Create a professional resume in minutes.

Privacy

OVERVIEW:

 

1. Definitions

2. General for data processing by cvlogin

3. Deliberately transmitted Data

a. Access Data

b. Compulsory Information

c. Facebook Connect

d. CV Data

e. Email: Communication and Advertising

f. Payment Data

Payment via Stripe

Payment via PayPal

g. Contact Form Data

h. Job Applications

4. Automatically transmitted Data

a. Server Log Data

b. Data Analysis

c. Blockchain

d. Tracking

e. Cookies

5. Recipients of Personal Data

6. Data Transmission to Third Countries

7. Technologies used and Incorporation of Third-Party Services

a. Google Tools

Google Tag Manager

Google Analytics

Google Optimize

Google Remarketing Services

Google Invisible reCAPTCHA

Google Adwords (Conversion Tracking)

Google Web Fonts

Google Adsense

b. Hotjar

c. Facebook Remarketing

d. SendinBlue

e. Amazon Web Services

f. Contabo

g. Cloudinary

h. Intercom

i. Kickbox

j. Sucuri

k. Jetpack / Wordpress Stats

8. Duration of Data Retention

9. User Rights

a. Objection

b. Information

c. Correction

d. Deletion

e. Restriction of Processing

f. Data Portability

g. Revocation of Consent

h. Complaint

10. Data Protection Officer

 

 

 

1. DEFINITIONS:

 

The terms applied below have the following meaning:

 

­   "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Individuals with regard to the Processing of Personal Data, on the free Movement of Persons, repealing Directive 95/46 / EC, also called "General Data Protection Regulation"

 

­   "BDSG" means the Law adapting Data Protection Law to Regulation (EU) 2016/679 and implementing Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act of 30. June 2017, also called "Federal Data Protection Act").

 

­   "PLATFORM" means the internet service operated using the URLs www.cvlogin.com, www.cvlogin.net, www.cvlogin.in, www.cvlogin.es, www.cvlogin.de, www.cvlogin.co.uk, www.cvlogin.com .fr, www.cvlogin.com.br, www.cvlogin.ru and www.cvlogin.io.

 

­   "OPERATOR" means cvlogin GmbH, c / o iMaven GmbH, Schröderstrasse 12, 10115 Berlin, registered with the commercial register of the Landgericht (District Court) of Berlin-Charlottenburg under no. the HRB 204125 B, which operates the PLATFORM and is responsible within the meaning of the EU GDPR.

 

­   "THIRD-PARTY PROVIDER" means any third party company with which the OPERATOR is interacting on a commercial basis and which provides additional services to registered users of the PLATFORM.

 

­   "Personal data" are all information referring to an identified or identifiable natural person in accordance with Art. 4 (1) EU GDPR. A natural person is considered as identifiable if it can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, the expression of the physical , physiological, genetic, mental, economic, cultural or social identity of this natural person.

 

­   "Cookies" are small files that enable the OPERATOR to determine information specific to the online activity of the respective user on the device used by the user (eg computer, smartphone, etc.). Cookies have a limited validity, contain no personal data and are therefore not used for personal identification. Users can prevent the storage of cookies via their own browser settings.

 

­   "Web Beacons" are invisible graphics that allow to create traffic information on a web page.

 

­   "Pixel" describes an image file or a link to an image file that is inserted in the website code but is not located on the user's device.

 

­   "Profiling" describes any kind of automated processing of personal data, in accordance with Art. 4 (4) EU GDPR, using personal data to assess certain personal aspects relating to a natural person, in particular to analyze or predict aspects of work performance, economic condition, health, personal preferences, interests, reliability, behavior, whereabouts or relocation of that natural person.

 

2. GENERAL DATA PROCESSING BY CVLOGIN

 

The EU GDPR and the BDSG constitute the legal basis for the processing of personal data by cvlogin. Subject to these regulations, the OPERATOR processes personal data … 

­   if and to the extent that users have consented in it 

­   in order to fulfill contractual obligations vis-a-vis users

­   in order to safeguard justified own interests, taking into consideration the protection of interests of the users

­   as far as the OPERATOR is legally obliged to do so (for example, by providing personal data to investigative authorities).

 

Personal data used in creating a CV on the PLATFORM are initially stored only temporarily (peripherally) in the user's browser. The OPERATOR does not permanently save them until the relevant user registers on the PLATFORM.

 

The OPERATOR endeavors to permanently improve the PLATFORM and to always adapt it to the needs of its users. For this purpose, profiles of interests of users and their activity on the PLATFORM are automatically generated in order to display to users suitable recommendations for jobs, further training offers or services of THIRD PARTIES in connection with the creation of CVs and applications, furthermore with the aim of proposing users as valuable business contacts or potential employees to such THIRD PARTIES. To this end, cvlogin needs to understand what kind of interests users have. In order to determine such interests, two  classes of information are used: (1) such information as users deliberately disclose to the OPERATOR and (2) such information as the OPERATOR retains by way of automated processes without the affected user deliberately transferring such information to the OPERATOR but triggered solely by the affected user’s activity on the PLATFORM, as described in detail hereinafter.

 

3. DELIVERATELY TRANSMITTED DATA

 

a. Access Data

 

In the context of the mandatory registration process, the OPERATOR has to process certain personal data of users granting users initial access to the PLATFORM and their personal data stored there (access data). The same applies to the authentication process for subsequent visits of users on the PLATFORM. Such information is essential for the functioning of the PLATFORM. Without these data, the use of the PLATFORM is not possible. These data include:

­   username

­   E-mail address

­   access password

­   optional: Facebook or LinkedIn login

 

The processing of access data by the OPERATOR is required for fulfilling his obligations under the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Access data are neither accessible nor passed on to any third party. Such data will be deleted when users delete their own user account. After that, it will no be longer possible for these users to access such data previously stored in their own customer account.

 

b. Compulsory Information

 

In order to register with the PLATFORM, it is furthermore required that users provide additional information such as 

­   their first and last name

­   their address

The processing of these data by the OPERATOR takes place for the fulfillment of the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Submission of such data to any THIRD-PARTY PROVIDER (see below) will only take place if the individual user has expressly consented to the disclosure in the cvlogin Dashboard by means of a corresponding setting (Art. 6 (1) (1) (a)) EU GDPR).

 

c. Facebook Connect

 

Alternatively to inserting individual registration data on the PLATFORM, users may opt to register via  Facebook Connect. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. If users decide to do so and click on the "Login with Facebook" / "Connect with Facebook" button, they will automatically be redirected to the Facebook platform where they can log in with their user data, linking their Facebook profile with the PLATFORM. This link gives the OPERATOR access to certain user data stored on Facebook, such as …

­   Facebook name and first name

­   Facebook profile photo

­   Facebook email address

­   Facebook friends lists

­   Facebook likes 

­   birthday

­   gender

­   country

­   language

These data are used to create, provide and personalize the cvlogin account. Such data processing takes place on the basis of the user’s consent (Art. 6 paragraph par. (1), s.1 lit. a) EU GDPR).

 

Information about Facebook privacy can be found in the Facebook Terms of Use and the Facebook Privacy Policy (see https://de-de.facebook.com/about/privacy/ and https://www.facebook.com/legal/terms/

 

d. CV Data

 

In addition to the required access data and compulsory information, users of the PLATFORM can provide further personal information about themselves in accordance with their individual aspirations in their resume which is created and stored on the PLATFORM. Only then does the added value of using cvlogin for the users arise. These data may include the following information:

­   birth name

­   E-mail address

­   address, country (note that the OPERATOR will not collect geodata)

­   date and place of birth

­   telephone number (mobile and landline)

­   photo for job applications 

­   desired position

­   current occupation

­   professional experience, including the companies that have been worked for, title, working hours and role description

­   professional skills and special qualifications

­   foreign language skills

­   educational history (attended schools, universities, subjects and degrees)

­   student ID numbers of visited universities

­   certificates as well as evaluations and personal reference documents issued by third parties (in digitized form), including these third party’s names and titles, in which case the user will be responsible for ensuring that these third parties have effectively consented to the processing of their personal data 

­   scholarships & projects

­   hobbies

­   any other piece of personal information that the user provides about himself in his own profile (eg driver's license).

 

The knowledge of such CV data enables THIRD-PARTY PROVIDERs cooperating with the OPERATOR to get to know users better and to offer them suitable services or jobs. This concerns, in particular, providers of services around the creation of CVs, human resource agencies and job-offering companies, training institutions and providers of vocational training and services.

 

This processing of CV data by the OPERATOR is based on user consent (Art. 6, par. (1); s.1, lit a) EU GDPR): The OPERATOR only makes CV data of users available to third parties only if the individual user has expressly consented to it. Such consent is provided by a corresponding setting in the cvlogin Dashboard and can either be granted for a specific duration or without any time limit. The user can change his settings in the dashboard at any time. Privacy compliance of THIRD-PARTY PROVIDERs in their processing of such CV data and other personal data of users , based on consent, is subject to the THIRD-PARTY PROVIDERs‘ own sole responsibilty.

 

To the extent that such consent is denied or revoked, the OPERATOR and THIRD PARTY PROVIDERS can not or no longer, as the case may be, offer the affected user any matching service(s).

 

If users opt to use their own LinkedIn or Facebook profile data to create a cvlogin CV, they may use the Connect function with the websites of Facebook or LinkedIn (see above) to do so. Thereby, the PLATFORM enables users to contact their own Facebook and LinkedIn network contacts via cvlogin, to invite them to use cvlogin and / or to review these users‘ CVs. The Connect function does not run on the domain of the PLATFORM and the OPERATOR is unable to take notice of the login data of users on Facebook or Linkedin as these data are not processed by the OPERATOR. The PLATFORM will, however, store the relevant user‘s network contacts on Facebook or LinkedIn.

 

At the latest, the OPERATOR will completely delete or anonymize these data when users deletes their own user account.

 

e. Email: Communication and Advertising

 

In addition to being used in the registration process (see above), the e-mail address provided by users is also used by the OPERATOR

(1)   to electronically provide users with information about products and services or surveys for the purpose of market research and to inform users about new functions of the PLATFORM and to propose interesting THIRD-PARTY PROVIDERs;

(2)   to refer users to THIRD-PARTY PROVIDERs so they can connect with these users.

 

In both cases, such data processing takes place (1) in the OPERATOR‘s legitimate interest of improving his products based on his knowledge of the users interests and needs which outweighs the protected interests of the users concerned (Art. 6, par. (1), s.1 lit. f) EU GDPR) as well as (2.) if users have consented to this processing (Art. 6 par. (1) lit a) EU GDPR). Such consent may be revoked or restricted at any time in the notification settings in the cvlogin Dashboard.

 

If users chose to delete their own email address from their cvlogin Dashboard settings, it will be removed from the respective application. At the latest, the OPERATOR will completely delete e-mail addresses of users after they have deleted their own user account. 

 

f. Payment Data

 

When users use paid services offered by cvlogin, the OPERATOR will process their payment data for payment and billing purposes according to the chosen means of payment. For payment processing, only certain payment data are stored, including …

­   the last four digits of the used credit card

­   paid products and fees

­   sums and balances of the respective customer account

 

The processing of such data by the OPERATOR takes place for the fulfillment of the agreement (Art. 6 par. (1), s.1, lit. b) EU GDPR). Payment data will not be disclosed to third parties except only if a third party is commissioned by the OPERATOR to assert any claim of the OPERATOR for payment against the relevant user in which case, the data transfer takes place in order to protect the legitimate interests of the OPERATOR (Art. 6 par. (1), s.1, lit. f) DSGO). The OPERATOR will store these data until the user account is deleted and beyond that point in time until storage of such data will no longer be subject to any tax, commercial or other statutory obligation. Thereafter, such data will be deleted or anonymized, as the case may be. 

