In this Privacy Notice, we inform you about the processing of personal data when using our website or our services.

Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the device you are using.

1. Responsible Person and Contact Person

The contact person and data controller for the processing of your personal data when you visit this website is

Fotografen Online Service GmbH
Hausvogteiplatz 12
10117 Berlin

E-mail: privacy@gotphoto.com

If you have any questions about data protection in connection with our services or the use of our website, you can contact us at any time using the above mentioned email address.

2. Data Storage and Integration

2.1 AWS Aurora and AWS DynamoDB

We use AWS Aurora and AWS DynamoDB from Amazon Web Services EMEA Sarl, 38 John F. Kennedy, L-1855, Luxemburg (“AWS”) to store your data. These databases may store the following information:

• Your details: email address, phone number (if applicable), first name, last name
• Subject details: first name, last name, group/grade, teacher, gender, birthdate, organization, address
• Order details: Billing address, purchased products and photos, order amount, order date, delivery address
• Technical data: IP Address, User-Agent / Browser Information, Operating System, Referrer URL, Cookies, Timestamp, Session ID
• Data analytics: location (based on IP address), device/browser information, where did they come from (referral), user behavior and events (clicks, scrolls, session recordings, task completion, etc)

Data processing by AWS is necessary to provide you with the secure storage of your data.

The AWS Data Processing Addendum (https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf) is incorporated into the AWS service terms.

Further information can be found in AWS’ privacy policy at https://aws.amazon.com/privacy/.

2.2 Snowflake

We use Snowflake provided by Snowflake Computing Netherlands B.V., FOZ Building, Gustav Mahlerlaan 300-314, 1082 ME Amsterdam, Netherlands (“Snowflake”) as a data warehouse. Snowflake enables us to securely store and analyse all data.

All data in Snowflake is anonymized and encrypted.

Further information can be found at https://www.snowflake.com/privacy-policy/.

2.3 Airbyte

Airbyte provided by Airbyte, Inc., 2261 Market Street, Suite 4381, San Francisco, CA 94114, United States (“Airbyte”) is a powerful data integration engine that enables us to consolidate all of the data processed and stored in the databases and data warehouse listed above.

For our core data we have deployed the self-managed version of Airbyte in our own infrastructure. The data does not leave our servers and Airbyte has no access to any of the data processed.

2.4 Metabase

Metabase provided by Metabase, Inc., 9740 Campo Rd. Suite 1029, Spring Valley, CA 91977 (“Metabase”) is a data intelligence tool that we use to visualize data, gain insights from such data and share the corresponding reports with our team for collaborative data analysis.

We self-host Metabase on our servers and Metabase has no access to any of the data processed.

Further information on data processing by Metabase can be found at https://www.metabase.com/privacy-policies.

2.5 Wiz.io

We use the Wiz.io cloud security platform, provided by Wiz, Inc. 395 9th Avenue, Floor 52, New York, NY 100001, United States (“Wiz”), to monitor and secure our cloud infrastructure. Wiz enables us to detect vulnerabilities, misconfigurations and potential security risks in the environments where our systems and customer data are hosted.

When operating, Wiz may process the following personal data of our customers:

• Security and access metadata: identifiers contained in system logs, which may indirectly reference customer data.
• System and infrastructure data: cloud resource identifiers that point to customer data storage.
• Scan results and classifications: metadata about security issues and data exposure (e.g. whether a storage bucket or database may contain personal data such as names, contact details, or photographic images).
• Customer and end-customer personal data: Wiz Sensitive Data Scanning may scan and classify files containing personal data that we process for our customers. Wiz does not copy or permanently retain the full contents of such files but may store metadata and limited redacted snippets to enable classification and verification.

We use Wiz for the following purposes:

• To protect our IT systems and the personal data we process on behalf of our customers.
• To identify and remediate vulnerabilities, misconfigurations, and accidental data exposure.
• To comply with our legal obligation under UK GDPR to implement appropriate technical and organisational measures to protect personal data.

We have concluded a data processing agreement with Wiz.

