Name and contact details of the controller responsible for processing and the company data protection officer
This Data Protection Policy applies to data processing by:
Controller: Chrono24 GmbH (hereinafter "Chrono24")
Haid-und-Neu-Str. 18, 76131 Karlsruhe
Phone: 49 (0) 721 96693-0
Fax: 49 (0) 721 96693-990
Collection and storage of personal data and the nature and purpose of its use
a) When visiting the website
When you visit the Chrono24 website, the browser you are using on your device automatically sends information to the server for our website. This information is temporarily stored in a log file. The following information is automatically collected and subsequently automatically deleted after a period of 20 weeks:
- the IP address of the querying computer
- the date and time of access
- the name and URL of the retrieved file
- the website from which access is occurring (referrer URL),
- the session ID
- the user agent
- the browser used and in some cases the operating system of your computer and the name of your access provider.
We process the aforementioned data for the following purposes:
- to ensure a trouble-free connection with the website
- to ensure convenient use of our website and optimise our platform
- to monitor and ensure system security and stability.
- to detect and prevent attacks on our website, and
- for other internal statistical and administrative purposes.
We never use collected data to reference you as a person. In the event of an attack on our network infrastructure however, your IP address will be identified in order to assert or defend against legal claims.
We process data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f of the General Data Protection Regulation (GDPR). Our legitimate interests proceed from the data collection purposes specified above.
b) Registering as a user on our platform
Buyers, private sellers and commercial merchants can create a user account on our platform. The mandatory data required to set up a user account must be entered under i), ii) and iii). This data is processed
- to identify you as our contract partner
- to enter into, structure, execute and amend contracts with you governing the use of our platform and services offered thereupon
- to assess the plausibility of the data entered
- to contact you as necessary for with any questions, and
- to assert any claims against you as necessary.
The data specified under points i), ii) and iii) are processed upon your placement of an inquiry for the purposes outlined above and are required for use of the platform in accordance with Article 6 para. 1 sentence 1 item b of the GDPR, and thus required for fulfilment of the contract and of pre-contractual actions.
You may have the option of providing voluntary information/data depending on the type of user account. We process voluntarily provided information/data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f GDPR. This information/data is used to facilitate contact with you and ensure rapid clarification of any questions.
After deletion of your user account your data are automatically deleted to prevent further use unless, in accordance with Article 6 para. 1 sentence 1 item c GDPR, it must be stored for a longer period of time pursuant to retention and documentation requirements under tax or commercial code (HGB, StGB, AO), or if you have consented to storage for a longer period of time in line with Article 6 para. 1 sentence 1 item a GDPR.
i) myChrono24 user accounts
The following mandatory data must be entered to register as a user (buyer) and set up a user account:
- a valid email address
- a password of your choice.
These constitute the login data for your user account.
You can also provide this voluntary user data:
- Your first and last name
- A profile picture
- Your address (street, post code, city/town, country)
- Your phone number.
ii) Private sellers
To place sale offers as a private seller you must first have a user account (see i)). To place a sale offer on the platform you must enter the following data:
- Your first name and last name,
- your address (street, postcode, city/town, country),
- your phone number and
- your date of birth.
In order to be able to sell your goods in the Trusted Checkout process, you must register for the sale as a private seller via the trustee service.
When registering for the trustee service, apply to open a Trusted Checkout account at the payment service Mangopay (https://www.mangopay.com/ ) of Leetchi Corp. S.A., (registered office in 59 Boulevard Royal, L-2449 Luxembourg). Payments assigned to you as part of Trusted Checkout will then be posted via this account.
In accordance with laws on the prevention of money laundering and the financing of terrorist organisations, Leetchi Corp. S.A. is obligated to identify each seller based on the documents and information specified.
When registering for the trustee service, the following data and documents are thus collected from you and forwarded onto Leetchi Corp. S.A.:
- Family name, first name, email address, date of birth as well as nationality and the country of residence.
- Information about which bank account should be used for the payments.
- A copy of a valid official ID document:
- German identity card (front and reverse) for Germans, passport for foreigners resident in Germany or abroad.
- Within the EEA: Passport or national ID card or driving licence. A residence permit for people from third-party countries.
- Outside of the EEA: Passport or driving licence for the USA and Canada.
The following data must be entered to register as a commercial merchant:
- Your company name
- A contact person (first and last name)
- Your company address (street, post code, city/town, country)
- A phone number
- A valid e-mail address
- A username of your choice
- A password of your choice.
You can also provide this voluntary user data:
- Your fax number
- A mobile phone number
- An internet address.
To activate two-factor authentication for your dealer account, you will receive a text message upon the creation of your account. This involves sharing your phone number with the cloud communications platform Twilio Inc. (645 Harrison St., Third Floor, San Francisco, CA 94107). Twilio conducts two-factor authentication using the phone number provided.
Personal data is processed according to Article 6 Paragraph 1 Sentence 1 Point (f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH's legitimate interests required by this clause are the general improvement of the marketplace's security and the associated optimization of the transaction process.
We use Twilio Inc.'s services for conducting this form of two-factor authentication. We have signed a data processing agreement with Twilio Inc. as laid out in Article 28 of the GDPR. With this agreement, Twilio Inc. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.
Twilio Inc. is located in the United States of America. For EU citizens, this means the transfer of their phone numbers to a third country. Data transfer to the USA is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Twilio Inc. has implemented additional measures to ensure adherence to an appropriate level of data protection.
By registering as a professional dealer on the platform, it is possible that we will send you print mail to keep you up to date on the latest watch trends. This involves forwarding the following personal data to the corresponding service provider:
- Your first and last names
- Your address
The processing of personal data is allowed according to Article 6 Paragraph 1 Sentence 1(f) of the GDPR. Chrono24 GmbH's legitimate interest required by this clause is the implementation of direct mail. This is a legally recognized legitimate interest according to Recital 47 of the GDPR.
c) Using the internal messenger on our platform
As a registered user, you are able to use the internal messenger provided on the website to communicate with us or with a dealer/buyer/private seller on the platform. Registration is required to use the internal messenger on the platform (see 2. b).
