Vibadou

Data Protection Provisions of Vibadou GmbH for the Use of VIBADOU Services

When you use VIBADOU, you have chosen a service which opens up a variety of possibilities for you and your friends to share your life moments, to inform yourself and others and to communicate with one another. In order to offer these possibilities to you, within the framework of VIBADOU, we provide certain services (hereinafter: „Services“) on the basis of our general terms of use (hereinafter „Terms“).

As with participation in every social network, use of our Services requires disclosure of personal data (hereinafter “data”). Personal data refers to specific data when such contains individual information about personal or factual circumstances of certain identified persons or identifiable natural persons and which can be traced to this certain individual. Your data (e.g. name, e-mail, telephone number, etc.) is processed by us according to the German and European Data Protection Laws. In particular, the General Data Protection Regulation (GDPR), the German Federal Data Protection Law (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG) serve as the legal bases herefor.

We would like to make the following transparent for you: the data we collect within the framework of our Services, how we use said data, with whom we share it and which possibilities you have to control, access and change it. The following data protection provisions inform you with regard to the type, scope and purpose of the processing of personal data by us within the framework of your use of VIBADOU.

In this context, we would like to point out to you that the security of your data is very important for us. This is why we always take respective IT security precautions in accordance with the current state of the art. Internet-based data transmissions and any form of software can nevertheless always be subject to security gaps so that unfortunately no complete protection against access by third parties can be technically guaranteed.

For us, the following principles govern the handling of personal data

  • transparency for our customers,
  • imas a rule, storing only absolutely necessary data (data minimisation) and
  • securing our services in accordance with the current state of the art.

We regard your trust in our Services as our greatest asset.

 

Who are we?

Data Protection Controller as defined in the GDPR is

Address:
Vibadou GmbH

c/o CapitaNova GmbH
Harry-Blum-Platz 2
50678 Köln

Germany

 

registered in the Commercial Registry of the Local Court Cologne under HRB 95973

E-Mail: support@vibadou.com

Represented by Managing Director Stephan Niggemeyer

 

What happens with my data when I download the VIBADOU App?

Upon downloading the VIBADOU App, the information necessary for it is transferred to the App Store, i.e. in particular, your user name, e-mail address, customer data of your account, the time of the download, any payment information and the individual device identifiers. However we have no control of this data processing and are not responsible for it. In this respect, the data protection provisions for use of the respective App Store are exclusively relevant.

 

What data do we collect when you register with VIBADOU?

For the purposes of use of our Services, we set up a user account for you as a user. In this context, we process the data which you transmit to us within the framework of the registration process and as stated in the input mask of the registration form. Such data will be processed by us in accordance with these provisions. Such data shall always include:

  • your e-mail address
  • your real name
  • your user name
  • your telephone number
  • your chosen password

When other Vibadou users have stored your telephone number in their address books, they can see that you are also a Vibadou user.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou.

Furthermore, within the framework of the registration process or later following registration, you can also still transmit additional information by respective entries in your user account which shall be processed by us according to these provisions. Included herein are in particular:

  • your date of birth
  • your profile photo
  • your first name and surname
  • your gender

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou.

With your consent (iOS: “Vibadou would like to access your contacts” Android: “Allow Vibadou to access your contacts”), for purposes of synchronization and establishment of contacts between you and other users of VIBADOU, a list of hash values of the telephone numbers stored in your contacts are loaded to our server and synchronized. In these cases, you are responsible that your contacts are in agreement with the transfer of their personal data, in particular, their telephone number. Your contacts‘ telephone numbers are not stored. When you have registered with VIBADOU, the persons who have your telephone number stored in their telephone book and who also use VIBADOU shall be informed of your registration. Through your registration, you declare that you are in agreement that also the hash values of your telephone number are transmitted to us for these purposes by other persons registered with VIBADOU and processed by us accordingly.
The hash value is an artificially generated number using the telephone number from which the original telephone number cannot be calculated back.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. a GDPR in the scope of the consent which you have given us.

 

Which data will be processed when I log in via Facebook Connect?

If you want to use our service, you have the possibility to log in with Facebook Connect for VIBADOU. Instead of registering in our app, you are able to log in to VIBADOU via your Facebook account. You will be redirected to the Facebook website where you can log in with your Facebook user data. By using Facebook Connect, Facebook and VIBADOU are connected to each other. Facebook will then send us your personal information through Facebook. We use these only to identify you.

