Storykids photo books

Data Protection Policy

Controller

This data protection policy applies to the processing of data by the controller:

Storykids GmbH
Managing director: Jonathan Lavigne
Brunnenstrasse 155
10115 Berlin
E-Mail: data@storykids.com

Collected Data and Regulations

We process data pursuant to

  • Art. 6 para. 1 sentence 1 lit. a GPDR in conjunction with Art. 7 GDPR
  • Art. 6 para. 1 sentence 1 lit. b GDPR
  • Art. 6 para. 1 sentence 1 lit. c GDPR
  • Art. 6 para. 1 sentence 1 lit. f GDPR

We collect traffic data or meta/communication and usage data whenever you access our app and website. This is necessary to be able to present the offer itself respectively in the appropriate form and with corresponding performance.

Registration requires personal data (name, e-mail address and the recipient's address).

If you use the "Connect with Facebook" function to register, data will be synchronized between us and Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook") for the purpose of accessing the site. We solely collect the information listed hereafter: e-mail address. In addition, you consent to Facebook's collection of the information you provide to us. For details on Facebook's privacy policy, please refer to Facebook's Privacy Policy: (https://www.facebook.com/policy.php).

For the purpose of delivery we collect shipping addresses. You are responsible for ensuring that the data of third parties may also be shared with us in this regard. The shipping addresses are collected and used solely for the fulfillment of the contract.

We use the data provided by you for the fulfillment and processing of your order with your consent; in this context, we only pass on data required for delivery or contract processing to third service providers.

If you contact us, we will use the data provided by you for processing your request based on our legitimate interest, Art. 6 para. 1 sentence 1 lit. f GDPR. After answering your request, we will delete the data, unless it is necessary for contract fulfilment or other reasons.

Statistical Analysis

We archive anonymised data on the usage of our service (e.g. also about the provided image files), to improve our product based on our legitimate interest in doing so.

Transfer to Processors and Third Parties

If any data is disclosed to, transmitted to or otherwise accessed by other parties (data processors or third parties) during processing, we will only act on the basis of legal permission (e.g. if a transmission of the data to third parties, such as payment, printing or shipping service providers, is required under Art. 6 para. 1 sentence 1 lit. b GDPR), you have given your consent, there is a legal obligation to do so or based on our legitimate interests (e.g. when using agents, web hosts, etc.), Art. 6 para. 1 sentence 1 lit. f GDPR.

We solely authorise third parties to process data based on a Data Processing Agreement in accordance with Art. 28 GDPR.

Transmission to Third Countries

The processing of data in third countries (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the use of third-party services or the disclosure or transmission of data to third parties is only permitted to the extent necessary to fulfil (pre-)contractual obligations, based on your consent, a legal obligation or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only under the special prerequisites of Art. 44 ff. GDPR.

We are using service providers in the US that have submitted to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). The status of the relevant service provider can be verified on that website.

Payment Service Provider

For the processing of payments we use the payment services provider Stripe (Stripe Payments Europe, Ltd.). The processing occurs for the purpose of contract performance, in our legitimate interest and based on your consent. The data will be synchronised or transferred to process the payment. The payment services provider collects your data required to process the payment and may as necessary use the data within this limited scope to conduct credit rating and know your customer checks. We will only be provided with information regarding the status of your payment. Please refer to the payment services provider's privacy policy for further details: https://stripe.com/de/privacy.

Administration and Accounting

As part of our business activities, we continuously use providers to handle administrative and organisational tasks. All data collected by us, but in particular contract and payment data, may be affected. To the extent required by data protection regulations, we share such data on the basis of Data Processing Agreements. The processing is based on our legitimate interest.

Hosting

We use external hosting providers for our website and app. Upon visiting our website, these providers receive, traffic data or meta/communication and usage data. This primarily serves our legitimate interest in offering and improving our services within the scope of Art. 6. para. 1 sentence 1 lit. f GDPR.

We use Google App Engine and Google Cloud Storage from Google LLC (USA) ("Google") as external hosting providers. Information about the use of the data by Google as well as the setting and objection possibilities can be found in the privacy policy of Google: https://policies.google.com/privacy.

