Wunderflats

Privacy policy

Ladies and Gentlemen,

Thank you for your interest in Wunderflats GmbH and your visit to our website https://wunderflats.com/. In the following data protection declaration, we would like to inform you comprehensively about the data processing that is carried out on the specified website.

General

With reference to the definition in Art. 4 No. 1 of Regulation (EU) 2016/679 (hereinafter referred to as the "General Data Protection Regulation" or "GDPR"), the term "personal data" means all data that can be related to you personally. This includes, for example, your name, address, email address and user behavior. Regarding the other terms, in particular the terms "processing", "controller", "processor" and "consent", we refer to the statutory data protection definitions in Art. 4 GDPR.

We only process personal data to the extent necessary to provide a functional website and the content and services we offer. The processing of personal data only takes place regularly if you have given us your consent within the meaning of Art. 6 para. 1 lit. a) GDPR or if the processing is permitted by legal regulations, in particular by one of the legal bases mentioned in Art. 6 para. 1 lit. b) to lit. f) GDPR.

Data Controller

The controller within the meaning of Art. 4 No. 7 GDPR, other data protection laws applicable in the Member States of the European Union and other provisions and regulations of a data protection nature, is:

You can find further details about the data controller in our imprint from our imprint.

Processing of personal data when using our website for information purposes

If you visit our website without registering or otherwise providing us with information ("informational use"), we collect personal data that your web browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to enable you to view our website and to ensure stability and security:

  • IP address
  • Date and time of the request
  • Time zone difference to GMT
  • Content of the website
  • Access status (HTTP status)
  • Amount of data transferred
  • Website from which you came to our website
  • Web browser
  • Operating system
  • Language and version of the browser

The aforementioned data is also stored in log files on our servers. This data is not stored together with your other personal data.

The collection and temporary storage of the IP address is necessary to enable the delivery of our website to your end device. For this purpose, your IP address must be stored for the duration of your visit to our website. The storage of the above-mentioned data in log files serves to ensure the functionality and optimization of our website and to ensure the security of our information technology systems. This data is not analyzed for marketing purposes.

The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR, provided that the page visit is made in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f) GDPR due to our legitimate interest in enabling website access and the permanent functionality and security of our systems.

The above data for the provision of our website is stored in log files for 30 days and then deleted. The collection of the above data for the provision of our website and the storage of this data in log files is absolutely necessary for the operation of our website.

Further data processing when using our website is described in the following sections. The use of cookies and similar technologies is explained in sections 5 to 9.

Further functions and offers of our website

In addition to the aforementioned informational use of our website, we offer various services that you can use if you are interested. This usually requires the provision of further personal data. We require this data to provide the respective service. The above data processing principles apply.

In some cases, we use external service providers who have been carefully selected and commissioned by us to process this data. These service providers are bound by our instructions and are regularly monitored by us. Insofar as personal data is passed on to third parties in the course of services that we offer together with partners, you can find more detailed information in the following descriptions of the individual services. Further information on this can be found in section 12. If these third parties are based in a country outside the European Union, you can find more detailed information on the consequences of this circumstance in the following descriptions of the individual services. Please also refer to section 13.

a) Contacting us

If you contact us by e-mail, the personal data you send us with your e-mail will be stored. We also have a contact form on our website that you can use to contact us. The data you enter in the input mask will be transmitted to us and stored:

  • Salutation
  • First name
  • Name
  • E-mail address
  • Phone number
  • Content of your request

If we do not use a third-party provider named below to provide the contact function, the data will not be passed on to third parties. We also record your IP address and the time of sending.

Purpose of the processing:

The processing of the above personal data serves solely to process your inquiries. The processing of other personal data that is generated through the use of the contact form on our website serves to prevent misuse and to ensure the security of our information technology systems.

Legal basis:

Insofar as the processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b) GDPR. Otherwise, the legal basis for processing is our legitimate interest in answering or processing your request, Art. 6 para. 1 lit. f) GDPR.

Duration of processing:

The data will be deleted as soon as we have finally processed your request, unless they must be retained due to contractual obligations, statutory retention periods or for evidence purposes.

b) Registration

In order to use additional functions of our website, we offer the option of registering by providing personal data. The data is entered into an input mask and transmitted to us and stored. The mandatory information requested during registration is marked accordingly and must be provided in full. Otherwise we will reject the registration. The following data in particular is collected as part of the registration process:

  • Salutation
  • First name
  • Name
  • E-mail address
  • password

Mandatory information is highlighted accordingly. At the time of registration, the IP address and the date and time of registration are also stored.

You also have the option of logging in with your Google, Facebook, LinkedIn or Apple account. If you register with one of these accounts, we refer you to the information in section 7. a) with regard to the data processing that takes place.

Purpose of the processing:

Registration is required for the provision of certain content and services on our website. We use the data entered for the purpose of using the respective offer or service or to provide the services for which you have registered. In the event of important changes to our offers, services or benefits, for example regarding the scope of the offer or in the event of technically necessary changes, we will use the e-mail address provided during registration to inform you of this.

Legal basis:

The legal basis for processing the data required for registration is Art. 6 para. 1 lit. b) GDPR. For all other data, the legal basis is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR to enable you to customize, adapt and change your account, or your consent pursuant to Art. 6 para. 1 lit. a) GDPR, insofar as you have given us this.

