Legal
Data protection
Hoodie Hoo Agency GmbH
Max-Keith-Straße 29
45136 Essen
GERMANY
1. Introduction
Below we inform about the processing of personal data when using our mobile app (hereinafter only "app").
Personal data is all data that can be related to a specific natural person, e.g. their name or their IP address.
1.1. Contact details
The controller pursuant to Art. 4 para. 7 EU General Data Protection Regulation (GDPR) is Hoodie Hoo Agency GmbH, Max-Keith-Straße 29, 45136 Essen, Germany, Email: hello@hoodiehoo.com. We are legally represented by Johannes Kautz.
Our data protection officer is heyData GmbH, Kantstr. 99, 10627 Berlin, www.heydata.eu, Email: datenschutz@heydata.eu.
1.2. Scope of data processing, processing purposes and legal bases
We provide detailed information on the scope of data processing, processing purposes and legal bases below. As a legal basis for data processing, the following generally come into consideration:
● Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.
● Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. when a user purchases a product from us or we perform a service for him. This legal basis also applies to processing operations that are necessary for pre-contractual measures, such as inquiries about our products or services.
● Art. 6 para. 1 sentence 1 lit. c GDPR applies when we fulfill a legal obligation in the processing of personal data, as may be the case, for example, in tax law.
● Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis when we can refer to legitimate interests in the processing of personal data, e.g. for cookies that are necessary for the technical operation of our website.
1.3. Data processing outside the EEA
To the extent that we transmit data to service providers or other third parties outside the EEA, we guarantee the security of the data when it is transferred, insofar as (e.g. for the UK, Canada, and Israel) there are adequacy decisions of the EU Commission (Art. 45 para. 3 GDPR).
If there is no adequacy decision (e.g. for the USA), the legal basis for the data transfer is generally, unless we provide a different indication, standard contractual clauses. These are a set of rules adopted by the EU Commission and are part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they ensure the security of the data transfer. Many of the providers have given contractual guarantees that go beyond the standard contractual clauses and protect the data beyond the standard contractual clauses. These include, for example, guarantees regarding the encryption of the data or regarding an obligation of the third party to notify data subjects if law enforcement agencies want to access the data.
1.4. Storage period
Unless expressly stated otherwise in this data protection declaration, the data stored by us will be deleted as soon as it is no longer necessary for its intended purpose and there are no legal retention obligations preventing deletion. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that we are required to keep for commercial or tax law reasons.
1.5. Rights of data subjects
Data subjects have the following rights regarding their personal data:
● Right to information,
● Right to correction or deletion,
● Right to restriction of processing,
● Right to object to processing,
● Right to data portability,
● Right to revoke consent at any time.
Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data.
1.6. Obligation to provide data
Customers, prospects, or third parties only need to provide us with personal data that is necessary for the establishment, execution, and termination of a business relationship or other relationship, or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or provide a service or will no longer be able to carry out an existing contract or other relationship.
Mandatory information is marked as such.
1.7. Automated individual decision making
In establishing and conducting a business relationship or other relationship, we generally do not use fully automated decision-making processes in accordance with Article 22 GDPR. If we use these procedures in individual cases, we will provide separate information about this, if required by law.
1.8. Contact
When contacting us, for example by e-mail or telephone, the data provided to us (e.g. names and e-mail addresses) will be stored by us to answer questions. The legal basis for processing is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in answering inquiries addressed to us. We delete the data accrued in this context once its storage is no longer necessary or restrict the processing if there are legal retention obligations.
2. Data processing in the app
2.1. Downloading the app
Our app is available for download from Apple's App Store and Google's Play Store (hereinafter "stores"). When users download the app, the necessary information is transmitted to the stores, in particular the user's name, e-mail address, and customer number of the account, the time of the download, payment information, and the individual device identifier. We have no influence on this data collection and are not responsible for it. We only process the data to the extent necessary to download the mobile app to the user's mobile device.
2.2. Hosting
Our app is hosted by the provider Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA (Data protection declaration: https://aws.amazon.com/de/privacy/?nc1=f_pr.). The provider processes the personal data transmitted via the app, e.g. content, usage, meta/communication data, or contact data. It is our legitimate interest to provide an app, so the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
2.3. Informational use of the app
When users use our app, we collect the data that is technically necessary for us to offer users the functions of our app and to ensure stability and security. This is our legitimate interest, so the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.
The data processed in this respect is:
● IP address
● Date and time of the request
● Time zone difference to Greenwich Mean Time (GMT)
● Content of the request (specific page)
● Access status/HTTP status code
● Amount of data transmitted in each case
● Browser
● Operating system and its surface
● Language and version of the browser software
2.4. Access to functions or data
The app requests access from the user to functions of the mobile device or to data of the mobile device in order to be able to execute app functions. By granting access, the user consents to the associated data processing, so the legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR. Users can revoke their consent at any time by ending access in the settings of the mobile device. Revocation does not affect the lawfulness of processing until revocation.
The functions or data processed in this respect are:
● Camera
● existing photo shoots
● Sending notifications
2.5. Data processing to provide functions
In the app, we process data to provide users with app functions. The legal basis for processing is the user agreement concluded with the user for the app.
The data processed in this respect is the Universal Unique Identifier of the mobile device (UUID).
2.6. User account
Users can open a user account in the app. We process the data requested in this context to fulfill the user agreement concluded for the account, so the legal basis for processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
2.7. Single sign-on
Users can log into our app using one or more single sign-on methods. They use the log-in data already created for a provider. The condition is that the user is already registered with the respective provider. When a user logs in using a single sign-on method, we receive information from the provider that the user is logged in with the provider and the provider receives information that the user is using the single sign-on method on our website. Depending on the user's settings in his account on the provider's page, additional information may be provided to us by the provider. The legal basis for this processing is the user agreement between the user and the provider.
Providers of the offered methods are:
● Apple Inc., Infinite Loop, Cupertino, CA 95014, USA (Data protection declaration: https://www.apple.com/legal/privacy/de-ww/).
● Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Data protection declaration: https://policies.google.com/privacy).
2.8. Purchasing goods
We offer the option to purchase goods through our app. In the ordering process or shipping, we involve the following service providers, who only receive the personal data necessary to provide a service. The processing of the data is carried out to fulfill the contract concluded with the respective user (Art. 6 para. 1 sentence 1 lit. b GDPR).
2.9. Payment service providers
We use payment processors to process payments, who are themselves data controllers within the meaning of Art. 4 No. 7 GDPR. If they receive data and payment data entered by us in the ordering process, we fulfill the contract concluded with our customers (Art. 6 para. 1 sentence 1 lit. b GDPR) thereby.
These payment service providers are:
● American Express Europe S.A.
● Apple Inc., USA (for Apple Pay)
● Mastercard Europe SA, Belgium
● PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
● Stripe Payments Europe, Ltd., Ireland
● Visa Europe Services Inc., United Kingdom
3. Changes to this data protection declaration
We reserve the right to change this data protection declaration for the future. The current version is always available here.
4. Questions and comments
For questions or comments regarding this data protection declaration, we are available at the contact details provided above.