3. Data Processing on our Website

3.1 Accessing our Website / Technical Information

Each time you use our website, we collect technical information that your browser automatically transmits to enable you to visit the website. This technical information consists of the so-called HTTP header information, including the user agent, and includes in particular

• IP address of the requesting device,
• Method (e.g. GET, POST), date and time of the request,
• Address of the requested website and path of the requested file,
• if applicable, the previously accessed website/file (HTTP referrer),
• Information about the browser and operating system used,
• Version of the HTTP protocol, HTTP status code, size of the delivered file,
• Request information such as language, type of content, encoding of content, character sets,
• If applicable, the user name applied for authentication in the case of directory password protection.

The processing of this technical information is absolutely necessary to enable your visit of the website, to ensure the permanent functionality and security of our systems and to maintain our website. The technical information is temporarily stored in internal log files for the purposes described above, limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal access that jeopardises the stability and security of our website. For these storage purposes your IP address will be anonymised immediately.

3.2 Contact

You have several options to contact us. These include email, telephone, our contact form and our live chat. In this context, we process data exclusively for the purpose of communicating with you.

The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need this data to fulfil contractual or legal obligations (see section 9 “Storage period”).

3.2.1 Contact Form

The contact form, which can be accessed via our Help Centre (https://help.gotphoto.com/hc/de), is provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States, who process your data on our behalf. We have a data processing agreement in place with Freshworks Inc.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

3.2.2 Live Chat (HubSpot)

Our live chat, which is used to improve communication with website visitors, is provided by HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (“HubSpot”).

In order to answer live enquiries, the chat content you provide is collected and stored for the duration of the chat. We only collect your email address and telephone number, if you voluntarily provide them to us and give us permission to contact you subsequently. The chat will be deleted immediately as soon as the chat conversation has ended.

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

3.3 Registration for Photographers

You have the option to register for a user account in order to use the full range of functionalities of our software and to operate a photography online shop via our platform.

The data fields first and last name, the selection criteria (professional or amateur photographer or photo order), email address, telephone number (optional), desired domain or shop name must be provided by you. Registration is not possible without the provision of this data.

For the operation of the online shop we collect further data if this is necessary for the fulfilment of the contract between us.

3.4 Orders

Photographers have the option to order software licences or physical products in our online shop. During the ordering process we collect the mandatory information required to fulfil the contract:
First name and surname,
Email address,
Telephone number,
Billing and shipping address.

3.5 Newsletter

You have the option to subscribe to our newsletter, in which we regularly inform you about webinars, new guides, innovations to our products and promotions.

We will only send you newsletters if we have your express consent in accordance with Canada’s Anti-Spam Law (CASL). Consent is usually obtained through our website sign-up form or another clear opt-in method. You can unsubscribe from the newsletter at any time. An unsubscribe link is included in every newsletter. You may also withdraw your consent by contacting us at the details provided above or in the newsletter (e.g. by email or letter).

3.6 Advertising to Existing Customers by Email

If you register for a user account or make a purchase from us, we will also use your contact details to send you further information about our products and services by email. This may include news, promotions and offers as well as feedback and other surveys.

These communications are permitted under CASL where we have an existing business relationship with you. You can opt out of receiving such emails at any time by clicking the unsubscribe link in the message or by contacting us at the details provided above (e.g. by email or letter).

3.7 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.

You can object to receiving a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter) without incurring any costs other than the transmission costs according to the basic rates.

3.8 Contests

In the context of contests, we use your data for the purpose of organising the contest and notifying the winners. Detailed information can be found in the terms and conditions for the respective contest.

4. Use of Tools on the Website or to Provide our Services

Our website and services comprise a range of applications and features (collectively “tools”), that are provided either by us or by third parties.

The tools we use are listed below organised by category. We inform you about the providers of the tools, the personal information collected and any disclosure to third parties. We also explain to you in which cases we obtain your consent to use the tools and how you can withdraw this consent at any time.

4.1 Technologies Used

Some of the tools used on this website or within our services rely on technologies that enable the storage of, or access to, information on your device, including:
Cookies: Information stored in the browser, consisting of a cookie name, a value, the storing domain and an expiry date. So-called session cookies are deleted after the session, while other cookies are deleted after the specified expiry date. Cookies can also be removed manually.