 

The OPERATOR is cooperating with the online payment service providers Stripe and PayPal. During the online payment process, a connector to the respective payment service will be loaded into the users‘ browser. There, the users will enter their personal banking data. The OPERATOR has access to neither these banking data nor to  the relevant website of the payment service provider. On the OPERATOR’s side, no processing of personal data of users takes place in this respect.

 

Payment via Stripe

 

If users opt for a payment method offered through the payment service provider "Stripe", payment will be processed via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. In the course of the the payment process, Stripe will receive the information provided by the relevant user (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) directly. Upon completion of the payment transaction, Stripe will send to the OPERATOR only the last 4 digits of the credit card used by the users when making the payment. These data are stored by the OPERATOR solely for the purpose of recording them as additional customer information on the respective invoice.

 

For more information about Stripe privacy, visit https://stripe.com/en/privacy.

 

Payment via PayPal

 

For payment via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "installment payment" via PayPal, payment data go directly to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as far as this is required for the payment.

For the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "installment" via PayPal, PayPal reserves itself the right to execute a credit check. For this purpose, payment data of the users concerned may, if appropriate, be transferred to credit reporting agencies in accordance with Art. 6 par. 1 lit. f) EU GDPR, based on the legitimate interest of PayPal to determinate solvency. PayPal will use the results of such credit check based on the statistical probability of default to decide about whether or not to provide the respective payment method. The credit information may contain probability values ​​(so-called score values). Insofar as score values ​​are included in the results of the credit rating, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of score values ​​includes, but is not limited to, address data.

 

Users can object to this processing of their data at any time by sending a message to PayPal. However, PayPal may continue to be entitled to process this personal data, if required for the contractual payment.

 

Further data protection information, including information about credit reference agencies, are accessible on PayPal’s privacy protection information website at https://www.paypal.com/webapps/mpp/ua/privacy-full.

 

g. Contact Form Data

 

If users send inquiries to the OPERATOR via the contact form on the PLATFORM, their contact details will be stored by the OPERATOR for the purpose of processing their requests. This data processing takes place for the purpose of fulfilling the agreement and for carrying out pre-contractual measures (Art. 6, par. (1); s.1, lit b) EU GDPR). The OPERATOR forwards the  personal data contained in the contact to Intercom (see section 7) based on the users‘ consent (Art. 6, par. (1); s.1, lit a) EU GDPR). This consent can be revoked at any time for which an message by e-mail to the OPERATOR will suffice in which case the legality of the data processing operations carried out prior to such revocation remains unaffected. Following such revocation, no communication between the user and the OPERATOR is possible via the communication method(s) specified in the contact form.

 

The data entered by users in the contact form will remain with the OPERATOR until the users concerned ask the OPERATOR to delete them, revoke their consent to the storage or the purpose for data storage (for example, after completion of the request). Mandatory statutory provisions - especially retention periods - remain unaffected.

 

h. Job Applications

 

If users apply for a job with the OPERATOR, they will be considered as giving their revocable consent to the processing of their personal data transmitted by them by the OPERATOR and such data shall be processed by the persons entrusted to do so by the OPERATOR and shall be stored there for the purpose of personnel selection. If such consent is revoked, the application process can not be continued and the application will be considered withdrawn. These data will be deleted by the OPERATOR after a rejection or withdrawal of the application. Documents on paper sent to the OPERATOR in the context of an unsolicitedly application will not be returned to the applicant but shall be destroyed. 

 

4. AUTOMATICALLY TRANSMITTED DATA

 

When users visit the PLATFORM, the OPERATOR collects certain data automatically transmitted to him by the devices used by users.

 

a. Server Log Data:

 

The users‘ browser automatically transmits server log data to the OPERATOR. Such data include, in particular, browser type and version, operating system used, referrer URL, host name of the accessing computer, time of the server request and the IP address used by the users, products viewed or searched for by the users, site response times, download errors, the length of stay on visited cvlogin pages, page interaction information (such as scrolling, clicks and mouse-overs), and site browsing methods. There is no merge of these data with other data sources.

 

The processing of this data is based on Art. 6 par. (1), s.1, lit. f) EU GDPR, the OPERATOR having a legitimate and overriding interest in the technically error-free presentation and optimization of his website, including the processing of the server log data is required.

 

b. Data Analysis

 

The OPERATOR processes analysis data from the evaluation of the use of newsletters sent by him, such as the opening of the newsletter, reading time and duration as well as clicks on content. This data processing is carried out for the pursuit of legitimate and overriding interests of the OPERATOR (Art. 6, par. (1), s.1, lit. d) EU GDPR) in improving his product quality, in particular with a view of improving the targeting of his  products to the interests of users.

 

c. Blockchain

 

The OPERATOR reserves the right to process cryptographic hashes to identify information (eg name and date of birth) and blockchain IDs (eg blockchain addresses and public keys) for the purpose of using blockchain technology in the certification of documents uploaded to the PLATFORM by users , such certification being carried out by third parties, including the creation and maintenance of a Blockchain-based wallet (documents & ID wallet), if opted for by the individual user. Such data processing serves the purpose of fulfilling the agreement and implementing pre-contractual measures and is further in the legitimate and predominant interests of the OPERATOR (Art. 6 par. (1), s.1, lit. b) and d) EU GDPR).

 

d. Tracking

 

On the one hand, tracking serves to ensure the protection of users and the security of user data, as well as the cvlogin websites and the cvlogin service.

 

In addition, tracking and user behavior analysis help the OPERATOR to validate and optimize the effectiveness of the service and to correct errors. This is done with the intention to adapt the products and services of cvlogin to the needs of the users: The evaluation of the information gained by tracking is required in order to provide personalized services to the user according to the purpose of the PLATFORM to ensure the maximum benefit of it to its users. The knowledge about their use of the PLATFORM, which users convey to the OPERATOR as a result of tracking through their use of teh PLATFORM, is key for the OPERATOR in order to understand which content and offers from THIRD-PARTY PROVIDERs users are interested in, and to determine which of the THIRD-PARTY PROVIDERs the OPERATOR may suggest to users as a valuable business contacts or potential employers.

