Privacy App

1) Information about the collection of personal data and contact details of the data controller

1.1 We are pleased that you are using our application (hereinafter referred to as "App"). Below, we inform you about the handling of your personal data when using our App. Personal data is any data that can be used to identify you personally.

1.2 The data controller for the processing of data concerning this App in accordance with the General Data Protection Regulation (GDPR) is MonsterShack UG (limited liability), Sandkamp 1, 22111 Hamburg, Germany, Tel.: +4915256087751, E-Mail: hello@itchy-monsters.de. The data controller is the natural or legal person who decides alone or jointly with others on the purposes and means of processing personal data.

1.3 This App uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries to the data controller). You can recognize a secure connection by the string "https://" and the lock symbol in your browser's address bar.

2) Logfiles when using our mobile App

If you download our mobile App via an App Store, the necessary information will be transmitted to the App Store, particularly the username, email address, and customer number of your account, time of download, payment information, and the individual device identifier. We have no control over this data collection and are not responsible for it. We process the data only to the extent necessary for downloading the mobile App to your mobile device.

When using our mobile App, we collect the personal data described below to enable comfortable use of the functionality. If you want to use our mobile App, we collect the following data that is technically necessary for us to provide you with the functions of our mobile App and to ensure stability and security:

- Date and time of the request

- Time zone difference to Greenwich Mean Time (GMT)

- Content of the request

- Access status/HTTP status code

- Amount of data sent in bytes

- Source/reference from which you came to the page

- Browser used

- Language and version of the browser software

- Operating system used and its interface

- IP address used (if applicable: in anonymized form)

The processing takes place in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our App. There will be no transfer or other use of the data. However, we reserve the right to review the aforementioned log files afterwards should there be concrete indications of illegal use.

Furthermore, we need your unique device identifier number (IMEI = International Mobile Equipment Identity), unique number of the network participant (IMSI = International Mobile Subscriber Identity), mobile number (MSISDN), possibly MAC address for WLAN use, and the name of your mobile device.

3) Hosting & Content Delivery Network

Supabase
We use the web hosting service "Supabase" of Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, Singapore, for hosting and displaying the App content based on processing on our behalf.
All data collected in our App will be processed on servers of Supabase, which are located exclusively within the European Union (Frankfurt).
We have concluded a data processing agreement with Supabase which obliges Supabase to protect the data of our website visitors and not to disclose it to third parties.
Further information on Supabase's data protection can be found at https://supabase.com/privacy
Any processing by Supabase on servers other than those mentioned above will only take place within the framework communicated below.

4) Use of your address book, calendar, photos, and memories

At the beginning of using our mobile App, we will ask you in a pop-up for permission to use your address book and/or calendar and/or photos and/or memories. If you do not grant consent, we will not use this data. In this case, you may not be able to use all features of our App. You can grant or revoke consent later in your operating system settings.

If you allow access to this data, the mobile App will only access your data and transmit it to our server as far as necessary for providing functionality. Your data will be treated confidentially and deleted when you revoke the right to use or if it is no longer necessary for providing the service and there are no legal retention obligations. The legal basis for processing is Art. 6 para. 1 S. 1 lit. f GDPR.

5) Contacting us

In the context of contacting us (e.g. via contact form or email), personal data is collected. What data is collected in the event of using a contact form is apparent from the respective contact form in the App. This data will only be stored and used for the purpose of answering your inquiry or for contacting you and the associated technical administration. The legal basis for processing this data is our legitimate interest in answering your inquiry in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at entering into a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted once your inquiry has been conclusively processed. This is the case when it can be inferred from the circumstances that the matter in question has been conclusively clarified, and provided no legal storage obligations stand in the way.

6) Data processing when opening a customer account

According to Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed when you provide it to us for the execution of a contract or when opening a customer account. What data is collected is apparent from the respective input forms. You can delete your customer account at any time by sending a message to the above-mentioned address of the data controller. We store and use the data you provide to carry out the contract. After complete execution of the contract or deletion of your customer account, your data will be restricted with regard to tax and commercial law retention periods and deleted after the expiry of these periods unless you have expressly consented to further use of your data or a legally permitted further use of data has been reserved, of which we will inform you below accordingly.

7) Data processing for contract execution

- RevenueCat

In-app payments are made through RevenueCat Inc., 300 Euclid Avenue, San Francisco, CA 94118, USA, to whom we pass on the information you provided during the ordering process along with information about your order. The disclosure of your data takes place in accordance with Art. 6 para. 1 lit. b GDPR exclusively for the purpose of payment processing and only to the extent necessary for this purpose. We have concluded a data processing agreement with RevenueCat Inc., obliging the provider to protect the data of the App users and not to pass them on to third parties.

Further information on data protection from RevenueCat can be found here: https://www.revenuecat.com/privacy

8) Registration in the App

You can register in our App by providing personal data. What personal data is processed for registration is evident from the input mask used for registration. We use the so-called double opt-in procedure for registration, i.e., your registration is only complete once you have confirmed your registration via a confirmation email sent to you for this purpose by clicking on the link contained therein. If you do not confirm your registration within 24 hours, your registration will be automatically deleted from our database. The provision of the above-mentioned data is mandatory. All other information may be voluntarily provided by you using our portal.

If you use our App, we will store the data necessary for contract fulfillment, including any payment method information, until you permanently delete your access. Furthermore, we will retain the data you voluntarily provide throughout your use of the portal unless you delete it beforehand. You can manage and change all information in the protected customer area. The legal basis is Art. 6 para. 1 lit. f GDPR.

Moreover, we store all content you publish (e.g. public posts, wall entries, guestbook entries, etc.) in order to operate the App. We have a legitimate interest in providing the App with complete user-generated content. The legal basis for this is Art. 6 para. 1 lit. f GDPR. If you delete your account, in particular your published comments in the forum will remain visible to all readers, but your account will no longer be accessible. All other data will be deleted in this case.

9) Use of your data for direct marketing

Subscription to our email newsletter

If you subscribe to our email newsletter, we will regularly send you information about our offers. The mandatory information for sending the newsletter is solely your email address. Providing additional data is voluntary and is used to personalize our communication with you. For sending the newsletter, we use the so-called double opt-in procedure. This means that we will only send you an email newsletter once you have explicitly confirmed that you consent to receive the newsletter. We will then send you a confirmation email asking you to confirm that you wish to receive the newsletter by clicking on a corresponding link.

By activating the confirmation link, you give us your consent to the use of your personal data in accordance with Art. 6 para. 1 lit. a GDPR. When signing up for the newsletter, we will store the IP address registered by the Internet Service Provider (ISP) as well as the date and time of registration in order to trace any possible misuse of your email address at a later time. The data we collect during the newsletter registration will be used exclusively for the purposes of advertising outreach via the newsletter. You can unsubscribe from the newsletter at any time via the designated link in the newsletter or by corresponding notification to the responsible party mentioned at the beginning. After unsubscribing, your email address will be immediately deleted from our newsletter distribution list unless you have explicitly consented to further use of your data or we have reserved a more extensive data use that is legally permitted and of which we will inform you in this declaration.

10) Sending Push Notifications

You can sign up to receive our push notifications. You will regularly receive information about our services through our push notifications.

To register, you must confirm receipt of notifications or allow them in your operating system settings. This process will be documented and stored. This includes the storage of the registration timestamp as well as your device identifier. The collection of this data is necessary so that we can display the push notifications as well as trace the processes in case of misuse, and therefore serves our legal protection. The processing of this data is based on Art. 6 para. 1 lit. a GDPR.

You can revoke your consent to the storage and use of your personal data for receiving our push notifications and the previously described statistical collection at any time with effect for the future. For the purpose of revoking your consent, you can unsubscribe from push notifications in the appropriate settings of your App in your operating system.

Your data will be deleted as soon as they are no longer necessary for achieving the purpose of their collection. Thus, your data will be stored as long as the subscription to our push notifications is active.

11) Web analysis services

Aptabase

This App uses "Aptabase", a web analytics service of Sumbit Labs Limited, 51 Bracken Road, Sandyford, Dublin D18 CV48, Ireland, which enables an analysis of your use of our App.

By reading web server and connection data, information is collected and used in a pseudonymised manner to evaluate your use of the App, compile reports on App activities for us, and provide further services related to App usage and internet usage.

Aptabase does not use cookies or similar technologies and deletes collected information according to its own statements after 24 hours.

To the extent that personal data is processed in the described processes, this takes place based on our legitimate interest in the statistical analysis of user behaviour for optimisation and marketing purposes in accordance with Art. 6 para. 1 lit. f GDPR.

You can permanently object to the collection and storage of your visitor data for the future through corresponding functions in the App.

Further details on Aptabase's data protection can be found here: https://aptabase.com/legal/privacy

12) Tools and Miscellaneous

- Sentry

For the creation of anonymised crash reports, we use "Sentry", a service of Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA, to improve the stability and reliability of our App.

