Information Obligations according to Article 13 EU General Data Protection Regulation GDPR (DSGVO)

1. Name and Contact Information of the Responsible Controller

These information obligations apply to the processing of personal data by the responsible entity: CHLNGE GmbH, Dolivostraße 17, 64293 Darmstadt, Germany (hereinafter called ‘CHLNGE’), email: privacy[at]chlnge.app, phone: 0049 (0)6151 6290120.

We place great importance on the protection of your personal data. Personal data includes all information that relates to an identified or identifiable natural person; a natural person is considered identifiable, if they can be directly or indirectly identified, particularly with assignment of an identifier such as a name, an identification number, location data, online identification or multiple specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person according to Article 4 number 1 General Data Protection Regulation (Datenschutz-Grundverordnung (DSGVO)). Your name or your email address are for instance considered personal data. Information that cannot be associated with your identity such as for instance favored websites of all users, number of users of a page, statistical or anonymized data, are not personal data.

2. Reasons for Data Processing, Legal Bases, Storage Duration

The processing of collected personal data during the use of our mobile app ‘CHLNGE’ (hereinafter called ‘mobile app’) takes place while adhering to the valid data protection regulations and only to the extent necessary.

This Data Privacy Information applies exclusively to the use of data between you and CHLNGE.

It is explained hereinafter which personal data is collected during the use of our mobile app and how it is used.

a) Download of the Mobile App via the App Store

You have to download our mobile app from the App Store of the company Apple Inc., CA, USA, https://apps.apple.com/app/chlnge/id1506910826 or Google LLC, CA, USA, https://play.google.com/store/apps/details?id=de.chlnge.app in order to be able to use our mobile app. Additionally, you should own a device with current operating systems such as iOS or Android, in order for the mobile app to function properly.

The App Stores are operated by the above mentioned companies Apple Inc. and Google LLC and their collaborating companies. The App Stores have their own data privacy policies and terms of use, which may have to be accepted by the user. CHLNGE is neither responsible for the regulations and data processing of or at the above mentioned companies and their cooperation partners, nor can CHLNGE influence them. This particularly applies to the collection and processing of registration and payment information within the App Store and the affiliated device information.

CHLNGE is not affiliated with the operators of the App Stores and does not represent them. With the download and the use of this mobile app, you also acknowledge that the operators of the App Stores are not obliged to provide any support or maintenance of the mobile app. All rights and obligations with respect to the use of the mobile app only exist between you and CHLNGE in accordance with the valid Terms of Use.

When downloading the mobile app, all required information is transmitted to the respective App Store, particularly the user name, email address and customer ID of your account with the App Store, time of download, payment information and the individual device number of the used terminal device. CHLNGE only processes data if necessary for the download or installation of the mobile app on your mobile device.

b) Setting up a User Account

You must set up an account via the registration function in order to be able to use our mobile app. We offer various options.

The user name and profile picture are freely selectable in all options. You are not obliged to provide your real name or a picture of yourself. If a user name and profile picture are chosen, they only serve the purpose of differentiating the individual users.

aa) Registration with an Email Address

You have the option of registering with your email address. We therefore need to know your email address. This is needed in order to carry out the registration, in order to be able to differentiate the individual users and to inform users in the frame of the contract implementation via email (e.g. for a password reset). Your email address is not used for other purposes. Additionally, you need a personal password.

bb) Login via Facebook Account

You can also register via your existing Facebook account with your Facebook login data. This takes place via a respective interface (API) of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (‘Facebook’). In this case, a direct connection is established with the Facebook servers.

We will receive general and public information stored in your profile, depending on your personal data privacy settings and any consent you may have given via interface. Facebook user ID, the stored name, the profile picture, age and gender are part of this information. We will only store your email address, in order to be able to distinguish the individual users and to inform users in the frame of the contract implementation via email (e.g. for a password reset). Your email address is not used for other purposes. All other data transmitted via Facebook is immediately deleted.

