Data Privacy

Updated on 01.12.2023

This is the privacy policy ("Policy") for this website, which is operated and provided by

Civey GmbH

Managing Directors: Janina Mütze, Gerrit Richter
Alte Jakobstraße 85/86
10179 Berlin
E-Mail: kontakt@civey.com
Tel: +49 30 120747060
(we, us and our).

We process the personal data collected via this website exclusively as set out in this Policy and in accordance with applicable data protection law, in particular in accordance with the General Data Protection Regulation ("GDPR"). Below you can find out how we process your personal data, for what purposes it is processed, with whom it is shared and what control and information rights you are entitled to. For further questions about data protection, please contact our data protection officer at dpo@civey.com.

1. Summary of Data Processing by us

The following summary briefly describes the processing activities on our website. You will find more detailed information on this in the designated sections below.

  • If you visit our website for information purposes without setting up a user account, only limited personal data will be processed in order to display the website to you (refer to Sec. 3.).

  • If you participate as a private user in polls on our website or on the websites of our media partners or register with Civey, we process in particular your registration data and poll responses (refer to 4. and 8. below).

  • If you register for one of our services or subscribe to our newsletter, further personal data will be processed in this context (refer to 5. and 7.).

  • Some of your personal data may be disclosed in pseudonymised form to third parties (refer to 11.) located outside your country of residence, where different data protection standards may apply (refer to 12.).

  • We have taken appropriate security measures to protect your personal data (refer to 15.) and only store it for as long as necessary (refer to 16.).

  • Depending on the circumstances of the specific case, you may have certain rights in relation to the processing of your personal data (refer to 17.).

2. Definitions

Our privacy policy should be simple and understandable for everyone. As a rule, the official terms of the General Data Protection Regulation (GDPR) are used in this Policy. The official definitions are explained in Art. 4 GDPR.

3. Use of the website for information purposes

If you visit our website for information purposes, i.e. without registering for one of the services offered by us listed under 4. and without providing us with personal data in any other way, we may automatically collect additional information about you, which only contains personal data in limited cases and is automatically collected by our server, such as:

  • Time and date of the request
  • Content of the request
  • Amount of data sent in bytes
  • Website from which the request comes
  • IP address
  • Device type
  • Browser type

Your IP address is stored by us in abbreviated form. It is always shortened during further processing.

We only use this information to be able to offer you our services effectively (e.g. by customising our website to the needs of your device or by allowing you to log in to our website).

We require the automatically collected personal data for the provision of our website, Art. 6 para. 1 sentence 1 lit. b GDPR, as well as for our legitimate interest in ensuring the stability and security of the website, Art. 6 para. 1 sentence 1 lit. f GDPR.

Automatically collected personal data is stored for 30 days and then properly deleted.

Third-party services in the customer acquisition

In customer marketing, Civey relies in part on third-party companies that are not owned or controlled by Civey, such as readymag Inc, 160 Greentree Drive, Suite 101, Dover, DE 19904, U.S.A. The services of readymag Inc. are used for landing pages in the customer acquisition, but not in communication with voters. As the controller for the use of these services, Civey has concluded so-called standard contractual clauses with processors in a third country (here: United States of America) in accordance with Art. 46 (1) and Art. 46 (2) c GDPR. If a user accesses the website of readymag Inc., their IP address is processed as "personal data" within the meaning of Art. 4 (1) GDPR and stored for five years, unless statutory provisions provide for longer storage. No personal data is processed by readymag Inc. on our website.

4. Services we provide for private users of our website

Our website offers you the opportunity to take part in exciting opinion polls and view the representative results in real time and free of charge.

4.1 Participation in opinion polls and disclosure of the results

In order to view the results of the opinion poll, we ask you to provide us with certain data that is relevant for analysing the opinion polls. In this context, we process the following data, among others:

  • Gender
  • Year of Birth
  • Postcode
  • Responses in Polls

The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR. Further data, such as information on your level of education or marital status, can be provided voluntarily.

