Privacy Policy

We are pleased about your visit to our website https://www.keyou.de and your interest in our company. With the aim of providing you with the highest possible level of transparency, we inform you in the following about the type, scope, and purpose of the collection, processing, and use of personal data that occur during the use of our website. The General Data Protection Regulation (hereinafter referred to as 'GDPR') can be accessed here as a complete document.

Table of Contents

1. Definitions of terms

The following terms that we use in our privacy policy are defined in Art. 4 GDPR. This is only an excerpt from Art. 4 GDPR. All definitions can be found in the GDPR (available here).
‍

  • Personal data (Art. 4 No. 1 GDPR)
    Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    ‍
  • Processing (Art. 4 No. 2 GDPR)
    Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    ‍
  • Pseudonymization (Art. 4 No. 5 GDPR)
    Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
    ‍
  • Controller (Art. 4 No. 7 GDPR)
    The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
    ‍
  • Processor (Art. 4 No. 8 GDPR)
    A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    ‍
  • Third party (Art. 4 No. 10 GDPR)
    A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
    ‍
  • Consent (Art. 4 No. 11 GDPR)
    Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
    ‍
  • Company (Art. 4 No. 18 GDPR)
    An enterprise is a natural or legal person engaged in an economic activity, irrespective of its legal form, including associations or partnerships regularly engaged in an economic activity (Art. 4 No. 18 GDPR).
    ‍

2. Controller pursuant to Art. 4 No. 7 GDPR

KEYOU GmbH
Arnulfstr. 60
80335 Munich, Germany
Telephone: +49 89 6931484-0
E-mail: info@keyou.de

You can access our complete imprint here: https://www.keyou.de/legal/imprint
‍

For each processing operation described in our privacy policy, we will inform you of the corresponding legal basis on which the processing is carried out. A distinction is made between the following groups of cases in which processing is lawful:
‍

  • You have given us consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 para. 1 sentence 1 lit. a GDPR).
    ‍
  • There is a contract between you and us for the performance of which the processing is necessary or the processing is necessary for the performance of pre-contractual measures taken at your request (Art. 6 para. 1 sentence 1 lit. b GDPR).
    ‍
  • The fulfillment of a legal obligation to which we are subject requires the processing (Art. 6 para. 1 sentence 1 lit. c GDPR).
    ‍
  • The protection of your vital interests or those of another natural person requires processing (Art. 6 para. 1 sentence 1 lit. d GDPR).
    ‍
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 6 para. 1 sentence 1 lit. e GDPR).
    ‍
  • Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 para. 1 sentence 1 lit. f GDPR).
    ‍

4. Storage of data / deletion of data

Within the processing described in our privacy policy, we will inform you of the corresponding storage period or the times of deletion or blocking of data. If no explicit storage period is defined, the data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies.
Data may be stored beyond the defined periods if statutory provisions to which we are subject (e.g. Section 147 AO, Section 247 HGB) provide for a different storage period.
‍
Following the storage period, the personal data will be deleted or blocked unless further storage is required by us on a legal basis. In addition, storage beyond the specified period is possible in the event of a (possible) legal dispute with you or other legal proceedings.
‍

5. Disclosure of personal data

If your personal data is passed on, you will be informed accordingly at the respective point in our data protection declaration. If your personal data is transferred outside the European Economic Area and thus to so-called third countries, you will be informed accordingly at the respective point in our data protection declaration. In principle, we only transfer personal data to third countries where the EU Commission has confirmed an adequate level of protection or where we can guarantee the careful handling of personal data on the basis of contractual agreements or other suitable guarantees.
‍

6. Collection of personal data

In the following, we will inform you about the collection of personal data (such as name, e-mail address, address or user behavior).
‍

6.1 Use of our website for information purposes only

If you do not register on our website (e.g. in the form of a newsletter) or transmit data to us in any other way (e.g. by using a contact form), only the personal data transmitted by your browser to our server will be collected. This is data that is technically necessary for us to make the website available for you to view while ensuring a secure and stable display. This is the following information, which is derived from a log file line:
‍

  • Internet Protocol address (IP address)
  • Time zone difference to Greenwich Mean Time (GMT)
  • Time and date of the respective access
  • The specific page accessed
  • Status of the access / Hypertext Transfer Protocol (http)
  • Amount of data that was transferred in each case
  • Website from which our website was accessed (referrer URL)
  • Internet browser used (incl. language and version)
  • Operating system used
    ‍

The legal basis for the collection of the listed data results from Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in ensuring an error-free connection setup and convenient use of our website as well as analyzing system stability and security and using the data for other administrative purposes.
‍

6.2 Making contact by email

If you contact us via the e-mail address provided in section 2 or other e-mail addresses of our company that are published on our website, we will store your e-mail address and other contact details provided in your e-mail (e.g. your name or telephone number) in order to process your request. This data will be deleted immediately as soon as further storage is no longer necessary. If statutory retention periods apply to the data, the processing of the data will be restricted accordingly instead of being deleted. Depending on the reason for sending the email, the legal basis for processing the data results from Art. 6 para. 1 sentence 1 lit. b GDPR or from Art. 6 para. 1 sentence 1 lit. f GDPR, i.e. either for processing the contract concluded with you and for fulfilling our (pre)contractual obligations or is based on our legitimate interest in contacting people interested in our services.
‍

6.3 Contact form

If you contact us using the contact form on our website, the contact data you provide will be stored and processed by us in order to process your request. Depending on the reason for contacting us, the legal basis for processing the data results from Art. 6 para. 1 sentence 1 lit. b GDPR or from Art. 6 para. 1 sentence 1 lit. f GDPR, i.e. either for processing the contract concluded with you and for fulfilling our (pre)contractual obligations or is based on our legitimate interest in contacting people interested in our services.
‍

6.4 "Get our brochure" form!

When you submit the "Get our brochure!" form on our website, the data you provide will be stored and processed by us in order to process your request and provide you with the brochure. The legal basis for processing the data is based on our legitimate interest in contacting people interested in our services (Art. 6 para. 1 sentence 1 lit. f GDPR).
‍

6.5 Declaration of intent

If you contact us using the contact form on our website, the contact details you provide will be stored and processed by us in order to process your request. Depending on the reason for contacting us, the legal basis for processing the data results from Art. 6 para. 1 sentence 1 lit. b GDPR or from Art. 6 para. 1 sentence 1 lit. f GDPR, i.e. either for processing the contract concluded with you and for fulfilling our (pre)contractual obligations or is based on our legitimate interest in contacting interested parties for our services.
‍

6.6 Job applications

Job vacancies are published on our website. If you click on the "Apply now" button next to the respective job advertisement, you will be redirected to the https://keyou-gmbh.jobs.personio.de page. This is a subdomain of www.personio.de of the HR software Personio of the company Personio SE & Co. KG, Seidlstraße 3, 80335 Munich (hereinafter referred to as "Personio"), Imprint: https://www.personio.de/impressum/, which we use to organize our application process. Personio's privacy policy can be found here: https://www.personio.de/datenschutzerklaerung/. Personio uses Amazon Web Services Europe (AWS) as its hosting provider. According to Personio, the AWS data centers are DIN ISO/IEC 27001 and DIN ISO/IEC 27018 certified and guarantee the highest level of data protection security. In addition, all customer data is stored on servers within the European Union. Personio states that it takes additional technical and organizational measures to ensure the security of processing. You can find more information here: https://www.personio.de/datenschutz/. We have concluded an order processing contract with Personio. The legal basis for data processing is therefore Art. 6 para. 1 sentence 1 lit. b GDPR.

‍
When you apply using the relevant form, the data you provide will be stored by us and processed for the purposes of the application process. The legal basis for the processing of this data is the fulfillment of our pre-contractual obligations in the context of the application process in accordance with Art. 6 para. 1 lit. b GDPR in conjunction with Β§ 26 Federal Data Protection Act (BDSG). Furthermore, an additional legal basis may arise from Art. 6 para. 1 lit. f GDPR if data processing becomes necessary, for example in the context of legal proceedings. If applicants voluntarily submit special categories of personal data in accordance with Art. 9 para. 1 GDPR, these will be processed by us in accordance with Art. 9 para. 2 lit. b GDPR. If we request data in accordance with Art. 9 para. 1 GDPR, the data processing is always based on your express consent (Art. 9 para. 2 lit. a GDPR). If the application results in an employment relationship, the applicant data will be further processed by us to establish an employment relationship in accordance with Art. 6 para. 1 lit. b GDPR in conjunction with Β§ 26 BDSG. Otherwise, the applicant data will be stored by us exclusively for the duration of the application procedure and at the longest in accordance with the generally recognized and statutory retention periods and then deleted (at the latest 6 months after the position has been filled - in order to be able to react to applicant claims under the General Equal Treatment Act (AGG)). This also applies to withdrawn applications. Further data may also be stored beyond this period to fulfill other legal obligations.
‍

7. Webflow

Our website is hosted by the company Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103 (hereinafter referred to as "Webflow"). Webflow also provides the content management system for our website. We have concluded an order processing contract with the company, which contains the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (available here in German). You can access Webflow's global privacy policy here: https://webflow.com/legal/privacy. You can access the privacy policy for the EU and Switzerland here: https://webflow.com/legal/eu-privacy-policy. Data processing within the USA is possible in this respect. The USA is a so-called third country within the meaning of the GDPR. The data transfer to this third country is justified in the present case in accordance with Art. 44 and 45 GDPR, as Webflow is an active participant in the so-called "EU/US - Data Privacy Framework". This is a data protection agreement between the EU and the USA in which the level of data protection for certified companies in the USA has been declared appropriate ("adequacy decision").
‍

7.1 Hosting

Webflow hosts our website using the content delivery networks of the US companies Fastly Inc. and Amazon Web Services, Inc. A content delivery network is a network of geographically distributed, possibly interconnected servers. The server closest to the respective user of the website is always used. The CDN used here includes servers in North America and parts of Europe. You can find more information on the following Webflow page: https://webflow.com/blog/what-to-look-for-in-a-web-hosting-service.
‍

7.1.1 Fastly

Webflow hosts our website using the content delivery network of the US company Fastly Inc. 475, Brannan St. #300, San Francisco, CA 94107 (hereinafter referred to as "Fastly"). You can access the company's privacy policy here: https://www.fastly.com/privacy/. Data processing within the USA is possible in this respect. The USA is a so-called third country within the meaning of the GDPR. The data transfer to this third country is justified in the present case in accordance with Art. 44 and 45 GDPR, as Fastly is an active participant in the so-called "EU/US - Data Privacy Framework". This is a data protection agreement between the EU and the USA in which the level of data protection for certified companies in the USA has been declared adequate ("adequacy decision")
‍

7.1.2 Amazon CloudFront

Webflow hosts our website using the content delivery network of the US company Amazon Web Services, Inc, 410 Terry Avenue North, Seattle WA 98109 (hereinafter referred to as "AWS"). The CDN is called Amazon CloudFront. You can access the company's legal notice here: https://aws.amazon.com/de/impressum/?nc1=f_cc. You can access the company's privacy policy here: https://aws.amazon.com/de/privacy/?nc1=f_pr. Data processing within the USA is possible in this respect. The USA is a so-called third country within the meaning of the GDPR. The data transfer to this third country is justified in the present case in accordance with Art. 44 and 45 GDPR, as AWS is an active participant in the so-called "EU/US - Data Privacy Framework". This is a data protection agreement between the EU and the USA in which the level of data protection for certified companies in the USA has been declared adequate ("adequacy decision")
‍

7.2 Cloudflare

In order to ensure cross-browser compatibility so that the modern functionality of Webflow pages is also available in older browsers that do not natively support it, Webflow integrates JavaScript using Cloudflare's Content Delivery Network. The CDN is operated by Cloudflare, Inc, 101 Townsend St., San Francisco, CA 94107 (hereinafter referred to as "Cloudflare"). You can access the company's privacy policy here: https://www.cloudflare.com/de-de/privacypolicy. Data processing within the USA is possible in this respect. The USA is a so-called third country within the meaning of the GDPR. The data transfer to this third country is justified in the present case in accordance with Art. 44 and 45 GDPR, as Cloudflare is an active participant in the so-called "EU/US - Data Privacy Framework". This is a data protection agreement between the EU and the USA in which the level of data protection for certified companies in the USA has been declared adequate ("adequacy decision")
‍

7.3 website-files.com

There is also a connection to the website-files.com domain. This domain belongs to the company Webflow. It hosts images and other assets that are integrated into our website. This domain of the company Webflow is also hosted via the CDNs Fastly and Amazon CloudFront.
‍

The legal basis for data processing within the meaning of the above lies in Art. 6 para. 1 sentence 1 lit. f GDPR and is based on our interest in providing you with a fast, secure and user-friendly website. As far as the circumstance of data processing in the third country USA is concerned, the legal basis, as explained, results from Art. 44 and 45 GDPR (since all companies involved are active participants in the so-called "EU/US - Data Privacy Framework"), as well as otherwise from Art. 46 para. 1, para. 2 lit. c GDPR (standard contractual clauses).
‍

8. reportic (web tracking)

We use the reportic service of never final GbR, partners Johannes Zimmer & Lukas Schardt, Pastorenstraße 16, 20459 Hamburg, imprint: https://www.reportic.de/impressum (hereinafter referred to as "reportic") on our website. You can access reportic's privacy policy here: https://www.reportic.de/datenschutz. We have concluded a corresponding data processing agreement with the company. We use reportic on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, in this case in the interest of evaluating our website and improving it for you as a user. By default, reportic does not use cookies and does not describe the storage, but records the visit behavior by means of purely technical parameters within a session (website visit) by means of session tracking. The tracking is anonymized.

You can object to data processing here at any time: Just click here to opt-out
‍

9. HubSpot Forms

We use the inbound marketing & sales software HubSpot from the American company HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA (hereinafter "HubSpot" - the imprint can be found here: https://legal.hubspot.com/de/impressum, the privacy policy here: https://legal.hubspot.com/de/privacy-policy) to integrate forms on our website. A data transfer to the USA and thus to a third country is therefore possible. The data transfer to this third country is justified under Art. 44 and 45 GDPR, as HubSpot is an active participant in the Data Privacy Framework. This is a data protection agreement between the EU and the USA, in which the level of data protection for certified companies in the USA is declared adequate ("adequacy decision"). The legal basis for processing the data depends on the purpose of the form and is either Art. 6 para. 1 s. 1 lit. b GDPR or Art. 6 para. 1 s. 1 lit. f GDPR, either for the execution of the contract concluded with you and the fulfillment of our (pre-)contractual obligations or based on our legitimate interest in contacting prospects of our services.
‍

10. YouTube

We embed YouTube videos on our website. This is a video portal of the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, imprint: https://www.google.de/intl/de/contact/impressum.html. The parent company of this Ireland-based company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google"). Google's privacy policy can be accessed here: https://policies.google.com/privacy?hl=de. We have embedded the videos in the so-called "enhanced privacy mode," which ensures that no cookies are set and – according to Google - the playback of the video is not used by Google for personalizing the use of the YouTube platform. Likewise, the playback of the video – according to Google - is not used for personalizing advertising. A data transfer to the USA and thus to a third country takes place. The data transfer to this third country is justified under Art. 44 and 45 GDPR, as Google is an active participant in the Data Privacy Framework. This is a data protection agreement between the EU and the USA, in which the level of data protection for certified companies in the USA is declared adequate ("adequacy decision"). The legal basis for processing the data is otherwise based on Art. 6 para. 1 s. 1 lit. f GDPR, thus based on our legitimate interest in providing videos on our website for our website users to inform themselves about our services. When you play the video, the Local- and Session-Storage are written to, which is technically necessary for you to be able to play the video.
‍

11. Newsletter

To stay informed about current topics, you can subscribe to our newsletter. To successfully register for the newsletter, you only need to enter your email address in the registration form.
‍

11.1 Registration and Confirmation (Double Opt-In Process)

The only mandatory information within the registration form is your email address. Registration is done using a double opt-in process. This means you will receive an email to the email address you provided after your registration. This email contains a link. By clicking on this link, you can confirm that you would like to receive our newsletter from now on. After confirmation, we store your email address and any additional data you voluntarily provided (the legal basis for this is Article 6 (1) s. 1 lit. a GDPR) to send you the newsletter in the future. If this confirmation does not occur, the information you provided (such as your email address and other voluntarily provided data) will be automatically and immediately deleted. Furthermore, only your IP address and the times of newsletter registration, newsletter confirmation, and newsletter unsubscription are stored on our side after sending the last newsletter for the period required for us to keep proof of your registration including your confirmation and your unsubscription as well as to clarify any misuse of your data (the time of deletion is thus determined by the limitation period of any claims).
‍

11.2 Unsubscribing

You have the right to revoke your consent to receive our newsletter at any time, resulting in an unsubscription from the newsletter, without incurring costs other than the transmission costs according to the basic tariffs. There are two ways to do this. You can send us an email to info@keyou.de or click on the "Unsubscribe from newsletter" link, which is present at the end of every newsletter you receive from us.
‍

11.3 Service Provider HubSpot

To send our newsletter, we use the inbound marketing & sales software HubSpot from the American company HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA (hereinafter "HubSpot" - the imprint can be found here: https://legal.hubspot.com/de/impressum, the privacy policy here: https://legal.hubspot.com/de/privacy-policy). A data transfer to the USA and thus to a third country is therefore possible. The data transfer to this third country is justified under Art. 44 and 45 GDPR, as HubSpot is an active participant in the Data Privacy Framework. This is a data protection agreement between the EU and the USA, in which the level of data protection for certified companies in the USA is declared adequate ("adequacy decision"). The legal basis for processing the data is based on our legitimate interest in informing prospects of our services about news.
‍

12. Your rights

Below we inform you about your rights under the GDPR. The GDPR can be accessed here as a complete document.
‍

  • Right of access under Article 15 (1) GDPR
    You have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, in addition to the right to information about these personal data, you have the right to information about processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your personal data have been or will be disclosed (especially to recipients in third countries or international organizations), the storage duration or criteria for determining the storage duration, the existence of a right to rectification or deletion of personal data concerning you or to restriction of processing on our part, as well as a right to object to such processing, the existence of a right to lodge a complaint with a supervisory authority, all available information on the source of the data (in case they were not collected by us), the existence of automated decision-making including profiling and, if applicable, meaningful information on the involved logic as well as the significance and the envisaged consequences of such processing.
    ‍
  • Right to rectification under Article 16 GDPR
    You have the right to request the immediate rectification of inaccurate personal data concerning you and the completion of incomplete personal data.
    ‍
  • Right to erasure ("right to be forgotten") under Article 17 (1) GDPR
    You have the right to demand that we delete personal data concerning you without undue delay. However, this right does not apply under Article 17 (3) GDPR if processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the field of public health, for archiving purposes in the public interest or for the establishment, exercise or defense of legal claims.
    ‍
  • Right to restriction of processing under Article 18 (1) GDPR
    You have the right to demand that we restrict the processing of your personal data if you dispute the accuracy of your personal data (the restriction applies for the period that allows us to verify the accuracy), if the processing of your personal data is unlawful and you refuse deletion, if we no longer need your personal data for processing purposes, but you need them to assert, exercise or defend legal claims, or if you have objected to processing under Article 21 (1) GDPR (the restriction applies as long as it is not yet determined whether our legitimate reasons outweigh yours).
    ‍
  • Right to Data Portability according to Article 20 GDPR
    You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit this data to another controller without hindrance from us (or to request a direct transmission from us to another controller, where technically feasible), if the processing is based on consent or a contract, or was carried out by automated means.
    ‍
  • Right to Withdraw Consent according to Article 7(3) GDPR
    You have the right to withdraw your consent at any time, effective for the future, so that the data processing based on this consent may not be continued for the future. However, this does not affect the lawfulness of the processing carried out until your withdrawal.
    ‍
  • Right to Lodge a Complaint according to Article 77 GDPR
    Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data relating to you infringes the GDPR. As a rule, you can turn to the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement. Further information can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information.
    ‍

13. Right to Object

In addition to the rights mentioned, you also have the right to object at any time to the processing of your personal data which is based on the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6(1)(e) GDPR), or for the protection of legitimate interests of ours (Art. 6(1)(f) GDPR), effective for the future, if there are reasons arising from your particular situation. In the event of an objection, no further processing of the personal data will be carried out unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing is for the establishment, exercise, or defense of legal claims. In the case of processing your personal data for the purpose of direct marketing or profiling, where it is related to direct marketing, you have a general right to object without having to provide reasons arising from your particular situation. In the event of an objection, we will immediately stop processing the personal data for these purposes. To exercise your right of withdrawal or objection, an email to info@keyou.de is sufficient.
‍

14. Data Security

On our website, the encryption and communication protocol TLS 1.3 (Transport Layer Security) is used. The TLS certificate issued by a certification authority and used by us enables encrypted data exchange between the web browser and the web server, preventing sensitive data from being read by third parties. We use the procedure with the highest level of encryption supported by your browser, which will generally be 256-bit encryption. The higher the bit number, the longer the key, and thus the better the protection from third parties.

‍
This privacy policy was created specifically for this website by Frame for Business GmbH in cooperation with the law firm Dr. Schultheiß.

‍