We would like to point out that a transfer of the user IDs of your friends and the friend list can take place, if this is marked as ‘public’ in your privacy settings with Facebook. The data transmitted by Facebook is however immediately deleted and not stored.

Conversely, based on your consent to Facebook, we can transmit data from us (e.g. information about your surfing behavior) to your Facebook profile.

The processing of the above mentioned data is based on Article 6 section 1 sentence 1 letter f) GDPR (DSGVO). We have a legitimate interest in offering our users different registration options, in order to facilitate the use of our mobile app and to make it more user-friendly and comfortable. The data processing is still based on Article 6 section 1 sentence 1 letter a) GDPR (DSGVO) with respect to the provided consent to Facebook and additionally, on Article 6 section 1 sentence 1 letter b) GDPR (DSGVO), if you decided in favor of this registration option because the processed data is required in order to fulfill the contractual relationship with you.

cc) Login via Google Account

Furthermore, you have the option to register via your existing Google account via the service “Google Sign-In”, by Google LLC, Amphitheatre Parkway 1600, 94043 Mountain View, CA, USA (“Google”). In this case a direct connection is established with the Google servers.

A link is established during the login process via Google Sign-In with your Google profile with our mobile app. We receive the following information: Your email address, your stored name, your date of birth, your gender and the stored country. Depending on your privacy settings with Google and any consent you may have given, we will also receive information regarding your surfing behavior, your phone number and possible stored profile pictures with Google.

We only store your email address, in order to be able to distinguish between the individual users and to inform users in the frame of the contract implementation via email (e.g. for a password reset). Your email address is not used for other purposes. All other data transmitted from Google is immediately deleted.

In exchange, we transmit certain data to Google when you “Login with Google”. This can lead to the data transfer to the USA. Google receives your IP address and depending on your settings in your Google account, also information on your surfing behavior.

Google uses Standard Contractual Clauses (SCCs) for the transfer of personal data to the USA. These guarantee an adequate level of data protection with Google according to Article 46 section 2 letter c) GDPR (DSGVO). More information can be found at https://privacy.google.com/businesses/compliance/.

The processing of the above mentioned data is based on Article 6 section 1 sentence 1 letter f) GDPR (DSGVO). We have a legitimate interest in offering our users different registration options, in order to facilitate the use of our mobile app and to make it more user-friendly and comfortable. The data processing is still based on Article 6 section 1 sentence 1 letter a) GDPR (DSGVO) with respect to the provided consent to Google and additionally, on Article 6 section 1 sentence 1 letter b) GDPR (DSGVO), if you decided in favor of this registration option because the processed data is required in order to fulfill the contractual relationship with you.

dd) Login via Apple Account

You can also register via your existing Apple account via the service “Login with Apple”, Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA ("Apple") when using an Apple iOS mobile device. In this case a direct connection is established with the Apple servers.

A link is established during the login process via “Sign-in with Apple” with your Apple profile and our mobile app. We receive the following information: Your email address, your stored name, your date of birth, your gender and the stored country. Depending on your privacy settings with Apple and any consent you may have given, we will also receive information regarding your surfing behavior, your phone number and possible stored profile pictures with Apple. You can determine whether Apple transmits your email address or a pseudonymized, unique email address in your Apple account settings.

We only store your email address, in order to be able to distinguish between the individual users and to inform users in the frame of the contract implementation via email (e.g. for a password reset). Your email address is not used for other purposes. All other transmitted data by Apple is immediately deleted.

In exchange, we transmit certain data to Apple when you “Login with Apple”. This can lead to the data transfer to the USA. Apple receives your IP address and depending on your settings in your Apple account, also information on your surfing behavior.

Apple uses Standard Contractual Clauses for the transfer of personal data to the USA. These guarantee an adequate level of data protection with Apple according to Article 46 section 2 letter c) GDPR (DSGVO). More information can be found at https://www.apple.com/de/legal/privacy/de-ww/.

