Privacy Policy

I. General information

1. Contact

If you have any questions or suggestions regarding this information or would like to contact us about asserting your rights, please send your enquiry to:

AMN Data Solutions GmbH
Oranienburger Straße 69, 10117 Berlin
E-mail: hello@getcaya.com
‍

2. Legal basis

The term "personal data" under data protection law refers to all information relating to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular the DSGVO and the BDSG. Data processing by us only takes place on the basis of legal permission. We process personal data only with your consent (Section 15 (3) TMG or Art. 6 (1) a DSGVO), for the performance of a contract to which you are a party, or at your request for the performance of pre-contractual measures (Art. 6 (1) b DSGVO), for the performance of a legal obligation (Art. 6(1)(c) DSGVO) or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms which require the protection of personal data override (Art. 6(1)(f) DSGVO).
‍

3. Duration of storage

Unless otherwise stated in the following notes, we only store data for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law provisions. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof, as well as with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to its processing for this purpose.
‍

4. Data transfer to third countries

Visiting our website or using our services may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards pursuant to Article 46 of the GDPR are in place or if one of the conditions of Article 49 of the GDPR is met.
‍
Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. You have the possibility to obtain a copy of these EU standard data protection clauses or to inspect them. To do so, please contact us at the address given under Contact.

If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 (1) a DSGVO.
‍

5. Categories of recipients of the data

We use processors as part of the processing of your data. Processing operations carried out by such processors include, for example, hosting, emailing, maintenance and support of IT systems, customer and order management, scanning service providers, communication service providers, order processing, accounting and billing, marketing measures or file and data carrier destruction. A processor is a natural or legal person, public authority, institution or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively on behalf of the data controller.
‍

6. Processing when exercising your rights

If you exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data provided for the purpose of implementing these rights by us and to be able to provide evidence of this. We will only process data stored for the purpose of providing information and preparing it for this purpose as well as for data protection control purposes and otherwise restrict processing in accordance with Art. 18 DSGVO.

These processing operations are based on the legal basis of Art. 6 para. 1 lit. c DSGVO in conjunction with. Art. 15 to 22 DSGVO and § 34 para. 2 BDSG.
‍

7. Your rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

In accordance with Art. 15 DSGVO and Section 34 BDSG, you have the right to request information as to whether and, if so, to what extent we are processing personal data relating to you or not.
You have the right to demand that we correct your data in accordance with Art. 16 DSGVO.
You have the right to demand that we delete your personal data in accordance with Art. 17 DSGVO and § 35 BDSG.
You have the right to have the processing of your personal data restricted in accordance with Art. 18 DSGVO.
You have the right, in accordance with Art. 20 DSGVO, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another controller.
If you have given us separate consent to data processing, you may revoke this consent at any time in accordance with Art. 7 (3) DSGVO. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
If you are of the opinion that a processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
‍

8. Right of objection

In accordance with Art. 21 (1) DSGVO, you have the right to object to processing based on the legal basis of Art. 6 (1) (e) or (f) DSGVO on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing in accordance with Art. 21 (2) and (3) DSGVO.
‍

9. Data protection officer

You can reach our data protection officer at the following contact details:

E-mail: datenschutz@amn-ds.com
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg
https://www.datenschutzkanzlei.de
‍

II. Data processing on our website

When you use the website, we collect information that you provide yourself. In addition, during your visit to the website, we automatically collect certain information about your use of the website. In data protection law, the IP address is also generally considered to be personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.
‍

1. Processing of server log files

During the purely informative use of our website, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). This includes by default: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code. The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) f DSGVO. This processing serves the technical administration and security of the website. The stored data is deleted after thirty days, unless there is a justified suspicion of unlawful use based on concrete indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject from the stored information. Articles 15 to 22 of the GDPR therefore do not apply pursuant to Article 11(2) of the GDPR unless you provide additional information enabling us to identify you in order to exercise your rights set out in these articles.
‍

2. Cookies

We use cookies and similar technologies ("cookies") on our website. Cookies are small data sets that are stored by your browser when you visit a website. This identifies the browser you are using and can be recognised by web servers. You have full control over the use of cookies through your browser. You can delete the cookies in the security settings of your browser at any time. You can object to the use of cookies through your browser settings in principle or for specific cases.

The use of cookies is partly technically necessary for the operation of our website and thus permissible without the user's consent. In addition, we may use cookies to offer special functions and content as well as for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third party cookies). We only use such technically unnecessary cookies with your consent in accordance with Art. 6 (1) a DSGVO. Information on the purposes, providers, technologies used, stored data and storage duration of individual cookies can be found in the cookie settings of our Consent Management Tool. You can access and adjust the setting at any time at www.getcaya.com at the bottom of the page under "Cookie setting".
‍

3. Consent Management Tool

This website uses a Consent Management Banner to control cookies. The consent banner enables the users of our website to give consent to certain data processing procedures or to revoke a given consent. By confirming the "Accept all" button or by saving individual cookie settings on the "Save selection" button, you consent to the use of the associated cookies. The legal basis under data protection law is your consent within the meaning of Art. 6 (1) a DSGVO.