 

Furthermore, tracking supports the OPERATOR in making the success of advertising campaigns measurable and in optimizing the display of advertising. In this context, tracking serves the purpose of range measurement with the aim of statistically determining the intensity of use, the number of users of a website and the surfing behavior - based on a uniform standard procedure - and thus of obtaining comparable data ​​across the market. The legal basis for this is the OPERATOR’s legitimate interest in optimizing his advertising, which outweighs the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. (f) of the EU GDPR).

 

In connection with the display of advertisements, servers of third-party (e.g., marketers) are necessarily also adressed directly by users of the PLATFORM. These third parties are solely responsible for the privacy-compliant operation of their IT systems. They are also responsible for deciding about the duration of storage of the data.

 

Users can opt to stop tracking to measure and optimize advertising. Occasionally, the OPERATOR is applying  technology which users can only prevent directly on their end devices.

 

Applications on the PLATFORM may also contain content from external providers. These are integrated into the familiar cvlogin environment from external pages. The OPERATOR has no influence on the type of tracking applied to such external content. Users wishing to exclude tracking from external vendors within the cvlogin environment can disable the integration. Once users engage in external content, they will leave the cvlogin environment and will automatically be directed to the third party’s site. This does not necessarily lead to less tracking, but only to tracking which takes place outside off the PLATFORM.

 

e. Cookies

 

cvlogin uses cookies, small text files, which are saved on end devices of the user and stored in the browser. They neither do harm to end users' devices nor do they contain viruses. They are designed to make the PLATFORM more user-friendly, effective and secure. Most of the cookies used on the PLATFORM are so-called "session cookies". They  will be automatically deleted at the end of a visit. Other cookies remain stored on the device until users are deleted by the user. These cookies allow the OPERATOR to recognize the user's browser at the next visit. Cookies which are required to carry out the electronic communication process or to provide certain functions desired by the user (eg shopping cart function) are stored on the basis of Art. 6 , par. (1); s.1, lit. f) GDPR, as the OPERATOR has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services.

 

Users may set their browser in such a way that they will (a) be informed about the setting of cookies, (b) only allow cookies in individual cases, (c) exclude the acceptance of cookies for certain cases or in general, and (d) activate the automatic deletion of cookies when closing the browser. For this purpose, the use of cookies can be deactivated generally by calling the deactivation page of the Network Advertising Initiative at https://www.networkadvertising.org/choices/ and implementing the further information on the opt-out mentioned there. The use of cookies by Google may be permanently disabled by downloading and installing the plug-in provided at the following link: https://support.google.com/ads/answer/7395996?hl=en.

 

When cookies are deactivated, the functionality of the PLATFORM may be restricted for the affected users.

 

5. RECIPIENTS OF PERSONAL DATA

 

Insofar as the OPERATOR cooperates with external service providers within the framework of data processing, this takes place within the framework of a so-called order processing. In such case, the OPERATOR remains responsible for the data processing and the OPERATOR commits each of these service providers to the measures necessary for data protection and data security and thus ensures the legally required protection of personal data of the users.

 

Insofar as data actively transmitted to the OPERATOR by users are transferred to third parties, this takes place based on consent of the users concerned in (Art. 6, par. (1); s.1, lit a) EU GDPR ), for the purpose of fulfilling the user agreement and for the performance of pre-contractual measures of the third party on request of the users concerned (Art. 6, par. (1); s.1, lit. b) EU GDPR), as well as to protect the OPERATOR's overriding legitimate interests in consideration of the rights of affected users (Art. 6 (1) (1) (f) DSGO), as set out with regard to the different types of personal data processed.

 

Transmission of data of users to third parties according to the settings chosen by the users takes place for the following purposes: 

 

­   providing provision of information to career coaches, training providers and other THIRD PARTY PROVIDERS for the purpose of creating personalized offers for users and for contacting them

­   providing information to job offerers (potential employers, recruiting agencies) for the purpose of creating personalized job offers for users and for contacting them

­   certification of CV data on education and professional development by universities, colleges, schools, employers, educational institutions and training providers

­   inviting friends to use the PLATFORM and / or review resumes.

 

The OPERATOR does not intend to process the respective data for any purpose other than for the purpose of the data collection.

 

The OPERATOR is applying a variety of tools and technologies, some of which are transmitted to or disclosed to third parties through visits of the PLATFORM by users. Details are explained in section "Technology USED and Incorporation of Third Party Services", below.

 

Service providers cooperating with the OPERATOR are obliged by the OPERATOR to take all necessary measures for data protection and data security.

 

6. DATA TRANSMISSION TO THIRD COUNTRIES

 

The OPERATOR uses certain third-party services to transfer data to the United States, that is, to a third country outside the European Union or the European Economic Area (see section "Technology used and Incorporation of Third Party Services", below). The United States has an adequate level of legal privacy protection within the meaning of Art. 45, par. (3) EU GDPR in the form of the EU-US Privacy Shield. Information is available online at http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf

 

 7. TECHNOLOGIES USED AND INCORPORATION OF THIRD-PARTY SERVICES

 

The OPERATOR uses various third-party technologies and services to improve product performance, measure range, and optimize advertising delivered on the PLATFORM, as described below. Certain data automatically generated by users visiting the PLATFORM are transmitted to these third parties or made available to them. This data processing takes place on the basis of a revocable consent (Art. 6, para. (1), s.1 a) EU GDPR) or on the OPERATORS legitimate interest in the analysis of user behavior, both on the PLATFORM and his advertising,  outweighing the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. (f) EU GDPR).

