Data privacy

Experience One AG’s privacy policy is based upon the terms as used in the legal regulations, e.g. those of the GDPR. To make our privacy policy as easy to read and understand as possible, the most important terms are described in the following.

Personal data

Personal data is all information related to an identified or identifiable natural person (referred to in the following text as the “data subject”). A natural person is considered identifiable if they can be identified, either directly or indirectly, by association with identifying values such as a name, identification number, location information, online identifiers (e.g. IP address) or one or more special characteristics.

Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the data processor – e.g. by means of collection, storage, or use.

Processing

Processing is any activity applied to personal data, with or without the help of automated methods (e.g. electronic processing) or any such string of activities performed on personal data, e.g. collection, organisation, storage, modification, export or publication by transfer.

Restriction on processing

Saved personal data can be marked as restricted. This is intended to prevent or hinder any further processing.

Profiling

Profiling is any form of automated processing of personal data with the intention of using this personal data to assess particular personal aspects of a natural person. This particularly relates to analysing or predicting aspects such as employment, financial situation, personal preferences or interests.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that is it not possible to identify a specific data subject unless other additional information is also considered.

Data controller

The data controller or processor is a natural person, legal entity, authority, institution or other office that, alone or together with others, determines the purposes of the data processing and the means (i.e. tools) with which the personal data will be processed.

Commissioned data processor

The commissioned data processor is a natural person or legal entity, authority or other office that carries out the processing of personal data on behalf of the data controller.

Recipient

The recipient is a natural person or legal entity, authority or other office to which personal data is provided without being commissioned as a data processor on behalf of the data controller. Public authorities that receive personal data within the scope of their duties are not considered recipients.

Third party

A third party is a natural person or legal entity, authority or other office other than the data subject, data controller, commissioned data processor or other persons who are authorised under the direct responsibility of the data controller or commissioned data processor to process personal data, e.g. employees.

Consent

Consent is any expression of will (e.g. declaration or other unambiguous action of affirmation) given voluntarily by the data subject for specified purposes and in response to unambiguous notification and information about his or her rights by which the data subject indicates that he or she consents to have the personal data related to him or her processed.

The data controller according to the applicable data protection regulations is:

Experience One AG

Seidenstr. 19
70174 Stuttgart
Germany

Phone: +49 711 25 35 99 60
Email: hello@experienceone.com
Website: www.experienceone.com

The data controller has appointed a data protection officer in accordance with current legislation. The data protection officer can be reached at:

Tel.: +49 160 94 81 00 58
Email: datenschutz@experienceone.com

Data subjects may make direct contact with the data protection officer at any time with any questions and comments they may have regarding data protection and privacy issues.

Whenever we receive your consent for a particular processing purpose, this consent falls under Article 6 Paragraph 1 Item a of the GDPR. If personal data must be processed in order to fulfil a contract to which you are party (e.g. delivery of goods), then such processing will fall under Article 6 Paragraph 1 Item b of the GDPR.

Whenever Experience One AG has a legal obligation to process data, such as to meet tax related obligations, then such processing will fall under Article 6 Paragraph 1 Item c of the GDPR.

In rare cases, personal data may need to be processed in order to protect the life of the data subject or another natural person, e.g. if a visitor to our business were to get injured and their personal data needed to be passed on to a doctor, hospital or other third party. In these cases, processing falls under Article 6 Paragraph 1 Item d of the GDPR.

Most data processing activities fall under Article 6 Paragraph 1 Item f of the GDPR. This states that the documented legitimate interests of Experience One AG (e.g. notification of our services) are a sufficient basis for data processing, provided that the interests, fundamental rights and basic freedoms of data subjects are not infringed upon. Legitimate interests particularly include our ability to carry out business activities to ensure the wellbeing of our staff and partners.

The personal data collected via our website serves a range of purposes, some of which make use of external service providers (see below). The primary purposes (unless otherwise stated below) are:

• Web analysis / tracking:
  • Optimisation of our website for the benefit of its visitors
  • To provide evidence of possible attacks against the website and to provide information for prosecution
• Contact form:
  • To enable simple and fast contact with the company
  • To provide a means to contact relevant departments
• Application form
  • To allow potential new members of staff to submit applications

Our website uses cookies. Cookies are text files created by web browsers and stored on your computer.