In addition, the banner helps us to be able to provide evidence of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data.

The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 DSGVO).
‍

4. Contact options and enquiries

Our website contains various contact forms which you can use to send us messages. The transfer of your data is encrypted (recognisable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this information will result in us not being able to process your request. The provision of further data is voluntary. We use the service Typeform (TYPEFORM/Spain) to provide forms for our customers. These forms help us to collect data that we need to process orders and/or enquiries from our customers. When these forms are used, personal customer data is transmitted to Typeform so that we can match it to your order. Typeform itself acts as our order processor and is therefore not authorised to use this information for its own purposes. When using Typeform, a transfer to TYPEFORM US LLC, based in the USA, cannot be ruled out. Please note the information in the section "Data transfer to third countries". Further information on the processing of customer data by Typeform can be found in Typeform's Privacy Policy here: https://admin.typeform.com/to/dwk6gt/.

Alternatively, you can also send us a message via the contact email. We process the data for the purpose of answering your inquiry. Insofar as your enquiry is directed towards the conclusion or performance of a contract with us, Art. 6 para. 1 lit. b DSGVO is the legal basis for the data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting enquirers. The legal basis for the data processing is then Art. 6 para. 1 lit. f DSGVO.

If you send us a message via the contact email provided, we will process the transmitted data for the purpose of answering your enquiry.
‍

5. Newsletter

On our website we offer the possibility to register for our newsletter. After registration, we will inform you regularly about the latest news on our offers. A valid e-mail address is required to register for the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and name on the basis of the consent you have given. The processing is based on the legal basis of Art. 6 (1) a DSGVO. You can revoke your consent at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation.

When you register for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 DSGVO).

We also analyse the reading behaviour and opening rates of our newsletter. For this purpose, we collect and process pseudonymised usage data, which we do not merge with your e-mail address or your IP address. The legal basis for the analysis of our newsletter is Art. 6 para. 1 letter f DSGVO and the processing serves our legitimate interest in optimising our newsletter. You can object to this at any time by contacting one of the above-mentioned contact channels.

For the management of subscribers, the dispatch of the newsletter and the analysis, we use the service Mandrill of The Rocket Science Group LLC d/b/a MailChimp (USA). Your email address is therefore transmitted by us to the service provider. If you do not want your data to be processed by this service provider, you should not subscribe to the newsletter or unsubscribe from it again.

Please note the information in the section "Data transfer to third countries".
‍

6. Google Fonts

We use Google Web Fonts from Google Ireland Limited (Ireland/EU) on our website to display fonts. For such integration, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Google. This data processing is carried out to protect our legitimate interests in the optimisation and economic operation of our website and is based on the legal basis of Art. 6 (1) f DSGVO. You can object to this data processing at any time via the settings of the browser used or certain browser extensions. One such extension is the Matrix-based firewall uMatrix for the browsers Firefox and Google Chrome. Please note that this may result in functional restrictions on the website.

In the case of Google services, the transmission of data to Google Inc. in the USA and to countries in which Google Ireland or Google Ireland maintain subcontracted processing facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".

Users can find further information on data protection at Google in Google's data protection information: https://policies.google.com/privacy.
‍

7. Applications

You have the opportunity to apply for a job via our website in the career section. For this purpose, we collect personal data from you, including in particular your name, CV, letter of application and other content provided by you. For the selection of our applications, we use Join, a service provider based in Switzerland, which is solely bound by instructions for us in accordance with the legal requirements for order processing. Nevertheless, a data transfer to Switzerland cannot be ruled out. For Switzerland, there is an adequacy decision in accordance with Art. 45 DSGVO, whereby an appropriate level of protection can be guaranteed. Your personal application data will only be processed for purposes related to your interest in current or future employment with us and the processing of your application. Your online application will only be processed and noted by the relevant contacts at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have submitted for up to six months after the end of the application process for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.

The legal basis for the collection of data is Section 26 Paragraph 1 Sentence 1 BDSG. If we store your applicant data for longer than six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Art. 7 Para. 3 DSGVO. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.

‍

8. Google Tag Manager

We use the Google Tag Manager of Google Ireland Limited (Ireland/EU). The Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookieless domain that does not collect or store any personal data. The Google Tag Manager merely triggers other tags, which in turn may collect data without accessing that data themselves. If a deactivation has been made at domain or cookie level (e.g. via the Consent Management Tool), this remains in place for all tracking tags implemented with Google Tag Manager.

In the case of Google services, a transfer of data to Google Inc. in the USA and to countries in which Google Ireland or Google Ireland maintain subcontracted processing facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".

Users can find further information on data protection at Google in Google's data protection information: https://policies.google.com/privacy.

