Privacy Policy

Information on the processing of personal data.

Introduction

The following privacy policy informs you about the types of your personal data (hereinafter also referred to as “data”) that we process, for which purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and in particular on our websites, mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are gender-neutral.

As of: September 7, 2022

Contents

  • Introduction
  • Controller
  • Overview of processing
  • Applicable legal bases
  • Security measures
  • Data deletion
  • Use of cookies
  • Provision of the online offering and hosting
  • Contact and inquiry management
  • Analytics, monitoring, and optimization
  • Social media presence
  • Changes and updates to this privacy policy
  • Rights of data subjects
  • Definitions

Controller

GeoSci Gesellschaft mit beschränkter Haftung
Heimstättenstr. 1
22523 Hamburg

Authorized representatives:
Florian Grünwald

Email address:

florian@geosci.de

Imprint:

https://geosci.de/en/impressum/

Overview of processing

The following overview summarizes the types of data processed, the purposes of processing, and the data subjects concerned.

Types of data processed

  • Contact data.
  • Content data.
  • Usage data.
  • Meta/communication data.

Categories of data subjects

  • Communication partners.
  • Users.

Purposes of processing

  • Provision of contractual services and customer support.
  • Contact requests and communication.
  • Security measures.
  • Reach measurement.
  • Tracking.
  • Administration and response to inquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online offering and usability.
  • Information technology infrastructure.

Applicable legal bases

Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that national data protection provisions may also apply in your or our country of residence. If more specific legal bases are relevant in individual cases, we will inform you in this privacy policy.

  • Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual measures (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.

In addition to the GDPR, national data protection regulations in Germany apply. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer as well as automated decision-making in individual cases including profiling. It also regulates data processing for employment purposes (Section 26 BDSG). Furthermore, the data protection laws of the federal states may apply.

Security measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include in particular ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input, disclosure, availability, and separation of the data. We also have procedures in place to ensure the exercise of data subject rights, the deletion of data, and responses to threats to the data. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

TLS encryption (https): To protect data transmitted via our online offering, we use TLS encryption. You can recognize encrypted connections by the https:// prefix in your browser's address bar.

Data deletion

The data we process will be deleted in accordance with legal requirements as soon as consent for processing is withdrawn or other permissions no longer apply (e.g., when the purpose of processing has ceased or the data is no longer required for the purpose). If data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is required for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person.

Our data protection notices may provide further information on deletion and retention of data that applies specifically to the respective processing activities.

Use of cookies

Cookies are small text files or other storage markers that store information on end devices and read information from end devices, for example to store login status, shopping cart contents, accessed content, or functions used by an online offering. Cookies can also be used for different purposes, such as functionality, security, and convenience of online offerings, as well as creating analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal provisions. We therefore obtain prior consent from users except where consent is not required by law. Consent is not necessary, in particular, if storing and reading information, including cookies, is strictly necessary to provide a telemedia service expressly requested by users (i.e., our online offering). The revocable consent is clearly communicated to users and contains information about the respective cookie use.

Notes on legal bases: The legal basis under data protection law for processing personal data of users with the help of cookies depends on whether we ask users for consent. If users consent, the legal basis is their consent. Otherwise, data processed via cookies is processed on the basis of our legitimate interests (e.g., economic operation of our online offering and improving its usability) or, where this takes place in the course of fulfilling our contractual obligations, because the use of cookies is required to fulfill those obligations. We explain the purposes for which we process cookies in this privacy policy or in our consent and processing procedures.

Storage duration

  • Temporary cookies (session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored after the device is closed. For example, login status can be stored or preferred content can be displayed directly when the user visits a website again. Data collected via cookies can also be used for reach measurement. Unless we provide users with explicit information on the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are persistent and the storage duration can be up to two years.

General notes on withdrawal and objection (opt-out): Users can withdraw consent at any time and object to processing in accordance with legal requirements under Art. 21 GDPR. Users can also declare their objection via their browser settings, for example by disabling cookies (which may limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Further notes on processing procedures and services:

Processing of cookie data based on consent: We use a cookie consent management procedure in which users' consent for the use of cookies or the processing and providers named in the consent management procedure is obtained, managed, and withdrawn. The consent declaration is stored so that it does not have to be requested again and to be able to prove consent in accordance with legal obligations. Storage can be server-side and/or in a cookie (so-called opt-in cookie or similar technologies) to assign consent to a user or their device. Subject to individual information about providers of cookie management services, the following applies: the consent storage period can be up to two years. A pseudonymous user identifier is formed and stored together with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used.

Provision of the online offering and hosting

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses); content data (e.g., entries in online forms).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Provision of our online offering and usability; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures and services:

Provision of online offering on rented storage: We use storage space, computing capacity, and software from a server provider (web host) to provide our online offering; legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Collection of access data and log files: Access to our online offering is logged in so-called “server log files”. Log files may include the address and name of accessed web pages and files, date and time of access, amount of data transferred, message about successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server utilization and stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR); deletion of data: log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the incident is finally clarified.

WordPress.com: Hosting and software for the creation, provision, and operation of websites, blogs, and other online offerings; service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://wordpress.com; privacy policy: https://automattic.com/de/privacy/ ; data processing agreement: https://wordpress.com/support/data-processing-agreements/ .

Contact and inquiry management

When contacting us (e.g., via contact form, email, phone, or social media) and within existing user and business relationships, the information provided by the inquiring persons is processed to respond to inquiries and any requested measures.

Responding to inquiries and managing contact and inquiry data within contractual or pre-contractual relationships is carried out to fulfill contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.

Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).

Data subjects: Communication partners.

Purposes of processing: Contact requests and communication; administration and response to inquiries; feedback (e.g., collecting feedback via online form); provision of our online offering and usability; provision of contractual services and customer support.

Legal bases: Contract performance and pre-contractual measures (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures and services:

Contact form: If users contact us via the contact form, email, or other communication channels, we process the data provided in this context to handle the request. For this purpose, we process personal data within pre-contractual and contractual business relationships where necessary to fulfill them and otherwise on the basis of our legitimate interests and the interests of communication partners in responding to requests and our statutory retention obligations; legal bases: contract performance and pre-contractual measures (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Analytics, monitoring, and optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests, or demographic information about visitors such as age or gender as pseudonymous values. With the help of reach analysis, we can, for example, recognize when our online offering, its functions, or content are used most frequently or invite reuse. We can also identify areas requiring optimization.

In addition to web analytics, we may also use test procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles (i.e., data aggregated for a usage process) can be created for these purposes and information can be stored in and read from a browser or device. The collected information includes visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and usage times. If users have consented to the collection of location data, location data can also be processed.

Users' IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, web analytics, A/B testing, and optimization do not store plain user data (such as email addresses or names), only pseudonyms. This means that we and the providers of the software used do not know the actual identity of users, only the information stored in their profiles for the respective procedures.

Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g., interest/behavior-based profiling, use of cookies); provision of our online offering and usability.

Security measures: IP masking (pseudonymization of the IP address).

Legal bases: Consent (Art. 6(1)(a) GDPR).

Further notes on processing procedures and services:

Google Analytics: Web analytics, reach measurement, and measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; legal bases: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics/ ; privacy policy: https://policies.google.com/privacy ; data processing agreement: https://business.safety.google/adsprocessorterms ; standard contractual clauses: https://business.safety.google/adsprocessorterms ; opt-out: https://tools.google.com/dlpage/gaoptout?hl=de , ad settings: https://adssettings.google.com/authenticated ; more information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).

Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags via an interface and integrate other services into our online offering (see further details in this privacy policy). The Tag Manager itself (which implements the tags) does not create user profiles or store cookies. Google only receives the user's IP address, which is necessary to run Google Tag Manager; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; legal bases: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com ; privacy policy: https://policies.google.com/privacy ; data processing agreement: https://business.safety.google/adsprocessorterms ; standard contractual clauses: https://business.safety.google/adsprocessorterms ; more information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).

Social media presence

We maintain online presences within social networks and process user data in this context to communicate with active users or provide information about us.

We note that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of their rights could be more difficult.

Furthermore, user data in social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on usage behavior and resulting interests. These profiles can then be used to show ads within and outside the networks that presumably match user interests. Cookies are typically stored on users' devices for these purposes, in which usage behavior and interests are stored. Data can also be stored in usage profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged in to them).

For a detailed description of the respective processing and opt-out options, we refer to the privacy policies and information provided by the network operators.

In the case of requests for information and the assertion of data subject rights, we note that these can be most effectively asserted with the providers. Only providers have access to user data and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.

Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Contact requests and communication; feedback (e.g., collecting feedback via online forms); marketing.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures and services:

LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.linkedin.com ; privacy policy: https://www.linkedin.com/legal/privacy-policy ; data processing agreement: https://legal.linkedin.com/dpa ; standard contractual clauses: https://legal.linkedin.com/dpa ; opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .

Changes and updates to this privacy policy

We ask that you regularly review the content of our privacy policy. We update the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or other individual notification.

If we provide addresses and contact information for companies and organizations in this privacy policy, please note that addresses may change over time and please verify the information before contacting.

Rights of data subjects

Data subjects have various rights under the GDPR, which are derived in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to access such data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal requirements, to request the completion or correction of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted without undue delay or, alternatively, request restriction of processing.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller.
  • Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.

Definitions

This section provides an overview of the terms used in this privacy policy. Many terms are taken from the law and are primarily defined in Art. 4 GDPR. The legal definitions are binding. The explanations below are primarily for understanding. The terms are listed alphabetically.

  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Profiles with user-related information: The processing of “profiles with user-related information” (or “profiles”) includes any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information about demographics, behavior, and interests, such as interaction with websites and their content, etc.) to analyze, evaluate, or predict them (e.g., interests in certain content or products, click behavior on a website, or location). Cookies and web beacons are often used for profiling purposes.
  • Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate visitor flows of an online offering and can include behavior or interests of visitors in certain information, such as content on websites. With the help of reach analysis, website operators can recognize, for example, at what time visitors visit their website and which content they are interested in. This allows them to better tailor website content to visitor needs. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and obtain more precise analyses of the use of an online offering.
  • Tracking: “Tracking” means that the behavior of users can be traced across multiple online offerings. As a rule, behavior and interest information about the online offerings used is stored in cookies or on servers of the providers of tracking technologies (so-called profiling). This information can then be used, for example, to display ads to users that are likely to match their interests.
  • Controller: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, such as collection, evaluation, storage, transmission, or deletion.