You can download the current data protection information as a PDF here.
Data protection is a matter of trust and your trust is important to us. The data processing of JOOLI.com GmbH, represented by Mrs. Annette Freising and Mr. Florian Spatz, Erkelenzdamm 59/61, 10999 Berlin, Germany, Local Court of Charlottenburg, HRB 193357 B (hereinafter also referred to as “we” or “us”) as the responsible persons within the meaning of Art. 4 No. 7 GDPR is, of course, based on the statutory provisions. This data usage notice informs visitors and customers of how data is collected, processed and used during visits, any registrations and contract conclusions as well as their rights of objection, revocation and other rights to which they are entitled as persons affected by the collection and use of data. The following linked headings are intended to make it easier for users to access the desired information.
- What do we do with your personal data?. 2
- What is personal data. 2
- Data collection and data use. 2
- a) Installing the app. 2
- b) Further usage of the app. 3
- c) Place of processing. 4
- d) Push messages. 4
- Analysis data. 4
- Evaluation of the app. 6
- Deletion. 6
- What rights do I have?. 7
- The right to confirmation and information 7
- The right to rectification. 7
- The right of objection 8
- The right of withdrawal 8
- The right to deletion (right to be forgotten) 8
- a) Prerequisites for deletion. 8
- b) Further right to be forgotten. 9
- c) Exceptions to the deletion. 9
- The right to restriction of processing. 9
- The right to data portability 10
- Assertion of your rights. 10
- What do we do with your personal data?
- What is personal data?
Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). No name is necessarily required in order for a person to be identifiable. Indirect identifiability, e.g. by means of assignment to an identification number, to location data, to an online identifier or to one or more special characteristics is also sufficient. It is therefore a question of a person’s identity. This includes, for example, the person’s name, but also the phone number, address and other data that a person provides us with. Many legal bases for our data processing can be found in the European General Data Protection Regulation (GDPR), the text of which and the associated recitals can be found here, for example. In the following notes, we refer to corresponding regulations as the respective legal basis for our processing.
- Data collection and data use
- a) Installing the app
The offerings of the JOOLI platform can first be found in the JOOLI App. This app provides information on the offerings on a variety of items that can be purchased from third parties (“partners”). The offer information is created by our partners. Clicking on the corresponding link leads to the offers of the articles of our partners on their websites.
The JOOLI app can be used without providing the person’s name or any other information. We assign an identification (“Instance ID”) during installation, for which we store the data collected, however we do not link it to a device ID.
If a link invitation to install the JOOLI App is received from a partner, we store the identity of the partner of JOOLI through whose link invitation the JOOLI App has been downloaded to the Instance ID.
If a link invitation to install the JOOLI App is received from a third party ambassador for Jooli, we will store the identity of the JOOLI ambassador whose link invitation was used to load the JOOLI App for Instance ID. For more information about JOOLI ambassadors, please visit https://www.jooli.com/#botschafter_werden.
- b) Further usage of the app
When the JOOLI app is used, we evaluate the person’s search and, if applicable, the respective selection of content posted by our partners on JOOLI (e.g., speed and frequency with which the display of product videos is changed, the duration of engagement with the offer, detailed information called up, click on the partner link) and thus determine which other product offers might appeal to that person, which we subsequently display to them.
If someone looks for more information about an item or would like to purchase it, we register when he or she clicks on the corresponding partner link. We then transmit to the corresponding partner via a coding (“token”) the information associated with that person’s instance ID that the person found the way to the offer via JOOLI. In the case of a purchase, we receive a message from the corresponding partner for this purpose (item, price, token) and use the information to bill our services to our partners and ambassadors. The legal basis for this is our legitimate interest (Art. 6 para. 1 lit. f GDPR). When someone contacts us, we store their name, if applicable, their contact data and their request. The legal basis for this is our legitimate interest in processing a request as quickly as possible (Art. 6 para. 1 lit. f GDPR).
We can be contacted via the contact forms “Become an Ambassador” (https://www.jooli.com/#botschafter_werden) or “Become a Merchant” (https://www.jooli.com/haendler-werden/). We use the service Pipedrive to respond to requests. Pipedrive is a CRM platform from Pipedrive OÜ
Mustamäetee 3a 10615 Tallinn. The personal data entered will be transmitted to our Pipedrive account and the data of EU users will be stored on servers in Frankfurt. The legal basis for this is our legitimate interest (Art. 6 lit. f GDPR)
The data we collect in connection with Pipedrive is:
- Telephone (optional)
- Company name
- Homepage (optional)
For more information on data processing, please visit https://www.pipedrive.com/en/privacy.
- c) Place of processing
We only store data on the device that is needed to use the app. Otherwise, we store the data we have collected on the servers provided by our service provider in the European Union. The service provider is Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
- d) Push messages
If the user gives us his/her consent, he/she will receive push messages from us about new products and/or new functionalities of the app, even if they are not in the app. Push messages are short messages that are shown on the display of the device with prior consent.
The use of push messages is based on the user’s express consent pursuant to Art. 6 (1) p. 1 lit. a GDPR. We ask you for this when you first install (Android) or use (iOS) the app. Consent may be revoked at any time in the system settings of the operating system of the respective device.
- Analysis data
In order to provide our service, certain data is collected and stored on servers (not on the user’s device). Only access data without direct personal reference is collected, e.g.
- The usage time of the app
- The number of users and sessions
- The click-through rate of individual pages
- The operating system used
- Products and content in which the user is interested and the expression of interest, such as duration, frequency, interaction with forms, navigation elements and links
- The device type is recorded anonymously
- Operating systems
- Device models
- First time starts
- App uses
- App updates
- Click on the partner links
It is not possible for us to draw any conclusions about the user on the basis of this data, and we will not attempt to merge the above data with personal data without consent, unless it is for the purpose of prosecuting legal violations and attacks on our systems.
We use Google Analytics for Firebase to provide our service. This is a service provided by Google Ireland Limited (“Google”), a company incorporated and operated under the laws of Ireland (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland.
The aforementioned data forms the basis for statistical, anonymous evaluations and helps us to analyze user behavior in the app and to adapt and improve the offer based on this analysis. The anonymization of IP addresses is always activated via the Firebase SDK. This means it is not possible for us to assign the above data to a specific person. More information on data processing and anonymization of the IP address at Google Firebase SDK can be found at: https://support.google.com/analytics/answer/2763052?
- A/B tests
In order to continuously improve our app offering, we conduct tests on individual pages, to find out more about the best possible design or the greatest possible clarity of our pages, for example. For such testing purposes, we also collect statistical data and use the Firebase A/B Testing web analytics system from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (https://firebase.google.com/docs/ab-testing/). Firebase does not collect any personal data. The information on how the website is used is transmitted anonymously to a Firebase server and stored there. The legal basis for this is our legitimate interest in improving our app offerings (Art. 6 lit. f GDPR).
- Crash reports
We send anonymized and aggregated usage and diagnostic data about the function of the app or dysfunctions (crash reports) to Google. It is impossible for us to identify individual users. If the user agrees to the collection of usage and diagnostic data, certain data concerning the function of the app or dysfunctions (crash reports) will be sent to Google. We use “Firebase Crashlytics,” a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We use this data exclusively to improve the app.
An anonymized Crashlytics installation UU ID is stored to identify the user. The following data is stored, among other types, for the crash report:
– Device properties
– System versions
– App version
– Regional settings
– Utilization time
– Location data
Firebase Crashlytics deletes the data collected after max. 90 days.
- Use of the information
Google will use this information to evaluate the use of the app on our behalf and to compile reports on activities for us. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Further information on Google’s use of data can be found in Google’s Partner Policy.
- Transmission to the USA.
The aforementioned information on the use of the app and, if applicable, our website that can be accessed via it may also be transferred to Google computers in the USA and be stored there for up to 14 months, unless stated otherwise. The time is based on our interest in being able to make temporal comparisons with statistical data. In this case, the transfer takes place outside the scope of EU law. However, Google must first truncate the IP addresses in member states of the European Union or in other contracting states of the Agreement on the European Economic Area.
For more information on how Google processes data, please visit https://policies.google.com/privacy .