• Local Storage / Session Storage: Information stored in the browser, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored. Information in local and session storage can also be removed manually.
• Fingerprints: Profile stored by a service, created on the basis of automatically transmitted connection information (“passive fingerprinting”) and/or by retrieving the information through scripts (“active fingerprinting”) (in particular IP address, information about end user device, browser, plugins/add-ons, operating system, language, time zone, scripts, fonts, screen resolution, time of access). Fingerprints make it possible to recognise visitors. They cannot be prevented completely. However, active fingerprinting can be reduced or prevented by blocking scripts. In this case, however, most services will no longer work.
• Pixel/ web beacon: A graphic automatically loaded by a service which makes it possible to recognise visitors or, for example, to determine when an email has been opened. Similar to fingerprints, information can be retrieved and profiles can be created. The use of pixels can be prevented by blocking images in emails.
  Information about the cookies we use can be found in our cookie declaration at https://www.gotphoto.com/cookie-declaration/. This cookie declaration is automatically generated by Usercentrics.

4.2 Data Processing, Consent and Withdrawal

4.2.1 Necessary and Optional Data Processing

We use tools strictly necessary for the operation of our website and the provision of our services. These are used in order to customize the use of our website and to make it as convenient and time-saving as possible. In certain cases, such tools may also be required for the performance of a contract or for taking steps prior to entering into a contract. In these situations, access to and storage of information on your device is essential.

We also use other tools, for instance tools to improve the user experience on our website and to offer you more functions and tools for statistical recording and analysis of general user behavior. In these cases, we obtain your consent before using such tools and you can decline or withdraw your consent at any time.

Some tools may involve processing personal information outside of Canada. More information is provided in section 8 “Data Transfer to Third Countries”.

4.2.2 Obtaining Your Consent

We use the Cookiebot tool from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Usercentrics”) to obtain and manage your consent. The tool generates a consent banner that informs you about the data processing on our website and gives you the opportunity to consent to all, individually elected or no data processing when using optional tools. This banner appears the first time you visit our website and when you call up the selection of your settings again in order to change or revoke your consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookies or information in Usercentrics’ local storage have been deleted or have expired.

When you visit our website, your consent or withdrawal, your IP address, information about your browser, your device and the time of your visit are transmitted to Usercentrics. Usercentrics also stores the necessary information on your device in order to retain the consents and withdrawals you have given. If you delete your cookies or information in local storage, we will ask you for your consent again when you visit the site at a later date.

4.2.3 Withdrawing Your Consent or Changing Your Selection

You can withdraw your consent given for certain tools at any time. To do so, click on the following button:

Change cookie settings

By clicking the button you can also change the selection of tools you wish to consent to and obtain additional information on the tools used. Alternatively, you can withdraw your consent for the use of certain tools directly with the provider.

You may withdraw your consent at any time. Withdrawal will take effect going forward and does not affect processing that has already occurred.

4.3 Essential Tools

We use certain tools to enable the basic functions of our website (“essential tools”). Without these tools, we would not be able to provide our service. For this reason, the use of essential tools does not require explicit consent. By using our website and services, you agree to the use of essential tools.

4.3.1 Google Tag Manager

Our website uses Google Tag Manager, a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by Google Tag Manager with your consent.

Google collects information about the tags integrated through our website for the purpose of ensuring stability and functionality for the use of Google Tag Manager, but generally no personal data is collected, in particular no data about user behaviour, the IP address or the pages visited.

We have concluded a data processing agreement with Google Ireland Limited.

Further information can be found in Google’s privacy policy.

4.3.2 Freshdesk (HelpCentre)

We use Freshdesk provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States (“Freshworks”) for our HelpCentre.

In our HelpCentre you can, for example, ask questions about our services, the website or our company and leave us a comment.

When using Freshdesk, the IP address of the device and the address of the subpage from which you access Freshdesk are recorded. Moreover, Freshdesk processes all data, messages and other material provided by you through the HelpCentre. This may include your first name, last name, business name, telephone number and email address.

