As of 1st June 2021
Responsible: Thomas Niemann
Company: pay & relax GmbH
Street & No.: Lautenschlagerstr. 16
Zip code, City, Country: 70173 Stuttgart, Germany
Commercial register no.: HRB 752781
Managing director: Thomas Niemann, Felix Hagspiel
Phone number: +49(0)711-25 25 96 40
E-mail address: [email protected]
1. Basic information on data processing and legal basis
For the terms used, such as “personal data” or their “processing”, we refer to the definitions in Article 4 of the General Data Protection Regulation (DSGVO).
The personal data of users processed within the scope of this online offer includes inventory data (e.g., e-mail address, names and addresses of users), contract data (e.g., services used, names of clerks, payment information), usage data (e.g., the visited web pages of our online offer) and content data (e.g., details of escrow payment, chat messages, images).
The term “user” includes all categories of data subjects. They include our business partners, customers, interested parties and other users of our online offer. The terms used, such as “user”, are to be understood as gender-neutral.
We process users’ personal data only in compliance with the relevant data protection provisions. This means that user data will only be processed if a legal permission exists, i.e., in particular if the data processing is necessary for the provision of our contractual services as well as online services, or is required by law, if the user has given consent, or on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO), in particular in the case of range measurement, creation of profiles for advertising and marketing purposes, and collection of access data and use of third-party services.
We point out that the legal basis for consents is Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for processing for the performance of our services and implementation of contractual measures is Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f. DSGVO.
2. Security measures
We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
The security measures include in particular the encrypted transmission of data between your browser and our server.
3. Transfer of data to third parties and third-party providers
Data is only passed on to third parties within the framework of legal requirements. We only pass on users’ data to third parties if this is necessary, for example, on the basis of Art. 6 para. 1 lit. b) DSGVO for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f. DSGVO in the economic and effective operation of our business.
If we use subcontractors to provide our services, we take appropriate legal precautions and corresponding technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal provisions.
If content, tools or other means from other providers (hereinafter collectively referred to as “third party providers”) are used within the scope of this data protection declaration and their named registered office is located in a third country, it is to be assumed that a data transfer to the third party providers’ countries of domicile takes place. Third countries are countries in which the GDPR is not directly applicable law, i.e. basically countries outside the EU or the European Economic Area. The transfer of data to third countries takes place either if there is an adequate level of data protection, user consent or otherwise legal permission.
4. Provision of contractual services
We process inventory data (e.g., names and addresses as well as contact data), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 lit b. DSGVO.
Website visitors can create a user account on our website, with which they can in particular create, view and manage their trust payments. For the opening of the user account as well as for the disbursement of the funds, the following personal data are collected:
Name, first name
Date of birth
Address (street, house number, postal code, city, country)
Bank details (e.g. IBAN, BIC)
For so-called business accounts, the following data is also collected:
Name of the company
Sales tax identification number or tax number
Address of the company
For registration we use the so-called double-opt-in procedure. This means that registration is not completed until the user confirms registration by clicking a link in a verification e-mail sent for this purpose.
The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regard to the user account will be deleted, subject to their retention being necessary for reasons of commercial or tax law in accordance with Art. 6 para. 1 lit. c DSGVO.
For the purpose of carrying out trustee payments, the following personal data, as well as information and status messages on the escrow payments, are exchanged between the parties involved:
First and last name
Status of identification (identification open / identification completed)
The user consents to pay & relax GmbH transmitting the data to the persons or companies involved in the escrow payment.
The payments initiated via PAYLAX are processed via the electronic payment system by our payment service provider MANGOPAY S.A., 10 Boulevard Royal, L-2449 Luxembourg (“MANGOPAY”). For this purpose, your data (see 4.2.) will be forwarded to MANGOPAY. Required data beyond this (e.g. identification data or company documents for identification, credit card data for payment processing with credit card) are not stored by PAYLAX, but forwarded directly to MANGOPAY.
5. PAYLAX Connect
Via the PAYLAX Connect interface, it is possible for third-party platforms (e.g. online marketplaces or online stores) to integrate PAYLAX as a payment method.
