Jourma

Privacy Policy for the Website — Jourma GmbH

Legally Binding Version: German

This privacy policy applies to the website https://jourma.de.

Thank you for visiting our website. The protection of your personal data is important to us. We want you to feel safe when using our services. We process your personal data in accordance with the General Data Protection Regulation (DSGVO) and the data protection provisions applicable in Germany.

§1 Contact Details of the Data Controller

The Data Controller within the meaning of the DSGVO is:

Jourma GmbH Taunustor 1 60310 Frankfurt am Main / Deutschland

Managing Director (Geschaeftsfuehrer): Hakan Kocabas Commercial Register: Amtsgericht Frankfurt am Main, HRB 136208 USt-IdNr. (VAT ID): DE412018648

Telefon: +49 69 5050604633 E-Mail: info@jourma.de Website: https://jourma.de

§2 Contact Details for Data Protection Matters

If you have any questions regarding data protection, please contact:

E-Mail: datenschutz@jourma.de

Postal address: Jourma GmbH, Taunustor 1, 60310 Frankfurt am Main, Deutschland.

§3 Scope of this Privacy Policy

This Privacy Policy applies to:

(a) the website https://jourma.de (hereinafter "Website"); (b) all related website services and functionalities.

§4 Scope of Processing of Personal Data

As a general principle, we process personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Beyond this, the processing of personal data of our users regularly takes place only with their Consent. An exception applies in cases where prior obtaining of Consent is not possible for factual reasons and the processing of data is permitted by statutory provisions.

We may process the following categories of data:

  • Master data (e.g. first name, last name)
  • Contact data (e.g. e-mail address, telephone number)
  • Communication data (e.g. e-mail content, social media posts)
  • Connection data (e.g. IP address, HTTP headers, user agent)
  • Consent data (e.g. selected tools and categories of the consent banner)
  • Device data (e.g. device type, screen resolution, browser type, operating system, language)
  • Identifiers (e.g. pseudonymised user identifiers, information from cookies and web storage elements)
  • Usage data (e.g. pages visited, date and time of visit, duration of visit, scroll activity, buttons clicked, files downloaded, interactions with media and forms)
  • Newsletter data (e.g. name, e-mail address, consent information, opened e-mails, clicked links)
  • Business page insight data (e.g. demographic information such as age, gender, region and country; interactions with the company page)
  • Data protection requests (e.g. your specific request, our response, our documentation of fulfillment of the request)

§4.1 Contact Form (Website)

When you contact us via the contact form provided on the Website, this is done on the basis of our Legitimate Interest in processing and responding to your contact request (Art. 6 Abs. 1 lit. f DSGVO). We use the data submitted via the contact form exclusively to respond to your enquiry. Use for other purposes does not take place at any time.

§4.2 Newsletter Subscription

When you subscribe to our newsletter, the data entered in the input form (including name and e-mail address) is transmitted to the Data Controller. Registration takes place using the double opt-in procedure: after registration, you will receive an e-mail asking you to confirm your registration. Your subscription will only be activated after this confirmation. This serves to prevent unauthorised registrations using third-party e-mail addresses.

During registration, we also store the IP address as well as the date and time of registration in order to prevent possible misuse. Your data will not be passed on to third parties unless there is a legal obligation to do so. The data collected is used exclusively for sending the newsletter. You may unsubscribe from the newsletter at any time via the link contained in every e-mail and revoke your Consent to the storage of your personal data.

We use market-standard technologies to measure interactions with our newsletters (e.g. opening of e-mails, clicking on links) for general statistical evaluations as well as for the optimisation and further development of our content and customer communication.

Your data is processed on the basis of Art. 6 Abs. 1 lit. a DSGVO, provided that you have given your Consent. If the newsletter is sent in connection with the sale of goods or services, the Legal Basis is Art. 6 Abs. 1 lit. f DSGVO in conjunction with Sec. 7 Abs. 3 UWG. For the delivery of the newsletter, we use Mailchimp (Intuit, Inc.).

