Privacy Policy
This is an automated translation of the original German version. In case of discrepancies, the German version shall prevail.
This privacy policy informs you about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR; German: DSGVO) and the Federal Data Protection Act (BDSG).
Caya GmbH (hereinafter referred to as "we" or "us") is responsible for data processing.
Have you discovered a security risk?
Please contact our security team directly: security@getcaya.com
I. General information
1. Contact
If you have any questions or suggestions regarding this information or would like to contact us about asserting your rights, please send your enquiry to:
Caya GmbH
Ritterstr. 24-27, 10969 Berlin
E-mail: hello@getcaya.com
2. Legal Basis
The data protection term "personal data" refers to any information relating to an identified or identifiable individual. We process personal data in compliance with the applicable data protection regulations, particularly the GDPR (General Data Protection Regulation) and the BDSG (Federal Data Protection Act). We process personal data only on the basis of a legal authorization: with your consent (§ 15 para. 3 TMG or Art. 6 para. 1 lit. a GDPR), to fulfill a contract to which you are a party, or at your request to take steps prior to entering into a contract (Art. 6 para. 1 lit. b GDPR), to fulfill a legal obligation (Art. 6 para. 1 lit. c GDPR), or when the processing is necessary for the purposes of legitimate interests pursued by us or by a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data override those legitimate interests (Art. 6 para. 1 lit. f GDPR).
3. Retention Period
Unless otherwise stated in the following sections, we will retain the data only for as long as necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise, in particular, from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain personal data included in our accounting records for ten years, and personal data in business correspondence and contracts for six years. In addition, we will retain data related to documented consents and claims for complaints and receivables for the duration of the statutory limitation periods. Data stored for advertising purposes will be deleted if you object to the processing for such purposes.
4. Data Transfer to Third Countries
Visiting our website or using our services may involve the transfer of certain personal data to third countries, i.e., countries where the GDPR is not applicable. Such transfers take place in a permissible manner if the European Commission has determined that an adequate level of data protection exists in the third country. If such an adequacy decision from the European Commission is not in place, the transfer of personal data to a third country will only occur if there are appropriate safeguards in place according to Art. 46 GDPR or if one of the conditions in Art. 49 GDPR is met.
Unless otherwise stated, we use the EU Standard Contractual Clauses as appropriate safeguards for transferring personal data to third countries. You have the right to obtain a copy of these EU Standard Contractual Clauses or review them. Please contact the address provided under the "Contact" section for more information.
If you consent to the transfer of personal data to third countries, the transfer will be based on the legal grounds of Art. 49 para. 1 lit. a GDPR.
5. Categories of Recipients of the Data
We use processors in the processing of your data. The processing activities carried out by such processors include, for example, hosting, email distribution, IT system maintenance and support, customer and order management, scanning services, communication services, order processing, accounting and billing, marketing activities, or the destruction of files and data carriers. A processor is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but perform the data processing exclusively for the controller and are contractually obligated to ensure appropriate technical and organizational measures for data protection. Additionally, we may share your personal data with entities such as postal and delivery services, our bank, tax advisors/auditors, or the tax authorities. Further recipients may arise from the following sections.
6. Processing in Exercising Your Rights
When you exercise your rights under Articles 15 to 22 of the GDPR, we process the personal data you provide in order to implement these rights and to be able to demonstrate compliance with them. Data stored for the purpose of providing information and preparing it will be processed only for this purpose and for purposes of data protection oversight; otherwise, we restrict processing in accordance with Art. 18 GDPR.
This processing is based on the legal grounds of Art. 6 para. 1 lit. c GDPR in conjunction with Articles 15 to 22 GDPR and § 34 para. 2 BDSG.
7. Your Rights
As a data subject, you have the right to assert your rights under data protection law against us. In particular, you have the following rights:
- You have the right, under Art. 15 GDPR and § 34 BDSG, to request information about whether and, if so, to what extent we process personal data concerning you.
- You have the right to request the correction of your data under Art. 16 GDPR.
- You have the right to request the deletion of your personal data under Art. 17 GDPR and § 35 BDSG.
- You have the right to request the restriction of processing of your personal data under Art. 18 GDPR.
- You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit these data to another controller under Art. 20 GDPR.
- If you have given us separate consent for the data processing, you may withdraw this consent at any time according to Art. 7 para. 3 GDPR. The withdrawal will not affect the legality of the processing based on the consent before the withdrawal.
- If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority under Art. 77 GDPR.
8. Right to Object
You have the right, under Art. 21 para. 1 GDPR, to object to processing based on Art. 6 para. 1 lit. e or f GDPR, for reasons arising from your particular situation. If we process your personal data for direct marketing purposes, you may object to such processing in accordance with Art. 21 para. 2 and 3 GDPR.
9. Data Protection Officer
You can contact our Data Protection Officer at the following contact details:
Email: datenschutz@getcaya.com
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg
https://www.datenschutzkanzlei.de
II. Data Processing on Our Website
When you use our website, we collect information that you provide yourself. Additionally, certain information about your website usage is automatically collected during your visit. Under data protection law, IP addresses are generally also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider to enable it to send and receive data.
1. Processing of Server Log Files
When you use our website purely for informational purposes, general information that your browser automatically transmits to our server is initially stored. This includes, by default, browser type/version, operating system, requested page, the previously visited page (referrer URL), IP address, date and time of the server request, and HTTP status code. Processing occurs to protect our legitimate interests and is based on Article 6(1)(f) of the GDPR. This processing serves the technical administration and security of the website. The stored data will be deleted after thirty days unless concrete indications of unlawful use require further examination and processing. We are not able to identify you as a data subject based on the stored information. Therefore, Articles 15 to 22 of the GDPR do not apply in accordance with Article 11(2) of the GDPR, unless you provide additional information that enables us to identify you in order to exercise your rights under these articles.
2. Cookies
We use cookies and similar technologies ("Cookies") on our website. Cookies are small data sets stored by your browser when you visit a webpage. They mark the browser in use and allow it to be recognized by web servers. You have full control over cookie use via your browser settings, where you can delete cookies at any time. You can generally refuse cookies or block them in certain cases through your browser settings.
Some cookies are technically necessary for the operation of our website and are therefore permissible without user consent. Additionally, we may use cookies to offer specific functions and content and for analysis and marketing purposes. This may also include third-party cookies. We use non-essential cookies only with your consent in accordance with Article 6(1)(a) of the GDPR. Information on the purposes, providers, technologies, stored data, and storage duration of individual cookies can be found in the cookie settings of our consent management tool, accessible at any time at the bottom of www.caya.com under "Cookie Settings."
3. Consent Management Tool
This website uses a consent management banner to control cookies. The consent banner allows users to consent to specific data processing activities or withdraw previously given consent. By clicking “Accept All” or saving individual cookie settings with “Save Selection,” you consent to the use of associated cookies. The legal basis is your consent under Article 6(1)(a) of the GDPR.
The banner also helps us provide proof of the declaration of consent. For this purpose, we process information about the declaration of consent and other log data related to it, using cookies to gather this data.
The processing of this data is necessary to provide evidence of the consent given. The legal basis is our legal obligation to document your consent (Article 6(1)(c) in conjunction with Article 7(1) of the GDPR).
4. Contact Options and Inquiries
Our website includes various contact forms through which you can send us messages. The transfer of your data is encrypted (as indicated by "https" in the browser address bar). All fields marked as required are essential to process your request. Without these, we cannot handle your inquiry. Additional data provision is voluntary. We use the service Typeform (TYPEFORM/Spain) to provide forms for our customers, which help us gather the data needed to process orders and/or customer inquiries. When these forms are used, customer data is transmitted to Typeform so we can associate it with your order. Typeform acts as our data processor and is not permitted to use this information for its own purposes. When using Typeform, data may be transferred to TYPEFORM US LLC in the USA. For further information, please refer to the "Data Transfer to Third Countries" section. Additional details on Typeform's processing of customer data can be found in their Privacy Policy here: https://admin.typeform.com/to/dwk6gt/.
Alternatively, you can contact us via the contact email provided. We process data to respond to your inquiry. If your inquiry relates to entering into or performing a contract with us, the legal basis for processing is Article 6(1)(b) of the GDPR. Otherwise, we process data based on our legitimate interest in contacting inquiring individuals, with Article 6(1)(f) of the GDPR as the legal basis.
If you send us a message via the contact email provided, we will process the data to respond to your inquiry.
5. Applications
You have the option to apply through the Careers section on our website. In doing so, we collect personal data from you, which includes your name, resume, cover letter, and other content you provide. We use Join, a service provider based in Switzerland, to manage our applications. Join acts as a data processor for us, following our instructions. Data transfer to Switzerland cannot be ruled out, but the country has an adequacy decision under Article 45 of the GDPR, ensuring an adequate level of protection. Your application data is processed exclusively in relation to your interest in current or future employment with us. Your online application is only handled and reviewed by relevant personnel, all of whom are bound by confidentiality obligations regarding your data. If we cannot offer you employment, we retain your data for up to six months after the application process to answer questions related to your application and rejection, unless legal requirements prevent deletion, further storage is needed for evidence, or you have expressly agreed to extended retention.
The legal basis for data collection is Section 26(1) sentence 1 BDSG. If we retain your applicant data for more than six months and you have given explicit consent, please note that this consent can be withdrawn at any time per Article 7(3) of the GDPR. Withdrawal does not affect the legality of processing based on consent before its withdrawal.
6. Google Tag Manager
We use Google Tag Manager from Google Ireland Limited (Ireland/EU) to manage our website tags via an interface. Google Tag Manager is a cookie-free domain that does not collect or store personal data. It merely triggers other tags, which may in turn collect data; Google Tag Manager itself does not access this data. Any deactivation at the domain or cookie level (e.g., through the consent management tool) will apply to all tracking tags implemented via Google Tag Manager.
For Google services, data transfer to Google Inc. in the USA or other countries where Google Ireland or its subprocessors operate cannot be ruled out. Please refer to the “Data Transfer to Third Countries” section for more information.
