Privacy Policy

We are delighted by your interest in the online offer provided by hystreet.com GmbH. The protection of your privacy is an important issue for us. In the following, we would like to inform you about the handling of personal data when our website at https://hystreet.com is used. Personal data are to be understood as all data that can be related to you personally, e.g. name, address and email address.

For easier orientation, we have divided the following information into the sections (A) Basic information, (B) Visiting our website, (C) Use of our services and (D) Rights of the data subject.

A. Basic information

1. Controller

The controller of the data processing within the meaning of article 4.7 of the EU General Data Protection Regulation (GDPR) is:

hystreet.com GmbH
Oppenheimstrasse 9
50668 Köln / Cologne, Germany

Telephone: +49 221 77204-251 Fax: +49 221 77204-40

Email: datenschutz@hystreet.com

You can find more information and additional legal advice in our Imprint https://hystreet.com/imprint.

We are not obliged to appoint a company data protection officer. If you have any questions about legal data protection issues, you may send us your queries using the contact data detailed above.

2. Data and system security

We protect our website and systems from loss, destruction, access to, alteration or disclosure of your personal data by unauthorized persons by means of technical and organizational measures.

In connection with visits of our website, data that could possibly enable identification (e.g. IP address) will be temporarily stored on our servers for data and system security purposes, but principally no longer than for ten days. The processing of data that could be related to the person for purposes of data and system security is based on GDPR article 6.1.f and our legitimate interest in protecting our systems and preventing misuse.

3. Principles for the storage and deletion of personal data

3.1 Personal data shall only be processed for the period required to fulfil the respective storage purpose or by laws or regulations that apply to us (e.g. retention requirements under commercial or tax law). If a storage purpose no longer applies or a statutorily required storage period expires, the personal data in question shall be routinely deleted in keeping with the statutory requirements, or their processing shall be restricted (e.g. limited processing as part of retention requirements under commercial or tax law).

3.2 The processing of personal data because of a legal duty, namely the fulfilment of statutory retention obligations, is based on GDPR article 6.1.c. Insofar as personal data as per GDPR article 6.1.f are processed for the purpose of preserving evidence, these processing purposes shall lapse upon expiry of the statutory limitation periods, with the regular statutory limitation period amounting to three years.

3.3 For further details of concrete storage periods and deletion deadlines, please also refer to the individual service descriptions and/or information provided in this Data Privacy Policy.

B. Visiting our website

If you use our website for information only and do not provide us with personal data in any other way, data that are relatable to your person could still accrue from your browser transmitting them to our server. We moreover also use the tracking tool INFOnline.

1. Technical website provision When you visit our website, we collect the following data, which are technically required by us to display our website to you and maintain the stability and security of our online offer:

- IP address - Date and time of the request - Time zone difference from Greenwich Mean Time (GMT) - Content of the request (actual page) - Access status/HTTP status code - Respectively transmitted data volume - Website from which the request is made - Browser - Operating system and its interface - Language and version of the browser software.

The legal basis for this collection and processing is GDPR article 6.1.f. Our legitimate interest resides in the provision of a functional website offer and its system security.

2. Cookies

Our website uses cookies. Cookies are small text files that are installed in a computer system by way of the internet browser and stored there.

Many websites and servers use cookies. Cookies meanwhile often contain a so-called cookie ID. This ID is a unique identifier of the cookie and consists of a string of characters by which the website and server may be related to a specific internet browser where the cookie was installed. These cookies enable your individual browser to be distinguished from other internet browsers containing different cookies. A specific internet browser may thus be recognized and identified by means of a unique cookie ID.

The use of cookies enables us to provide you with more user-friendly services that could not be realized without them at all, or only to a limited extent. The cookies are used in the interest of providing and optimizing a functional and comfortable online offer.

You can prevent the installation of cookies in the settings of your internet browser or also set your browser to informing you as soon as cookies are sent. In addition, you can also delete already installed cookies by means of an internet browser or other software program. Please note, however, that you may not be able to use all the functions of our or other online offers if you deactivate cookies in your internet browser.

3. Web analysis (INFOnline)

Our application uses the "SZMnG" measurement system provided by INFOnline GmbH (https://www.INFOnline.de) to determine statistical parameters concerning the use of our offers. This usage measurement is aimed at determining the usage intensity, number of usages and users of our application, as well as their surfing behaviour statistically – based on a consistent standard procedure – and thus at obtaining data that are comparable across the market.

The usage statistics for all digital offers that are members of the German Audit Bureau of Circulation (IVW – http://www.ivw.eu) or take part in studies by the Working Group for Online Media Research (AGOF - http://www.agof.de) are regularly converted into reaches by AGOF and the media analysis working group agma (agma - http://www.agma-mmc.de) and published with the performance value "unique users", as well as by the IVW with the performance values "page impressions" and "visits". These reaches and statistics may be viewed at the respective websites.

