1. Data protection
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations and this data protection information.
This data protection notice applies to the processing of personal data by us on our website (“Website”). This notice explains the type, purpose and scope of data processing within the framework of the Website.
We would like to point out that data transmission over the Internet may have security gaps. It is not possible to completely protect data from access by third parties.
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Controller of the Website:
SpotMe Holding SA
Avenue du Théâtre 1
- Data Protection Officer
Prof. Dr. Christian Rauda
Attorney and board-certified specialist for information technology law
GRAEF Rechtsanwälte Digital PartG mbB
Tel. +49.40.80 6000 9-0
Fax +49.40.80 6000 9-10
2. General information on data processing
- Scope of the processing of personal data
As a matter of principle, we collect and use personal data of our users only to the extent necessary to provide our Website, our content and our services. The collection and use of personal data of our users is regularly only carried out with the consent of the user. An exception is made in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations.
- Legal basis for the processing of personal data
The basis for the processing of personal data in Switzerland is Art. 4 et seq. of the DSG. Insofar as the processing falls under the scope of the GDPR, Art. 6 para. 1 lit. a – f DSGVO forms the legal basis for processing operations of personal data.Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations which are necessary to carry out pre-contractual measures.Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.If the processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
- Data deletion and storage period The personal data of the user will be deleted or blocked as soon as the purpose of the storage no longer applies. Furthermore, data may be stored if this has been provided for by the Swiss, the European or national legislator in EU ordinances, laws or other regulations to which the person responsible is subject. Data will also be blocked or deleted when a storage period prescribed by the above-mentioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
- Transfer in third countries
If we process data in a third country (i.e. outside Switzerland, the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only occur if it is done in order to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. GDPR are met. I.e. the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to Switzerland or the EU (e.g. for Canada, Japan) or compliance with officially recognized special contractual obligations (so-called “EU standard contractual clauses”). The EU Standard Contractual Clauses are provided at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087
3. Provision of the Website and creation of log files
Whenever our Website is accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected for a limited time:
- IP address of the User
- Date and time of access
- request URL
- the method utilized to submit the request to the server
- the size of the file received in response
- the numerical code indicating the status of the server’s answer (successful outcome, error,etc.)
- the country of origin
- the features of the browser and the operating system utilized by the User
- the various time details per visit (e.g., the time spent on each page within www.spotme.com)
- the details about the path followed within www.spotme.com with special reference to the sequence of pages visited, and other parameters about the device’s operating system and/or the User’s IT environment.
The data is stored in the log files of our system. This data is only needed for the analysis of possible errors. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR in the EU. The temporary storage of the IP address by the system is necessary to enable the Website to be delivered to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the Website. In addition, the data serves us to optimize the Website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context and no conclusions are drawn about your person. The data processing for the provision of the Website and the storage of the data in log files is absolutely necessary for the operation of the Website. Consequently, there is no possibility of objection on the part of the user.
You can contact us via our contact forms, via e-mail or by mail. Your details from the inquiry, including the contact details you provide there, will be stored by us solely for the purpose of processing the inquiry and in the event of follow-up questions.
For processing your inquiry and simplifying the process of filling out our contact form, we use the “Clearbit” service of APIHub, Inc. 548 Market St #95879 San Francisco, CA 94104-5401. Their privacy policies can be found here: https://clearbit.com/privacy We entered into a Data Processing Agreement with APIHub. APIHub processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of Art. 16 para. 2 d. Swiss DSG and of Art. 46 para. 1, para. 2 lit. c) DSGVO in the EU.
The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR in the EU. Our interest in answering your inquiry outweighs your interest; since you are writing to us, an answer is also in your interest and you are aware that we must process your data in order to answer your inquiry. If the e-mail contact aims at the conclusion of a contract, the legal basis for processing is Art. 6 para. 1 lit. b GDPR in the EU.
The usage of Clearbit and Concierge is based on our legitimate interests in accordance with Art. 6 para. 1 let. f GDPR in the EU. In this way, we improve your experience and make it easy for you to schedule meetings with us. APIHub, Inc. and Chili Piper, Inc. may also use the of recipients to optimize and improve their services.
The data will be deleted as soon as they are no longer required for the purpose of their processing. This is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.
You can register for a newsletter on our Website. For this we require your email-address. In addition, we check in compliance with the relevant law whether you are the true holder of the email-address and agreed to receive the newsletter. For this purpose, we send you a validation email. Our newsletter informs about important announcements, exclusive insights into the development and invitations for beta-versions of our new games.
As receiving the newsletter is dependent from your consent, you may revoke your consent to the collection and storage of your data at any time, without giving reasons. Use the “unsubscribe” link on the bottom of every email or contact us.