Further information on Google’s privacy practices can be found in Google’s Privacy Policy: https://policies.google.com/privacy.
7. Statistics
a. Google Analytics
We use Google Analytics, a service provided by Google Ireland Limited (Google Ireland/EU), on our website. Google Analytics is a web analytics service that allows us to collect and analyze data on visitor behavior on our website. For this purpose, Google Analytics uses cookies, which enable the analysis of website usage. Personal data is processed in the form of online identifiers (including cookie IDs), IP addresses, device identifiers, and information about interaction with our website. Some of this data includes information stored on your device, and additional information is stored through cookies. Google Analytics can only store information or access information on your device with your consent. Google Ireland processes the data collected in our interest, helping us evaluate website use, compile reports on website activities, and provide further services related to website and internet usage. These processed data may be used to create pseudonymized user profiles. We use the Google Analytics 4 version, which enables tracking of user interaction data across different devices and sessions, providing a fuller picture of user behavior and long-term relationships.
We use Google Analytics with IP anonymization enabled, which means that user IP addresses are truncated by Google Ireland within member states of the European Union or other signatory states to the European Economic Area Agreement. The IP address transmitted by the user’s browser is not combined with other data.
Further details on these processing activities, technologies used, data storage, and retention period can be found in our Consent Management Tool settings and in Google’s Privacy Policy at https://policies.google.com/privacy.
The use of cookies and the personal data processing described here only occurs with your consent. Therefore, the legal basis for this data processing is Art. 6(1)(a) GDPR. You may revoke this consent at any time with future effect. You can also prevent the collection of information generated by the cookie by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout.
With Google services, data transfers to Google Inc. in the USA and countries where Google Ireland or its subprocessors operate facilities cannot be ruled out. Please refer to the "Data Transfer to Third Countries" section for further information.
b. Hotjar
We use the service Hotjar, provided by Hotjar Ltd. (Malta/EU), on our website. Hotjar enables us to analyze movements on our website through so-called "heatmaps." For instance, we can see how far users scroll and which buttons are clicked. Additionally, the tool allows us to collect direct user feedback, helping us to make our website faster and more user-friendly.
Hotjar allows us to see which buttons are clicked, mouse movements, scrolling depth, device screen size, device type, and browser information. We also receive information about your geographic location (country) and preferred website display language. Areas of our website that display personal data are automatically excluded from Hotjar’s analysis.
Hotjar uses cookies and other technologies to collect data on user behavior and devices, particularly the device’s IP address (captured and stored in anonymized form only), screen size, device type (unique device identifiers), browser information, location (country only), and preferred website display language. The use of cookies and the described data processing only occurs with your consent. The legal basis for this data processing is Art. 6(1)(a) GDPR. You may revoke this consent at any time with future effect. Further details on these processing activities can be found in our Consent Management Tool settings and in Hotjar’s Privacy Policy at https://help.hotjar.com/hc/en-us/sections/115003180467-Data-Privacy.
8. Tracking & Retargeting
a. Segment.io
This website uses software from Segment, a service by Segment.io Inc. (USA). Segment.io helps us manage data collected by the third-party tools described below, creating pseudonymized user profiles. These profiles are used to analyze visitor behavior in order to improve our offerings. Cookies are used for this purpose. For more information, please see the Segment.io Privacy Policy at https://segment.com/legal/privacy/.
The use of Segment.io only occurs with your consent, as per Art. 6(1)(a) GDPR. Data transfer to the USA cannot be ruled out. Please refer to the "Data Transfer to Third Countries" section for further information.
b. Google Marketing Services
We use the marketing service Google Ads Conversions from Google Ireland Limited (Ireland/EU). Google Ads enables us to place relevant ads in the Google ad network (e.g., in search results or on other websites), improve campaign reporting, and avoid repetitive ads for users. Each Ads customer receives a different conversion cookie, so cookies cannot be tracked across websites of different Ads customers. Cookie IDs allow us to monitor ad display and prevent repeat campaigns. Conversions, such as when a user views an ad and later visits the advertiser’s website to make a purchase, can also be tracked with cookie IDs.
Remarketing allows us to reach users who have previously interacted with our website by displaying ads to this audience on Google or Google network sites. For this purpose, a code is executed when our website is accessed, embedding (re)marketing tags. These tags place a unique cookie on the user’s device, marking sites visited, interests, and actions taken. Technical data about the browser, operating system, referring websites, and visit time are also recorded. User data is processed pseudonymously, without direct user identification, meaning ads are not targeted to a specific individual but rather to the cookie holder.
For further details on these processing activities, technologies, data storage, and retention period, see our Consent Management Tool settings and Google’s Privacy Policy at https://policies.google.com/privacy.
Google Marketing Services usage only occurs with your consent, as per Art. 6(1)(a) GDPR. You may opt out of cross-device remarketing/targeting by deactivating personalized advertising in your Google account at https://www.google.com/settings/ads/onweb/.
