Data protection declaration. Compliance GDPR & CCPA
1. GENERAL INFORMATION
The protection of your personal data is important to us, Xpaiz. Therefore, we would like to offer you comprehensive transparency regarding the processing of your data in our services through this data protection declaration. Only if the processing is comprehensible to you as a data subject are you sufficiently informed about the scope, purposes and benefits of the processing, and only then have we complied with the requirements of the GDPR and CCPA.
The person/team responsible within the meaning of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data protection regulations is:
Hereinafter referred to as “responsible party” or “we”.
2. GENERAL INFORMATION ON DATA PROCESSING
- Information about our authorizations
We process personal data within the legally permissible limits. This means that every data processing operation rests on a legal basis. These legal bases are set out in Art. 6 para. 1 GDPR. Most data processing operations are based on a legitimate interest on our part (Art. 6 para. 1 lit. f GDPR), on processing operations necessary for the performance of the contract (Art. 6 para. 1 lit. b GDPR) or on consent granted by you (Art. 6 para. 1 lit. a GDPR). In the latter case you will be informed separately (e.g. via a cookie banner) of the consent procedure.
Personal data will only be passed on in the cases described below.
We process personal data only for clear purposes (Art. 5 para. 1 lit. b GDPR). As soon as the purpose of the processing ceases to apply, your personal data will be deleted or protected by technical and organisational measures (e.g. by pseudonymisation).
The same applies to the expiry of a prescribed storage period, subject to the cases in which further storage is necessary for the conclusion or fulfilment of a contract. In addition, a legal obligation may arise for longer storage or disclosure to third parties (in particular to law enforcement agencies). In other cases, the storage period, the type of data collected and the type of data processing depend on which Xpaiz functions you use in each individual case. We will be happy to provide you with information on this in individual cases, in accordance with Art. 15 GDPR.
- Information about the technical process of our app
Our app, or more precisely its technical backend (“network”), is connected to various market research companies, marketplaces and enterprises (collectively “marketplaces”). These marketplaces regularly create surveys for their customers (companies) and look for participants for them. To support the marketplaces in this search, we have built our app with the Xpaiz services: we bring the marketplaces that are looking for participants together with the participants, i.e. you.
As a user of the app, you deposit personal data in your user account when creating it and when using it. This personal data is also called “qualifications” in our app, because we have to filter each new survey for which participants are being sought to determine whether you are eligible for it. Either we can determine this from the qualifications you have already provided, or we will ask you to complete some additional qualifications that you can store in your user account. If you are eligible for a survey because the qualifications required by the marketplaces and the qualifications you have stored match, you have the opportunity to participate. If you decide to participate, we will pass on the matching qualifications to the marketplace. The survey itself is conducted either in our app or on the website of the marketplace, the market research company or a company. A link in our app will connect you directly to the survey.
3. DATA PROCESSING IN CONNECTION WITH THE USE OF Xpaiz APP
The use of Xpaiz app with all its functions requires the processing of certain personal data.
3.1 Informational use of the services of Xpaiz app
Purely informational access to Xpaiz app requires the processing of the following personal data and information: the operating system used, the address of the terminal device with which you access Xpaiz app (IP address) and the time of access to Xpaiz app. All this information is automatically transmitted from your app, unless you have configured it in such a way that transmission of the information is suppressed.
These personal data are processed to ensure the functionality and optimization of Xpaiz app, as well as the security of our information technology systems. These purposes are at the same time legitimate interests according to Art. 6 para. 1 lit. f GDPR.
to information according to Art. 15 para. 1 GDPR.
3.2 Contact form / Contact by e-mail
We process the data you provide us with when contacting us for the purpose of answering your enquiry, your e-mail or your request for a callback. Processed data categories are master data, contact data, content data, possibly usage data, connection data and possibly contract data. In individual cases, we forward this data to companies affiliated with us, i.e. only within our company/group. The legal basis of the processing depends on the purpose:
- In principle, it is based on our legitimate interest and thus on Art. 6 para. 1 lit. f GDPR;
- If the aim is to conclude a contract, the authorization is based on Art. 6 para. 1 lit. b GDPR.
3.3 Creation and use of a user account
You can create a user account (hereinafter also referred to as “profile”) in our services in order to use the Xpaiz app services and their features.
Other personal data that you can independently store in your user account or that you will be asked for in the context of the qualification query for a new survey include your age, your location, your gender and, if applicable, other personal characteristics (“qualifications”) required by the survey partners for joining a survey.
When you log in to your profile, Xpaiz app places cookies on your device to allow you to stay logged in – even if you need to reload the app in the meantime. By creating your profile, you can use the functions of Xpaiz app.
The processing procedures connected with the creation and completion of a profile serve the purpose of assigning future usage procedures and enabling access to the entire range of Xpaiz app services. Directly connected with this is, for example, checking whether you are suitable for surveys that we receive from the marketplaces. In order to participate in surveys, you must meet the criteria requested for the specific survey. After receiving the survey, we will check whether you meet the criteria either by asking you (if we have not yet asked you for the criteria of the survey) or automatically (if we have already asked you for them) by comparing the criteria with the information you have provided about yourself. The processing of your data thus serves the implementation of the contract and is therefore purpose-bound and necessary in accordance with Art. 6 para. 1 lit. b GDPR.
The storage of IP address and time of registration is necessary to ensure the security of our information technology systems. This is also in our legitimate interest, which is why the processing is also lawful in accordance with Art. 6 para. 1 lit. f GDPR.
The personal data you enter is stored until your profile at Xpaiz app is deleted, and beyond that only as long as the processing is necessary for possible fulfilment of the contract.
It is not intended to pass on your data to third parties. All checks on the requested criteria in a survey are carried out by us on our servers.
3.4 Processing of payment & provision of credits
To process the payout of credits you receive through participation in surveys in or via our app, we offer various payment methods, some of which use payment service providers such as PayPal. Processed data in this context are usage data, connection data, master data, payment data, contact data or even contract data. The legal basis for the use of payment service providers results from Art. 6 para. 1 lit. b GDPR. We have signed an order processing contract with each of the payment service providers so that the security of the processing of your data is guaranteed at all times. The payment service providers are, in detail:
Payments can be processed with the online payment service PayPal. PayPal makes it possible to make online payments to third parties. The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as your payment method, your data required for the payment process will be automatically transmitted to PayPal. This is regularly the following data:
3.5 Tracking & Tools
Information on the cookies used
Cookies are small files that are stored on your device (computer, tablet or smartphone). When a website is accessed, the cookie stored on a device sends information to the party that placed the cookie.
We distinguish between
- Required cookies, which are absolutely necessary for the technical functions of the app,
- Statistics cookies, which allow us to analyze the use of the app, and
- Marketing cookies, which are placed by advertisers to display advertising that is relevant to your interests.
We offer you the opportunity to choose your preferences regarding functional and marketing cookies when you first visit our app and at any time thereafter.
4. RIGHTS OF DATA SUBJECTS
If your personal data is processed, you are the person concerned within the meaning of the GDPR and you as a user have the following rights vis-à-vis the person responsible:
4.1 Right to information
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by us.
If such processing has taken place, you can request information from the data controller about the following:
- the purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the planned duration of storage of the personal data concerning you or, if it is not possible to give specific details, criteria for determining the duration of storage;
- the existence of a right of rectification or erasure of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- any available information as to the source of the data where the personal data are not collected from the data subject;
- the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing on the data subject.
You have the right to request information as to whether the personal data concerning you are being transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
4.2 Right of rectification
You have the right to ask the data controller to correct and/or complete the data if the personal data processed concerning you is incorrect or incomplete. The data controller shall make the correction without delay.
4.3 Right to limit processing
Under the following conditions, you may request the restriction of the processing of personal data concerning you:
- if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data;
- the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data;
- the controller no longer needs the personal data for the purposes of the processing, but you need the personal data in order to assert, exercise or defend legal claims; or
- if you have lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons given by the controller outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data may be processed, with the exception of storage, only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4.4 Right of cancellation
4.4.1 You may request the controller to delete immediately the personal data concerning you and the controller is obliged to delete such data immediately if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 letter a or Art. 9 para. 2 letter a GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
- The personal data concerning you have been processed unlawfully.
- The deletion of personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning you have been collected in relation to information society services offered, in accordance with Article 8(1) of the GDPR.
4.4.2 If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested them to delete all links to, and copies or replications of, this personal data.
4.4.3 The right of cancellation does not apply where processing is necessary
- for the exercise of the right to freedom of expression and information;
- to comply with a legal obligation which requires processing under Union or national law to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 letters h and i and Art. 9 para. 3 GDPR;
- for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in para. 1 is likely to render the attainment of the objectives of such processing impossible or seriously prejudice it, or
- to assert, exercise or defend legal claims.
4.5 Right to information
If you have asserted the right to rectify, erase or limit the processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.
You have the right vis-à-vis the controller to be informed of these recipients.
4.6 Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. You also have the right to have this data communicated to another controller without interference from the controller to whom the personal data has been communicated, provided that the processing is based on a consent pursuant to Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract pursuant to Art. 6 para. 1 letter b GDPR and the processing is carried out by means of automated procedures.
In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data transferability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4.7 Right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out pursuant to Article 6 paragraph 1 letter e or f GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing, including profiling, insofar as it is linked to such direct marketing.
If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for those purposes.
You have the possibility to exercise your right of objection in relation to the use of information society services, without prejudice to Directive 2002/58/EC, by using automated procedures involving technical specifications.
4.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.
The processing is lawful until your revocation; the revocation therefore only affects the processing after receipt of your revocation. You can informally revoke your consent by mail or e-mail. Your personal data will then no longer be processed, unless another legal basis permits the processing. If this is not the case, your data must be deleted immediately after the revocation in accordance with Art. 17 para. 2 GDPR. Your right to revoke your consent subject to the above-mentioned conditions is guaranteed.
Your revocation must be addressed to:
4.9 Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are resident, in which you work or in which the alleged infringement occurred, if you consider that the processing of personal data concerning you is in breach of the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
5. AUTOMATED DECISIONS IN INDIVIDUAL CASES INCLUDING PROFILING
Automated decisions in individual cases, including profiling, are not carried out.
6. NOTIFICATION OBLIGATIONS OF THE RESPONSIBLE PERSON
If your personal data have been disclosed to other recipients (third parties) for legal reasons, we will inform them of any correction, deletion or restriction of the processing of your personal data (Art. 16, Art. 17 para. 1 and Art. 18 GDPR). The obligation to notify is not applicable if it involves a disproportionate effort or is impossible. We will also inform you of the recipients upon request.