Printing/ Production

We have enganged a third party to print photo albums as part of our service. The tranfer of your data, image files and recipients is necessary for contract performance in this regard and the use of a third party provider is also based on our legitimate interest. We limit access to such data extent necessary for contract performance and restrict the data use accordingly.

Customer Support

We use the website and customer relations management app of Zendesk Inc, 989 Market Street #300, San Francisco, CA 94102, USA (“Zendesk") (https://www.zendesk.com/company/customers-partners/privacy-policy/) to process support and customer inquiries.

This entails the collection of personal data which our users provide themselves in the messages and use for their communication (e.g. e-mail address, concerns, etc.) as well as cookies and usage data.

The submitted and transmitted data will only be used to answer the individual request. Depending on your request, this may serve contract performance in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR as well as our legitimate interest within the meaning of Art. 6 para. sentence 1 lit. f GDPR in effective and efficient processing and answering of your request.

Newsletter

We use the service provider The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (“MailChimp") (https://mailchimp.com/legal/privacy/) for our newsletters. Subscription requires your express consent. We will only transmit your name and e-mail address to MailChimp to provide you with a regular, user-friendly newsletters for information purposes and with respect to current events. You can unsubscribe from the newsletter at any time and use the link provided for this purpose in the newsletter.

MailChimp uses the data (e.g. time at which messages were viewed, clicks on links) in a pseudonymized form for the sole purpose of sending and statistically evaluating the newsletter on our behalf, to improve and adapt our product and to optimize the service itself.

Cookies and Google Firebase

We use Google Firebase from Google LLC (USA) ("Google") to analyse and categorise user groups. Information on the usage of Google's data within Firebase as well as the possibilities for preferences and objections can be found in the data protection policy (https://firebase.google.com/terms/data-processing-terms/) and from Google (https://policies.google.com/privacy).

Both we and third parties assigned by us also use cookies. Cookies are small and temporary packets of data stored on your device. We use cookies to enable the full use as well as to improve and personalise our online services, e.g. to automatically provide the website operator with specific data about your device and internet connection, based on our legitimate interest. You can check the respective storage period in the system of your device.

You may also use the website without cookies. Stored cookies can be deleted in the system settings of your browser. The settings for deactivation can be found in the system settings of your browser or device. Deactivating the cookies may limit the use of the website.

The collection of data accessing the website and app and the use of cookies is based on your given consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

Rights of the data subject

You have the right

  • pursuant to Art. 15 GDPR to obtain from the controller confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the information;
  • pursuant to Art. 16 GDPR to obtain rectification of inaccurate personal data concerning yourself;
  • pursuant to Art. 17 GDPR to erasure (‘right to be forgotten’);
  • pursuant to Art. 18 GDPR of restriction of processing;
  • pursuant to Art. 20 GDPR of data portability (receiving and transmitting);
  • pursuant to Art. 21 GDPR to object to processing personal data on the grounds of your particular situation;
  • pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority.

Right to withdrawal and objection

You have the right to withdraw your consent pursuant to Art. 7 para. 3 GDPR at any time to the future.

You have the right to object at any time to the future processing of the data relating to you and your situation pursuant to Art. 21 GDPR. You may object in particular to the processing for the purpose of direct marketing.

Deletion of data

All data will be deleted within a reasonable timeframe when the intended purposes have been achieved. This is subject to regular review.

The direct deletion is regularly opposed by legal retention obligations, in particular sections 147 para. 1 German Fiscal Code, 257 para. 1 items 1 and 4, para. 4 German Commercial Code (10 years) and section 257 para. 1 items 2 and 3, para. 4 German Commercial Code (6 years).

Unless the data has not been deleted because it is necessary for other and legally permitted purposes, its processing will be restricted with the result that the data will be blocked from general access and not processed for other purposes.

Safety Measures

We transmit your sensitive data securely through encrypted connections. We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. We continuously improve our security measures in line with technological developments.

Status

The data protection policy is up to date and effective as of March 2019.

As a result of ongoing developments of our services online or due to changes in legal or official stipulations, amendments to the data protection declaration may be necessary. The current data protection declaration can be accessed at any time on the website and in the app and can be printed out and saved to your device.

By using this website you agree to the use of cookies. For more information, read our privacy policy