Duration of processing:

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case if the registration on our website is canceled or modified. You have the option of canceling your registration at any time. You can have the data stored about you changed at any time. Statutory retention periods remain unaffected.

c) Booking

Furthermore, when booking an apartment, additional documents may be requested to verify the reason for the stay and creditworthiness:

  • Proof of salary or bank statement
  • Proof of enrollment
  • Confirmation of the project assignment

Purpose of the processing:

Making a booking via our platform.

Legal basis:

The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR.

Duration of processing:

These documents will be deleted 30 days after successful verification. The documents are uploaded to our website and stored on the server of an external provider within the European Union.

Automated decision making:
As part of our rental processes, we use automated decision making to assess the creditworthiness of potential tenants. This assessment is used to determine a maximum rent, which serves as an upper limit for booking requests by the tenant. This practice is carried out in accordance with Art. 22 GDPR. We would like to point out that you have the right to request a manual review of the decision, to present your views and to contest the decision.

d) Payment processing

If you wish to make your payments for bookings by credit card, you must enter your credit card details on our website or in our application. The credit card details you enter are not stored by us, but by our payment service provider in a certified infrastructure that meets the high security standards of the Payment Card Industry (PCI). We only manage a so-called credit card alias, which is linked to the credit card data at the payment service provider. The following data categories are processed:

  • Payment data
  • Bank details
  • Credit card details

Purposes of processing:
Payment of the service fee for the corresponding bookings and transmission of payment data as part of the booking process.

Legal bases:
The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR.

Duration of processing:
Until you change your payment method or payment information. The financial data will be stored until the statutory retention periods expire and then deleted.

Processing of personal data by cookies and similar technologies (tools) and social media plugins

a) What cookies and similar technologies do we use?

We use cookies and similar technologies (collectively "tools") on our website.

Cookies are small text files that are stored on the storage medium of your end device, for example on a hard disk. The information contained in the cookie can be read by us, for example with the help of JavaScript. Cookies cannot execute programs or transfer viruses to your end device. This website uses the following types of tools, the scope and function of which are explained below.

Cookies that are stored associated with your web browser:

  • Transient cookies: These cookies are automatically deleted when you close your web browser. These include session cookies in particular. These store, for example, a so-called session ID, which can be used to assign various requests from your web browser to the shared session.
  • Persistent cookies: These cookies are automatically deleted after a specified period, which may vary depending on the cookie. Persistent cookies make it possible, for example, to recognize your device when you return to our website. You can delete these cookies at any time in the settings of your web browser.

The aforementioned cookies are stored on your end device and transmitted from it to our server or read by us. You can therefore configure the processing of data and information by cookies yourself. You can make appropriate configurations in the settings of your web browser, through which you can, for example, reject third-party cookies or cookies altogether. In this context, we would like to point out that you may then not be able to use all the functions of our website properly. We also recommend that you regularly delete cookies and your browser history manually.

Comparable technologies include web storage (local / session storage), which is stored on your end device, as well as JavaScript, tags or pixels, which are used to read information from your end device or transmit it passively. These technologies can also be used to create fingerprints.

The processing of personal data by necessary tools serves to make our website more user-friendly and effective for you. Some functions of our website cannot be offered without the use of these tools. In particular, some functions of our website require that your web browser can be identified even after a page change. If you have an account, we use tools to identify you for subsequent visits. This prevents you from having to log in again each time you visit our website. The data processed by tools that are required to provide the functions of our website are not used to create user profiles.

Where optional tools are used for analysis purposes, these serve to improve the quality and user-friendliness of our website, its content and functions. They enable us to understand how the website, which functions are used and how often they are used. This enables us to continuously optimize our offering.

Our legitimate interest in data processing lies in the aforementioned purposes, provided they are necessary tools (section 8). The legal basis in these cases is Art. 6 para. 1 lit. f) GDPR. If the necessary tools are required for the fulfillment of a contract or for the implementation of pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b) GDPR.

Insofar as these are not necessary tools, but functional tools (section 7), analysis tools (section 6) or marketing tools (section 9), we only use these with your express consent, Art. 6 para. 1 lit a) GDPR.

To obtain and manage your consent, we use the CookieFirst tool from the provider Digital Data Solutions B.V., Plantage Middenlaan 42a, 1018DH, Amsterdam, Netherlands. This generates a banner that informs you about the data processing on our website and gives you the option of consenting to all, individual or no data processing through optional categories of tools. This banner appears the first time you visit our website and when you call up the selection of your settings again in order to change them or revoke your consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookie or the elements in CookieFirst's local storage have been deleted or have expired.

As part of your website visit, your consent or revocation, your IP address, information about your browser, your end device and the time of your visit are transmitted to Digital Data Solutions. CookieFirst also sets necessary cookies ("cookiefirst-consent" (360 days)) and stores information in local storage ("cookiefirst-consent", "cookiefirst-id", "cookie-first-old-consent") in order to retain your consents and revocations. If you delete your cookies or information in local storage, we will ask you for your consent again when you visit the site at a later date.

Data processing by CookieFirst is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of CookieFirst is Art. 6 para. 1 lit. f) GDPR, justified by our legitimate interest in fulfilling the legal requirements for cookie consent management.

To revoke your consent, please refer to section 14. You can adjust the tools used under the heading "Privacy settings" at the end of this privacy policy and revoke your consent for them there.

If personal data is transferred to third countries, we refer you to Section 13, also with regard to any associated risks. We will inform you if we have concluded standard contractual clauses with the providers of certain tools or if other suitable guarantees apply. If you have given your consent to the use of certain tools, we will (also) transfer the data processed when using the tools to third countries on the basis of this consent (Art. 49 para. 1 lit. a) GDPR)

d) Which social media plugins do we use?