§5 Legal Bases for the Processing of Personal Data

Insofar as we obtain Consent from the data subject for the processing of personal data (e.g. for website tracking), Art. 6 Abs. 1 lit. a DSGVO serves as the Legal Basis.

Where we process your data to carry out pre-contractual measures at your request or for the performance of a contract, our Legal Basis is Art. 6 Abs. 1 lit. b DSGVO.

Where we process data to fulfil a legal obligation (e.g. tax-related retention obligations), Art. 6 Abs. 1 lit. c DSGVO is the Legal Basis.

Beyond this, we process personal data pursuant to Art. 6 Abs. 1 lit. f DSGVO on the basis of Legitimate Interests, which we describe in the section on the purposes of data processing.

§6 Purposes of Data Processing

Personal data is processed for the following purposes:

  • Provision of the Service: Enabling the usability of our website, ensuring the permanent functionality and security of our information technology systems, general administration of our service (Art. 6 Abs. 1 lit. b, f DSGVO). This includes the provision of our online offering with all content and functionalities, including the consent management system.

  • Contact: Responding to contact enquiries, communicating with users, and providing a contact form (Art. 6 Abs. 1 lit. f DSGVO).

  • Newsletter: Provision and dispatch of our newsletter, including storage of registration data for the fulfilment of documentation obligations (Art. 6 Abs. 1 lit. a, f DSGVO).

  • Analytics: Provision of analytical tools that recognise users of our service via identifiers, measure pages visited, analyse usage behaviour, and use the data to optimise the website (Art. 6 Abs. 1 lit. a DSGVO). An evaluation for marketing purposes does not take place in this context.

  • Social Network Company Pages: Operation and management of company pages on social networks, including communication with interested parties and customers, as well as processing of aggregated business page insight data (Art. 6 Abs. 1 lit. f DSGVO).

  • Data Protection Matters: Processing and responding to your data protection-related requests, as well as storage of your requests for the fulfilment of documentation obligations (Art. 6 Abs. 1 lit. f DSGVO).

  • Compliance: Enforcement of our own legal claims and compliance with other legal provisions (Art. 6 Abs. 1 lit. c, f DSGVO).

§7 Data Recipients

The data we collect is only disclosed where there is a data protection Legal Basis in the specific case.

We use external service providers for certain functions of our website. As is common in many companies, we use both domestic and international partners for various business processes, including in the areas of IT, telecommunications, sales, and marketing. These service providers act exclusively on our instructions and are obligated to comply with data protection provisions on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO.

The following categories of recipients — generally as Data Processors — may, under certain circumstances, have access to your personal data:

  • Technical service providers that ensure the operation of our website and handle the processing of stored or transmitted data (e.g. data centres, cloud infrastructure, IT security service providers). The transfer is based on Art. 6 Abs. 1 lit. b or f DSGVO, unless they act as Data Processors.

  • Public bodies and authorities, insofar as we are legally obligated to disclose your data, in particular in the case of binding requirements, official requests, court orders, and legal proceedings for the enforcement or assertion of rights (Art. 6 Abs. 1 lit. c DSGVO).

  • External partners in business operations, such as auditors, banks, insurance companies, legal advisors, or supervisory authorities. The data transfer is based on Art. 6 Abs. 1 lit. b or f DSGVO.

  • Beyond this, we only disclose personal data to third parties if this is legally permissible and necessary for the performance of a contract or for the implementation of pre-contractual measures at your request (Art. 6 Abs. 1 lit. b DSGVO), or if you have given us your express Consent pursuant to Art. 6 Abs. 1 lit. a DSGVO.

§8 Data Processors and Third-Party Providers

§8.1 Website Data Processors

The following service providers process your data in connection with the use of our website:

(a) Vercel Inc. (San Francisco, USA) — Website hosting and delivery. Processes request logs and IP addresses.

(b) Sentry / Functional Software Inc. (San Francisco, USA) — Error monitoring and optional session replay (only with your Consent via analytics cookies).

(c) Resend Inc. (USA) — E-mail delivery for contact form enquiries. Processes your name, e-mail address, and message content.