We have a data processing agreement in place with Freshworks Inc.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

4.3.3 Intercom

Intercom is a provider of proactive customer engagement tools. These tools are provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).

We use Intercom to share relevant technical information related to the GotPhoto platform, for instance downtimes, planned maintenance, bugs, new features or significant system changes. Intercom also enables us to offer you context-sensitive help and information in the form of tool tips and product tours as well as guidance around the best usage of the GotPhoto platform. Educating our customers can help them make more money and save time. All this information is displayed in the admin area of our customers’ GotPhoto account.

The following information is processed by Intercom in order to provide the described features: customer first name, last name, email address and basic user behavior (page visits).

We have concluded a data processing agreement with Intercom.

4.4 Functional Tools

We also use optional tools to enhance the user experience on our website and in the provision of our services, as well as to offer additional features (“functional tools”). While these tools are not strictly necessary for the basic operation of the website, they can provide significant benefits, particularly by improving user-friendliness and enabling additional communication, display or payment options.

We only use functional tools with your consent. You may provide or withdraw your consent at any time through the consent settings described in section 4.2 “Data Processing, Consent and Withdrawal”.

4.4.1 FIN AI Chatbot

Our website uses FIN, a service provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).

FIN is an AI chatbot that uses sophisticated AI language models to automatically solve customer service issues. The AI chatbot understands complex queries, asks clarifying questions and fully converses with the user.

The following information is processed: any personal data contained in questions, data, content or information submitted by you during each conversation with FIN.

FIN uses OpenAI as a sub-processor of any personal data submitted to FIN. Any processing of personal data by OpenAI is governed by a data processing agreement in place between Intercom and OpenAI.

OpenAI has activated zero retention for all customer inputs and outputs. As a result, the inputs and outputs will not be stored by OpenAI. OpenAI is contractually prohibited from using customer data to improve or train its AI model.

We have concluded a data processing agreement with Intercom.

4.4.2 tl;dv

We use the meeting assistant tl;dv provided by tldx Solutions GmbH, Kaiser-Friedrich-Allee 51, 52074 Aachen, Germany (“tl;dv”).

tl;dv records, transcribes and summarizes meetings. It provides valuable insights from the meetings. tl;dv processes the following data:

• Your name and email address to set up meeting
• IP address
• geographical location (approximate)
• operating system, browser type, version
• browser configuration, plugins
• language preferences, cookie data
• pages accessed (date, time, URL, title, length of visit)
• device type, device settings, application IDs, unique device identifiers
• video recording and transcript of the meeting.

More information on data processing by tl;dv can be found here: https://tldv.io/privacy/.

4.4.3 Gong

Gong is a revenue intelligence platform provided by Gong.io, Inc., 201 Spear Street, 13th Floor, San Francisco, CA 94105, United States (“Gong”).

We use Gong to record, transcribe and analyze sales calls. The call recordings are also used for internal training purposes to improve the communication with our (potential) customers.

“Gong bot” joins each scheduled sales call to record the session (both audio and video are recorded). Each call is transcribed from speech to text and analyzed by conversation analytics technology.

Gong processes the following data:

• (Potential) customer’s name, email, phone number, time zone, usually city, state, and country,
• lead status, lifecycle stage
• (Potential) customer’s business address, phone number, GMV, company size, number of heads
• Contract commitment/commitment, history of deals
• Meeting/call/interaction (like a text or email) that we have with the (potential) customer

We have concluded a data processing agreement with Gong.io, Inc.

4.4.4 Google Meet

Google Meet is a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

We use Google Meet to conduct and record interviews with our (prospective) customers in order to get feedback on our products and services. Google processes the customer’s name and email to set up the interview as well as audio and video recording of the customer during the interview.

Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.

4.5 Analysis Tools

To improve our website and services, we use optional tools for statistical recording and analysis of general user behaviour based on access data (“analysis tools”). We also use such tools to evaluate the effectiveness of our various marketing channels.

We only use analytical tools with your consent. You may provide or withdraw your consent at any time through the consent settings described in this Privacy Notice.

4.5.1 Google Universal (Google Analytics)

Our website uses Google Analytics, a service provided in Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (together “Google”).

Google Analytics uses JavaScript and pixels to read information on your device, as well as cookies to store information on your device. Google Analytics serves to evaluate your usage behaviour and improve our website. We will process the information obtained to analyse your use of the website and to compile reports on website activity for the website operator. The data collected in this context may be transmitted by Google to a server in the US and stored there.

We have chosen the following data protection settings for Google Analytics:

• IP anonymisation (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity);
• Automatic deletion of old logs/limitation of storage duration;
• Deactivated Measurement Protocol;
• Deactivated cross-page tracking (Google signals);
• Deactivated data sharing with other Google products and services.

The following data is processed by Google Analytics:

• IP address;
• Referrer URL (previously visited page);
• Pages accessed (date, time, URL, title, length of visit);
• Downloaded files;
• Clicked links to other websites;
• If applicable, achievement of certain goals (conversions);
• Technical information: Operating system; browser type, version and language; device type, make, model and resolution;
• Approximate location (country and, if applicable, city, based on anonymised IP address).

We have concluded a data processing agreement with Google Ireland Limited.

Further information can be found in Google’s privacy policy.

4.5.2 PostHog

Our website uses PostHog, an analysis tool provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, United States (“PostHog”).

PostHog tracks user behaviour on and interaction with our website. We use this information to improve product performance, troubleshoot issues and optimize the overall user experience.

PostHog processes anonymized behavioral data such as clicks, page views, session duration, and interaction events.

Further information on data processing by PostHog can be found in https://posthog.com/privacy.

4.5.3 HubSpot

Our website uses an analysis and tracking tool from Hubspot. This tool can be used to monitor and analyse visitors’ interactions with our website. This helps us to attribute your visits to specific campaigns we have created and generally analyze the sources for our website traffic. The tool can recognize and differentiate between new and returning visitors.

The following data is processed by HubSpot:

• IP address
• geographical location
• type of browser
• duration of visit
• websites accessed
• actions you take on our site, such as page views, clicks, form submissions, and other

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

4.5.4 Microsoft Clarity

Our website uses Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States (“Microsoft”).

Clarity is a behavioral analysis tool that captures how you use and interact with our website through metrics, heatmaps, and session replay. In order to do so, the following information is processed: IP address, location, browser information, visited website and subpages, date and time of access to the website, clicks, scrolls and mouse movements. Clarity assigns each user a unique user ID and uses tracking technologies to determine online activity. We use this information for site optimization and advertising.

For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-gb/privacystatement.

4.6 Marketing Tools

We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when you use our website is used for interest-based advertising. By analysing and evaluating this access data, we are able to show you personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.

We only use marketing tools with your consent. You may provide or withdraw your consent at any time through the consent settings described in section 4.2 “Data Processing, Consent and Withdrawal”.

The data collected by marketing tools may include in particular

• the IP address of the device;
• the information of a cookie or in local storage or session storage;
• the device identifier of mobile devices (e.g. device ID, advertising ID);
• Referrer URL (previously visited page);
• Pages accessed (date, time, URL, title, length of visit);
• Downloaded files;
• Clicked links to other websites;
• If applicable, achievement of certain goals (conversions);
• Technical information: Operating system; browser type, browser version and
• browser language; device type, device make, device model and device resolution;
• Approximate location (country and city, if applicable).

This information does not directly identify you, but may still be used to recognize your device or browser when you return to our website or visit other websites that use the same tools.

4.6.1 Hubspot

We use Hubspot for tracking and remarketing purposes. Hubspot processes your pseudonymized email address and shares it with Meta Platforms and Google Ads.

This allows us to achieve conversion tracking and optimize our marketing campaigns. By sharing the data with the platforms we are able to retarget a specific audience.

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

4.6.2 Intercom

We use Intercom to market relevant product and service offers to our customers. This marketing information is displayed directly in the admin area of our customers’ GotPhoto account.

The following information is processed by Intercom: customer first name, last name, email address and basic user behavior (page visits).

We have concluded a data processing agreement with Intercom.