Facebook
Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland ("Facebook"); Further information on data protection can be found here: https://www.facebook.com/privacy/policy/.

Instagram
Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland ("Instagram"); Further information on data protection can be found here: https://privacycenter.instagram.com/policy/.

LinkedIn
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"); Further information on data protection can be found here: https://www.linkedin.com/legal/privacy-policy.

Analysis tools

We use certain tools to statistically record and analyze general usage behavior based on access data ("analysis tools"). We also use analysis services to evaluate the use of our various marketing channels.

In the following section, we would like to explain these technologies and the providers used for this in more detail. The data collected may include in particular

  • the IP address of the device;
  • the identification number of a cookie or information in web storage;
  • the device identifier of mobile devices (device ID, advertising ID);
  • Referrer URL (previously visited page);
  • Pages accessed (date, time, URL, title, duration of visit);
  • Downloaded files;
  • Clicked links to other websites;
  • if applicable, achievement of certain goals (conversions);
  • Technical information: Operating system; browser type, version and language; device type, make, model and resolution;
  • Approximate location (country and city if applicable).

The legal basis is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. In the event that personal data is transferred to the USA or other third countries, your consent also expressly extends to the data transfer (Art. 49 para. 1 lit. a) GDPR). Please refer to section 13 for the associated risks. Please refer to section 14 to withdraw your consent.

a) Google Analytics

We use "Google Analytics" on our website, a web analysis service of Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as "Google").

Google uses JavaScript and pixels to read information on your end device, as well as cookies, i.e. small text files that are stored on your end device. This enables your use of our website to be analyzed. The information collected about the use of our website is generally transmitted to a Google server in the USA and stored there. As part of the analysis, Google Analytics also uses artificial intelligence such as machine learning to automatically analyze and enrich the data.

The following cookies are set and read by Google Analytics:

  • "_ga" for usage analysis and recognition of users by means of a visitor ID for a period of two years;
  • "_gid" for usage analysis and recognition of users by means of a visitor ID for a period of one day;
  • "_ga_XQLMYV7TJ8" to retain the information of the current session for a period of two years.

Google will use this information on our behalf to evaluate your use of our website, to compile reports on website use and to provide us with other services relating to website use and internet use. Pseudonymous user profiles can be created from the processed data. The IP address transmitted when using Google Analytics is not merged with other Google data. We only use Google Analytics with activated IP anonymization. This means that your IP address is only processed by Google in abbreviated form.

We use Google Analytics for the purpose of analyzing the use of our website and continuously improving individual functions and offers as well as the user experience. By statistically evaluating user behavior, we can improve our offer and make it more interesting for you as a user. In addition, we use target group remarketing through GA Audience.

We have concluded an order processing agreement with Google in order to oblige Google to process the transmitted data only in accordance with our instructions and to comply with the applicable data protection regulations. Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information on the use of data by Google, setting options and data protection can be found on the following Google websites:

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Data at user and event level that is linked to cookies, user identifiers (e.g. user ID) and advertising IDs (e.g. DoubleClick cookies, Android advertising ID, IDFA [Apple identifier for advertisers]) is deleted, takes place after 14 months at the latest.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

You can prevent the collection of your data by Google Analytics in addition to your revocation in particular by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this website: Deactivate Google Analytics. Please note that this setting will be deleted if you delete your cookies.

b) Hotjar

We use "Hotjar" on our website, a web analysis service of Hotjar Ltd, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta (hereinafter referred to as: "Hotjar").

Hotjar uses JavaScript (so-called tracking code) to read information from your end device and, among other things, cookies and local storage, i.e. information that is stored locally in the web browser on your end device. This makes it possible to analyze your use of our website, including the creation of so-called heat maps, which graphically display your interactions on our site in aggregated form in terms of frequency and duration. The cookies used by Hotjar are stored on your device for different lengths of time, sometimes only during your visit, sometimes for 365 days. The information collected is transmitted to Hotjar on a server in Ireland and stored there.

The following cookies are set and read by Hotjar:

  • "_hjid" for usage analysis and storage of the visitor ID for a period of one year;
  • "_hjFirstSeen" to store the first page view in a session of a new visitor for the duration of the session;
  • "_hjAbsoluteSessionInProgress" to save the first page view in a session for a period of 30 minutes;
  • "_hjIncludedInSessionSample" for the usage analysis in connection with the defined session limit for the duration of 30 minutes;
  • "_hjIncludedInPageviewSample" for the usage analysis in connection with the defined pageview limit for the duration of 30 minutes;
  • "_hjSessionUser_751125" to store the user data and the user ID for a period of one year;
  • "_hjSession_751125" to store the session data for a period of 30 minutes.

The following information is set and read by Hotjar in the local storage or session storage:

  • "_hjid" for usage analysis and storage of the visitor ID;
  • "hjActiveViewportIds" for saving the visitor's viewports;
  • "hjViewportId" to store the visitor's viewport for the duration of the session.