(a) Legal basis of the processing

The measurement using the SZMnG measuring process provided by INFOnline GmbH is performed with a legitimate interest as per GDPR article 6.1.f.

The personal data are processed for the purpose of creating statistics and defining user cate-gories. The statistics enable us to track and document the use of our offer. The user categories form the basis for an interest-oriented provision of advertising materials and/or promotional measures. A usage measurement that ensures comparability with other market participants is indispensable for marketing this application. Our legitimate interest arises from the economic exploitability of the findings obtained from the statistics and user categories and the market value of our application – also in direct comparison with third-party applications - derivable by means of the statistics.

We also have a legitimate interest in providing the pseudonymized data to INFOnline, AGOF and IVW for market research (AGOF, agma) and statistical purposes (IVW, INFOnline). And we furthermore also have a legitimate interest in providing the pseudonymized data to INFOnline for the further development and provision of interest-oriented advertising materials.

(b) Data types

INFOnline GmbH collects the following data regarded as person-related under the GDPR:

- IP address: On the Internet, each device requires a unique address to transmit in-formation: the IP address. Because of how the Internet functions, it is technically necessary for the IP address to be stored, at least for a short period. IP addresses are truncated to 1 byte before any processing. Further processing is only per-formed on anonymised IP addresses. No IP addresses that have not been truncat-ed are saved or processed.

- A randomly generated Client ID: To allow computer systems to be recognised, the further processing uses either a third-party cookie, a first-party cookie, a local stor-age object or a signature that is compiled from diverse information from your browser that is transmitted automatically. This identification is explicit for a brows-er, as long as the cookie or local storage object is not deleted. It is possible to measure the data and to subsequently assign it to the respective client identifier by accessing other websites that also use the measuring method ("SZMnG") of IN-FOnline GmbH. The validity of the cookie is restricted to a maximum of 1 year.

(c) Data use

The INFOnline GmbH measurement process used in this application collects usage data. This happens to determine the performance values "page impressions", "visits" and "clients" and generate other parameters from them (e.g. qualified clients). In addition to this, the measured data are also used as follows:

- So-called geolocalization, i.e. tracing of your website visit to the place where it is displayed, is only applied on the basis of the anonymized IP address and only down to the geographical level of the German Länder/regions. The geographical information obtained this way cannot be used to draw conclusions about a user's actual place of residence in any case. - The usage data of a technical client (e.g. a browser in a device) are merged across applications and stored in a database. These data are used for the technical estimation of the social information age and gender and provided to the service providers of AGOF for further reach processing. In the AGOF study, a random sample is used for the technical estimation of social features: age, gender, nationality, occupation, marital status, general information on the household, household income, place of residence, internet use, online interests, place of use, user type.

(d) Data storage period

The full IP address is never stored by INFOnline GmbH. The truncated IP address is stored for 60 days maximum. The usage data in combination with the unique identifier are stored for a maximum of 6 months.

(e) Data disclosure

Neither the IP address nor the truncated IP address are disclosed. To create the AGOF study, data with client identifiers are disclosed to the following service providers of AGOF: - Kantar Deutschland GmbH (https://www.tns-infratest.com/) - Ankordata GmbH & Co. KG (http://www.ankordata.de/homepage/) - Interrogare GmbH (https://www.interrogare.de/)

(f) Rights of the data subject

See section D (below).

(g) Opt-out

We offer our users a separate opt-out option in our website. This serves to install a cookie in your system that signals to our system not to store the user's data: Opt-Out

(h) Further information

Further information on the data protection in the measuring process is available from the website of INFOnline GmbH (https://www.infonline.de), which operates the measuring system, from the data protection page of AGOF (http://www.agof.de/datenschutz) and from the data protection page of IVW (http://www.ivw.eu).

C. Use of our services

1. Communication

We offer you various options in our website for getting in touch with us or sending us messages. You can especially also contact us by telephone or email. If you contact us in this manner, we shall store and process the data communicated by you (e.g. your email address, possibly your name and telephone number) to process your request. The legal basis insofar are GDPR articles 6.1.b and 6.1.f. Our legitimate interest resides in an efficient and structured registration and processing of requests. We delete the collected data as soon as their storage is no longer required or restrict their processing if they are subject to statutory retention requirements.

2. Use of our information system by registered users

2.1 Registration, use of person master data

In the registration process, we collect the first name, name, company name (optional), email address (jointly referred to as the "person master data"), your confirmation that you are 16 years of age, and the password you need to enter. The password only serves for system login (see also section C.2.2 below).

