Data protection

Effective date:

Jun 27, 2024

1 Introduction

In the following, we inform you about the processing of personal data when using

  • our website www.surein.de

  • our profiles on social media.

Personal data is any data that relates to an identifiable natural person, e.g. their name or IP address.

1.1 Contact Details

The controller according to Art. 4 Para. 7 EU General Data Protection Regulation (GDPR) is SureIn GmbH (limited liability), Urbanstraße 71, 10967 Berlin, email: info@surein.de. We are legally represented by Daniel Dierkes and David Schara. Our data protection officer is heyData GmbH, Kantstr. 99, 10627 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2 Scope of Data Processing

We will detail the processing purposes and legal bases as well as the extent of data processing further down. The following generally apply as legal bases for data processing:

  • Art. 6 Para. 1 Sentence 1 lit. a GDPR serves as our legal basis for processing operations for which we obtain consent.

  • Art. 6 Para. 1 Sentence 1 lit. b GDPR is the legal basis where the processing of personal data is necessary for the performance of a contract, e.g., when a visitor purchases a product from us or we provide them with a service. This legal basis also applies to processing necessary for pre-contractual measures, such as inquiries regarding our products or services.

  • Art. 6 Para. 1 Sentence 1 lit. c GDPR applies when we fulfill a legal obligation through the processing of personal data, as may be the case under tax law.

  • Art. 6 Para. 1 Sentence 1 lit. f GDPR serves as the legal basis when we can rely on legitimate interests for the processing of personal data, e.g., for cookies that are necessary for the technical operation of our website.

1.3 Data Processing Outside the EEA

As far as we transmit data to service providers or other third parties outside the EEA, we guarantee the security of the data during transmission, as long as (e.g. for the UK, Canada, and Israel) there are adequacy decisions of the EU Commission (Art. 45 Para. 3 GDPR). If there is no adequacy decision (e.g. for the USA), the legal basis for the data transmission is typically the standard contractual clauses unless we provide a different notice. These are a set of rules adopted by the EU Commission and part of the contract with the respective third party. According to Art. 46 Para. 2 lit. b GDPR, they ensure the safety of data transmission. Many providers have given contractual guarantees that protect data beyond the standard contractual clauses, such as guarantees regarding the encryption of data or regarding a duty of the third party to inform affected individuals when law enforcement agencies wish to access data.

1.4 Retention Period

Unless explicitly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer necessary for their intended purpose and no legal storage obligations prevent deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted, i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data that we must keep for commercial or tax reasons.

1.5 Rights of Affected Persons

Affected persons have the following rights regarding their personal data:

  • Right to information,

  • Right to rectification or deletion,

  • Right to restriction of processing,

  • Right to object to processing,

  • Right to data portability,

  • Right to withdraw consent at any time.

Affected persons also have the right to complain to a data protection supervisory authority about the processing of their personal data.

1.6 Obligation to Provide Data

Customers, interested parties, or third parties are required to provide us only with those personal data that are necessary for establishing, conducting, and terminating the business relationship or another relationship, or that we are legally obliged to collect. Without this data, we will generally have to refuse the conclusion of a contract or cannot provide a service or continue an existing contract or other relationship. Mandatory information is marked as such.

1.7 No Automatic Decision-Making in Individual Cases

For establishing and conducting a business relationship or other relationship, we generally do not use fully automated decision-making as per Article 22 GDPR. Should we employ such procedures in individual cases, we will inform you separately about this if required by law.

1.8 Contacting Us

When contacting us, e.g., by email or phone, the data provided to us (e.g., names and email addresses) will be stored to answer inquiries. The legal basis for processing is our legitimate interest (Art. 6 Para. 1 Sentence 1 lit. f GDPR) in answering inquiries directed to us. The data collected in this context will be deleted after storage is no longer necessary or the processing will be restricted if there are legal storage obligations.

1.9 Customer Surveys

From time to time, we conduct customer surveys to better understand our customers and their wishes. We collect the respective data requested. It is our legitimate interest to better know our customers and their wishes, so the legal basis for data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. We delete the data once the survey results have been evaluated.

 

2 Newsletter

We reserve the right to inform customers who have already used our services or purchased goods from time to time via email or other electronic means about our offers, provided they have not objected to this. The legal basis for this data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. Our legitimate interest lies in direct marketing (recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without additional costs, for example via the link at the end of each email or by email to the above-mentioned email address. Based on the consent of the recipients (Art. 6 Para. 1 Sentence 1 lit. a GDPR), we also measure the open and click rates of our newsletters to understand which content is relevant to our recipients. We send newsletters with the tools

  • SendGrid and Twilio from the provider Twilio, Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA (Privacy policy: https://www.twilio.com/legal/privacy)

  • Mailchimp from the provider Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (Privacy policy: https://mailchimp.com/legal/privacy/). The provider processes content, usage, meta/communication data, and contact data in the USA.

  • Intercom from the provider R&D Unlimited Company 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Ireland (Privacy policy: https://www.intercom.com/legal/privacy).

The providers process content, usage, meta/communication data, and contact data in the USA.

 

3 Data Processing on Our Website

3.1 Informational Use of the Website

When using the website for informational purposes, i.e., when visitors do not transmit specific information to us, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. This is our legitimate interest, so the legal basis is Art. 6 Para. 1 Sentence 1 lit. f GDPR. This data includes:

  • IP address

  • Date and time of the request

  • Time zone difference to Greenwich Mean Time (GMT)

  • Content of the request (specific page)

  • Access status/HTTP status code

  • Data amount transferred at each instance

  • Website from which the request originates

  • Browser

  • Operating system and its interface

  • Language and version of the browser software.

This data is also stored in log files. They will be deleted when their storage is no longer necessary, at the latest after 14 days.

3.2 Web Hosting and Provision of the Website

Our website is hosted by Bubble Group, Inc. 61 Regent Street, Cambridge CB2 1AB, UK. The provider processes personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact data. Our legitimate interest is to provide a website, so the legal basis for data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

3.3 Contact Form

When contacting us via the contact form on our website, we store the requested data and the content of the message. The legal basis for processing is our legitimate interest in answering inquiries directed to us. Therefore, the legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. The data collected in this context will be deleted after storage is no longer necessary, or the processing will be restricted if there are legal storage obligations.

3.4 Job Advertisements

We publish job openings that are available in our company on our website, on pages connected to the website, or on third-party websites. The processing of the data provided during the application process occurs to carry out the application procedure. If these are necessary for our decision to establish an employment relationship, the legal basis is Art. 88 Para. 1 GDPR in conjunction with § 26 Para. 1 BDSG. We have marked or pointed out the data necessary for the application procedure. If applicants do not provide this data, we cannot process the application. Further data is voluntary and not required for an application. If applicants provide additional information, their consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR) is the basis. We ask applicants to refrain from providing information about political opinions, religious beliefs, and similarly sensitive data in the resume and cover letter. They are not required for an application. If applicants still provide such information, we cannot prevent their processing as part of processing the resume or cover letter. Their processing is then also based on the consent of the applicants (Art. 9 Para. 2 lit. a GDPR). Finally, we process applicants' data for further application procedures if they have given us their consent. In this case, the legal basis is Art. 6 Para. 1 Sentence 1 lit. a GDPR. We share the applicants' data with the relevant personnel in the HR department, with our processors in the recruitment area, and with other employees involved in the application process. If we enter into an employment relationship with the applicant after the application process, we delete the data only after the employment relationship has ended. Otherwise, we delete the data at the latest six months after rejection of an applicant. If applicants have given us permission to use their data for further application procedures, we delete their data only one year after receiving the application.

3.5 Appointment Booking

Visitors can book appointments with us on our website. For this, we process data entered along with meta or communication data. We have a legitimate interest in offering interested parties a user-friendly way to schedule appointments. Therefore, the legal basis for data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. If we use a tool from a third party for scheduling, the information on this can be found under 'Third Parties'.

3.6 Single Sign-On Procedure

Visitors can log in to our website using single sign-on procedures. They use the credentials that have already been created for another provider. The prerequisite is that the visitor is already registered with the respective provider. When a visitor logs in using a single sign-on procedure, we receive information from the provider that the visitor is logged in with that provider, and the provider receives information that the visitor is using the single sign-on procedure on our website. Depending on the visitor's settings in their account on the provider's page, the provider may give us additional information. The legal basis for this agreement is the terms of service between the visitors and the provider. The providers are:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Privacy policy: https://policies.google.com/privacy).

  • Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook").

What data we receive from Facebook is communicated to visitors during the Facebook login process. Information about Facebook and the contact details of the data protection officer, as well as further information on how Facebook processes personal data, including the legal basis and options for exercising rights as an affected person against Facebook, can be found at https://www.facebook.com/about/privacy. We are jointly responsible with Facebook for the data processing that occurs when using the procedure and have entered into an agreement with Facebook regarding joint responsibility (Art. 26 GDPR). There, we have defined the respective responsibilities for fulfilling obligations under the GDPR regarding joint processing. We are required to provide the above information, and Facebook has assumed responsibility for further affected rights according to Articles 15-20 GDPR.

3.7 Data Processing for Insurance Brokerage

We broker insurance for customers. In doing so, we process the following data:

  • Contact data: name, address, date of birth, age, telephone number, email address

  • Bank account details

  • Data concerning your company: establishment date; number of employees (full-time and part-time); estimated revenues and sales; security of the location to be insured

  • Data related to insurance: application data (data provided with the application for the conclusion of insurance); contract data for a specific contract (such as policy number, sum insured, duration, premium, risk); performance data (insurance claims, data upon occurrence of damage or performance case)

The mentioned data are processed for taking over, managing, or brokering an insurance mandate. If the conclusion of new insurances is desired, we will pass on the data, except for bank account details, to the broker pool we employ, the German Broker Association, Dammtorwall 7a, 20354 Hamburg, which shares them with member insurances. If a customer requests the conclusion of a specific insurance, we also share the relevant data, including bank account details, with the insurer. The described processing is necessary for the execution of the brokerage contract. The legal basis is Art. 6 Para. 1 Sentence 1 lit. b GDPR.

3.8 Technically Necessary Cookies

Our website uses cookies. Cookies are small text files stored in the web browser on the visitor's device. Cookies help make the offering more user-friendly, effective, and secure. As far as these cookies are necessary for the operation of our website or its functions (hereafter referred to as "Technically Necessary Cookies"), the legal basis for the associated data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR. We have a legitimate interest in providing customers and other website visitors with a functional website. Specifically, we use technically necessary cookies for the following purpose or purposes:

  • Cookies that adopt language settings

  • Cookies that store login data

3.9 Third Parties
3.9.1 Hotjar

We use Hotjar for analysis. The provider is Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's, STJ 3141, Malta. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the EU. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing is based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://www.hotjar.com/legal/policies/privacy/.

3.9.2 Facebook Custom Audiences

We use Facebook Custom Audiences for advertising. The provider is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://www.facebook.com/policy.php.

3.9.3 Calendly

We use Calendly for scheduling. The provider is Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA. The provider processes usage data (e.g., visited web pages, interest in content, access times), contact data (e.g., email addresses, phone numbers), and basic data (e.g., names, addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://calendly.com/pages/privacy.

3.9.4 Google Marketing Platform

We use Google Marketing Platform for analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://policies.google.com/privacy?hl=de.

3.9.5 Google Tag Manager

We use Google Tag Manager for analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://policies.google.com/privacy?hl=de.

3.9.6 Segment

We use Segment for analysis. The provider is Segment.io, Inc., 100 California Street Suite 700 San Francisco, CA 94111, USA. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. We will delete the data when the purpose of their collection has lapsed. Further information can be found in the privacy policy of the provider at https://segment.com/legal/privacy/.

3.9.7 Facebook Conversion API

We use Facebook Conversion API for analysis. The provider is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. The data is deleted when the purpose of their collection has lapsed, and no retention obligation contradicts it. Further information can be found in the privacy policy of the provider at https://www.facebook.com/policy.php.

3.9.8 Google Analytics

We use Google Analytics for analysis. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, D04e5w5, Ireland. The provider processes usage data (e.g., visited web pages, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. The data is deleted when the purpose of their collection has lapsed, and no retention obligation contradicts it. Further information can be found in the privacy policy of the provider at https://policies.google.com/privacy?hl=de.

3.9.9 Mailchimp

We use Mailchimp for email marketing and email management. The provider is Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. The provider processes usage data (e.g., visited web pages, interest in content, access times), contact data (e.g., email addresses, phone numbers), meta/communication data (e.g., device information, IP addresses), and basic data (e.g., names, addresses) in the USA. The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. Processing occurs based on consents. Affected persons can withdraw their consent at any time by contacting us using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of processing until withdrawal. The legal basis for transferring data to a country outside the EEA is standard contractual clauses. The security of data transmitted to a third country (i.e., a country outside the EEA) is guaranteed by standard data protection clauses issued in compliance with the verification procedure under Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed with the provider. The data will be deleted when the purpose of their collection has lapsed and no retention obligations contradict it. Further information can be found in the privacy policy of the provider at https://mailchimp.com/legal/privacy/.

4 Data Processing on Social Media Platforms

We are represented in social media networks to present our company and our services there. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles from their online behavior, which are used to show ads on the pages of the networks and elsewhere on the Internet that correspond to the users' interests. To do this, the operators of the networks store information about user behavior in cookies on the users' computers. It is also not excluded that the operators may combine this information with other data. Further information and indications on how users can object to the processing by the operators can be found in the privacy policies of the respective operators listed below. It may also be that the operators or their servers are located in non-EU countries, where they process data. This can pose risks for users, e.g., because the enforcement of their rights is made more difficult or state authorities access the data. If users of the networks contact us through our profiles, we process the data shared with us to answer the inquiries. This is our legitimate interest, so the legal basis is Art. 6 Para. 1 Sentence 1 lit. f GDPR.

4.1 Facebook

We maintain a profile on Facebook. The operator is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy can be accessed here: https://www.facebook.com/policy.php. One option to object to data processing is through settings for advertising: https://www.facebook.com/settings?tab=ads. Based on an agreement, we are jointly responsible under Art. 26 GDPR with Facebook for the processing of the data of the visitors to our profile. Facebook explains exactly which data is processed at https://www.facebook.com/legal/terms/information_about_page_insights_data. Affected persons can exercise their rights against both us and Facebook. According to our agreement with Facebook, we are obligated to forward inquiries to Facebook. Affected persons will receive faster feedback if they contact Facebook directly.

4.2 LinkedIn

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy can be accessed here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. One option to object to data processing is through advertising settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

5 Changes to This Privacy Policy

We reserve the right to change this privacy policy with future effect. A current version (2024) is available here.

6 Questions and Comments

For questions or comments regarding this privacy policy, we are happy to assist at the contact details provided above.