests in the protection of your personal data as defined by Art. 6 (1) (f) GDPR.
3.3. Rights of access for the app
In order to offer our services through the app, we require the access rights listed below, which enable us to access specific functions on your device:
- Photos
- Videos
- Camera
- Location
Access to these device functions is required in order to ensure the functionality of the app. The legal basis for this data processing is our interest pursuant to Art. 6 (1)(f) GDPR, your consent pursuant to Art. 6 (1)(a) GDPR and Section 25 (1) TTDSG, and – if a contract was concluded – for the performance of our contractual obligations (Art. 6 (1)(b) GDPR).
3.4. Creating a user account (registration) and logging in
You always have the option of using the app as a guest and thus of using the app without providing personal data. However, some features are restricted as a result: e.g. participation in contests and campaigns.
When you create a user account or log in, we use your access details such as email address and password to enable you to access and manage your user account. Mandatory information is marked with an asterisk during the registration process and is required in order to establish a usage contract. If you do not provide these data, you cannot create a user account. Your user details are the same access details as for the Teveo shop. We process the following data for registration:
- Gender
- Last name, first name
- Email address
For the order process, we process the following information:
- Address
- Payment information
You can also provide some additional information voluntarily:
- Preferred size
- Date of birth
The processing of these personal data is required in order to ensure the functionality of the app. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1)(f) GDPR, your consent pursuant to Art. 6 (1)(a) GDPR and Section 25 (1) TTDSG, and – if a contract was concluded – for the performance of our contractual obligations (Art. 6 (1)(b) GDPR).
4. Receipt of notifications (push notifications)
In the app, you have the option of activating “push notifications” (push technology or server push refers to a type of communication in which data are transmitted even though the receiving app is running in the background). With “push notifications” you can be informed, for example, if news is available in a news channel that contains information for you. You can configure this option using the tab bar in the app under the “Settings” icon and activate/deactivate notifications separately for each service (channel, comments and chat).
To enable “push notifications”, based on your identification data regarding activation or deactivation of “push notifications” for each service and the activation or deactivation of “push notifications” in general, we save push tokens on your mobile end device (only if at least one “push notification” is active).
This storage is only visible for the specific app user who is logged in. The storage of these personal data in the context of “push notifications” occurs for the purpose of helping app users stay informed. The collected personal data is not evaluated in any manner exceeding the described purposes of use.
The basis for data processing is your consent in the context of voluntary use of this service in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG.
5. Services and data analysis
In order to provide the app and certain functions, we have integrated external services. We have concluded corresponding processing agreements with these service providers pursuant to Art. 28 GDPR.
When you access our app, your behaviour may be statistically evaluated using certain analysis tools and analysed for the purpose of advertising, market research or improving our services. When using such tools, we ensure compliance with the statutory data protection regulations. When using external service providers (contract processors), we establish corresponding contracts with the providers to ensure that data processing is carried out subject to the German and European data protection standard.
Google Firebase
In our app, we use the “Google Firebase” service, an analysis and monitoring tool provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as well as Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) (“Google”). When using Google Firebase, Google processes identifiers for mobile devices on our behalf, including Mobile Advertising IDs, Analytics App Instance IDs, IDFVs/Android IDs and Instance IDs.
In our app, the following functions of Google Firebase are used:
Analytics: This function uses identifiers for mobile devices and technologies similar to cookies that analyse user behaviour (e.g. your screen accesses, pressing buttons, in-app purchases or the effectiveness of advertising measures) in the app. In this manner, we can continue to develop our app and advertising measures based on the needs of our users. You can find more information about data collection here: https://support.google.com/firebase/answer/6318039?hl=de
Crashlytics: This function enables us to perform technical analysis about crashes. In this context, various data (e.g. the time stamp of when the app was launched and when the crash occurred) are processed that enable us to diagnose and resolve problems with our app. These data may also contain personal data in the specific case (e.g. pseudonymised device IDs). These personal data are not brought together with your other profile information.
Performance monitoring: This creates and analyses reports about the network behaviour on our app to improve the stability of the infrastructure and thus the performance of our app. This monitoring only considers the network behaviour between the app and its own endpoints that are accessible over the Internet. In this way, we determine information such as the average launch time for the app.