For sending the newsletter we use the “MailChimp” service of the online dispatch service Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, U.S.A. (“Rocket Science”). Their privacy policies can be found here: https://mailchimp.com/legal/privacy/. We entered into a Data Processing Agreement with Rocket Science. Rocket Science processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of Art. 16 para. 2 d. Swiss DSG and of Art. 46 para. 1, para. 2 lit. c) DSGVO in the EU.
The usage of MailChimp is based on our legitimate interests in accordance with Art. 6 para. 1 let. f GDPR in the EU. We have an interest to see whether the newsletter is opened and which parts of it are read. In this way, we improve our services in the future. Rocket Science may use the pseudonymized data of recipients to optimize and improve their services, for instance in respect to the technical dispatch of the newsletter or for statistical purposes. Rocket Science does not use the data to send you newsletters themselves and the data will not be transmitted to third-parties.
We use “Cookies” on our Website. Cookies consist of portions of code installed in the browser that assist us in providing the service according to the purposes described. Some of the purposes for which the Cookies are installed may also require the User’s consent.
7. Google services
We use Google Fonts and Google ReCaptcha on this Website. These are the “Google Fonts” of the company Google Inc. and a test to exclude robot programs (bots) from website use. For the European area and Switzerland, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. When visiting our Website, the fonts are reloaded via a Google server using Google Fonts and any bots are excluded via Google ReCaptcha. Through these external calls, data such as the IP address of the user is transmitted to the Google servers, including in the USA. The legal basis for the data processing for Google Fonts and Google ReCaptcha is our overriding legitimate interest in the appealing presentation, security and simple functionality of our Website in accordance with Art. 6 (1) lit. f) GDPR in the EU. Google processes the data in the USA on the basis of EU standard contractual clauses and thus provides sufficient guarantees within the meaning of Art. 16 para. 2 d. Swiss DSG and of Art. 46 para. 1, para. 2 lit. c) DSGVO in the EU. For more information on data usage by Google, setting and objection options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners
8. Content Delivery Networks
On the basis of our legitimate interests (interest in optimization and economic operation of our online-service in accordance with Art. 6 para. 1 let. f GDPR) we use Content Delivery networks (CDN). CDN offer server infrastructure which enables a faster and safer access to data because of the proximity the user. CDN’s main task is to forward data to the user. Which data will be forwarded depends on your use of our services as well as the user’s request.
These CDN are Intercom, Inc., 55 2nd St, Suite 400, San Francisco, Ca 94105, USA (“Intercom”), NitroPack Ltd., located at 3 Prof. Georgi Bradistilov, entr. A, 3rd floor, Sofia, Bulgaria (“NitroPack”), OpenJS Foundation (“jQuery”), 1 Letterman Drive, Building D, Suite D4700, San Francisco, CA 94129, USA and Prospect One Sp. z o.o. Ul. Krolewska 65A 1 Krakow; Malopolskie; Postal Code: 30-081 (“Prospect One”). Intercom, NitroPack, jQuery and Prospect One may process data in the USA on the basis of EU Standard Contractual Clauses and thus offer sufficient guarantees within the meaning of Art. 16 para. 2 d. Swiss DSG and of Art. 46 para. 1, para. 2 lit. c) DSGVO in the EU.
Further information about the used CDN’s and their privacy policies can be found here:
CDN’s services are provided as commissioned data processing, please address us if you would like to object to the use of the data. We notify you that in the case of an objection you might not be able to use our Website anymore.
9. Applications via Greenhouse
We use the Greenhouse service (“Greenhouse”), which is operated by Greenhouse Software, Inc., 18 West 18th St., 11th Floor, New York, NY 10011, USA, for the purpose of handling application procedures. Greenhouse processes the data in the USA on the basis of EU standard contractual clauses and thus provides sufficient guarantees within the meaning of Art. 16 para. 2 d. Swiss DSG and of Art. 46 para. 1, para. 2 lit. c) DSGVO in the EU. For more information on data usage by Greenhouse, please visit Greenhouse’s websites: https://www.greenhouse.io/de/privacy-policy
When using the electronic application procedure via Greenhouse, we collect and process personal data for the purpose of processing the application procedure. In addition to the name and e-mail address, the data includes in particular the corresponding application documents, which are transmitted electronically if initiated by you. If we conclude an employment contract with you, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded with you, the application documents will be automatically deleted after notification of the rejection decision, provided that no other legitimate interests of the controller are opposed to deletion.
10. Social media links
We maintain online presences on social networks and platforms to communicate with clients, interested parties, and users who are active on those networks, and to be able to inform clients, interested parties, and users of our services.
