Privacy Policy

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within the scope of providing our services as well as within our online offering and the associated websites, functions, and content as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering"). With regard to the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

responsible:
Tim Petzold
7R Park Poznań West
Szumin 7
62-080 Tarnowo
VAT ID: PL7011058679

Contact:
+49 160 2900535
info@box17.com
www.box17.com

Link to the imprint: https://www.box17.com/impressum

Types of data processed:Inventory data (e.g., personal master data, names, or addresses).
Contact details (e.g., email, phone numbers).
Content data (e.g., text inputs, photographs, videos).
Usage data (e.g., visited websites, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects:
Visitors and users of the online offering (hereinafter collectively referred to as "users").

Purpose of processing:
Provision of the online offering, its functions, and content.
Responding to contact inquiries and communicating with users.
Security measures.
Reach measurement/marketing.
Terms used:
"Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes virtually any handling of data.

"Pseudonymization" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

A "controller" is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

A "processor" is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Relevant legal bases:
In accordance with Article 13 of the GDPR, we inform you of the legal bases of our data processing. For users within the scope of the General Data Protection Regulation (GDPR), i.e., the EU and the EEA, the following applies if the legal basis is not mentioned in the privacy policy:The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.
The legal basis for processing for the performance of our services and the execution of contractual measures, as well as responding to inquiries, is Article 6(1)(b) GDPR.
The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
The legal basis for processing to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) GDPR.
The legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR.
The processing of data for purposes other than those for which it was collected is determined by the provisions of Article 6(4) GDPR. The processing of special categories of data (pursuant to Article 9(1) GDPR) is determined by the provisions of Article 9(2) GDPR.
Security measures:
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the access, input, disclosure, availability, and separation thereof. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and the response to data breaches. We also consider data protection during the development, selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default settings.

Cooperation with processors, joint controllers, and third parties:
If we disclose data to other persons and companies (processors, joint controllers, or third parties) as part of our processing, transmit it to them, or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is necessary for the performance of the contract), if you have consented to it, a legal obligation provides for it, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.). If we disclose, transmit, or otherwise grant access to data to other companies in our corporate group, this is done primarily for administrative purposes as a legitimate interest and, beyond that, on a basis that complies with legal requirements.

Transfer to third countries:
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation) or this is done as part of the use of third-party services or disclosure, or transmission of data to other persons or companies, this will only occur if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, a legal obligation, or on the basis of our legitimate interests. Subject to explicit consent or contractual transfer, we process or have the data processed only in third countries with a recognized level of data protection, including those certified under the "Privacy Shield" for US processors, or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations (Articles 44 to 49 GDPR, Information page of the EU Commission).

The analyses serve to increase user-friendliness, optimize our offer, and improve cost-effectiveness. The analyses serve only us and will not be disclosed externally unless they are anonymous analyses with aggregated values. If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the user, otherwise after two years from the conclusion of the contract. Furthermore, the overall economic analyses and general trend determinations are created anonymously whenever possible.

Contact
When contacting us (e.g., via contact form, email, telephone, or social media), the user's details are processed to handle the contact request and its processing in accordance with Art. 6 para. 1 lit. b. (within the scope of contractual/pre-contractual relationships), Art. 6 para. 1 lit. f. (other inquiries) GDPR. The user's details may be stored in a Customer Relationship Management (CRM) system or comparable inquiry organization.We delete the inquiries if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.

Hosting and Email Dispatch
The hosting services we use provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services, and technical maintenance services that we use to operate this online offering. In this process, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties, and visitors to this online offering based on our legitimate interests in the efficient and secure provision of this online offering in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files
We or our hosting provider collect data based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider. Log file information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidence purposes is excluded from deletion until the respective incident is finally clarified.

In other words, Google does not store or process the name or email address of users, but processes the relevant data cookie-based within pseudonymous user profiles. From Google's perspective, ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who that cookie holder is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the USA. If we ask users for consent (e.g., as part of a cookie consent), the legal basis for this processing is Art. 6 para. 1 lit. a GDPR. Otherwise, the personal data of users are processed based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f GDPR).

Regarding data processing in the USA, we would like to point out that Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law. Further information on data use by Google, settings, and objection options can be found in Google's privacy policy and in the settings for displaying advertisements by Google.

Google Firebase: We use the developer platform "Google Firebase" and the associated functions and services offered by Google Ireland Limited. Google Firebase is a platform for application developers for mobile devices and websites, offering various features such as app storage including personal data of application users, cloud computing, and interfaces for interaction between app users and other services. User interactions can be evaluated using the Firebase Analytics service to capture how users interact with an app, events such as the first opening of the app, installation, update, crash, or frequency of app usage. User data processed through Google Firebase may be combined with other Google services such as Google Analytics and Google marketing services. If we ask users for consent, the legal basis for this processing is Art. 6 para. 1 lit. a GDPR. Otherwise, the personal data of users are processed based on our legitimate interests.

LinkedIn Marketing Services: We utilize the marketing services of the social network LinkedIn to display targeted ads within the network and LinkedIn's advertising partners' offerings. LinkedIn processes user data pseudonymously, storing and processing relevant data cookie-based within pseudonymous user profiles. This means that ads are not managed and displayed for a specifically identified person but for the cookie holder. If users are registered with LinkedIn, LinkedIn may associate their interaction with our online offering with their user account.

Facebook Pixel, Custom Audiences, and Facebook Conversion: We use the Facebook pixel within our online offering to determine our online offering's visitors as a target group for displaying ads (Facebook Ads) and to track the effectiveness of Facebook advertising for statistical and market research purposes. Facebook processes data in accordance with its data usage policy. Users can opt out of Facebook pixel data collection and use for displaying Facebook ads.

Social media presences: We maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there. Data of users may be processed outside the European Union. The processing of personal data is based on our legitimate interests in effective user information and communication. Users' rights can typically be exercised most effectively with the respective providers.

Third-party content: We incorporate third-party content or service offerings into our online offering based on our legitimate interests. These providers may use pixel tags for statistical or marketing purposes, collecting information such as visitor traffic on the website. Users' IP addresses are necessary for displaying such content. We strive to only use content from providers who use IP addresses solely for content delivery purposes.

Google Fonts and Google Maps: We use Google Fonts and Google Maps within our online offering, with user data used solely for displaying fonts in users' browsers or providing map services. Data may be processed in the USA. Users' IP addresses and location data may be among the processed data. Users can find more information about data processing in Google's privacy policy.:
Tim Petzold
7R Park Poznań West
Szumin 7
62-080 Tarnowo
VAT ID: PL7011058679

Contact:
+49 160 2900535
info@box17.com
www.box17.com

Link to the imprint: https://www.box17.com/impressum

Types of data processed:Inventory data (e.g., personal master data, names, or addresses).
Contact details (e.g., email, phone numbers).
Content data (e.g., text inputs, photographs, videos).
Usage data (e.g., visited websites, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects:
Visitors and users of the online offering (hereinafter collectively referred to as "users").

Purpose of processing:
Provision of the online offering, its functions, and content.
Responding to contact inquiries and communicating with users.
Security measures.
Reach measurement/marketing.
Terms used:
"Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and includes virtually any handling of data.

"Pseudonymization" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

A "controller" is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

A "processor" is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Relevant legal bases:
In accordance with Article 13 of the GDPR, we inform you of the legal bases of our data processing. For users within the scope of the General Data Protection Regulation (GDPR), i.e., the EU and the EEA, the following applies if the legal basis is not mentioned in the privacy policy:The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.
The legal basis for processing for the performance of our services and the execution of contractual measures, as well as responding to inquiries, is Article 6(1)(b) GDPR.
The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
The legal basis for processing to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) GDPR.
The legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR.
The processing of data for purposes other than those for which it was collected is determined by the provisions of Article 6(4) GDPR. The processing of special categories of data (pursuant to Article 9(1) GDPR) is determined by the provisions of Article 9(2) GDPR.
Security measures:
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the access, input, disclosure, availability, and separation thereof. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and the response to data breaches. We also consider data protection during the development, selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default settings.

Cooperation with processors, joint controllers, and third parties:
If we disclose data to other persons and companies (processors, joint controllers, or third parties) as part of our processing, transmit it to them, or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is necessary for the performance of the contract), if you have consented to it, a legal obligation provides for it, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.). If we disclose, transmit, or otherwise grant access to data to other companies in our corporate group, this is done primarily for administrative purposes as a legitimate interest and, beyond that, on a basis that complies with legal requirements.

Transfer to third countries:
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation) or this is done as part of the use of third-party services or disclosure, or transmission of data to other persons or companies, this will only occur if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, a legal obligation, or on the basis of our legitimate interests. Subject to explicit consent or contractual transfer, we process or have the data processed only in third countries with a recognized level of data protection, including those certified under the "Privacy Shield" for US processors, or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications, or binding internal data protection regulations (Articles 44 to 49 GDPR, Information page of the EU Commission).

The analyses serve to increase user-friendliness, optimize our offer, and improve cost-effectiveness. The analyses serve only us and will not be disclosed externally unless they are anonymous analyses with aggregated values. If these analyses or profiles are personal, they will be deleted or anonymized upon termination of the user, otherwise after two years from the conclusion of the contract. Furthermore, the overall economic analyses and general trend determinations are created anonymously whenever possible.

Contact
When contacting us (e.g., via contact form, email, telephone, or social media), the user's details are processed to handle the contact request and its processing in accordance with Art. 6 para. 1 lit. b. (within the scope of contractual/pre-contractual relationships), Art. 6 para. 1 lit. f. (other inquiries) GDPR. The user's details may be stored in a Customer Relationship Management (CRM) system or comparable inquiry organization.We delete the inquiries if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.

Hosting and Email Dispatch
The hosting services we use provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services, and technical maintenance services that we use to operate this online offering. In this process, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties, and visitors to this online offering based on our legitimate interests in the efficient and secure provision of this online offering in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files
We or our hosting provider collect data based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider. Log file information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidence purposes is excluded from deletion until the respective incident is finally clarified.

In other words, Google does not store or process the name or email address of users, but processes the relevant data cookie-based within pseudonymous user profiles. From Google's perspective, ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who that cookie holder is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the USA. If we ask users for consent (e.g., as part of a cookie consent), the legal basis for this processing is Art. 6 para. 1 lit. a GDPR. Otherwise, the personal data of users are processed based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 para. 1 lit. f GDPR).

Regarding data processing in the USA, we would like to point out that Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law. Further information on data use by Google, settings, and objection options can be found in Google's privacy policy and in the settings for displaying advertisements by Google.

Google Firebase: We use the developer platform "Google Firebase" and the associated functions and services offered by Google Ireland Limited. Google Firebase is a platform for application developers for mobile devices and websites, offering various features such as app storage including personal data of application users, cloud computing, and interfaces for interaction between app users and other services. User interactions can be evaluated using the Firebase Analytics service to capture how users interact with an app, events such as the first opening of the app, installation, update, crash, or frequency of app usage. User data processed through Google Firebase may be combined with other Google services such as Google Analytics and Google marketing services. If we ask users for consent, the legal basis for this processing is Art. 6 para. 1 lit. a GDPR. Otherwise, the personal data of users are processed based on our legitimate interests.

LinkedIn Marketing Services: We utilize the marketing services of the social network LinkedIn to display targeted ads within the network and LinkedIn's advertising partners' offerings. LinkedIn processes user data pseudonymously, storing and processing relevant data cookie-based within pseudonymous user profiles. This means that ads are not managed and displayed for a specifically identified person but for the cookie holder. If users are registered with LinkedIn, LinkedIn may associate their interaction with our online offering with their user account.

Facebook Pixel, Custom Audiences, and Facebook Conversion: We use the Facebook pixel within our online offering to determine our online offering's visitors as a target group for displaying ads (Facebook Ads) and to track the effectiveness of Facebook advertising for statistical and market research purposes. Facebook processes data in accordance with its data usage policy. Users can opt out of Facebook pixel data collection and use for displaying Facebook ads.

Social media presences: We maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there. Data of users may be processed outside the European Union. The processing of personal data is based on our legitimate interests in effective user information and communication. Users' rights can typically be exercised most effectively with the respective providers.

Third-party content: We incorporate third-party content or service offerings into our online offering based on our legitimate interests. These providers may use pixel tags for statistical or marketing purposes, collecting information such as visitor traffic on the website. Users' IP addresses are necessary for displaying such content. We strive to only use content from providers who use IP addresses solely for content delivery purposes.

Google Fonts and Google Maps: We use Google Fonts and Google Maps within our online offering, with user data used solely for displaying fonts in users' browsers or providing map services. Data may be processed in the USA. Users' IP addresses and location data may be among the processed data. Users can find more information about data processing in Google's privacy policy.