The tracking code collects the following information: Device-dependent data collected by your end device and your web browser:

  • IP address of your end device (collected and stored in an anonymized format)
  • E-mail address including your first and last name, if you have provided this to us via our website
  • Screen size of your end device
  • Device type and browser information
  • Geographical data (country only)
  • Language used to display our website
  • User interactions
  • Mouse commands (movement, position and clicks)
  • Keyboard entries

Log data that is automatically used by our server when using Hotjar:

  • Referring domain
  • Websites visited
  • Geographical data (country only)
  • Language used to display our website
  • Date and time of access

Hotjar uses this information for the purpose of evaluating your use of our website, compiling reports on website activity and providing other services relating to website activity and internet usage. Hotjar also uses third-party services (e.g. Google Analytics and Optimizely) to provide its services. These third-party companies may store or otherwise process information that your browser transmits when you visit our website (possibly including your IP address).

We use Hotjar for the purpose of analyzing the use of our website and continuously improving individual functions and offers as well as the user experience. By statistically evaluating user behavior, we can improve our offer and make it more interesting for you as a user.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

In addition to your revocation, you can also prevent the collection of data by Hotjar by setting an opt-out cookie on the website linked below: https://www.hotjar.com/opt-out. Please note that this setting will be deleted if you delete your cookies.

We have concluded an order processing contract with Hotjar.

Further information on the use of data by Hotjar, setting options and data protection can be found on the following Hotjar website: https://www.hotjar.com/privacy

c) Google Optimize

We use Google Optimize, a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland ("Google Optimize"). Google Optimize analyses the use of different variants of the website (e.g. different positions of elements, different colors, fonts, buttons, text lengths, paragraphs, headings, graphics, images) so that we are able to adapt the user-friendliness to the behavior of the website users (e.g. reducing the bounce rate, increasing the length of stay) (so-called A/B test). Google Optimize is a tool integrated into Google Analytics and uses JavaScript and cookies in particular. The IP address received in this way is anonymized immediately after processing. The transmitted IP address is not merged with other Google data.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

We have concluded a data processing agreement with Google Ireland Limited. Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.

d) Google Tag Manager

We use "Google Tag Manager" on our website, a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as "Google"). Google Tag Manager enables us as marketers to manage website tags via an interface. The Google Tag Manager tool, which implements the tags, does not itself set any cookies and does not collect any personal data itself.

Google Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

We have concluded a data processing agreement with Google Ireland Limited. Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information on data protection can be found on the following Google websites:

Functional tools

We use certain tools to improve the user experience on our website and to offer you more functions ("functional tools"). Although these are not absolutely necessary for the basic functionality of the website, they can bring significant benefits to users, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels.

The legal basis is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. In the event that personal data is transferred to the USA or other third countries, your consent also expressly extends to the data transfer (Art. 49 para. 1 lit. a) GDPR). Please refer to section 13 for the associated risks. Please refer to section 14 to withdraw your consent.

a) Logging in with social network user accounts (Facebook Login, Google Sign-In, Sign-In with Linkedin, Apple)

Our website offers you the option of logging in with an existing user account for the social networks listed below:

  • Facebook Login: Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland (for users outside the USA and Canada) or Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA (for all other users) -. Data protection information
  • Google Sign-In for Websites: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for users from the European Economic Area and Switzerland) or Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (for all other users) -. Privacy policy
  • Sign In with LinkedIn: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland (for persons from the European Economic Area and Switzerland) or LinkedIn Corporation, 2029 Stierlin Ct. Ste. 200 Mountain View, California 94043, USA for all other persons) - Privacy Notice
  • Sign in with Apple: Apple Inc, 1 Apple Park Way. Cupertino, CA 95014, USA - Privacy Policy

Once you have logged in with one of your existing user accounts, additional registration is no longer required. If you wish to use the function, you will first be redirected to the relevant social network. There you will be asked to log in with your user name and password. We do not, of course, take any notice of this login data. The server to which a connection is established may be located in the USA or in other third countries.

By confirming the corresponding log-in button on our website, the corresponding social network learns that you have logged in to our site with your user account and links your user account with your customer account on our website. The following data is also transmitted to us:

  • Facebook login: e-mail address, public profile information (in particular Facebook ID, name, profile picture), possibly other profile information such as age, date of birth, Facebook friends, gender, place of residence, like information, profile URL, locations, posts, photos, videos; cookies used in particular: "fbsr"
  • Google Sign-In for Websites: E-mail address, Google ID, name, profile picture URL
  • Sign In with LinkedIn: Profile overview (in particular LinkedIn ID, name, job details, number, profile picture URL, number of LinkedIn contacts and other profile details) and - if you allow this in your LinkedIn settings - the primary e-mail address stored on LinkedIn; cookies used in particular. "bsookie" for 2-factor authentication
  • Sign in with Apple: ID, name, e-mail address, verification code

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Meta, Google and LinkedIn to the USA and processed there. Meta Platforms Inc, Google LLC and LinkedIn Corporation have joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR. The transfer of your data at Apple is based on your express consent in accordance with Art. 49 para. 1 lit. a GDPR.

b) Twilio

We have integrated functions and content of the Twilio service on our website. The provider is Twilio Inc, 375 Beale Street, Suite 300, San Francisco, CA 94105, USA. These buttons allow you to share a post or a page using Twilio and to contact us via Twilio or to leave us a contact request or we can contact you via Twilio. In addition, we use Twilio to send you an SMS if you have consented to SMS notification. We also use Twilio to validate/confirm your telephone number. We use Twilio to notify you if any action is required on your part during the booking process, such as accepting or rejecting a tenant or signing a contract. Contact details, in particular name and telephone number, are processed for this purpose.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

We have concluded an order processing agreement with Twilio Inc. Your personal data may also be transferred by Twilio Inc. to the USA and processed there. Twilio Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information can be found in Twilio's privacy policy at https://www.twilio.com/legal/privacy.

c) Rollbar

We use Rollbar, an error detection, analysis and troubleshooting tool from Rollbar Inc, 665 3rd Street 150, San Francisco, USA ("Rollbar"). Rollbar uses the technical information of your end device together with the visitor ID and the session ID and - if you are logged in - with the user ID in order to recognize errors that occur and to be able to rectify them with the help of the transmitted data.

