Data protection declaration for the insight.out website www.testbox.de

I. General Information

insight.out GmbH, Hauptstraße 101, 67433 Neustadt an der Weinstraße places great importance on the protection of personal data of the users of the website www.testbox.de. Below we would like to inform you in detail about which data we collect from you when you visit our website and use our offers there, how we process or use them, and what rights you have in this regard.

Your personal data will only be processed by us on the basis of the legal data protection regulations, i.e. the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG-new) and the Telemedia Act (TMG).

The scope of the data collected and processed by us depends on whether you only visit our website to retrieve information or also use services offered by us on our website.

II. Person responsible

The person responsible within the meaning of the General Data Protection Regulation as well as other data protection regulations is:

insight.out GmbH, Hauptstraße 101, 67433 Neustadt an der Weinstraße, represented by the managing director Franca A. Rupprecht.

Phone: +49 631 3437 7637

Email: info@insio.de

III. Our data protection officer

The data protection officer of the controller is:

Mr. Lawyer Oliver Pikolleck,
External Data Protection Officer (Tüv-cert.)
HiLevDATA GmbH & Co. KG

Contact: pikolleck@hiLevDATA.de

Any data subject may, at any time, directly contact our data protection officer with all questions and suggestions regarding data protection.

IV. Definitions

Our privacy policy uses the terminology of the EU General Data Protection Regulation (GDPR), which we would like to explain briefly for you to make it easier to understand. You can find these and other definitions in Art. 4 GDPR.

1. Personal data

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Data subject

"Data subject" means any identified or identifiable natural person whose personal data is processed by the controller.

3. Processing

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Restriction of processing

"Restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future.

5. Pseudonymization

"Pseudonymization" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

6. Controller

"Controller" means the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

7. Processor

"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

8. Recipient

"Recipient" means a natural or legal person, public authority, agency, or another entity to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be considered recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

9. Third party

"Third party" means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

10. Consent

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

V. General Information on Data Processing

1. Categories of Personal Data

We process the following categories of personal data:

• Master data (e.g. names, addresses, functions, organizational affiliation, etc.);
• Contact data (e.g. email, telephone/fax numbers, etc.);
• Content data (e.g. text entries, image files, videos, etc.);
• Usage data (e.g. access data);
• Meta/communication data (e.g. IP addresses)
• If applicable, special categories of data pursuant to Art. 9 GDPR (e.g. inquiry of health data, etc.).
2. Recipients or categories of recipients of personal data

If, as part of our processing, we disclose data to other persons and companies such as web hosts, contract processors or third parties, transmit it to them or grant them access to the data in any other way, this will only be done on the basis of a legal permission (e.g. if a transfer of the data to third parties pursuant to Art. 6 para. 1 lit. b GDPR is necessary for the performance of a contract), if the data subjects have consented to this or if there is a legal obligation to do so.

3. Duration of storage of personal data

The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of the period, the corresponding data will be deleted if they are no longer required for the achievement of the purpose, the fulfillment of the contract, or the initiation of a contract.

4. Transfers to third countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs as part of the use of third-party services or disclosure or transmission of data to third parties, this will only be done to fulfill our (pre-)contractual obligations, based on your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will process the data in a third country only if the special requirements of Art. 44 ff. GDPR are met, i.e., the processing is based, for example, on special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

VI. Data Processing During Visits to Our Website

1. Log Files

Every time a data subject accesses our website, general data and information are stored in the log files of our system:

• Date and time of access (timestamp);
• Request details and target address (protocol version, HTTP method, referer, user agent string);
• Name of the accessed file and amount of transferred data (requested URL including query string, size in bytes);
• Message indicating whether the access was successful (HTTP status code).

When using this general data and information, we do not draw any conclusions about the data subject. There is no personal evaluation or analysis of the data for marketing purposes or profiling. The legal basis for the temporary storage of data is Art. 6 para. 1 lit. f GDPR. The collection of data for the provision of the website and the storage of data in log files is necessary for the secure operation of our website. Therefore, there is no possibility of objection on the part of the data subject.

2. Malware detection and log data analysis

We collect log data that accumulates during the operation of communication technology in our company and automatically analyze it, insofar as this is necessary to detect, narrow down, or eliminate disruptions or errors in communication technology or to defend against attacks on our information technology or to detect and defend against malware.

The legal basis for the temporary storage and evaluation of data is Art. 6 para. 1 lit. f GDPR. The storage and evaluation of the data is essential for the provision of the website and for its secure operation. Consequently, there is no possibility of objection on the part of the data subject.

3. Cookies

We use so-called cookies on our website. Cookies are small text files that are exchanged between the web browser and the hosting server. Cookies are stored on the user's computer and transmitted to our site. In the web browser you are using, you can restrict or prevent the use of cookies through appropriate settings. Stored cookies can be deleted at any time. If cookies are disabled for our website, this may result in the website not being displayed or used to its full extent.

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.

4. Hosting

The hosting services we use are for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use to operate our website.

In this context, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of users of our website based on our legitimate interests in an efficient and secure provision of this online offering pursuant to Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

5. Use of login/registration function

Our website offers you the possibility to register and create an account. The data you enter for this purpose will only be collected and stored for the use of our service. Your data will not be disclosed to third parties.

6. Data processing in the context of using the demo version

Our website offers you the possibility to test our service in a demo version. The data you enter for this purpose (email address, password, profession) will only be collected and stored for the use of our service. Your data will not be disclosed to third parties. Providing additional information is optional.

7. Payment processing via Unzer

If you choose to pay by invoice, credit card, direct debit, PayPal, GiroPay or Sofortüberweisung on our website, the payment will be processed through Unzer E-Com GmbH. Unzer E-Com GmbH, Vangerowstraße 18, 69115 Heidelberg, is a payment service provider and certified according to the Payment Card Industry Data Security Standard (PCI DSS). For more information, visit https://www.unzer.com.

1. For payment by credit card via Unzer, the payment data collected during the ordering process will be transmitted to Unzer E-Com GmbH for the purpose of processing the payment. To the extent necessary, Unzer E-Com GmbH will pass on the data to Unzer Luxembourg S.A., 1 Place du Marché, L-6755 Grevenmacher, Luxembourg, which collects the corresponding payments from the card companies.
2. When paying with Sofortüberweisung, the online payment system of SOFORT GmbH, Theresienhöhe 12, 80339 Munich, the online banking data (PIN and TAN) entered by you in the digital transfer form provided by SOFORT GmbH during the ordering process are transmitted in encrypted form to your bank for the purpose of executing the transfer. Your online banking data is neither stored by us nor by SOFORT GmbH. Sofort GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden). You can access the privacy policy through the following link: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy .
3. For payment with the online payment service PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, your data required for the payment process (name, address, company, email address, telephone number, and IP address) will be automatically transmitted to PayPal.

   The data transmitted to PayPal may be forwarded by PayPal to credit reporting agencies. This transmission is for the purpose of verifying your identity and creditworthiness. PayPal may also disclose your data to third parties to the extent necessary for the fulfillment of contractual obligations or if the data is to be processed on behalf of third parties. For the privacy policy, please follow the link below: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/ .

4. When paying with the payment service of GiroPay GmbH, An der Welle 4, 60322 Frankfurt/Main, Germany, GiroPay collects various transaction data and forwards it to the bank with which you are registered with GiroPay. In addition to the data required for the payment, GiroPay may collect additional data such as your shipping address or individual items in the shopping cart as part of the transaction processing. GiroPay then authenticates the transaction using the authentication method deposited with the bank. The payment amount is then transferred from your account to our account. Neither we nor any third party has access to your account information.

   For the privacy policy, please follow the link below: https://www.giropay.de/rechtliches/datenschutz-agb/ .

5. The legal basis for data processing is Art. 6 para. 1 b) GDPR, as the processing of data is necessary for payment with PayPal and thus for the performance of the contract.

   When purchasing on account and by direct debit via Unzer, you will be subjected to a check by a credit agency commissioned by Unzer E-Com GmbH on our behalf using mathematical-statistical procedures (credit check/scoring). Your data required for the credit check (name, postal address, e-mail address, telephone number and date of birth) will be transmitted to Unzer E-Com GmbH, which may pass on the data to the following credit agencies for the purpose of credit checking.

   The legal basis for data processing for the purpose of credit checking is Art. 6 para. 1 f GDPR. It is our legitimate interest to check your creditworthiness and thus protect ourselves against financial loss. You can object to data processing for the purpose of credit checking at any time by informing us via the contact options listed below or by contacting Unzer. Further information can be found at https://www.un-zer.com/de/datenschutz/ .

8. Social Media

We do not use social media plugins on our website, but rather social bookmarks (these are links to the corresponding services). If the graphic embedded by the user is clicked, the user will be redirected to the page of the respective provider. We would like to point out that as the provider of our website, we have no knowledge of the data transmitted to and used by the respective social media channel.

9. Integration of YouTube videos

We use the platform YouTube.com to upload and make our own videos publicly accessible. YouTube is an offer of a third party not affiliated with us, namely YouTube LLC.

Some pages of our website contain links or connections to YouTube's platform. In general, we are not responsible for the content of websites that are linked to. In case you follow a link to YouTube, we would like to point out that YouTube stores user data (such as personal information, IP address) according to their own data usage policies and uses them for business purposes.

We have embedded YouTube videos into our online offering, which are stored on http://www.YouTube.com and can be played directly from our website. They are all embedded in "extended privacy mode," which means that no data about you as a user is transmitted to YouTube unless you play the videos. Only when you play the videos, the data mentioned in paragraph 2 is transmitted. We have no control over this data transmission.

By visiting the website, YouTube receives information that you have accessed the corresponding subpage of our website. In addition, the aforementioned server data is transmitted. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not wish to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for purposes of advertising, market research, and/or customized design of its website. Such evaluation takes place in particular (even for non-logged-in users) for the provision of customized advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, but you must contact YouTube to exercise this right.

Further information on the purpose and scope of data collection and its processing by YouTube can be found in the privacy policy. There, you will also find further information on your rights and options for protecting your privacy: https://www.google.de/intl/de/policies/privacy .

VII. Data processing in the context of contacting us

1. Contacting us by email

Contacting our company by email is possible using the email addresses published on our website.

If you use this contact method, the data you transmit (e.g. name, address), at least the email address, as well as the information contained in the email including any personal data transmitted by you, will be stored for the purpose of contacting you and processing your request. In addition, the following data is collected by our system:

• IP address of the computer used to make the request;
• Date and time of the email.

The legal basis for processing personal data in the context of emails sent to us is Art. 6 para. 1 lit. b or lit. f GDPR.

2. Contact via website contact form

If you use the contact form provided on our website to communicate with us, your email address is required. Without this data, we cannot process your request submitted via the contact form. The address field is optional and allows us to process your request by postal mail if desired.

In addition, the following data is collected by our system:

• IP address of the calling computer;
• Date and time of registration.

The legal basis for processing personal data in the context of emails transmitted to us is Article 6(1)(b) or (f) GDPR.

3. Contact by letter and fax

If you send us a letter or a fax, the data transmitted by you (e.g. name, first name, address) and the information contained in the letter or fax, including any personal data transmitted by you, will be stored for the purpose of contacting you and processing your request.

The legal basis for processing personal data in the context of letters and faxes transmitted to us is Article 6(1)(b) or (f) GDPR.

VIII. Your rights

As a data subject, you have the following rights in connection with the processing of your personal data:

1. Right to information
2. (1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
   1. The purposes of the processing;
   2. The categories of personal data being processed;
   3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
   4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   5. the right to correction or deletion of their personal data or to restriction of processing by the controller or the right to object to such processing;
   6. the right to lodge a complaint with a supervisory authority;
   7. if the personal data was not obtained from the data subject, all available information on the origin of the data;
   8. the existence of automated decision-making, including profiling, pursuant to Art. 22 para. 1 and para. 4 GDPR, and - at least in these cases - meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

   (2) If personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

3. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4. Right to erasure

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based according to Art. 6(1) lit. a) or Art. 9(2) lit. a) GDPR, and where there is no other legal ground for the processing.
3. The data subject has objected to the processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
4. The personal data have been unlawfully processed.
5. Deletion of personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
6. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

(2) If the controller has made the personal data public and is obligated pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the implementation costs, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary

1. for the exercise of the right to freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h) and i) as well as Art. 9 para. 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 para. 1, to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
5. for the establishment, exercise or defence of legal claims.
5. Recht auf Einschränkung der Verarbeitung

(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
4. the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

(2) If processing has been restricted in accordance with paragraph 1, such personal data may – apart from being stored – only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

6. Right to data portability

(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

1. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
2. the processing is carried out by automated means.

(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

In connection with the use of services of the information society, the data subject may exercise his or her right to object by automated means using technical specifications, notwithstanding Directive 2002/58/EC.

8. Right of Withdrawal

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Recht auf Beschwerde bei einer Aufsichtsbehörde

Each data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data relating to them infringes this Regulation.

IX. Changes to this Privacy Policy

We reserve the right to change these privacy policies at any time with effect for the future. An up-to-date version is available on the website. Please check the website regularly and inform yourself about the applicable privacy policies.