If the user on a third-party platform agrees to the connection of his PAYLAX account with the third-party platform via PAYLAX Connect, the third-party platform receives the following data of the user:
PAYLAX user ID
Identification status of the account (Open / Started / Failed / Successful)
Whether the account is a business account
For business accounts, type of company (retailer / organization or association / legal entity)
First and last name
Name of the company
Country of residence or registered office of the company
Whether the email address has already been verified
The user can remove the connection with the third party platform at any time via his PAYLAX account.
6. Contacting us
When contacting us (by e-mail or telephone), the information is processed for the purpose of handling the contact request and its processing in accordance with Art. 6 para. 1 lit. b) DSGVO.
The user’s/customer’s details may be stored in our Customer Relationship Management System (“CRM System”) or comparable inquiry organization.
7. Collection of access data and log files
On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we collect data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud).
8. Cookies & Reach Measurement
Cookies are pieces of information that are transmitted from our web server or third-party web servers to the web browsers of the users of our online offering and stored there for later retrieval. Cookies may be small files or other types of information storage.
We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status and thus the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and log out, for example.
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
9. Google Analytics
Google is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous usage profiles of the users can be created from the processed data.
We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called “Remarketing Audiences”, or “Google Analytics Audiences”). With the help of Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of users and do not have a harassing effect.
We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offer, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
For more information about Google’s data use, settings and opt-out options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use our partners’ websites or apps”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information Google uses to serve you ads”).
If you do not agree with the collection, you can prevent it with the one-time installation of the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout
10. Newsletter
With the following instructions, we inform you about the contents of our free newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. Insofar as the contents of the newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our products, offers, promotions and our company.
Double opt-in and logging: Registration for our newsletter is carried out in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with e-mail addresses that are not their own. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to your data stored with the dispatch service provider are also logged.
Furthermore, according to its own information, the dispatch service provider may use this data in pseudonymous form, i.e. without assigning it to a user, to optimize or improve its own services, e.g. to technically optimize the dispatch and display of the newsletters or for statistical purposes to determine which countries the recipients come from. However, the dispatch service provider does not use the data of our newsletter recipients to address them itself or to pass them on to third parties.
Registration data: To sign up for the newsletter, it is sufficient to provide your e-mail address.
Statistical collection and analyses: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, is initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include the determination of whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. Rather, the evaluations serve to help us recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The use of the dispatch service provider, performance of the statistical surveys and analyses as well as logging of the registration process, are carried out on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO. Our interest is directed towards the use of a user-friendly as well as secure newsletter system that serves our business interests as well as meets the expectations of the users.
Cancellation/revocation: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. This will simultaneously terminate your consents to its dispatch by the dispatch service provider and the statistical analyses. A separate cancellation of the dispatch by the dispatch service provider or the statistical analysis is unfortunately not possible. A link to cancel the newsletter can be found at the end of each newsletter. If users have only registered for the newsletter and cancelled this registration, their personal data will be deleted.
11. Integration of third-party services and content
Within our online offer, we use content or services offered by third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to the user’s browser. The IP address is thus required for the display of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, and may also be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their content, along with links to their privacy statements, which contain further information on the processing of data and, in part already mentioned here, opt-out options:
Our website uses the web analytics service Hotjar from Hotjar Ltd. Hotjar Ltd. is a European company based in Malta (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe, Tel.: +1 (855) 464-6788).
This tool can be used to track movements on the websites on which Hotjar is used (so-called heat maps). For example, it is possible to see how far users scroll and how often they click on which buttons. The tool also makes it possible to obtain feedback directly from website users. Above all, Hotjar’s services can improve the functionality of the Hotjar-based website by making it more user-friendly, more valuable, and easier to use for end users.
We pay special attention to the protection of your personal data when using this tool. For example, we can only track which buttons are clicked, mouse history, how far users scroll, device screen size, device type and browser information, geographic location (country only) and preferred language to display our website. Areas of the websites in which personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable at any time. In order to exclude a direct personal reference, IP addresses are only stored and processed anonymously. However, Hotjar uses various third-party services such as Google Analytics and Optimizely. It may therefore be the case that these services collect data transmitted by your browser as part of web page requests. This would be, for example, cookies or your IP address. In these exceptional cases, this processing is carried out in accordance with Art. 6 (1) lit. a DSGVO on the basis of the consent you have given for the purpose of statistical analysis of user behavior for optimization and marketing purposes.
