Privacy policy for the Nelly website
Status: Februar 2024
This privacy policy applies to data processing by Nelly Solutions GmbH ("Controller", "we" or "us") when you visit our website "https://www.getnelly.de/" ("Website").
When you use our website, we process your personal data. Personal data is any information relating to an identified or identifiable natural person. When we process personal data, this means that we collect, store, transmit, delete or otherwise use this data. When processing your personal data, we comply with the applicable data protection laws, in particular the Data Protection Regulation ("DSGVO") and the Federal Data Protection Act ("BDSG").
With the following data protection information, we inform you about the type, scope and purposes of the collection, use and other processing of personal data when using our website.
If there are changes to the data processing carried out by us, we will adapt our data protection information. We therefore ask you to inform yourself regularly about the content of our privacy policy. If the change requires an act of cooperation on your part, such as consent, or other individual notification, we will inform you.
1. Controller for data processing
Nelly Solutions GmbH is responsible for the processing of your data;
address: Spreeufer 3, 10178 Berlin
E-mail: info@nelly-solutions.com
2. Data protection
If you have any questions about data protection or wish to exercise your rights under section 8 of this privacy policy in connection with the use of our website, you can contact us at any time:
Name: Mr. Martin Bastius
E-mail address: datenschutz@heydata.eu
3. Collection and storage of personal data as well as the type and purpose of their processing and the relevant legal basis
In the following, we will inform you about which personal data we process when you visit our website. We also explain the purpose for which we process your data and the legal basis on which we do so. Insofar as the processing of personal data is based on Art. 6 para. 1 sentence 1 lit. f) GDPR, the purposes mentioned also represent our legitimate interests.
4. Accessing the website
When you visit our website to use it for information purposes, we collect, store and process so-called "log data". We store these temporarily and anonymized as so-called server log files on our web server in order to ensure the display of our website and its stability and security.
This concerns, for example:
operating system and information on the Internet browser used, including installed add-ons;
IP address (Internet Protocol address) of the end device from which the online offer is accessed;
Internet address of the website from which the online offer was accessed (so-called origin or referrer URL);
Name of the service provider used to access the online service;
Name of the files or information accessed;
Date and time and duration of access. Processing is carried out on the basis of a balancing of interests in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR, which always takes your interests into account.
5. Use of the software
As a processor for the practices, we may process the following data from you:
Name
Address
If applicable, bank details
Medical history data
Date and signature
Contact details
Contract data
The controller within the meaning of the GDPR for this data is your practice / your attending physician.
6. Contact form
When you use our contact form on our website, we collect the following data from you:
Your name;
Your email address;
The data will only be used to answer your questions. The data will not be passed on to third parties unless this is expressly stated in this privacy policy. We process the aforementioned data in order to answer the questions or inquiries submitted via the contact form. The legal basis for data processing is therefore our legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.
7. Data processing for personal contact
If you give us your express consent, we will send you information about our offers and services by e-mail or call you for these purposes. For this purpose, we process your name, your telephone number and your e-mail address. If you register to receive the aforementioned information, we use the so-called double opt-in procedure. This means that after you have registered with your e-mail address, we will send you an e-mail to the e-mail address provided in which we ask you to confirm that you actually wish to receive the information. The legal basis for sending our information is Art. 6 para. 1 lit. a) GDPR.
8. Website optimization, Analysis and Marketing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on your computer. The cookie contains a string of characters that enables your system to be uniquely identified when you return to the website.
Most of the cookies we use ("session cookies") and the data stored and transmitted in them are automatically deleted at the end of your visit. Other cookies ("persistent cookies") remain stored on your end device until you delete them.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. You can delete cookies that have already been saved at any time. If cookies are deactivated, the functionality of the website may be restricted.
Some elements of our website require that the accessing browser can be identified even after a page change. Cookies may be stored for this purpose, which enable us to recognize your browser on your next visit.
If personal data is processed by the cookies, we process this on the basis of a balancing of interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, which always takes your interests into account.
9. Analysis and marketing cookies
When you visit our website, cookies are also set that enable your use of the website to be analyzed for reach measurement and advertising purposes ("analysis cookies").
We use analysis cookies exclusively on the basis of your consent in accordance with § 25 para. 1 TTDSG and Art. 6 para. 1 subpara. 1 lit. a GDPR via our cookie banner. You can also access further information about the cookies we use via our cookie banner. You can also revoke your consent to the processing of your data by analysis cookies at any time via the cookie banner.
10. Google Analytics, Google Tag Manager and Google AdWords
To analyze your use of our website, we use "Google Analytics" together with the "Google Tag Manager" and "Google Adwords", services of companies of the Google LLC Group, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), on the basis of a contract for commissioned data processing in accordance with Art. 28 GDPR. Google uses cookies. The information generated by cookies about your use of our website is usually transmitted to a Google server in the USA and stored there. The storage of cookies and the use of this analysis tool are based on your express consent in accordance with Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TTDSG. Your consent can be revoked at any time.
We have activated the IP anonymization function. This means that your IP address will be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity and providing us with other services relating to website activity and internet usage.
You have the option of preventing the storage of cookies by changing the settings of your browser software accordingly. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
For more information on the processing of user data by Google Analytics, please refer to Google's privacy policy at: https://support.google.com/analytics/answer/6004245?hl=en.
11. LinkedIn Insight Tag
Our website uses the conversion tool "LinkedIn Insight Tag" from LinkedIn Ireland Unlimited Company, 70 Sir John Rogerson's Quay, Dublin 2, Dublin. This tool sets a cookie in your web browser, which enables the following data to be collected: IP address, device and browser properties and page events (e.g. page views). This data is encrypted, anonymized within seven days, and the anonymized data is deleted within 90 days. LinkedIn does not share any personal data with us, but offers anonymized reports on website audience and ad performance. In addition, LinkedIn offers the option of retargeting via the Insight Tag. We can use this data to display targeted advertising outside the website without identifying you as a visitor to the website. For more information on data protection at LinkedIn, please refer to LinkedIn's privacy policy.
LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight tag on our website ("opt-out"), click here.
12. Meta
We also use tracking cookies from Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ("Meta") to analyze your use of the website. Through the marketing tools used, your browser automatically establishes a direct connection with the Meta server. We have no influence on the scope and further use of the data collected by Meta through the use of this tool and therefore inform you according to our level of knowledge: By integrating the Meta pixel, Meta receives the information that you have called up the corresponding website of our Internet presence or clicked on an advertisement from us. If you are registered with a Meta service, Meta can assign the visit to your account. Even if you are not registered with Meta or have not logged in, it is possible that the provider will learn and store your IP address and other identifying features.
In this context, we process your data as joint controllers with Meta. For information on Meta's data processing, including the legal basis on which Meta relies and the possibilities for asserting the data subject's rights against Meta, please refer to Meta's Privacy Notice. When processing as joint controllers, we have entered into an agreement with Meta to determine the respective responsibilities for compliance with the obligations under the GDPR in relation to joint processing (https://www.facebook.com/legal/controller_addendum), under which Meta Ireland is responsible, in particular between the parties, for enabling the rights of data subjects under Articles 15-20 of the GDPR in relation to the personal data stored by Meta following joint processing.
13. Mouseflow
Our website uses Mouseflow, a web analysis tool from Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. The web analysis tool Mouseflow records randomly selected individual visits (only with anonymized IP addresses). This creates a log of mouse movements and clicks with the intention of randomly playing back individual website visits and deriving potential improvements for the website. The data collected with Mouseflow will not be used to personally identify the visitor to this website and will not be merged with personal data about the bearer of the pseudonym without the separately granted consent of the person concerned. If personal data is collected in the course of this, this is only done on the basis of your express consent in accordance with Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TTDSG.
Your consent can be revoked at any time. Further information on data protection at Mouseflow can be found at: https://mouseflow.com/legal/.
14. Data recipients
In addition to the service providers mentioned in section 3.4, we use other services from external service providers (IT providers, transport companies, payment service providers) to process your personal data. Some of these third parties act as their own controllers under data protection law, while others act as processors on our behalf and in accordance with our instructions pursuant to Art. 28 GDPR.
15. Aircall
We use Aircall, a technology from Aircall, 42, rue du Faubourg Poissonniere, 75010, Paris, France, to communicate by telephone. Your contact details are processed in the process. We have concluded an order processing contract with Aircall in accordance with Art. 28 GDPR. The processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 f) GDPR.
Further information on data protection at Aircall can be found at https://aircall.io/privacy/.
16. Amazon Web Services
We process the data stored by us on servers of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, Luxembourg, L-1855, Luxembourg ("AWS"). We store both data that you enter yourself on our website on the AWS servers (registration data such as e-mail address) and data that we automatically collect from you when you visit our website (such as your IP address and your location). We have concluded an order processing contract with AWS in accordance with Art. 28 GDPR. Your personal data is stored exclusively on servers in Frankfurt and is therefore not transferred to data recipients outside the European Union.
Further information on data protection at AWS can be found at https://aws.amazon.com/de/compliance/germany-data-protection/.
17. Hubspot
We use the HubSpot service for various purposes. HubSpot is a technology of Hubspot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include: analytics cookies, email marketing, social media publishing & reporting, reporting, calendar management, contact management (e.g. user segmentation & CRM), and live chat. The following of your information may be stored on the servers of our software partner HubSpot when HubSpot tracks or enters your data: Contact details, IP address, device identifier, operating system, geographic location. They can be used by us to contact visitors to our website and to determine which of our company's services are of interest to them. We have concluded an order processing agreement with HubSpot in accordance with Art. 28 GDPR. The legal basis for this is your express consent in accordance with Art. 6 para. 1 lit. a) for tracking and Art. 6 para. 1 lit. f) GDPR for the legitimate interest in using a CRM system. You can revoke your consent at any time.
Further information on HubSpot's data protection can be found at: https://legal.hubspot.com/de/privacy-policy.
18. Lever
We use the service of Lever Inc. 989 Market Street, #500 San Francisco, CA 94103 for your applications to us. We have concluded an order processing contract with Lever in accordance with Art. 28 GDPR. As part of the application process, we may process the following data from you First name, last name, e-mail address, telephone number and any attachments such as CV, cover letter. The legal basis for the processing of your data and application documents is Art. 6 para. 1 sentence 1 lit. b) and Art. 88 para. 1 GDPR in conjunction with Section 26 para. 1 sentence 1 BDSG.
Further information on data protection at Lever can be found at: https://www.lever.co/privacy/.
19. Webflow
We use Webflow, a website construction kit system, for our website. The service provider is the American company Webflow, Inc. 398 11th St., Floor 2, San Francisco, CA 94103, USA Webflow uses so-called standard contractual clauses (= Art. 46. para. 2 and 3 GDPR) as the basis for data processing or data transfer. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, Webflow undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA.
20. Stripe
If you pay via our software, the payment is processed via the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, ("Stripe"). We transmit to Stripe the information you provide during the process together with information about your payment (name, address, credit card information, invoice amount, currency and transaction number). Your data will only be passed on for the purpose of payment processing with Stripe and only to the extent that it is necessary for this purpose. The data entered will only be processed by Stripe and stored by Stripe. This means that we do not receive any account or credit card-related information, but only information with confirmation or negative information about the payment.
The transmission of your data to Stripe is necessary for the processing of the contract with you and is therefore based on Art. 6 para. 1 lit. b) GDPR.
You can find more information on Stripe's data protection at: https://stripe.com/de/privacy#translation.
21. Security of the website
We use suitable technical and organizational security measures to protect stored personal data against manipulation, partial or complete loss and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is stored exclusively on servers hosted in the EU that are certified in accordance with DIN ISO/IEC 27001 (as amended).
22. Is your data transferred to third countries or international organizations?
Google: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Hubspot: 25 First Street, 2nd Floor, Cambridge, MA 02141, USA.
Lever: 1125 Mission Street, San Francisco, CA 94103, USA.
Meta: 1 Hacker Way, Menlo Park, CA 94025, USA.
Webflow: 398 11th Street, Floor 2, San Francisco, CA 94103, USA.
In the context of the transfer of personal data to a third country, we will regularly ensure through suitable guarantees, for example by concluding the standard contractual clauses of the European Commission, that data is only transferred to a third country on the basis of a level of protection corresponding to the GDPR.
Insofar as the use of the data mentioned under 6.1, data is transferred to a third country, in particular the USA, for which there is no adequacy decision by the Commission, this is done on the basis of standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR in conjunction with appropriate technical and organizational measures to protect your data.
A copy of the standard contractual clauses or further information on the standard contractual clauses used is available at further information on the standard contractual clauses used can be downloaded from the respective websites of the service providers we use:
Google: https://privacy.google.com/businesses/processorterms/mccs/
Hubspot: https://legal.hubspot.com/dpa
Lever: https://www.lever.co/wp-content/uploads/2021/09/Lever-DPA_Presigned_September2021.pdf
Meta: https://www.facebook.com/privacy/policy/
Prismic: https://prismic.io/security
23. When do we delete your data?
We delete your data when it is no longer required for the purposes for which it was originally collected.
Irrespective of this, we store your data processed when you purchase our products or use our services until the expiry of the statutory or possible contractual warranty rights. After expiry of this period, we retain the information required under commercial and tax law for the contractual relationship for the periods specified by law. For this period, the data will only be processed again in the event of a review by the tax authorities.
24. Your rights
With regard to our processing of your personal data, you are entitled to the following rights free of charge:
1. Right to information in accordance with Art. 15 GDPR
You have the right to obtain information from us as to whether and what data we process about you. This also includes information on how long and for what purpose we process the data, from which source it originates and to which recipients or categories of recipients we pass it on. We can also provide you with a copy of this data.
2. Right to rectification pursuant to Art. 16 GDPR
You have the right to obtain from us without undue delay the rectification of inaccurate or no longer accurate personal data concerning you. You can also request that we complete your incomplete personal data. If this is required by law, we will also inform third parties about this correction if we have passed on your personal data to them.
3. Right to erasure pursuant to Art. 17 GDPR
You have the right to obtain from us the erasure of your personal data without undue delay where one of the following appliesYour data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or the purpose has been achieved;
You withdraw your consent and there is no other legal basis for the processing;
You object to the processing and there are no overriding legitimate grounds for the processing; in the case of the use of personal data for direct marketing purposes, a mere objection on your part to the processing is sufficient;
your personal data have been unlawfully processed;
the erasure of your personal data is necessary for compliance with a legal obligation under European Union law or the law of a Member State to which we are subject.Your right to erasure may be restricted on the basis of statutory provisions. This includes in particular the restrictions listed in Art. 17 GDPR and Section 35 BDSG.
4. Right to restriction of processing pursuant to Art. 18 GDPR
You have the right to obtain from us restriction of processing of your personal data where one of the following grounds applies
You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
we no longer need your personal data for the purposes of the processing;
however, you need them for the establishment, exercise or defense of legal claims, or
you have objected to processing pending the verification whether our legitimate grounds override yours.
If you have obtained a restriction of processing in accordance with the above list, we will inform you before the restriction is lifted.
5. Right to data portability pursuant to Art. 20 GDPR
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller. The exercise of this right does not affect your right to erasure.
6. Right to object in accordance with Art. 21 GDPR
In accordance with Art. 21 GDPR, you have the right to object to the processing of your data at any time for reasons arising from your particular situation if we base this processing on legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR. If you object, we will no longer process your personal data, except in two cases:
we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
the processing is for the establishment, exercise or defense of legal claims.
In particular, if we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.
7. Right to withdraw consent in accordance with Art. 7 GDPR
You can withdraw the consent you have given us at any time with effect for the future. This revocation can be made in the form of an informal message to the above-mentioned contact addresses. If you withdraw your consent, this will not affect the lawfulness of the data processing carried out up to that point.
8. Right to lodge a complaint with the supervisory authority
If you believe that the processing of your data by us violates applicable data protection law, you have the right to lodge a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Phone: 030 13889-0
Fax: 030 2155050
Email: mailbox@datenschutz-berlin.de
You can also lodge a complaint with the data protection supervisory authority responsible for you at your place of residence. You can find an overview of data protection supervisory authorities at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
25. Automated decisions in individual cases including profiling in accordance with Art. 22 GDPR
We do not process your data for automated decisions in individual cases, including profiling within the meaning of Art. 22 GDPR.