Data protection

The grow.inc spaces GmbH and its subsidiaries (hereinafter jointly referred to as “grow.inc spaces”) are very delighted that you have shown interest in our enterprises and in our joint online appearances.
Data protection is of a particularly high priority for the management of the grow.inc spaces. The use of all Internet pages and social media appearances of the grow.inc spaces is generally possible without the indication of personal data that reveal your identity directly to us and in addition, certain information regarding your end devices or technical equipment are processed in the course of visiting web services which, although it does not allow any direct conclusions to be drawn about your identity, qualify as personal data by law or are protected by law for other legal reasons; however, if a data subject wants to use special services via our websites or our offerings on social media, processing of personal data may become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.

1. Purpose of this Data Protection Notice
This Data Protection Notice generally applies to the online offerings and appearances of grow.inc spaces, which can be accessed on the websites available under the URL "growinc.io" and further URLs, also including its presences on social media, wherever they are linked to this Data Protection Notice (hereinafter jointly referred to as "our website(s)" or as well our “web service(s)”).
As a person affected by data processing through our websites, you are entitled to several rights concerning your personal data under the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection. In particular, you have the legal right to information on your processed personal data and by means of this Data Protection Notice, we would therefore like to inform you comprehensively about the processing of your personal data when using our websites.
Further, you may as well have the rights to deletion and correction of the personal data we may process and to objection against the processing of your personal data. With regard to all your rights and the exercise thereof, please refer to the following section "Rights of Data Subjects" within this Data Protection Notice.
This Data Protection Notice can be retrieved, downloaded and printed out at any time under the URL https://growinc.io/en/legal/cookies. We reserve the right to adapt this Data Protection Notice at any time so that it always meets the current legal requirements or to reflect changes in the application procedure or the like. Since changes in the law or changes in our internal processes may make it necessary to adapt, we ask you to read this Data Protection Notice regularly.

2. Personal data
Personal data is information about personal or factual circumstances of a specific or identifiable natural person. This includes information such as your name, address, telephone number and date of birth, but also data about your specific career, etc., which can be assigned to a specific person with reasonable effort.
Information that is anonymized and not associated with your identity, however, is not personal data.

3. Purposes of the processing of personal data
Some of the personal data and further information we may collect from you is necessary to enable us to provide you with the services you request, to fulfil our contracts with you, to comply with legal requirements or if we have a legitimate interest in the use of your information, for example, when we use your personal data to be able to offer you an extensive and interesting offer via our websites and our web services and to constantly improve these.
When we collect data directly from you, we may ask you for your consent and clearly mark mandatory information (e.g. with an asterisk (*)). You voluntarily provide us with any other information that is not marked.
We will generally collect, process and use the personal data you provide online only within the legal bases provided for within the applicable data protection legislation or within the borders of your consent and as well only for the purposes disclosed to you.

4. General legal bases
The legal bases for the processing of your personal data may be the following:

5. Which personal data is collected and processed?
You can generally browse our websites without providing us with personal data (e.g. name, address, telephone number or e-mail address) that reveal your identity directly to us, unless you make them available to us voluntarily (e.g. for registrations for events, enquiries or surveys) or you have consented to the intended use or otherwise the corresponding legal provisions on the protection of your data permit the specific use of your personal data according to the aforementioned legal bases for specific purposes.
Particularly, your personal data may be used as follows:

6.1 Applications and the application procedures
If you apply to us electronically, i.e. by e-mail or via our web form, we collect and process your personal data for the purpose of handling the application procedure and carrying out pre-contractual measures.

6.1 By submitting an application on our recruiting page and sending us your application documents, you express your interest in joining us to work for our companies and make your personal data available to grow.inc spaces for the purpose of applying for a specific position advertised by us. In this context, you provide us with personal data which we use and store exclusively for the purpose of your job search/application.
In particular, the following data is collected:

6.1.1. Retention of your application data
Your data will generally be stored for a period of 180 days after the end of the application process. As a rule, this is done to fulfil legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymize your data. In this case, the data is only available to us as so-called metadata without direct personal reference for statistical evaluations (for example, proportion of applications regarding gender, number of applications per period, etc.).
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), in this context directed towards the conclusion of an employment contract with you and Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests), in this context, directed at our legitimate interest in being able to defend ourselves in the event of legal claims being brought against us on the basis of general equality legislation. With regard to the processing of (possibly special categories of) personal data provided in addition to the mandatory data, the legal basis is that of Article 6 para. 1 s. 1 lit. a GDPR (which permits data processing on the basis of your consent)

6.1.2. Data processing within the scope of the employment relationship
If you receive and accept an offer of employment with us as part of the application process, we will store the personal data collected during the application process at least for the duration of the employment relationship.
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), in this context directed towards the conclusion of an employment contract with you and Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests), in this context, we use your personal data mainly for the purpose of establishing, implementing and, if necessary, processing and terminating the employment relationship entered into with you. You will be informed in detail about the processing of your personal data and the legal bases thereof within the scope of the employment relationship entered into with the companies of the grow.inc spaces when the employment contract is concluded.

6.2 Contact forms on our websites
For general inquiries and contact requests, please use our contact form at growinc.io or send us an e-mail [email protected] When you contact us via our contact form or via e-mail, we use your personal data exclusively to answer your inquiries according to your requests and to your satisfaction. To do so, we generally process your full name (name and last name) and also e-mail address to reply to your individual inquiry. Further, it is generally your free decision which data you provide to us. However, we may not be able to fulfil your contact request without certain details required in individual cases.
The legal basis for this data processing is that of Article 6 para. 1 s. 1 lit. b GDPR (which permits the processing of data to fulfil a contract or pre-contractual measures), Article 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to safeguard the data controller's legitimate interests) . Our legitimate interest within the meaning of the GDPR is the optimization and fulfilment of our online offers and our web services.

6.3 Server-Log files
Your visit to our websites is automatically logged by our web servers. In connection with the retrieval of the information you requested from our web services, data is collected for the provision of our various services or for evaluation and security purposes and, if necessary, stored in anonymized form (without personal reference). The web servers we use automatically store data about the retrieval of our web services in so-called server log files. These are the following data:

The processing of the above data is done for security purposes, for general fraud prevention and as a precaution against attacks on our web services. An automated combination of this data with data from other data sources does not take place.
If we also automatically log your IP address, this is automatically deleted after 30 days at the latest.
Furthermore, we store the URL accessed with the associated page title and optional information on the page content; information on the terminal device used, operating system and browser. This information is generally transmitted with each individual page request when using the Internet. However, unlike cookies and similar technologies, no information is read from the memory of the user's terminal device and no information is stored on this terminal device.
Since the privacy of our visitors is important to us, this data is processed without being merged with other data provided by you, such as your contact details, and furthermore, data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized immediately after collection by deleting the last number block. No other use, combination with other data or disclosure to third parties takes place.
This data processing is based on the legal basis of Article 6 para.1 s. 1 lit. f GDPR, which allows data processing based on our legitimate interest. Our legitimate interest within the meaning of the GDPR is the optimization and technical security of our online offers and our web services.
Apart from that, only general information is recorded, e.g. when which content from our offer is called up or which pages are visited most frequently, the names of the requested files as well as their call-up date and time. These data are evaluated to improve our offer and do not allow any conclusions about your person. We will not use this information for any other purpose.
The legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f GDPR, which allows the processing of data to protect the legitimate interests of the data controller.

7. Our social media appearances
We maintain publicly available profiles in social networks. The individual social networks we use can be found below.
7.1 Data processing through social networks
Social networks such as Facebook, Twitter etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:
If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.
Using the data collected in this way, the operators of the social media portals can create user profiles in which their preferences and interests are stored. This way you can see interest-based advertising inside and outside of your social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.
Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.
7.2 Legal bases
Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Article 6 para. 1 s. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Article 6 para. 1 s. 1 lit. a GDPR).
7.3 Responsibility and assertion of rights
If you visit one of our social media sites (e.g., Facebook), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g., Facebook).
Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.
7.4 Storage time
The data collected directly from us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage or the purpose for the data storage lapses. Mandatory statutory provisions - in particular, retention periods - remain unaffected.
We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. Particularly cookies and similar techniques stored on your device by the respective social media provider may remain until you delete them (please refer to the following section 8 for further information on the cookies that we use on our website). For details, please contact the social network operators directly (e.g., in their privacy policy, see below).
7.5 Our profiles on individual social networks
Specifically, we maintain profiles on the following social media platforms. For detailed information on the processing of your personal data by their providers, please refer to the respective information and links:
7.5.1. Instagram
We have a profile on Instagram. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.
For details on how they handle your personal information, see the Instagram Privacy Policy: https://help.instagram.com/519522125107875.

8. Anonymous usage evaluations and use of cookies and similar technologies
We do not create personal user profiles. In connection with the viewing of the information you have requested form our websites, data is only stored on our servers in anonymised form for the provision of our various services or for evaluation purposes. In this context, general information in accordance with section 6.3 of this Data Protection Notice is also logged in order to determine the frequency of use and the number of users of our web pages. In this way, we learn which area of our websites our users have visited.
However, this usage data does not contain personal data and does not allow any conclusions to be drawn about the identity of the individual user. All of this anonymised usage data is not combined with your personal data and is deleted immediately after the end of the statistical evaluation.
The legal basis for this data processing is that of Art. 6 para. 1 s. 1 lit. f GDPR (which permits the processing of data to protect the legitimate interests of the data controller).e.g. when which content from our offer is accessed or which pages are visited most frequently.

Our websites do not use cookies or similar technologies. We also do not use any similar technologies ourselves in our social media profiles mentioned in section 7 of this Data Protection Notice.
With regard to the use of such technologies by the respective providers of these social media platforms, we kindly ask you to inform yourself in this regard under the specified information sources supplied by the providers themselves.

9. Period for which the personal data will be stored
We only store personal data that you provide to us for as long as they are needed to fulfil the purposes for which these data were provided or as long as this is required by law:

Generally, we delete or anonymize your personal data from our systems and records, so that you can no longer be identified, when they are no longer needed. We may retain certain personal data in order to comply with our legal and regulatory obligations and to enable us to administer our rights (e.g. to enforce our claims in court), or for statistical purposes (in anonymous form).

10. With whom do we share Personal Data?
If these cases are not listed in this Data Protection Notice, we will not sell or market your personal data to third parties or forward them on for any other reason.
In addition to the other cases mentioned in this Data Protection Notice, your personal data will only be passed on without your express prior consent in the following cases:

11. Who is involved in processing your Personal Data?
We process your personal data collected through the website and may also engage third parties to assist us according to our instructions and therefore, your personal data can also be processed on our behalf by our reliable, external service providers ("contract processors"). We solely rely on trusted and reliable contract processors who conduct a number of business processes on our behalf and only provide them with the information they need to provide their services to us. We make every effort to ensure that all contract providers with whom we work strictly protect your personal data and use them only for the purposes to which we assign them and on our behalf. For example, we can commission the following services for which the processing of your personal data is necessary to our contract processors or our contract processors may be

The legal basis for data transmission is Article 6 para. 1 s. 1 lit. b GDPR, which permits the processing of data in order to fulfil a contract or pre-contractual measures and Article 6 para. 1 s. 1 lit. f GDPR, which permits the processing of data in order to safeguard the data controller's legitimate interests.
We have concluded a contract with all our contract processors on the commissioned data processing on our behalf in accordance with Article 28 GDPR and fully implement the strict requirements of the German data protection authorities when using their services.

12. Data transfers to “Third Countries”
If we process data in a Third Country (i.e., outside the European Union (EU), the European Economic Area (EEA), where the privacy laws may not be as protective as those in your location) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this is only done in accordance with the strict legal requirements of the EU and we ensure that your data is treated in accordance with the provisions of this Data Protection Notice.
Subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognized level of data protection, contractual obligation through the so-called standard protection clauses of the EU Commission (SCC), in the presence of certifications or binding internal data protection regulations according to Articles 44 to 49 GDPR; further information can be found on the websites of the EU Commission under the URL https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en. Where necessary, we and our contract processors will, where applicable, also take supplementary measures to ensure the protection of your privacy rights, the confidentiality of your personal data and compliance with the applicable laws and regulations of the EU.

13. Data Security
We make every effort to take extensive technical and organisational security measures to protect your personal data against unintentional or unlawful deletion, alteration or loss and against unauthorised disclosure or access. All our employees are accordingly bound to secrecy and data protection. Insofar as it is within our sphere of influence, we use modern encryption techniques and a large number of other measures in particular to prevent unauthorised access by third parties. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption exists, the data you exchange with us cannot be read by third parties.
Further, our security precautions are regularly checked and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions for which we are not responsible. In particular, unencrypted data can be accessed by third parties - particularly if this is done by e-mail. We have no technical influence on this. In such cases, it is the responsibility of the user to protect the data provided by him against misuse by encryption or in any other way.

14. Rights of the data subject
If we process personal data as the data controller, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and purpose of the processing, in particular the right of access (Article 15 GDPR), the right to rectification (Article16 GDPR), the right to erasure (‘right to be forgotten’) (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR). If the processing of personal data is based on your consent, you have the right to revoke this data protection consent in accordance with Article 7 para. 3 GDPR.
If you wish to exercise your above rights, please contact us using the contact details given in section 2.
Please note that we may require proof of identity and full details of your request before we can process your request.

15. Right to lodge a complaint with the competent supervisory authorities
In the event of data protection violations on our part, you have a right of appeal to the responsible supervisory authority.

16. Name and Address of the Data Protection Officer
Within our companies, everyone is responsible for privacy and data protection issues. In addition, we have decided to appoint a data protection officer for each of our companies. To ensure the independence of the data protection officer, we have appointed an external data protection officer:
Mr Stephan Krämer, LL.-M. (Attorney at law, Germany) KINAST Rechtsanwaltsgesellschaft mbH Hohenzollernring 54 50672 Cologne
You can contact our data protection officer via his website at http://www.kinast.eu

17. Hyperlinks to other websites
Our websites contain so-called hyperlinks to websites of other providers. When these hyperlinks are activated, you are redirected from our website directly to the websites of other providers. Despite careful control we assume no liability for the content of external links. The operators of the sites we link to are solely responsible for the content of linked pages and any processing of personal data on these websites.

Last updated: March 2022