Privacy Policy

1. Responsible Party

eKomi Holding GmbH, Berlin, Zimmerstraße 11, 10969 Berlin, HRB 189779 B (District Court Berlin-Charlottenburg), is, unless acting as a data processor in the context of eKomi services, the responsible party for the processing of personal data.

2. Use of the eKomi Websites

Using our website is generally possible without providing personal data. If personal data (e.g., name, address, or email addresses) is collected on our pages, this is always done, as far as possible, on a voluntary basis. We point out that data transmission over the Internet (e.g., when communicating via email) may have security gaps. Complete protection of data against access by third parties is not possible.

The use of contact data published as part of the legal disclosure obligations by third parties for the purpose of sending unsolicited advertising and information materials is hereby expressly prohibited. The operators of these pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.

3. Access Data and Log Files

When you access the eKomi website, we record access data that your browser automatically transmits to us, such as the IP address, date and time of access, and technical information about your browser and device. The IP address is a numeric identifier for the device used to access the website. Browser information may include details about your browser type, language, and time zone.

We collect this information to trace back the device used in cases of abusive or unlawful use of our website or services. We also use the IP address to determine your approximate location (on a city level) to know which of our general terms of use apply to your use of our website or services.

The data processing is absolutely necessary to enable the visit to the website, to ensure the permanent functionality and security of our systems, and for general administrative maintenance of our website. The data mentioned is also automatically and temporarily stored in internal log files on our web server to identify and counteract the causes of repeated or criminal accesses that endanger the stability and security of our website.

The legal basis is Article 6(1)(b) GDPR if the page visit occurs as part of the initiation or execution of a contract, and otherwise Article 6(1)(f) GDPR due to our legitimate interest in enabling website access and ensuring the continuous functionality and security of our systems.

The information stored in the log files is retained for 30 days and then archived after anonymization.

4. Contact

You have various options to contact us, including our contact form, live chat, telephone number, and email address. In this context, we process data solely for communication with you. Mandatory fields in the contact form are marked accordingly.

Personal data is collected if you voluntarily provide it during contact. We use your data solely to provide the requested information, meaning only the data absolutely necessary to respond to your request or process the contractual relationship will be stored and processed.

The legal basis is Article 6(1)(b) GDPR, as far as your details are required to respond to your inquiry or to initiate or carry out a contract, and otherwise Article 6(1)(f) GDPR based on our legitimate interest in enabling you to contact us and respond to your inquiry. We only make promotional calls if you have given your consent. If you are not an existing customer, we also only send promotional emails based on your consent. The legal basis in these cases is Article 6(1)(a) GDPR.

The data we collect when you contact us will be automatically deleted after your request has been fully processed, unless we still need your inquiry to fulfill contractual or legal obligations.

 

5. Registration and Account Use

You have the option to register for our login area in order to use our platform. The data you are required to provide is marked as mandatory fields. These include in particular:

  • Personal data: first and last name, email address, currency, username;

  • Company data: company name, company description, address (street, postal code, city, country), phone number, website name, website address.

Without this data, registration and subsequent use of the platform are not possible. If you order, subscribe to, or make use of products and services, payment data (credit card, PayPal, direct debit) is also collected. The legal basis for processing is Article 6(1)(b) GDPR.

We also store the data you provide during a demo request, such as name, email address, and telephone number. If you use customer support or technical support, you may need to complete a form that requires personal information such as name, address, email address, and telephone number. This information is stored in our database.


6. Newsletters and Notification Emails

We collect data from our customers who wish to receive our newsletter or notifications regarding their account, e.g., invoices. If you no longer wish to use these services, you can log in to your customer account and change the settings or contact us at “dataprotection@ekomi-group.com”.

To subscribe to our newsletter, we use the so-called double opt-in procedure, meaning we will only send you newsletters by email if you confirm your email address by clicking on a link in a notification email. Once confirmed, we store your email address, the time of registration, and the IP address used for the registration, until you unsubscribe. This storage serves solely the purpose of sending you the newsletter and proving your registration. You can unsubscribe at any time. An unsubscribe link is included in every newsletter. A message to the contact details above (e.g., by email or letter) is also sufficient. The legal basis for this processing is your consent in accordance with Article 6(1)(a) GDPR.

We use standard technologies in our newsletters to measure interactions (e.g., opening the email, clicked links). This data is used in pseudonymized form for statistical analysis and to optimize content and communication. This is done using small graphics embedded in the newsletters (so-called pixels). The data is collected exclusively in pseudonymized form and is not linked to your personal data. The legal basis is your consent in accordance with Article 6(1)(a) GDPR. If you do not wish this analysis, you can unsubscribe from the newsletter or deactivate graphics in your email program by default.

To provide, manage, and send newsletters, we use the services of Mailjet by Mailgun Technologies, Inc., with data storage in the EU, and Mandrill by The Rocket Science Group LLC, USA (Mailchimp). We have concluded data processing agreements and standard contractual clauses with both service providers.


7. Advertising to Existing Customers via Email

If you register with us or make a purchase, we also use your contact details to send you further relevant information about our products and services via email (“existing customer advertising”). This may include new features, promotions, offers, surveys, etc.

The legal basis for this data processing is Article 6(1)(f) GDPR in conjunction with § 7(3) UWG, allowing data processing for legitimate interests regarding the storage and use of data for advertising. You may object to the use of your data for advertising at any time by using the link provided in the emails or by contacting us directly, without incurring costs other than transmission fees at base rates.


8. Job Applications

If you apply for a job at eKomi, personal data will be collected as part of the application process. The data you provide during your application will be used exclusively for the purpose of filling the advertised position and handling your application.

The legal basis for processing your application documents is Article 6(1)(b) and Article 88(1) GDPR in conjunction with § 26(1) BDSG.

After completion of the application process, your data will be blocked for further use and deleted after any legal retention periods have expired, unless you have given written consent for us to keep your data for future contact.

We use, among others, the assessment tool Plum.io from Plum.io, Inc., Canada. Participation in the assessment is voluntary.

You can also send unsolicited applications. By submitting your documents for such an application, you consent to the processing of your personal data for the purpose of evaluating your application (Art. 6 GDPR). If interested, we will contact you; otherwise, your data will be promptly deleted.

 

9. Cookies and Similar Technologies

To make your visit to our website and our review platform attractive and to enable the use of certain functions, we use cookies and comparable technologies (collectively referred to as “tools”).

Cookies are small text files stored on your device that save certain settings and data for exchange with our system via your browser. Some cookies are deleted after the browser session ends; others remain on your device and allow us to recognize your browser on your next visit. Comparable technologies include web storage (local/session storage), fingerprints, tags, or pixels.

Most browsers accept cookies and similar technologies by default. However, you can usually set your browser to reject or only accept them with your consent. If you reject cookies or similar technologies, some of our offers may not function properly for you.

Legal Basis
We use tools necessary for the operation of the website or review platform (e.g., login functionality) without consent pursuant to § 25(2) TTDSG. Processing personal data is based on our legitimate interest under Article 6(1)(f) GDPR to enable the use of our website and platform efficiently. In certain cases, this processing may also be necessary to fulfill a contract or pre-contractual measures, pursuant to Article 6(1)(b) GDPR.

All other tools, especially those for analysis and marketing, are used based on your consent under § 25(1) TTDSG. The processing of personal data for these tools is based on Article 6(1)(a) GDPR and only occurs if we have received your prior consent.

If data is transferred to third countries, please refer to the section “Data Transfers to Third Countries.” We will inform you if we have entered into standard contractual clauses or other safeguards with certain tool providers. If you have given consent, data processed by these tools may also be transferred to third countries based on that consent.

Consent Management
To obtain and manage your consents, we use the tool CookieScript by Objectis Ltd., Lithuania. This tool creates a banner that informs you about data processing and allows you to agree to all, individual, or no optional data processing. This banner appears during your first visit or when you access the settings again. It also reappears if you delete your cookie settings.

CookieScript processes your consents or withdrawals, anonymized IP address, browser/device info, and the time of your visit. It also stores necessary information in a cookie (“CookieScriptConsent”) to record your choices. If you delete cookies, we will ask for your consent again upon revisiting.

Processing via CookieScript is necessary to provide legally required consent management and fulfill our documentation obligations. The legal basis is Article 6(1)(f) GDPR, as we have a legitimate interest in meeting legal consent requirements.


