Data controller
The controller of data processed in connection with the Palau App is:
Palau BV. Palau is the data controller and can be contacted at:
Tabakvest 9, 2000 Antwerp, Belgium
Managing Directors (managing director and responsible editor): Jerome Cloetens, Simon Hendrickx
VAT-ID (value-added tax identification number): BE 0770878497
Data that we process automatically
You can use our Palau App without disclosing much personal data. However, every time you or another user uses our Palau App, we will automatically process certain personal data (e.g., IP address) as well as other technical data (e.g., operating system version, device type), language, and region. We need your IP address, for example, in order to make it technically possible for you to use the Palau App at all (Art. 6 para. 1 letter b GDPR).
However, we cannot use these data to identify you directly.
Data that you submit to us voluntarily
You do not have to provide any other personal information. Only if you want to use additional functions of the Palau App or contact us voluntarily, will we need additional personal data from you. As soon as you enter personal data (such as name, address, email address) into our Palau App, this will therefore occur on a voluntary basis. If you use Palau App functions (in particular our carbon footprint calculator and scanning tool), we will process data about your carbon footprint and scanning behaviour.
Personal data will be processed when you perform the following actions:
- Contact customer service
- Register or log in via one of your social media accounts (Apple, Facebook, Google) or your email address (Magic Link)
- Use functions of the Palau App
- Subscribe or unsubscribe to the newsletter
If you provide us with personal data for any of the above-mentioned reasons, we will use them to perform the user agreement (Art. 6 para. 1 letter b GDPR). We will send you a newsletter on the basis of your consent (Art. 6 para. 1 letter a GDPR) and use your contact data for this purpose.
We will also process data about your usage behaviour in order to continuously improve our Palau App, provided you consent to this processing (Art. 6 para. 1 letter a GDPR). For this purpose, we analyze the usage behaviour of all users. Such usage data allow us to determine, for example, how many users are accessing the Palau App at the same time, which functions they use, and which elements and functions of our Palau App are especially popular. These usage profiles are pseudonymized. Under normal circumstances, we therefore cannot draw conclusions about you or your use of the Palau App. In addition, we will process these data to provide you with personalized/targeted advertising from our advertising partners. However, in this case, too, we will do so only with your consent (Art. 6 para. 1 letter a GDPR).
For these purposes, we use technologies that work similarly to cookies.
In some cases, we work together with partners who process these data on our behalf. These partners sometimes process data outside the European Economic Area, in particular in the United States.
We will be happy to inform you, free of charge, which of your personal data we store and we will erase or correct your data at your request. You may generally object to data processing by us (for example, to any data processing for direct advertising) and you may, of course, revoke your consent at any time. Simply contact us with your request, and please inform yourself about your rights in detail below.
We will, of course, ensure that you can effectively exercise all your rights.
If you believe that your data have been processed unlawfully, you may file a complaint with the competent supervisory authority.
To ensure that you always have full control over your data and know exactly how and for what purpose your data is being processed and by whom, we have provided you with more detailed information on the individual topics below. Please carefully read the following information:
- General information about data processing
- Important terms
- Legal basis
- Cooperation with processors and third parties
- Data transfers to third countries
- Erasure of data
- Data security
- Technically necessary data processing
- Registration and login
- Registration with Apple ID
- Registration with Google Account
- Facebook Login
- Calculation of carbon footprint
- Participation in carbon offset scheme
- Hosting (AWS)
- Subscription and unsubscription to the newsletter (Mailchimp)
- Analysis by us and with the help of third parties
- Targeted advertising by us and with the help of processors/third parties (Facebook SDK)
- Integration of third-party services and content
- Right of objection
- Right of revocation
- Rights of data subjects
1. General information about data processing
1.1 Important terms. "Personal data" means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data, whether or not by an automated process. In practice, this term covers most cases in which data are used in some way.
"Controller" means the natural person or legal entity, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
1.2 Legal basis. The legal basis for processing data on the basis of consent is Art. 6 para. 1 letter a and Art. 7 GDPR, the legal basis for processing data for the purpose of providing our services, the performance of agreed measures, and responding to inquiries is Art. 6 para. 1 letter b GDPR, the legal basis for processing data for the purpose of performing our legal obligations is Art. 6 para. 1 letter c GDPR, and the legal basis for processing data on the basis of our legitimate interests is Art. 6 para. 1 letter f GDPR. Should vital interests of a data subject or another natural person require the processing of personal data, such data will be processed on the basis of Art. 6 para. 1 letter d GDPR.
1.3 Cooperation with processors and third parties. If in the course of our data processing we disclose data to any other persons or companies, transfer data to them, or grant them access to data in any other way, this will be done only if permitted by law. If we transfer your data to a payment service provider, for example, this will serve the purpose of performing our contract with you and will be covered by Art. 6 para. 1 letter b GDPR. A data transfer may also take place if you have given your consent (Art. 6 para. 1 letter a GDPR), if we have a legal obligation to transfer data (Art. 6 para. 1 letter c GDPR), or if we have a legitimate interest in transferring data (Art. 6 para. 1 letter f GDPR).
In some cases, we use other companies as processors. For this purpose, we enter into "data processing agreements" on the basis of Art. 28 GDPR.
1.4 Data transfer to third countries. We use cloud services. We will therefore transfer your data to a cloud services provider and your data will be processed there. In some cases, data will also be processed by our service providers in so-called third countries. These are countries outside the European Union (EU) and the European Economic Area (EEA). This is done either to perform our (pre-) contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. However, such processing will only take place if the special requirements of Art. 44 et seq. GDPR are satisfied. An adequate level of data protection will be ensured in these cases, as well. This is because we require our service providers to agree to special contractual obligations that ensure a level of data protection comparable to that in the EU (so-called "EU standard contractual clauses").
1.5. Erasure of data. We erase or restrict the processing of personal data in accordance with Art. 17 and 18 GDPR. Stored data are generally erased when they are no longer needed for their intended purpose unless erasure would conflict with legal recordkeeping obligations. We restrict data processing if data cannot be erased because they will be used for other, lawful purposes. This means that data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for any commercial or tax law reasons.
In Germany data are stored for 6 years in accordance with § 257 para. 1 of the German Commercial Code (HGB) (commercial accounts, inventories, opening balance sheets, annual financial statements, commercial correspondence, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 of the German Tax Code (AO) (books, records, management reports, accounting vouchers, commercial and business correspondence, tax-related documents, etc.).
1.6 Data security. All data transfers between your end device and our servers or the servers of our service providers will be encrypted. We use commercially available encryption techniques to ensure that your data transfers are secure. We also follow the principle of data economy and try to collect and store only as much of your personal data as is necessary for providing our services.
2. Technically necessary data processing. In the course of providing our services, we process data to the extent technically necessary. This includes server logs, firewall logs, etc., for example at our hosting partner AWS. In connection with these logs, basic connection data are stored, such as
- time of access
- IP address of the terminal device
- resource requested
3. Registration and login. If you want to use our Palau App to the full extent, you must register. We process registration data for the initiation and performance of the user agreement (Art. 6 para. 1 letter b GDPR). There are several ways to register for and log into our Palau App:
3.1. Email. You can register with your email address. For this purpose we will process your first and last name, as well as your email address. After you have registered, you will receive a confirmation email from us, which will contain a link (Magic Link) protected via HTTPS which you can use to log in to the Palau App.
3.2 Registration via Apple ID. Alternatively, you can register and log in to the Palau App using the "Register with Apple" function. The "Register with Apple" function identifies you either via your Face ID, Touch ID, or Apple password. Your name and email as well as an authentication token will be sent to us. It is also possible to hide your email address. In this case, Apple will generate a random email address for you, and incoming messages sent to this email address will only be forwarded to your actual email address. In this case, we will not know your email address. If you use the "Register with Apple" feature, Apple will not create profiles or track your usage history. Apple will only process data about where you register using this feature.
3.3 Google Account registration. You can also register and log in to the Palau App using your Google Account. The Palau App will establish a connection to Google's servers, where you can log in with your user name and password. Your identity will then be confirmed by Google, and Google will disclose your basic profile information (your first and last name) and your email address to us. We will also process an authentication token.
3.4 Facebook Login. Finally, you can also register and log in using the "Facebook Login" feature. For this purpose the Palau App will establish a connection to Facebook's servers. To register, you must log in to your Facebook account. Facebook will then confirm your identity. Facebook will send us your name and profile picture. Additionally, we will ask you for your email address. We will also process an authentication token. Please also note that Facebook will receive information via Facebook Login about how you use our Palau App.
4. Calculation of carbon footprint. The Palau App allows you to calculate your personal carbon footprint. To do so, you will have to answer several questions about your personal lifestyle. Your answers to these questions contain personal data about you, such as what type of diet you follow. When you register with a user account, we will link this personal data with other data we have about you. We will store these data until you close your user account. We will process these data in order to be able to offer you this service (Art. 6 para. 1 letter b GDPR).
