With the following data protection information we would like to inform you which types of your personal data (hereinafter "data") we process for which purposes and to what extent. The data protection information applies to the processing of personal data carried out by us, in particular on our product website "cardess", in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer"), on which we present our product "cardess".
MCON Germany GmbH
Mettlacher Strasse 5
Telephone: +49 (0)40 806008 100
Fax: +49 (0)89 36487 9637
Authorized representative: Günther Kreuzpaintner, Sören Malchow (management)
Contact Data Protection Officer
MCON Germany GmbH
- Data Protection Officer -
Mettlacher Strasse 5
Relevant legal bases
In the following we inform you about the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process the personal data. In addition to the regulations of the GDPR, the national data protection regulations apply in your or our country of residence and headquarters. If, in individual cases, more specific legal bases may be relevant, we will inform you of them below.
Appropriate technical and organizational measures are taken in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk.
The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, securing availability and their separation. In addition, procedures have been set up to ensure that the rights of data subjects are exercised, data is deleted and reactions to data threats are made. Furthermore, the protection of personal data is already taken into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
Shortening of the IP address: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address will be shortened (so-called "IP masking"). The last two digits of the IP address are removed or replaced by placeholders. The purpose of shortening the IP address is to prevent or make it much more difficult to identify a person based on their IP address.
SSL encryption (https): In order to protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of the browser.
Provision of the online offer and web hosting
In order to be able to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed as part of the provision of the hosting offer may include all information relating to the users of our online offer that arises in the course of use and communication. This regularly includes the IP address, which is necessary in order to be able to deliver the content of online offers to the browser, and all entries made within our online offer or on websites.
E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as other information regarding the e-mail dispatch (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data can also be processed for SPAM detection purposes. We ask you to note that e-mails are generally not sent in encrypted form on the Internet. As a rule, e-mails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, we cannot accept any responsibility for the transmission path of the e-mails between the sender and receipt on our server.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data for each access to the server (so-called server log files). The server log files can include the address and name of the retrieved websites and files, date and time of retrieval, amounts of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used on the one hand for security purposes, e.g. to avoid overloading the server (especially in the case of abusive attacks, so-called DDoS attacks) and on the other hand to ensure server utilization and stability.
Types of data processed: content data, usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: users (e.g. website visitors, users of online services).
Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
Services and service providers used:
Amazon Web Services (AWS): services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity);
Service Provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA;
Website: https://aws.amazon.com/de/ ;
Web analysis, monitoring and optimization
The web analysis (reach measurement) serves to evaluate the flow of visitors to our online offer and can include behavior, interests or demographic information about the visitors, such as age or gender, as pseudonymous values. With the help of reach measurement, we can, for example, recognize the time at which our online offer or its functions or content are used most frequently or invite users to reuse them. We can also understand which areas need optimization.
In addition to web analysis, we can also use test procedures, for example to test and optimize different versions of our online offering or its components.
For these purposes, so-called user profiles can be created and stored in a file (so-called "cookie") or similar processes can be used for the same purpose. This information can include, for example, content viewed, websites visited and elements used there and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this can also be processed depending on the provider.
The IP addresses of the users are also saved. However, we use an IP masking process (i.e. pseudonymization by shortening the IP address) to protect users. In general, no clear user data (e.g. e-mail addresses or names) are stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that we and the providers of the software used do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective process.
Types of data processed: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: users (e.g. website visitors, users).
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: Consent (Art. 6 Para. 1 lit. a GDPR), legitimate interests (Art. 6 Para. 1 lit. f GDPR).
Services and service providers used:
Matomo: The information generated by the cookie about your use of this website is only stored on our server and is not passed on to third parties; Web analysis / reach measurement in self-hosting;
Service provider: MCON Germany GmbH
Website: https://matomo.org/ ;
Deletion of data: The cookies are stored for a maximum of 13 months.
Presence in social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.