We also process the following data ("sensitive data") in some opinion polls:

  • Ethnic Origin
  • Political opinions
  • Religious conviction
  • General Belief
  • Health data
  • Political Party Membership
  • Trade union membership
  • Sexual orientation

However, the processing of all data from opinion polls only takes place if you participate in the corresponding opinion polls. You have the option of not answering or skipping individual questions at any time.

The legal basis for this is Art. 9 para. 2 lit. a GDPR. We process the sensitive personal data you provide exclusively for the purpose of analysing the opinion polls.

4.2 Opening a user account

You have the option of opening a user account with us. The user account enables you to create favourites (for monitoring polls over a certain period of time) and to receive evaluations of your own voting behaviour. The user account also enables us to verify you before you take part in polls. Registration takes place using the so-called "double opt-in" procedure in order to be authorised for the full scope of use described above, including the receipt of newsletters and poll briefings. As part of your registration process, you will receive an e-mail with a link that you can use to confirm that you are the owner of the e-mail address and wish to be notified via our e-mail service. If you do not confirm your registration within 48 hours of requesting the confirmation email, you will receive a reminder email and have another opportunity to confirm. If you have not confirmed your registration and still try to register with your e-mail address, you will always receive another reminder e-mail with the option to confirm. As long as your confirmation is pending, the scope of use of your user account is limited and you will not receive a newsletter; the scope of use corresponds to the services described in section 4.1.

In connection with your user account, we process the following data, among others:

  • Gender
  • Potentially the country of residence
  • Year of Birth
  • Postcode
  • Responses in Polls
  • Click data
  • E-Mail-Address
  • Password

The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR and our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in verifying the participants in our polls and improving the results of our opinion polls using demographic data. If sensitive data is collected and processed, the processing is based on Art. 9 para. 2 lit. a GDPR. This data is used solely for the creation and analysis of the polls.

If you have taken part in opinion polls with or without creating a user account, we process the personal data you have provided for the following purposes:

  • Evaluation of the polls
  • Identification of your person when you log in
  • Providing the services and information that are offered via the website or that you request
  • Management of your user account
  • Communication with you

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b and Art. 6 para. 1 sentence 1 lit. f GDPR, insofar as the processing serves our legitimate interest in the evaluation and improvement of our services.

Single Sign On

Single Sign On (SSO) with Google

You can also use our services by logging in using your Google ID (hereinafter: "Google ID"). This service is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as "Google"). If you decide to use this service, we process your data on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time via your Android settings or your settings in your Google account and in the app settings. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. You can find more information on data protection at Google here.

When you use the Google service, Google shares your e-mail address, your name and your profile picture with us, whereby neither your name nor your profile picture are stored by us. Google does not gain access to your user behaviour. You can find more information about this here.

Google processes and transfers your data in the USA. Due to the annulment of the Privacy Shield, the USA was temporarily considered an unsafe third country for which no adequacy decision existed; however, since the summer of 2023, the Transatlantic Data Privacy Framework TADPF (https://www.dataprivacyframework.gov/s/) has replaced the Privacy Shield as an adequacy decision, which Google has joined. Google also bases the transfer of your data to the USA on standard contractual clauses (SCC) approved by the EU Commission in order to provide sufficient guarantees for the transfer in accordance with Art. 46 para. 2 lit. c GDPR.

5. Services addressed to Publishers / Mediapartners and Business Clients

We offer you access to all the polls we carry out and create polls with detailed analyses on your behalf.

In order to make use of our fee-based services, it is necessary to create a business customer account. When creating and using the account, the following personal data is processed:

  • First name and surname
  • E-Mail-Address
  • Employer
  • Industry
  • Click data
  • IP-Address (Storage of more than one week only in abbreviated form)

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b GDPR and our legitimate interest in analysing and improving our services (Art. 6 para. 1 sentence 1 lit. f GDPR).

In order to provide you with the best possible support during our cooperation, we also process the above-mentioned personal data to process contact enquiries from you and for us to contact you. The legal basis for this processing is, depending on the purpose of the contact, Art. 6 para. 1 sentence 1 lit. a or b GDPR.