‍

9. Statistics

a. Google Analytics

We use the Google Analytics service of the provider Google Ireland Limited (Google Ireland/EU) on our website. Google Analytics is a web analytics service that allows us to collect and analyse data about the behaviour of visitors to our website. Google Analytics uses cookies for this purpose, which enables an analysis of the use of our website. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website. Some of this data is information stored in the terminal device you are using. In addition, further information is also stored on your end device via the cookies used. Such storage of information by Google Analytics or access to information already stored in your terminal device will only take place with your consent. Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the use of the Internet. In doing so, pseudonymous user profiles can be created from the processed data. We use the Google Analytics 4 variant, which allows us to track interaction data from different devices and from different sessions. This allows us to put individual user actions in context and analyse long-term relationships. We only use Google Analytics with IP anonymisation enabled. This means that the IP address of users is truncated by Google Ireland within member states of the European Union or in other states party to the Agreement on the European Economic Area. The IP address transmitted by the user's browser is not merged with other data.

Further information on these processing activities, the technologies used, stored data and the storage period can be found in the settings of our Consent Management Tool and in Google's data protection information: https://policies.google.com/privacy.

The setting of cookies and the further processing of personal data described here is carried out with your consent. The legal basis for the data processing is therefore Art. 6 (1) a DSGVO. You can revoke this consent at any time with effect for the future. You can also prevent the collection of information generated by the cookie by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout.

In the case of Google services, a transfer of data to Google Inc. in the USA as well as to countries in which Google Ireland or Google Ireland's sub-processors maintain facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

b. Hotjar

We use the service Hotjar of the provider Hotjar Ltd. (Malta/EU). Hotjar enables us to analyse movements on our website using so-called "heat maps". This allows us to see, for example, how far users scroll and which buttons users click on and how often. Furthermore, with the help of the tool, it is also possible to obtain feedback directly from the users of the website. In this way, we obtain valuable information to make our website even faster and more customer-friendly.

Hotjar only allows us to track which buttons are clicked, mouse history, how far scrolled, device screen size, device type and browser information. In addition, we receive information about your geographical location (country) and the preferred language for displaying our website. Areas of the websites where personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable by the tool at any time.

Hotjar uses cookies and other technologies to collect data about the behaviour of our users and their devices, in particular the IP address of the device (which is only collected and stored anonymously during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for displaying our website. The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing is therefore Art. 6 para. 1 letter a DSGVO. You can revoke this consent at any time with effect for the future. You can find further information on these processing activities in the settings of our Consent Management Tool and in the privacy notices of Hotjar at https://help.hotjar.com/hc/en-us/sections/115003180467-Data-Privacy.
‍

c. Google Optimize

We use the Google Optimize service on our website, which is offered by Google Ireland Limited (Google Optimize/EU). Google Optimize allows us to test various designs and settings of our website and, based on the results, to adapt our website to the needs and wishes of website visitors. To analyse the test results, the Google Optimize service is linked to the Google Analytics analysis service. Some of the data processed is information stored in the terminal device you are using. In addition, further information is also stored on your end device via the cookies used.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Optimize service is therefore Art. 6 (1) a DSGVO.

In the case of Google services, a transfer of data to Google Inc. in the USA as well as in countries in which Google Ireland or Google Ireland maintain subcontracted processing facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

10. Tracking & Retargeting

a. Segment.io

This website uses the software of Segment, a service of Segment.io Inc. (USA). Segment.io helps us to manage the data collected by the third-party tools described below and stores data in pseudonymous usage profiles. These usage profiles are used to analyse visitor behaviour and are evaluated to improve our offer. Cookies are used for this purpose. You can find more information in Segment.io's privacy policy and data protection guidelines at https://segment.com/legal/privacy/.

Segment.io is only used with your consent in accordance with Art. 6 (1) a DSGVO. A transfer of your data to the USA cannot be excluded. Please note the information in the section "Data transfer to third countries".
‍

b. Google Marketing Services

We use the Google Ads Conversions marketing service provided by Google Ireland Limited (Ireland/EU). Google Ads allows us to place ads relevant to users on the Google advertising network (e.g. in search results, or on other websites), improve campaign performance reports and avoid serving ads to a user more than once. Each Ads client sets a different conversion cookie. These cookies cannot therefore be tracked across the websites of different Ads clients. A cookie ID is used to record which ads are played in which browser. In this way, multiple display of the same campaign can be prevented. In addition, cookie IDs can be used to track conversions, i.e. whether a user sees an ad and later visits the advertiser's website and makes a purchase.

Remarketing allows us to target users who have already interacted with our website. In doing so, our ads are delivered when this target group visits a Google website or a website in the Google advertising network. For these purposes, a code is executed by Google when our website is called up and so-called (re)marketing tags are integrated into the website. With their help, an individual cookie is stored on the user's device. The cookies can be set by various domains, including google.com, doubleclick.net, googlesyndication.com or googleadservices.com. This file records which websites users have visited, what content they are interested in and which offers were used. In addition, technical information on the browser and operating system, referring websites, time of visit and other details on the use of the online offer are stored. All user data is processed only as pseudonymous data and does not contain any information with which we can personally identify users. The advertisements displayed are therefore not specifically displayed for a person, but for the owner of the cookie.

Further information on these processing activities, the technologies used, stored data and the storage period can be found in the settings of our Consent Management Tool and in Google's data protection information: https://policies.google.com/privacy.

Google marketing services are only used with your consent pursuant to Art. 6 (1) a DSGVO. You can also permanently object to cross-device remarketing/targeting by deactivating personalised advertising in your Google account: https://www.google.com/settings/ads/onweb/.

In the case of Google services, a transfer of data to Google Inc. in the USA as well as in countries in which Google Ireland or Google Ireland maintain subcontracted processing facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

c. Microsoft Ads

We use the Microsoft Advertising (formerly Bing Ads) service of the provider Microsoft Ireland Operations Limited (Microsoft Ireland/EU) on our website. Microsoft Advertising is an online marketing service that uses the Universal Event Tracking (UET) tool to help us serve targeted ads via the Microsoft Bing search engines. Microsoft Advertising uses cookies for this purpose. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about device and browser settings. Some of this data is information stored in the terminal device you are using. In addition, further information is also stored on your end device via the cookies used. Such storage of information by Microsoft Advertising or access to information already stored in your terminal device will only take place with your consent.

Microsoft Advertising collects data via UET, which we use to track target groups thanks to remarketing lists. For this purpose, a cookie is stored on the end device used when you visit our website. Microsoft Advertising can thus recognise that our website has been visited and play an advertisement when Microsoft Bing or Yahoo is used at a later time.

The information is also used to create conversion statistics, i.e. to record how many users have reached our website after clicking on an advertisement. This tells us the total number of users who clicked on our ad and were redirected to our website. However, we do not receive any information with which users can be personally identified.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing in connection with the Microsoft Advertising service is therefore Art. 6 para. 1 letter a DSGVO. A transfer of your data to the USA cannot be excluded. Please note the information in the section "Data transfer to third countries".
‍

d. Twitter Conversion Tracking

We use the conversion tracking of Twitter International Company (Ireland) on our website. In doing so, Twitter stores a cookie on the user's computer in order to enable an analysis of the use of our online offer. Twitter's conversion tracking makes it possible to track the actions users have taken after viewing ads or interacting with ads on Twitter. Twitter's conversion tracking enables the attribution of conversions such as link clicks, retweets or likes.

This use of cookies and the subsequent processing of data only takes place with your consent. The legal basis for the use of this service is Art. 6 para. 1 letter a DSGVO. A transfer of your data to the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

e. Facebook Pixel

We use the Facebook Pixel on our website, a Facebook business tool provided by Meta Platforms Ireland Limited ("Meta" Ireland/EU). For information on Meta's contact details and the contact details of the data protection officer, please refer to Meta's data policy at https://www.facebook.com/about/privacy.

The Facebook pixel is a snippet of JavaScript code that allows us to track visitors' activity on our website. This tracking is called conversion tracking. The Facebook pixel collects and processes the following information (so-called event data) for this purpose:
‍

Information about actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
Specific ePixel information such as the pixel ID and the Facebook cookie;
Information about buttons clicked by visitors to the website;
Information present in the HTTP header such as IP addresses, web browser information, page location and referrer; Information about the status of disabling/restricting ad tracking.
Some of this event data is information stored in the device you are using. In addition, cookies are also used via the Facebook pixel, via which information is stored on your end device used. Such storage of information by the Facebook pixel or access to information already stored in your end device only takes place with your consent.

Tracked conversions appear in the dashboard of our Facebook Ads Manager and Facebook Analytics. We may use the tracked conversions there to measure the effectiveness of our ads, to set Custom Audiences for ad targeting, for Dynamic Ads campaigns and to analyse the effectiveness of our website's conversion funnels. The features we use via the Facebook Pixel are described in more detail below.
‍

Processing of event data for advertising purposes
Event data collected through the Facebook Pixel is used to target our ads and improve ad delivery, personalise features and content, and improve and secure Facebook products. To do this, event data is collected on our website using the Facebook Pixel and transmitted to Meta Platforms Ireland Limited. This only takes place if you have previously given your consent to this. The legal basis for the collection and transmission of personal data by us to Facebook Ireland is therefore Art. 6 (1) a DSGVO.

This collection and transmission of event data is carried out by us and Meta Platforms Ireland Limited as joint controllers. We have entered into a joint controller agreement with Meta Platforms Ireland Limited which sets out the allocation of data protection obligations between us and Meta Platforms Ireland Limited. In this agreement, we and Meta Platforms Ireland Limited have agreed, among other things,
that we are responsible for providing you with all information pursuant to Art. 13, 14 DSGVO about the joint processing of personal data;
that Meta Platforms Ireland Limited is responsible for enabling data subjects' rights under Art. 15 to 20 GDPR in respect of personal data held by Facebook Ireland following the joint processing.
You can access the agreement concluded between us and Meta Platforms Ireland Limited at [https://www.facebook.com/legal/controller_addendum](https://www.facebook.com/legal/controller_addendum).

Meta Platforms Ireland Limited is the sole controller of the subsequent processing of the transferred event data. For more information on how Meta Platforms Ireland Limited processes personal data, including the legal basis on which Meta Platforms Ireland Limited relies and how you can exercise your rights against Meta Platforms Ireland Limited, please see Meta Platforms Ireland Limited's Data Policy at https://www.facebook.com/about/privacy.

Processing of event data for measurement solutions and analytics services

We have also engaged Meta Platforms Ireland Limited to report on the impact of our advertising campaigns and other online content based on the Event Data collected through the Facebook Pixel (Campaign Reports) and to provide analytics and insights about users and their use of our website, products and services (Analytics). We transfer personal data contained in the Event Data to Meta Platforms Ireland Limited for this purpose. The personal data submitted will be processed by Meta Platforms Ireland Limited as our processor to provide us with the campaign reports and analytics. Personal data will only be processed to provide analytics and campaign reports if you have given your prior consent to do so. The legal basis for this processing of personal data is therefore Article 6(1)(a) DSGVO.

The data processed on our behalf is transmitted by Meta Platforms Ireland Limited to Meta Platforms, Inc. in the USA. Meta Platforms Ireland Limited transfers the data to Meta Platforms, Inc. on the basis of processor-to-processor standard contractual clauses, but reserves the right to use an alternative transfer method recognised by the GDPR and other applicable data protection laws in the European Economic Area, the UK and Switzerland.

‍

f. LinkedIn Conversion Tracking

We use the LinkedIn Insight tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (Ireland/EU). Information on the contact details of LinkedIn Ireland and the contact details of the data protection officer of LinkedIn Ireland can be found in LinkedIn's data policy at https://www.linkedin.com/legal/privacy-policy.

The LinkedIn Insight tag is a JavaScript code snippet that is triggered by LinkedIn when you visit our website and stores a cookie on the device you are using. Such storage of information by the LinkedIn Insight tag or access to information already stored in your terminal device and also further processing of personal data in connection with the LinkedIn Insight tag will only take place with your consent. The legal basis for the collection and transmission of personal data by us to LinkedIn Ireland is therefore Art. 6 (1) a DSGVO.

We can perform various functions via the LinkedIn Insight tag, which we describe in detail below. LinkedIn conversion tracking is an analytics function supported by the LinkedIn Insight tag. The LinkedIn Insight tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device and browser properties (user agent) and timestamp. IP addresses are shortened or (if used to reach members across devices) hashed. LinkedIn does not provide us with any personally identifiable information, only reports (which do not identify you) on website audience and ad performance. This allows us to track the effectiveness of LinkedIn ads for statistical and market research purposes.

Members' direct identifiers are removed by LinkedIn within seven days to pseudonymise the data. LinkedIn then deletes this remaining pseudonymised data within 180 days.

This processing is done for the purpose of obtaining information about our website target group and a report on the effectiveness of LinkedIn campaigns.

We also use the Matched Audiences service to target our advertising campaigns to specific audiences. Through LinkedIn Matched Audiences and related data integrations, we can target advertising to specific audiences based on data we provide to LinkedIn (e.g. company lists, hashed contact information, device identifiers or event data such as websites visited).

This processing is done for the purpose of marketing our offerings via the targeting of advertising.

We have entered into a joint controller agreement with LinkedIn, which sets out the distribution of data protection obligations between us and LinkedIn. We will be happy to provide you with the document upon request.

Please note that according to LinkedIn's privacy policy, personal data is also processed by LinkedIn in the USA or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR or on the basis of appropriate guarantees in accordance with Article 46 of the GDPR.

‍

11. External media and services of third parties

a. Vimeo

On our website, we use the service Vimeo of Vimeo, Inc. (USA) for the integration of videos. For such an integration, the processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Vimeo and Vimeo may set its own cookies. Further information on these processing activities, the technologies used, stored data and the storage period can be found in the settings of our Consent Management Tool and in Vimeo's privacy policy at https://vimeo.com/privacy.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing is therefore Art. 6 (1) a DSGVO. You can revoke this consent at any time with effect for the future.

With Vimeo, a transfer of data to third countries such as the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries".

‍

b. YouTube

We use the YouTube service of Google Ireland Limited (Ireland/EU) on our website to integrate videos. For such an integration, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Google and Google may set its own cookies. We use YouTube in "extended data protection mode" so that no cookies are set by YouTube to analyse user behaviour. Further information on these processing activities, the technologies used, stored data and the storage period can be found in the settings of our Consent Management Tool and in Google's privacy policy at https://www.google.com/policies/privacy.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing is therefore Art. 6 (1) a DSGVO. You can revoke this consent at any time with effect for the future.

In the case of YouTube, a transfer of data to Google Inc. and YouTube LLC in the USA and in countries in which Google Ireland or Google Irelands maintain subcontracted processing facilities cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

III. Data processing when using getcaya

If you use the getcaya platform as a private customer, we process your data for the agreed provision of services. This includes in particular

Your master data (name, address and other contact data such as e-mail address and telephone number);
Contract and payment data;
Server log files (browser and system information, IP address);
Usage data as well as content and information from letters that are processed in the course of providing the service.
The data processing is carried out for the performance of the contract and is based on the legal basis of Art. 6 (1) b) DSGVO.
‍

1. Cookies

We use cookies and comparable technologies ("cookies") on our platform. Cookies are small data sets that are stored by your browser when you visit a website. This identifies the browser you are using and can be recognised by web servers. You have full control over the use of cookies through your browser. You can delete the cookies in the security settings of your browser at any time. You can object to the use of cookies through your browser settings in principle or for specific cases.

The use of cookies is partly technically necessary for the operation of our website and thus permissible without the user's consent. In addition, we may use cookies to offer special functions and content as well as for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third party cookies). We only use such technically unnecessary cookies with your consent in accordance with Art. 6 (1) a DSGVO. Information on the purposes, providers, technologies used, data stored and the storage period of individual cookies can be found in the cookie settings of our Consent Management Tool.

‍

2. Registration

In order to book and use the platform, registration is first required. The required information is processed for the purpose of providing the service. The processing of your personal data required for this purpose is based on the legal basis of Art. 6 (1) b) DSGVO.
‍

3. Booking and payment

If you book our services via our website, we process personal data exclusively for the purpose of processing the contract or to be able to provide you with our service. Within the scope of the booking or ordering process, we only process the data that you yourself have entered in the input mask and, if applicable, payment information. The legal basis for the processing is in each case Art. 6 para. 1 letter b DSGVO. All data fields marked as mandatory are required for processing your booking. Failure to provide this data will result in us not being able to process your booking. The provision of further data is voluntary. We process such voluntarily provided data on the basis of Art. 6 para. 1 lit. f DSGVO.
‍

4. Payment service provider and invoicing

To pay for our service, you can choose between various options. For this purpose, we work together with various payment service providers. Please note that the respective payment information is collected and processed by the respective payment service providers on their own responsibility.
‍

Payment via PayPal

You also have the option of paying by PayPal. Please note that the relevant payment information is collected and processed by PayPal (Europe) S.à r.l. et Cie, S.C.A. (PayPal/EU) on its own responsibility. PayPal transmits your address data deposited with PayPal to us, which we process exclusively for the purpose of processing the contract. The legal basis is Art. 6 para. 1 letter b DSGVO.

Further information on data protection at PayPal can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE#r5.
‍

Payment via Stripe

On our website, you have the option of paying by credit card and Sepa transfer via the payment service Stripe, offered by Stripe Payments Europe Ltd. (Stripe/EU). The payment data you provide during the order process will be transmitted by us to Stripe, insofar as this transmission is necessary for the execution of the payment process. The legal basis for this transmission is Art. 6 para. 1 letter b DSGVO.
‍

Stripe is solely responsible for the processing of the payment data within the scope of the subsequent payment processing. You can find more information about Stripe's data protection here: https://stripe.com/de/privacy#translation.
‍

Payment via Gocardless

On our website, you have the option of making payment by Sepa transfer via the GoCardless payment service, offered by GoCardless SAS (GoCardless/EU). The payment data you provide during the ordering process will be transmitted by us to GoCardless, insofar as this transmission is necessary to carry out the payment process. The legal basis for this transmission is Art. 6 para. 1 letter b DSGVO.
‍

GoCardless is solely responsible for the processing of the payment data in the course of the subsequent payment transaction. You can find more information on GoCardless' data protection here: https://gocardless.com/de-de/rechtliches/datenschutz/.
‍

Invoicing via Chargebee

For invoicing, we use Chargebee, a service of Chargebee Inc. (USA). By using Chargebee, a transmission of your data to the USA cannot be excluded. We have concluded standard contractual clauses with Chargebee. For more information, please see the section "Data transfers to third countries".
‍

5. Forwarding order

In order to set up your forwarding order, we process your personal data that you provide to us via the platform and forward it to Deutsche Post and, in the case of Berlin customers, to PIN Mail AG. The data processing is carried out for the performance of the contract and is based on the legal basis of Art. 6 (1) (b) DSGVO.
‍

6. System messages with Amazon Simple Email Service (SES) and Mandrill

We use Amazon Simple Email Service (SES), a service provided by Amazon Web Services EMEA SARL (Luxembourg). We use the service to send automatically generated system messages such as password reset emails to our registered customers. In the process, customer data can be transmitted with the exception of payment data. We also use the Mandrill service of The Rocket Science Group LLC d/b/a MailChimp (USA) for this purpose. Please note the information in the section "Data transfer to third countries". The processing is based on the legal basis of Art. 6 para. 1 lit. f DSGVO and serves our legitimate interest in optimising our email dispatch.
‍

7. Satisfaction surveys with eKomi

When you purchase a product from Caya, we use your email address and your first and last name to conduct a satisfaction survey. The survey is carried out by the service provider eKomi, Ltd. commissioned by us. The service provider generates and moderates ratings, provides marketing services (including SEO optimisation) and analyses and evaluates the data collected as part of the service. For this purpose, we transmit your first and last name as well as the communicated email address and your customer ID to eKomi Ltd. We only carry out the processing with your consent. It is based on the legal basis of Art. 6 (1) a DSGVO. The evaluations are made unrecognisable for us by the service provider and deleted at the time of order completion.
‍

8. Customer Support with Zendesk

We use the ticket system Zendesk, a customer service platform of Zendesk Inc. (USA). For this purpose, necessary data such as surname, first name, e-mail address, which we need to process your request, are also transmitted to Zendesk. The processing serves to handle your enquiries as a customer or interested party and is based on the legal basis of Art. 6 para. 1 p. 1 b DSGVO. Further information on data protection can be found at https://www.zendesk.de/company/privacy-and-data-protection/.