The processing of the above mentioned data is based on Article 6 section 1 sentence 1 letter f) GDPR (DSGVO). We have a legitimate interest in offering our users different registration options, in order to facilitate the use of our mobile app and to make it more user-friendly and comfortable. The data processing continues to be based on your consent to Apple according to Article 6 section 1 sentence 1 letter a) GDPR (DSGVO) and additionally, if you have decided for this registration option, based on Article 6 section 6 sentence 1 letter b) GDPR (DSGVO), since the processed data is required to fulfill the user relationship with you.

c) User Comments and Contributions

You can write contributions and posts (“challenges”) in the mobile app. These are visible to all registered users of our mobile app or, within closed user groups, only visible privately to their members. It is subject to your free decision whether you publish personal data on our mobile app.

We store your IP address and the time of access based on our legitimate interest according to Article 6 section 1 sentence 1 letter f) GDPR (DSGVO) for a maximum of 7 days. This takes place for a possible use due to safety interest, if i.e. the posts infringe the rights of third parties or illegal content is left behind (i.e. insults, lies, demagogic contents) or in case our technical systems are attacked. The reason is that we can be legally held responsible for comments or contributions or unsafe IT systems. There is no disclosure to third parties, unless such a disclosure is legally indicated or required for legal defense.

d) Other Requests

We will store and process your personal data for the purpose of handling your request, if you contact us via email, phone or fax. This data is not disclosed without your consent. The processing of these data takes place based on article 6 section 1 sentence 1 letter b) GDPR (DSGVO), if your request has to do with the fulfillment of a contract concluded with us or if the implementation of pre-contractual measures is required. Otherwise the processing is based on Article 6 section 1 sentence 1 letter f) GDPR (DSGVO), since we have a legitimate interest in the effective processing of questions directed at us.

Furthermore, we are obliged to process the mentioned data in order to allow for a fast, electronic contact and immediate communication with us according to Article 6 section 1 sentence 1 letter c) GDPR (DSGVO).

Your data is only used for the purpose of processing and answering your question. After the final processing, your data is immediately anonymized or deleted, if no legal storage obligation is in place.

e) Data Processing on the Terminal Device

You must first register via one of the above mentioned forms of registration via a login dialog in order to use our mobile app.

You can retrieve, vote and comment on information about challenges, other users and their comments on the mobile app via mobile communications or WLAN. You can also post own challenges.

Our mobile app processes the above mentioned personal data only for the purpose of using the functions of the mobile app and for the prevention of fraud and abuse and the warranty of the required technical and organizational safety measures.

Legal basis for the processing is Article 6 section 1 sentence 1 letter b GDPR (DSGVO) (fulfillment of contract) and with respect to the fraud and abuse prevention Article 6 section 1 sentence 1 letter c (legal obligation to implement risk-adequate safety measures) and letter f GDPR (DSGVO) (legitimate interests).

f) Data Collection and Processing on the Servers of CHLNGE

All data mentioned under letter b) to e) is encrypted on our secure servers and exchanged with the mobile app. Every transmission to the mobile app is temporarily stored on our secure servers in a protocol file.

The following is stored in this protocol file until the automated deletion has taken place: the IP address of the requesting computer, the date and time of the access, the time zone difference to Greenwich Mean Time (GMT), the name and the URL of the retrieved data, the transmitted data amount, the notification if the retrieval was successful, the content of the request (concrete page), the access status/HTTP status code, the type of used browser and the used operating system, the status and the version of the browser software, the name of the Internet access provider, the URL through which the access takes place (referrer URL) and the device number (IMEI).

The processing of this data takes place in order to facilitate the use of the mobile app, the administration of the network infrastructure, the adequate implementation of technical-organizational measures for IT system and information security considering the state of the art, the provision of user-friendliness of the use and optimization of our mobile app offer.