Data transfers to Google Inc. in the USA and countries where Google Ireland or its subprocessors operate cannot be ruled out. Please see the "Data Transfer to Third Countries" section.
c. Microsoft Ads
We use Microsoft Advertising (formerly Bing Ads) from Microsoft Ireland Operations Limited (Microsoft Ireland/EU) on our website. Microsoft Advertising is an online marketing service that helps us target ads via Microsoft Bing search engines using the Universal Event Tracking (UET) tool. Microsoft Advertising uses cookies to process online identifiers (including cookie IDs), IP addresses, device identifiers, and information about device and browser settings.
Microsoft Advertising collects data via UET, allowing us to track audiences through remarketing lists. A cookie is stored on the device when our website is visited, enabling us to recognize users who later see our ads on Bing or Yahoo.
This information also helps create conversion statistics, showing how many users reach our website after clicking an ad. However, we receive no personally identifiable information.
The use of cookies and the described data processing only occurs with your consent. Therefore, the legal basis for data processing in connection with Microsoft Advertising is Art. 6(1)(a) GDPR. Data transfer to the USA cannot be ruled out. Please refer to the "Data Transfer to Third Countries" section.
d. Facebook Pixel
We use the Facebook Pixel on our website, a Facebook Business tool from Meta Platforms Ireland Limited (“Meta,” Ireland/EU). For information on Meta's contact details and the Data Protection Officer's contact details, please refer to Meta’s data policy at https://www.facebook.com/about/privacy.
The Facebook Pixel is a JavaScript code snippet that enables us to track visitor activity on our website. This tracking is called Conversion Tracking. The Facebook Pixel collects and processes the following information (known as Event Data):
- Information on actions and activities taken by visitors on our website, such as searching for and viewing a product or making a purchase;
- Specific Pixel information, such as the Pixel ID and Facebook Cookie;
- Information on buttons clicked by visitors on the website;
- Information in HTTP headers, like IP addresses, browser details, page location, and referrer;
- Information about the status of ad tracking disablement/restriction.
Some of this Event Data includes information stored on your device. The Facebook Pixel also uses cookies to store information on your device. Any storage of information by the Facebook Pixel or access to information already stored on your device only occurs with your consent.
Tracked conversions appear on our Facebook Ads Manager dashboard and Facebook Analytics. We can use the tracked conversions to measure the effectiveness of our ads, set up Custom Audiences for ad targeting, create Dynamic Ads campaigns, and analyze the effectiveness of our website's conversion funnels. Below, we describe the functions we use through the Facebook Pixel in more detail.
Processing of Event Data for Advertising Purposes
The Event Data collected via the Facebook Pixel is used to target our ads, improve ad delivery, personalize features and content, and enhance the security and quality of Facebook products. Event Data is collected on our website via the Facebook Pixel and transmitted to Meta Platforms Ireland Limited. This only occurs if you have given your consent. The legal basis for collecting and transmitting personal data to Facebook Ireland is therefore Art. 6(1)(a) GDPR.
The collection and transmission of Event Data are carried out by us and Meta Platforms Ireland Limited as joint controllers. We have entered into a joint controller agreement with Meta Platforms Ireland Limited, which establishes the allocation of data protection obligations between us and Meta Platforms Ireland Limited. In this agreement, we and Meta Platforms Ireland Limited have agreed that:
- We are responsible for providing you with all necessary information under Art. 13, 14 GDPR regarding the joint processing of personal data;
- Meta Platforms Ireland Limited is responsible for enabling data subject rights under Art. 15 to 20 GDPR concerning the personal data stored by Facebook Ireland following joint processing.
You can access the joint controller agreement between us and Meta Platforms Ireland Limited at https://www.facebook.com/legal/controller_addendum.
For the subsequent processing of the transmitted Event Data, Meta Platforms Ireland Limited is the sole controller. For more information on how Meta Platforms Ireland Limited processes personal data, including the legal basis used by Meta Platforms Ireland Limited and options for exercising your rights, please refer to Meta's data policy at https://www.facebook.com/about/privacy.
Processing of Event Data for Measurement Solutions and Analytics Services
We have also engaged Meta Platforms Ireland Limited to generate reports on the effectiveness of our advertising campaigns and other online content (campaign reports) based on Event Data collected via the Facebook Pixel and to create analyses and insights on user behavior on our website, products, and services (analytics). For this purpose, we transmit personal data included in the Event Data to Meta Platforms Ireland Limited. Meta Platforms Ireland Limited processes the transmitted personal data on our behalf to provide us with the campaign reports and analytics. Processing of personal data for analytics and campaign reports only occurs if you have given your prior consent. The legal basis for this data processing is therefore Art. 6(1)(a) GDPR.
The data processed on our behalf is transmitted by Meta Platforms Ireland Limited to Meta Platforms, Inc. in the USA. Meta Platforms Ireland Limited transmits data to Meta Platforms, Inc. based on the standard contractual clauses for processor-to-processor transfers, while reserving the right to use an alternative transfer method recognized by the GDPR and other applicable data protection laws in the European Economic Area, the United Kingdom, and Switzerland.
e. LinkedIn Conversion Tracking
We use the LinkedIn Insight Tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (Ireland/EU). For information on LinkedIn Ireland's contact details and the contact details of LinkedIn Ireland's Data Protection Officer, please refer to LinkedIn's data policy at https://www.linkedin.com/legal/privacy-policy.
The LinkedIn Insight Tag is a JavaScript code snippet that is triggered by LinkedIn when our website is accessed and places a cookie on your device. Storage of information by the LinkedIn Insight Tag or access to information already stored on your device, as well as further processing of personal data in connection with the LinkedIn Insight Tag, only occurs with your consent. The legal basis for collecting and transmitting personal data to LinkedIn Ireland is therefore Art. 6(1)(a) GDPR.
Through the LinkedIn Insight Tag, we can execute various functions, which are described in detail below. LinkedIn Conversion Tracking is an analytics feature supported by the LinkedIn Insight Tag. The LinkedIn Insight Tag collects data on website visits, including URL, referrer URL, IP address, device and browser characteristics (user agent), and timestamp. IP addresses are truncated or hashed (if used to identify members across devices). LinkedIn does not provide us with personal data but only reports (in which you are not identified) on website audience and ad performance. This allows us to measure the effectiveness of LinkedIn ads for statistical and market research purposes.
LinkedIn removes direct identifiers of members within seven days to pseudonymize the data. LinkedIn then deletes the remaining pseudonymized data within 180 days.
This processing is conducted to gather information on our website audience and obtain reports on the effectiveness of LinkedIn campaigns.
We also use the "Matched Audiences" service to target our ad campaigns to specific audiences. LinkedIn Matched Audiences and related data integrations allow us to target ads to specific audiences based on data we provide to LinkedIn (e.g., company lists, hashed contact information, device identifiers, or event data such as visited websites).
This processing is done to market our offerings through targeted ad delivery.
We have entered into a joint controller agreement with LinkedIn, which defines the allocation of data protection responsibilities between us and LinkedIn. We are happy to provide you with this document upon request.
Please note that, according to LinkedIn’s privacy policy, personal data may also be processed by LinkedIn in the USA or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision exists from the European Commission under Art. 45 GDPR or based on appropriate safeguards under Art. 46 GDPR.
9. External Media and Third-Party Services
a. Vimeo
We use the service Vimeo by Vimeo, Inc. (USA) on our website to embed videos. For such embedding, it is technically necessary to process your IP address to send the content to your browser. Therefore, your IP address is transmitted to Vimeo, and Vimeo may set its own cookies. Further details on these processing activities, the technologies used, stored data, and the storage duration can be found in the settings of our consent management tool and in Vimeo’s privacy policy at https://vimeo.com/privacy.
The setting of cookies and the further data processing described here occur with your consent. The legal basis for this data processing is Art. 6(1)(a) GDPR. You can withdraw this consent at any time with future effect.
Please note that data may be transferred to third countries such as the USA when using Vimeo. For more information, please refer to the section “Data Transfer to Third Countries.”
b. YouTube
We use the service YouTube by Google Ireland Limited (Ireland/EU) on our website to embed videos. For such embedding, it is technically necessary to process your IP address to send the content to your browser. Therefore, your IP address is transmitted to Google, and Google may set its own cookies. We use YouTube in "enhanced privacy mode," meaning that YouTube does not set cookies to analyze user behavior. Further details on these processing activities, the technologies used, stored data, and the storage duration can be found in the settings of our consent management tool and in Google’s privacy policy at https://www.google.com/policies/privacy.
The setting of cookies and the further data processing described here occur with your consent. The legal basis for this data processing is Art. 6(1)(a) GDPR. You can withdraw this consent at any time with future effect.
Please note that data transfer to Google Inc. and YouTube LLC in the USA, as well as to countries where Google Ireland or its subprocessors operate facilities, cannot be excluded when using YouTube. For more information, please refer to the section “Data Transfer to Third Countries.”
III. Data Processing When Using Caya
When you, as an individual customer, use the Caya platform, we process your data to provide the agreed services. This includes, in particular:
- Your master data (name, address, and other contact details such as email address and phone number);
- Contract and payment data;
- Server log files (browser and system information, IP address);
- Usage data as well as content and information from mail items processed as part of the service delivery.
Data processing is conducted for the purpose of contract fulfillment and is based on the legal grounds of Art. 6(1)(b) GDPR.
1. Cookies
We use cookies and similar technologies ("Cookies") on our platform. Cookies are small datasets stored by your browser when you visit a website. They mark the browser used and can be recognized again by web servers. You have full control over the use of cookies through your browser. You can delete cookies at any time in your browser’s security settings. You can also disable the use of cookies altogether or for specific cases in your browser settings.
The use of certain cookies is technically necessary for the operation of our website and is therefore permitted without user consent. Additionally, we may use cookies to offer special functions and content, as well as for analytics and marketing purposes. This may include third-party cookies. We only use non-essential cookies with your consent according to Art. 6(1)(a) GDPR. Information on purposes, providers, technologies used, stored data, and storage duration for each cookie can be found in the cookie settings of our consent management tool.