Many cookies contain what is known as a “cookie ID”. A cookie ID uniquely identifies a particular cookie. These can be used to identify a particular computer or data subject, to differentiate these from others and recognise repeat visits. Using cookies allows us to provide you with certain user-friendly services which would otherwise be impossible to implement.

Further information on the usage of cookies can be found in our CookieStatement (Link within the site footer).

The data subject can prevent cookies from being set by our website by clicking on “cookies” in the footer of our website. Furthermore, any cookies that have already been set can be deleted via your web browser. Please be aware that disabling cookies may render some or all of the features on our website unusable.

Collection of general data and information

When you consent to the use of cookies via your web browser and/or by confirming as such on the cookie banner that appears on our website, we will collect a range of general data and information. This information is stored in the log files on our server. We may collect, for example:

• the browser and operating system being used
• the Internet site from which you reached our site (known as the “referrer”)
• the sub-pages accessed on our site
• the date and time of your visit as well as an anonymised/shortened form of your Internet Protocol Address (IP address)
• your Internet service provider (e.g. Deutsche Telekom)
• any other data and information that could be useful to us in the event of an attack on our systems

Experience One AG infers nothing about the data subject through the use of this general data and information. Rather, this data is required in order to:

• deliver and optimise the content of our Internet site
• ensure the ongoing functionality of our IT systems and website
• provide the necessary information to the prosecuting authorities in the event of a cyber attack

This anonymous and pseudonymous information is statically evaluated by us. The server log files are stored separately from all personal data provided by a data subject and are deleted after a period of 6 months.

Experience One AG makes use of certain services from external providers who may be based outside of the EU. Such providers include:

• Google Inc (for Google Analytics, Google Maps, Google Tag Manager, Google Google ReCaptcha – USA)
• Kenjo GmbH (Recruting - Germany)
• HubSpot, Inc. (CRM, Marketing & Advertising – USA)
• Vimeo LLC (Videos - USA)
• LinkedIn Ireland Unlimited Company (Tracking - Ireland)
• Podigee GmbH (Podcast Player and Hosting – Germany)

For more detailed information about these recipients, please see below.

Personal data will not be forwarded to third parties without your consent unless Experience One AG is legally obligated to do so.

Where your personal data is processed by Experience One AG, you have the following rights as a data subject. If you would like to exercise one of these rights, you may contact our data protection officer or a member of our staff at any time.

Right to access

All data subjects are entitled to request information from the data controller at any time about whether or not their personal data is being processed, free of charge. Furthermore, a data subject may request to see the personal information held on them and receive a copy of this. This copy of the personal data contains information on:

• the processing purpose
• the categories of personal data
• the recipients or categories of recipients, particularly where recipients are based abroad
• the intended retention period, or where this cannot be given, the criteria used to determine the retention period
• an explanation of the rights of the data subject, particularly with regard to the right to rectify, delete or restrict their data and the right to withdraw consent
• the existence of a right to legal appeal by a regulating authority
• the source of the data (if data was not received from the data subject)
• the existence of an automated decision-making process including profiling and detailed information about the logic and weightings involved, if applicable
• information about the appropriate measures taken to ensure data is protected (when transferring data abroad)

Right to rectification

If the data held about you contains errors, you are entitled to have any incorrect personal data immediately rectified. This also applies to having missing data added, with supplementary consent given where necessary.

Right to deletion (right to be forgotten) and right to restrict processing

All data subjects are entitled to request the immediate deletion of their personal data by the data controller, provided that such a request is based upon one of the following reasons and insofar as processing is not required:

• The processing purpose no longer applies, and the data is no longer required
• Consent has been withdrawn and there is no other legal basis for processing
• An objection to processing has been submitted and there are no overriding reasons why the objection should not be accepted
• Data has been processed unlawfully

The data protection officer will review the request with regard to its legitimacy and the existence of any overriding obligations (e.g. minimum retention periods for tax reasons) and inform any data recipients of the request for deletion. If it is not possible to delete the data, you will be informed of the reasons why.

Whenever the purpose for processing no longer applies, but legal retention periods have not expired, or the data is required in order to make or defend against legal claims, then it is possible for your data to be restricted.