The following cookies are used for these purposes:

  • "visitorId" for tracking and recognizing users who are not logged in for a period of 1 year;
  • "sessionId" for tracking and recognizing users who are not logged in for the duration of the session.

The data is stored for 7 days and then automatically deleted. We have concluded standard contractual clauses with Rollbar.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

We have concluded an order processing agreement with Rollbar Inc. Your personal data may also be transferred by Rollbar Inc. to the USA and processed there. Rollbar Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Necessary tools

We use certain tools to enable the basic functions of our website ("necessary tools"). Without these tools, we would not be able to provide our service. Therefore, necessary tools are used without consent on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR or for the performance of a contract or in order to take steps prior to entering into a contract pursuant to Art. 6 para. 1 lit. b) GDPR.

In addition to the tools listed below, we use the following cookies in particular:

  • "listing-filter" to save the visitor's current search filter for a period of 7 days;
  • "TRAEFIK_BACKEND_WEBSITE" and "TRAEFIK_BACKEND_API" to ensure and establish a secure connection between the website and our server for the duration of the session;

a) Freshworks

We use a CRM system from the provider Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA ("Freshworks"), to process our booking requests. The following data is automatically transmitted by our servers:

  • Name
  • First name
  • E-mail address
  • Phone number
  • Employer, if applicable
  • Job title, if applicable

The use of Freshworks enables us to track and process booking requests in detail.

The listed data is required to communicate with users and thus serves to fulfill the contract (Art. 6 para. 1 lit. b) GDPR).

We have concluded an order processing agreement with Freshworks Inc. Your personal data may also be transferred by Freshworks Inc. to the USA and processed there. Freshworks Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Privacy policy of Freshworks: https://www.freshworks.com/de/datenschutz/.

b) Stripe

We use the services of Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland for payment processing on our platform in order to receive and process payments made to us on our behalf. The following data is automatically transmitted by us to Stripe:

  • Payment data
  • Bank details
  • Credit card details

Stripe also uses JavaScript and cookies for this purpose. We do not store any personally identifiable data or financial information such as credit card numbers. Instead, the payment data (in particular contact and transaction data such as credit card details or bank details) is forwarded directly to Stripe.

The following cookies are set and read by Stripe for fraud prevention and detection with the respective storage duration:

  • "__stripe_mid" for a period of one year;
  • "__stripe_sid" for the duration of 30 minutes;
  • "m" for a period of two years.

The legal basis for the processing of the data is the fulfillment of the contract (Art. 6 para. 1 lit. b) GDPR).

We have concluded an order processing agreement with Stripe Payments Europe Ltd. Your personal data may also be transferred by Stripe Payments Europe Ltd. to Stripe Inc, Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801 in the USA. Stripe Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Privacy policy of Stripe: https://stripe.com/privacy .

c) Veriff

We use the services of Veriff OÜ, Niine 11, 104014 Tallinn, Estonia ("Veriff") for fraud prevention, identity fraud prevention and to verify the identity of users on our platform. Veriff also uses AI for this purpose. In addition, there is also the option of verifying the address or age. In particular, the following categories of data are automatically transmitted by us to Veriff as part of the use of the services:

  • Identity card data, such as name, gender, personal identification code, date of birth, nationality
  • Photos, sound and video data, for example of your face and ID card
  • technical data, including the IP address
  • Biometric data

Veriff may also access your microphone and camera to fulfill the above-mentioned purposes, for example to record and check your ID data and to compare your face with your ID data. You can find information on the use of cookies at: https://www.veriff.com/cookie-policy.

The legal basis for the processing of the data is the fulfillment of the contract (Art. 6 para. 1 lit. b) GDPR).

You can find Veriff's privacy policy at: https://www.veriff.com/privacy-notice.

d) Klippa

We use Klippa of Klippa App B.V., Laan Corpus den Hoorn 1, 9728 JM Groningen, Netherlands for the purposes of document automation on our platform, including in the context of bookings. In particular, the following categories of data are automatically transmitted by us to Klippa:

  • Account statements
  • Employment contract, if applicable

The legal basis for the processing of the data is the fulfillment of the contract (Art. 6 para. 1 lit. b) GDPR). The data is stored for a period of 30 days.

More about data protection at Klippa at: https://www.klippa.com/de/daten-und-datenschutz/.

e) Azure

We use Azure as the cloud computing platform of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland to scale our applications.

The legal basis for the processing of the data is the fulfillment of the contract (Art. 6 para. 1 lit. b) GDPR).

Your personal data may also be transferred by Microsoft Ireland Operations Limited to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 in the USA. Microsoft Corporation has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information on data security can be found here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

f) Cloudflare

We use the Content Delivery Network of Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107 USA to secure our data and to improve the user experience on our website by caching and thus faster output of content displayed on our website.