We would like to point out that user data can be processed outside the EU/EEA area. This can result in risks for the user because, for example, the enforcement of user rights could be made more difficult.
Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, usage profiles can be created on the basis of usage behavior and the resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of the user. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and the interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and the possibility of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.
Also in the case of requests for information and the assertion of data subject rights, we would like to point out that these must be asserted directly with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly.
Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: users (e.g. users of online services).
Legal basis: Legitimate interests (Art. 6 Para. 1 lit. f GDPR).
Services and service providers used:
LinkedIn: Social Network;
Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
Website: https://www.linkedin.com ;
Objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .
YouTube: social network and video platform;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Possibility of objection (opt-out): https://adssettings.google.com/authenticated .
Newsletters and electronic notifications
We send newsletters, e-mails and other electronic notifications (hereinafter "newsletters") only with the consent of the recipient or legal permission. If the content of a newsletter is specifically described, that description is decisive for the consent of the user. Otherwise, our newsletters contain information about our services and us.
In order to register for our newsletter, it is generally sufficient if you enter your e-mail address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registration you will receive an e-mail in which we ask you to confirm your registration. This confirmation is required so that nobody can register with someone else's email address. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the shipping service provider are also logged.
Deletion and restriction of processing: We can store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we delete them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist for this purpose alone.
The registration process is logged on the basis of our legitimate interests for the purpose of proving that it was carried out properly. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure shipping system.
Notes on the legal basis: The newsletter is sent on the basis of the consent of the recipient or, if consent is not required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of advertising for existing customers. If we commission a service provider to send emails, this is done on the basis of our legitimate interests. Appropriate agreements for the protection of personal data and lawful processing have been concluded with the service provider (order processing agreement). The registration process is recorded on the basis of our legitimate interests to demonstrate that it has been carried out in accordance with the law.
Content: Information about us, our services, promotions and offers.
Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).
Affected persons: communication partners.
Purposes of processing: direct marketing (e.g. by e-mail, SMS or post).
Legal bases: Consent (Art. 6 Para. 1 lit. a GDPR), legitimate interests (Art. 6 Para. 1 lit. f GDPR).
Possibility of objection (opt-out): You can stop receiving our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to unsubscribe from the newsletter at the end of each newsletter or you can use one of the contact options given above, preferably email.
Services and service providers used:
Twilio: Cloud communication platform as Platform as a Service (SMS sending). The electronic notifications can also be sent as SMS text messages (or are sent exclusively via SMS if the authorization to send, e.g. consent, only includes sending via SMS).
Service Provider: Sendgrid, 1801 California Street Suite 500, Denver, CO 80202, USA.
Sendgrid: email marketing platform; Sending newsletters and analysis.
The data you enter for the purpose of receiving the newsletter will be stored on the Sendgrid servers. For the purpose of analysis, the e-mails sent with Sendgrid contain a so-called “tracking pixel” that connects to the Sendgrid servers when the e-mail is opened. In this way it can be determined whether a newsletter message has been opened. Furthermore, we can use Sendgrid to determine whether and which links in the newsletter are clicked on. All links in the message are so-called tracking links that can be used to count your clicks. If you do not want an analysis by Sendgrid, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link at the end of each newsletter. Duration of storage: The data you have stored with us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter distribution list and will be deleted both from our servers and from the Sendgrid servers after you have unsubscribed from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the members' area) remain unaffected.
Service Provider: Sendgrid, 1801 California Street Suite 500, Denver, CO 80202, USA.
Transmission and disclosure of personal data
As part of our processing of personal data, it may happen that the data is transmitted to other bodies, companies, legally independent organizational units or persons or that it is disclosed to them. The recipients of this data can include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In this case, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfers within the organization: We may transfer personal data to other entities within our organization or allow them access to this data. If this transfer takes place for administrative purposes, the transfer of the data is based on our legitimate corporate, association and business interests or takes place if it is necessary to fulfill our contractual obligations or if the consent of the person concerned or legal permission is available.
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as your consent to processing is revoked or other permissions are no longer applicable (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose).
If the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted to these purposes (so-called blocking). This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
You will be informed about further storage periods as part of this data protection notice.
Commercial and Business Services
We process the data of our contractual and business partners, e.g. customers and interested parties (contractual partners) in the context of contractual and comparable legal relationships and related measures and in the context of communication with the contractual partners (or pre-contractual), e.g. to answer inquiries about our product.
We process this data to fulfill our contractual obligations, to safeguard our rights and for the purposes of the administrative tasks associated with this information and the corporate organization. We only pass on the data of the contractual partners to third parties within the framework of the applicable law insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations (e.g. to telecommunications services involved and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities) or with the consent of the persons concerned. The contractual partners will be informed about other forms of processing, e.g. for marketing purposes, within the framework of this data protection notice.
We inform the contracting parties which data is required for the aforementioned purposes before or as part of the data collection, e.g. in online forms or in person.
We delete the data after statutory warranty and comparable obligations have expired, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. for as long as it has to be kept for legal archiving reasons (e.g. usually 10 years for tax purposes). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.
Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Customer account: Contractual partners can create an account within this online offer (customer account). If it is necessary to register a customer account, contractual partners will be informed of this as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration and subsequent registrations and uses of the customer account, we store the IP addresses of the customers together with the access times in order to be able to prove the registration and to prevent any misuse of the customer account.
If the customer order is terminated, e.g. by termination, the data relating to the customer account will be deleted, subject to their retention being required for legal reasons. It is the customer's responsibility to back up their data upon termination of the customer account.
Offer of software and platform services: We process the data of our users, registered users and any test users in order to be able to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our offer and to be able to develop it further. The information required is marked as such within the framework of the conclusion of the contract, order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations.
Further information on commercial services: We process the data of our customers and clients in order to enable them to select, purchase or commission the selected services or works and related activities as well as their payment and delivery or execution or provision.
The information required is marked as such within the framework of the conclusion of the contract, order or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any consultations.
Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject matter of contract, contract history), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Affected persons: Interested parties, business and contractual partners.
Purposes of processing: provision of contractual services and customer service, contact requests and communication, office and organizational procedures, management and response to requests, security measures.
Legal basis: Fulfillment of contract and pre-contractual inquiries (Art. 6 Para. 1 lit. b GDPR), legal obligation (Art. 6 Para. 1 lit. c GDPR), legitimate interests (Art. 6 Para. 1 lit. f GDPR).
Linking of third-party offers and services
On our website we also refer to other websites, for example those of our partners. When calling up these third-party offers, we have no influence on how the provider handles your data. Please find out more about this in their data protection declaration.
We also integrate services from other providers on our website that we consider useful. If data collected about you is processed or used when you use it, this only happens if you enter data yourself. The contact person for this ("responsible person") is the respective provider. The data protection declaration of the respective provider applies to the use and processing of your data.
Rights of data subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right of objection: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
Right of withdrawal for consent: You have the right to withdraw your consent at any time.
Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
Right to rectification: In accordance with legal requirements, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
Right to deletion and restriction of processing: You have the right, in accordance with the legal requirements, to request that data concerning you be deleted immediately, or alternatively to request a restriction of the processing of the data in accordance with the legal requirements.
Right to data portability: You have the right to receive the data that you have provided to us in accordance with the legal requirements in a structured, common and machine-readable format or to request that it be transmitted to another person responsible.
Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, in particular in the member state of your usual place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR. The responsible supervisory authority for MCON Germany GmbH: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach.
Change and update of the data protection information
We ask you to inform yourself regularly about the content of our data protection information. We adapt these if changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide contact information of companies and organizations, please note that the addresses can change over time; we ask you to check the information before contacting us.
The above data protection notices refer to the "cardess" product from MCON Germany GmbH (see responsible person). For more information on data protection, please read here: https://www.mcon.net/privacy-statement
As of February 10, 2021