6. Hosting (AWS). We use the cloud services of Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (hereinafter "AWS"), for hosting the Palau App. This company provides us with the following services: Infrastructure and platform services, computing capacity, storage and database services, and security and technical maintenance services. AWS processes inventory data, contact data, content data, contract data, usage data, and meta and communication data of our users and interested parties on our behalf. This is done on the basis of our legitimate interest in making our Palau App available in an efficient and secure manner, Art. 6 para. 1 letter f GDPR in conjunction with Art. 28 GDPR (data processing agreement). If and to the extent data are transferred to servers in so-called third countries, the appropriate level of data protection will be ensured via EU standard contractual clauses.
7. Communication by us and with the help of service providers
7.1. Direct contact. If you contact us directly and you have questions or comments about the Palau App or your user agreement, your data will be processed for the purpose of initiating or performing our contract with you (Art. 6 para. 1 letter b GDPR). For other topics, the legal basis is our legitimate interest in being able to appropriately respond to your general inquiries (Art. 6 para. 1 letter f GDPR). Your data will be erased as soon as your inquiry has been addressed and there are no legal recordkeeping obligations.
8. Subscription for and cancellation of newsletter (Mailchimp). Below you will find information about the content of our newsletter as well as the subscription, mailing, and statistical analysis process and about your right of objection. By subscribing to our newsletter, you agree to receive the newsletter and to the described processes.
Content of the newsletter: We send newsletters, emails, and other electronic notifications containing advertising information (hereinafter referred to as the "Newsletter") only with the consent of recipients or if permitted by law. If the content of the Newsletter is specifically described when you sign up for the Newsletter, this description will be controlling for purposes of the user's consent. Furthermore, our Newsletter contains information about our products, offers, and promotions, and about our company.
Double-opt-in and logging: Subscription to our Newsletter involves a so-called double-opt-in procedure. This means that after subscription you will receive an email asking you to confirm your subscription. This confirmation is necessary so that nobody can subscribe using an email address of a third party. Subscriptions to the Newsletter are logged in order to be able to document the subscription process in compliance with legal requirements. This includes logging the time of subscription and confirmation time as well as the IP address. In addition, any changes to your data stored at Mailchimp will be logged.
Data transfer to third countries: Mailchimp processes personal data in so-called third countries. We have agreed EU standard contractual clauses with Mailchimp to ensure an adequate level of data protection in these third countries, as well.
Collection and analysis of statistical data: The Newsletter contains a so-called web beacon, i.e., a pixel-sized file that is retrieved by the Mailchimp server when the Newsletter is opened. As part of this retrieval process, technical information, such as information about your browser and operating system, your IP address and the time of retrieval will initially be collected. Based on these technical data your reading behavior and the place of retrieval (which can be determined by means of the IP address) can be established. These data also make it possible to determine whether the Newsletter is opened, when it is opened, and which links are clicked. For technical reasons, this information may be correlated to specific Newsletter subscribers. However, it is neither our intention nor the intention of Mailchimp to monitor individual users. Rather, the analyses allow us to learn about the reading habits of our users, to adapt our content to their interests, or to send different content according to the interests of our users.
According to Mailchimp, Mailchimp may use such data in pseudonymous form, i.e., without correlation to any particular user, to improve its own services, e.g., for optimizing technical mailing details, the presentation of the Newsletter, or for statistical purposes, and to determine in which countries subscribers live. However, Mailchimp does not use data of our Newsletter subscribers to contact them nor does Mailchimp transfer their data to any third parties. Mailchimp is responsible for processing these data.
Legal basis: We will process your email address to send you our Newsletter, if you have consented to receiving the Newsletter (Art. 6 para. 1 letter a GDPR). Our use of Mailchimp, our collection and analysis of statistical data, as well as our logging of the subscription process are based on our legitimate interests within the meaning of Art. 6 para. 1 letter f GDPR. Our legitimate interest is to offer you and other users a user-friendly and secure newsletter system that serves our business interests and meets the expectations of users.
Cancellation/revocation: You may cancel your subscription to our newsletter at any time, i.e., by revoking your consent. By revoking your consent you will automatically also object to the mailing of the Newsletter by Mailchimp and to statistical analyses. Objecting only to the mailing of our Newsletter by Mailchimp or to statistical analyses is unfortunately not an option. You will find a link to cancel your subscription to the Newsletter at the end of each Newsletter, or you can deactivate the Newsletter via the Palau App. After you have cancelled your subscription, we will no longer process your email address for this purpose. Unless we need your email address for other purposes, we will erase it.
9. Analysis by us and with the help of processors
9.1 Integration of Heap.io SDK
Heap (heap.io; San Francisco, California, United States) is a platform that provides analytics infrastructure to reduce the annoying parts of user analytics.
We use Heap to collect information on how you use the app. We consider this information while designing future versions of our app with the intention to provide our users with the best possible, most useful functionalities.
9.2 Integration of Firebase SDK
Google Firebase is Google-backed application development software that enables developers to develop iOS, Android and Web apps. Firebase provides tools for tracking analytics, reporting and fixing app crashes, and creating marketing and product experiments.
We use Firebase to collect information on how you use the app. We consider this information while designing future versions of our app with the intention to provide our users with the best possible, most useful functionalities.
9.3. Sentry.io. We use Sentry for our Palau App. This service of Functional Software, Inc. (132 Hawthorne Street, San Francisco, California 94107, U.S.A.) enables us to monitor the stability of our Palau App and to detect code errors or exceptions in order to improve our Palau App (Art. 6 para. 1 letter f GDPR). Data of Palau App users (such as information about the device used or the time of an error) are collected anonymously, are not used in relation to any particular users, and are then erased.
You can find more information about data processing by Sentry at the following link:
10. Targeted advertising by us and with the help of processors/third parties (Facebook SDK). The Software Development Kit (SDK) of Facebook is integrated into our Palau App. The Facebook SDK is published and administered by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, U.S.A. We use the Facebook SDK on the basis of your consent (Art. 6 para. 1 letter a GDPR).
The Facebook SDK enables us to offer you numerous functions in the Palau App, such as social login and sharing. We also use the Facebook SDK to provide you with personalized advertising. In what follows we explain everything you need to know in this connection:
For our Palau App we use the remarketing function "Custom Audiences" of Facebook. This function is used to present you, as a user of our Palau App, with interest-based advertisements (hereinafter "Facebook Ads") when you visit the social network Facebook. For this purpose we have implemented this remarketing function of Facebook in our Palau App and defined so-called events. These are certain actions that you take in the Palau App and that we then analyze. This can, for example, be your opening of the Palau App. With this information, we can define so-called target groups, e.g., groups of all users who have opened our Palau App on a certain day. When you use our Palau App, a direct connection to Facebook's servers will be established via various interfaces. The events that you have triggered in the Palau App will then be transmitted to Facebook's servers. Facebook will attribute this information to your personal Facebook user account. However, your data will be converted ("hashed") into numerical values before transmission, so that neither Facebook nor we will directly know who you are or what you have done using our Palau App. Nevertheless, it will still be possible to show you and the group personalized advertising on Facebook. Such data are also processed on servers in the United States. We agree EU standard contractual clauses with Facebook to ensure an adequate level of data privacy.
You may object to the collection of such data and to the use of your data to display Facebook Ads. You can do this by simply sending us an email. You can find more information about the collection and use of data by Facebook, your rights, and ways to protect your privacy, in the Facebook Data Policy at the following link: https://de-de.facebook.com/policy.php
Alternatively, you can deactivate the remarketing function "Custom Audiences" at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen (you must be logged into Facebook to do this).
12. Integration of services and content. In some cases, we integrate content from third parties into our Palau App, such as videos or selected articles. When you access such third-party content, data will be transferred to the third-party content provider. We identify all third-party content in our Palau App. You consent that if you access third-party content, your data may be processed by the third-party content provider. We have no influence on data processing by third-party content providers.
14. Right to revoke consent. You may revoke your consent at any time with effect for the future. All you need to do is send us an informal email or use one of the opt-out options we make available to you, for example directly in the Palau App. The lawfulness of data processing that took place up to the date of revocation will remain unaffected by your revocation.
15. Rights of data subjects
15.1. Information. Under Art. 15 GDPR you have the right to request information as to whether and how your personal data are being processed, and to receive additional information and a copy of your data.
15.2. Completion and correction. Under Art. 16 GDPR you have the right to ask for the addition of any missing personal data or for the correction of any incorrect personal data.
15.3 Erasure and restricted data processing. Under Art. 17 GDPR you have the right to request that your personal data be erased immediately, or, under Art. 17 GDPR, you have the right to request that processing of your personal data be restricted.
15.4 Data portability. Under Art. 20 GDPR you have the right to have data that we process automatically on the basis of your consent or in performance of a contract turned over to you or to a third party in a standard, machine-readable format. If you request a direct transfer of your data to another responsible party, this will be done if and to the extent technically feasible.
15.5 Right to lodge complaint. If you suspect that your personal data are processed unlawfully, you may lodge a complaint with the competent supervisory authority. The competent supervisory authority for matters of data privacy law is the State Data Protection Commissioner of the German state in which our company is based.
16. Payment processing by us and with the help of processors/third parties
16.1. Stripe API. If you participate in our carbon offset scheme, your payment details will be processed by Stripe Payments Europe, Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe", www.stripe.com) as our payment processor. Stripe will process all information from you that is needed for a successful payment transaction, including your name, email address, mailing address, and other billing and payment information. Data will be transferred directly between your device and Stripe. You can find more information about data processing by Stripe at the following link:
As a general rule, no credit card information or comparable data are received, stored, or disclosed in our own systems. Please never send your credit card information directly to our team.
16.2. PayPal API. We also offer payment via our payment processor PayPal. The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as your payment method, your data that are required for the payment process will be automatically and directly transmitted from your device to PayPal. This usually involves the following data: your name, address, email address, phone and mobile number, and IP address.
Data transmitted to PayPal may be transmitted by PayPal to credit agencies in order to verify your identity and check your credit score. PayPal may also transfer your data to third parties if this is necessary to perform contractual obligations or if data will be processed by a third party.
You can find more information about data processing by PayPal at the following link:
16.3. Authorizations by Apple Pay. To make the payment process even more convenient for you, you can also use Apple Pay with our Klima App. Apple enables you to authorize payments with stored payment methods using Apple Pay.
When you authorize a payment with Apple Pay, Apple will receive the encrypted transaction data, which will then be re-encrypted. We will only receive these encrypted transaction data. Apple Pay will send us your device account number along with a transaction-specific, dynamic security code. Neither Apple nor your device will send us the actual number of your payment card.
If we process your personal data in this connection, we will do so to enable you to participate in the carbon offset scheme (Art. 6 para. 1 letter b GDPR).
Apple stores anonymized transaction data, including the approximate purchase amount, the name of the app developer and app, the approximate date and time, and whether the transaction was completed successfully.
You can find more information at the following link:
16.4. Authorization by Google Pay. To make the payment process even more convenient for you, you can also use Google Pay with our Klima App. Google enables you to authorize payments with stored payment methods using Google Pay.
If you use Google Pay, your payment will be processed using the payment card stored at Google Pay or a payment method verified by Google Pay (e.g., PayPal).
For the purpose of processing payment, the information you provide during the ordering process, along with information about your order, will be transferred to Google. Google will then transmit your payment information stored in Google Pay to us in the form of a unique transaction number, so that we can verify payment. This transaction number will contain no information about actual payment data from the method of payment stored in Google Pay, but will be created and transmitted as a numeric token that is valid only for a single transaction. For all transactions via Google Pay, Google acts merely as an intermediary for payment processing purposes. Transactions will be executed exclusively between you and us or our payment services provider Stripe.
If personal data are processed as part of the aforementioned transmissions, data will be processed exclusively for payment processing purposes in accordance with Art. 6 para. 1 letter b GDPR.
Google reserves the right to collect, store, and analyze certain transaction-specific information for each transaction processed via Google Pay. This includes the date, time, and amount of the transaction, the location and description of the merchant, a description provided by the merchant of the goods or services purchased, photos that you attach to the transaction, the names and email addresses of the seller and buyer or of the sender and recipient, the payment method used, your description of the reason for the transaction and, if applicable, information about the services/goods purchased.
According to Google, such data will be processed exclusively in accordance with Art. 6 para. 1 letter f GDPR on the basis of a legitimate interest in proper billing, verification of transaction data, and the optimization and maintenance of the functionality of the Google Pay service.
Google also reserves the right to combine processed transaction data with other data that are collected and stored by Google when you use other Google services.
You can find more information about data privacy at Google Pay at the following link:
17. Integration of services and content. In some cases, we integrate content from third parties into our Klima App, such as videos or selected articles. When you access such third-party content, data will be transferred to the third-party content provider. We identify all third-party content in our Klima App. You consent that if you access third-party content, your data may be processed by the third-party content provider. We have no influence on data processing by third-party content providers.
19. Right to revoke consent. You may revoke your consent at any time with effect for the future. All you need to do is send us an informal email or use one of the opt-out options we make available to you, for example directly in the Klima App. The lawfulness of data processing that took place up to the date of revocation will remain unaffected by your revocation.