Unless exceptions apply, your personal data will be stored for as long as you use your user account. After deletion of your account, your personal data will be deleted within three months. However, statutory retention obligations or the need to store your personal data for legal action due to misconduct in the use of services or payment problems may result in us storing certain personal data beyond this period despite the deletion of the user account. In such a case, we will inform you accordingly.

6. Contacting us

If you have any questions about our services and products, regardless of whether you are a user or a customer, you can contact our support team. We collect the following personal data for this purpose:

  • First name and surname
  • E-Mail-Address
  • Contents of your message
  • Potentially telephone number
  • Potentially Employer

The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. a or lit. b GDPR, depending on the purpose of your contacting us.

7. Newsletter / Briefings for Polls

When you register for a user account, you will also receive a newsletter and poll briefings on the basis of Section 7 (3) UWG.

You can unsubscribe from the newsletter at any time and object to the sending of further poll briefing emails by clicking on the link contained in each newsletter or by sending us an email to kontakt@civey.com. The legality of the data processing operations that have already taken place remains unaffected by the cancellation. After unsubscribing from the newsletter, it is possible to subscribe again using a settings slider in your user account.

We use Sendinblue to send newsletters. The provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Sendinblue is a service that can be used to organise and analyse the newsletters being sent, among other things. The data you enter for the purpose of subscribing to the newsletter is stored on Sendinblue's servers in Germany. With the help of Sendinblue, we are able to analyse our newsletter campaigns, e.g. to see whether a newsletter message has been opened and which links, if any, have been clicked on. By that, we can determine, among other things, which links were clicked particularly often and were of particular interest to you and others. We can also recognise whether certain previously defined actions, e.g. participation in a poll, were carried out after opening/clicking (conversion rate).

Sendinblue also allows us to categorise newsletter recipients according to various categories and to form certain clusters. The newsletter recipients can be categorised according to age, gender or place of residence, for example. This makes it easier to customise the distribution of a newsletter to the respective target groups. If you do not wish to be analysed by Sendinblue, please unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

Detailed information on the functions of Sendinblue can be found at the following link: https://de.sendinblue.com/newsletter-software/.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or Sendinblue until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this. After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or Sendinblue in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

For more information, please refer to Sendinblue's privacy policy at: https://de.sendinblue.com/datenschutz-uebersicht/.

We have concluded a data processing agreement (DPA / AVV) with Sendinblue for the use of the above-mentioned service.

8. Polls on websites of our media partners

8.1 Poll-Widget

Our media partners can embed Civey polls on their websites. This gives you the opportunity to take part in our polls in the context of relevant articles. When the widget is called up, personal data is processed - possibly in joint responsibility with the media partner - within the framework of so-called log files, such as your (shortened) IP address, device and browser information, date and time of access and information about the website on which you are located. Further information on these log files can be found above in section 3 of this Policy. If you decide to participate in one or more polls or create a user account with Civey, Civey is solely responsible for processing the usage or registration data. A description of the data processing in the event of participation in the poll or registration with Civey can be found in section 4 of this Policy. If you access the poll widget via the websites of our media partners, cookies may also be set that are required to display the widget (refer to section 10).

8.2 Data Stories

Some of our media partners include the "Data Story" tool on their websites. Data Story is a Civey product that helps the media publisher to visualise poll results. No opinion poll is conducted with Data Story. Participants' votes are not processed, are not saved and are not included in the results. Participation merely serves to visualise and classify one's own opinion in relation to the opinion of the population as a whole.

When using Data Story, we only process a small amount of information about you, which generally does not allow any personal reference. As soon as you click on one of the answer options in the poll in a Data Story, we collect a timestamp and device information (tablet/mobile/desktop) as well as the information that you have clicked. We process this data in order to be able to display the Data Story to you. The click data is required to guide you through the Data Story process. We process the click data to show you the next screen according to your click. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR. The device info (tablet/mobile/desktop) is then deleted. We only store the information that you have clicked within Data Story and the date of your participation. As we do not store any other data about you, it is not possible to assign the click data to a specific user. We process the information in aggregated form in order to be able to recognise how users interact with the data story. In particular, it is therefore not possible for us to track you or recognise you when you visit again.