2. Registration
To book and use the platform, registration is required. The necessary information is processed for the purpose of service provision. Processing of your necessary personal data for this purpose is based on Art. 6(1)(b) GDPR.
3. Booking and Payment
When you book services through our website, we process personal data solely to execute the contract or provide our service to you. During the booking or ordering process, we process only the data you have entered in the input fields, along with payment information, if applicable. The legal basis for this processing is Art. 6(1)(b) GDPR. Data fields marked as mandatory are required for booking processing. If they are not provided, we cannot process your booking. Any additional data is provided voluntarily and is processed based on Art. 6(1)(f) GDPR.
4. Payment Providers and Billing
You can choose from different payment options for our services. We work with various payment providers for this purpose. Please note that the respective payment information is collected and processed by the payment providers themselves.
Payment via PayPal
You can pay via PayPal. Please note that PayPal (Europe) S.à r.l. et Cie, S.C.A. (PayPal/EU) collects and processes payment information on its own responsibility. PayPal provides us with your address details stored with PayPal, which we process solely for contract execution. The legal basis is Art. 6(1)(b) GDPR.
Further information on PayPal’s privacy policy can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE#r5.
Payment via Stripe
On our website, you can pay by credit card or SEPA transfer via the payment provider Stripe, offered by Stripe Payments Europe Ltd. (Stripe/EU). The payment data you provide during the order process is transmitted to Stripe to the extent necessary to complete the payment transaction. The legal basis for this transmission is Art. 6(1)(b) GDPR.
Further information on Stripe’s privacy policy can be found here: https://stripe.com/de/privacy#translation.
Payment via GoCardless
On our website, you can pay by SEPA transfer via GoCardless, offered by GoCardless SAS (GoCardless/EU). The payment data provided during the order process is transmitted to GoCardless as necessary to complete the payment transaction. The legal basis for this transmission is Art. 6(1)(b) GDPR.
Further information on GoCardless’ privacy policy can be found here: https://gocardless.com/de-de/rechtliches/datenschutz/.
Billing via Chargebee
We use Chargebee, a service by Chargebee Inc. (USA), for billing. The use of Chargebee may involve data transfers to the USA. We have signed standard contractual clauses with Chargebee. More information can be found in the section “Data Transfer to Third Countries.”
5. Mail Forwarding Order
To set up your mail forwarding order, we process the personal data you provide through the platform and forward it to Deutsche Post or, for customers in Berlin, to PIN Mail AG. Data processing is conducted to fulfill the contract and is based on Art. 6(1)(b) GDPR.
6. DHL Package Notification
DHL Paket GmbH’s package notification service informs you free of charge about the expected delivery date of packages ordered to your home address. Additionally, DHL will notify you of delivery delays or if you were not home to receive the package.
To send you the package notification via email, DHL Paket GmbH requires your email address. The package notification is activated as part of the contract when you order a package with Caya. The processing of the email address for this purpose is based on Art. 6(1)(b) GDPR.
If you are not a registered DHL customer, DHL Paket GmbH receives your email address from us, Caya GmbH, as the sender of the package, as we use DHL Paket GmbH’s package notification service. The legal basis for forwarding your email address to DHL Paket GmbH is your consent, as per Art. 6(1)(a) GDPR. DHL Paket GmbH will then process the email address solely to send you the package notification. The legal basis for this is Art. 6(1)(b) GDPR.
Each DHL package notification includes an option to unsubscribe from future notifications.
7. System Messages with Amazon Simple Email Service (SES) and Mandrill
We use Amazon Simple Email Service (SES), a service by Amazon Web Services EMEA SARL (Luxembourg), to send system messages like password reset emails to registered customers. Customer data, excluding payment data, may be transmitted through this service. We also use the Mandrill service provided by The Rocket Science Group LLC d/b/a MailChimp (USA). Please refer to the section “Data Transfer to Third Countries.” Processing is based on Art. 6(1)(f) GDPR and serves our legitimate interest in optimizing our email dispatch.
8. Customer Support
a. Zendesk
We use the Zendesk ticketing system, a customer service platform provided by Zendesk Inc. (USA), to handle customer inquiries via the contact form or email. Necessary data, such as your name, surname, and email address, is transmitted to Zendesk to process your inquiry. Processing is based on Art. 6(1)(b) GDPR. Further information on Zendesk’s privacy policy can be found here: https://www.zendesk.de/company/privacy-and-data-protection/.
The use of Zendesk may involve data transfer to the USA. Zendesk has implemented Binding Corporate Rules, providing suitable safeguards per Art. 47 GDPR to ensure an adequate level of protection.
b. Zoho Desk and Zoho CRM
We use the software solutions Zoho Desk and Zoho CRM by Zoho Corporation GmbH to handle customer inquiries and manage customer relationships. In these applications, personal data such as first name, last name, email address, phone number, and other relevant information are collected and processed. This data processing serves to respond to customer inquiries and optimize sales activities and is based on the legal grounds of Art. 6 (1) sentence 1 (b) GDPR. The data is processed in Zoho's EU data centers. For more information on data protection, please visit https://www.zoho.com/privacy.html.