 

a. Google Tools

 

The Operator uses various technologies and services provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (hereinafter "Google"), including Google Tag Manager, Google Analytics, Google Optimize, Google Remarketing Services, Google Invisible reCAPTCHA, Google Adwords (Conversion Tracking), Google Web Fonts and Google Adsense, as described below. Detailed information about Google's privacy policies can also be found at https://www.google.com/intl/en/policies/privacy/

 

Google Tag Manager

 

With the Google Tag Manager used by the OPERATOR, marketers can manage website tags through a cookie-free domain interface. It does not collect any personally identifiable information but triggers other tags that may collect data which the tool does not access. If disabled on the domain or cookie level, it will remain in effect for all tracking tags implemented with the Google Tag Manager. More information on how to handle user data can be found in the Google Privacy Policy at https://www.google.com/intl/en/policies/privacy/

 

Google Analytics

 

The OPERATOR uses functions of the analytics service Google Analytics to analyze the use of websites. Google Analytics also uses cookies (see above). The information generated by cookies about the use of the PLATFORM is usually transmitted to and stored by Google on a server in the United States, i.e. outside the EU (see section "DATA TRANSMISSION TO THIRD COUNTRIES"). Google uses this information on behalf of the OPERATOR to evaluate the use of the website by the users concerned, to compile reports on website activity and to provide other services related to website activity and internet usage to the OPERATOR.

 

On the PLATFORM, the function "IP anonymization" is activated for the use of Google Analytics. This will cut off the IP address from data of users within Member States of the European Union or other parties to the Agreement on the European Economic Area prior to transmission of such data to the United States. Only in exceptional cases will the full IP address be sent to a Google server in the US and will be cut off there. In addition, Google has entered into a data processing agreement whereby Google's user data will not be merged with other data collected by Google to identify the user's identity.

 

Moreover, users can download and install Google's Google Analytics blocking plug-in at http://tools.google.com/dlpage/gaoptout?hl=en, enabling them to block Google from collecting and sharing their personal information. Likewise, users can prevent the collection by Google Analytics by setting the link <a href="javascript:gaOptout()"> deactivate Google Analytics </a>, which is an opt-out cookie, which will also prevent the collection of their data (see above). (Cp. also https://developers.google.com/analytics/devguides/collection/gajs/.)

 

Google Analytics also helps the OPERATOR to analyze data from AdWords and the Double-Click Cookie for statistical purposes. Users not wishing this feature can use the Ads Preferences Manager https://www.google.com/settings/u/0/ads/authenticated to rearrange far reaching settings or disable the service compeletely.

 

The OPERATOR also uses the demographics feature of Google Analytics. As a result, reports can be produced that contain information on the age, gender and interests of site visitors. These data stem from interest-based advertising by Google and from visitor data provided by third parties. These data cannot be assigned to a specific person. Users can disable this feature at any time through the ad settings in their Google Account or generally prohibit the collection of their data by Google Analytics, as shown below.

 

More information on handling user data by Google Analytics is contained in the Google Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en.

 

Google Optimize

 

Google Optimize is a tool integrated with Google Analytics and is used by the OPERATOR to analyze the use of different variations of the PLATFORM. This helps the OPERATOR to improve the usability of the PLATFORM according to the behavior of the users on the website. (To opt-out or opt-out of this service, see above: Google Analytics.)

 

Google Remarketing Services

 

The OPERATOR uses Google's remarketing or "Like Audiences" feature on the PLATFORM. This function also serves the purpose of analyzing the behavior and the resulting interests of the PLATFORM visitors. Google uses cookies to carry out the analysis of the website usage, which forms the basis for the creation of interest-based advertisements (see above). Visits to the website and anonymous data on the use of the website are recorded. There is no storage of personal data of visitors to the website. If another website if the Google Display Network is visited, users will see ad impressions that are likely to reflect their previously viewed product and information areas.

 

Again, users can object to the processing of their personal data at any time. For more information about Google Remarketing Services and its privacy policy, visit https://www.google.com/privacy/ads/.

 

Google Invisible reCAPTCHA

 

The OPERATOR uses Google's Invisible reCAPTCHA service for the purpose of distinguishing between input from a human and that by an automated machine processing. In the background, Google collects and analyzes usage data, which Invisible reCAPTCHA will then use to differentiate regular users from bots. For this purpose, the input is transmitted to Google and used there. In addition, the IP address and any other data required by Google for the Invisible reCAPTCHA service will be transmitted to Google. These data are processed by Google within the European Union and potentially also in the USA.

 

This data processing is based on the legal basis of Art. 6 par. (1) s.1, lit. f) EU GDPR as it is in the the legitimate interest of the OPERATOR to protect the PLATFORM against automated spying, abuse and spam.

 

For more information on Google reCAPTCHA and its privacy policy, please visit: https://www.google.com/recaptcha/intro/android.html and https://www.google.com/privacy

 

Google AdWords (Conversion Tracking)

 

The OPERATOR uses the online advertising program "Google AdWords" and in this context conversion tracking (visit evaluation). When users click on an ad displayed by Google, a conversion tracking cookie is placed on their machine. These cookies have a limited validity, contain no personal data and are therefore not for personal identification (see above). If users visit certain pages and the cookie has not yet expired, Google and the OPERATOR can detect that these users clicked on the ad in question and were redirected to this page. Each Google AdWords customer receives a different cookie. Thus, there is no way that cookies can be tracked through the websites of advertisers.

 

The information obtained through the conversion cookie is for the purpose of generating conversion statistics. Here, the OPERATOR learns the total number of users who clicked on the ad on the PLATFORM and were redirected to a page tagged with a conversion tracking tag. However, the OPERATOR does not receive any information that personally identifies users.

 

Data processing is based on the legal basis of Art. 6 par. (1), s.1 lit. (f) EU GDPR as it is the legitimate interest of the OPERATOR to perform targeted advertising and an analysis of the impact and efficiency of this advertising. Users have the right to object to this processing at any time and can prevent the storage of cookies by selecting the appropriate technical settings of their browser software. In this case, they may no longer be able to use all features of the PLATFORM. They will no longer be included in the conversion tracking statistics. They can also turn off personalized advertising in the Ads Ads Settings on Google. Instructions can be found at https://support.google.com/ads/answer/2662922?hl=en.

 

Google Web Fonts

 

The OPERATOR uses so-called Web Fonts provided by Google for a uniform representation of fonts on the PLATFORM. When a webpage is adressed, the browser of the respective user will load the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser used must connect to Google's servers. As a result, Google obtains knowledge that the PLATFORM was accessed via the IP address of the respective user. If the browser you are using does not support web fonts, a default font will be used by the user's computer.

 

The use of Google Web Fonts is in the interest of a consistent and attractive presentation of the online offers of the OPERATOR as well as the optimization and economic operation of the PLATFORM. This constitutes an overriding legitimate interest within the meaning of Art. 6, par. (1) lit. (f) EU GDPR.

 

More information about Google Web Fonts is available at https://developers.google.com/fonts/faq and in Google's Privacy Policy: https://policies.google.com/privacy?hl=en.

 

Google Adsense

 

The OPERATOR uses the Google AdSense service to engage advertisers and analyze the use of the PLATFORM. Cookies and so-called web beacons are stored on the terminal via the Internet browser used by the user. Information about the use of the website as well as advertising formats, which also include users‘ IP address, will be transmitted to Google and stored there. Contractors of Google can also obtain this information. According to Google, IP addresses are not merged with other user data.

 

If users do not agree with this data processing, they have the possibility to prevent the installation of cookies by the corresponding settings in their internet browser (see above), which may result in a restriction of the use of the PLATFORM.

 

b. Hotjar

 

The OPERATOR uses Hotjar, an analysis software from Hotjar Ltd. (Level 2, St Julian's Business Center, 3, Elia Zammit Street, St Julian's STJ 1000, Malta; www.hotjar.com). With Hotjar, it is possible to measure and evaluate user acticity on the PLATFORM (e.g., clicks, mouse movements, scroll heights, etc.). This allows to track movements on the PLATFORM (so-called heatmaps). For example, it is possible to see how far users are scrolling and which buttons they click and how often they do so. In this way, the OPERATOR gains valuable information in order to make the PLATFORM even faster and more customer-friendly. Hotjar Ltd. uses data on an anonymous or pseudonymous basis for the preparation of evaluation reports on the visit of the PLATFORM for the OPERATOR. The information generated by the so-called tracking code and cookies on the visit to the PLATFORM, collected by the device and browser used by the user in and server of Hotjar Ltd. in Ireland, includes the following information:

­   IP address of the device used (in anonymized format)

­   screen size, device type and browser information of the device used

­   preferred language(s) in the presentation of the website

­   referring domain

­   visited pages

­   date and time of access to the PLATFORM

­   country from which the PLATFORM was accessed

 

The cookies used by Hotjar have a different "lifespan" of up to 365 days; however, some remain valid only during the current visit. Hotjar stores this information in pseudonymous user profiles. This information is neither used by Hotjar nor by the OPERATOR to identify individual users or combined with other data about individual users. For more information, see Hotjar's Privacy Policy at https://www.hotjar.com/legal/policies/privacy.

 

Hotjar Ltd., for its part, also uses services provided by other companies, such as Google Analytics and Optimizely from Google (see above). Google may store information that the browser applied by users sends as part of the site visit, such as cookies or IP requests. For more information, such as Google Analytics and Optimizely store and use data, their privacy statements apply.

 

The use of Hotjar and the related data processing is based on Art. 6 par. (1), s.1 lit. (f) EU GDPR as the legitimate and interest of the OPERATOR to better understand the needs of its users and to optimize the offer on the PLATFORM takes prevails over users‘ interests.

 

Users can prevent the processing of their data by Hotjar by clicking on the following link and follow the instructions there: https://www.hotjar.com/opt-out.

 

c. Facebook Remarketing

 

The OPERATOR uses remarketing feature "Custom Audiences" on the PLATFORM offered by Facebook (Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, "Facebook"). This function serves to target visitors to the PLATFORM with interest-based advertising in the social network Facebook. For this purpose, Facebook's remarketing tag was implemented on the PLATFORM. Through this tag, a direct connection to the Facebook servers will be made when visiting the PLATFORM. Thereby, information will be transmitted to the Facebook server about which of the cvlogin websites users have visited. Facebook assigns this information to their personal Facebook user account. When users visit the social network Facebook, they are then shown personalized, interest-based Facebook ads.

 

This data processing is based on Art. 6 par. (1), s.1, lit. (f) EU GDPR, i.e. the legitimate interest of the OPERATOR in the above-mentioned purpose.

 

Users have the right to object to data processing at any time by disabling the remarketing feature "Custom Audiences". Further information on the collection and use of the data by Facebook, user rights and options for privacy protection can be found in the Facebook privacy policy at https://www.facebook.com/about/privacy/.

 

d. SendinBlue

 

SendinBlue is a service used by the OPERATOR to organize and analyze the sending of newsletters. The provider of this service is SendinBlue SAS, 55, rue d'Amsterdam, 75008 Paris, France. The data entered by users in order to receive newsletters (such as their e-mail address) is stored on SendinBlue's servers. Using SendinBlue, the OPERATOR also analyzes how many recipients have opened the newsletter message and how often which link in the newsletter has been clicked.

 

Data processing is based on user consent, which can be revoked at any time by unsubscribing from the newsletter. For this purpose, a corresponding link is available in every newsletter message. The revocation can alternatively be sent by email to the address given in the imprint. The legality of the already completed data processing operations remains unaffected by such revocation.

 

The user data stored by the OPERATOR for the purpose of subscribing to the newsletter is stored until cancellation of the newsletter service and then deleted from both the PLATFORM servers and the SendinBlue servers. Data stored for other purposes with the OPERATOR remains unaffected.

 

Further details can be found in the SendinBlue privacy policy at https://en.sendinblue.com/legal/privacypolicy/.

 

e. Google Cloud Services

 

The OPERATOR makes use of Google Cloud services (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://cloud.google.com) in the form of infrastructure and platform services, computing and data storage capacity, database services, as well as data security and technical maintenance services used to operate the PLATFORM. Google Could Services also provides various technical services for use over the Internet, which are also used by the OPERATOR.

 

If users visit the PLATFORM, the OPERATOR automatically transfers the personal data of the persons concerned to Google Could Services. For this purpose, it has concluded an agreement with Google Could Services for order processing in accordance with the requirements of the EU GDPR, according to which the data of the users concerned are in no case processed in a third country outside the scope of the EU GDPR.

 

Users who do not wish Google Could Services to process their personal data must stop using the PLATFORM. The services of Google Could Services are an integral part of the PLATFORM; without them, the use of the PLATFORM is not possible. Additional information on privacy at Google Could Services is available at https://cloud.google.com/security/gdpr?hl=de

 

f. Contabo

 

The OPERATOR uses services of Contabo GmbH ("Contabo", Aschauer Straße 32a 81549 Munich; www.contabo.de) in the form of infrastructure and platform services, computing capacity, data storage and database services, and data security as well as technical maintenance services used to operate the PLATFORM.

 

On the basis of an agreement for order processing between the OPERATOR and Contabo gem. Art. 28 EU GDPR, Contabo processes personal data, in particular inventory, contact, content, contract, usage, meta and communication data of customers, interested parties and visitors to the PLATFORM. The legal justification lies in the legitimate, predominant interest of the OPERATOR in an efficient and secure provision of its services in accordance with. Art. 6, para. (1), s.1, lit. (f) EU GDPR. More information on the privacy of Contabo is available at https://contabo.de/datenschutz.html.

 

Users who do not wish Contabo to process their personal data must stop using the PLATFORM. The services of Contabo are an integral part of the PLATFORM; without them, the use of the PLATFORM is not possible.

 

g. Cloudinary

 

The OPERATOR uses the storage service "Cloudinary" for content that is uploaded to the PLATFORM by users. Its provider is Cloudinary Ltd., 111 W Evelyn Ave, Suite 206 Sunnyvale, CA 94086, USA. Cloudinary does not grant third parties access to this content. Data processing is based on the consent of the users. This consent can be revoked at any time. Thereafter, however,  the further use of the PLATFORM is no longer possible. For more information about Cloudinary's privacy, visit http://cloudinary.com/privacy and http://cloudinary.com/tos.

 

h. Intercom

 

The OPERATOR transmits certain categories of personal user data to Intercom R & D Unlimited Company (2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland) for the purpose of customer management. The OPERATOR also uses the services of Intercom (such as the contact form and online chat on the PLATFORM) in order to be able to better communicate with the users and to be able to quickly answer questions about the PLATFORM. For this purpose, a limited portion of user data (such as e-mail address and registration time) is transmitted to Intercom, Inc. (98 Battery Street, Suite 402, San Francisco, CA 94111 USA) which is certified under the terms of the EU-US Privacy Shield.  Intercom Inc. uses cookies to allow an analysis of the use of the PLATFORM. The information generated by the cookies about the use of the PLATFORM and the IP address of the users are transmitted to an Intercom server in the USA and stored there. This includes the email addresses and registration times of users. Intercom uses this information as well as publicly available information about users (eg company, job title, website, social network handle and physical address) to generate data analysis for the OPERATOR (e.g. by querying the registration time or user activity) for the purpose of improving customer support and customer communication via email or messages within the product.

 

The OPERATOR uses this information to evaluate the use of the PLATFORM and to optimize its products based thereon. The OPERATOR also uses Intercom as a communication medium for (push) messages within the user area (after login) or emails via the contact form. The OPERATOR also uses Intercom to analyze the use of the website, to improve it regularly and to process inquiries. This allows the OPERATOR to improve his offer and make it more interesting for users.

 

This data processing is legally based on user consent (Art. 6, par. (1), s.1, lit. a) EU GDPR). It is further justified by the purpose of fulfilling the agreement (Art. 6, par. (1), s.1, lit. b) EU GDPR) and the legitimate interest of the OPERATOR, which outweighs the protection interests of the users concerned (Art. 6, par. (1), s.1, lit. f) EU GDPR). The consent can be revoked at any time. Thereafter, however, then the further use of the PLATFORM is no longer possible. Further information on the privacy of Intercom can be found at http://docs.intercom.io/privacy.

 

i. Kickbox

 

In order to ensure that e-mail addresses entered on the PLATFORM are valid, the OPERATOR uses the e-mail verification feature of Kickbox Inc (2556 Elm Street, Dallas, TX 75226, USA; www.kickbox.com; "Kickbox"). E-mail addresses of users are transferred to Kickbox directly after input via a 256-bit SSL encrypted request, verified and then immediately deleted or irreversibly hashed and pseudonymized stored for a maximum of 7 days. If an e-mail address is incorrect, the user will be asked to enter it once more. Since the OPERATOR primarily contacts users of the PLATFORM via e-mail, a correct e-mail address is required to answer their inquiries and to fulfill the agreement. The verification thus lies in the predominant legitimate interest of the OPERATOR according to Art. 6, par. (1), s.1, lit. f) EU GDPR. If the registration of the e-mail address aims at the conclusion of a contract, then Art. 6, par. (1). s.1 lit. b) provides an additional legal basis for data processing.

 

Kickbox is certified under the EU-US Privacy Shield. A current certificate can be viewed at https://www.privacyshield.gov/list.

 

j. Sucuri

 

The OPERATOR uses the service "Sucuri" to ensure the full functionality of the PLATFORM. Sucuri is also the business name used by the service provider Media Temple, Inc. (6060 Center Drive, 5th Floor, Los Angeles, CA 90045, USA), a subsidiary of Go Daddy Operating Company, LLC. The PLATFORM is reviewed by Sucuri for potential malware and vulnerabilities. The OPERATOR does not send any personal information about users to Sucuri. However, during the scan, Sucuri may find personal information that has been publicly published (for example, in comments).

 

Go Daddy Operating Company, LLC is certified under the EU-US Privacy Shield Agreement (see above) also with effect for its subsidiary Media Temple, Inc. (see https://www.privacyshield.gov/list).

 

The legal basis for data processing is Art. 6, para. (1); s.1 lit. f) EU GDPR: The legitimate interest of the OPERATOR in the analysis, optimization and economic operation of his PLATFORM prevails over user interests.

 

Users can prevent the collection and processing data by Sucuri / Media Temple, Inc. by deactivating the execution of script code in their browser settings or by installing a script blocker in their browser (this can be found at www.noscript.net or www.ghostery.com). The deletion of the data takes place as soon as the purpose of its collection has been fulfilled.