9. Automated decision making

We do not process your personal data for automated decision-making that produces legal effects concerning you or significantly affects you in a similar way.

10. Cookies / Google Analytics

Like almost all websites on the Internet, we use cookies. Cookies are very small text files used by websites that your browser stores on your computer.

So-called "session cookies" are temporarily stored in the working memory and automatically deleted when the browser is closed.

So-called "permanent cookies" are stored on the hard disk for a specified longer period of time; they are automatically deleted after the specified period of time has expired. Cookies are primarily used to make the use of a website easier, more effective and more secure. For example, we use cookies to identify you throughout your session after you have logged in to Civey.

All cookies currently used are absolutely necessary for our services and products. They are therefore always set and cannot be deactivated. The legal basis for the setting of cookies and the associated data processing is Art. 6 para. 1 sentence 1 lit. b, f GDPR.

We do not currently use cookies that are not mandatory. Should we wish to use non-essential cookies in the future, we will only use them if you have given your consent in advance. In this case, consent is the legal basis for the setting of cookies and the associated data processing (Art. 6 para. 1 sentence 1 lit. a GDPR). The specific information on whether a cookie is mandatory can be found in the section on individual cookies.

In addition, you can set your browser so that it generally does not accept cookies or only accepts them after your express confirmation. However, if your browser does not accept cookies, the functionality of Civey may only be available to a limited extent or not at all.

You can find out how to adjust the settings for cookies in Google Chrome, Mozilla Firefox, Safari 9, Microsoft Edge and Windows Internet Explorer here:

You can easily find out how to change the cookie settings for other browsers using the help function of your browser.

We may use the following cookies on our website:

Cookie used on the civey.com website:

catAccCookies: When you visit civey.com for the first time, a Civey cookie is set so that the cookie banner is not displayed every time you visit. The cookie only stores the information "true" or "false" if the user has seen the cookie banner. No timestamp is stored, but it can be deduced that the user has visited the site in the last 365 days, because that is how long the cookie is valid. If you do not delete the cookie in the meantime, the cookie banner will not be displayed again during the lifetime of the cookie when you visit our website. This cookie is absolutely necessary for the function of our services and cannot be deactivated. The legal basis is Art. 6 para. 1 sentence 1 lit. b, f GDPR. Duration: 365 days.

When you visit civey.com to take part in surveys on civey.com or with a media partner, or load the poll widget on a media partner's website.

Prod_sessionId: This cookie is required for the technical provision of our services. The provider of the cookie is Civey. For this purpose, the shortened IP address, technical data about the end device such as screen resolution or browser, date and time, as well as the URL on which the widget is integrated are transmitted to Civey. Civey cannot use this data to establish a personal reference. This cookie is absolutely necessary for the function of our services and cannot be deactivated. The legal basis is Art. 6 para. 1 sentence 1 lit. b, f GDPR. Duration: 30 minutes.

User data is stored by Civey for statistical analysis purposes and only after the IP address has been truncated. At this point, Civey can no longer assign the data to a natural person.

If you register at civey.com with your master data (year of birth, gender, postcode) in order to take part in polls, we will identify you with the following cookie. This is a first party cookie from Civey.

prod_sid: This cookie identifies you as a returning user. It does not store any voting data, but merely generates an individual identifier consisting of numbers and letters. The cookie does not enable cross-device identification. This cookie is absolutely necessary for the function of our services and cannot be deactivated. The legal basis is Art. 6 para. 1 sentence 1 lit. b, f GDPR. Duration: 180 days.

Due to certain technical circumstances, the voting widget can only be displayed on the websites of some of our media partners with the help of an additional 1st party cookie.

cve_sid: This cookie is required for the display of our product on some pages. It is a first party cookie from Civey. No voting data is stored in it, only an individual identifier consisting of numbers and letters is generated. The cookie does not enable cross-device identification. This cookie is absolutely necessary for the display of the voting widget and thus the possibility of participating in polls and cannot be deactivated. The legal basis is Art. 6 para. 1 sentence 1 lit. b, f GDPR. Duration: 90 days.