  • DPA: Signed DPA and SOC 2 Type II report on file.
  • Third-country transfer: Standard Contractual Clauses (SCCs) (Art. 46 Abs. 2 lit. c DSGVO).

(d) Google (Google Analytics, Google Tag Manager, Google Fonts): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland.

(e) Intuit (Mailchimp): Intuit, Inc., 2700 Coast Avenue, Mountain View, CA 94043, USA — Newsletter dispatch.

§8.2 Meta Platforms (Independent Data Controller)

Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Irland.

Facebook Fan Page and Instagram Business Profile: We and Meta process aggregated business page insight data on our company pages as joint controllers; the respective social network provider is contractually responsible for fulfilling data subject rights. Joint controller arrangement: https://www.facebook.com/legal/terms/page_controller_addendum.

§8.3 LinkedIn (Joint Controller)

LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Irland — LinkedIn company page.

We and LinkedIn process aggregated business page insight data on our LinkedIn company page as joint controllers.

§9 Transfer to Third Countries

We may use services whose providers are partly located in so-called third countries (outside the European Union (EU) or the European Economic Area (EEA), in particular in the USA) or transfer personal data thereto, i.e. to countries whose data protection level does not correspond to that of the European Union.

Adequacy Decision (Art. 45 DSGVO): Where an Adequacy Decision of the European Commission exists for such countries, we base the data transfer thereon. For the USA, this applies only if the US recipient has certified under the EU-US Data Privacy Framework. This concerns in particular:

  • Google LLC (Google Analytics, Google Fonts, Google Tag Manager)
  • Meta Platforms Inc. (Facebook, Instagram)
  • LinkedIn Corporation
  • Intuit Inc. (Mailchimp)

Standard Contractual Clauses (SCCs) (Art. 46 Abs. 2 lit. c DSGVO): Where no Adequacy Decision exists for the country concerned, we have put in place appropriate contractual safeguards to ensure an adequate level of data protection for any data transfers. These include in particular the EU Standard Contractual Clauses. This concerns in particular:

  • Vercel Inc. (website hosting)
  • Sentry / Functional Software Inc. (error monitoring)
  • Resend Inc. (e-mail delivery)

Where this is not possible, we base the data transfer on derogations pursuant to Art. 49 DSGVO, in particular your express Consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.

Where a transfer to a third country is planned and neither an Adequacy Decision nor an appropriate safeguard is in place, there is a possibility and risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed.

§10 Duration of Data Storage

We store your personal data only for as long as is necessary for the respective purposes for which they were collected. In detail, the following retention periods apply:

Data Category Retention Period
Contact enquiries (Website) Maximum 6 months
Newsletter subscription data Until revocation of Consent
Consent cookies (Consent Manager) 180 days
Google Analytics cookies 2 years
Server logs 90 days

Statutory retention periods and deletion obligations remain unaffected, e.g. pursuant to Sec. 257 HGB or Sec. 147 AO (up to 10 years for tax-relevant documents). After expiry of the statutory retention periods, the data is deleted unless further storage is necessary and covered by a Legal Basis.

§11 Access to and Storage of Information on the End Device

Our website accesses or stores information on your end device only where this is strictly necessary for the provision of the digital service requested by you — i.e. for the core functionalities of our service — or where you have previously given your Consent — i.e. for optional services — in accordance with the implementing laws of the ePrivacy Directive of the EU Member States, in Germany pursuant to Sec. 25 TDDDG.

We use technologies such as cookies, local storage, or session storage that are stored on the end device, or scripts and other program code that access information on your end device, e.g. identifiers such as device ID or advertising ID.

The Legal Basis for the processing of personal data using technically necessary technologies is Art. 6 Abs. 1 lit. f DSGVO. The Legal Basis for the processing of personal data using optional technologies for analytics purposes is Art. 6 Abs. 1 lit. a DSGVO, provided the user has given Consent thereto.

§11.1 Consent Manager

We use consent management to enable or disable data protection-relevant website functionalities. The cookies are deleted after 180 days. The Legal Basis is our Legitimate Interest pursuant to Art. 6 Abs. 1 lit. f DSGVO.