Right to data portability

You are entitled to receive a copy of the personal data you have provided us with in a structured, common and machine-readable format. This data can then be made available to another provider or service, or you may ask us to send this data directly to them. This right applies insofar as you have given us consent to process your data. This includes automatically collected data which does not infringe upon the rights and freedoms of other persons and where this is technically possible.

Right to object

Data subjects are entitled to object to their personal data being processed for reasons resulting from their particular circumstances at any time. This also applies to profiling performed according to these conditions. The data will then no longer be processed unless we can demonstrate compelling reasons to do so that outweigh your interests. The right to object applies in particular to the use of personal data for advertising purposes.

Automated decision making for individual cases including profiling

You are entitled to not be submitted to an exclusively automated decision-making process, including profiling, that has legal consequences for you or otherwise impacts you in a negative and significant way. This applies insofar as this automated decision-making process is not necessary for the conclusion of a contract between you and Experience One AG and you have not given your explicit consent to automated decision-making.

Right to withdraw consent

European lawmakers guarantee data subjects the right to withdraw consent to the processing of their personal data at any time.

Data subjects who would like to exercise this right can contact our data protection officer or one of the data controller’s staff at any time.

Right to lodge a complaint with supervisory authority

Data subjects whose data is processed by Experience One AG are entitled to lodge a complaint against the data controller. This applies in particular if you believe that Experience One AG has processed your data in breach of data protection regulations or you have not received a prompt response to an enquiry, or the response contained incorrect information. An overview of supervisory authorities for non-public sectors (e.g. businesses) can be found at

https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

Experience One AG is overseen by the supervisory authority of Baden-Württemberg (where the data controller is based). However, you may contact any supervisory authority (e.g. that for the place where you are resident).

Personal data held about a data subject is stored only for the period necessary for the processing purpose, or for a legally required retention period. When the processing purpose no longer applies and/or legal retention periods have expired, personal data is routinely blocked or deleted in accordance with legal requirements.

• With regard to the tracking of visitors to the Experience One AG website, the period is generally a maximum of six months.
  
• For applications that do not lead to employment or inclusion in the talent pool, a period of six months also applies.
  
• Inquiries via the contact form will be deleted after six months at the earliest, provided that the processing of the inquiry has been completed.
• All other deadlines are based on tax and commercial law requirements.

Our data protection officer can provide you with information about the specific ways in which your data is processed.

It may be legally required for certain data to be processed (e.g. tax regulations) or for processing to be done due to the terms of a contract (e.g. providing information to the contractual partner). The same applies when concluding a contract (e.g. employment contract). Failure to provide data here would result in us being unable to conclude the contract with you. Our data protection officer will be happy to advise you as a data subject on a case by case basis.

As a responsible company we do not make use of automated decision-making processes or profiling.

Our website provides information on how you can get in touch with us via email and telephone as well as an online contact form. This fulfils the legal regulations relating to the provision of a fast, electronic method of contact as all data is sent to a central email address and therefore enters a self-hosted ticket system.

When you choose to contact us via e-mail or via the contact form, the personal data you send to us will be stored. Data collected in this way is used for the purposes of handling your enquiry or getting back in touch with you. This data will not be sent to any third parties.

Should any further contact take place after the initial contact, e.g. making an appointment to meet, this data will be forwarded to the appropriate member of staff and processed. The data will also be stored in our CRM tool HubSpot. Further information can be found in the corresponding paragraph of this statement.

We collect and process personal data from applicants for the purpose of carrying out the application procedure. Processing is performed electronically. This is particularly the case if you send us your application documents via electronic means such as via email or via the web form.

Based on a separate agreement, the data is processed on behalf of Experience One AG by the company Kenjo GmbH, Urbanstraße 71, 10967 Berlin. The data transfer to Kenjo is encrypted (Transport Layer Security, TLS). For more information on data protection at Kenjo, please visit: https://www.kenjo.io/legal/datenschutz

When an employment contract is made with an applicant, the transferred data will be stored for the purposes of arranging the employment relationship in accordance with legal regulations. When an employment contract is not offered to the applicant, the application documents will be stored for a period of at least two months and no longer than 6 months. After this period, they will be automatically deleted unless any reasons not to do so exist.

