The responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the: 

Ideabay GmbH / Widenmayerstraße 10 / 80538 Munich

Phone: +49 89 21544639 / E-Mail: info@ideabay.org

Dr. Christian Szidzek

E-Mail: christian.szidzek@thales-datenschutz.de

1.1 Scope of the processing of personal data

As a matter of principle, we only process personal data of our users insofar as this is necessary for the provision of a functional website as well as our contents and services. The processing of personal data of our users is regularly only carried out with the consent of the user. An exception applies in those cases in which obtaining prior consent is not possible for actual reasons and the processing of the data is permitted by legal regulations.  

1.2 Legal basis for the processing of personal data

Insofar as we obtain your consent for the processing of personal data, Art. 6 para. 1 lit. a DSGVO serves as the legal basis. 

Insofar as the processing of personal data is necessary for the performance of a contract to which you are a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are carried out to implement pre-contractual measures in response to your request. 

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 para. 1 lit. c DSGVO serves as the legal basis. 

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) lit. d DSGVO serves as the legal basis. 

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.  

1.3 Data deletion and storage period

We store your data for as long as this is necessary for the provision of our online offer and the associated services or for the provision of our services or we have a legitimate interest in the continued storage. In all other cases, we delete your personal data with the exception of data that we must retain in order to comply with contractual or legal (e.g. tax or commercial) retention periods (e.g. invoices). Contractual retention periods may also result from contracts with third parties (e.g. holders of copyrights and ancillary copyrights). We block data that is subject to a retention period until the expiry of the period. 

2.1 Disclosure of data to third parties

As a matter of principle, we will only disclose your personal data to third parties if this is necessary for the performance of the contract, if we or the third party have a legitimate interest in the disclosure or if we have your consent to do so. If data is transferred to third parties on the basis of a legitimate interest, this will be explained in these data protection provisions. In addition, data may be transferred to third parties if we are obliged to do so by law or by an enforceable official or court order. 

2.2 Service provider

We reserve the right to use service providers for the collection and processing of data. Service providers only receive the personal data they require for their specific activities. For example, your email address may be passed on to a service provider so that they can deliver a newsletter that you have ordered. Service providers may also be commissioned to provide server capacity. Service providers are usually integrated as so-called order processors who may only process personal data of the users of this online offer according to our instructions. 

2.3 Transfer of data to non-EEA countries

We also share personal data with third parties or processors located in non-EEA countries. In this case, we ensure before the transfer that either an adequate level of data protection exists at the recipient (e.g. through self-certification of the recipient for the EU-US Privacy Shield or the agreement of so-called EU standard contractual clauses of the European Union with the recipient) or that sufficient consent has been obtained from our users. You can obtain an overview of the recipients in third countries and a copy of the concretely agreed regulations to ensure the appropriate level of data protection from us. Please use the information in the Contact section for this purpose. 

During the mere informational use of our website, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called "server log files"). When you call up our website, we collect the following data, which is technically necessary for us to display the website to you: 

(1) Browser type and version
(2) Operating system used
(3) Referrer URL
(4) Host name of the accessing computer
(5) Time of the server request
(6) IP address

The data may also be stored in the log files of our system. This data is not stored together with other personal data of the user. The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f DSGVO. The temporary storage of the IP address by the system is necessary to enable delivery of the website to your computer. For this purpose, your IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DSGVO. 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.  

Our internet pages use so-called "cookies". Cookies are small text files and do not cause any damage to your terminal device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser. 

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies are used to evaluate user behaviour or display advertising. 

Cookies that are required to carry out the electronic communication process (necessary cookies) or to provide certain functions that you have requested (functional cookies, e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience) are stored on the basis of Art. 6 (1) lit. f DSGVO, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services.  

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited. 

Our website contains a contact form that can be used for electronic contact. If a user makes use of this option, the data entered in the input mask is transmitted to us and stored. These data are: 

First name, last name, e-mail address, text of the message 

The following data is also stored at the time the message is sent: 

(1) The IP address of the user 

(2) Date and time of registration 

For the processing of the data, your consent is obtained during the submission process and reference is made to this privacy policy. 

Alternatively, it is possible to contact us via the e-mail address, telephone or fax provided. In this case, the user's personal data transmitted by e-mail or telephone will be stored.  

In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation. 

The legal basis for the processing of data is Art. 6 (1) lit. a DSGVO if the user has given his or her consent. The legal basis for the processing of data transmitted in the course of contacting us is Art. 6 para. 1 lit. f DSGVO. If the purpose of the contact is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) lit. b DSGVO. 

The processing of the personal data from the input mask serves us solely to process the contact. In the event of contact being made by e-mail or telephone, this also constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems. 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest. 

The user has the option to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he or she can object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued. 

The user can object to the storage of his or her personal data at any time by contacting us via the email address provided above under point I email address provided above. All personal data stored in the course of contacting us will be deleted in this case. 

6.1 Web analysis through Matomo (formerly PIWIK) 

We use the open source software tool Matomo (formerly PIWIK), a service of InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, ("Matomo") on our website to analyse the surfing behaviour of our users. The software sets a cookie on the user's computer (for cookies, see above). If individual pages of our website are called up, the following data is stored: 

(1) Two bytes of the IP address of the calling system of the user 

(2) The accessed web page 

(3) The website from which the user has reached the accessed website (referrer) 

(4) The subpages that are accessed from the accessed web page 

(5) The length of stay on the website 

(6) The frequency with which the website is accessed 

The software runs exclusively on the servers of our website. Personal data of the users is only stored there. The data is not passed on to third parties.  

The software is set in such a way that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer. 

The legal basis for the processing of the users' personal data is Art. 6 para. 1 lit. f DSGVO. The processing of the users' personal data enables us to analyse the surfing behaviour of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes are also our legitimate interest in processing the data in accordance with Art. 6 Para. 1 lit. f DSGVO. By anonymising the IP address, the interest of users in the protection of their personal data is sufficiently taken into account. 

The data is deleted as soon as it is no longer required for our recording purposes. 

 Cookies are stored on the user's computer and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent. 

We offer our users the option of opting out of the analysis process on our website. To do this, you must follow the corresponding link. In this way, another cookie is set on their system, which signals to our system not to save the user's data. If the user deletes the corresponding cookie from their own system in the meantime, they must set the opt-out cookie again. 

For more information on the privacy settings of the Matomo software, please see the following link: https://matomo.org/docs/privacy/. 

6.2 Google Web Fonts

This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. 

For this purpose, the browser you use must connect to Google's servers. This enables Google to know that this website has been accessed via your IP address. The use of Google WebFonts is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in the uniform presentation of the typeface on his website. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time. 

If your browser does not support web fonts, a standard font is used by your computer. 

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=de.

You have the option of subscribing to our newsletter, in which you will regularly receive free information about our services. You can revoke your corresponding consent at any time. For ordering our newsletters, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you would like to receive our newsletters. If you confirm your wish to receive the newsletter, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe. The storage is solely for the purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. The legal basis for the aforementioned data processing is your consent pursuant to Art. 6 Para. 1 a) DSGVO. 

Our email newsletters are sent via the technical service provider The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (www.mailchimp.com), to whom we pass on the data you provided when registering for the newsletter. This transfer takes place in accordance with Art. 6 (1) lit. f DSGVO and serves our legitimate interest in using a newsletter system that is effective in advertising, secure and user-friendly. Please note that your data is usually transferred to a MailChimp server in the USA and stored there. You can find more information on this in MailChimp's privacy policy at https://mailchimp.com/legal/privacy/. 