The following cookies are stored by the Consent Manager:

  • cookie-consent (180 days): Consent decision.
  • analytics (180 days): Consent decision for analytics purposes.
  • functional (180 days): Consent decision for functional purposes.
  • marketing (180 days): Consent decision for marketing purposes.

§11.2 Google Tag Manager

Our website uses the Google Tag Manager of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, which serves exclusively for the management of website tools through the integration of so-called website tags. The Google Tag Manager uses JavaScript and does not require cookies.

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO.

§11.3 Google Fonts

We use Google Fonts of Google Ireland Limited for the embedding of online fonts. For this purpose, your browser must establish a connection to Google servers. This provides Google with the information that our website was accessed via your IP address. No cookies are stored. The server may be located in the USA.

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO.

§11.4 Google Analytics

We use the analytics tracking tool Google Analytics (GA) of Google Ireland Limited on our website. The information about your use of the website is generally transmitted to and stored on a Google server in the USA.

The following cookies are stored by Google Analytics:

  • _ga (2 years): Recognition and differentiation of visitors via a user ID.
  • _ga_ZKJSTBC3W1 (2 years): Maintaining current session information.

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO.

§12 Your Rights as a Data Subject

You have the following rights:

§12.1 Right of Access (Art. 15 DSGVO)

You have the right to obtain information from us about the personal data concerning you. This includes in particular information about the processing purposes, the categories of personal data, the recipients, the retention period, and the existence of further rights. This requires a request on your part, which is to be sent to us by e-mail to datenschutz@jourma.de or by post to the address stated above.

§12.2 Right to Object and Withdrawal of Consent

Pursuant to Art. 21 DSGVO, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims. If we process your data for direct marketing purposes, we will comply with your objection without requiring a reason.

Pursuant to Art. 7 Abs. 3 DSGVO, you have the right to withdraw your Consent at any time. The consequence of this is that we may no longer continue the data processing based on this Consent in the future. The withdrawal does not affect the lawfulness of the processing carried out on the basis of the Consent until the withdrawal.

§12.3 Right to Rectification (Art. 16 DSGVO)

Insofar as personal data concerning you is inaccurate, you have the right to demand immediate rectification from us.

§12.4 Right to Erasure (Art. 17 DSGVO)

Under the conditions set out in Art. 17 DSGVO, you have the right to demand the erasure of personal data concerning you. A right to erasure exists in particular where the data concerned is no longer necessary for the purposes for which it was collected or processed, where the retention period has expired, where an objection has been lodged, or where the processing is unlawful.

If you use an account in our app, you may delete your account in the app settings. All personal data associated with the account will then be deleted, subject to statutory retention obligations.

§12.5 Right to Restriction of Processing (Art. 18 DSGVO)

You have the right to demand the restriction of processing of your personal data from us, in particular where the accuracy of the data is contested, the processing is unlawful, or we no longer need the data but you require it for the establishment, exercise, or defence of legal claims.

§12.6 Right to Data Portability (Art. 20 DSGVO)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, insofar as the statutory requirements are met.

§13 Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection provisions, you have the right, pursuant to Art. 77 DSGVO, to lodge a complaint with a data protection supervisory authority.

The contact details of the supervisory authority competent at our location are:

Der Hessische Beauftragte fur Datenschutz und Informationsfreiheit Gustav-Stresemann-Ring 1 65189 Wiesbaden / Deutschland

Telefon: 0611-1408 0 E-Mail: poststelle@datenschutz.hessen.de

§14 Necessity of Providing Data

There is generally no obligation to provide your data. The use of our website is generally possible without providing personal data. For the contact form, entering your first name, last name, e-mail address, and your message is required. Without this data, you cannot contact us via the contact form.

§15 Automated Decision-Making

Automated decision-making including profiling pursuant to Art. 22 DSGVO that produces legal effects or similarly significantly affects you does not take place.

§16 Updates to the Privacy Policy

We reserve the right to supplement or amend this Privacy Policy as necessary, in particular in the event of changes to our services, new legal requirements, or the introduction of new processing activities. The current version is available on our website at all times.