Google Analytics

We use Google Analytics 4 on our website, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google"). In this context, pseudonymised user profiles are created and cookies are used. The information generated by the cookie about the use of our website (e.g. IP address of the accessing computer, time of access, referrer URL and information about the browser and operating system used) is usually transmitted to Google servers in the USA and processed there.

The use of Google Analytics is based on your consent in accordance with (Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG) in the analysis and optimisation of our online offer and the economic operation of this website. Google therefore processes the information on our behalf in order to analyse the use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage for the purposes of market research and the needs-based design of this website.

We have concluded an order processing contract with Google for the use of Google Analytics. Through this contract, Google ensures that it processes the data in accordance with the General Data Protection Regulation and guarantees the protection of the rights of the data subject.

The IP address processed by Google Analytics is automatically shortened. The last three digits of your IP address are replaced by a "0", which prevents them from being assigned. The data collected may be transferred to third parties if this is required by law or if third parties process the data on our behalf. The user data collected via cookies is automatically deleted after 2 months.

Note: The information generated by the cookies about the use of our website (e.g. IP address of the accessing computer, time of access, referrer URL and information about the browser and operating system used) is transferred to Google servers in the USA and processed there. The USA is a so-called unsafe third country, as there was no longer an adequacy decision by the European Commission following the cancellation of the Privacy Shield. However, since the summer of 2023, the Transatlantic Data Privacy Framework TADPF (https://www.dataprivacyframework.gov/s/) has replaced the Privacy Shield as an adequacy decision, which Google has signed up to. Google relies on standard contractual clauses approved by the EU Commission for the transfer as a guarantee of a level of data protection comparable to that in the EU. You can obtain a copy of the standard contractual clauses here.

You can revoke or adjust your consent at any time with effect for the future. Further information on data protection in connection with Google Analytics can be found in the Google Analytics help centre. Information on the use of data by Google can be found in their privacy policy.

11. Disclosure of personal data to third parties

Some of your personal data, such as your email address, will be shared with service providers who assist us with the following services:

  • Communicating with you (especially if you contact us or have a business account with us),
  • Providing technical services (such as cloud services, hosting or fraud prevention tools)
  • Enhancing your user experience by providing information.

The data transfer is based on Art. 28 (3) GDPR in conjunction with the respective order processing agreement concluded.

If we are legally obliged to do so (e.g. due to applicable law or a court order), we may disclose your personal data. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR or our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR to fulfil our corresponding obligations.

12. Transfer of personal data to third party countries

Within the scope mentioned above, it is possible that we may transfer your personal data to other countries (including countries outside the EU) where different data protection standards may apply than at your place of residence. Please note that data processed in other countries may be subject to foreign laws and may be accessible to local governments, courts and law enforcement and supervisory authorities. However, when transferring your personal data to such countries, we will take appropriate measures to adequately secure your data.

13. Social Media / Lead Generation / Google Ads

a) Google Ads

We use Google Ads Remarketing from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and the representative in the Union Google Ireland Ltd, Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as: Google). The purpose of processing personal data is to specifically address a target group. The cookies stored on the user's end device recognise them when they visit an online presence and can therefore show them interest-based advertising. Google places a cookie on the user's computer. This allows personal data to be stored and evaluated, in particular the user's activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and operating system), data on the advertisements displayed (in particular which advertisements have been displayed and whether the user has clicked on them) and also data from advertising partners (in particular pseudonymised user IDs).

Further information on the processing of data by Google can be found here.

b) LinkedIn Lead Gen Forms

We use the Marketing Solutions product of LinkedIn Corporation, 1000 W Maude, Sunnyvale, CA 94085, USA and its representative in the Union LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter referred to as: LinkedIn). LinkedIn transmits personal data to us with the help of a form (so-called LinkedIn Lead Gen Forms). Lead Gen Forms are forms pre-filled with LinkedIn profile data that allow members to submit their data, which is publicly visible on the network, with just a few clicks. These are usually the first name, surname and email address.

As personal data is transferred to the USA, further protection mechanisms are required to ensure the level of data protection required by the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even by this contractual extension, we endeavour to obtain additional regulations and assurances from the recipient in the USA.

Further information on the collection and storage of data by LinkedIn can be found here.

If cookies are set, we process the personal data in order to reach relevant target groups with suitable advertising measures and to create analyses. The relevant legal basis for this processing is Art. 6 para. 1 lit. f GDPR. You can prevent the collection and processing of your personal data by LinkedIn by preventing the storage of third-party cookies on your computer, using the "Do Not Track" function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker in your browser.

You can use the following link to deactivate the use of your personal data by LinkedIn: LinkedIn Opt-Out.

c) Microsoft Advertising

We use the Microsoft Advertising service (formerly Bing Ads) of the provider Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (hereinafter referred to as "Microsoft") on our website. Microsoft Advertising is used for the purpose of displaying and optimising targeted advertisements via the Microsoft Bing search engines and tracking the activities of users on our website if they have reached our website via advertisements. We have also linked Microsoft Clarity with Google Analytics in order to be able to better analyse the goals and campaigns defined in Google Analytics using the information and evaluations obtained via Microsoft Clarity and to evaluate their success. This understanding helps us to customise our website to the user experience and to be able to implement marketing measures in line with interests. Further information on Google Analytics can be found in the corresponding section.

Microsoft Advertising uses cookies and Universal Event Tracking (UET) for this purpose. This is a code that is used in conjunction with cookies to store information about the use of the website. This includes, among other things, the time spent on the website, which areas of the website were accessed and which adverts brought users to our website. Personal data is processed in the form of online identifiers (including cookie identifiers), IP addresses, access information, device identifiers and information about device and browser settings.

Microsoft Advertising collects information via UET, which we can also use to track target groups thanks to remarketing lists. Microsoft Advertising can recognise that our website has been visited and display an advertisement when Microsoft Bing is subsequently used. The information is also used to create conversion statistics, i.e. to record how many users have reached our website after clicking on an advert. This tells us the total number of users who clicked on our advert and were redirected to our website. However, we do not receive any information with which users can be personally identified.

The legal basis for the use of Microsoft Advertising is your consent pursuant to Section 25 (1) sentence 1 TTDSG (for the use of cookies and the UET) and pursuant to Art. 6 (1) sentence 1 lit. a GDPR (for data processing). You can revoke or amend your consent at any time with effect for the future. The personal data will be deleted after the purpose has ceased to apply.

Microsoft is the recipient of the personal data and also processes it under its own responsibility. You can also deactivate personalised advertising with Microsoft or set it individually. You can find details on this here and here. You can also find setting options for personalised advertising here. Further information on data protection at Microsoft can be found in Microsoft's data protection information at https://privacy.microsoft.com/de-de/privacystatement. The information and personal data are also transmitted by Microsoft to servers in the USA and processed there. Following the annulment of the Privacy Shield, the USA was considered an unsafe third country and there was no adequacy decision by the European Commission and personal data in the USA was therefore not subject to a level of data protection comparable to that in the EU. Since the summer of 2023, the Transatlantic Data Privacy Framework TADPF (https://www.dataprivacyframework.gov/s/) has replaced the Privacy Shield as an adequacy decision, which Microsoft has joined.

Furthermore, Microsoft relies on standard contractual clauses approved by the EU Commission for the transfer to other Microsoft companies (e.g. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA) as a guarantee of a level of data protection comparable to that in the EU. You can obtain a copy of the standard contractual clauses from Microsoft itself.

d) Microsoft Clarity

We use the Microsoft Clarity analysis tool from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft") on our website. Microsoft Clarity enables us to use cookies and other technologies (e.g. device fingerprinting) to measure reach and statistically evaluate the behaviour of users and to better understand and track their interactions with our website.

In doing so, we process usage data (e.g. pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses, browser information), location data (information on the geographical position of a device) and interaction/movement data (click rate, dwell time, mouse and scroll movements). We use Microsoft Clarity with activated IP masking (shortening of the IP address). Microsoft assigns the personal data and information to individual user IDs.

The legal basis for the use of Microsoft Advertising is your consent pursuant to Section 25 (1) sentence 1 TTDSG (for the use of cookies and other technologies) and pursuant to Art. 6 (1) sentence 1 lit. a GDPR (for data processing). You can revoke or amend your consent at any time with effect for the future.

The personal data will be deleted after the purpose has ceased to apply. The personal data is stored for 30 days to 13 months, depending on the category and type.

Microsoft is the recipient of the personal data and processes it on its own responsibility and for its own purposes, including the provision of Microsoft Advertising and for product improvement. You can also deactivate personalised advertising with Microsoft or set it individually. Details can be found here and here. You can also find setting options for personalised advertising here. Further information on data protection at Microsoft can be found in Microsoft's data protection information at https://privacy.microsoft.com/de-de/privacystatement.

The personal data is transmitted to Microsoft servers (Azure Cloud Services) and stored there. This may also involve the transfer of personal data to the USA, a so-called third country. For these data transfers to the USA as a third country, we rely on your expressly granted consent in accordance with Art. 49 para. 1 sentence 1 lit. a GDPR. Explanation: A third country is a country outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered unsafe if the EU Commission has not issued an adequacy decision for this country in accordance with Art. 45 para. 1 GDPR, which confirms that there is adequate protection for personal data in the country. With the ECJ ruling of 16 July 2020 (C-311/18), the adequacy decision for the USA, the so-called Privacy Shield, was declared null and void. The USA was therefore considered a so-called unsafe third country. This means that the USA did not offer a level of data protection comparable to that in the EU. The following risks exist when transferring personal data to the USA. There is a risk that US authorities could gain access to personal data on the basis of the PRISM and UPSTREAM surveillance programmes based on Section 702 of the FISA (Foreign Intelligence Surveillance Act), as well as on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens have no effective legal defence against this access in the USA or the EU. This situation has been resolved since the summer of 2023 by the Transatlantic Data Privacy Framework TADPF (https://www.dataprivacyframework.gov/s/), which has replaced the Privacy Shield as an adequacy decision; Microsoft has joined the TADPF.

e) Social-Media-Plugins

Our website also uses social media plugins (Facebook, Twitter, LinkedIn, Xing). By using the Facebook, Twitter and LinkedIn plugins, some of your personal data will be sent to the USA. To ensure suitable guarantees for the protection of the transfer and processing of personal data outside the EU, the data transfer to and data processing by our plugin operators is carried out on the basis of suitable guarantees in accordance with Art. 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR.

f) Social-Media-Links

Social networks (Facebook, Twitter, YouTube, Instagram, LinkedIn and XING) are integrated on our website as links to the corresponding services. After clicking on the integrated text/image link, you will be redirected to the page of the respective provider. User information is only transferred to the respective provider after you have been redirected. For information on the handling of your personal data when using these services, please refer to the respective privacy policies of the providers you use.

14. HubSpot

For our online marketing activities and lead generation, we use the services of HubSpot Inc., a software company from the USA, 25 First Street, Cambridge, MA 02141 USA, with a branch in Ireland; 2nd Floor 30 North Wall Quay, Dublin 1, Ireland and Germany, Am Postbahnhof 17, 10243 Berlin. This is an integrated software solution with which we cover various aspects of our online marketing. The following data and the content of our website are stored on HubSpot's servers. As part of processing via HubSpot, data may be transferred to the USA. We have agreed the Data Processing Agreement with HubSpot, including the standard contractual clauses and other suitable guarantees that ensure the security of data transmission (https://legal.hubspot.com/dpa); in addition, HubSpot has joined the Transatlantic Data Privacy Framework TADPF (https://www.dataprivacyframework.gov/s/), which has replaced the Privacy Shield as the adequacy decision since summer 2023.