Our Website therefore links to the website of Facebook (“Facebook”), operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S.A., or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Our Website also links to the website of Twitter (“Twitter”), operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S.A. or, if you reside in the EU, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.
Our Website also links to the website of LinkedIn (“LinkedIn”), operated by Instagram Inc., 1201 Willow Road, Menlo Park, CA, 94025, U.S.A. or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Our Website also links to the website of YouTube (“YouTube”), operated by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A., or, if you reside in the EU, Google Ireland Limited (“YouTube”), Gordon House, Barrow Street, Dublin 4, Ireland.
Our Website uses the “Heatmaps” service which is operated by Hotjar Ltd., Dragonar Business Centre, 5 th floor, Dragonara Road, Paceville St Julian’s STJ3141, Malta, to make recordings and heatmaps of users interacting with the Website. Hotjar Heatmaps work by creating a copy of your page's HTML code, then categorizing each element by their tag, parent elements, and IDs or classes where relevant. When you have given consent and view the page, Hotjar collects usage behavior and maps all the elements you interact with to the master heatmap report. Hotjar Ltd. processes the data in the EU. For more information on data protection at Hotjar, please refer to the Hotjar data protection notices: https://www.hotjar.com/legal/policies/privacy/
If your personal information is processed, you have the following rights under the GDPR.
- Right of access
You have the right to obtain from us confirmation as to whether or not personal information concerning you are being processed, and, where that is the case, access to the personal data and the following information:(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal information or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from you, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
- Right of rectification
You have the right to obtain from us within undue delay the rectification of inaccurate or incomplete personal information. Taking into account the purposes of the processing, you shall have the right to have incomplete personal information completed, including by means of providing a supplementary statement.
- Right to restriction of processing
You shall have the right to obtain from us restriction of processing where one of the following applies:
(1) the accuracy of the personal data is contested by yourself, for a period enabling us to verify the accuracy of the personal data;
(2) the processing is unlawful and the data subject opposes the erasure of the personal information and requests the restriction of their use instead;
(3) we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(4) You have objected to processing pursuant to Art. 21 para. 1 pending the verification whether the legitimate grounds override those of the data subject.Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If you have obtained restriction of processing pursuant to the above, you shall be informed by us before the restriction of processing is lifted.
- Right to erasure (‘right to be forgotten’)
You shall have the right to obtain from us the erasure of personal information concerning without undue delay and we shall have the obligation to erase personal information without undue delay where one of the following grounds applies:
(1) the personal information is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to Art. 6 para.1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para 2 GDPR;
(4) the personal information has been unlawfully processed;
(5) the personal information has to be erased for compliance with a legal obligation in the European Union
(6) the personal information has been collected in relation to the offer of information society services referred to in Article 8 para.1.Where we have made the personal information public and is obliged pursuant to the above to erase the personal information, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by the European Union or for the performance of a task carried out in the public interest
(3) for reasons of public interest relating to public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the DPA;
(4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to make it impossible or seriously impede the attainment of the objectives of such processing, or (3) for the establishment, exercise or defence of legal claims.
- Notification regarding rectification or erasure of personal data or restriction of processing
We shall communicate any rectification or erasure of personal data or restriction of processing carried to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.
- Right to data portability
You have the right to receive the personal information, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal information have been provided, where:
(1) the processing is based on consent pursuant to Art. 6 para 1 lit. a or Art. 6 para 1 lit. b or Art. 2 para 2 lit. a
(2) the processing is carried out by automated means.The right shall not adversely affect the rights and freedoms of others.
In exercising your right to data portability you shall have the right to have the personal information transmitted directly from one controller to another, where technically feasible.
The exercise of this right shall be without prejudice to the right of erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para. 1 lit e) or lit. f). We shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.Where personal information is processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.Where you object to processing for direct marketing purposes, the personal information shall no longer be processed for such purposes.At the latest at the time of the first communication with you, the right referred to above shall be explicitly brought to your attention shall be presented clearly and separately from any other information.In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise his or her right to object by automated means using technical specifications.
- Right to revoke the declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.
- Automated individual decision-making
The you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects youThis shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and us
(2) is authorised by European Union law and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.We shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express our point of view and to contest the decision.
Decisions shall not be based on special categories of personal data referred to in unless Art. 9 para.2 lit. a) or lit g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
- Right of complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the European Member State where you reside, work or suspect of infringement, if you believe that the processing of personal information concerning you is not in compliance with GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.In the area of application of the Swiss FADP, data subjects have a right to information pursuant to Art. 25, 26, 27 Swiss FADP and a right to data surrender or transfer pursuant to Art. 28, 29 Swiss FADP.
Last updated: March 7, 2022