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The data will be deleted no later than 12 months after it has been collected.
Hotjar offers each user the option of using a “Do Not Track header” to prevent the use of the Hotjar tool so that no data is recorded about the visit to the respective website. This is a setting that all common browsers support in current versions. To do this, your browser sends a request to Hotjar with the instruction to deactivate the tracking of the respective user. If you use our websites with different browsers/computers, you will have to set up the “Do Not Track header” separately for each of these browsers/computers.
When visiting a Hotjar-based website, you can prevent Hotjar from collecting your data at any time by going to our opt-out page at https://www.hotjar.com/legal/compliance/opt-out/ and clicking Disable Hotjar.
For more information about Hotjar Ltd. and about the Hotjar tool, please visit: https://www.hotjar.com.
To accept and manage contact requests, we use the Freshdesk customer service system (hereinafter “Freshdesk”), a service provided by Freshworks Inc, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (hereinafter “Freshworks”). When you contact us (by e-mail), your details are stored in Freshdesk for the purpose of processing the contact request and handling it.
pay & relax GmbH has concluded an order processing contract with Freshworks for the use of Freshdesk. Through this contract, Freshworks assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The corresponding data processing is based on Art. 6 para. 1 p. 1 lit. b DSGVO and may be necessary for the execution of the contract with you or pre-contractual measures. In addition, the data processing is based on our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate economic interest lies in optimizing the management of contact requests and improving customer care in order to provide our services.
More information about “Freshdesk” and data protection at Freshworks can be found at https://www.freshworks.com/privacy/.
We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (Cloudflare) to increase the security and delivery speed of our website. This corresponds to our legitimate interest (Art. 6 para. 1 lit. f DSGVO). A CDN is a network of globally distributed servers that is able to deliver optimized content to the user. For this purpose, personal data may be processed in server log files by Cloudflare.
Cloudflare is a recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f DSGVO not to operate a content delivery network ourselves.
You have the right to object to the processing. Whether the objection is successful is to be determined as part of a balancing of interests.
The processing of the data provided under this section is not required by law or contract. The functionality of the website is not guaranteed without the processing.
Your personal data will be stored by Cloudflare for as long as necessary for the purposes described.
For more information on objection and removal options vis-à-vis Cloudflare, please visit: Cloudflare DPA
Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf
We use the CRM, sign-up and marketing automation system “HubSpot”, from the provider HubSpot Inc. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA) with offices in Ireland (One Dockland Central, Dublin 1, Ireland) and Germany (Am Postbahnhof 17, 10243 Berlin) based on our legitimate interests (efficient and fast processing of user inquiries, applications and optimization of our online offering). For this purpose, we have concluded a contract with HubSpot with so-called standard contractual clauses, in which HubSpot undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level.
12. Rights of the users
Users have the right to obtain, upon request and free of charge, information about the personal data that we have stored about them.
In addition, users have the right to have inaccurate data corrected, to have processing restricted and their personal data deleted, where applicable to assert their rights to data portability and, if they assume that data is being processed unlawfully, to file a complaint with the competent supervisory authority.
Likewise, users may revoke consents, in principle with effect for the future.
13. Deletion of data
The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations. If the user data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for reasons of commercial or tax law.
According to legal requirements, data is stored for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).
14. Right of objection
Users may object to the future processing of their personal data in accordance with the legal requirements at any time. The objection can be made in particular against processing for purposes of direct advertising.
15. Changes to the data protection declaration
We reserve the right to change the data protection declaration in order to adapt it to changed legal situations, or in the event of changes to the service as well as data processing. However, this only applies with regard to declarations on data processing. Insofar as user consents are required or components of the data protection declaration contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users.
Users are requested to inform themselves regularly about the content of the data protection declaration.