By using Zendesk, a transfer of your data to the USA cannot be excluded. Zendesk has adopted binding internal data protection rules (so-called "Binding Corporate Rules") and thus offers suitable guarantees in accordance with Art. 47 DSGVO to ensure an adequate level of protection.
‍

9. analysis and evaluations

a. Amplitude

We use Amplitude, an analysis service of Amplitude Inc. (USA) to analyse user behaviour. For this purpose, getcaya transmits information about your usage to a server of Amplitude. Amplitude stores personal data in the form of generic IDs including a timestamp and other information such as user ID, device type, app version, geo-information, possibly the mobile phone provider, the device language or browser details. This data does not constitute personally identifiable information for Amplitude. IP addresses are not stored. Further information on data protection can be found at https://amplitude.com/privacy.

The legal basis for the transfer is your consent in accordance with Art. 6 (1) a DSGVO. You have the option to revoke your consent to tracking at any time. In the case of Amplitude, a transfer of data to third countries such as the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

b. Mixpanel

We use the Mixpanel service to compile statistics on the use of our service and visits. Mixpanel is an analytics service provided by Mixpanel, Inc. (USA). Mixpanel sets cookies to record and populate information about the use of our service. This data is then analysed by Mixpanel and passed on to us. We use all the information collected exclusively to optimise our marketing measures.

The legal basis for the transfer is your consent in accordance with Art. 6 (1) a DSGVO. You have the option to revoke your consent to tracking at any time. In the case of Mixpanel, a transfer of data to third countries such as the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries".
‍

c. Google Analytics

We also use the Google Analytics service on our platform. Further information on Google Analytics can be found under point II. Data processing on our website / 9. Statistics/ a. Google Analytics.
‍

IV. Further data processing via our app

In addition to our other online services, we provide you with a mobile app that you can download onto your mobile device. In the following, we inform you about the collection and processing of personal data when using our mobile app.
‍

1. Downloading the app

When downloading the app, certain required information is transmitted to the app store selected by you (e.g. Google Play or Apple App Store), in particular the user name, the e-mail address, the customer number of your account, the time of the download, as well as the individual device number may be processed. The processing of this data is carried out exclusively by the provider of the respective app store and is outside our sphere of influence.
‍

2. Automatic processing of personal data when using the app

When using the mobile app, we collect the personal data described below to enable the convenient use of the functions. If you wish to use our mobile app, we collect the following data, which is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security.
‍

IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred in each case
Website from which the request came
Browser
Operating system and its interface
Language and version of the browser software.
‍

The legal basis for the processing of this data is Art. 6 para. 1 letter f DSGVO.
‍

3. Authorisations on the end device when using the app

Within the scope of using the app, it may be necessary to access certain functions of the end device used. The app requires the following authorisations for this purpose:
‍

Internet access: this is required so that you can open, read and edit documents.
V. Data processing on our social media sites
We are represented on several social media platforms with a company page. Through this, we would like to offer further opportunities for information about our company and for exchange. Our company has company pages on the following social media platforms:

Facebook
Instagram
Twitter
LinkedIn
Youtube

When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile used also regularly constitutes personal data. This also covers messages and statements made while using the profile. In addition, during your visit to a social media profile, certain information is often automatically collected about it, which may also constitute personal data.
‍

4. Visiting a social media site

a. Facebook and Instagram page

When you visit our Facebook or Instagram page, through which we present our company or individual products from our range, certain information about you is processed. The sole controller of this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU - "Meta"). For more information about Meta's processing of personal data, please visit https://www.facebook.com/privacy/explanation. Meta offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.

Meta provides us with anonymised statistics and insights for our Facebook and Instagram page, which help us to gain knowledge about the types of actions that people take on our page (so-called "page insights"). These page insights are created based on certain information about individuals who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site and to improve our site based on these insights. The legal basis for this processing is Article 6(1)(f) DSGVO. We cannot associate the information obtained via page insights with individual user profiles interacting with our Facebook and Instagram page. We have entered into a joint controller agreement with Meta which sets out the allocation of data protection obligations between us and Meta. Details of the processing of personal data to create page insights and the agreement entered into between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. In relation to this data processing, you also have the option of asserting your data subject rights (see "Your rights") against Meta. Further information on this can be found in Meta's privacy policy at https://www.facebook.com/privacy/explanation.

Please note that in accordance with Facebook's privacy policy, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 DSGVO or on the basis of appropriate guarantees in accordance with Art. 46 DSGVO.
‍

b. LinkedIn company page

LinkedIn Ireland Unlimited Company (Ireland/EU - "LinkedIn") is the sole controller of the processing of personal data when you visit our LinkedIn page. Further information about the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

When you visit, follow or engage with our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights. This provides us with insights into the types of actions that people take on our page (so-called page insights). For this purpose, LinkedIn processes in particular such data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to the aggregated Page Insights. It is also not possible for us to draw conclusions about individual members using the information in the Page Insights. This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our LinkedIn company page and to improve our company page based on these insights. The legal basis for this processing is Article 6(1)(f) DSGVO. We have entered into a joint controller agreement with LinkedIn which sets out the allocation of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. Thereafter, the following applies:

LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn online via the following link https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or contact LinkedIn via the contact details in the Privacy Policy. You can contact the Data Protection Officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also contact us at our contact details provided about exercising your rights in connection with the processing of personal data in the context of Page Insights. In such a case, we will forward your request to LinkedIn.

LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see at www.dataprotection.ie) or any other supervisory authority.

Please note that under LinkedIn's privacy policy, personal data may also be processed by LinkedIn in the US or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision has been issued by the European Commission in accordance with Article 45 of the GDPR or on the basis of appropriate safeguards in accordance with Article 46 of the GDPR.
‍

c. Twitter

For the processing of personal data when visiting our Twitter profile, Twitter Inc. (USA) is the sole responsible party. Further information on the processing of personal data by Twitter Inc. can be found at https://twitter.com/de/privacy.
‍

d. YouTube

Google Ireland Limited (Ireland/EU) is the sole responsible party for the processing of personal data when visiting our YouTube channel. Further information on the processing of personal data by YouTube and Google Ireland Limited can be found at https://policies.google.com/privacy.
‍

5. Comments and direct messages

We also process information that you have provided to us via our company page on the respective social media platform. Such information may be the username used, contact details or a message sent to us. These processing operations are carried out by us as the sole data controller. We process this data on the basis of our legitimate interest to get in contact with inquiring persons. The legal basis for the data processing is Art. 6 para. 1 letter f DSGVO. Further data processing may take place if you have consented (Art. 6 para. 1 letter a DSGVO) or if this is necessary for the fulfilment of a legal obligation (Art. 6 para. 1 letter c DSGVO).
‍

VI. further data processing

1. Contacting us by e-mail

If you send us a message via the contact email provided, we will process the transmitted data for the purpose of responding to your enquiry. We process this data on the basis of our legitimate interest in contacting enquirers. The legal basis for the data processing is Art. 6 para. 1 letter f DSGVO.
‍

2. Customer and interested party data

If you contact our company as a customer or interested party, we process your data to the extent necessary to establish or implement the contractual relationship. This regularly includes the processing of personal master, contract and payment data provided to us as well as contact and communication data of our contact persons at commercial customers and business partners. The legal basis for this processing is Art. 6 Para. 1 Letter b DSGVO for private customers and Art. 6 Para. 2 Letter f DSGVO for commercial customers. We also process customer and prospect data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6 Para. 1 Letter f DSGVO and serves our interest in further developing our offer and informing you specifically about our offers. Further data processing may take place if you have consented (Art. 6 para. 1 lit. a DSGVO) or if this is necessary for the fulfilment of a legal obligation (Art. 6 para. 1 lit. c DSGVO).
‍

3. Use of the e-mail address for marketing purposes

We may use the email address you provide when registering or ordering to inform you about our own similar products and services offered by us. The legal basis is Art. 6 para. 1 lit. f DSGVO in conjunction with. § 7 para. 3 UWG. You can object to this at any time without incurring any costs other than the transmission costs according to the basic rates. To do so, you can unsubscribe by clicking on the unsubscribe link contained in each mailing or by sending an e-mail to hello@getcaya.com.
‍

4. Applications

If you apply to our company, we will only process your application data for purposes related to your interest in current or future employment with us and the processing of your application. Your application will only be processed and noted by the relevant contacts at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have provided for up to six months after any rejection for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage. The legal basis for data processing is Section 26 (1) sentence 1 BDSG. If we store your applicant data for longer than six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Art. 7 para. 3 DSGVO. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.

5. Workato

Workato is a provider / data receiver of Caya for our workflows feature in which we automatically move, forward, enrich with data, or even delete documents and data points according to rules defined by the customer. These workflows or the use of Workato must be explicitly enabled or set up by our customers within the Caya webapp. 

Workato, Inc.is a US company. Workato is an intelligent automation platform that enables Caya to integrate many different tools/apps and automate complex business workflows. Workato is headquartered in Mountain View, California. (Address: 215 Castro St FL 3 Mountain View, CA, 94041-2821 United State)

However: Caya is a customer of Workato’s EU Data Center in Frankfurt am Main, Germany (more info here: https://www.workato.com/product-hub/take-control-of-your-data-with-our-new-europe-data-center/). Via our contract Workato guarantees that it will process and store all data of Caya and/or Caya’s customers solely in the EU Data Center, in particular with no transfer, replication or backup to data centers in countries outside the EEA (in particular US).

The only possible exception to this guarantee that our customers need to agree to is in the form of 2nd level support tickets. This means: If Caya is not able to solve a customer's questions around automations provided through Workato’s service on the 1st level, in that case information submitted to Workato (in its role of Controller/Service Provider) in the form of a support ticket from Caya to Workato may involve transfer of such information to outside the EEA.

 
Before activating the “Workflow” functionalities Caya customers wanting to use Workato do explicitly agree to the following T&Cs of Workato for "embedded software users": https://www.workato.com/legal/embedded-software-supplemental-terms

Status: January 2022