PIVACY POLICY

The protection of personal data and the responsible handling of data that you entrust to us is an important and special concern for us, the ModelMe UG ("ModelMe"/"We"). We process your personal data only in accordance with the statutory regulations, in particular with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

In accordance with Art. 13 and 14 GDPR, this Privacy Policy informs you about the processing of personal data and your rights as a data subject in the case of

  •  the general use of our website www.modelme.tech and

  •  the registration and use of our platform and software

  •  visiting our social media presences

Furthermore, we inform you at this point about the protection of your privacy on the terminal equipment you use within the meaning of section 25 of the Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutz-Gesetz – TTDSG).

In section A of this Privacy Policy you will find general information about the data processing and your data subject rights. In section B, we inform you about the data processing when you visit our website, the registration process and the use of our platform and software.

A. GENERAL INFORMATION

1. Data Controller

We, ModelMe UG (haftungsbeschränkt), Prenzlauer Allee 36 G, 10405 Berlin, Germany are the data controller for the data processing described in this Privacy Policy. You can contact us (also for questions regarding data protection) by email at info@modelme.tech.

2. Data Subject Rights

You have the following rights under the respective legal requirements:

  •  The right to obtain confirmation as to whether we are processing your personal data. (Art. 15 GDPR).

  •  The right to information about your personal data processed by us and to a copy of the data (Art. 15 GDPR)

  •  The right to rectification in the event that your personal data is inaccurate (Art. 16 GDPR).

  •  The right to erasure of your personal data (Art. 17 GDPR).

  •  The right to restriction (blocking) of your personal data (Art. 18 GDPR).

  •  The right to data portability (Art. 20 GDPR).

In the event that your personal data is processed on the basis of Article 6(1)(e) or (f) GDPR, you may also object to the processing in question under the conditions of Article 21(1) of the GDPR.

You can object to the processing of your personal data for direct marketing purposes at any time and without giving reasons with effect for the future (Art. 21(2) GDPR).

If the processing is based on your consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, you may withdraw your consent at any time with effect for the future (Art. 7(3) GDPR).

You also have the right to contact the competent Data Protection Supervisory Authority (Art. 77 GDPR).

If you have any questions or complaints about data protection at ModelMe or would like to exercise any of your data protection rights, you can contact us any time using the contact details provided above.

3. Storage period and deletion of your personal data

We erase your personal data,

  •  as soon as the processing is no longer necessary for the purposes explained in this Privacy Policy;

  •  in the event you object pursuant to Art. 21(1) GDPR and no compelling reasons worthy of protection on our part stand in the way of deletion;

  •  or in the event you withdraw your consent (Art. 7 GDPR) and there is no other legal basis for the processing.

If and as long as a deletion conflicts with legal retention obligations, we limit the processing of your data to this archiving purpose (so-called data blocking) and erase your data upon expiry of the retention period. Typical retention periods under German commercial and tax law are six years at the end of the year for business letters (including emails) and ten years at the end of the year for accounting-related data.

4. Recipients of your Data

We use technical service providers (e.g. for hosting, customer data management software and telecommunication providers) as well as service providers for the provision of our services, who process your data according to our instructions on the basis of order processing contracts pursuant to Art. 28 GDPR. We only disclose your data to other third parties if we are legally obliged to do so or if there is another legal basis for doing so.

5. Data Transfers to Third Countries

We may transfer your personal data to recipients in countries outside the European Union ("EU") and the European Economic Area (“EEA”), in particular to the United States of America ("USA"). If, as in the case of the USA, the level of data protection there does not correspond to the level of data protection within the EU, we provide suitable guarantees within the meaning of Art. 46 GDPR. This may include the agreement of the Standard Contractual Clauses of the EU Commission and any additional measures required to ensure an adequate level of data protection. In individual cases, we make the transfer to third countries dependent on your consent to this data transfer in accordance with Article 49(1)(1)(a) GDPR.

6. Automated Decision Making

We do not make any decisions based solely on the automated processing of your data that produce legal effects vis-à-vis you or similarly significantly affect you (Art. 22 GDPR).

7. Amendment of this Privacy Policy

New legal requirements, business decisions or technical developments may require changes to our privacy policy. The Privacy Policy will then be adapted accordingly. You will always find the latest version on our website and platform.

B. DATA PROCESSING WHEN USING OUR WEBSITE AND PLATFORM

When you visit our website or use or platform, we process different categories of personal data for different purposes, depending on which services you use.

Data Processing during the general use of our Website and Platform

When you access our website and platform, we collect and process internet connection data (see a.) as well as certain telemedia and usage data stored in the browser of your device (see b.).

a. Internet Connection Data

When you access our website and/or platform, we process the internet connection data that your browser automatically transmits to our server. This will be your IP address and other usage data (e.g. date and time of the visit, name of the page you called up, amount of data transferred and the requesting provider). We need this information to enable you to use our website and /or platform, for example by adapting the website to the technical requirements of your device.

This internet connection data may also be personal data. The legal basis for this data processing is our legitimate interest in ensuring the security and usability of our website, Art. 6(1)(f) GDPR. We store this personal data for a period of 100 days.

b. Access and Storage on your Device ("Cookies")

We use tracking technologies on our website and platform that enable us or our service providers to collect data relating to the use of our websites. These tracking technologies are usually referred to as cookies, which is why we also use this term in the following. However, the following also applies accordingly to other tracking technologies or file formats, such as local storage, pixels, beacons or tags.

Cookies are text files that are stored to the browser on your device. User-related pseudonymous data can be stored for these files. This data can then be read out in turn.

When you visit our website and/or platform for the first time, we display a so-called “Cookie Consent Banner” to inform you about the tracking technologies we use and to give you the choice of which optional cookies you would like to agree to. You can change your selection at any time in the Privacy Preference Centre on our websites (see (v) below).

i. Technically Necessary Cookies

In certain cases, the storage of information on your terminal device or the access to information already stored on your terminal device is absolutely necessary so that we can make our website available to you for use ("necessary cookies"). In these cases, access to your terminal device takes place on the basis of section 25(2)(2) TTDSG. Insofar as this information has a personal reference and is processed by us in our IT systems, the legal basis for this data processing is our legitimate interest in providing our website and guaranteeing data security, Art. 6(1)(f) GDPR. If you are already registered on one of our websites and the data processing serves the fulfilment of a contract, its legal basis is Art. 6 (1)(b) GDPR.

ii. Cookies that require your Consent

We only use cookies that are not technically necessary with your consent. Therefore, we use the following categories of cookies that require you consent:

  •  Performance cookies: These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website and platform. They help us answer questions about which pages are most popular, which are least used and how visitors move around the site. All information collected by these cookies is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you visited our website and platform.

  •  Functional cookies: These cookies enable the website and platform to provide enhanced functionality and personalisation. They may be set by us or by third parties whose services we use on our sites. If you do not allow these cookies, some or all of these services may not work properly.

  •  Cookies for marketing purposes: These cookies may be set by our advertising partners through our website and platform. They may be used by these companies to profile your interests and show you relevant ads on other websites. They do not directly store personal data, but are based on a unique identification of your browser and internet device. If you do not allow these cookies, you will receive less targeted advertising.

You can find more information about the file names, storage duration, provider and category of the respective cookie in the cookie settings of the cookie consent banner or the privacy preference centre of the respective website.

By clicking on the respective button (e.g. "Accept all cookies" or "Confirm selection") in the cookie consent banner or the data protection preference centre, you consent both to the storage and reading of information in these optional cookies (section 25(1) TTDSG) via our website and platform and to the further processing of any personal data read out (Art. 6(1)(a) GDPR).

iii. Consent to Third Country Transfer

We also use cookies from third-party providers on our websites that are based in third countries outside the European Union (EU) and the European Economic Area (EEA) or use servers in such third countries. The level of data protection in such third countries is regularly not comparable with that of the EU. This applies in particular to the USA, where surveillance authorities can access your data without any reason and, if you are not a citizen of the USA, you currently have only very limited legal remedies against any access to your data. Such government access may not be effectively prevented even by additional agreements between us and the relevant third party provider. Although the EU Commission and the US government announced a "Trans-Atlantic Data Privacy Framework" in March 2022 as a new mechanism for US data transfers, which is intended to provide EU citizens with additional remedies, this framework is not expected to be implemented until the end of 2023. Therefore, in our Cookie Consent Banner or the Privacy Preference Centre for our website and platform, we also obtain your consent to such a third country data transfer (Article 49(1)(a) of the GDPR).

Therefore, when deciding which cookies you wish to accept, please bear in mind that by agreeing to the setting of the cookies in question, you are also consenting to any associated transfer of your personal data to insecure third countries.

You can find out which third-party providers and cookies this concerns in detail in the cookie settings of the cookie consent banner or the data protection preference centre of the respective website.

iv. Google Analytics

As a tracking tool of a US provider, we use the web analytics service Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA on our website and platform. If you consent to the setting of the relevant cookies in our Cookie Consent Banner or the Privacy Preference Centre, Google will collect data relating to your use of our website. This is done by storing cookies for your browser with a pseudonymous user ID assigned by Google. This enables Google to assign data relating to usage behaviour on our website to this respective pseudonymous user. We have commissioned Google to use this information to evaluate the usage behaviour of the website, to compile reports on website activity and to provide us with other services related to website and internet usage. You can view Google's Privacy Policy here. The legal basis for the use of Google Analytics is your consent, which you can revoke at any time with future effect (Art. 6(1)(a) GDPR, section 25(1) TTDSG).

The data collected via Google Analytics is also stored on Google servers in the USA. We have activated the IP anonymisation function on our websites. This means that your IP address is shortened by Google within member states of the EU or the EEA before being transmitted to the USA. Only in exceptional cases, the full IP address will be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Nevertheless, you should take into account when making your decision that the protective measures taken by Google are not sufficient, at least in the opinion of various European data protection authorities, to effectively prevent possible access by the US authorities to your usage data. When giving your consent to the setting of Google cookies, please bear in mind that Google is a US company and that by giving your consent to the setting of the cookies in question, you also consent to any associated transfer of your personal data to the USA. We have concluded a Data Processing Agreement with Google, which fulfils the requirements of Art. 28 GDPR.

v. Hotjar

We also use the analysis service Hotjar, of Hotjar Limited (Malta), Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe, in order to better understand the needs of our users and to continuously improve the offer on our website and platform. To do this, Hotjar sets cookies - depending on the consent you have given - to collect data about your device, in particular the IP address of the device (only collected and stored in anonymised form during your website use), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language. Hotjar stores this information in a pseudonymised user profile. Hotjar is contractually prohibited from selling the data collected on our behalf. We have concluded an order processing agreement with Hotjar that meets the requirements of Art. 28 GDPR. The legal basis for the use of Hotjar is your consent, which you can withdraw at any time with effect for the future (Art. 6(1)(a) GDPR, section 25(1) TTDSG). Further information on data protection at Hotjar can be found here. We have also concluded a Data Processing Agreement with Hotjar, which fulfils the requirements of Art. 28 GDPR.

vi. Lucky Orange

We also use Lucky Orange, an analytics service provided by Lucky Orange LLC, 8665 W 96th St Suite #100, Overland Park, KS 66212, USA. By using Lucky Orange, we can analyse and better understand user behaviour on our website and platform and thus optimise our website and platform. Lucky Orange sets cookies that process certain data about you, in particular your IP address, mouse and scroll movements and clicks. Lucky Orange can also determine how long you have stayed on a certain spot with the mouse pointer. From this information, Lucky Orange creates so-called heat maps, which can be used to determine which areas of the website and platform users prefer to view. The legal basis for the use of Lucky Orange is your consent, which you can withdraw at any time with future effect (Art. 6(1)(a) GDPR, section 25(1) TTDSG). When giving your consent to the setting of Lucky Orange cookies, please bear in mind that Lucky Orange is a US company and that by giving your consent to the setting of the relevant cookies, you also consent to any associated transfer of your personal data to the USA. We have also concluded Data Processing Agreement with Lucky Orange, which fulfils the requirements of Article 28 GDPR. You can find Lucky Orange’s Privacy Policy here.

vii. Userlike

On our website and within the platform, we offer you the opportunity to ask questions via a live chat. For this purpose, we use the service provider Userlike UG (haftungsbeschränkt), Probsteigasse 44-46, 50670 Köln, which sets cookies on our website and our platform that process certain personal data of yours, in particular your IP address and personal data of yours resulting from the chat messages (e.g. your name). The legal basis for the use of Userlike is your consent, which you can withdraw at any time with effect for the future (Art. 6(1)(a) GDPR, section 25(1) TTDSG). We have concluded a Data Processing Agreement with Userlike UG (haftungsbeschränkt) that fulfils the requirements of Art. 28 GDPR. Information on data protection at Userlike can be found here.

viii. Mixpanel

We also use Mixpanel, a service provided by Mixpanel Inc, 1 Front Street 28th Floor San Francisco, CA 94111 USA. We have implemented Mixpanel as an analytics service to improve our website, platform and software. Mixpanel sets cookies on our website and platform, which process certain personal data about you, in particular your IP address, and can thereby provide us with information about how our website and platform are frequented and used. The legal basis for the use of Mixpanel is your consent, which you can withdraw at any time with future effect (Art. 6(1)(a) GDPR, section 25(19 TTDSG). We have concluded a Data Processing Agreement with Mixpanel, which fulfils the requirements of Art. 28 GDPR. In order to reduce the risks associated with any data transfer to the USA, we have agreed the so-called "European Data Residency" with Mixpanel. In this way, Mixpanel guarantees that the personal data processed is processed exclusively in the EU (Netherlands). Information on data protection at Mixpanel can be found here.

ix. CookieFirst

We also use CookieFirst, a service provided by Digital Data Solutions B.V., which sets cookies on our website and our platform that process certain personal data of yours, in particular your IP address. We have implemented CookieFirst as our cookie consent manager to obtain and manage user consent for the use of cookies on our website. The legal basis for the use of CookieFirst is your consent, which you can withdraw at any time with effect for the future (Art. 6(1)(a) GDPR, section 25(1) TTDSG). We have concluded a Data Processing Agreement with Digital Data Solutions B.V. that fulfils the requirements of Art. 28 GDPR. Information on data protection at CookieFirst can be found here.

x. Withdrawal of your Consent

You can withdraw your consent given in the Cookie consent banner at any time for the future (Art. 7 para. 3 GDPR). To do so, call up the "Cookie settings" on our respective website via a link provided in the footer of the website ("Individual cookie settings").

Under "Cookie Settings" you have the option of revoking any consent you have already given by deselecting the relevant cookies. However, you can also select additional cookies there and declare further consent or grant new consent.

Your choice of optional cookies will in turn be stored as a cookie in your browser.

2. Hosting

a. Hosting of the website

We use Netlify, Inc, 44 Montgomery Street, Suite 300, San Francisco, CA 94104 as the hosting service provider for our website. We have concluded a Data Processing Agreement with Netlify, which fulfils the requirements of Art. 28 GDPR. This also includes - due to the data transfer to the USA - the Standard Contractual Clauses of the EU Commission (June 2021). Netlify also guarantees supplementary technical and organisational measures (e.g. encryption of data) in the Data Processing Agreement in order to ensure an appropriate level of data protection. The legal basis for the use and data processing by Netlify is our legitimate interest (Art. 6 (1)(f) GDPR) in outsourcing the hosting of our website to ensure its effectiveness. You can find more information about data protection at Netlify here.

b. Hosting of the platform

We host our platform on servers of Amazon Web Services EMEA Sàrl, Avenue John F. Kennedy 38, 1855 Luxembourg (AWS). We have concluded a Data Processing Agreement with AWS, which fulfils the requirements of Art. 28 GDPR. In addition, we have selected the EU/EEA as the region for hosting, so that only servers of AWS in the EU/EEA are used for hosting the data by AWS. The legal basis for the use and data processing by AWS is our legitimate interest (Art. 6(1)(f) GDPR) in outsourcing the hosting of our platform to ensure its effectiveness. You can find more information about data protection at AWS here.

3. Newsletter

You have the ability to register for our newsletter on our website. To do this, we ask you to enter your e-mail address. After you have provided your email address, we will send you a confirmation email with a confirmation link, which you must click in order to subscribe to our newsletter (so-called double opt-in procedure). The legal basis for the processing of your data in this context is Art. 6 para. 1 letter a GDPR, which you can withdraw at any time with effect for the future. To do so, click on the unsubscribe link contained in every newsletter email from us.

In the event of your revocation, we will delete your data processed by us up to that point. This does not apply to data that we need in order to prove that you have given us consent in the past and that we have made lawful use of this consent. The processing of such data is then limited to this documentation and verification purpose. The storage is based on Art. 6(1)(c) as well as Art. 5(1)(a), Art. 5(2), Art. 7(1) GDPR and Art. 6(1)(f) GDPR and for the duration of the respective statutory limitation periods under criminal and civil law or separate, legally mandated retention periods.

For our newsletter, we use the collaborative tools Mailjet and Mailgun of Sinch Sweden AB, Legal Dept. Lindhagensgatan 74, 112 18 Stockholm, Sweden as a processor, with whom we have entered into a Data Processing Agreement that meets the requirements of Art. 28 GDPR.

4. Embedded YouTube Videos

Our website contains embedded videos from the streaming service Youtube. This service is operated by Google Ireland Limited, Gordon House, Barrow St, Dublin 4, Ireland. If you follow the links or play videos, information may be transmitted to Google. The purpose and scope of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and setting options for protecting your privacy, can be found in Google's privacy policy: https://policies.google.com/privacy?hl=de.

5. Registration and User Account

By clicking on the "Try Now" button on our website, you have the opportunity to register for our platform by entering your name, email address and details of the company to which you belong. You can also write us a message in the free text field. After successful registration, you will receive an e-mail from us with a confirmation link, which you must click to complete the registration. Upon completion of registration, we will provide you with a personal, password-protected user account. We process the above-mentioned data from you in order to provide you with our platform and the associated software (as a service) and to generate your user account. The legal basis for the processing of your personal data is Art. 6(1)(b) GDPR, namely the initiation and execution of the contract for the use of our platform and software with us. In order to manage the logins (username and password), including single sign-ons in our system, we use the service Auth0, of Okta Inc, P.O. Box 743620, Los Angeles, CA 90074 - 3620, USA. Okta processes on our behalf in particular your e-mail address and IP address, as well as information about the successful login. We have concluded Data Processing Agreement with Okta, which fulfils the requirements of Art. 28 GDPR and is based on the Standard Contractual Clauses of the EU Commission (June 2021). In order to minimise the data transfer to the USA and the associated risks, Okta ensures that additional technical and organisational measures are taken. You can find more information about Okta's data protection here. You also have the option of inviting third parties to use the platform via email. These persons will then be added to your user account so that you can work together on projects. The processing of personal data of these persons is based on Art. 6(1)(f) GDPR, namely our legitimate interest in processing data to fulfil the user contract with you.

6.Data processing when using our software

a. Upload photos

As a registered user of our platform you have the possibility to upload your own photos. Our software provided to you generates new images of models from these photos. The photos you upload will contain personal data of third parties (namely their image). We process this personal data in order to fulfil the contract with you, Art. 6(1)(b) GDPR. Before using a photo, please ensure that you have the consent of the person depicted on it to use the photo on our platform. In this context, please also note our terms of use.

b.Further development of our software

Our software can only develop further and improve its functionality if it receives data. Therefore, we also use the personal data from the photos you provide to us via upload (and no other data from you, such as your name or email address) for teaching our software. The legal basis for this is Art. 6(1)(f) GDPR, namely our legitimate interest in improving and further developing our software. You can object to data processing for further development at any time under the conditions of Art. 21 GDPR. To do so, write us an email to the contact details mentioned above.

7. Payment via Stripe and Paypal

a. Stripe

To process payments, we use the payment service provider Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). This serves to provide a possibility for easy payment. The legal basis for the use of Stripe is therefore Art. 6(1)(b) GDPR. As soon as the payment is to be made, you will be redirected to the Stripe website. Stripe asks you for the relevant data for the payment (such as name, credit card details, etc.) and processes these on its own controlership. We do not receive any payment data from Stripe. Information on data protection at Stripe can be found here.

b. Paypal

We also offer you the option to settle payments via PayPal, a service of PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The legal basis for this is Art. 6(1)(b) GDPR, namely the execution of the contract with you. As soon as the payment is to be made, you will be redirected to the PayPal website or the PayPal app. PayPal asks you for the data relevant for the payment (such as name, credit card data, booking number) and processes them on its own controllership. We do not receive any payment data from PayPal. Please note the Privacy Policy of PayPal, which you can find here.

8. Social Media Presences

We maintain presences in the following social networks

In this way, we provide information about ourselves and communicate with the respective users. This privacy policy and our imprint also apply to the aforementioned online presences. If you contact us via social networks - for example, for application purposes or with other requests - we will treat your data as described in this privacy policy. The legal basis is, unless otherwise stated, our legitimate interest in external presentation and communication (Art. 6(1)(f) GDPR). The providers of the social networks regularly process the users' data for advertising purposes and create usage profiles for this purpose based on the users' activities. For this purpose, the social networks also use cookies and other tracking technologies. We have no influence on this data processing by the providers. More detailed information on this can be found in the data protection statements of the respective provider. There you will also find information on the assertion of information claims and other data subject rights against the providers. Facebook provides us as fan page operator with aggregated information about the users of the website (so-called Facebook Insights). We use this information in our legitimate interest in advertising and the needs-based design of our internet presences (Art. 6(1)(f) GDPR). With regard to the processing of user data, there is a joint responsibility between us and Facebook in this respect. Facebook has undertaken to fulfill all obligations arising from the GDPR with regard to the processing of Insights data, including the rights of data subjects (such as claims for information). Therefore, please contact Facebook directly with corresponding requests. Finally, we would like to point out that the providers of social networks may process users' data outside the European Economic Area, for example in the USA. In this case, there may be a lower level of data protection than within the EU, and it may be more difficult for users to enforce their rights against the providers on the basis of EU law.

Status: May 2023