Furthermore we process the following information from Facebook: Your full name, your profile picture, and your email-address.

  • The processing of this data takes place on the legal basis of Art. 6 para. 1 sentence 1 lit. b GDPR for the conclusion and performance of the contract concluded with us for the use of VIBADOU.

For more information about Facebook Connect terms of use and privacy, visit the Facebook Connect web pages.

 

What of my personal data is processed when I use VIBADOU?

When you use our Services, we process additional data regarding how you use our Services. This is necessary to be able to technically provide our Services, to read content of other users and to share content with other users. This relates to your following data:

Use Data:

  • The manner in which you use our Services, e.g. which moments and groups you look at and use or which search inquiries you send,
  • The manner in which you communicate with other VIBADOU users such as, e.g. their name, the time and date of your communication, how many and which content you exchange with other users and how you use the content, e.g. when you open a group or a moment.

Data about Content:

  • Data about content posted by you in VIBADOU,
  • Data about the recipients of content including the metadata connected therewith,
  • Location of the photos or videos made by you if you give us your permission hereto through your Smartphone,
  • Comments and Pics which you generate in the groups.

Device Information:

  • Specific data related to the end device used by you, e.g. the model, the operating system version, the time zone, the advertising ID, unequivocal identifier IDs, unequivocal device IDs, language

Protocol Data:

  • Device data,
  • Access times,
  • Contents accessed,
  • the IP address,
  • where applicable, also IDs of cookies or other technologies which can unequivocally identify your device or your browser

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou or respectively, Art. 6 (1) Sentence 1 lit. a GDPR when you have given us your consent to access your location.

When you give us your permission by respective settings within the VIBADOU App or through your device, the App accesses the following data:

Telephone book of the device:

  • Data from your telephone book.

Camera, microphone and photos:

  • Photos, videos and other data from the camera of your mobile phone.

Location data:

  • Data on your location by means of GPS, wireless networks, radio towers, WLAN access points and other sensors.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. a GDPR in the scope of the consent which you have given us. You can withdraw this consent at any time by changing the technical settings in your Smartphone.

 

We process the data collected from you only for the following purposes:

  • to provide you and the other users with our Services,
  • to further develop, maintain and protect our Services,
  • in order to communicate with you,
  • to enable third parties other than registered users of VIBADOU to communicate with you if you wish such and have given consent hereto,
  • to provide targeted further offers for you within the framework of use of our App,
  • for compliance with legal obligations and
  • for enforcement of legal claims and to solve and prevent criminal offences.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. a GDPR in the scope of the consent which you have given us, Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou, Art. 6 (1) Sentence 1 lit. c GDPR insofar as this is necessary in order to fulfil a legal obligation which concerns us and Art. 6 (1) Sentence 1 lit. f GDPR when we enforce legal claims; our legitimate interest stems enforcing our claims or defending ourselves with legal disputes or to solve or prevent criminal offences or violations of our Terms in order to protect ourselves and our users.

 

To whom is the data collected about me transferred?

We transfer the data collected from you and the following specified data to third parties only as follows:

  • Within the framework of our Services, we transfer to other registered users of VIBADOU:
    • your user name,
    • your profile photo, and
    • the content transferred by you in accordance with the recipients chosen by you within the framework of the use of VIBADOU.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou.

We also provide users who operate a public group with statistics from which these users can see how the public group is used. This includes, for example, the number of active users per day and per month, the number of members and followers, the number of moments, the number of views. These statistics contain only anonymous data, which we generate by aggregating your data with the data of other users and removing information that points to you as an individual. We create the statistics based on the data of all users of the respective public group. This data includes, among other things, the total number of followers of a public group, when and which and how often contents of the user of the public group were opened, device information (model, operating version, language), age of the users and gender of the users as well as the location of the users. Before we pass on this data, we will combine and distort the data in such a way that the data can no longer be traced back to you as an individual user. For example, we do not share an exact location, but only share locations for counties and cities. In particular, we do not pass on any information that could identify you individually.

  • To third parties other than the registered users of VIBADOU only:
    • if the transfer is required for legal reasons in order to fulfil the requirements of judicial or administrative proceedings or to comply with legal regulations.

The legal basis for the transfer of this data is Art. 6 (1) Sentence 1 lit. c GDPR for compliance with legal obligations to which we are subject.

  • In order to examine or prosecute possible violations of legal provisions or the Terms, in particular, also for the protection of our rights or those of our users or other persons.