Legal bases for the above mentioned processing of the contact with our web servers are according to Article 6 section 1 sentence 1 letter b GDPR (DSGVO) (Requirement for the fulfillment of the mobile app usage relationship and their administrators), Article 6 section 1 sentence 1 letter c GDPR (DSGVO) (legal obligation to implement technical-organizational measures to ensure the data processing according to Article 32 GDPR (DSGVO)) and Article 6 section 1 sentence 1 letter f GDPR (DSGVO) (legitimate interest in processing data for the network and information security) and Article 6 section 1 sentence 1 letter f GDPR (DSGVO) (legitimate interests in the user-friendly design and optimization of our offer).

The above mentioned data is deleted from the server, after a pre-defined period, which will maximally be 7 days. IP addresses are deleted at the latest after this time or anonymized through abbreviation. Your data is anonymized or deleted, if your data does not need to be stored for the respective purpose or processed longer for the purpose of abuse or fraud prevention or in concrete security incidents.

Your data is otherwise deleted from the servers of CHLNGE, if you request this of us and the legal stipulation of Article 17 GDPR (DSGVO) is present. Statutory storage obligations remain untouched thereof.

g) Deletion of Personal Data

You can use the delete function in your user account, if you would like to delete personal data. After the use of the delete function, no personal data is stored on the mobile app and on our servers. Statutory storage obligations remain untouched thereof. The deinstallation of the mobile app does not lead to the deletion of personal data from our servers. We will remind you to use your user account or to delete it, should you not use it for an extended period of time.

h) No Further Processing

Personal data is not processed beyond the above mentioned cases, except if you expressly and voluntarily agree beforehand to further processing for instance for the receipt of a newsletter or for the purpose of personalized advertisement.

3. Transfer to Third Parties, Processors, Recipient Categories

The transmission of your personal data to third parties, i.e. natural or juristic persons other than you (person concerned), the responsible person (CHLNGE), the processor and the persons who, under the direct authority of the responsible person or the processor, are authorized to process personal data, only takes place for the following reasons:

● You have given your express and voluntary consent according to Article 6 section 1 sentence 1 letter a GDPR (DSGVO),

● The transmission is required for the handling of contract relationships with you for instance to suppliers or recipients of goods or services according to Article 6 section 1 sentence 1 letter b GDPR (DSGVO).

● There is a legal requirement to transmit the data according to Article 6 section 1 sentence 1 letter c GDPR (DSGVO), for instance to financial or law enforcement authorities.

● The transmission is necessary according to Article 6 section 1 sentence 1 letter f GDPR (DSGVO) for the assertion, exercise or defense of legal claims and there is no reason to believe that you have an overriding interest in the non-disclosure of your data; such a transmission can take place for instance in the case of an attack on our IT systems to state institutions and law enforcement authorities.

As described above, we have commissioned Facebook, Google and Apple as processors for the various registration options according to Article 28 GDPR (DSGVO). Google LLC, Amphitheatre Parkway 1600, 94043 Mountain View, CA, USA, furthermore stores the mobile app and user data for CHLNGE on Google servers worldwide.

CHLNGE remains responsible for the data protection even in the involvement of processors.

There is no adequate data privacy level in the sense of the GDPR (DSGVO) in third countries outside of the European Economic Area such as for instance the USA, inter alia, due to the possible access to personal data by local law enforcement authorities. There is no adequacy decision of the European Commission for the USA as a country. CHLNGE has however concluded an EU standard data protection clause with Apple and Google in the sense of Article 46 section 2 letter c) GDPR (DSGVO), which can be requested as a copy at privacy[at]chlnge.app and which, in conjunction with Apple’s and Google’s technical and organisational security measures, creates an adequate data privacy level at Apple and Google.

4. Reach Measurement and Analysis

Similar to the use of Cookies on websites, our mobile app stores sets of data on your mobile terminal device and our web servers that can be retrieved from the mobile app again later. These particularly serve the improvement of the performance and the optimization of our mobile app.

Our mobile app uses Google Analytics for Firebase, a web analysis service by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043 (“Google”), https://firebase.google.com/. Google Analytics for Firebase allows us to analyze the use of our offer. The collected data helps us to better understand the use of the mobile app by our users and to improve the offer.