10. Data Disclosure

We only disclose collected data if:

a. You have given explicit consent under Article 6(1)(a) GDPR;

b. Disclosure is necessary under Article 6(1)(f) GDPR to assert, exercise, or defend legal claims and there is no overriding interest in not disclosing your data;

c. We are legally obliged under Article 6(1)(c) GDPR; or

d. It is legally permitted and required for contract processing or pre-contractual measures under Article 6(1)(b) GDPR.

Some processing may be done by service providers. These include:

  • Third parties like providers, consultants, and service providers acting on our behalf;

  • eKomi subsidiaries and companies within the eKomi group;

  • Authorities to ensure legal compliance and respond to requests or legal actions;

  • Regulatory bodies in connection with investigations or complaints;

  • Third parties enforcing our terms and policies;

  • Third parties protecting our business or that of affiliates;

  • Third parties to pursue legal remedies or limit damages;

  • Third parties investigating fraud or abuse;

  • Third parties in the event of restructuring, mergers, acquisitions, sales, or similar transactions.

Our service providers may only use data to perform their tasks. They are carefully selected, contractually bound, have suitable technical and organizational measures, and are regularly monitored. Data may also be disclosed to authorities if legally necessary.

 

11. Data Transfers to Third Countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there. These countries may not offer the same level of data protection as within the EU. If there is no adequacy decision by the European Commission for these countries (Article 45 GDPR), we ensure an adequate level of data protection through appropriate safeguards. These include, for example, the EU Standard Contractual Clauses or binding corporate rules.

Where this is not possible, we rely on exceptions under Article 49 GDPR, in particular your explicit consent or the necessity of the transfer for contract performance or pre-contractual measures.

If data is transferred to third countries without an adequacy decision or suitable safeguards, it is possible that authorities in the third country (e.g., intelligence services) may access the transferred data, analyze it, and that your rights as a data subject cannot be enforced. You will also be informed about this when giving consent via the cookie banner.


12. Data Retention

In principle, we only store personal data for as long as it is necessary to fulfill the purposes for which it was collected. Afterwards, we delete the data immediately, unless we need it until the expiration of legal limitation periods for evidence in civil claims or due to legal retention obligations.

For evidence purposes, we must retain contract data for three years after the end of the year in which our business relationship ends. Any claims expire by law at the earliest after this period.

We must also retain some data for accounting purposes due to legal obligations under the Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act, and the Securities Trading Act. Retention periods for such documents are two to ten years.


13. Your Rights

You have the right to request information at any time about how we process your personal data. We will explain data processing and provide an overview of stored data. If your data is incorrect or outdated, you can request correction. You may also request deletion of your data. If deletion is not possible due to legal reasons, your data will be restricted and only available for that legal purpose.

You can also restrict processing, for example, if you believe the stored data is incorrect. You have the right to data portability, meaning we can provide you with a digital copy of your provided personal data upon request.

To exercise your rights, you can contact us at the above-mentioned contact details. This also applies if you wish to obtain copies of guarantees showing an adequate data protection level. If legally required, we will fulfill your request.

Requests and our responses regarding your data protection rights are stored for up to three years for documentation purposes and in individual cases for legal claims. The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against civil claims, avoiding fines, and fulfilling accountability obligations under Article 5(2) GDPR.

You also have the right to lodge a complaint with a data protection supervisory authority. You may contact an authority in your place of residence, work, or where you believe a violation has occurred. In Berlin, where eKomi is based, the competent authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin.


14. Right of Withdrawal and Objection

You have the right under Article 7(2) GDPR to withdraw any consent you have given at any time. This means we will no longer process data based on that consent in the future. Withdrawal does not affect the legality of processing prior to the withdrawal.

If we process your data based on legitimate interests under Article 6(1)(f) GDPR, you have the right to object to processing based on reasons arising from your particular situation. For direct marketing purposes, you can object without giving reasons.

To exercise your right of withdrawal or objection, a simple message to the contact details mentioned above is sufficient.


15. Data Protection Officer

eKomi confirms that, according to Article 37 GDPR and, if applicable, § 38 BDSG, we have appointed a Data Protection Officer and monitor compliance with data protection and data security regulations. The Data Protection Officer of eKomi is:

Kathrin Schürmann
Lawyer, ISiCO Datenschutz GmbH
Am Hamburger Bahnhof 4 │ 10557 Berlin
T: +49 (0)30-213 00 28 50 │ F: +49 (0)30-213 00 28 99
dataprotection@ekomi-group.com
www.isico-datenschutz.de


16. Changes to this Privacy Policy

We reserve the right to change this privacy policy. Should we make significant changes, we will notify you on our website or through other means, allowing you to review the changes before they take effect.

 

B. Use of Our Website

Below, we explain the use of tools when visiting our website.


1. Necessary Tools

We use certain tools to enable the basic functions of our website (“necessary tools”). Without these tools, we cannot provide our services. Therefore, necessary tools are used without consent pursuant to § 25(2) TTDSG or, if personal data is processed, based on our legitimate interests according to Article 6(1)(f) GDPR, or as required to fulfill a contract or carry out pre-contractual measures pursuant to Article 6(1)(b) GDPR.

Own Cookies
The following strictly necessary cookies are used:

  • “PHPSESSID” (Session): Maintains the user session.

  • “p.gif” (Session): Detects special fonts for internal analysis, without collecting visitor data.


Chargebee
We use the external payment service provider Chargebee, operated by Chargebee, Inc., USA. Chargebee works with various payment providers and receives payment information for processing payments. We do not store any personally identifiable data or financial information (e.g., credit card numbers). Instead, this data (especially contact and transaction data like credit card details or bank account information) is sent directly to Chargebee, whose privacy policy governs the use of your data.

  • Legal basis: Article 6(1)(b) GDPR (contract fulfillment), and Article 6(1)(f) GDPR (our legitimate interest in offering an additional payment option via Chargebee).

  • We have a data processing agreement with Chargebee. Data processing may occur on servers in the USA. Standard contractual clauses pursuant to Article 46(2)(c) GDPR apply.

  • More info: Chargebee Privacy Policy.


Google reCAPTCHA
Our website uses Google reCAPTCHA, provided for users in the EEA by Google Ireland Limited, and for others by Google LLC, USA.

reCAPTCHA prevents bots from abusing our site, checking whether inputs are made by humans. The following data is processed:

  • Referrer URL;

  • IP address;

  • Google cookies;

  • Browser snapshot;

  • User input behavior (e.g., speed, sequence, number of clicks);

  • Technical data: browser type, plugins, size/resolution, date, language, CSS, JavaScript.

Google also reads cookies from services like Gmail, Search, and Analytics. If you do not want this, you need to log out of your Google account before visiting a page using reCAPTCHA.

Data is encrypted and sent to Google. According to Google, the data is not used for personalized ads.

  • Legal basis: Article 6(1)(b) GDPR, e.g., during registration, payments, demo requests, contact forms, or newsletter subscriptions. reCAPTCHA protects IT security and prevents misuse.

  • Data may be processed on servers in the USA under Article 49(1)(b) GDPR.

  • More info: see Google Privacy Policy.


2. Functional Tools

We use additional tools to enhance the user experience on our website and offer more functionality (“functional tools”). While not essential, they provide significant user benefits, especially for usability and additional communication/display/payment options.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If data is transferred to the USA or other third countries, your consent also applies to such transfers (Article 49(1)(a) GDPR).

Own Functional Cookies used:

  • “ekomi_tracking_SHOP_ID” (1 year): Records whether a customer has viewed a shop’s certificate page.


Intercom
When using the live chat tool, the data you voluntarily enter (name, email, message) is stored by Intercom R&D Unlimited Company, Ireland, with servers in the USA, and processed only to respond to your inquiry.

Data processed by Intercom includes:

  • If provided: name, email, phone;

  • Technical info about your device, browser, OS, language;

  • IP address and derived location;

  • Usage data during chat (time, duration, clicked links, viewed pages);

  • Chat input data.

Cookies by Intercom:

  • “intercom-id-[ID]” (9 months): Identifies users, especially for showing existing conversations;

  • “intercom-session-[ID]” (7 days): Stores conversation until logout, up to 7 days.

Local/Session Storage:

  • “intercom.played-notifications”;

  • “intercom.intercom-state-[ID]”.

Standard contractual clauses have been concluded with Intercom.
More info: Intercom Privacy Policy.


Adobe Fonts (formerly Typekit)
We use Adobe Fonts for appealing design. Adobe Systems Software Ireland Ltd. provides access to Adobe’s font library. Your browser connects to Adobe’s server in the USA to download fonts. Adobe receives technical data including your IP address.

These details are used to deliver fonts, diagnose delivery issues, and for billing purposes, particularly via aggregated usage reports.
More info: Adobe Privacy Policy.

3. Analytics Tools

To improve our website, we use tools for the statistical collection and analysis of general usage behavior based on access data (“analytics tools”). We also use analytics services to evaluate the use of our various marketing channels.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If data is transferred to the USA or other third countries, your consent explicitly extends to these transfers (Article 49(1)(a) GDPR). The associated risks are described in the section “Data Transfers to Third Countries.”


Google Analytics

Our website uses Google Analytics 4, a web analytics service provided by Google LLC. For users in the EU/EEA and Switzerland, the responsible entity is Google Ireland Limited, Dublin.

Google Analytics uses cookies to analyze your use of our websites. The information generated is usually transferred to a Google server in the USA and stored there.

  • We use the User-ID feature to assign a unique, persistent ID to one or more sessions (and activities within those sessions), allowing us to analyze user behavior across devices.

  • We also use Google Signals to collect additional user information (interests and demographics) and to run cross-device remarketing campaigns.

IP anonymization is enabled by default in Google Analytics 4. This means your IP address is shortened within the EU or EEA before being sent to Google. Only in exceptional cases will the full IP address be transmitted to Google in the USA and then shortened. According to Google, IP addresses are not merged with other Google data.

During your visit, your user behavior is tracked via “events”, including:

  • Page views,

  • First visit to the site,

  • Session start,

  • Click path and interactions,

  • Scrolling (when you scroll to 90% of the page),

  • Clicks on external links,

  • Internal searches,

  • Video interactions,

  • File downloads,

  • Ads seen/clicked,

  • Language settings.

Additional data collected includes:

  • Approximate location (region),

  • IP address (shortened),

  • Browser and device info (language, resolution),

  • Internet provider,

  • Referrer URL.

Purpose of processing: Google processes this data on our behalf to evaluate usage and create reports for website performance analysis.

Recipients:

  • Google Ireland Limited (data processor),

  • Google LLC (USA),

  • Alphabet Inc. (USA).

There is a risk that US authorities may access data stored by Google.

Data transfers: We have entered into EU Standard Contractual Clauses with Google to ensure adequate data protection.

Retention period: Data linked to cookies is deleted after 14 months. Deletion of expired data occurs automatically once a month.

Legal basis & withdrawal: We process data using Google Analytics 4 based on your consent (Article 6(1)(a) GDPR in conjunction with § 25 TTDSG). You can withdraw your consent at any time with future effect (Article 7(3) GDPR).

You can prevent the storage of cookies by adjusting your browser settings. However, doing so may limit website functionality. You can also prevent data collection by Google by either not giving consent or by using Google’s browser add-on for deactivating Analytics.

More info: Google Terms and Privacy Policy.


Yieldify

We use Yieldify, an analytics tool from Zeus Enterprises Limited, UK.

Yieldify collects data such as:

  • URL of visited pages/products,

  • IP address,

  • Technical details about your device, browser, and operating system.

This data is stored in the EU and used for analyzing website usage. Yieldify also uses anonymized, aggregated data for improving usage analysis. Data is stored for a maximum of 90 days before anonymization.

More info: Yieldify Privacy Policy.


4. Marketing Tools

We also use tools for advertising purposes (“marketing tools”). Some access data collected on our platform is used for interest-based advertising. By analyzing this data, we can show you personalized ads that match your interests both on our website and on other providers’ websites.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If personal data is transferred to the USA or other third countries, your consent explicitly includes these transfers (Article 49(1)(a) GDPR). Risks are outlined under “Data Transfers to Third Countries.”

The data collected typically includes:

  • IP address,

  • Cookie ID or web storage data,

  • Mobile device ID,

  • Referrer URL,

  • Visited pages (date, time, URL, title, duration),

  • Downloaded files,

  • Clicked external links,

  • Conversion tracking data,

  • Technical data: OS, browser type/version/language, device type/brand/model/resolution,

  • Approximate location (country and city, if applicable).

Data is stored pseudonymously, preventing direct identification of individuals.

Google Ads Conversion Tracking and Ads Remarketing (formerly AdWords)

Our website uses Google Ads, provided for users in the EEA and Switzerland by Google Ireland Limited, and for all other users by Google LLC, USA.

  • Google Ads Conversion Tracking allows us to track actions defined by us (such as ad clicks, page views, downloads) and analyze them.

  • Google Ads Remarketing enables us to show personalized ads about our products on Google partner websites. We also use GA Audience to support these services.

Cookies and similar technologies are used for this.

The data collected may be transmitted to and stored on a Google server in the USA. We have entered into Standard Contractual Clauses with Google to ensure data protection.

If you use a Google account, Google may associate your web and app history with your account and use data from it to personalize ads. If you don’t want this, log out of Google before visiting our website.

If you have not given consent for Google Ads, only general, non-personalized ads will be displayed.

In addition to withdrawing your consent, you can also deactivate personalized ads in your Google ad settings.

Cookies set by Google Ads:

  • _gcl_au (90 days),

  • _gcl_aw (90 days).

More info: Google Privacy Policy.


Google Marketing Platform and Ad Manager (formerly DoubleClick)

Our website uses Google Marketing Platform and Google Ad Manager, services provided for the EEA and Switzerland by Google Ireland Limited, and elsewhere by Google LLC, USA.

These services use cookies and similar technologies to present you with relevant ads based on your previous website visits.

The collected data may be sent to and processed on Google servers in the USA. Standard Contractual Clauses have been signed with Google.

If you do not consent to the use of these services, only general ads will be shown, not tailored based on your activity.

You can also deactivate personalized ads in Google’s ad settings.

Cookies used by Google Marketing Platform:

  • IDE (13 months): Identifies and distinguishes users, tracks ad interactions, serves personalized ads.

  • 1P_JAR (1 month): Optimizes personalized ads, avoids repeat ad displays.

  • DV (5 minutes): Stores user preferences like language.

  • NID (6 months): Stores settings for Google services and advertising functions.

More info: Google Privacy Policy.


YouTube

We embed videos stored on YouTube, a service of YouTube LLC, USA (part of Google LLC).

When you visit a page with an embedded YouTube video, YouTube and Google are informed of your visit, regardless of whether you are logged in. This data is used for advertising, market research, and personalized website design by YouTube/Google. If you are logged into your YouTube or Google profile, this visit may be linked to your account. To prevent this, log out before visiting.

Cookies used by YouTube:

  • VISITOR_INFO1_LIVE (5 months): Estimates bandwidth to optimize video display.

  • GPS (30 minutes): Stores a unique ID to track user location.

  • YSC (Session): Tracks watched videos.

You can also deactivate personalized ads in Google’s settings. Then only non-personalized ads will be shown.

More info: Google Privacy Policy.


AdRoll

We use AdRoll, an e-commerce marketing platform by NextRoll Limited, Ireland (parent company in the USA), to analyze usage, segment users, deliver interest-based ads, and evaluate ad campaign success.

Data processed by AdRoll:

  • If provided: email address, shopping data;

  • IP address and derived location;

  • Technical device, browser, OS, and language details;

  • Browsing history;

  • Ad impressions and interactions;

  • Ad campaign success (conversions);

  • Data from ad partners.

More info: AdRoll Privacy Policy.

Cookies used by AdRoll:

  • __adroll_fpc (10 minutes),

  • __ar_v4 (1 year): Tracks users across sessions/devices.

We have signed data processing agreements and Standard Contractual Clauses with AdRoll.

C. Use of Our Review Platform

Our customers act as data controllers. As such, they are responsible for ensuring compliance with data protection laws under the GDPR. The company (our customer) is also responsible for:

i. How end-users are contacted and informed about the opportunity to leave star ratings & reviews, and for obtaining any necessary consents from end-users;

ii. Verifying the legal permissibility of using reviews (including their manner of use) in advertising, particularly regarding competition and advertising laws (e.g., under the German Drug Advertising Act);

iii. Ensuring compliance with competition, data protection, and other legal requirements, and obtaining necessary end-user consents.

EKOMI IS NOT LIABLE FOR DAMAGES RESULTING FROM BREACHES OF THESE OBLIGATIONS.


1. Nature and Purpose of Data Processing

The nature and purpose of personal data processing by eKomi as a processor are set out in the main contract with our customer. These include:

a. Generating reviews;
b. Moderating reviews;
c. Marketing services (e.g., SEO optimization) & reputation management (e.g., providing certificate pages, seals & awards);
d. Collecting, analyzing, and processing data as part of the service.

For information on specific data categories, please contact our customer directly. eKomi will provide information to authorized persons under its duty to inform. Contact: dataprotection@ekomi-group.com.


2. Categories of Data Subjects

These categories arise from the eKomi main contract with our customers (data controllers) and may include:

a. Customers (our clients);
b. Prospective customers;
c. End-users;
d. Employees contacted on behalf of our clients to provide reviews;
e. Prospects, end-users, or employees of our clients who provide data to submit reviews.

For further information, please contact our customer. eKomi will provide information to authorized persons upon request.


3. Types of Personal Data

The types of personal data processed are defined in the main contract with our customers and may include:

a. Personal details (name, title, academic degree, date of birth);
b. Contact details (email, phone number, address);
c. Contract details (contract information, services, customer number);
d. Employee data;
e. Photos;
f. Videos;
g. Electronic communication data (IP address, visited pages, device info, OS, browser);
h. Specific information (e.g., height, hair color, etc.).

For detailed information about transmitted data, please contact our customer. eKomi provides information to authorized individuals.


4. Data Retention and Deletion

Data retention and deletion practices include:

a. Reviews: Personal data within reviews is anonymized according to eKomi’s communication rules by the Customer Feedback Management Team. After this, data is only accessible to system administrators and team leads and is deleted from eKomi’s systems upon contract termination.

b. Customer Dialogues: Personal data provided during customer dialogues is deleted from eKomi’s systems upon contract termination.

c. Complaints: Personal data provided during complaints or review link requests is deleted after the issue is resolved.

Upon contract termination, eKomi must return all personal data and related documents to the customer and delete them in compliance with data protection and security regulations, including backups.

This does not apply to data created through third-party services (e.g., Google Feed), which will be deleted according to third-party policies. Data that legally becomes eKomi’s property under the contract will not be deleted but retained according to data protection regulations.


5. Information about Children

Our website is not designed for children. If you believe a child under 13 has submitted personal data, please contact us.


6. Review Links / Verification

Reviewers may request a review link from eKomi’s certificate pages if they have not received one from the provider, and if their request is valid under eKomi’s communication rules. A transaction must be verified with an invoice or similar document. Providing such documents and related data is voluntary and only necessary for verification. Irrelevant information can be redacted. After verification, documents are destroyed. Data is not shared with third parties without explicit consent.

 

7. Necessary Tools (Review Platform)

We use certain tools to enable the basic functions of our review platform (“necessary tools”). Without these tools, we cannot provide the service. Therefore, necessary tools are used without consent under § 25(2) TTDSG or, where personal data is processed, based on legitimate interests under Article 6(1)(f) GDPR, or as required for contract fulfillment under Article 6(1)(b) GDPR.

Strictly necessary session cookies used:

  • PHPSESSID (Session): Stores PHP session information;

  • laravel_session (Session);

  • cookie_test (Session);

  • syncConnect (Session): Synchronizes user hierarchy;

  • _rpt_session (Session);

  • SESSION_ID (Session);

  • current_language (Session): Stores the user’s language;

  • sf_redirect (Session).

Strictly necessary persistent cookies used:

  • XSRF-TOKEN (2 hours): Stores CSRF token;

  • AWSALB (7 days): AWS server load balancing;

  • remember_token (5 years);

  • _pulse-backend_session (30 minutes): Stores server session information.


8. Functional Tools (Review Platform)

We also use tools to improve the user experience on our review platform and offer more features (“functional tools”). These are not essential for basic functionality but offer benefits like better usability and additional channels for communication/display/payment.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If personal data is transferred to third countries, your consent includes this transfer (Article 49(1)(a) GDPR).

Functional cookies used:

  • product_id__swlik__shopId__swlik__orderId (5 years) &
    product_id__swdis__shopId__swdis__orderId (5 years): Enables “like/dislike” functionality in the Intersport widget;

  • _easyadmin_navigation_iscollapsed (1 year);

  • current_language (Session): Stores selected language;

  • bing_translator_access_token (10 minutes);

  • current_organization (10 minutes): Stores company ID;

  • advanced_referer_title (10 minutes): Stores page title;

  • advanced_referer_url (10 minutes): Stores requested URL;

  • compaign (10 minutes): Stores campaign information;

  • venue_sorting (10 minutes): Venue sorting;

  • venue_cost_information (10 minutes): Stores display of hidden venue costs;

  • coupon (10 minutes): Stores coupon values;

  • promo (10 minutes): Stores promo values;

  • app_maintenance_notice_ID (10 minutes): Stores maintenance ID;

  • _rpt_session (50 years): Stores user session.


AddThis

We use AddThis, a social media plugin by Oracle America, Inc., USA, to simplify sharing content via social networks.

Data processed by AddThis:

  • Visitor ID (stored as a cookie);

  • IP address and geographic location;

  • Technical data about your device, browser, OS, and language;

  • Time of visit;

  • Referrer URL (previously visited page) and search engine if applicable.

AddThis uses this data to categorize users by interest and create usage profiles.

More info: AddThis Privacy Policy

AddThis cookies:

  • __atuvc (1 year): Shows updated share counts;

  • __atuvs (30 minutes): Shows updated share counts;

  • uvc (1 year): Usage analytics for AddThis services;

  • ssc (1 year): Usage analytics;

  • loc (1 year): Geolocation.

We have signed Standard Contractual Clauses with AddThis.


9. Analytics Tools (Review Platform)

We use tools for statistical analysis of access data (“analytics tools”) to improve the review platform. We also evaluate how our marketing channels are used.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If data is transferred to third countries, your consent includes this transfer (Article 49(1)(a) GDPR).


Google Analytics

Our review platform uses Google Analytics, provided for Europe by Google Ireland Limited, and for other users by Google LLC, USA.

Google Analytics uses cookies and similar technologies to analyze and improve our platform. Google processes the data on our behalf to evaluate usage and compile reports. Data may be transferred to the USA. IP addresses are anonymized before analysis.

Data processed:

  • Anonymized IP address;

  • Referrer URL;

  • Pages visited (date, time, URL, title, duration);

  • Downloaded files;

  • Clicked external links;

  • Conversions;

  • Technical info (OS, browser type/version/language, device type/brand/model/resolution);

  • Approximate location (country/city, based on anonymized IP).

Google Analytics cookies:

  • _ga (2 years) & _gid (24 hours): Identify and distinguish visitors via User-ID;

  • _gat (1 minute): Reduces requests to Google servers.

We have signed Data Processing Agreements and Standard Contractual Clauses with Google.

More info: Google Privacy Policy.


10. Marketing Tools (Review Platform)

We also use marketing tools to display interest-based ads. Some access data is used to display personalized ads matching your interests.

  • Legal basis: Your consent under § 25(1) TTDSG and Article 6(1)(a) GDPR. If data is transferred to third countries, your consent includes this (Article 49(1)(a) GDPR).

Data collected includes:

  • IP address;

  • Cookie ID or web storage info;

  • Device ID;

  • Referrer URL;

  • Visited pages (date, time, URL, title, duration);

  • Downloads;

  • Clicked links;

  • Conversions;

  • Technical data: OS, browser type/version/language, device info;

  • Approximate location (country, possibly city).

All data is pseudonymized; no direct identification is possible.


Google Marketing Platform & Ad Manager

As before, these services show personalized ads based on previous site visits. Data may be processed in the USA. Standard Contractual Clauses are in place.

Google cookies used:

  • IDE (1 year): User-ID, tracks ad interaction, personalized ads.

More info: Google Privacy Policy.


YouTube

We embed videos from YouTube. When you visit a page with an embedded video, Google/YouTube are notified. If logged in, this can be linked to your account.

YouTube cookies:

  • VISITOR_INFO1_LIVE (5 months);

  • GPS (30 minutes);

  • YSC (Session).

You can disable personalized ads in Google settings.
More info: Google Privacy Policy.


AdRoll

We use AdRoll for user analysis, segmentation, personalized ads, and campaign tracking.

Data processed by AdRoll:

  • Email (if provided), shopping data;

  • IP and location;

  • Technical data;

  • Browsing history;

  • Ads shown/interactions;

  • Conversions;

  • Ad partner data.

More info: AdRoll Privacy Policy.

Cookies used:

  • __adroll_fpc (10 min), __ar_v4 (1 year).

We have signed Data Processing Agreements and Standard Contractual Clauses with AdRoll.