Dynamic links: This enables and optimises the sharing of content from the app by the user via the Share function.
Remote config personalisation (predictions): This function applies machine learning to the analysis data collected by Google Firebase in order to create dynamic user segments in the app based on the predicted behaviour of our app users.
In-app messaging: This is used to send in-app messages (notifications/campaigns that are only displayed in the specific app). For this purpose, a pseudonymised push reference is assigned to the mobile device that acts as the “destination” for the in-app message.
The use of this service is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG. You may withdraw your consent at any time with future effect using the settings in our app and under Settings/Firebase.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.
Google is also certified under the “EU-US Data Privacy Framework” (DPF). DPF is an agreement between the European Union and the USA which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under DPF commits to observing these data protection standards.
Depending on the purpose, the data transmitted to Google are erased within 60 days and subsequently used by us only in anonymised form, that is, without reference to persons.
You can find the Firebase Privacy Policy at https://firebase.google.com/support/privacy/.
TikTok Pixel
On our website, we use the TikTok Pixel. The TikTok Pixel is a TikTok advertiser tool from the two providers:
- TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and
- TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (both are referred to jointly in the following as “TikTok”).
The TikTok Pixel is a JavaScript code fragment that enables us to understand and track the activity of users on our website. For this purpose, the TikTok Pixel collects and processes information about the visitors to our website or the devices they use (known as event data).
The event data collected by the TikTok Pixel are used for targeting our adverts and for improving advert delivery as well as for personalised marketing. To this end, the event data collected on our website using the TikTok Pixel are transmitted to TikTok.
Some of these event data are information saved in the end device that you are using. The TikTok Pixel also involves the use of cookies that save information on the end device that you are using. Such storage of information by the TikTok Pixel or access to information already saved in your end device only occurs with your consent. The use of this service is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG. Your consent can be revoked at any time.
This collection and transfer of event data is carried out by us and TikTok as joint controllers pursuant to Art. 26 GDPR. We have established an agreement with TikTok regarding processing as joint controllers which stipulates the distribution of data protection obligations between us and TikTok. In this agreement, we have agreed to the following with TikTok:
- that we are responsible for providing you with all information pursuant to Art. 13, 14 GDPR regarding joint processing of personal data;
- that TikTok is responsible for enabling data subjects to assert their rights pursuant to Art. 15 to 20 GDPR against Facebook Ireland after the joint processing of saved personal data.
You can access the agreement concluded between us and TikTok at https://ads.tiktok.com/i18n/official/article?aid=300871706948451871 .
TikTok is the sole controller for the subsequent processing of the transmitted event data after transmission. You can find more information about how TikTok processes personal data, including the legal basis on which TikTok bases its processing, and the options for exercising your rights against TikTok, in TikTok’s Privacy Policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.
Facebook Conversion API
We have integrated the service of Facebook Conversion API. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, however, the collected data are also transmitted to the USA and other third countries.
Facebook Conversion API enables us to record the interactions of website visitors with our website and forward them to Facebook in order to improve Facebook’s marketing performance.
For this purpose, in particular, the time of access, website accessed, your IP address and your user agent are collected along with other specific data if necessary (e.g. purchased products, value of basket and currency). A complete overview of the collected data can be found here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.
The use of this service is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG. Your consent can be revoked at any time.
To the extent that personal data is collected on our website using the tool described here and transmitted to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Article 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its disclosure to Facebook. The processing that occurs after the data is transferred to Facebook is not part of the joint responsibility. The obligations incumbent on us jointly were set out in a joint processing agreement. The full text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for ensuring the legally compliant implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can exercise your data subject rights (such as requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.
Data transmission to the USA is based on the adequacy agreement and certification of Meta for the Data Privacy Framework Program.
You can find additional information about the protection of your privacy in Facebook’s Privacy Policy: https://de-de.facebook.com/about/privacy/.
Klaviyo
This website uses the services of Klaviyo to distribute newsletters. The provider is Klaviyo, 225 Franklin St, Boston, MA 02110, USA.
Klaviyo is a service used to organise and analyse newsletter distribution. When you enter data for the purpose of subscribing to the newsletter (for example, your email address), it will be stored on Klaviyo’s servers in the United States.
Klaviyo helps us to analyse our newsletter campaigns. If you open an email sent using Klaviyo, a file contained in the email (known as a web beacon) connects you with the Klaviyo servers in the USA. This makes it possible to determine whether a newsletter message was opened and which links were clicked on. In addition, technical information will be collected (such as time of access, IP address, browser type, and operating system). This information cannot be attributed to the specific newsletter recipient. It is only used for statistical analysis of newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to the interests of recipients.
If you do not want your data to be analysed by Klaviyo, you will need to unsubscribe from the newsletter. We provide a link for this purpose in every newsletter email. Data processing is carried out based on your consent (Article 6(1)(a) of the GDPR). You can withdraw this consent at any time by unsubscribing from the newsletter. The lawfulness of the data processing operations that have already occurred will be unaffected by this withdrawal.
The data you provide for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe, after which it will be deleted from the newsletter distribution list. Data which we saved for other purposes remain unaffected by this.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission.
You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/. The company is also certified under the “EU-US Data Privacy Framework” (DPF).
After you are removed from the newsletter mailing list, your email address may be saved on a blacklist by us or the newsletter provider if this is required in order to prevent future mailings. The data from the blacklist is used only for this purpose and is not merged with other data. This serves both your interest and our own interest in complying with the legal requirements when mailing newsletters (legitimate interest within the meaning of Article 6(1)(f) GDPR). Storage in the blacklist occurs for an unlimited period of time. You can object to this storage to the extent that your interests outweigh our legitimate interest.
You can find more details in the Privacy Policy of Klaviyo at: https://www.klaviyo.com/legal/privacy-notice
We have entered into a data processing agreement (DPA) with the aforementioned provider in accordance with Article 28 of the GDPR. This is a contract required by data protection law which ensures that the processor only processes the personal data of our website visitors based on our instructions and in compliance with the GDPR.
branch.io
We use Branch Metrics (Branch.io), operated by Branch Metrics, Inc., 1400 Seaport Blvd, Building B, 2nd Floor, Redwood City, CA 94063, USA.
The purpose of collecting and using these data is to review and optimise our marketing campaigns and product information, and to optimise our app and services. This service makes it possible to generate targeted smart links for content within our app in order to directly link this content outside the app.
For example, if you would like to use our app but have not installed it on your smartphone, Branch.io makes it possible to forward you to the store of the relevant provider of your smartphone operating system. Branch.io generates a user-specific hyperlink for this purpose. In order to ensure improvement of user management, Branch.io collects the operating system and version, time stamp, API key (identification key of the application), application version, device model, manufacturer and identification number, iOS identification key for advertising, iOS identification key for vendors, Android identification key for advertising, IP address and network status. The abovementioned data, in particular the IP address, are exclusively used for the purpose of generating a link to our apps and only used for a limited period of time. Under certain circumstances, Branch.io uses cookies.
The legal basis for processing is your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TTDSG.
You can find the purpose and scope of data collection and the purpose of data by Branch Metrics, along with your rights in this context, in the Privacy Policy of Branch Metrics: https://branch.io/policies/#privacy.
An agreement for contract data processing pursuant to Art. 28 GDPR was established with Branch Metrics, Inc. as well as an agreement on standard contractual clauses adjusted for our purposes. The European Commission has issued an adequacy decision for the United States, provided that companies are certified according to the Data Privacy Framework programme. Branch Metrics is certified accordingly and thus fulfils the requirements of the EU Commission.
6. Transfer and transmission of data
Apart from the cases explicitly named in this Privacy Policy, your personal data will only be transferred without your express prior consent if this is permitted or required by law. This may be the case, for instance, if processing is required in order to protect vital interests of the user or another natural person.
6.1. Misuse or violation of laws
If necessary for resolution of unlawful or improper use of the app or for prosecution, personal data will be transferred to the law enforcement authorities or other authorities, as well as to damaged third parties or legal advisors where relevant. However, this only occurs if there are reasons to suspect unlawful or improper behaviour. Data may also be transferred if this assists with enforcing the terms of use or other legal claims. In addition, we are legally obligated to provide information to certain public entities on request. These include law enforcement authorities, authorities that pursue administrative penalties, and the fiscal authorities.