Cloudflare offers a globally distributed content delivery network in which copies of our website are created and stored on Cloudflare servers. This ensures that when you visit our website, the content is delivered from the server that can display our website to you the fastest. Cloudflare also blocks threats and limits abusive bots and crawlers that would slow down the retrieval of the website or attack our systems. To use the Content Delivery Network, the data traffic between your browser and our website flows via the Cloudflare infrastructure. When using the Content Delivery Network, Cloudflare receives information about IP addresses and connection protocol data (such as the HTTP header with the user agent information).

For security reasons, Cloudflare uses the required cookie "__cf_bm" for the detection of bots and defense against cyber attacks for a period of 30 minutes. You can find more information about the cookies stored by Cloudflare at https://developers.cloudflare.com/fundamentals/get-started/reference/cloudflare-cookies/.

The legal basis for the processing is our legitimate interest in the fast, secure and proper presentation of our website, Art. 6 para. 1 lit. f) GDPR.

We have concluded a data processing agreement with Cloudflare. Your personal data may also be transferred by Cloudflare to the USA and processed there. Cloudflare has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

You can find more information about data protection at Cloudfare here: https://www.cloudflare.com/gdpr/introduction/

Marketing tools

We use certain tools for advertising purposes ("marketing tools"). Some of the access data collected when you use our website is used for interest-based advertising. By analyzing and evaluating this access data, we are able to present you with personalized advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.

In the following section, we would like to explain these technologies and the providers used for this in more detail. The data collected may include in particular

  • the IP address of the device;
  • the identification number of a cookie or information in web storage;
  • the device identifier of mobile devices (device ID, advertising ID);
  • Referrer URL (previously visited page);
  • Pages accessed (date, time, URL, title, duration of visit);
  • Downloaded files;
  • Clicked links to other websites;
  • if applicable, achievement of certain goals (conversions);
  • Technical information: Operating system; browser type, version and language; device type, make, model and resolution;
  • Approximate location (country and city if applicable).

The legal basis is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. In the event that personal data is transferred to the USA or other third countries, your consent also expressly extends to the data transfer (Art. 49 para. 1 lit. a) GDPR). Please refer to section 13 for the associated risks. Please refer to section 14 to withdraw your consent.

a) Google Ads conversion tracking

We use the online advertising program "Google Ads" on our website and, in this context, conversion tracking (visit action evaluation). Google Conversion Tracking is an analysis service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google").

If you click on an advertisement placed by Google, a cookie for conversion tracking is stored on your computer. These cookies have a limited validity. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you clicked on the ad and were redirected to this page. Each Google Ads customer receives a different cookie. The information obtained with the help of the conversion cookie is used to create conversion statistics. This tells us the total number of users who clicked on one of our ads and were redirected to a page with a conversion tracking tag. We also use Google Ads Conversion Tracking to record other customer actions such as page views, registrations and downloads. In addition to cookies, Google Ads Conversion Tracking also uses JavaScript, pixels and other technologies. Your data may be transferred to the USA.

The following cookies are set and read by Google Ads:

  • "gcl_au" to store and track clicks on advertisements for a period of 90 days.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

You can find more information and Google's privacy policy at https://policies.google.com/privacy.

b) Google Ads Remarketing

We use the remarketing or "similar target groups" function on our website, which is offered for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google").

The application serves the purpose of analyzing visitor behavior and visitor interests. Google uses cookies to carry out the analysis of website usage, which forms the basis for the creation of interest-based advertisements. Cookies are used to record visits to the website and anonymized data on the use of the website. If you subsequently visit another website in the Google Display Network, you will be shown advertisements that are highly likely to take into account previously accessed product and information areas. In addition to cookies, Google Ads Remarketing also uses JavaScript, pixels and other technologies. Your data may be transferred to the USA.

The following cookies are set and read by Google Ads:

  • "gcl_au" to store and track clicks on advertisements for a period of 90 days.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent, you also have the option of opting out of personalized advertising in the Settings for advertising settings at Google.

You can find more information about Google Remarketing and the associated privacy policy at https://www.google.com/privacy/ads/.

c) Google Marketing Platform and Ad Manager (DoubleClick)

Our website uses the Google Marketing Platform and Google Ad Manager, services provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google").

These services use cookies and similar technologies to present you with advertisements that are relevant to you. The use of the services enables Google and its partner websites to serve ads based on previous visits to our or other websites on the Internet. In addition, this service is used to create and evaluate reports on advertising campaigns. The service is also used to avoid multiple displays of the same advertisement and to generate commission statements. The data collected in this context may be transferred by Google to a server in the USA for analysis and stored there.

If you have not consented to the use of Google Marketing Platform and Ad Manager, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent, you also have the option of opting out of personalized advertising in the Settings for advertising settings at Google.

In particular, Google sets the following cookies for the specified purpose with the respective storage duration:

  • "IDE" to recognize and distinguish website visitors by means of a user ID, to record interaction with advertising and as part of the display of personalized advertising for a period of 13 months;
  • "NID" for settings for Google services and other functions for advertising purposes for a period of six months;
  • "1P_JAR" for the optimization of personalized advertising, avoiding the repeated display of the same advertisement for a period of one month;
  • "DV" to store user preferences, such as language, for a period of 5 minutes.
  • "CONSENT" to store consent to tracking and personalized advertising for a period of 36 months.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

You can find more information on this in the privacy policy of Google.

d) Microsoft Advertising (Bing Ads)

Our online offers also use conversion tracking from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Microsoft Advertising places a cookie on your computer if you have reached our website via a Microsoft Bing ad. In this way, Microsoft and we can recognize that someone has clicked on an ad, has been redirected to our website and has reached a predetermined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page. Microsoft Advertising also uses JavaScript and local storage.

The following cookies are set and read by Microsoft Advertising:

  • "_uetsid" to store the session ID for the duration of one day;
  • "_uetvid" for usage analysis, visitor recognition and the display of personalized advertising for a period of 390 days;
  • "MUID" for visitor recognition, usage analysis and the display of personalized advertising for a period of 390 days.

The following information in the Local Storage is set and read by Microsoft Advertising:

  • "_uetsid" to store the session ID;
  • "_uetvid" for usage analysis, visitor recognition and the display of personalized advertising;
  • "_uetvid_exp" to store the expiry time of the "_uetvid" cookie.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Microsoft Ireland Operations Limited to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 in the USA. Microsoft Corporation has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

In addition to withdrawing your consent, you also have the option of deactivating personalized advertising in the advertising settings in your Microsoft account.

Further information on data protection and the cookies used by Microsoft Bing can be found on the Microsoft website: https://privacy.microsoft.com/de-de/privacystatement .

e) LinkedIn Analytics and Ads (Insight Tag)

On our website, we use the analysis and conversion tracking technology of the LinkedIn platform, which is offered for persons from the European Economic Area and Switzerland by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland and for all other persons by LinkedIn Corporation, 2029 Stierlin Ct, Mountain View, CA 94043, USA (hereinafter referred to as "LinkedIn").

With the aforementioned LinkedIn technology, you can be shown more relevant advertising, offers and recommendations based on your interests on LinkedIn (retargeting). We also receive aggregated reports from LinkedIn about advertising activities and information about how you interact with our website (conversion tracking). To do this, LinkedIn uses a JavaScript code (Insight tag), which in turn uses a pixel or stores and uses the following cookies in your web browser:

  • "long" to save the language setting for the duration of the session;
  • "lidc" to optimize the selection of the data center for a period of 24 hours;
  • "lissc" to ensure that all cookies in the same browser use the same SameSite attribute for a period of one year;
  • "li_sugr" for the recognition and probable matching of a user;
  • "bcookie" to prevent misuse for a period of two years;
  • "UserMathHistory" for usage analysis, retargeting and synchronization of IDs with LinkedIn Ads for a period of 30 days;
  • "AnalyticsSyncHistory" to synchronize the usage history for a period of one month.

Further information on cookies can be found at: https://www.linkedin.com/legal/l/cookie-table.

The LinkedIn Insight tag collects data about the use of our website, including URL, referrer URL, IP address, device and browser characteristics, timestamps and page views. The data collected via the LinkedIn Insight tag is encrypted and anonymized within 7 days. The anonymized data is deleted within 90 days. LinkedIn only provides summarized reports on website audience and ad performance.

In connection with the use of LinkedIn Insight Tag, the information collected is also processed on LinkedIn Corporation servers in the USA.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by LinkedIn Ireland Unlimited Company to LinkedIn Corporation in the USA. LinkedIn Corporation has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

In addition to your revocation, you can also prevent data collection in particular by clicking on the following opt-out link: https://www.linkedin.com/psettings/enhanced-advertising . Please note that this setting will be deleted if you delete your cookies.

Further information on data protection at LinkedIn can be found here: https://de.linkedin.com/legal/privacy-policy.

f) Meta Pixel

We use the "Meta Pixel" service on our website, which is offered for persons outside the USA and Canada by Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland and for persons from the USA and Canada by Meta Platforms Inc, 01 Willow Road, Menlo Park, California 94025, USA (hereinafter referred to as "Meta Platforms"), to analyze the general use of our websites and to track the effectiveness of Facebook advertising ("conversion tracking"). We also use Meta Pixel to display personalized advertising messages in Meta Platforms' social networks (such as Facebook and Instagram) based on your interest in our products ("retargeting"). This also includes target group remarketing through Custom Audience.

Meta Pixel enables Meta Platforms to display our ads on Facebook and Instagram only to users who have visited our website, in particular those who have shown an interest in our online offering or in certain topics or products. Meta Pixel makes it possible to check whether a user was redirected to our website after clicking on our advertisement.

Among other things, Meta Pixel uses cookies, i.e. small text files that are stored locally in the web browser on your end device. If you are logged in to Facebook or Instagram with your user account, your visit to our online offering will be noted in your user account. Meta Platforms can also link this data to your user account there. We have no influence on the scope and further use of data collected by Meta Platforms through the use of Meta Pixel. In addition to cookies, Meta Pixel also uses JavaScript and other technologies.

Meta Platforms processes the following data in particular with Meta Pixel:

  • HTTP header information such as information about the browser used (e.g. user agent, language);
  • Information on events such as "page view", other object properties and buttons clicked by visitors to the website;
  • Online identifiers such as IP addresses and, where provided, Facebook business-related identifiers or device IDs (such as advertising IDs for mobile operating systems) and information on the status of deactivation/restriction of ad tracking.

The following cookies are set and read by Meta Pixel:

  • "_fbp" for usage analysis and retargeting for a period of three months;
  • "fr" for retargeting and displaying personalized advertising for a period of three months;
  • "ATN" to analyze usage and to record advertising already viewed for the duration of the session.

To the best of our knowledge, Meta Platforms receives the information that you have accessed the relevant part of our website or clicked on an advertisement from us. If you have a user account with Facebook or Instagram and are registered, Meta Platforms can assign the visit to your user account. Even if you are not registered with Facebook or Instagram or have not logged in, there is a possibility that Meta Platforms will find out and store your IP address and any other identifying features.