Only based on your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, in the event of a crash of the App, anonymous information will be transmitted to the servers of the provider (state of the App at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the phone, last log messages).

When using an iOS-based device, you can provide consent in the App settings or after a crash. When using an Android-based device, there is the possibility to generally agree to the transmission of crash notifications to Google and app developers during setup.

You can revoke your consent at any time by:

- in iOS, disabling the "Crash reports" feature in the App settings

- in Android, adjusting the system settings. To do this, open the App settings, select "Google" and then in the three-dot menu at the top right, select "Usage & Diagnosis". Here you can disable sending the relevant data.

For more information about data protection, please refer to the privacy notices of "Sentry" at https://sentry.io/terms/

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European data protection level based on an adequacy decision of the European Commission.

13) Rights of the data subject

13.1 The applicable data protection law grants you comprehensive rights (rights of access and intervention) regarding the processing of your personal data against the data controller, of which we inform you below:

- Right of access pursuant to Art. 15 GDPR: You have the right to obtain information about your personal data processed by us, the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage duration or the criteria for determining the storage duration, the existence of a right to correction, deletion, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if they were not collected from you by us, the existence of automated decision-making including profiling and, if applicable, meaningful information about the logic involved and the significance and intended effects of such processing on you, as well as your right to be informed which guarantees exist regarding the transfer of your data to third countries in accordance with Art. 46 GDPR;

- Right to rectification pursuant to Art. 16 GDPR: You have the right to obtain the rectification of inaccurate data concerning you and/or completion of your incomplete data stored with us without undue delay;

- Right to deletion pursuant to Art. 17 GDPR: You have the right to request the deletion of your personal data where the requirements of Art. 17 para. 1 GDPR are met. However, this right does not exist particularly if the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;

- Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request the restriction of processing your personal data as long as the accuracy of your data contested by you is verified, if you refuse deletion of your data for unlawful processing and instead request the restriction of processing your data, if you need your data for the establishment, exercise or defence of legal claims after we no longer need that data for the purposes pursued, or if you have objected on grounds relating to your particular situation, as long as it is still not clear whether our legitimate grounds override your rights;

- Right to notification pursuant to Art. 19 GDPR: If you have asserted your right to rectification, deletion or restriction of processing against the data controller, the latter is obliged to inform all recipients to whom your personal data have been disclosed of this rectification or deletion of data or restriction of processing unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.

- Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data provided to us in a structured, commonly used and machine-readable format or to request the transfer to another controller as far as technically feasible;

- Right to withdraw consents given pursuant to Art. 7 para. 3 GDPR: You have the right to withdraw any consent you have given to the processing of data at any time with future effect. In the event of withdrawal, we will delete the affected data without delay unless further processing is based on a legal ground justifying processing without consent. The withdrawal of consent does not affect the lawfulness of processing based on the consent until the withdrawal;

- Right to lodge a complaint pursuant to Art. 77 GDPR: If you believe that the processing of the personal data concerning you is in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your workplace or of the place of the alleged infringement, without prejudice to any other administrative or judicial remedy.

13.2 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA BASED ON A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION TO THIS PROCESSING WITH EFFECT FOR THE FUTURE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE AFFECTED DATA. HOWEVER, FURTHER PROCESSING REMAINS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR IF THE PROCESSING IS NECESSARY FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US IN ORDER TO ENGAGE IN DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSES OF SUCH MARKETING. YOU CAN EXERCISE THE RIGHT TO OBJECT AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE AFFECTED DATA FOR DIRECT MARKETING PURPOSES.

14) Duration of storage of personal data

The duration of storage of personal data is determined by the respective legal basis, the purpose of processing and, if applicable, additionally by the applicable statutory retention period (e.g., commercial and tax retention periods).

In the case of processing personal data based on an explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, the data concerned will be stored until you revoke your consent.

If there are statutory retention periods for data that are processed in the context of contractual or quasi-contractual obligations based on Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after expiry of the retention periods unless they are no longer necessary for fulfilling the contract or initiating the contract and/or we have no legitimate interest in further storage.

In the case of processing personal data based on Art. 6 para. 1 lit. f GDPR, this data will be stored until you exercise your right to object under Art. 21 para. 1 GDPR unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defence of legal claims.

In the case of processing personal data for the purpose of direct marketing based on Art. 6 para. 1 lit. f GDPR, this data will be stored until you exercise your right to object under Art. 21 para. 2 GDPR.

Unless otherwise specified in the other information provided in this declaration about specific processing situations, stored personal data will be deleted when they are no longer necessary for the purposes for which they were collected or otherwise processed.