4.6.3 Veed.io

We use Veed.io, a video editing platform offered by Veed Limited, 17-18 Clere Street, London, EC2A 4LJ, United Kingdom, to prepare and enhance organic social media videos for publishing on our channels (“Veed”). These videos may contain voices, images, quotes or testimonials of individuals who are employees or our customers and have provided their explicit consent to appear in such content.

Veed provides AI-powered editing functionality, which may involve scanning the internet for keywords or related context for editing purposes. However, Veed is not embedded into our website and does not collect any website visitor data or install cookies through our online presence.

Veed may process the following categories of personal data:
Audio-visual content including identifiable voices and facial images
Testimonial statements or quotes.

Veed enables us to edit and optimize uploaded media for our social media communication. It leverages AI capabilities to enhance content, for example with automatic captioning or keyword tagging.

We have concluded a data processing agreement with Veed. Any sub-processors of Veed are bound by data processing agreements as well.

4.6.4 Metricool

We use the social media management platform Metricool, operated by Metricool Software S.L., Calle Téllez, n. 12, Entreplanta H, 28007 Madrid, Spain, for the purpose of planning, publishing and analyzing our presence on social media platforms (“Metricool”). Metricool is not integrated into our website; no scripts or trackers from Metricool are embedded on our site.

When we upload or schedule media content via Metricool, the following categories of third-party personal data may be processed by Metricool on our behalf:

• Name, username, handle: posts may include direct mentions or tags of individuals or companies (e.g. @username)
• Images or videos containing identifiable individuals: uploaded content (such as photos or videos from events or promotional campaigns) may include individuals who can be identified via facial features, voice or other physical characteristics
• Tagged individuals: tags applied to individuals in social media posts (e.g. on Instagram or Facebook)
• Links to third-party personal profiles or content: posts may contain URLs that link to personal websites, portfolios, or social profiles of identifiable individuals.

We process personal data in line with applicable data protection laws and only where necessary to manage our social media communications and outreach.

For more details on how we protect third-party data in social media contexts, please refer to section 5. “Online Presences in Social Networks” and section 7. “Disclosure of Data” below.

4.6.5 Meta- Pixel (formerly Facebook- Pixel)

Our website uses the Meta-Pixel service for marketing purposes, which is offered outside the US and Canada by Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland and in the US and Canada by Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, United States (together “Meta Platforms”).

We use Meta-Pixel to analyse the general use of our website and to track the effectiveness of Facebook advertising (“conversion tracking”). We also use Meta-Pixel to display personalised advertising messages based on your interest in our products (“retargeting”). This also involves target group remarketing through custom audiences.

Meta Platforms processes data that the service collects via JavaScript, cookies and other technologies on our website. This includes in particular

• HTTP header information such as information about the browser used (e.g. user agent, language);
• Information on events such as “page view”, other object properties and buttons clicked by visitors to the website;
• Online identifiers such as IP addresses and, where provided, Facebook business-related identifiers or device IDs (such as advertising IDs for mobile operating systems) and information on the status of deactivation/restriction of ad tracking.
• Meta Platforms acts as our processor for matching, measurement and analysis services, in particular for analysing the use of our website, matching user IDs and creating reports on our advertising campaigns. We have concluded a data processing agreement with Meta Platforms.

In addition, we and Meta Platforms are jointly responsible for the processing of event data for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery and the personalisation of functions and content when using Meta-Pixel. The mutual obligations were set out in a joint contract, which can be accessed at the following address:
https://www.facebook.com/legal/controller_addendum.

Meta Platforms also processes the event data for the protection and security of Meta Platforms’ products, for research and development purposes and to maintain the integrity of the products and improve them.

If you are a member of Facebook or Instagram and have allowed Meta Platforms to do so via the privacy settings of your account, Facebook or Instagram may also link the information collected about your visit to our website to your member account and use it for targeted advertising. You can view and change the privacy settings of your Facebook profile at any time: https://www.facebook.com/settings/?tab=ads. You can prevent the linking of data collected outside Instagram for the display of personalised advertising in Instagram as described here:
https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE.

If you have not consented to the use of Meta-Pixel, Meta Platforms will only display generic adverts that are not selected based on the information collected about you on this website.