We use the person master data for contract performance purposes and customer care, including communication. The legal basis for this is GDPR article 6.1.b. The data are also processed in keeping with GDPR article 6.1.c for the purpose of fulfilling legal obligations, namely compliance with statutory retention obligations, and in keeping with GDPR article 6.1.f for documentation purposes and the preservation of evidence. We furthermore process personal data of our users in keeping with GDPR article 6.1.f for customer relations purposes. This data processing is based on our legitimate interest in optimizing the information offered, being able to provide customers and/or business partners with interest- and needs-oriented information, and refining our service offer. For details of the right to object to data processing for direct marketing purposes, see section D below.

2.2 User access (account)

If you have registered for the login area, we shall store your email address and the login password. You can then simply log in with your email address and password in the future. We use these data for the described purposes of offering you this service. This login option exists for the duration of the usage relationship, unless the account is terminated. The legal basis is GDPR article 6.1.b insofar.

2.3 Registration of clicked locations

Based on the consent provided to us in the registration process, which is revocable at any time with effect for the future, we collect information on the evaluations and exports undertaken by registered users in the login area. This includes information on the locations, periods and dimensions viewed by the users, in order to create usage statistics, especially, on the basis of these data, and gain knowledge about the attractiveness of the locations in question. The legal basis is provided by GDPR article 6.1.a.

2.4 Storage period and deletion

We only process and store personal data of registered users for the period required to fulfil the purpose of their storage or for as long as required by laws or regulations that the controller of the processing is subject to, e.g. by retention periods under commercial or tax law. If personal data are processed as per GDPR article 6.1.f for the purpose of preserving evidence, these processing purposes shall lapse upon expiry of the statutory limitation periods, with the regular statutory limitation period amounting to three years. If the storage purpose lapses or one of the statutorily required storage periods the controller of the processing is subject to expires, the personal data shall be routinely deleted in keeping with the statutory requirements, or their processing shall be restricted.

3. Newsletter

If you register for our newsletter, we shall collect and store personal data for sending promotional information, namely information about the city rankings determined by hystreet.com, activities of hystreet.com GmbH, new locations and functions, as well as further news and information. The registration is consent-based. To complete the registration process for our newsletter, your registration shall be followed by an email from us to the email address provided by you wherein we confirm the registration and future sending of our newsletter to this email address to you. We use your data provided in the registration for the newsletter for the purpose of delivering our newsletter. The following data are additionally collected in the registration process: IP ad-dress of the computer used, date and time of the registration. These data are collected and stored to be able to prove that the respective user has actually provided a valid consent. The legal basis for processing your data for the purpose of providing the newsletter service is your consent as per GDPR article 6.1.a. Insofar as we technically document the registration for our newsletter, the legal basis is GDPR article 6.1.f, with our legitimate interest residing in the verifiability of the appropriate obtainment of your consent. The data collected in the newsletter registration shall only be stored for as long as the newslet-ter subscription is active. The newsletter subscription may be cancelled by the respective user at any time. A corresponding unsubscribe link is provided in every newsletter for this purpose. You may also gladly contact us using or stating the email address used for registering for the newsletter; simply use the contact data provided in this data privacy policy for this.

4. Twitter-Account

Data processed by Twitter

Hystreet.com uses the technical platform and services of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. for the short message service of-fered here. The Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland is responsible for the data processing of persons living out-side the United States. We would like to point out that you use the Twitter short message service offered here and its functions under your own responsibility. This applies in particular to the use of the interactive functions (e.g. sharing, rating). Information about which data is processed by Twitter and for which purposes can be found in Twitter's privacy policy: https://twitter.com/de/privacy Twitter Inc. is committed to the principles of the EU-US Privacy Shield. You can find out more at: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active Hystreet.com has no influence on the type and extent of the data processed by Twit-ter, the type of processing and use or the disclosure of this data to third parties. It also has no effective means of control in this respect. By using Twitter, your personal data will be collected, transmitted, stored, disclosed and used by Twitter Inc. and transferred, stored and used in the United States, Ireland and any other country in which Twitter Inc. does business, regardless of your place of residence. Twitter will process your voluntarily entered data such as name and user name, e-mail address, telephone number or the contacts in your address book when you upload or synchronize it. Second, Twitter also evaluates the content you share based on what topics you are interested in, stores and processes confidential messages you send directly to other us-ers, and may determine your location based on GPS data, wireless network infor-mation, or your IP address to send you advertisements or other content. Twitter, Inc. may use analysis tools such as Twitter or Google Analytics to analyze your information. Hystreet.com has no influence on the use of such tools by Twitter Inc. and has not been informed of any such potential use. If tools of this kind are used by Twitter Inc. for the account of hystreet.com, hystreet.com has not commissioned, approved or otherwise supported this in any way. Nor will the data obtained during the analysis be made available to hystreet.com. Only certain, non-personal information about the tweet activity, such as the number of profile or link clicks through a particular tweet, can be viewed by hystreet.com via its account. In addition, hystreet.com has no way of preventing or stopping the use of such tools on its Twitter account. Finally, Twitter also receives information if, for example, you view content, even if you have not created an account. This so-called "log data" may include your IP address, browser type, operating system, information about the previously visited website and pages, your location, your mobile operator, the device you are using (including device ID and application ID), the search terms you are using, and cookie information. Twitter buttons or widgets embedded in Web pages and the use of cookies allow Twit-ter to track your visits to those Web pages and associate them with your Twitter profile. This information can be used to tailor content or advertising to you. You can restrict the processing of your data in the general settings of your Twitter ac-count and under "Privacy and security". In addition, you can restrict Twitter access to contact and calendar data, photos, location data, etc. for mobile devices (smartphones, tablet computers) in the settings options there. However, this depends on the operating system used.