a) E-Mail-Marketing:

HubSpot is used for our email marketing, among other things. Our website visitors can subscribe to topic-related newsletters and mailings as well as download certain documents (e.g. white papers). For this purpose, for example, the name and e-mail address are required. We use this data to contact visitors to our website. The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent to receive newsletters, mailings or downloads at any time via a link at the end of each e-mail or by sending a message to kontakt@civey.com - as already described above in section 7. If you withdraw your consent, your contact details will be deleted immediately.

b) Reporting and Contact Management

In addition to email marketing, we use HubSpot for reporting (e.g. traffic sources, visits) and contact management purposes (user segmentation and CRM). This involves the use of cookies, which are stored on your computer and enable us to analyse your use of the website. This information is analysed by HubSpot on our behalf in order to generate reports about visits to our pages. This enables us to determine which of our company's services are of interest to you and thus constantly improve our products and make our offers more customer-orientated.

If you have registered for our registration service (see "Email marketing"), we can also use HubSpot to link a user's visits to our website with their personal details (name, email address) so that you can receive personalised and targeted information on your preferred topics.

The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR via the cookie banner. If you generally do not want HubSpot to collect data, you can prevent the storage of cookies at any time by changing your browser settings accordingly. Further information on HubSpot's data protection can be found in the terms of use and privacy policy at https://legal.hubspot.com/privacy-policy or https://legal.hubspot.com/legal-stuff.

15. Security

We have appropriate, state-of-the-art security measures in place to protect your data from loss, misuse and alteration. For example, our security guidelines and data protection declarations are regularly reviewed and improved where necessary. In addition, only authorised employees have access to personal data. Although we cannot ensure or guarantee that data will never be lost, misappropriated or altered, we do everything in our power to prevent this. Please bear in mind that data transmission via the Internet is never completely secure. We cannot guarantee the security of the data entered on our website during transmission via the Internet. This is at your own risk.

16. Storage Periods

Our aim is to process your personal data only to the smallest possible extent. If no exact storage periods are specified in this declaration, we will only store your personal data for as long as it is necessary to fulfil the purpose for which it was originally collected and - if applicable - for as long as required by law and you have not exercised your right of revocation or objection.

17. Your rights / Data Protection Officer

Depending on the circumstances of the specific case, you have the following data protection rights:

  • to request access to your personal data and/or copies of this data. This includes information about the purpose of use, the category of data used, its recipients and authorised persons and, if possible, the planned duration of data storage or, if this is not possible, the criteria for determining this duration;

  • to demand the rectification, erasure or restriction of the processing of your personal data if its use is not permitted under data protection law, in particular because (i) the data is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, (iii) the consent on which the processing was based has been withdrawn, or (iv) you have successfully exercised your right to object to data processing; in cases where the data is processed by third parties, we will forward your requests for rectification, erasure or restriction of processing to these third parties, unless this proves impossible or involves a disproportionate effort;

  • to refuse consent or to withdraw your consent to the processing of your personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

  • not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you;

  • to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us; you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible;

  • to take legal action or contact the competent supervisory authorities if you believe that your rights have been violated as a result of the processing of your personal data that does not comply with data protection regulations.

In addition, you have the right to object to the processing of your personal data at any time:

  • if we process your personal data for direct marketing purposes; or

  • if we process your personal data to pursue our legitimate interests and there are grounds relating to your particular situation.

The exercise of these rights does not affect the validity of a contract (Section 327q BGB).

You can (i) exercise the above rights or (ii) ask questions or (iii) object to the processing of your personal data by us by contacting us using the contact details provided above, including kontakt@civey.com.

You can contact our data protection officer as follows:

DP Dock GmbH, Mr Wolfgang von Sangersleben
Ballindamm 39, 20095 Hamburg
dpo@civey.com

18. Changes to this Privacy Policy

We reserve the right to amend this Policy in accordance with the updates to our website. Please visit this website regularly and check the current policy.

This privacy policy was last updated in December 2023.