If you are accepted into a talent pool, then we require your consent to do so. Your data will not be deleted if you agree to be entered into the talent pool.

We can also remove you from the Talent Pool if you wish.

Experience One AG has integrated the Google Analytics component (with an anonymisation feature) into this website for the purposes of web analytics. A web analytics service collects various data including the Internet site from which a data subject used to access another site (known as the “referrer”), which of our sub-pages were accessed and how often and for how long. This information can be used to optimise the Internet site. We use the suffix “_gat._anonymizeIp” for our web analytics. This suffix means that the IP address will be shortened and anonymised.

Google Analytics is operated by Google LLC., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. (European representation: Gordon House, Barrow Street, Dublin 4, Ireland).

Google uses the data it collects for a variety of purposes. These include evaluating how our website is used in order to generate online reports for us and in order to provide further services associated with the use of our Internet site.

Google Analytics cookies are stored on your computer for this purpose. This cookie enables Google to analyse the use of our Internet site. By doing so, Google receive personal data such as your IP address. Data is therefore sent to Google in the United States of America every time you visit our website. Google may pass on this data to third parties.

Processing by Google is based on appropriate safeguards. This means that a processing agreement has been concluded with Google. This is based on the standard contractual clauses issued by the European Commission.

You can prevent cookies from being set, as described, at any time using the relevant settings in your browser. Furthermore, any cookies that have already been set by Google Analytics can be deleted via your web browser or other software programmes at any time. You also have the option to install a browser add-on (https://tools.google.com/dlpage/gaoptout). This is installed on your computer and prevents web analytics. The add-on uses JavaScript.

Further information and Google’s current data privacy policy can be found at https://www.google.de/intl/de/policies/privacy and http://www.google.com/analytics/terms/de.html. Google Analytics is described in more detail at the following link: https://www.google.com/intl/de_de/analytics.

Experience One AG has integrated the Google Maps component into this website in order to display an interactive map.

Google Maps is operated by Google LLC., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. (European representation: Gordon House, Barrow Street, Dublin 4, Ireland).

By using this service, Google receives personal data, such as your IP address. Data is therefore sent to Google in the United States of America every time you visit our website. Google may pass on this data to third parties.

Processing by Google is based on appropriate safeguards. This means that a processing agreement has been concluded with Google. This is based on the standard contractual clauses issued by the European Commission.

You can prevent cookies from being set, as described, at any time using the relevant settings in your browser. Furthermore, any cookies that have already been set by Google Analytics can be deleted via your web browser or other software programmes at any time. You also have the option to install a browser add-on (https://tools.google.com/dlpage/gaoptout ). This is installed on your computer and prevents web analytics. The add-on uses JavaScript.

Further information and Google’s current data privacy policy can be found at https://www.google.de/intl/de/policies/privacy and https://www.google.com/intl/de_de/help/terms_maps.html.

Experience One AG uses videos on its website that are hosted by the Vimeo portal. The purpose of this is to ensure content is transported more effectively and is made easier to understand, while also improving website performance by not hosting videos locally.

Vimeo is operated by Vimeo LLC at 555 West 18th Street, New York, New York 10011, USA.

A data processing contract has been made with Vimeo to ensure an appropriate level of data privacy. The contract is based upon the standard data privacy clauses set down by the EU.

When you visit one of our pages equipped with a Vimeo plugin, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. In addition, Vimeo obtains your IP address. This also applies if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo is transmitted to the Vimeo server in the USA. If you are logged into your Vimeo account, you enable Vimeo to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Vimeo account.

Processing by Vimeo is based on appropriate safeguards. This means that a processing agreement has been concluded with Vimeo. This is based on the standard contractual clauses issued by the European Commission

For more information on the handling of user data, please see Vimeo's privacy policy at: https://vimeo.com/privacy.

The component Podigee is integrated on this website by Experience One AG to play and host podcasts. The podcasts are downloaded or streamed from Podigee.

Provider of Podigee is die Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany.

Using Podigee enables the provider to gain knowledge about personal data like the IP addresses and device information to enable podcast downloads / playbacks and statistical data such as to determine the number of downloads. This data is anonymized by Podigee before they are stored in the database, unless they are required for the provision of the podcasts.

The use is based on our legitimate interests, i.e. interest in a secure and efficient provision, analysis and optimization of our podcast offer in accordance with Art. 6 (1) letter (f) GDPR. Furthermore, the data is processes based on separate agreement on behalf of Experience One AG.

Further information and options to object can be found in Podigee’s data protection declaration: https://www.podigee.com/en/abo....

We use Google Tag Manager on our website to manage website tags.

The operator is Google LLC., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
(European representation: Gordon House, Barrow Street, Dublin 4, Ireland).

Tag Manager is a cookie-free application and does not collect any personal data. However, the Tag Manager can trigger the setting of additional tags, which may collect data. Google Tag Manager does not access this data.

Processing by Google is based on appropriate safeguards. This means that a processing agreement has been concluded with Google. This is based on the standard contractual clauses issued by the European Commission

Further information and the applicable Google privacy policy can be found at https://www.google.de/intl/de/policies/privacy/ and https://www.google.de/intl/de/policies/privacy/ as well as https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

If you have opted out of Google Cookies, this also applies to all tracking tags that are implemented in Google Tag Manager.

Further information and the applicable data protection provisions of Google can be found at https://www.google.de/intl/de/policies/privacy/ and https://www.google.de/tagmanager/use-policy.html.

We use HubSpot as a CRM & marketing tool for processing and storing contact data, follow up on leads, planning of marketing and advertising measurements. Among others this includes e-mail-marketing (newsletter, mailings) social media publishing & reporting, reporting (e.g. source of traffic, visits etc.), contact management, (e.g. user segmentation & CRM), landing pages and contact forms.

The provider is HubSpot, Inc., 25 First Street, 2nd Floor,Cambridge, MA 02141 (USA).)

If you use the contact form on our website, the request will be forwarded to us and the data will then be saved in the CRM tool. Furthermore, contact data from fairs, events or other relevant partners will be stored in the tool.

Processing by Hubspot is based on appropriate safeguards. This means that a processing agreement has been concluded with Hubspot. This is based on the standard contractual clauses issued by the European Commission.

For more information on how HubSpot handles user data, please see HubSpot's privacy policy at https://legal.hubspot.com/product-privacy-policy and https://www.hubspot.de/data-privacy/gdpr.

We use the reCAPTCHA function to ensure the security of inquiries and avoid spam through our web forms.

Google Maps is operated by Google LLC., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. (European representation: Gordon House, Barrow Street, Dublin 4, Ireland).

This function primarily serves to differentiate between manual entry of a person and automated entry by a machine (bot). The user's IP is transmitted to Google and, if necessary, further data. As part of this, personal data can also be transmitted to the servers of Google LLC in the US.

Processing by Google is based on appropriate safeguards. This means that a processing agreement has been concluded with Google. This is based on the standard contractual clauses issued by the European Commission.

Further information and the applicable data protection provisions of Google can be found at https://www.google.de/intl/de/policies/privacy/ .

We use the LinkedIn Insight Tag for conversion tracking on our website. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn Ireland is a subsidiary of LinkedIn Corp (USA).

LinkedIn uses the data obtained to evaluate the use of our website, to compile online reports for us and to provide other services related to the use of our website.

For this purpose, cookies are placed on your computer by LinkedIn. By setting the cookie, LinkedIn is able to analyze the use of our website. As part of this, LinkedIn gains knowledge of personal data, such as the IP address. Every time you visit our website, data is transmitted to LinkedIn in the United States of America. LinkedIn may share this data with third parties or use the data for behavioral advertising. However, the data is encrypted and anonymized.

Processing by LinkedIn is based on appropriate safeguards. This means that a processing agreement has been concluded with LinkedIn. This is based on the standard contractual clauses issued by the European Commission.

As shown, you can prevent the setting of cookies at any time by setting your browser accordingly. In addition, a cookie already set by LinkedIn can be deleted via the internet browser or other software programs. An opt-out of tracking is also possible at any time, provided you call up the following page: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out?trk=microsites-frontend_legal_cookie-policy

Further information and the applicable data protection regulations of LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy.