As of October 2024
Valid from version 5.13.0
The present Privacy Policy serves to inform you about our processing of your personal data when you use our givve® Card App (hereinafter the “App”). Personal data shall be information relating to an identified or identifiable individual. This includes all information that allows conclusions to be drawn about your identity, such as your name, phone number, address or email address. Certain identifiers such as your IP address or the ID of the device that you use also fall under personal data.
Contact and the so-called data controller, i.e. the party responsible for the processing of your personal data when you use the App, within the meaning of the General Data Protection Regulation (GDPR) is
PL Gutscheinsysteme GmbH
Ainmillerstrasse 11
80801 Munich
Germany
E-mail: datenschutz@givve.com
If you have any questions regarding data protection in connection with our products and services or the use of our App, please contact our data protection officer (“DPO”) at any time. To do so, please write to the above postal address or mail to the address previously provided (please mention: “FAO DPO”). We expressly point out on the fact that if you use the above email address, you mail will not only be accessible to our DPO. If you want to share confidential information, please use the said email address first to request direct contact details.
The use of your givve® Card shall be subject to the Terms of Use for givve® Card Holders, which apply between you and the Company that provides you with the givve® Card for use: https://givve.com/media/givve_card/04_dokumente/2023.05.24_PL_Gutscheinsysteme_GmbH_Nutzungsbedingungen_givveCard_V.5.0_English.pdf.
These terms of use shall form the contractual basis for most data processing activities related to the givve® Card App. In addition, please refer to the Privacy Policy for givve® Card Users: https://givve.com/en/datenschutz-fuer-kartenhalter
Below you find an overview on how we process your data in relation to your use of the givve® Card App:
So that you can download and install our App from an app store, you will first have to register an account with the provider of the respective app store (e.g. Apple App Store or Google Play) and enter into a corresponding usage agreement. This is beyond our reasonable control, and in particular we are not a party to suchlike user agreements.
When you download and install the App, the information required (in particular your name, email address and account ID, the time of download, payment information and the individual device identifier) will be transferred to the respective app store.
Suchlike data collection is beyond our reasonable control and responsibility. We only process the data provided to the extent that this is necessary for downloading and installing the App on your mobile device (e.g. smartphone, tablet). Said data will not be stored beyond this scope.
The legal basis for our data processing activities is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to facilitate providing the App. For any data processing, which is the sole responsibility of the app store operator, please refer to their respective privacy policies:
Google Play: https://policies.google.com/privacy?hl=de;
Apple App Store: https://www.apple.com/legal/privacy/de-ww/.
In order to use the App, you will have to verify your email address once. To verify your email address, we use the so-called double opt-in procedure, i.e. you can only use the App if you confirm that you own the specified email address by clicking on a link in our notification email.
For our consent management, we make use of consent management service Usercentrics, provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich.
Within the scope of using Usercentrics, the following data are processed:
Legal basis for data processing is the need to fulfil our legal obligations stipulated by Art. 6 para. 1 lit. c GDPR, which results from Art. 7 GDPR and Section 25 TDDDG.
Consent information will be stored for one year and then deleted immediately.
We have entered into a data processing agreement (DPA) with Usercentrics. For more information on Usercentrics’ data processing activities, please refer to: https://usercentrics.com/privacy-policy/
Whenever you use our App, we process connection data that your device automatically transmits. Suchlike connection data includes the so-called HTTP header information, including the user agent, as well as in particular:
Processing this connection data is vital to facilitate the use of the App, to ensure the long-term functionality and security of our systems and to generally maintain, manage and administer our App.
Legal basis for the respective processing is Art. 6 para. 1 lit. b GDPR, our performance of the ToU entered into with you (see Section 2.1), and as for the rest Art. 6 para. 1 lit. f GDPR our legitimate interest in enabling access to the content as well as the long-term functionality and security of our systems.
In order to improve our App’s reliability and to identify code errors, we use the Sentry service provided by service provider Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA (“Sentry”). Sentry collects the following data particularly as part of the analysis of technical incidents:
Said information is used exclusively for technical analysis to improve the App’s reliability and to identify code errors.
The legal basis is our legitimate interest according to Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to enable access to the content as well as the long-term functionality and security of our systems. You can object to the processing at any time in the privacy settings.
If you give your consent, we will collect your user ID in addition to the above-mentioned data so that we can reproduce errors more easily. The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR.
This data will be deleted once said analysis has been completed. We have entered into a DPA with Sentry. Sentry is a party to the EU-U.S. Data Privacy Framework, which is why the transfer of data to the US is in this case based on the adequacy decision for the US in accordance with Art. 45 GDPR. For more information on Sentry’s data processing activities, please refer to: https://sentry.io/privacy/. Our App is hosted by Amazon Europe Core S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg.
When the App is being installed or used, the device-related authorizations on technical level (i.e. to send push notifications) might be requested.
Basically, these App-related authorizations are required to provide our App. In respective cases, access to and storage of information on the device is essential and carried out based on the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 2 TDDDG. Legal basis for the processing of personal data is then Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1), or Art. 6 para. 1 lit. f GDPR, as well as our legitimate interests in facilitating the provision and basic functions of the App.
Said authorizations shall not constitute consent in the sense of data protection law. If, due to the authorizations granted, information that is not essential for providing the App should be stored or read in the terminal device, or if personal data is processed that cannot be based on the contractual basis or our legitimate interests, we shall have to obtain your consent separately. This shall then be done as provided for by the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 1 TDDDG or – for the processing of personal data – in accordance with Art. 6 para. 1 lit. a GDPR.
You may set up access to the App and activate it using your existing givve® Card. For this purpose, the following data will be processed:
Legal basis for processing this data is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
You may contact us, for example by making use of the “Support and Help” area in the App settings and then via “Contact Support”. In this context, we process your data exclusively for the purpose of communicating with you.
Legal basis for this processing is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1) and as for the rest Art. 6 para. 1 lit. f GDPR our legitimate interest that you contact us and we can answer your query.
The data we collect when you contact us shall be deleted automatically once your request has been fully processed, unless we still need your request to fulfil contractual or legal obligations (see Section 5 “Retention Period”).
The following data shall be processed within the scope of administering the App. You may change this data at any time via the “Manage my data” area in the App settings:
Legal basis for processing this data is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
Moreover, you can manage your givve® Card in the App. There, you can view online payments and your PIN as well as block your Card and PIN. The following data shall be processed as part of this function:
Legal basis for processing data within the scope of Card management is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
The App provides the option to view the history of your transactions. As part of these functions, the following data shall be processed:
Legal basis for processing is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
Based on the first two digits of the respective postcode or as colour-coding as part of a map view, the App provides the option of viewing the postcode districts in the “Your Region” area, in which payments can be made at all MasterCard acceptance points. Within this scope, the postcode of your address will be processed.
Legal basis for displaying the first two digits of the respective postcode is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
To display the map with colour-coded postcodes and the respective acceptance points, we use Google Maps (Maps SDK for Android, Maps DSK for iOS) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), if you click on “View Map”.
In order for the Google map material we use to be integrated and displayed in our App, your App will have to establish connection to a Google server, which might be located in the US, when you access the corresponding area with the integrated map. By integrating the map material, Google will be informed that the map material was retrieved by the App. Date and time of the access, location data, IP address, URL, usage data, search keywords and geographical location will then be processed. Google may use the information collected to improve its products and services. Google shall be solely responsible for any further processing of the data collected in our App. For more information on Google’s data processing activities, please refer to: https://policies.google.com/privacy
Legal basis for displaying the postcode districts with Google Maps shall be your consent as per Art. 6 para. 1 lit. a GDPR. In respective cases, access to and storage of information on the terminal device shall be in accordance with Section 25 para. 1 TDDDG. Data generated in this context may be transmitted by Google Ireland Limited to Google LLC in the US. Google LLC is partner to the EU-U.S. Data Privacy Framework, which is why transmission in this case is based on the adequacy decision for the US in accordance with Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR.
If you have given your respective consent, we will provide you with marketing communications via push notification and e-mail. Marketing communications may include the following:
You shall be free to deactivate push notifications at any time through the settings on your mobile device. Related instructions are e.g. available at:
The respective legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the terminal device is then carried out based on the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 1 TDDDG.
To send push notifications, we make use of the CleverPush service offered by CleverPush GmbH, Brauhausstrasse 15A, 22041 Hamburg, Germany. CleverPush processes the following data:
The push token or your device ID is used to display the push notification accurately for your mobile device. The push token serves to ensure secure sending and receipt of push notifications for your specific terminal device. In addition, aggregated statistical analysis of the use of our push notifications will take place.
Your data will be stored within Germany and transmitted in encrypted form. The respective data shall be deleted as soon as they are no longer needed for the purpose they were collected for and generally when subscription is terminated.
We have entered into a DPA with CleverPush. To the extent that CleverPush uses sub-processors who transmit personal data to third countries, CleverPush ensures that said data transmission is performed in accordance with the GDPR standards for third countries (Art. 44 ff. GDPR). For more information on third country transmission, please refer to Section 4.
As you use our App, you may receive e-mail notifications from us if you have enabled this feature in the App. We process your e-mail address to facilitate this service. Suchlike notifications may include:
Topping up-related notifications shall generally relate directly to your use of the givve® Card. The respective legal basis is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1).
We may use a newsletter to inform you about news and functions regarding your givve® Card, if you have subscribed to our newsletter. Legal basis for processing shall be your consent as per Art. 6 para. 1 lit. a GDPR. You may revoke your consent at any time with future effect by unsubscribing from the newsletter. To do so, you can, for example, go to the “Manage App” area in your App’s settings and deactivate the newsletter. Furthermore, each newsletter contains an “unsubscribe”- link. Of course, a message sent to the contact details provided above or in the newsletter (e.g. by e-mail or postal mail) shall also suffice.
The following data shall be processed within the scope of subscription:
We will process said data until you unsubscribe from the newsletter. The data’s storage serves the sole purpose of being able to send you the newsletter and provide evidence of your registration. We will also analyse if our newsletter can actually be delivered.
To send e-mail notifications and the newsletter, we make use of the Mailchimp service offered by The Rocket Science Group LLC, a company of Intuit Inc., 2700 Coast Avenue, Mountain View, CA 94043, USA (“Mailchimp”). We have entered into a DPA with Mailchimp. Mailchimp Google LLC is partner to the EU-U.S. Data Privacy Framework, which is why transmission in this case is based on the adequacy decision for the US in accordance with Art. 45 GDPR. For more information on Mailchimp’s data processing activities, please refer to: https://www.intuit.com/privacy/statement/
We use various cloud services that are part of Google Firebase. Google Firebase is operated for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC 1600 Amphitheater Parkway Mountain View, CA 94043, USA (together “Google “).
We have entered into a (DPA) with Google. Your personal data may be transmitted by Google Ireland Limited to Google LLC in the US. Google LLC is partner to the EU-U.S. Data Privacy Framework, which is why transmission in this case is based on the adequacy decision for the US in accordance with Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR.
As you use our App, you may receive push notifications from us if you have enabled this feature in the “Manage App” section of the App’s settings and granted respective App authorization. Suchlike notifications may include:
We will also display them when you are not using the App. Suchlike notifications shall generally relate directly to your use of the givve® Card.
You shall be free to deactivate push notifications at any time through the settings on your mobile device. Related instructions are e.g. available at:
The respective legal basis is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1). In suchlike cases, access to and storage of information on the terminal device is essential and carried out based on the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 2 TDDDG.
We make use of the Firebase Cloud Messaging service to send push notifications. Firebase Cloud-Messaging processes the following data:
Firebase Cloud Messaging enables push notifications to be delivered to your specific mobile terminal device using the Firebase installation ID and an authentication token. The Firebase installation ID is assigned as an identifier for the specific App installation on your terminal device. It is unique to each individual App and does not allow any direct conclusions to be drawn about you as a person. The authentication token serves to ensure that the notification is sent and received securely only to the intended terminal device. It will be assigned anew for each notification. In addition, aggregated statistical analysis of the use of our push notifications will take place.
With Firebase Cloud Messaging, the data at rest and the data’s transmission will be encrypted (on Android: point-to-point encryption). The respective data shall be deleted as soon as they are no longer required for the purpose they were collected for and generally when subscription is terminated.
We make use of the Firebase Remote Config cloud service to facilitate adjusting the performance and appearance of our App without users having to download an update. Remote Config also allows us to make new functions available to certain users. For this purpose, we add a new condition and select a random percentage from our users. For more information on Firebase Remote Config, please refer to: https://firebase.google.com/docs/remote-config?hl=de
Within the scope of using Firebase Remote Config, the following data are processed:
The respective legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to test new functions in order to continually develop and optimize our App. Access to and storage of information in the terminal device is essential and then out based on the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 2 TDDDG.
You have the option of adding your card to Google Pay and using Google Pay for your givve® card. Google Payments is operated for users from the European Economic Area by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google“).
As part of the Google Pay registration for your givve® card via the app, your token will be processed. The token is used to check whether the card has been added to Google Pay. For the provision of Google Pay, we use the service of MeaWallet AS (Akersgata 41, N-0158 Oslo, Norway), a service provider integrated with Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA).
Data processing in the context of using Google Pay takes place in accordance with the terms of service and information on data processing by Google Pay. These can be found at:
Google Pay Terms of Service: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de
Google Payments Privacy Notice: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice
The respective legal basis is Art. 6 para. 1 lit. b GDPR, performance of the ToU entered into with you (see Section 2.1). We process your data for the purpose of enabling the use of Google Pay to process payments.
Your personal data may be transmitted by Google Ireland Limited to Google LLC in the US. Google LLC is partner to the EU-U.S. Data Privacy Framework, which is why transmission in this case is based on the adequacy decision for the US in accordance with Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR.
We use the web analysis service PostHog by the provider PostHog Inc., 2261 Market St., #4008, San Francisco, CA 94114, USA (“PostHog”) for statistical collection and analysis of general user behaviour.
When using PostHog, the following data is processed in aggregated form:
The respective legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the terminal device is then carried out based on the EU member states’ Implementation Acts to the ePrivacy Directive, in Germany in accordance with Section 25 para. 1 TDDDG. The purpose of the processing is the statistical collection and analysis of general user behaviour to improve our app.
The data in the PostHog Cloud is automatically deleted after one month.
We have entered into a DPA with PostHog. Your data is stored on a server in the EU, Frankfurt (PostHog Cloud EU). As the provider is based in the USA and in the event that personal data is transferred to the USA, we have concluded standard contractual clauses with PostHog in accordance with Art. 46 para. 2 lit. c GDPR. In addition, PostHog is a party to the EU-U.S. Data Privacy Framework, which is why transmission in this case is based on the adequacy decision for the US in accordance with Art. 45 GDPR. For more information on PostHog’s data processing activities, please refer to: https://posthog.com/privacy.
We shall generally only disclose data collected by us if there is a legal basis under data protection law in the specific case, in particular if:
Part of the data processing may be carried out by our service providers. In addition to the service providers specified in this Privacy Policy, this may include, in particular, IT service providers who service our systems, agencies, market research companies, group companies, or consulting firms. If we disclose data to our service providers, they may only use the data to fulfil their tasks. Our service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have appropriate technical and organizational measures in place to protect the rights of data subjects, and are regularly reviewed by us. For more information on the service providers assigned by us, please refer to our Privacy Policy for givve® Card Users (see Section 2.1).
If and to the extent that data is transmitted to so-called third countries (outside the European Union or the European Economic Area) and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken adequate measures to ensure an appropriate level of data protection for suchlike data transmission. This includes e.g. the European Union’s standard contractual clauses or binding corporate rules.
We generally only store personal data for as long as necessary to fulfil the purposes for which said information was collected. We will then delete the data immediately, unless we need the data until the end of the statutory limitation period for evidentiary purposes for civil claims, due to statutory retention obligations or, in a specific individual case, there is another legal basis under data protection law for the continued processing of your data. For more information on the retention period applicable to your data, please refer to our Privacy Policy for givve® Card Users (see Section 2.1).
You shall be entitled to the data subject rights stipulated by Art. 7 para. 3, Art. 15 – 21, Art. 77 GDPR at any time, provided the respective legal requirements are met:
If you want to exercise your above rights, please turn to the above contact details at any time. The same applies if you would like to obtain copies of the warrantees regarding the provision of an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection-related request.
Your requests to assert data protection rights and our responses to them will be retained for documentation. The respective legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil law claims according to Art. 82 GDPR, avoiding fines according to Art. 83 GDPR and meeting our accountability obligations under Art. 5 para. 2 GDPR.
You have the right to withdraw your consent at any time. As a result, we will cease to process respective data based on this consent. The withdrawal of consent shall not affect the lawfulness of any processing undertaken on the basis of this consent before its withdrawal.
Insofar as we process your data based on legitimate interests, you shall have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to data processing for direct advertising purposes, you have a general right to object, which we will accept even without reasons.
If you would like to exercise your right of withdrawal or objection, all you need to do is to send an informal message to the above contact details.
Finally, you shall have the right to file a complaint with a data protection supervisory authority. You may e.g. exercise this right with a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. In Munich, where we are based, the competent supervisory authority is: Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision BayLDA), PO Box 1349, 91504 Ansbach, Germany (postal address). E-mail: poststelle@lda.bayern.de.
We may, from time to time, update the present Privacy Policy, for example if we adapt our App or if legal or regulatory requirements change.
Below you will find an overview of the main changes we have made to the app's privacy policy over time: