Privacy Policy of VIPrize GmbH

We, VIPrize GmbH (“VIPrize” or "we"), appreciate your interest in our website and our services offered on our website (together “the Online Service”).
We are aware of the importance of data protection when using our Online Service. In the following, we would like to inform you how we handle your personal data when you use our Online Service and which rights you have. Personal data in this privacy policy refers to all information relating to an identified or identifiable natural person. This includes, for example, your name, e-mail address, telephone number, postal address or credit card details.

1. CONTROLLER

Controller for the processing of your personal data is VIPrize GmbH, Blumenstraße 28, 80331 Munich, Germany. If you have any questions regarding the processing of your personal data and your related rights, we are happy to answer them. Please contact us in writing at the address above or via e-mail to support@viprize.org

2. USE OF YOUR PERSONAL DATA

2.1 Access data
Each time you access our website, we collect information about you. These access data (so-called log files) include:
• Name of the website,
• File, date and time of retrieval,
• Amount of data transferred,
• The type of browser used and the version of the browser,
• Operating system of your device,
• Your Internet Provider,
• Referrer URL (i.e. the page from which you have accessed our website),
• IMEI of your device (i.e. the ID number of your device),
• The IP address of your device (i.e. a specific combination of numbers used to identify your device connected to the Internet).
Processing this data, in particular the IP address of your device, by us or our hosting provider is necessary in order to enable delivery of the website. For this purpose, the IP address of your device must be stored for the duration of the session. The legal basis for the data processing enabling the use of our website is Art. 6 (1) (f) of the General Data Protection Regulation (“GDPR”), whereby our legitimate interest is the provision of the Online Service.
In addition, we use this data for statistical evaluations for the purposes of securing and optimizing the Online Service. We also reserve the right to subsequently check the log files in case of suspected illegal use of our Online Service. The legal basis for this data processing is Art. 6 (1) (f) GDPR, whereby our legitimate interest is the security of our IT systems, the improvement of the Online Service and the prevention of misuse of the Online Service.

2.2 Cookies
Cookies are used on our website. Cookies are small text files that the websites operated by us send to your browser, which stores them on your device. Cookies are used to store information related to your device and contain, among other things, the name of the domain from which the cookie originates, the "lifespan" of the cookie and a value, usually a unique random number. We use technically necessary cookies, which are absolutely essential for the use of our Online Service, as well as functional cookies and cookies for marketing purposes.

The use of cookies set by us is necessary in order to make our Online Service available, and to provide visitors to our website with a functioning online offering and to make visiting and using the website as pleasant and efficient as possible. The legal basis for the use of techni-cally necessary cookies or similar technologies on your end device is Section 25 (2) No. 2 TDDDG. We cannot draw any conclusions about your person with the cookies that are absolutely necessary.

We also use functional cookies and cookies for marketing purposes. These cookies enable the website to provide enhanced functionalities and personalization. We only place these cookies after you have given your consent. You can give your consent at the beginning of your visit to our website via the cookie consent tool. The cookies set following your consent are used to improve and analyze your visits to our website, in particular to provide you with offers tailored to your interests. The legal basis for the use of functional cookies or similar technologies on your end device is your consent in accordance with Section 25 (1) TDDDG. The legal basis for the following data processing is your consent according to Art. 6 (1) (a) GDPR. You can withdraw your consents at any time without affecting the lawfulness of processing based on consent before its withdrawal. The easiest way to revoke your consent is via our support e-mail support@viprize.org.

You can set your browser so that you can decide case by case whether you exclude the acceptance of cookies for certain cases or in general, or that cookies are completely prevented. You can delete cookies that are already stored on your device at any time, either manually or by using browser functions. We would like to point out, however, that the use of the websites operated by us and the raffles carried out might be only possible to a limited extent without cookies or with only restricted cookies.
Our website uses a cookie consent tool for obtaining your consent and for the corresponding data protection-compliant documentation. The provider is OneTrust, LLC, Munich, Mühldorf-straße 8, 81671 Munich, Germany (hereinafter referred to as "OneTrust"). We have concluded a data processing agreement with OneTrust in accordance with Art. 28 GDPR. OneTrust processes the personal data collected exclusively on our behalf and in accordance with our instructions. The legal basis for the processing of your personal data in connection with the legally required obtaining of consent for the use of cookies is Art. 6 (1) (c) GDPR in conjunction with section 25 TDDDG.

In connection with the aforementioned functions, OneTrust processes the data outside the EU, in particular on the servers of OneTrust LLC, 1200 Abernathy Rd, Suite 700, Atlanta, Georgia 30328, in the USA and in the United Kingdom. This involves the transfer of data to third countries. For the USA, the EU-U.S. Data Privacy Framework is an adequacy decision of the EU Commission. Companies certified under the EU-U.S. Data Privacy Framework guarantee an adequate level of data protection within the meaning of the GDPR. OneTrust is certified under the EU-U.S. Data Privacy Framework and entered in the list maintained by the U.S. Department of Commerce (Data Privacy Framework List). Therefore, when data is transferred to OneTrust, a level of data protection according to the GDPR is guaranteed. The data transfer to the USA is based on Art. 45 (1) sentence 1 GDPR. For data transfers to the United Kingdom, there is also an adequacy decision pursuant to Art. 45 (1) sentence 1 GDPR (EU 2021/1772), so that an adequate level of data protection is secured also in this regard.

2.3 Google Analytics services
We use Google Analytics. This is a web analysis service provided by Google Ireland Ltd, Gordon House Barrow Street, Dublin 4, Ireland (“Google”), which uses cookies to analyze your use of our website. The information generated by these cookies is transmitted by Google to a Google server in the USA and subsequently stored there. We use the extension “anony-mize_IP”. By activating this extension for our website, your IP address will be shortened within the member states of the EU or other contracting states of the European Economic Area before being sent in the USA. Google uses the information on our behalf to evaluate your use of our website, to generate reports regarding the website activity and to provide us with other services relating to website and internet use.
You can prevent the storage of cookies by selecting the respective settings in your browser. In this case, however, you might no longer be able to use the full functionality of our website. Furthermore, you can prevent Google from collecting and processing the data generated by the cookies and relating to your use of our website and services (including your IP address) by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout.
Alternatively, in particular for browsers on mobile devices, you can click on the following link to prevent Google Analytics from collecting data from this website in the future: Deactivate Google Analytics. An opt-out cookie is stored on your device. If you delete cookies, you must therefore click this link again if you wish to continue objecting the data collection by Google.

Further information regarding how Google processes personal data in in relation to Google Analytics can be found on the corresponding Google website (https://www.google.com/analytics/terms/de.html) and in Google’s privacy policy (https://policies.google.com/privacy ).
Google also processes the data collected via Google Analytics for its own purposes in accordance with its own privacy policy. Google may use this data to create usage profiles that are used to improve products, develop new products, measure the effectiveness of certain advertising and market research, and personalize content and advertisements. We have no influence on the further processing of your data by Google. You can find more information on this in Google's privacy policy at https://policies.google.com/privacy.
In connection with our Online Service, we also use the Google Data Studio service provided by Google to create and display reports based on data collected by Google Analytics.

We use Google Analytics and Google Data Studio to analyze the use of our website and services and to continuously develop our website and services in terms of user-friendliness. The basis for the use of Google Analytics is your consent in accordance with Art. 6 (1) (a) GDPR. You give us your consent via the cookie consent tool implemented on the website. The legal basis for the use of cookies or similar technologies on your end device is Section 25 (1) TDDDG. You can withdraw your consents at any time without this affecting the lawfulness of the processing up to the point of withdrawal. The easiest way to revoke your consent is to contact our support e-mail support@viprize.org.
Google may also transfer the collected data to servers outside the EU, in particular to Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, insofar as this is neces-sary for the provision of these services. For the transfer to the USA, the EU-U.S. Data Privacy Framework exists as an adequacy decision of the EU Commission pursuant to Art. 45 (1) sentence 1 GDPR. Companies certified under the EU-U.S. Data Privacy Framework guarantee an adequate level of data protection within the meaning of the GDPR. Google LLC is certified under the EU-U.S. Data Privacy Framework and entered in the list maintained by the U.S. Department of Commerce (Data Privacy Framework List). This means that when data is transferred to the USA, an adequate level of data protection in accordance with the GDPR is ensured.

2.4 Embedding of YouTube videos
Our Online Services may include content (such as videos) from the YouTube platform. This platform is operated by YouTube , a subsidiary of Google. Google Ireland Ltd, Gordon House, Barrow Street Dublin 4, Ireland, is responsible for data processing in Europe. When you visit a part of the Online Service with YouTube content embedded in it, YouTube and Google connect to the servers of YouTube and Google, respectively. The fact that you have visited our Online Service will be disclosed when you play the YouTube videos. If you are logged into your YouTube account, this information may also be directly associated with your personal profile. You can prevent this by logging out of your YouTube account. Details on Google's privacy policy, in particular on the type, scope and purpose of data processing, can be found at: https://policies.google.com/privacy.

The videos will only be loaded and played if you expressly consent to the use of YouTube. In this case, Google sets various cookies and may also receive your IP address together with information about the respective video and your use of the playback function. You have the option of deactivating content from YouTube and thus preventing the transfer of data to YouTube and Google by not giving your consent. However, we would like to point out that, in this case, you will not be able to use the functions of the YouTube services. The basis for the data collection related to the implementation of YouTube content is therefore your consent in accordance with Art. 6 (1) (a) GDPR. The legal basis for the use of cookies or similar technologies on your end device is Section 25 (1) TDDDG. You can withdraw your consent at any time without this affecting the permissibility of processing up to the point of withdrawal. The easiest way to withdraw your consent is via our support e-mail support@viprize.org.

Data may also be transmitted to Google's servers outside the EU when YouTube is in-tegrated. Transmission to Google is based on Art. 45 (1) sentence 1 GDPR. As already explained in the previous section, the EU Commission has issued an adequacy decision regarding the transmission of data to the USA, the EU-U.S. Data Privacy Framework. Google LLC is included in the Data Privacy Framework List.

2.5 Social Media

2.5.1 Facebook Button
We have included so-called social plug-ins ("Plug-Ins") of the social network face-book.com (such as the Facebook button) in our websites, which are operated by Me-ta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ire-land ("Meta").

We use a two-step procedure to prevent unintentional transmission of data to Face-book (so-called "2-click solution"): A Plug-In must be activated by a first click in order for it to unfold its actual function. Only then a raffle can be posted by clicking again.
If you activate a Plug-In of Meta, your device establishes a direct connection with the Meta servers, which may also be located in the USA. The content of the Plug-In is transmitted directly from Meta to your device, which integrates it into our Online Service. User profiles can be created from the data processed by Meta. We have no influence on the extent of the data that Meta collects with these Plug-Ins.
By activating the Plug-Ins, Meta receives the information that you have accessed the corresponding page of our Online Service. If you are logged in to Facebook, Meta can associate the visit with your Facebook account. If you interact with the Plug-Ins, for example by sharing the raffle on your Facebook profile, the corresponding information is transferred directly from your device to Meta and stored there. If you do not have a Facebook account, there is still the possibility that Meta receives and stores your IP address. According to Meta, only an anonymous IP address is stored with respect to Germany.

The purpose and scope of the data collection and the subsequent processing and use of the data by Meta as well as the related rights and options for the protection of your privacy can be found in Facebook's privacy policy: https://www.facebook.com/privacy/policy/.
If you have a Facebook account and do not want Meta to collect data about you via our Online Service and link it with your account data stored by Facebook, you must log out of the Facebook account before using our Online Service and delete your cookies. Further settings and the declaration of your objection against the use of your data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are adopted for all devices used, such as desktop computers or mobile de-vices. We would like to point out that you can deactivate Plug-Ins in your browser with the help of browser add-ons.

As already explained in the previous sections, the EU Commission has issued an adequacy decision, the EU-U.S. Data Privacy Framework, on data transmission to the USA. Facebook is also one of the companies certified and included in the so-called Data Privacy Framework List.
Legal basis for the use of the Plug-Ins is your consent pursuant to Art. 6 (1) (a) GDPR, Art. 45 (1) sentence 1 GDPR.

In addition, we operate a presence on the social network Facebook (Facebook fan page) to interact with Facebook users who access the fan page. To our fan page on Facebook: https://www.facebook.com/viprize.charity. To the Meta privacy policy: https://de-de.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.
We are joint controllers with Meta for this Facebook fan page in accordance with Art. 26 GDPR. The agreement on joint controllers can be found at the following link https://www.facebook.com/legal/terms/page_controller_addendum.

When you visit our Facebook fan page, Meta collects and processes personal data on the basis of its legitimate interest. With the fan page, we want to be able to get in touch with you on a modern Internet platform and enable you to interact via Facebook. The legal basis for this is Art. 6 (1) (f) GDPR. Some of this data is provided to us in sum-marized form via the so-called "Insights" (Facebook user statistics). A cookie is stored on the user's device for this purpose. This serves the purpose of being able to use this information again at a later point in time. The cookie remains active for a period of two years if it is not deleted. Further information from Meta on the use of cookies can be found in the Facebook cookie policy at https://de-de.facebook.com/policies/cookies/. The transmission of these user statistics takes place exclusively in anonymized form and there is no possibility for us to access the underlying data.

If you are already logged in to Facebook via your personal user account, the infor-mation about your visit to our website is automatically forwarded to Facebook. It is then possible for Facebook to assign the visit to the website to your account.

Details of the legal basis for processing on Facebook can be found at http://www.facebook.com/about/privacy/legal_bases/. Whether Meta transfers per-sonal data to third parties is beyond our control. It is possible that Meta Platforms Inc. based in the USA processes personal data outside the EU. For the transfer to the USA, an adequacy decision of the EU Commission exists, i.e. the EU-U.S. Data Priva-cy Framework. Meta is one of the companies certified and included in the Data Privacy Framework List.

2.5.2 X Button
Within our Online Service we use Plug-Ins of the social network X, offered by X Corp. 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. For users based in the EU, the controller is Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, Ireland ("Twitter").
Here, too, we use the two-step procedure to prevent the unintentional transmission of data to Twitter (so-called "2-click solution"): A Plug-In must be activated with a first click in order for it to unfold its actual function. Only then you can make a recommen-dation with another click.

If you activate an X Plug-In, your browser establishes a direct connection to Twitter servers, possibly in countries outside the European Union such as the USA, so that personal data may be transferred there. If you have an X account, Twitter can associ-ate the activation of the above-mentioned Plug-Ins to your profile there. You can find X's privacy policy on: https://x.com/de/privacy and the opt-out procedure on: https://x.com/settings/account/personalization.

As already explained in the previous sections, the EU Commission has issued an ade-quacy decision, the EU-U.S. Data Privacy Framework, for transmission to the USA. X Corp. is also one of the companies included in the Data Privacy Framework List. Transmission to X Corp. in connection with the Plug-Ins is based on your consent pur-suant to Art. 6 (1) (a) GDPR and, with regard to data transmission to the USA, pursu-ant to Art. 45 (1) sentence 1 GDPR.

We also have an X profile. To our fan page at X: https://x.com/viprize_chartiy https://x.com/viprize_chartiy. To the privacy policy of X: https://x.com/de/privacy. When you visit our fan page, X collects and processes personal data on the basis of its legitimate interest. With the fan page, we would like to be able to get in touch with you on a modern Internet platform and enable you to interact via X. The legal basis for this is Art. 6 (1) (f) GDPR.

This may also result in data being transferred to the USA, in which case the infor-mation in this section applies.

2.5.3 Instagram Button
Within our Online Service, we use plug-ins from the social network Instagram (e.g. the Instagram button), offered by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta").

We also use the two-step process here to prevent the unintentional transmission of data to Instagram (so-called "2-click solution"): A plugin must first be activated by a first click in order to be able to develop its actual function. Only then can a recommendation be made by clicking again.

When you activate an Instagram plug-in, your browser establishes a direct connection to Meta's servers, including in countries outside the EU such as the USA, so that personal data can be transferred there. If you are a member of Instagram, Meta can as-sign the access to the above-mentioned plug-ins to your profile there. You can find Meta's privacy policy at https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

As already explained in the previous sections, there is an adequacy decision by the EU Commission for transfers to the USA, the EU-U.S. Data Privacy Framework. As indicated above, Meta is also one of the companies certified and included in the Data Privacy Framework List.

The legal basis for the use of these plug-ins is your consent in accordance with Art. 6 (1) (a), Art. 45 (1) sentence 1 GDPR.
We also have a presence on the Instagram platform to get in touch with you. To our fan page on Instagram: https://www.instagram.com/viprize?/igsh=OHJ1b3U0NmxxZGMz. To Meta's privacy policy: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

When you visit our Instagram profile, Meta collects and processes personal data, like your IP address, on the basis of its legitimate interest. With the profile, we would like to be able to get in touch with you on a modern Internet platform and enable you to inter-act via Instagram. The legal basis for this is Art. 6 (1) (f) GDPR.
We would like to point out that we have no knowledge of the content of the transmitted data or its use by Meta. Further information can be found at: https://help.instagram.com/519522125107875.

2.6 Cloudflare
We use the Cloudflare service on our website, a service provided by Cloudflare Deutschland GmbH, Rosental 7, c/o Mindspace, 80331 Munich. Cloudflare is a content delivery network and enables us to have a fast and secure internet presence. Cloudflare enables us to provide the content of our website, such as graphics, quickly, securely, and reliably and to make your website visit more pleasant.
Cloudflare collects in particular the IP address, traffic data and browser settings as well as system configuration information when our website is accessed. Further information on the data collected can be found at https://www.cloudflare.com/de-de/privacypolicy/. The processing of this data serves the provision and smooth operation of our website and enables you to access it.

The legal basis for the collection and further processing of the information is our legitimate interest in the efficient provision of our Online Service in accordance with Art. 6 (1) (f) GDPR. We also base our legitimate interest on ensuring the stability and functionality of the website.
To ensure that Cloudflare only processes your data in accordance with our instructions and on our behalf, we have concluded a data processing agreement with Cloudflare in accordance with Art. 28 GDPR.

In connection with the functions, Cloudflare may also transfer the data to servers outside the EU, in particular to Cloudflare Inc, 101 Townsend St, San Francisco, CA 94107 USA, insofar as this is necessary for the provision of the services. For the USA, the EU-U.S. Data Privacy Framework is an adequacy decision of the EU Commission, which certifies that certified companies have an adequate level of data protection within the meaning of the GDPR. Cloudflare Inc. is certified under the EU-U.S. Data Privacy Framework and is also entered in the list maintained by the U.S. Department of Commerce (Data Privacy Framework List). A consistently high level of data protection is therefore guaranteed when data is transferred to Cloudflare Inc. servers in the USA. Insofar as data is transferred to the USA, such a third country transfer is based on Art. 45 (1) sentence 1 GDPR.

2.7 Google Tag Manager
We also use Google Tag Manager on our website in connection with Google Analytics. The provider is again Google. Google Tag Manager is a tool that we can use to integrate tracking or statistics tools (in this case Google Analytics) and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies, and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the USA (see the above information on the US transfer of Google Analytics). If you do not activate tracking by Google Analytics (see above), you will not be recorded by the Google Tag Manager.

2.8 Amazon Web Services
For the provision of our Online Service, we use the services of Amazon Web Services (“AWS”), a service of Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109, USA. AWS is a cloud computing service and hosts our website and thus serves as a hosting service provider. AWS stores and processes your personal data, in particular the data listed above in the log files. We use AWS to be able to deliver our website to you. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. We use the service to make our IT infrastructure efficient and secure and to be able to offer our Online Service to you. To ensure that Amazon processes the data collected exclusively on our behalf and in accordance with our instructions, we have concluded a data processing agreement in accordance with Art. 28 GDPR.

In connection with the functions, Amazon Web Services Inc. also transmits the data to servers outside the EU, in particular to the USA, insofar as this is necessary for the provision of the services. For the USA, the EU-U.S. Data Privacy Framework is an adequacy decision of the EU Commission, which certifies that certified companies have an adequate level of data protection within the meaning of the GDPR. Amazon Web Services Inc. is certified under the EU-U.S. Data Privacy Framework and is also entered in the list maintained by the U.S. Department of Commerce (Data Privacy Framework List). A consistently high level of data protection is therefore guaranteed when data is transferred to Amazon Web Services, Inc. servers in the USA. Insofar as data is transferred to the USA, such a third country transfer is based on Art. 45 (1) sentence 1 GDPR.

2.9 Data for the fulfilment of mutual contractual obligations
In order to use our services, including some parts of our Online Service, you must register and create a user account. We collect your chosen user name and e-mail address, other contact information (such as your name, address and telephone number), your bank account details and the payments made for our services. In addition, the IP address of your device is transmitted to us during registration. The provision of this data is not required by law, but is necessary for the performance of the user contract with you.
The collection and processing of the aforementioned data takes place for the purpose of concluding and subsequently fulfilling the user contract, including the payments made by you, on the basis of Art. 6 (1) (b) GDPR.

We work with PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxem-bourg ("PayPal") to process your payments, including the processing of invoices. PayPal is an independent data controller under GDPR, as PayPal collects and processes personal data for its own purposes. We do not pass on any personal data collected by us to PayPal. Further information on data protection at PayPal can be found at https://www.paypal.com/webapps/mpp/ua/privacy-full.

We also use the service from micropayment GmbH, Scharnweberstrasse 69, 12587 Berlin, Germany ("micropayment"). micropayment collects and processes your payment data on our behalf. To ensure that your data is collected exclusively in accordance with our instructions and on our behalf, we have concluded a data processing agreement with micropayment in accordance with Art. 28 GDPR. We use micropayment on our website to be able to offer you various payment methods for donations. The transfer of your data to micropayment is based on Art. 6 (1) (b) GDPR for the fulfillment of the contract.

2.10 Newsletter
We would like to inform you about our company and our raffles and services through a newsletter to which you can subscribe.
In order to verify that you are the owner of the e-mail address provided during subscription and that you agree to receive the newsletter, we use the so-called double opt-in procedure to obtain your consent. After subscribing for the newsletter, you will receive an e-mail to the e-mail address you provided, in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with another person's e-mail address. Only after the confirmation of the registration the newsletters you have subscribed to will be sent. We store the subscription for the newsletter in order to be able to prove the subscription process according to the legal requirements. For this purpose, the IP address and the date of subscription and confirmation are stored. This data will only be processed for the purpose of sending the newsletter and will not be passed on to third parties.
If you no longer wish to receive a newsletter, you can of course unsubscribe from the newsletter at any time. You can object to the use of your e-mail address for advertising purposes at any time without giving reasons. All you have to do is send an informal e-mail to support@viprize.org or click on the unsubscribe link contained in each newsletter.
The data processing for the purpose of sending the newsletter explained above is carried out on the basis of your consent (Art. 6 (1) (a) GDPR).
You may withdraw your consent to the storage of your e-mail address and its use to send the newsletter at any time in the future. The withdrawal can be made via a unsubscribe link in the newsletters themselves or by sending a message to the contact options listed above.

The newsletter is sent via the "Elastic Email" service, a newsletter mailing platform of the provider Elastic Email Inc., 329 Howe St PMB 2135 Vancouver, BC V6C 3N2, Canada (hereinafter: "Elastic Email"). Your e-mail address will be sent to Elastic Email and stored on Elastic Email's servers in Canada. Elastic Email uses this information to send the newsletter on our behalf.

We strictly adhere to the requirements of GDPR including the IT and data security require-ments. Elastic Email also strictly complies with these requirements. Furthermore, we have concluded a data processing agreement pursuant to Art. 28 GDPR with Elastic Email , in which Elastic Email is again committed to protect your personal data and use the data only in accordance with the relevant data protection provisions on our behalf and not disclose them to third parties. The EU Commission has issued an adequacy decision for the transfer of personal data to Canada regarding certain categories of companies (Decision No. 2002/2/EC). Elastic Email falls under the scope of this adequacy decision. The transfer of data to Elastic Email is based on Art. 45 (1) sentence 1 GDPR.

2.11 Contacting us
When you contact us (e.g. by e-mail), we process the personal data you provide to process your enquiry and in the event that follow-up questions arise. This applies both to the sending of information material and to the answering of individual enquiries.
If the data processing is carried out for conducting pre-contractual steps, which are conduct-ed at your request, or if you already have a contractual relationship with us, the legal basis for this data processing is Art. 6 (1) (b) GDPR.
Otherwise, the data will be stored and used on the basis of Art. 6 (1) (f) GDPR, whereby our legitimate interest is the processing of your request. In particular, it is in our legitimate interest to reply to your e-mail.

3. DISCLOSURE OF PERSONAL DATA
Your personal data will only be disclosed to third parties with your express consent. Exempt from this are only disclosures to our service providers or cooperation partners, which we need to provide the Online Service and which we have commissioned accordingly (e.g. technical service providers). Accordingly, we transmit user data to such service providers and cooperation partners for the purpose of fulfilling the contract in accordance with Art. 6 (1) (b) GDPR. In addition, your separate consent pursuant to Art. 6 (1) (a) GDPR may serve as the legal basis.

Insofar we disclose data to service providers or cooperation partners within the scope of our processing, transfer data to them or otherwise grant them access to the data, we, as well as our service providers and partners, strictly comply with the requirements of GDPR. Of course, before passing on your personal data, we ensure that our service providers and cooperation partners have taken the necessary technical and organizational measures to ensure an appropriate level of protection. The scope of the disclosure of data is limited to the minimum required in each case.

We only transmit data to public institutions and authorities entitled to receive such information within the scope of statutory disclosure obligations or if we are obligated by a court decision. In this case, the disclosure of your data is necessary to fulfil a legal obligation we have, in accordance with by Art. 6 (1) (c) GDPR.

4. STORAGE PERIOD AND DELETION OF DATA
Unless specifically stated otherwise, we will only store personal data for as long as necessary to fulfil the purposes for which the data was collected.
If the data is stored in log files, these will be deleted no later than 30 days after accessing the website. Any further storage only takes place for anonymized log files.

Apart from this, the personal data relating to you will be deleted as soon as the purpose of the data processing no longer applies. If good reasons within the meaning of Art. 17 (3) GDPR do not allow for a deletion, such as statutory storage or safekeeping obligations, the processing of this data will be restricted. In this case, the data will be deleted if the reason for further storage is no longer given, e.g. the legally prescribed storage period expires.

5. YOUR RIGHTS AS DATA SUBJECT
Under applicable law, you have various rights with respect to your personal data. If you wish to exercise these rights, please send your request by e-mail or by post to the address stated in section 1.
Below you can find an overview of your rights.
• You have the right to obtain from us in writing the personal data we have stored about you, the purposes for which it is processed, its origin if we have not collected the data directly from you, which data has been passed on to which recipients or categories of recipients, the duration of the storage period and the rights of data subjects available to you. You can receive a free copy of your data from us. Should you be interested in fur-ther copies, we reserve the right to charge you for the further copies.
• In addition, you have the right to demand the correction of incorrect data, the re-striction of data processing and the deletion of your personal data at any time unless there are justified reasons within the meaning of the statutory provisions to prevent the deletion. In the latter case, you can demand the restriction of the processing of the da-ta stored about you under the legal prerequisites. Insofar personal data which is nec-essary for the provision of services to you is included, the deletion or restriction of the processing of these data can only take place if you no longer use our Online Service, whereby legal storage obligations must also be complied with if applicable.
• You may object to the processing of your personal data at any time for reasons arising from your particular situation, provided that the data processing is based on Art. 6 (1) (f) GDPR, unless we can prove compelling legitimate grounds for a processing which overrides your interests, rights and freedoms, or the processing serves the estab-lishment, exercise or defense of legal claims. If we process your data for the purpose of direct marketing, you may object to the processing at any time.
• If you provide data concerning you and we process this data on the basis of your consent or to fulfil the contract, you may request that we send you this data in a struc-tured, commonly used and machine-readable format, which you can transmit without hindrance to another controller, or we transmit this data to another controller as far as this is technically possible (so-called right to data transfer).
• Any consent to the use of personal data given by you may be freely withdrawn by you at any time with effect for the future.
• You can also lodge a complaint with the supervisory authority if you are of the opinion that data processing by us violates the statutory provisions.

6. LOCATION OF DATA PROCESSING
The processing of your personal data takes place within the European Union. Exempt are solely the data processing operations outside the European Union or the European Economic Area which are listed in this privacy policy.

7. DATA SECURITY
We make every effort to ensure the security of your data within the framework of the applica-ble data protection laws and technical possibilities.
Your personal data will be transmitted encrypted. We use the SSL (Secure Socket Layer) coding system, but point out that data transmission over the Internet (e.g. communication by e-mail) may have security gaps. A complete protection of the data against access by third parties is not possible.
In order to secure your data, we maintain appropriate technical and organizational security measures in accordance with Art. 32 GDPR, which we continually adjust in accordance with the state of the art.

8. NO AUTOMATED DECISION-MAKING
VIPrize does not conduct automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR.

9. THIRD PARTY WEBSITES
Naturally, this privacy policy can only apply to our Online Service and does not include such contents and websites of third parties to which our Online Service merely links. This applies, for example, to linked pages operated by third parties on platforms such as Facebook, X and Instagram. You will find information on the handling and protection of your personal data on these platforms in the privacy policy of the respective platform and the respective operator of the site.

10. CHANGES TO THIS PRIVACY POLICY
We reserve the right to change the data processing measures described here - within the framework of the existing statutory provisions - and to update our privacy policy if this is indicated, for example, due to new technical developments or changes in jurisdiction or in our business operations. We therefore ask you to always view and observe the current version of this privacy policy.