The legal basis for the transfer of this data is Art. 6 (1) Sentence 1 lit. b GDPR for the performance of the contract concluded with us related to the use of Vibadou, Art. 6 (1) Sentence 1 lit. c GDPR for compliance with legal obligations to which we are subject as well as Art. 6 (1) Sentence 1 lit. f GDPR for the protection of our legitimate interests or the legitimate interests of third parties; our legitimate interest stems from contractual and legally compliant use of our Services, enforcement of our Terms and the protection of other users.

  • Insofar as necessary in order to recognise, prevent or remedy abuses of our Services or security gaps, in cases of the existence of concrete evidence, we send your telephone number for verification purposes per SMS to a service. This service is sending a text to you. This is currently https://ringcaptcha.com (ThriveCom, Inc. 704C E 13th St (124) Whitefish, MT 59937) or https://www.lox24.eu/ (LOX24 GmbH, Seestraße 109, D-13353 Berlin). These providers do not receive any additional personal information.
  • So-called Crash-Reports to the service BuddyBuild (https://www.buddybuild.com, Doe Pics Hit Inc, 415 West Cordova Street Suite 208, Vancouver, BC V6B 1E5). They contain information which permits us to find errors in Vibadou more easily and to remedy these faster.
  • Insofar as this is necessary to carry out pending corporate changes on our part. Included herein are mergers or takeovers by or with us or if we participate in mergers, share sales, financing, liquidations, bankruptcy proceedings or takeovers with regard to a part or all parts of our company by another company. In the afore-mentioned cases, we may transfer your data to these companies prior to and after conclusion of the transactions.

The legal basis for this transmission is Art. 6 (1) Sentence 1 lit. c GDPR for fulfilment of legal obligations to which we are subject as well as Art. 6 (1) Sentence 1 lit. f GDPR for the protection of our legitimate interests or the legitimate interests of third parties; our legitimate interest stems from the protection of our ownership rights as well as in the interest of a progressive commercial improvement of our company.

  • Data for which you have expressly give us your consent to transfer to third parties by a respective separate permission within the framework of the use of our Services.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. a GDPR in the scope of the consent which you have given us.

  • If you have registered on our website for receipt of our Newsletter, we send this with the service CleverReach (https://www.cleverreach.com of CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede). In this context, we transfer your e-mail address to CleverReach.

The legal basis for the processing of this data is Art. 6 (1) Sentence 1 lit. a GDPR in the scope of the permission which you have given us and Art. 28 GDPR.

 

Are analysis and advertising services provided by third parties used?

Yes, we use Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 („Google“). In this context, we use the functions „trackPageview“ and “trackEvent”. Only Page Views are transferred hereby, i.e. we see which pages/sites of the mobile App are accessed by you and events, such as views, creation or deletion of groups, moments or Picks. However no personal data of any kind is transferred to Google. You can prevent the collection of this anonymized data and the processing thereof by not agreeing to the use of Google Analytics upon registration or disable the use of Google Analytics within the settings of the VIBADOU app.
The information generated with regard to your use of our Services shall be anonymized and transferred to a server of Google in the USA and stored there. Google shall use this information to evaluate the use of the App, to compile reports for us regarding the App activities and to perform additional services comparable with the use of our Services and the Services connected with Internet Use. Where applicable, Google shall also transfer this information to third parties insofar as this is prescribed by law or insofar as third parties process this on behalf of Google. In no case shall Google connect your IP address with other data which is stored by Google. You can find more detailed information hereto under http://www.google.com/intl/de/policies/privacy/ (general information related to Google Analytics and data protection).
We point out that Google Analytics was expanded in this App by the code „gat._anonymizeIp();“ in order to guarantee the anonymized registration of IP address (so-called IP masking).

In order for us to use Google Analytics, you must agree to the use of Google Analytics. With your consent you help us to improve our services. If you do not agree, Google Analytics will not be used. You can grant or revoke your consent at any time in the App’s settings. The legal basis is the consent granted by you via the App in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

We also use the Google Tag Manager. The Google Tag Manager is a solution that allows marketers to manage website tags through a single interface. The Google Tag Manager service itself (which implements the tags) is a cookie-less domain and does not collect any personal information. The Google Tag Manager service triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If disabled at the domain or cookie level, it will remain disabled for all tracking tags implemented with Google Tag Manager.