All IP-addresses are only transmitted to Google and stored in an anonymous form. Therefore the collected data cannot be used to personally identify persons.

Google Analytics for Firebase still uses an advertising ID. You can restrict their use in the settings of your mobile device (for Android: Settings – Google – Advertising – reset advertising IDs; for iOS: Settings – Data privacy – Advertising – No Ad-Tracking). Personal data is not stored then.

In addition, we use Firebase Remote Config. This allows us to carry out A/B tests and adapt the behavior and appearance of the mobile app without the need of downloading a new version.

Google uses Standard Contractual Clauses (SCCs) for the transfer of personal data to the USA. These guarantee an adequate level of data protection with Google according to Article 46 section 2 letter c) GDPR (DSGVO). More information can be found at https://privacy.google.com/businesses/compliance/. The subcontractors that Google uses in the frame of Google Analytics for Firebase can be seen at the following link: https://firebase.google.com/terms/subprocessors.

Further information about Google Analytics for Firebase and Data Protection can be found here: https://www.google.com/policies/privacy.

Legal basis for the use of Google Analytics for Firebase is Article 6 section 1 sentence 1 letter f) GDPR (DSGVO) (i.e. our legitimate interest in the analysis, optimization and the economic operation of our mobile app).

5. Access Right to the Terminal Device

In the frame of the above described processing purposes, the mobile app has the following access rights to your terminal device: Internet connection, WLAN, mobile communications, web browser components, keyboard, camera, microphone, access to the gallery, write access to files.

6. Data Subject Rights

You have the right:

7. Right of Objection

If your personal data is processed based on legitimate interest according to Article 6 section 1 sentence 1 letter f) GDPR (DSGVO), you have the right to objection according to Article 21 GDPR (DSGVO) against the processing of your personal data, if there are reasons resulting from a special situation or the objection is against direct advertising. In the last case, you have a general right of objection that is implemented by us without the statement of a special situation.

You can contact us under the above mentioned contact data and send for instance an email, if you would like to make use of your right of cancellation or objection.

8. Data Security

We use adequate technical and organizational measures to secure data processing, particularly to protect your data from random or intentional manipulations, loss, and destruction or against the access of unauthorized persons. We take into account the state of the art. Our security measures are continuously adapted to an adequate extent in accordance with the technological development.

We continue to use the commonly used SSL procedure (Secure Socket Layer) in connection with the highest encryption level that is supported by your terminal device for the communication of the mobile app. It usually is a 256 bit encryption. Our data processor for the web hosting, Google LLC, is additionally certified according to ISO 27001. The same applies to Facebook and Apple.

We additionally ensure that the access to and the processing of personal data only takes place at our direction and that all involved parties are bound by an obligation to confidentiality and are respectively trained.

We would like to inform you that the confidentiality of transmitted information cannot be ensured, should you contact us via unencrypted email. The content of unencrypted emails can be viewed by third parties. We therefore recommend sending confidential information via mail.

9. Links to Offer of Other Providers

Our app may contain links to offers of other providers. We point out that this Data Privacy Information is exclusively valid for the mobile app CHLNGE. We do not have influence on and do not check, whether other providers adhere to valid data privacy rules.

10. Inclusion, Validity and Topicality of Data Privacy Information

You agree to the above described use of data with the installation and use of our mobile app. Otherwise, the installation and use is not permitted.

This Data Privacy Information is valid and dated as of August 12, 2020.

It may be necessary to change the Data Privacy Information for the future due to changed legal framework conditions, further development of our mobile app, the implementation of new technologies or due to changed legal or official requirements. The valid Data Privacy Information can be retrieved, stored or printed off in the user configurations of our mobile app.

11. Children and Adolescents

Minor users may not transmit personal data without the consent of their legal guardians.

12. Severability Clause

Should single provisions of the Data Privacy Information be or become partially or fully invalid or unenforceable, the validity of the other provisions shall not be affected thereby. The same applies in case of loopholes.