9. Analysis and Evaluations
a. Amplitude
We use Amplitude, an analytics service by Amplitude Inc. (USA), to analyze user behavior. Caya transmits information on your usage to an Amplitude server. Amplitude stores data in the form of generic IDs with timestamps and other information such as user ID, device type, app version, geolocation data, mobile carrier (if applicable), device language, and browser information. This data is not personally identifiable. IP addresses are not stored. For more information, see Amplitude’s privacy policy.
The legal basis for this transmission is your consent, per Art. 6(1)(a) GDPR. You can withdraw your consent to tracking at any time. Data transfer to third countries such as the USA cannot be ruled out. Please refer to the section “Data Transfer to Third Countries” for details.
b. Mixpanel
We use Mixpanel to compile statistics on service usage and visits. Mixpanel, provided by Mixpanel, Inc. (USA), sets cookies to collect data on our service usage. This data is analyzed by Mixpanel and transmitted to us for marketing optimization.
The legal basis for this transmission is your consent, per Art. 6(1)(a) GDPR. You can withdraw your consent to tracking at any time. Data transfer to third countries such as the USA cannot be ruled out. Please refer to the section “Data Transfer to Third Countries.”
c. Google Analytics
We also use the Google Analytics service on our platform. For more information about Google Analytics, please refer to Section II: Data Processing on Our Website.
IV. Additional Data Processing Through Our App
In addition to our other online offerings, we provide a mobile app that you can download to your mobile device. Below, we inform you about the collection and processing of personal data when using our mobile app.
1. App Download
When downloading the app, certain required information is transmitted to the app store you selected (e.g., Google Play or Apple App Store), including, in particular, the username, email address, customer number of your account, the time of the download, and the individual device number. The processing of this data is carried out solely by the provider of the respective app store and is beyond our control.
2. Automatic Processing of Personal Data When Using the App
When using the mobile app, we collect the personal data described below to enable convenient use of the features. If you wish to use our mobile app, we collect the following data, which is technically necessary for us to provide you with the functions of our mobile app and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transmitted
- Website from which the request originates
- Browser
- Operating system and its interface
- Language and version of the browser software.
The legal basis for processing this data is Art. 6 (1) (f) GDPR.
3. Permissions on the Device When Using the App
In the course of using the app, it may be necessary to access certain functions of the device being used. The app requires the following permissions:
- Internet access: This is necessary for you to open, read, and edit documents.
V. Data Processing on Our Social Media Pages
We are represented on several social media platforms with a corporate page. This allows us to provide additional opportunities for information about our company and for interaction. Our company has corporate pages on the following social media platforms:
- YouTube
When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile also regularly constitutes personal data. This includes messages and statements made using the profile. Furthermore, certain information may often be automatically collected during your visit to a social media profile, which may also represent personal data.
1. Visiting a Social Media Page
a. Facebook and Instagram Page
When visiting our Facebook or Instagram page, through which we present our company or individual products from our offerings, certain information about you is processed. The sole responsible party for this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU – “Meta”). Further information about the processing of personal data by Meta can be found at https://www.facebook.com/privacy/explanation. Meta provides the option to object to certain data processing; relevant information and opt-out options can be found at https://www.facebook.com/settings?tab=ads.
Meta provides us with anonymized statistics and insights for our Facebook and Instagram pages, which help us gain insights into the types of actions that individuals take on our page (so-called “Page Insights”). These page insights are generated based on specific information about individuals who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our page and improving our page based on these insights. The legal basis for this processing is Art. 6 (1) (f) GDPR. We cannot assign the information obtained through page insights to individual user profiles that interact with our Facebook and Instagram page. We have entered into an agreement with Meta regarding processing as joint controllers, which outlines the distribution of data protection responsibilities between us and Meta. Details about the processing of personal data for the creation of page insights and the agreement between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. In relation to these data processing activities, you have the option to assert your rights as a data subject (see “Your Rights”) against Meta as well. More information can be found in Meta's privacy policy at https://www.facebook.com/privacy/explanation.
Please note that, according to Facebook’s privacy policies, user data may also be processed in the USA or other third countries. Meta transfers user data only to countries for which an adequacy decision by the European Commission under Art. 45 GDPR exists or based on appropriate safeguards under Art. 46 GDPR.
b. LinkedIn Company Page
For the processing of personal data when visiting our LinkedIn page, LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is generally the sole responsible party. Further information about the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
When you visit our LinkedIn company page, follow this page, or engage with the page, LinkedIn processes personal data to provide us with anonymized statistics and insights. This gives us insights into the types of actions that individuals take on our page (so-called page insights). LinkedIn processes such data that you have already provided to LinkedIn through your profile information, such as data on function, country, industry, seniority, company size, and employment status. Additionally, LinkedIn will process information about how you interact with our LinkedIn company page, e.g., whether you are a follower of our LinkedIn company page. With the page insights, LinkedIn does not provide us with any personal data about you. We only have access to summarized page insights. It is also not possible for us to draw conclusions about individual members based on the information from the page insights. This processing of personal data in the context of page insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our LinkedIn company page and improving our company page based on these insights. The legal basis for this processing is Art. 6 (1) (f) GDPR. We have entered into an agreement with LinkedIn regarding processing as joint controllers, which outlines the distribution of data protection responsibilities between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. Accordingly, the following applies:
LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn online using the following link https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or reach LinkedIn through the contact details in the privacy policy. You can contact the data protection officer at LinkedIn Ireland through the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us using the contact details provided for exercising your rights regarding the processing of personal data in the context of page insights. In such cases, we will forward your request to LinkedIn. LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority that oversees the processing for page insights. You always have the right to file a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or with any other supervisory authority. Please note that, according to LinkedIn’s privacy policies, personal data may also be processed by LinkedIn in the USA or other third countries. LinkedIn transfers personal data only to countries for which an adequacy decision by the European Commission under Art. 45 GDPR exists or based on appropriate safeguards under Art. 46 GDPR.
c. Twitter
For the processing of personal data when visiting our Twitter profile, Twitter Inc. (USA) is generally the sole responsible party. Further information about the processing of personal data by Twitter Inc. can be found at https://twitter.com/de/privacy.
d. YouTube
For the processing of personal data when visiting our YouTube channel, Google Ireland Limited (Ireland/EU) is generally the sole responsible party. Further information about the processing of personal data by YouTube or Google Ireland Limited can be found at https://policies.google.com/privacy.
2. Comments and Direct Messages
We also process information that you have provided to us via our corporate page on the respective social media platform. Such information may include the username used, contact details, or a message to us. These processing activities by us are carried out as the sole responsible party. We process this data based on our legitimate interest in contacting individuals who inquire. The legal basis for data processing is Art. 6 (1) (f) GDPR. Additional data processing may occur if you have given consent (Art. 6 (1) (a) GDPR) or if it is necessary to fulfill a legal obligation (Art. 6 (1) (c) GDPR).
VI. Additional Data Processing
1. Contacting Us via Email
If you send us a message via the provided contact email, we will process the transmitted data to respond to your inquiry. We process this data based on our legitimate interest in contacting individuals who inquire. The legal basis for data processing is Art. 6 (1) (f) GDPR.
2. Customer and Prospect Data
If you contact our company as a customer or prospect, we process your data to establish or perform the contractual relationship to the necessary extent. This regularly includes processing the personal master, contract, and payment data provided to us, as well as the contact and communication data of our contacts at commercial customers and business partners. The legal basis for these processing activities is Art. 6 (1) (b) GDPR for private customers and Art. 6 (2) (f) GDPR for commercial customers. In addition, we process customer and prospect data for evaluation and marketing purposes. These processing activities are based on the legal basis of Art. 6 (1) (f) GDPR for legitimate interests in the form of marketing and product improvement.
3. Use of Email Address for Marketing Purposes
We may use the email address you provided during registration or ordering to inform you about our own similar products and services. The legal basis for this is Article 6 (1) (f) GDPR in conjunction with Section 7 (3) of the German Act Against Unfair Competition (UWG). You can object to this at any time, without incurring any costs other than the transmission costs at the basic rates. You can unsubscribe by clicking on the unsubscribe link included in every mailing or by sending an email to hello@getcaya.com.
3. Applications
If you apply to our company, we will process your application data solely for purposes related to your interest in current or future employment with us and for processing your application. Your application will only be processed and reviewed by the relevant contacts within our organization. All employees involved in data processing are required to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you provided for up to six months following a potential rejection to answer questions related to your application and rejection. This does not apply if legal provisions prohibit deletion, if further retention is necessary for evidentiary purposes, or if you have explicitly agreed to longer retention. The legal basis for data processing is Section 26 (1) Sentence 1 of the Federal Data Protection Act (BDSG). If we retain your application data beyond six months and you have explicitly consented to this, please note that this consent can be revoked at any time in accordance with Article 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing carried out based on the consent until the revocation.
4. Workflow Automations with Workato
Workato Inc. offers an intelligent automation platform that enables Caya customers to integrate third-party software solutions and automate complex document-based business processes. The headquarters of Workato Inc. is located in Mountain View, California (215 Castro St FL 3 Mountain View, CA, 94041-2821, United States).
Data from Caya customers is processed and stored by Workato exclusively in the EU data center in Frankfurt am Main, without transmission, replication, or backup in data centers in countries outside the EEA (especially in the United States).
Our customers must explicitly consent to the use of Caya Workflow Automations within the Caya web app. By activating the Caya Workflow Automations, Caya customers expressly agree to Workato's terms and conditions for "Embedded Software Users."
5. Natif.ai GmbH
For our OCR, document classification, and data point extraction, we use a service from Natif.ai GmbH, a company with a German location and servers, specializing in OCR, AI-driven data analysis, and machine learning. Natif.ai GmbH is a wholly owned subsidiary of Docuware, is subject to German data protection laws, and is contractually obligated to delete all processed data after two weeks, unless a longer retention period is required for legal reasons or for training purposes.
As of: November 2024