We use meta pixels for marketing and optimization purposes, in particular to place relevant and interesting ads for you on Facebook and thus improve our offer, make it more interesting for you as a user and avoid annoying ads.

You can make settings regarding which types of advertisements are displayed to you within Facebook on the following Facebook website: https://www.facebook.com/settings?tab=ads. You can prevent the linking of data collected outside Instagram to display personalized advertising in Instagram as follows: https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE. Please note that this setting will be deleted if you delete your cookies.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Meta Platforms Ireland Ltd. to Meta Platforms Inc. in the USA. Meta Platforms Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR.

Further information from the third-party provider on data protection can be found on the following Facebook website: https://www.facebook.com/about/privacy. Information on Facebook Pixel can be found on the following Facebook website: https://www.facebook.com/business/help/651294705016616

Automated decision making

As part of our letting processes, we use automated decision-making to assess the creditworthiness of potential tenants. This assessment is used to determine a maximum rent, which serves as an upper limit for booking requests by the tenant. This practice is carried out in accordance with Art. 22 GDPR. We would like to point out that you have the right to request a manual review of the decision, to present your views and to contest the decision.

Storage period

In principle, we only store personal data for as long as necessary to fulfill the purposes for which we collected the data. We then delete or anonymize the data immediately, unless we still need the data for evidence purposes until the statutory limitation period for civil law claims expires or due to statutory retention obligations.

For evidence purposes, we must retain contract data for three years from the end of the year in which the business relationship with you ends. Any claims become time-barred in accordance with the statutory limitation period at the earliest at this time.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise, for example, from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years.

Transfer of data to third parties

The data collected by us will only be passed on if:

  • you have given your express consent to this in accordance with Art. 6 para. 1 lit. a) GDPR,
  • the disclosure pursuant to Art. 6 para. 1 lit. f) GDPR is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
  • we are legally obliged to disclose data in accordance with Art. 6 para. 1 lit. c) GDPR, in particular if this is necessary for legal prosecution or enforcement due to official inquiries, court orders and legal proceedings, or
  • this is legally permissible and required under Art. 6 (1) (b) GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that are carried out at your request.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include, in particular, data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfill their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us.

Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) and/or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the fulfillment of the contract or for the implementation of pre-contractual measures.

If a transfer to a third country is planned and no adequacy decision or suitable guarantees exist, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. If your consent is obtained via the cookie banner, you will also be informed of this.

Your rights

In accordance with the General Data Protection Regulation (GDPR), you have the following rights, which you are welcome to assert via our contact form or alternatively by post. If the respective legal requirements are met, we will comply with your data protection request.

Right to information

In accordance with Article 15 of the GDPR, you have the right to request information about the processing of your data by us. This includes information on processing purposes, categories of data, recipients, storage duration, legal claims such as correction, deletion or restriction, rights of appeal, data origin (if not collected by us) as well as information on automated decision-making and profiling, if applicable.

Right to rectification

In accordance with Article 16 of the GDPR, you can request the immediate correction of your data stored by us if it is incorrect or incomplete.

Right to erasure

In accordance with Article 17 of the GDPR, you can request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfillment of legal obligations, for reasons of public interest or for the assertion, exercise or defense of legal claims.

Right to restriction of processing

In accordance with Article 18 of the GDPR, you have the right to request the restriction of the processing of your data, for example if the accuracy of the data is disputed or the processing is unlawful.

Right to data portability

In accordance with Article 20 of the GDPR, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format or to have it transmitted to another controller (data portability).

Right to object

In accordance with Article 21 of the GDPR, you may object to the processing of your data, in particular if the processing is not necessary for the performance of a contract (Article 6(1)(e) or (f) of the GDPR). If it is not an objection to direct marketing, we ask you to inform us of the reasons for your objection. In the event of a justified objection, we will either terminate or adapt the data processing and provide you with compelling legitimate grounds for continuing the processing.

Right of revocation

In accordance with Article 7(3) of the GDPR, you can withdraw your consent to data processing at any time, provided that you have given such consent. If you withdraw your consent, we will no longer be permitted to carry out the data processing based on this consent in the future.

Right of appeal

In accordance with Article 77 of the GDPR, you have the right to complain to a data protection supervisory authority about the processing of your personal data in our company. You can assert this right, for example, with a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. The supervisory authority responsible for us is

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin
Entrance Alt-Moabit 60
Tel.: +49 30 13889-0
Fax: +49 30 2155050
E-Mail: mailbox@datencshutz-berlin.de

Questions on data protection

If you have any questions about data protection in connection with our products/services or the use of our website, you can also contact our data protection team at datenschutz@wunderflats.com at any time. You can also contact our data protection officer at the postal address below and at the e-mail address provided (keyword: "Attn. data protection officer"). We expressly point out that if you use this e-mail address, the content will not be viewed exclusively by our data protection officer. If you wish to exchange confidential information by e-mail, please contact us directly via this e-mail address first.

E-mail: datenschutz@wunderflats.com
Wunderflats GmbH Rosenstraße 16
10178 Berlin
Phone: + 49 (0) 30 120 862 259

The privacy policy is valid now and is current as of 24th April 2024.

Use the buttons below to download your user data or have it removed completely.

Privacy Preferences

We use cookies and similar technologies that are necessary for the operation of our website, as well as tools necessary to evaluate performance and marketing.