More information on these issues is available on the following Twitter support pages: https://support.twitter.com/articles/105576# https://help.twitter.com/de/search?q=datenschutz You can find out more about the possibility of viewing your own data on Twitter here: https://support.twitter.com/articles/20172711# Information about the conclusions drawn from Twitter can be found here: https://twitter.com/your_twitter_data Information on the existing personalisation and data protection settings can be found here (with further references): https://twitter.com/personalization You also have the option of requesting information via the Twitter privacy form or the archive requirements: https://support.twitter.com/forms/privacy https://support.twitter.com/articles/20170320#

D. Rights of the data subject

We are happy to inform you on your rights under the GDPR as a "data subject". According to this, you are vested with the following rights with respect to the personal data relating to you:

- Right to information (GDPR article 15.1 and 15.2)
- Right to rectification (GDPR article 16) and/or erasure (GDPR article 17)
- Right to restrict the processing (GDPR article 18)
- Right to data portability (GDPR article 20)
- Right to object to the processing (GDPR article 21)
- Right to withdraw your consent (GDPR article 7.3)
- Right to lodge a complaint with a supervisory authority (GDPR article 77)

We have also summarized the key aspects of your rights as a data subject under the GDPR for you supplementary below, with this presentation laying no claim to completeness, but only addressing the main features of the rights of data subjects under the GDPR:

- Right to information (including the right to confirmation and rights to data access)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

The data subject shall have a right to access the personal data concerning him or her and to the following information: - the purposes of the processing; - the categories of the personal data being processed; - the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; - the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; - the right to lodge a complaint with a supervisory authority; - where the personal data are not collected from the data subject, any available information as to their source; - the existence of automated decision-making, including profiling, referred to in GDPR articles 22.1 and 22.4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject; - where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to GDPR article 46 relating to the transfer. The data subject has a right to be provided with a copy of his or her personal data undergoing processing.

- Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

- Right to restrict the processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: - the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data, - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or - the data subject has objected to processing pursuant to GDPR article 21.1 pending the verification whether the legitimate grounds of the controller override those of the data subject.

- Right to erasure

The data subject shall have the right, subject to the statutorily required necessity of data processing (see GDPR article 17.3 for exceptions), to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: - The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. - The data subject withdraws consent on which the processing is based according to GDPR articles 6.1.a or 9.2.a and there is no other legal ground for the processing. - The data subject objects to the processing pursuant to GDPR article 21.1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to GDPR article 21.2. - The personal data have been unlawfully processed. - The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. - The personal data have been collected in relation to the offer of information society services referred to in GDPR article 8.1.

- Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hin-drance from the controller to which the personal data have been provided, where the processing is based on a consent or on a contract pursuant to GDPR article 6.1.b and the processing is carried out by automated means. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

- Right to withdraw consent

The data subject shall have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

- Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The data protection supervisory authority of relevance for us is: LDI – Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (North-Rhine Westphalian Commissioner for Data Protection and Freedom of Information), Kavalleriestr. 2-4, 40213 Düsseldorf.

- Separate information on objection rights as per GDPR article 21.1.2

You have the right to object, at any time and on grounds relating to your particular situation, to the processing of your personal data based on GDPR articles 6.1.e or 6.1.f, including profiling based on those provisions. If you object, we shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing.

Contact

If you wish to exercise your rights as a data subject or have general questions concerning data protection, you may contact us anytime. Please see the information provided in section A.1 or the Legal notice of our website for our contact details.

Version dated: 19/08/2019

hystreet.com GmbH, Oppenheimstraße 9, 50668 Köln