Information on data protection regarding the processing of prospective customer data and customer data at Ideabay GmbH in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (DSGVO)

1. purposes and legal bases of processing

We process your personal data in accordance with the provisions of the European Data Protection Regulation (EU-DSGVO) and the German Federal Data Protection Act (BDSG), insofar as this is necessary for the establishment, implementation or performance of a contract or for the implementation of pre-contractual measures. Insofar as the provision of personal data is required for the initiation or implementation of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful pursuant to Art. 6 (1) lit. b DSGVO. If you give us express consent to process personal data for specific purposes (e.g., disclosure to third parties, evaluation for marketing purposes or promotional approaches), the lawfulness of this processing is based on your consent pursuant to Art. 6 (1) a DSGVO. Consent given can be revoked at any time, with effect for the future (see section 9 of this data protection information).

If necessary and legally permissible, we process your data beyond the actual contractual purposes for the fulfillment of legal obligations pursuant to Art. 6 para. 1 lit. c DSGVO. In addition, processing may be carried out to protect the legitimate interests of us or third parties in accordance with Art. 6 (1) f DSGVO. If necessary, we will inform you separately, stating the legitimate interest, insofar as this is required by law.

2. categories of personal data

We only process data that is necessary for the execution of the contract or for pre-contractual measures. This may be general data about you or persons in your company (name, address, contact details, etc.) as well as, if applicable, other data that you provide to us in the course of the initiation and establishment of the contractual relationship for its implementation.

3. sources of the data 

We only process personal data that we have collected directly from you or that you have provided to us. Data collection via third parties does not take place.

4. recipients of the data

We only pass on your personal data within our company to those areas and persons who need this data to fulfill contractual and legal obligations or to implement our legitimate interests. 

In addition, we use service providers in certain areas who process personal data on our behalf. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of Article 28 DSGVO. Proper order processing contracts in accordance with Article 28 of the GDPR are in place with all processors.

This applies in particular to service providers for sales software and customer management systems and software (CRM) as well as project support applications.

Otherwise, data is only forwarded to recipients outside the company if this is required by law, if the forwarding is necessary for the processing and thus the fulfillment of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorized to provide information. Under these conditions, recipients of personal data may be, for example:

Public bodies and institutions (e.g. public prosecutor's office, police, supervisory authorities, tax office) if there is a legal or official obligation

Recipients to whom the disclosure is directly necessary for the purpose of establishing or fulfilling a contract

5. transmission to a third country

A transfer of personal data to countries outside the EEA (European Economic Area) or to an international organization only takes place to the extent that this is necessary for the processing and thus the fulfillment of the contract or, at your request, for the implementation of pre-contractual measures, the transfer is required by law or you have given us consent. In these cases, the recipients may include specific development platforms.

6. duration of data storage

As far as necessary, we process and store your personal data for the duration of our business relationship or for the fulfillment of contractual purposes. This includes, among other things, the initiation and execution of a contract. If a contract is not concluded with you, we delete your data after a period of 6 months following the end of the contractual negotiations.

In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods prescribed there for storage or documentation are two to ten years.

Finally, the storage period is also based on the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years. This is based on our legitimate interest in pursuing or defending legal claims. 

7. Necessities of the provision of personal data

As a rule, the provision of personal data for the purpose of establishing, implementing or fulfilling a contract or for the performance of pre-contractual measures is not required by law or contract. You are therefore not obliged to provide personal data. Please note, however, that these are usually required for the decision on the conclusion of a contract, the performance of the contract or for pre-contractual measures. If you do not provide us with personal data, we may not be able to make a decision within the scope of contractual measures. We recommend that you only ever provide personal data that is required for the conclusion of the contract, the fulfillment of the contract or for pre-contractual measures.

We offer you the opportunity to apply to us (e.g. on our website, by e-mail or post). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence. 

1. Scope and purpose of data collection 

If you transmit us an application, we process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) to the extent that this is necessary to decide on the establishment of an employment relationship. The personnel data are stored and processed in personnel data processing systems. The legal basis for this is § 26 BDSG-neu under German law (initiation of an employment relationship), Art. 6 para. 1 lit. b DSGVO (general contract initiation) and - if you have given your consent - Art. 6 para. 1 lit. a DSGVO. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If you apply for a vacancy or send an unsolicited application via the application system on our website, we transmit your data via TLS encryption to Personio GmbH, Rundfunkplatz 4, 80335 Munich, which offers and operates the personnel management software Personio. In this context, Personio GmbH is our order processor in accordance with Art. 28 DSGVO and stores the data exclusively on ISO-certified servers in Germany. The privacy policy of Personio GmbH can be found at https://www.personio.de/ueber-uns/datenschutz/#datenschutz-downloads.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of § 26 BDSG-neu and Art. 6 para. 1 lit. b DSGVO for the purpose of implementing the employment relationship. 

2. Retention period of the data 

If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 para. 1 lit. f DSGVO) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will only be deleted when the purpose for continued storage no longer applies. 

Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a DSGVO) or if legal storage obligations prevent deletion. 

The applicable data protection law grants you comprehensive data subject rights (rights of access and intervention) vis-à-vis the controller with regard to the processing of your personal data, which we inform you about below: 

1. Right to information pursuant to Art. 15 DSGVO 

In particular, you have the right to obtain information about your personal data processed by us, the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period or criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it is not processed by us. the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it has not been collected from you by us, the existence of automated decision-making including profiling and, if applicable, meaningful information about the logic involved and the scope and intended effects of such processing concerning you, as well as your right to be informed about which guarantees exist in accordance with Art. 46 of the GDPR if your data is transferred to third countries; 

2. Right to rectification pursuant to Art. 16 DSGVO 

You have the right to have any incorrect data relating to you corrected without delay and/or to have any incomplete data stored by us completed; 

3. Right to erasure pursuant to Art. 17 DSGVO 

You have the right to request the deletion of your personal data if the conditions of Art. 17 (1) DSGVO apply. However, this right does not exist in particular if the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims; 

4. Right to restriction of processing pursuant to Art. 18 DSGVO 

You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data that you dispute is being verified, if you refuse the deletion of your data due to unlawful data processing and instead request the restriction of the processing of your data, if you require your data for the assertion, exercise or defence of legal claims after we no longer need this data after the purpose has been achieved or if you have lodged an objection on the grounds of your particular situation as long as it has not yet been determined whether our legitimate grounds prevail; 

5. Right to information pursuant to Art. 19 of the GDPR 

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients. 

6. Right to data portability pursuant to Art. 20 DSGVO 

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller, insofar as this is technically feasible; 

7. Right to revoke consent granted pursuant to Art. 7 (3) DSGVO 

You have the right to revoke your consent to the processing of data at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned unless further processing can be based on a legal basis for processing without consent. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation; 

8. Right to lodge a complaint pursuant to Art. 77 GDPR 

If you believe that the processing of personal data concerning you violates the GDPR, you have the right - without prejudice to any other administrative or judicial remedy - to lodge a complaint with the supervisory authority responsible for us. Alternatively, you can contact the data protection authority in your place of residence, which will then forward your concern to the competent authority. 

Due to our registered office in Munich, the supervisory authority responsible for us is:  

Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27, D-91522 Ansbach 

9. Right of objection TO THE COLLECTION OF DATA IN SPECIFIC CASES AND TO DIRECT MARKETING (ART. 21 GDPR) 

IF WE PROCESS YOUR PERSONAL DATA WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE AT ANY TIME ON GROUNDS ARISING FROM YOUR PARTICULAR SITUATION. 

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING IS FOR THE PURPOSE OF ASSERTING, EXERCISING OR DEFENDING LEGAL CLAIMS. 

IF WE PROCESS YOUR PERSONAL DATA FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE. 

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES. 

If you have any further questions on the subject of data protection, please contact us via the contact address given above under point I above.