 

Further information on how Sucuri deals with users' data can be found at https://sucuri.net/privacy.

 

k. Jetpack / Wordpress Stats

 

The OPERATOR uses the service "Jetpack" with the extension "WordPress Stats". This is a web analytics service provided by Automattic Inc. (132 Hawthorne Street, San Francisco, CA 94107, USA) for the purpose of analyzing the PLATFORM's usage behavior.

 

For the analysis of the usage behavior Jetpack - WordPress Stats saves cookies via the internet browser on the terminal of the respective user. During processing, the IP address, the visited website of the OPERATOR, the website from which the user switched to the PLATFORM (referrer URL), the time spent on the PLATFORM and the frequency with which it is accessed are recorded. The data collected is stored on a server of the supplier Automattic in the USA. However, the IP address is anonymized immediately after the processing and before its storage.

 

By his certification according to the EU-US Privacy Shield (see https://www.privacyshield.gov/list) the provider guarantees that he will comply with the data protection requirements of the EU GDPR also when processing data in the USA.

 

The legal basis for data processing is Art. 6 par. (1); s.1 lit. f) EU GDPR: The legitimate interests of the OPERATOR which prevails over users‘ interests are geared towards the analysis, optimization and economic operation of his PLATFORM.

 

If users do not agree with this data processing, they have the possibility to prevent the storage of the cookie by a setting in their Internet browser (see above).

 

8. DURATION OF DATA RENTENTION

 

The OPERATOR stores personal data of registered users as long as the person concerned does not

­   demand that such data shall bhe deleted or

­   revoke a required consent to the processing or

­   delete the user account.

The OPERATOR will retain such data beyond the aforesaid point in time as long as storage is required

­   to assert any unrestricted claims of the OPERATOR against the respective user and / or

­   for the preservation of legal storage requirements or / and

­   to comply with an administrative or judicial order.

Thereafter, the OPERATOR will delete or anonymize, as the cae may be, the personal data of users.

 

9. USERS‘ RIGHTS 

 

a. Objection

 

Users can object to the processing of personal data at any time if such data processing is based solely on the interests of the OPERATOR according to Art. 6, para. (1) s.1, lit. (f) of the EU GDPR. This also applies to the processing of personal data for the purpose of direct mail and profiling insofar as it is associated with direct mail. Users may use the contact form on the PLATFORM for such objection. Users can unsubscribe from the cvlogin newsletter at any time in their own notification settings in the cvlogin Dashboard or by e-mail.

 

b. Information

 

Users have the right to ask the OPERATOR for confirmation whether he is processing their personal data. If that is the case, users furthermore have the right to receive information about these personal data. If personal data are transmitted to a third country or to an international organization, affected users have the right to be informed about the appropriate guarantees (pursuant to Art. 46 EU GDPR) in connection with the transfer.

 

c. Correction

 

Users have the right to demand that the OPERATOR correct incorrect personal data without delay. In consideration of the purposes of the processing, they have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

 

d. Deletion

 

Users have the right to demand that the OPERATOR immediately delete their personal data if any of the following applies:

­   The data are no longer necessary for the purposes for which they were collected or otherwise processed.

­   The consent on which the processing was based has been revoked in accordance with Art. 6, par. (1); s.1, lit a) or 9, para. (2) lit. a) EU GDPR and there is no other legal basis for the processing.

­   In accordance with Art. 21 (1) or (2) of the EU TDSO, users object to the processing and there are no legitimate reasons for the processing.

­   The data was processed unlawfully.

­   The deletion of the data is necessary to fulfill a legal obligation under Union or national law to which the OPERATOR is subject.

­   The data was collected in relation to information society services offered directly to a child under the age of 16, in accordance with Art. 8, para. (1) EU GDPR.

 

Upon request by the user, the OPERATOR is obliged to immediately delete the relevant data. The legality of the processing carried out on the basis of the consent before the revocation remains unaffected.

 

e. Restriction of Processing

 

Users who deny the accuracy of their personal data are entitled to request a restriction on the processing of these data for the duration that allows the resposnible party to verify the accuracy. If the processing is unlawful and users reject the deletion of the personal data and instead demand the restriction of the use of this data, this will be done. The restriction of processing also applies if the OPERATOR no longer requires personal data for processing purposes, but the users concerned require them for the assertion, exercise or defense of their own legal claims, or objections to the processing pursuant to Art. 21 par. 1 EU GDPR have been filed, as long as it is not certain whether the legitimate reasons of the person responsible outweigh the users‘ reasons. The affected users will be notified before the restriction is lifted.

 

f. Data Portability

 

Users have the right to receive personally identifiable information which they have provided to the OPERATOR in a structured, common and machine-readable format, as well as to share that information with another operator without interference from the OPERATOR provided that

­   processing is based on on consent (Art. 6, para. (1). s.1, lit. a) and Art. 9, para. (2), lit a) EU GDPR) or on an agreement (Art. 6, par. (1), s.1, lit b) EU GDPR) and

­   the processing is done by automated methods.

When exercising the right to data portability, users may request that the personal data be transmitted directly by the OPERATOR to another responsible entity where technically feasible.

 

g. Revocation of Consent

 

If the processing is based on consent, users have the right to revoke the consent at any time. The lawfulness of the processing carried out on the basis of the consent prior to the revocation will not be affected.

 

h. Complaint

 

If users believe that the processing of their personal data by the OPERATOR is unlawful, they may complain to a regulatory agency. In particular, they may contact the supervisor of their habitual residence, their place of work or the place of alleged infringement. The supervisory authority responsible for the OPERATOR is the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Phone: +49 (0) 30 13889-0, Fax: +49 (0) 30 2155050, Email: [email protected]; www.datenschutz-berlin.de. Further rules on the appeal procedure can be found in Art. 77 EU GDPR.

 

10. DATA PROTECTION OFFICER

 

Users can also send suggestions, praise, questions and complaints to the cvlogin data protection officer, accessible at [email protected].

cvlogin.com