Any potential transfer of personal data is justified by the fact that processing is necessary to fulfil a legal obligation to which we are subject pursuant to Art. 6 (1) (f) GDPR in conjunction with national legal regulations concerning the transfer of data to law enforcement authorities, or if we have a legitimate interest in transferring the data to the abovementioned third parties if there is reason to suspect improper conduct or to enforce our terms of use, other conditions or legal claims, and your rights and interests in protecting your personal data pursuant to Art. 6 (1) (f) GDPR do not override this interest.
6.2. Ongoing development
In the course of the ongoing development of our business, it is possible that the structure of our company will be transformed by changing the legal form, or by founding, buying or selling business units or components. During such transactions, customer information may need to be transferred along with the part of the business that is being transferred. For each disclosure of personal data to third parties in the scope described above, we ensure that this occurs in harmony with this Privacy Policy and the applicable data protection laws.
Any potential transfer of personal data is justified by the fact that we have a legitimate interest in adapting our company form to the commercial and legal circumstances as needed, and your rights and interests in protecting your personal data pursuant to Art. 6 (1) (f) GDPR do not override this interest.
7. Changes of purpose
Your personal data will only be processed for purposes other than the indicated purposes if this is permitted by legal regulations or you have consented to the modified purpose of data processing. In case of further processing for other purposes than those for which the data were originally collected, we will inform you about these other purposes before further processing and provide you with all additional material information in this regard.
8. Duration of storage
We erase or anonymise your personal data as soon as they are no longer required to fulfil the purposes for which we collected or used them according to the above clauses. As a rule, we save your personal data for the duration of usage or contract relationship through the app, plus a period of [7] days, during which we retain backup copies after erasure, unless these data are required for longer periods due to criminal prosecution or for safeguarding, asserting or enforcing legal claims.
Specific statements in this Privacy Policy or legal requirements for the retention and erasure of personal data, in particular data which we are required to retain for tax purposes, remain unaffected.
9. Your rights as data subject
9.1. Right to access information
You have the right to demand access at any time to the personal data we have processed concerning you, within the scope of Art. 15 GDPR. To do so, you can send a request by mail or email to the address indicated below.
9.2. Right to rectification of inaccurate data
You have the right to demand that we promptly correct your personal data if they are inaccurate. For this purpose, please contact us using the addresses listed below.
9.3. Right to erasure
You have the right, subject to the requirements described in Art. 17 GDPR, to demand that we erase your personal data. In particular, these requirements include a right to erasure if the personal data are no longer required for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or an obligation of erasure under European Union law or the laws of the member state which we are obligated to observe. Regarding the duration of data storage, see also Clause 5 of this Privacy Policy. To exercise your right of erasure, please contact us using the addresses listed below.
9.4. Right to restriction of processing
You have the right to request us to restrict processing according to Art. 18 GDPR. This right applies particularly if the accuracy of the personal data is disputed between the user and us, for the period it takes to review accuracy, as well as in the case that the user requests restricted processing instead of erasure where a right to erasure exists; furthermore for the case in which the data are no longer required for our intended purposes, yet the user requires the data for the assertion, exercise or defence of legal claims, and if successful assertion of an objection between us and the user is still in dispute. To exercise your right to restriction of processing, please contact us using the addresses listed below.
9.5. Right to portability of data
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format according to Art. 20 GDPR. To exercise your right of data portability, please contact us using the addresses listed below.
10. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data that occurs on the basis of Art. 6 (1) (e) or (f) GDPR, in accordance with Art. 21 GDPR. We will discontinue the processing of your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if processing is necessary for the assertion, exercise or defence of legal claims.
11. Right to lodge a complaint
You also have the right to lodge a complaint with the responsible supervisory authority. The responsible supervisory authority is:
Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Fax: +49 (0) 981 180093-800
Email: poststelle@lda.bayern.de
12. Changes to this Privacy Policy
We always keep this Privacy Policy up to date. For this reason, we reserve the right to change it from time to time and add changes to the collection, processing or use of your data. The latest version of the Privacy Policy is always available within the app.