Furthermore we use the Facebook SDK from Facebook, Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA („Facebook“). The Facebook SDK logs the following information:

  • Explicit events – information from events that the advertiser explicitly configures their app to send, such as „AddtoBasket“ or „logPurchase“, along with any additional parameters provided.
  • Implicit events – information from events that are logged implicitly if the advertiser chooses to make use of other features of the Facebook SDK, such as integration with Facebook Login or the „Like“ button.
  • Automatically logged events – basic interactions in the app (e.g. app installs, app launches) and system events (e.g. SDK loading, SDK performance) that are collected automatically.
  • Facebook app ID – a unique identifier provided by Facebook to reference the advertiser’s website and mobile app.
  • Mobile advertiser ID – the iOS IDFA or Android Advertising ID.
  • Metadata from the request – the mobile OS type and version, the SDK version, app name, app version, the device opt-out setting, the user agent string and the client IP address. It also collects the following device related metrics: time zone, device OS, device model, carrier, screen size, processor cores, total disk space, remaining disk space.

The Facebook SDK collects the following information when you use Facebook Login:

  • App Events: This covers generic App Events (e.g. App Install, app launch) and other standard logging for product metrics (e.g. SDK loading and SDK performance).
  • Configuration data: After a user has logged in, the SDK makes periodic background requests to manage the lifetime of the access token automatically.
  • Error information: The SDK captures error information, including during initialisation of the SDK, which may include a user ID of individuals who are logged in to Facebook.
  • Short-term data: The SDK measures some user activity for purposes of managing fraud and abuse. This data is only retained for a very short period for those not logged in to Facebook.

When using this feature, third parties, including Facebook, may receive information and use that information to provide measurements and ad targeting. This allows us to track the users behaviour after they have clicked on a Facebook-ad to be redirected to the provider’s website. This allows us to evaluate the effectiveness of Facebook Ads for statistical and market research purposes and to optimize future advertising efforts. The transmitted data can also be used to address you specifically on Facebook with individualized advertising, if you have a Facebook account.

The collected data is anonymous for us we cannot draw any conclusions about the identity of the users. However, the data is processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook data policy. This allows Facebook to enable the placement of advertisements on pages of Facebook and outside of Facebook. This use of the data cannot be influenced by us as a site operator.

In order for us to use the Facebook SDK, you must agree to its use. With your consent you help us to improve our service. If you do not consent, Facebook SDK will not be used. The legal basis is the consent granted by you via the app in accordance with Art 6 para. 1 sentence 1 lit. a GDPR.

 

 

Withdrawal of consent

You can grant or revoke your consent at any time in the App’s settings. The legal basis is the consent granted by you via the App in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

In the context of a browser-based website, this can also be done via the following websites http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.

Will my data be processed outside the European Union?

The inclusion of third parties in the performance of services – in particular, providers from the USA- means that the respective data shall be processed in part also outside the European Union and the European Economic Area. In this case, by exercise of reasonable precautions, we ensure that a comparable data protection level is guaranteed. In particular, we conclude standard data protection clauses with our service providers which are approved by the EU Commission. You can obtain further information as well as a copy of the documents at our Data Protection Officer (cf. below).

 

How long will my data be stored?

Your data will be stored by us for the term of the contract. In addition, we then store your data until expiry of the statute of limitations period for any legal claims from the contract to be able to use such as evidence, where applicable. The statute of limitations period is generally between 12 and 36 months but, however, can also be up to 30 years. Upon expiry of the statute of limitations period, we delete your data unless a legal storage obligation exists, e.g. from the German Commercial Code (Handelsgesetzbuch, HGB) (§§ 238, 257, para. 4 HGB) or the German Tax Code (Abgabenordnung, AO) (§ 147, para. 3, 4 AO). These storage obligations can be two to ten years.

 

How can I control, restrict or end the use of my data?

Our goal is to make it possible for you to have the greatest control possible over your data within the framework of our Services: We meet this goal as follows:

  • Settings in the App: In the settings of your device you are able to control which data we may collect and process:
    • Access to camera, microphone and photos
    • Access to the current location
    • Access to contacts of the telephone book

According to the setting chosen by you, this can mean however that we no longer can provide certain Services or parts thereof.

 

What rights do I have with regard to my personal data?

Subject to the legal requirements, you are entitled to the following rights as data subject under the data protection law which you can either already exercise in the settings of the App or under support@Vibadou.com:

  • Right of Access to Information: Within the framework of Art. 15 GDPR, you can request from us a confirmation of whether we process personal data related to you; if this is the case, then you are entitled further within the framework of Art. 15 GDPR to access information regarding this personal information as well as certain additional information (inter alia, purpose of the processing, categories of personal data concerned, categories of recipients, planned storage period, your rights, the origin of the data, the use of an automated decision-making and, in the case of a third country transfer, the suitable guarantees) and a copy of the data.
  • Right to Rectification: According to Art. 16 GDPR, you have to right to request that we rectify personal data stored about you if this data is inaccurate or incorrect.
  • Right to Erasure: Subject to the requirements of Art. 17 GDPR, you are entitled to request that we erase your personal data without undue delay. The right to erasure does not exist, inter alia, if the processing of personal data is necessary for (i) exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation to which we are subject (e.g. legal storage obligations) or (iii) for the establishment, exercise or defence of legal claims.
  • Right to Restriction of Processing: Subject to the requirements of Art. 18 GDPR, you are entitled to request that we restrict the processing of your personal data.
  • Right to Data Portability: Subject to the requirements of Art. 20 GDPR, you are entitled to request that we transfer to your personal data provided by you to us in a structured, commonly used and machine-readably format.
  • Right to Withdrawal of Consent: You have the right to withdraw your consent once given to the processing of personal data at any time with legal effect for the future. You can declare the withdrawal in part yourself directly in the App or, respectively, in your Smartphone. Otherwise, address the withdrawal of your consent to support@Vibadou.com.
  • Right to Object: Subject to the requirements of Art. 21 GDPR, you are entitled to object to the processing of your personal data so that we must end the processing of your personal data. The objection exists only in the limits foreseen in Art. 21 GDPR. In addition, our interests can oppose an ending of the processing so that we are entitled to process your personal data in spite of your objection.
  • Right to Lodge a Complaint with a Supervisory Authority: Subject to the requirements of Art. 77 GDPR, you are entitled to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, your place of work or the location of the alleged violation if you are of the opinion that the personal data related to you violates the GDPR. The right to file a complaint exists notwithstanding any other administrative law or judicial proceedings.

 

 

How secure is my data?

We make intensive efforts to protect your data against unauthorised access by third parties and against the unauthorised change, transfer or destruction thereof. In this regard, among other things, we take the following measures:

  • Our servers are secured according to the current state of the art against access by third parties. For data storage of moments, we are currently using the database and the backend application logic Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Compute Cloud (Amazon EC2) from Amazon Web Services (440 Terry Ave N, Seattle, WA 98109),
  • All connections between the end devices and our servers and Services are SSL-encrypted.

We endeavour at all time to further develop our protection measures in order to be able to offer our users the best possible protection.

 

How can I obtain information regarding what of my personal data is stored?

Insofar as you require information in addition to the information already provided here and, in particular, you would like to have information regarding what data we have stored about you, you can contact us at any time:

Vibadou GmbH
c/o CapitaNova GmbH
Harry-Blum-Platz 2
50678 Köln

Germany

E-Mail: privacy@vibadou.com
Reference: Data Protection

 

Am I obligated to provide my data?

In principle, you are not obligated to provide us with your personal data. However, if you do not do so, we will not be able to provide you with our Services or be able to respond to your inquiries. Personal data which we do not absolutely require for the above-named processing purpose shall only be asked for on a voluntary basis within the App.

 

Will an automated decision-making or profiling be used?

No, we do not use any automated decision-making or profiling.

 

How long do the data protection provisions in the current version apply?

We will amend these Data Protection Provisions in the future, so that you are always informed about how we handle your personal data, not least because legal regulations or their interpretation by courts and authorities can change in the same way as also the Services to be rendered by us. We shall notify you about changes in these Data Protection Provisions in advance in an appropriate form, e.g. within the App.

 

As of: 4 June 2020

Right to Object

You have the right to object at any time insofar as reasons exist relating to your particular situation to the processing of your personal data by us on the basis of Art. 6, (1) lit. e GDPR (performance of a task carried out in the public interest) or Art. 6, (1) lit. f GDPR (legitimate interests pursued by the controller); this applies also for profiling supported by these provisions. We shall not process the respective personal data any longer unless we can prove absolute reasons requiring protection in favour of the processing which override your interests, rights and freedoms or the processing serves the claim, exercise or defence of legal claims.

Should your personal data be processed to carry out direct advertising, you have the right to file an objection at any time against the processing of your personal data for the purpose of such advertising. If you object to the processing for purposes of direct advertising, your personal data shall no longer be processed for these purposes.