Further information, e.g. regarding joint responsibility and contact details, can be found in Meta Platforms’ privacy policy, in particular for the social networks Facebook and Instagram: https://www.facebook.com/about/privacy/.

4.6.6 Google Ads

Our website uses the Google Ads service, which is offered in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Applying Google Ads Conversion Tracking we define customer actions (such as clicking on an ad, page views, downloads) that are recorded and analysed. We use Google Ads Remarketing to show you individualised advertising messages for our products on Google partner websites. Both services use cookies, JavaScript, pixels and other technologies for this purpose.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.

If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent (see 4.2.3: “Withdrawing Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings:
https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:
in the notice on data use: https://policies.google.com/technologies/ads;
in Google’s privacy policy: https://policies.google.com/privacy.

4.6.7 Google Marketing Platform and Ad Manager (formerly DoubleClick)

Our website uses Google Marketing Platform and Google Ad Manager, services provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (together “Google”).

These services use cookies and other technologies to show you adverts that are relevant to you. The use of the services enables Google and its partner websites to display adverts based on previous visits to our or other websites on the Internet.

If you have not consented to the use of Google Marketing Platform and Ad Manager, Google will only display generic advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent (see 4.2.3: “Withdrawing Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:
in the notice on data use: https://policies.google.com/technologies/ads;
in Google’s privacy policy: https://policies.google.com/privacy.

4.6.8 Microsoft Advertising (formerly Bing Ads)

Our website uses Microsoft Advertising, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). Microsoft uses JavaScript, cookies and local storage to present you with adverts that are relevant to you. The use of these technologies enables Microsoft and its partner websites to display adverts based on previous visits to our or other websites on the Internet. Microsoft may transfer the data collected in this context for analysis to a server in the US and store the data there.

The following information in the Local Storage is stored and read by Microsoft Advertising:

• “_uetsid”: Session ID;
• “_uetvid”: Recognition of visitors, usage analysis, display of personalised advertising;
• “_uetsid_exp”, “_uetvid_exp”: Information about the expiry date of the information in Local Storage.

In addition to withdrawing your consent (see 4.2.3: “Withdrawing Your Consent or Changing Your Selection”), you may deactivate the personalised ads in Microsoft Advertising or in the settings for ads in your Microsoft account:

• Personalised ads: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/personalisierte-anzeigen;
• Settings for displays: https://account.microsoft.com/privacy/ad-settings/signedout.

Further information can be found in Microsoft’s privacy policy: https://privacy.microsoft.com/en-gb/privacystatement.

4.7 External Media (Wistia)

We use the video hosting and embedding service provided by Wistia, Inc., 120 Brookline Street, Cambridge, Massachusetts 02139, United States, to display videos on our website.

When you view or interact with a Wistia video, usage information may be collected, such as how much of the video you watched, whether you paused or resumed it, and how many videos you viewed. Wistia also processes certain technical data such as your IP address, device type (desktop or mobile), operating system, browser, the page on which the video is embedded, and session start time. Local storage on your device may also record whether you have viewed embedded content and actions you take (e.g. play, pause).
We only use Wistia videos with your consent, which can be withdrawn at any time using the options described in section 4.2.3: “Withdrawing Your Consent or Changing Your Selection”.
Further information can be found in Wistia’s privacy policy.

5. Online Presences in Social Networks

We maintain an online presence on social networks in to communicate with customers and interested parties and to provide information about our services. Personal data is generally processed by the social networks themselves for their own purposes, such as market research and advertising. This may include the creation of user profiles and the use of cookies and other identifiers to deliver advertising on the social network or on third-party websites.

For our online presences, we may receive information such as statistics on the use of these platforms. These statistics may include demographic information (e.g. age, gender, region), data on the interaction with our pages (e.g. likes, comments) and information on which types of content are most relevant to our users. We use this information to improve our content and communication with our audience.

If you interact with us on a social network, for example by commenting on a post or sending us a direct message, the handling of your information is subject to the privacy policy of the social network. If we transfer personal information from a social network to our own systems, for example to follow up on a service request, we are responsible for that processing in accordance with this Privacy Notice.

For more information about how each social network processes your data and how you can exercise your privacy rights, please refer to their respective privacy policies, linked below. Requests relating to data processed directly by social networks are best directed to the providers themselves, as only they have full access to the relevant information.

Below is a list with information on the social networks where we have an online presence:
Facebook, Meta Platforms, Inc.
Privacy policy: facebook.com/about/privacy
Ad preferences: facebook.com/settings?tab=ads
General opt-out: youronlinechoices.com

Instagram, Meta Platforms, Inc.
Privacy policy: help.instagram.com/519522125107875
Ad preferences: facebook.com/help/instagram/2885653514995517

YouTube, Google LLC
Privacy policy: policies.google.com/privacy
Ad preferences: google.com/settings/ads

X, X Corp.
Privacy policy: x.com/en/privacy
Personalization settings: x.com/settings/account/personalization

LinkedIn, LinkedIn Corporation
Privacy policy: linkedin.com/legal/privacy-policy
Ad preferences: linkedin.com/psettings/guest-controls/retargeting-opt-out

6. Automated Decision-Making and Profiling

We do not use your personal information to make automated decisions about you. In particular, we do not use automated systems to determine eligibility for employment, credit, insurance, housing or other similar services.

We use analytics and marketing tools to improve our platform and to provide relevant communications to our customers.These activities are carried out at an aggregate or general level and are not used to make decisions about individual customers.

7. Disclosure of Data

We only disclose personal information in the following situations:

• with your consent,
• as required or authorized by law (e.eg. in connection with the defence of legal claims),
• where necessary to comply with a court order, subpoena or official investigation, or
• as needed to carry out a contract with you or to take steps you have requested before entering into a contract.

We also use trusted service providers to support our operations. These may include photo labs, data centres that host our website and store our databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. Service providers are only permitted to use personal information to perform their specific tasks on our behalf. We remain responsible for the handling of personal information by our service providers and require them to protect it in line with applicable laws and contractual safeguards.

8. Data Transfers outside Canada

GotPhoto is a German company and does not operate servers or process personal information in Canada. If you are located in Canada and use our services, your personal information will be collected and processed outside of Canada, primarily in the European Union and the United Kingdom. Some of our service providers are also located in the United States or other countries.

When personal information is transferred to another country, it may be subject to the laws of the country and may be accessible to courts, law enforcement and national security authorities in those jurisdictions.

Regardless of where processing takes place, we remain responsible for the personal information we control. We require our service providers to protect the information in a manner that is consistent with this Privacy Notice and with applicable Canadian privacy laws, including appropriate contractual and technical safeguards.

9. Storage Period

As a German company, GotPhoto is subject to German statutory retention requirements. Accordingly, personal information is retained in line with German law. In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need to retain the data as evidence for civil law claims (until the statutory limitation period expires) or due to statutory retention obligations.

In accordance with the statutory limitation period, claims expire at the earliest three years from the end of the year in which the business relationship with you ends. For evidence purposes, we must retain contract data for that long.

Thereafter, we still have to store some of your personal data for accounting reasons. We are obliged to comply with statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified for the retention of documents are between two to ten years.

10. Your Rights

As a Canadian customer you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Access: You have the right to request access to the personal information we hold about you.
• Correction: You have the right to request that inaccurate or incomplete personal information be corrected.
• Withdraw consent: You may withdraw your consent to our collection, use or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal will not affect the lawfulness of processing that took place before consent was withdrawn.
• Complaint: You have the right to make a complaint to the Office of the Privacy Commissioner of Canada, if you believe your privacy rights have not been respected.

To exercise these rights, please contact us at privacy@gotphoto.com.

Your requests and our responses may be retained for documentation purposes for up to three years or longer where necessary to establish, exercise or defend legal claims.

If you wish to contact the Office of the Privacy Commissioner of Canada directly, you can reach them at:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3

Website: https://www.priv.gc.ca

11. Changes to the Privacy Notice

We occasionally update this privacy notice, for example when we customise our website or when legal or regulatory requirements change.