- Evaluation of the app
After using the app, you may be asked if you would like to submit a review of it. If you agree, you will be redirected to a corresponding page where the rating can be submitted.
The ratings you provide will then be included in a review that will be displayed in the respective app store and in search results.
For more information on data usage by the respective app store, please check the details listed there.
The user’s data will be used for as long as necessary for the stated purposes or, if applicable, in the case of interest-based data use until the interest ceases to exist or until an objection is raised or, in the case of consent, until it is revoked. Irrespective of this, for their security we delete all data relating to their preferences after an appropriate period of time, usually after 3 years from the respective collection. This does not apply to data relating to a purchase, insofar as commercial and tax law obliges us to archive data from concluded transactions for the duration of the statutory retention periods. The legal basis for the corresponding remaining data uses is Art. 6 para. 1 lit. c GDPR.
- What rights do I have?
As a person affected by data processing, you may assert certain rights under the law.
- The right to confirmation and information
According to Art. 15 DSGVO, you have the right to request confirmation from us as to whether personal data concerning you is being processed. In the event that we process such data, you have a right to free information on your stored data. The information includes information about
- the purposes of processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or to obtain the restriction of processing by the controller, or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- If the personal data is not collected from the data subject: All available information about the origin of the data;
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, the data subject shall have the right to obtain information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If you have any questions regarding the collection, processing or use of personal data, or if you wish to request information or otherwise assert your rights, simply contact us using the contact details listed at the end of this notice.
- The right to rectification
You have a right to rectification and/or completion vis-à-vis the controller, insofar as the processed personal data concerning you is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
- The right of objection
Your right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of a balance of interests pursuant to Article 6 (1) (f) GDPR; this also applies to profiling based on these provisions (cf. e.g. term II. number 2). In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
You have the right to object to the processing of your personal data for direct marketing purposes at any time, with the consequence that the data will no longer be processed for these purposes.
- The right of withdrawal
You have the right to revoke any consent you may have given at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
- The right to deletion (right to be forgotten)
- a) Prerequisites for deletion
You have the right to request the deletion of personal data concerning you. Please note that a right to immediate erasure (Art. 17 DSGVO) (“right to be forgotten”) only exists if one of the following reasons applies:
- The personal data is no longer needed for the purposes for which it was collected or otherwise processed.
- You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes pursuant to Article 21(2) of the GDPR.
- The personal data concerning you has been processed unlawfully.
- The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) DSGVO.
- b) Further right to be forgotten
If we have made the personal data concerning you public and we are obliged to delete it pursuant to Article 17(1) of the GDPR, we shall take reasonable measures, including technical measures, to inform data controllers processing the personal data that you, as the data subject, have requested deletion of all links to or copies or replications of such personal data, taking into account the available technology and the cost of implementation.
- c) Exceptions to the deletion
In addition to the above requirements, please note that the following exceptions may warrant denial of your deletion request:
The right to deletion does not exist insofar as the processing is necessary
- to exercise the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right to deletion is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
- for the assertion, exercise or defense of legal claims.
- The right to restriction of processing
You have the right to restrict processing if you dispute the accuracy of the personal data for a period of time that enables us to verify the accuracy of the personal data or if you refuse deletion in the event of unlawful processing and instead request restriction of the use of personal data. You also have this right if we no longer need the data and you need this personal data to assert, exercise or defend legal claims. Finally, you may assert this right if you have objected to the processing pursuant to Article 21 (1) GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.
If processing has been restricted, this data may only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. The possibility of continued storage remains unaffected. If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.
- The right to data portability
You also have the right to data portability of the data you have provided to us, which we have processed on the basis of effective consent or the processing of which was necessary to enter into or fulfill an effective contract, in a “structured, common and machine-readable format” to you. You also have the right to request direct transfer to another controller where technically feasible.
The right exists only insofar as the rights and freedoms of other persons are not affected.
- Assertion of your rights
Please contact our customer service (see below for contact details) if you have any questions or wish to exercise your rights.
You can also contact our data protection officer. This person is responsible in cases of complaint. You can reach our data protection officer via the following e-mail: email@example.com.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes on legal provisions.
Erkelenzdamm 59/61, 10999 Berlin, Germany
Phone number: 030/695979-0