When you use our internal messenger on the platform, messages that you send will be scanned and analyzed by us, both automatically and manually. The purpose of doing so is to
- prevent fraud,
- detect any illegal activities and violations of our general terms and conditions,
- and improve our communication and customer services.
The basis for this data processing is our legitimate interests pursuant to Art. 6(1) sentence 1 (f) GDPR. The GDPR recognizes data processing for the aforementioned purposes as a legitimate interest.
You can manage messages you have sent and received on your own or submit a request to have them deleted by us. In the event of a fraud attempt, an illegal activity or a violation of our general terms and conditions, we may continue to store any relevant messages based on our legitimate interests pursuant to Art 6(1) sentence 1 (f) GDPR for use as evidence and for establishing, exercising or defending our legal rights, even after you have submitted a deletion request.
d) Automated customer profile creation
We create a customer profile for your user account in order for you to use our platform as a registered user/merchant. We categorise your customer profile and supplement it with additional data so that you only receive information likely to be of interest to you. To do so we utilise this data:
- Your personal information (e.g., your basic profile information);
- The length of your membership;
- Statistical information (e.g., the type, frequency, and intensity of your website's usage); and
- A history of the listings, brands, and sellers you've visited.
We process the aforementioned data for the following purposes:
- For statistical evaluation
- For market research
- To ensure smooth functioning of the platform and to design the platform around user needs
- To personalise our services, and
- To deliver advertising to you which is exclusively targeted to your actual or predicted needs so as to eliminate irrelevant advertising.
We process data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f GDPR. Data processing for the aforementioned purposes is a recognised legitimate interest in accordance with the GDPR.
You may file objection to the creation of a user profile and/or the evaluation and personalisation of our services or advertising at any time by clicking on this link, in which case processing will be stopped and your user profile will be immediately deleted unless you have consented to longer data retention per Article 6 para. 1 sentence 1 item a GDPR.
e) Using the Trusted Checkout service
In order to initiate and conclude purchase agreements with dealers/private sellers via our Trusted Checkout Service, you will first need a user account (see section 2.b)i) ). Furthermore, it is necessary to specify the following information:
- Your first and last name,
- your address (street, postcode, city/town, country) and
- your phone number.
The listed information is processed by us for the following purposes:
- to check and identify who the dealer/private seller’s contract partner is;
- to support the justification, content design and execution of the purchase contracts; and
- where required to make the necessary contact with you in case of further queries.
In case you request a purchase offer with a dealer/private seller or conclude a purchase contract with the dealer/private seller, we also transfer your personal data to the dealer/private seller for the purposes stated above.
The processing of your aforementioned data takes place on your request and is required in accordance with Art. 6 (1) (1) (b) GDPR for the aforementioned purposes for the use of the platform and thus for the fulfilment of the contract and pre-contractual measures.
f) Paying on Chrono24 via credit card or bank transfer
Upon entering a sales agreement for a watch, you can pay the amount due via credit card, wire transfer, or direct deposit. To ensure the general processing of these payment methods and prevent attempted fraud, payments are processed by the service provider Mangopay SA (10 Boulevard Royal, L-2449, Luxembourg). This involves forwarding the following personal data to Mangopay:
- Your first and last names
- Your address
- Your bank account or credit card information
This data is processed based on Article 6 Paragraph 1 Sentence 1 Point (b) of the General Data Protection Regulation (GDPR) since it is necessary for the performance of a contract to which the data subject is party.
If you pay via credit card, you can also have the payment processed by the service provider Checkout Ltd. (54 Portland Place, London, W1B 1DY, United Kingdom). This involves forwarding the following personal data to Checkout:
- Your first and last names
- Your email address
- Your billing address
- Your shipping address (if different from the billing address)
This data is also processed based on Article 6 Paragraph 1 Sentence 1 Point (b) of the General Data Protection Regulation (GDPR) since it is necessary for the performance of a contract to which the data subject is party.
Checkout Ltd. is located in the United Kingdom. For EU citizens, this means the transfer of their personal data to a third country. Data transfer to the United Kingdom is permitted since the European Commission has made an adequacy decision for the United Kingdom as described in Article 45 Paragraph 3 of the GDPR. Thus, the United Kingdom offers an adequate level of protection for transferred personal data. You can find more information in the European Commission's statement .
g) Registering for our newsletter
We use your e-mail address to send you our personalised regular newsletter if you have expressly consented thereto in accordance with Article 6 para. 1 sentence 1 item a GDPR. To receive the newsletter it suffices to provide your e-mail address.
To receive more personalised newsletter content you can create a customer profile about you based on your collected personal data. This data relates to personal preferences such as product affinities observed on the basis of orders, interests, purchase decisions, preferred shopping time, etc. and is automatically processed and analysed so that relevant offers are predicted for you. Profiling may also be performed without consent on the basis of Article 6 para. 1 item f GDPR given a legitimate interest (see item 2.c) ).
We may also use your e-mail address without your express consent to send you information about similar products of our company if you are an existing customer and have not objected to the use of your e-mail address. Processing for purposes of marketing to existing customers is done on the basis of our legitimate interests in accordance with Article 6 para. 1 sentence 1 item f GDPR. Processing of your e-mail address for the purpose of direct marketing is a statutorily recognised interest under the GDPR.
For the purpose of mailing our newsletter, we use the Mailchimp tool developed by The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how sellers handle data here: https://mailchimp.com/legal/privacy/.
Provided that you have expressly given your consent for us to do so in accordance with Art. 6(1) Sentence 1 Section (a) GDPR, we pass your email address on to our partners Zeitauktion GmbH, Mendelejewstr. 2, 09117 Chemnitz, Germany and Fratello Watches B.V., Het Kleine Loo 284, 2592CK Den Haag, The Netherlands. Our partners use your email address to send you your personalised newsletter with offers, new products and promotions at regular intervals. Provision of an email address is sufficient to receive the newsletter.
h) Using our contact form
You can use a form provided on the website to contact us with questions or contact a merchant or private seller. If you wish ask your question to a merchant or private seller, we forward your contact inquiry to them. For the use of the contact form, the following data is required, without exception:
- a valid e-mail address and
- Your specific question or message.
We process the aforementioned data for the following purposes:
- to identify you
- to answer your question, and
- for forwarding to the relevant merchant or private seller as necessary.
Additionally, you can voluntarily provide your name and telephone number to enable quicker contact.
When you use our contact form, we may scan and analyse your message. This is done for fraud prevention purposes and to generally improve communication and customer service.
Data is processed upon placement of your inquiry, and such processing is required for the above purposes to fulfil the contract and pre-contractual actions in accordance with Article 6 para. 1 p. 1 item b GDPR. Data from contact inquiries is also processed on the basis of our legitimate interests per Article 6 para. 1 sentence 1 item f GDPR. These interests proceed from the aforementioned purposes.
Personal data we collect when you use the contact form is automatically deleted upon completion of your inquiry.
i) When contacting us via WhatsApp
We also offer you the option of contacting us via WhatsApp using a widget, which is visible when you use Chrono24.de under “You have questions”. To use this service, you must provide the following information:
- Your cellphone number
- Your specific question or message
We process the data listed above for the following purposes:
- to identify you
- to reply to your message
We may also be able to view your WhatsApp profile image due to your privacy settings.
When you contact us via WhatsApp, we may also scan and analyze your message. We do so to prevent fraud and generally improve communication and customer service.
When you contact us via WhatsApp, your data is processed on the legal basis of Art. 6(1)(1)(f) GDPR. Our legitimate interest required to do so is based on facilitating contact, enhancing the effectiveness of our response to your questions and the above-mentioned purposes.
Your messages will be received by a smartphone dedicated to contact with you. Your contact with us will not be saved and any personal data we collect will be deleted manually once your concerns have been addressed.
We use the services of WhatsApp, Inc. for this form of contact. We have concluded an order processing agreement with WhatsApp, Inc. in accordance with Art. 28 GDPR. This contract guarantees that WhatsApp, Inc. processes the data on our behalf in accordance with the General Data Protection Regulation and protects the rights of the data subject.
We use HubSpot (2nd Floor 30 North Wall Quay, Dublin 1, Ireland) to improve our online marketing activities. This is a software solution with which we cover various aspects of our online marketing.
In particular, this includes:
- Email marketing
- Contact management
- Contact forms
This information is stored on the servers of our software partner HubSpot. It can be used by us to get in touch with visitors to our website and to determine which of our company’s services are of interest to you. The following personal data is collected:
- Email addresses
- First and last names
- Customer data
The processing of your data is based on our legitimate interest in accordance with Art. 6(1)(f) GDPR. This results from the optimization of our activities in online marketing.
k) Using the chatbot
We offer a chatbot, giving you the opportunity to ask questions around the clock, which will be answered immediately. You can also contact us using the digital form.
If you use any input fields, the data you enter – such as your email address and your name – will be recorded by us to answer your questions. The legal basis is Art. 6 para. 1 sentence 1 item b and Art. 6 para. 1 sentence 1 item a of the General Data Protection Regulation (GDPR).
When the chatbot is used for the first time, a Universally Unique Identifier (UUID) is assigned to the user once. This allows an interrupted conversation, search or input with the chatbot to be continued at any time (similar to cookies on websites). It is also stored in events. The UUID remains stored in the browser and assigned to the user until local data is deleted. In order to continuously improve the quality of the chatbot, we record events such as “Bot was displayed” and click events such as “User clicked on answer X”.
The data entered into the chatbot is collected by our order processor (Solvemate, Tempelhofer Ufer 1, 10961 Berlin) and is made available to us for the purpose of evaluation.
l) When submitting a comment in our magazine
You can post a comment on articles in the magazine at https://www.chrono24.ae/magazine/. The following data must be provided, without exception in order to post a comment:
- Your name
- a valid e-mail address
- the comment.
Posting comments on articles is voluntary. We utilise your personal data to publish your comments and allow other users to respond to them. We require your e-mail address to contact you and pursue any legal violations.
Your data are processed for the above purposes on the basis of our legitimate interests per Article 6 para. 1 sentence 1 item f GDPR.
In order for comments to be posted in our magazine, we use Disqus, a service provided by Disqus, 717 Market Street, Suite 700, San Francisco, CA 94103.
You can find more information about how sellers handle data here: https://help.disqus.com/en/articles/1717103-disqus-privacy-policy.
m) Customer ratings via Trustpilot
Your opinion about our products and our service is important to us. We therefore offer you the option of submitting a rating about our platform via Trustpilot A/S's rating service at www.trustpilot.com (Pilestræde 58, 3rd floor, 1112 Copenhagen K, Denmark, hereinafter "Trustpilot"). If you submit a rating, it will be published on our website and on the Trustpilot website. We however reserve the right to delete or not publish the rating.
Upon successful completion of a purchase, you will receive an email from us requesting you to rate our platform and our service. The email will contain a "Business Generated Link" from Trustpilot that will allow you to access Trustpilot and submit a rating regarding your transaction. The "Business Generated Link" will include your first and last name, your country of origin (for example, Germany), your email address and the transaction ID. After you click on the link, your personal information will be transmitted to Trustpilot, so that we can assign your rating to your purchase and ensure the rating's authenticity.
We have signed a data processing agreement with Trustpilot for the use of the rating service. With this agreement, Trustpilot ensures that they process data in accordance with the General Data Protection Regulation and ensure the protection of the data subject's rights.
Ratings submitted directly to Trustpilot can also be published on our website, provided that we were able to ensure the rating's authenticity.
Data processing as part of customer rating via Trustpilot takes place on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. By doing so, we want to ensure the needs-based design and optimisation of our website.
n) Customer reviews on Sitejabber
If you have a billing address in the United States, we invite you to leave us a review on www.sitejabber.com (GGL Projects, Inc. 1528 South El Camino Real, Suite 110, San Mateo, CA 94402). Any review you leave will be published on Sitejabber.
Upon completing your purchase, we will send you an email asking you to review our platform and services. The email will include a "Review request" from Sitejabber. This will take you to Sitejabber's website, where you can leave a review of your transaction. The "Review request" will contain your first and last names, email address, transaction ID, and transaction date. Once you click on the link, your personal information will be forwarded to Sitejabber so that we can match your review to your purchase and guarantee the review's authenticity.
The legal basis for data processing as part of customer reviews on Sitejabber is our legitimate interest per Article 6 Paragraph 1 Point (f) of the GDPR. Data processing enables us to develop needs-based designs and optimize our website based on the information and feedback in customer reviews.
We have signed a data processing agreement, as laid out in Article 28 of the GDPR, with Sitejabber for the use of their review service. With this agreement, Sitejabber ensures that they process data in accordance with the General Data Protection Regulation and guarantees the protection of the data subject's rights.
Sitejabber is located in the United States of America. For EU citizens, this means the transfer of personal data to a third country. Data transfer to the USA is permitted since we have signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Sitejabber has implemented additional measures to ensure adherence to this level of data protection.
o) When using Watch Collection
You have the option of maintaining and managing your watch collection online in your personal Watch Collection by adding watches, storing data and uploading your own pictures of your watches. You can view and manage the Watch Collection from home or on the road. You can also use the Watch Collection to keep an eye on watches that you do not yet own. And you can likewise use the Watch Collection to quickly and easily estimate the value of your watch.
We automatically collect the following data in the process:
- Reference number, brand, model, condition of the watch
- Watch ownership status
You can also specify the purchase price, time and place of purchase and upload a picture of your watch. This information is nevertheless provided only voluntarily.
We process the data listed above for the following purposes:
- to document and assess the value of the user’s personal collection
- to register the user’s interest in individual watches they do not yet own
- to perform a statistical evaluation of everything related to our users’ watches
- to expand our product catalog to include watches previously unknown to us
The data we collect is person-related rather than personal. Person-related data is data with no direct reference to a person from which a person’s identity can be derived. We thus also require a legal basis for processing person-related data.
The processing of such person-related data is based on our legitimate interest in accordance with Art. 6(1)(1)(f) GDPR.
Our legitimate interest in this case is to use the Watch Collection as a source of information on the watch market by statistically evaluating the data in order to enhance our know-how about the current market situation and to optimize our services to better meet the demand in the future.
If you have given your express consent in accordance with Art. 6(1)(1)(a) GDPR, the listed data will also be used for the purchase and sale of the watches in your Watch Collection.
p) Watch purchase and sale in cooperation with Zeitauktion
If you have decided to sell your watch directly to Chrono24 and have given your express consent hereto in accordance with Art. 6(1)(1)(a) GDPR, we will contact you by email and, in cooperation with our subsidiary Zeitauktion GmbH, make you a purchase offer. The following personal data must be transferred to Zeitauktion GmbH for this purpose:
- First and last name
- Email address
- Your free text message, if applicable
- Basic information about the offered watch (brand, model, reference number)
You can also enter your telephone number, which we will then forward to Zeitauktion. This information is nevertheless provided voluntarily.
The above-mentioned personal data is transferred to Zeitauktion GmbH for the purpose of processing the purchase transaction.
Data processing within the meaning of transmission of said data to Zeitauktion GmbH is carried out only after you have given your express consent in accordance with Art. 6(1)(1)(a) GDPR.
We offer you the service of purchasing a watch in cooperation with our subsidiary Zeitauktion GmbH. In doing so, the following personal data is transferred to Zeitauktion GmbH:
- First and last name
- Message from the customer to the dealer’s account
The data listed above is collected in order to sell the watch to customers and ship the sold watch.
We also offer you advice regarding any questions you may have about direct sales in cooperation with Zeitauktion GmbH. To provide you with professional support and process your request as quickly as possible, the following personal data is transmitted to Zeitauktion in order to include its expertise in responding to your questions:
- First and last name
- Telephone number
- The customer’s concerns
The data listed above is processed upon your request and, according to Art. 6(1)(1)(b) GDPR, is necessary for the smooth processing of the purchase transaction and thus for fulfilling the contract and pre-contractual measures.
q) Collection of personal data from third parties
On rare occasions, users may communicate to us personal data from third parties (e.g. authorised representatives, contact persons, different account holders). In such instances where we collect personal data – not from the third party data subjects themselves, but rather through our users – our contractual partners are required to provide information only with the knowledge of the third party data subject. In particular, this includes information about us as the data controller, as well as the disclosed data and the purpose of said disclosure. In all other respects, this data protection information applies to third party data subjects, to the extent that said information is not only relevant for contractual partners. This includes, in particular, information about us as the data controller and our data protection officer, as well as information about the rights of data subjects. Should we, as an exception, receive contact data for a third party data subject, we will inform the data subject directly. However, we do not typically request contact data from third parties. We will only use the third party information for the intended purpose (e.g. necessary contact, payment processing using the account details provided). The data of third party data subjects will be deleted at the latest upon the deletion of the data pertaining to the stated person, or if this person amends or deletes the data concerned. The legal basis for the processing of the data of third party data subjects is Article 6 (1) 1 f GDPR, where said processing is necessary for the pursuit of our legitimate interest in granting our contractual partners the opportunity to involve third parties.
r) The use of live chats
Chrono24 uses a live chat service provided by the company Userlike UG (limited liability). You can use the live chat like a contact form to chat with one of our employees in near real-time. When starting a chat, the following data is logged:
- The date and time the chat was initiated
- Your browser type and version
- Your operating system
- The URL of the website where the chat was initiated
Over the course of the conversation with our employees, other personal data you enter may also be logged. The data this applies to largely depends on your request and/or the issue you've contacted us about. Processing this data enables us to offer you a quick and efficient way to contact us and, thus, improve our customer service.
We have signed a data processing agreement with Userlike for the use of the live chat service. With this agreement, Userlike ensures that they process data in accordance with the General Data Protection Regulation (GDPR) and guarantees the protection of the data subject's rights.
Data processing occurs on the basis laid out in Article 6, Section 1, Paragraph 1, Sentence (f) of the GDPR, which requires a legitimate interest from the party wishing to use the data. In this case, we collect data in the interest of facilitating communication and, thus, improving our customer service.
s) Participation in user studies
You are offered the opportunity to participate in user studies on the platform. The purpose of these voluntary user studies is to gather targeted insights into users' behavior, needs, and motivations. This helps optimize Chrono24's platform, apps, products, and processes.
If you decide to participate in a user study, you will be forwarded to a screening questionnaire in a tool called Hotjar. This questionnaire checks whether you are a good match for the study. This involves the processing of the following data:
- Your name
- Your email address
- Your phone number
With your consent, this data is processed based on Article 6 Paragraph 1 Sentence 1 Point (a) of the General Data Protection Regulation (GDPR).
For the questionnaires, we work with the service provider Hotjar Ltd. (Level 2, St. Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta). Chrono24 GmbH has signed a data processing agreement with Hotjar Ltd. as laid out in Article 28 of the GDPR. With this agreement, Hotjar Ltd. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.
Furthermore, in the questionnaire, you will be asked which additional processing of your personal data you consent to as part of the user study. With your consent, the following processing occurs according to Article 6 Paragraph 1 Point (a) of the GDPR:
- Recording the conversation
- Sharing and recording your screen
The recording facilitates the internal evaluation of the study and is deleted upon the study's completion. It takes place using the video and telecommunication software called Zoom. Zoom is a service provided by Zoom Video Communications Inc. (55 Almaden Blvd., 6th Floor, San Jose, CA 95113) in the United States of America. For EU citizens, this means the transfer of their personal data to a third country. Chrono24 GmbH has signed a data processing agreement with Zoom Video Communications as laid out in Article 28 of the GDPR.
Both parties have also agreed to standard data protection clauses that guarantee an adequate level of protection. Furthermore, we have implemented additional security measures by changing our Zoom configurations so that all "online meetings" are only processed by data centers in the European Union, European Economic Area, or secure third countries like Canada or Japan.
t) After-sales activities through an external call center
To improve the lead time of after-sales calls, we make use of a call center. If you potentially initiated a purchase on the platform, you will be forwarded to a call center so that you can be called to confirm whether or not a sale took place. This involves forwarding the following personal data to the call center:
- Your first and last names
- Your phone number
Personal data is processed according to Article 6 Paragraph 1 Sentence 1 Point (f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH's legitimate interests required by this clause are the improvement of the lead time of after-sales calls and the associated improved customer experience.
We use the services of Termitel GmbH (Zehntwiesenstr. 37, 76275 Ettlingen, Germany) to conduct after-sales calls. Chrono24 GmbH has signed a data processing agreement with Termitel GmbH as laid out in Article 28 of the GDPR. With this agreement, Termitel GmbH, as the call center operator, guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.
u) Using the Private Client Advisor Service
If you make use of our Private Client Advisor Service, we will process your data to provide the following services:
- Personal data from your contact request or Chrono24 account so we can contact you.
- Information about your use of the Chrono24 marketplace and its features (e.g., the Notepad, saved searches, the Watch Collection) to help search for watches and provide you with suitable watch offers.
- Information about ongoing requests and orders to offer you proactive support on our platform.
- Your previous communication with Chrono24 to have an overview of what's already been discussed.
The legal basis for data processing is your permission according to Article 6 Paragraph 1 Point (a) of the GDPR. You can revoke this permission at any time in your user account or by sending an email to email@example.com.
Disclosure of data
We only disclose your personal data to third parties if:
- you have expressly consented thereto in accordance with Article 6 para. 1 p. 1 item a GDPR
- there is a legal disclosure obligation pursuant to Article 6 para. 1 sentence 1 item c GDPR
- disclosure is required pursuant to Article 6 para. 1 sentence 1 item f GDPR in order to assert or defend against claims or exercise legal rights and there are no grounds to assume that you have a prevailing legitimate interest in non-disclosure of your data.
Information in accordance with Article 26 (2) (2) GDPR
about joint responsibility for the processing of personal data
a) Chrono24 GmbH and subsidiaries
Chrono24 and our subsidiaries (hereinafter jointly referred to as “parties” or “we”) work closely together in many areas due to our organisational structure. We use uniform EDP systems across all our businesses and operate joint databases in which, in particular, customer data from both parties is processed.
In doing so, we process the personal data of dealers and users of the online platforms of Chrono24 as joint controllers in accordance with Article 26 GDPR. Due to this joint responsibility, we have concluded an agreement with regard to the personal data concerned.
Chrono24 is responsible for the processing of personal data as far as this relates to the provision of EDP systems and internal databases to customers.
Both parties are responsible for entering data into the internal databases and maintaining the records of personal data of both registered and unregistered platform users, as well as personal data of registered dealers.
As part of our joint responsibility, we have in particular also agreed the specific obligations under the GDPR that each party shall fulfil. This concerns, in particular, the exercise of the rights of data subjects and compliance with the information obligations under Articles 13 and 14 GDPR.
Both parties have agreed that Chrono24 shall publish on its platforms the information required in accordance with Articles 13 and 14 GDPR relating to joint data processing and the essential content of the processing conditions.
Both parties shall also inform each other of data protection rights asserted by affected users. They shall provide each other with all the information necessary to respond to requests for information.
Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 undertakes to comply with the rights of data subjects to information about, correction, erasure or blocking of their personal data upon request.
b) With dealers of Chrono24 GmbH
We and our contractual partner (hereinafter “dealer”) work together contractually in connection with the online marketplace for watches. Chrono24 operates the online platform on which the respective dealer can sell and buy watches.
In this context, Chrono24 and the respective dealer process the personal data of users of the platform as jointly responsible parties, under Article 26 GDPR. Chrono24 and the respective dealer have concluded an agreement based on this joint responsibility with regard to the personal data concerned.
Under this agreement, Chrono24 is responsible for the processing of personal data, as far as it concerns the techniques for analyzing the behavior of users on the website, the statistical evaluation and provision of statistical data for the dealer, and the transmission of customer contact data for the purpose of order processing/shipping. The respective dealer, on the other hand, is responsible for the processing of personal data, insofar as this concerns the parameterization of statistical data via the drop-down function and the receipt and use of contact data for shipping the object of purchase.
Chrono24 and the respective dealer have in particular also agreed, in the context of the joint responsibility, which of them will fulfil which obligation under GDPR. This concerns in particular the exercise of the rights of the data subjects and the fulfilment of the information obligations under Articles 13 and 14 GDPR.
Both parties have stipulated that Chrono24 shall publish on its platform the information required under Articles 13 and 14 GDPR with regard to the data processing regulated within the scope of joint responsibility as well as the essential content of the processing conditions.
Both sides shall also inform each other of any data protection rights asserted by affected users. They shall provide each other with all information necessary to respond to requests for information.
Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 shall comply with the obligation to provide information, as set out in Art. 15 GDPR, and to provide the persons concerned with the information they are entitled to, as set out in Art. 15 GDPR, on request.
Visibility of your data to third parties
a) As user and private seller
Personal data stored in connection with your user account (myChrono24, see items 2.b) i) and ii) ) cannot be viewed by third parties unless you have published offers on the platform. When you publish an offer on the platform as a private seller, registered and unregistered users will only be able to see your provider data on the platform if have expressly consented to their publishing in accordance with Article 6 para. 1 sentence 1 item a GDPR.
b) As merchant
If you are registered as a merchant and publish offers on the platform, registered and unregistered users can view your provider data on the platform (as per item 2.b) iii)). You can restrict the visibility of your data during registration so that your address is not displayed, and thereafter in your profile settings.
The publication of the merchant data is required to fulfil and execute the contract between Chrono24 and the merchant as part of use of the platform in accordance with Article 6 para. 1 sentence 1 item b GDPR.
Cookies and pixels
Where in the case of technically necessary cookies personal data is also processed, this processing is based on our legitimate interests in accordance with Art. 6(1)(f) GDPR. Our ability to operate our website without interference is considered a legitimate interest within the meaning of the aforementioned provision. Scripts that are not technically necessary will only be activated following your prior express consent. For information on the specific scripts used, see Section 6.
Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not harm your device and do not contain any viruses, Trojans or other malicious software.
The cookie stores information that arises in connection with the specific device used. This does not mean, however, that we obtain direct knowledge of your identity.
On the one hand, cookies are used to make using our offer more pleasant for you. For example, we use what are known as session cookies to recognize that you have already visited individual pages of our website or have already logged into your user account. These will be automatically deleted after you leave our site.
In addition, we also use temporary cookies, which are stored on your device for a specified time, to optimize the user experience. If you revisit our site to use our services, we will automatically recognize that you have already visited us and which entries and settings you have made, to save you from having to re-enter them.
Most browsers accept cookies automatically. However, you can configure your browser to reject cookies or to notify you before a new cookie is saved. Complete deactivation of cookies can, however, mean you are unable to use all of the functions of our website.
Pixels, also known as tracking pixels, are small 1x1 pixel GIF files that can be stored in graphics or emails, e.g. when you visit a website. Pixels also do not harm your device and do not contain any viruses, Trojans or other malicious software.
The pixels send to a web server your IP address, the referrer URL of the visited website, the time at which the pixel was viewed, the browser used and previously saved cookie information. This makes it possible for us to carry out reach measurements and other statistical evaluations to optimize our platform and our offer.
Most browsers accept pixels automatically. You can prevent the use of pixels on our pages by using appropriate tools or browser add-ons (e.g. via the “AdBlock” add-on for Firefox).
a) Tracking tools
The respective data processing purposes and data categories can be found in the following list.
i) Google Analytics
- Browser type/version
- Operating system used
- Referrer URL (page last visited)
- Host name of accessing computer (IP address)
- Server query time
is transferred to a Google server in the USA and stored there. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
The information is used to evaluate use of the website, to compile reports on website activity, and to provide further services associated with website and Internet use for the purposes of market research and needs-based design of these web pages. This information may also be forwarded to third parties as appropriate, insofar as this is prescribed by law or insofar as these parties process the data on behalf of the commissioning party. Under no circumstances will your IP address be merged with other data from Google. IP addresses are anonymized to exclude all possibility of such association (IP masking).
The user can prevent the installation of cookies by adjusting his/her browser accordingly from the outset; however, we must point out that in this case not all functions of the website may be available to the user to their full extent.
Further information on data protection in connection with Google Analytics can be found in Google Analytics Help .
ii) Google Adwords Conversion Tracking
We also use Google conversion tracking in order to statistically record the use of our website and for the purpose of optimizing our offer for you. Google AdWords saves a cookie (see Section 5) on your computer if you have accessed our website via a Google ad. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
These cookies will expire after 30 days and will not be used for personal identification. If the user visits certain pages of the AdWords customer’s website and the cookie has not yet expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this page.
Each AdWords customer receives a different cookie. Cookies cannot be tracked via the websites of AdWords customers. The information collected via the conversion cookie is used to generate conversion statistics for AdWords customers who have chosen conversion tracking. AdWords customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
We use the Hotjar analytics service (3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe) on our website. Hotjar is a tool for studying user behaviour that enables us to measure and evaluate the behaviour of visitors to our website (such as mouse movement, clicks and scroll height).
Hotjar places cookies for this purpose (see item 5) on the devices of site visitors which can store their browser information, operating system, data on time spent on the site, etc. in anonymised form.
iv) Bing Ads
We utilise Bing Universal Event Tracking (UET) from Microsoft Bing Ads. This is a service of the Microsoft Corporation ("Microsoft") that allows us to track user activity on our website when the user navigates to our website via Bing Ads advertisements.
A cookie is placed on your computer when you visit our website via a Bing Ads ad, (see item 5). A Bing UET tag is integrated into our website. This tag is a code which in combination with the cookie stores certain non-personally data about your use of the site. This includes the time spent visiting the website, the areas of the website that were visited and the ads via which the user navigated to the website. Information about your identity is not collected.
This information is transmitted to Microsoft servers in the USA and stored there for a maximum of 180 days. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
For more information on Bing analytics services, visit the Bing website.
See the Microsoft Data Privacy Policies for further information about data protection at Microsoft .
For the purpose of fraud prevention, we transmit your IP address and information about the device you are using to the service provider MaxMind, Inc. (14 Spring Street, 3rd Floor Waltham, MA 02451, USA, hereinafter referred to as “MaxMind”). Your data will be transmitted to a MaxMind server in the USA and stored there. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection. This gives us statistical analyses of IP addresses, devices used, and locations in order to detect and prevent fraud attempts.
Your data is processed exclusively for this purpose. This data is deleted when you end usage. Further information on data protection in connection with MaxMind can be found here.
You can prevent geolocalisation by blocking the placement of cookies by changing the settings on your browser accordingly; in such case however you may not be able to fully utilise the entire range of the features of this website.
Our mobile app uses crashlytics analysis software of Google Ireland Limited with registered office at Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Crashlytics"). Crashlytics collects app usage data specifically relevant to system crashes and errors. Data is gathered about the device and app version installed as well as other information which facilitates troubleshooting, such as data relating to the user's software and hardware. For further information see the Crashlytics Data Protection Policy: https://try.crashlytics.com/terms/privacy-policy.pdf.
You can opt out of the use of Crashlytics in the privacy settings of our Mobile App.
b) Targeting tools
The respective data processing purposes and data categories can be found in the following list.
i) Google Adwords remarketing
Google then removes the last three digits of the IP address, rendering definite cross-referencing of the IP address impossible. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and provide other website and internet usage-related services.
Google may also forward this information to third parties as appropriate, insofar as this is prescribed by law or insofar as these parties process the data on behalf of Google. Third-party providers, including Google, place ads on websites on the Internet. Third-party providers, including Google, use stored cookies to place ads based on a user’s previous visits to this website. Under no circumstances will Google combine your IP address with other Google data.
More information about Google's terms can be found here .
ii) Google Double Click
Cookies are used on our website to collect and evaluate data for the purpose of optimising advertising (see item 5). For this we use targeting technologies of Google Inc. (Double Click, Double Click Exchange Buyer, Double Click Bid Manager). These technologies enable us to serve advertising to you in targeted fashion based around your interests. The cookies are used, for example, to record information about which of our products you are interested in. Using this information we can market offers to you on our website or third-party websites which are oriented around your specific interests as predicted based on your historical user behaviour. Data collected and evaluated pertaining to your user behaviour exclusively on a pseudonymous basis so that it is not possible for us to identify you. In particular, this data is not merged with personal data about you.
Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
The cookie is automatically deleted after 30 days.
You can also configure setting for the display of interest-based advertising via the Google Ads Settings Manager.
iii) Facebook Custom Audiences
We utilise Facebook Website Custom Audiences, a service of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). This Facebook marketing service allows us to display personalised and interest-based advertising on Facebook for particular groups of pseudonymised visitors to our website who use Facebook.
In an automated process there it is checked whether you have a Facebook cookie stored. The Facebook cookie automatically determines whether you belong to the target group relevant for us. If you belong to the target group, we then show you relevant ads of ours on Facebook. In this process, you are not personally identified, either by us or by Facebook.
You can also object to the use of the Custom Audiences service on the Facebook website. After logging into your Facebook account, you will be taken to your Facebook ad settings.
This website uses technologies from Criteo SA (32 Rue Blanche, 75009 Paris, France) to collect and store data for marketing and optimization purposes. Together with Criteo, we determine the purposes and means of processing and are therefore jointly responsible for processing. Chrono24 is responsible for the processing of data subjects’ rights.
When Criteo is used, additional pixels of partners of Criteo are loaded as well. An overview of all publishers and networks that load pixels is provided here .
Please note that if you disable the displaying of personalized ads by Criteo and other advertising partners, you will continue to receive advertisements but they will be less tailored to your interests/browsing behavior.
Information about your user behaviour on our website is collected and evaluated via cookies on our website (see paragraph 5) by our service provider CrossEngage GmbH (Bertha-Benz-Strasse 5, 10557 Berlin). This allows us to tailor our marketing activities around your actual or predicted interests and display ads on other websites or advertising channels.
Further information on data protection in connection with CrossEngage can be found here .
Social Media Plug-ins
Social media buttons are integrated using a specially developed solution that prevents a connection to a social network being established just because you call up a page with a social media button without activating it. This means that information is not transmitted to the social network until you activate the button.
Our platform uses social media plug-ins of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland) to personalise the experience through usage of "LIKE" and "SHARE" buttons. These are a Facebook offering.
When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, your browser establishes a direct connection to Facebook servers. The plug-in content is sent by Facebook directly to your browser and integrated into the page.
When a plug-in is integrated, Facebook receives the data the browser you used to access the page of our website in question even if you do not have a Facebook account or are currently not logged in to Facebook. This data (including your IP address) is transmitted by your browser directly to a Facebook server in the US and stored there.
If you are logged into Facebook, Facebook can directly reference your visit to our website your Facebook account. If you interact with a plug-in such as by pressing a "LIKE" or "SHARE" button, the corresponding information data is also transmitted directly to a Facebook server and stored. This data is posted on Facebook and displayed to your Facebook friends.
Facebook can use this data for the purposes of advertising, market research and structuring Facebook pages in line with user needs. This involves Facebook creating user, interest and relationship profiles, for example to evaluate your use of our website in relation to advertisements displayed on Facebook, to inform other Facebook users of your activities on our website and to provide other services related to use of Facebook.
If you do not want Facebook to reference information about you from our website to your Facebook account, you must log out of Facebook before visiting our website.
Please see the Facebook data privacy notices for information regarding the purpose and scope of data collection, further processing and use of data by Facebook, your data privacy rights and data privacy configuration settings.
Plug-ins of the news and social networking firm Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland, hereinafter "Twitter") are integrated into our web pages. Twitter plug-ins (Tweet button) bear the Twitter logo, making them identifiable on our website. An overview of Tweet buttons can be found here .
When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, a direct connection is established between your browser and a Twitter server. Twitter then receives the information that you have visited our page, and your IP address. You can link content from our webpages with your Twitter account by clicking on the Twitter "Tweet" button while logged into your Twitter account. This enables Twitter to cross-reference your visit to our webpages to your user account. Please note that as website provider we have no knowledge of the content of the data transmitted or regarding its use by Twitter.
You should log out of your Twitter account first if you do not want Twitter to be able to cross-reference your visit to our webpages to your Twitter user account.
Our website utilises Instagram social plug-ins ("plug-ins") operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram").
The plug-ins bear an Instagram logo, such as the "Instagram camera".
When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, your browser establishes a direct connection to Instagram servers. The plug-in content is sent by Instagram directly to your browser and integrated into the page. When a plug-in is integrated, Instagram receives the data the browser you used to access the page of our website in question even if you do not have an Instagram profile or are currently not logged in to Instagram.
This data (including your IP address) is transmitted by your browser directly to an Instagram server in the US and stored there. If you are logged into Instagram, Instagram can directly reference your visit to our website your Instagram account. If you interact with a plug-in such as by pressing an Instagram button, the corresponding information data is also transmitted directly to an Instagram server and stored.
This data is also published on your Instagram account and displayed to your contacts there.
If you do not want Instagram to directly reference information about you from our website to your Instagram account, you must log out of Instagram before visiting our website.
On our website, you have the option of being redirected straight to our YouTube page. This is not a link requiring consent pursuant to Art. 6(1)(a) GDPR. In addition, we use YouTube’s privacy-enhanced mode to prevent these links from saving cookies that analyze usage behavior.
The controller for this external link is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Tool for sending emails
In order to send transaction and service emails, we pass on your email address to an email service provider. We use the following service providers:
We use the Mailgun tool developed by Mailgun Technologies, Inc., 535 Mission St., San Francisco, CA 94105, USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how sellers handle data here: https://www.mailgun.com/privacy-policy.
We use the Sparkpost tool developed by Message Systems Inc., 301 Howard St. Suite 1330 San Francisco, CA 94105, USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how sellers handle data here: https://www.sparkpost.com/policies/privacy/.
Data processing as part of sending transaction and service emails takes place on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. By doing so, we wish to ensure that communication processes are automated in a needs-based manner, in particular with regard to those actions undertaken by you, or in order to be able to inform you about security-relevant matters as quickly as possible.
Solutions for fraud prevention
We want to make the sales process on Chrono24 as secure as possible for you. We therefore use solutions from specialized service providers in order to prevent fraud and obtain information from these service providers about transactions on Chrono24. The IP address of the device that accesses our website, other data related to the use of Chrono24, etc. are processed. It is not possible for us to assign such data to a specific user. We will only do this in cases where fraudulent behavior is suspected based on the information. The specialized service providers may be companies based in the USA. Only service providers working in accordance with the EU Commission’s so-called standard contractual clauses will be selected accordingly. This ensures that we only work with service providers who meet the level of data protection required within the EU. The legal basis is Art. 6 (1)(1)(f) GDPR. Preventing fraudulent acts that are detrimental to our clients as well as to us is expressly recognized by GDPR as a legitimate interest.
To identify users of our platform we use the AutoIdent solution from IDnow (Auenstraße 100, 80469 Munich, Germany). This is a verification app that uses a smartphone camera to capture the end user’s ID document and then proceed with online verification. The following personal data is collected:
- First name
- Last name
- Date of birth
- ID number
- Video recordings of the user’s face
We also collect personal data on the ID document that confirm the identity of the user beyond a doubt.
The AutoIdent solution is not a fully automated process. As soon as the verification app detects any discrepancies, IDnow employees manually double-check the data.
We have concluded an order processing contract with IDnow that entitles us to use the AutoIdent solution. This contract guarantees that IDnow processes the data accordance with the General Data Protection Regulation and protects the rights of the data subject.
Personal data is collected in accordance with Article 6(1)(1)(b) of the GDPR as a pre-contractual measure.
Data is also collected on the basis of Article 6(1)(1)(f) of the GDPR. The general increase in the security of the marketplace constitutes the legitimate interest in this case.
All the information we collect is subject to the data protection regulation. We use all the information exclusively to verify and identify our users.
b) Reporting a listing
If you suspect that a listing is an attempt to commit fraud, you can report the listing to Chrono24 using the appropriate form. This involves forwarding the following personal data to the email delivery services Sparkpost and Mailgun:
- Your name
- Your email address
- Your phone number
Personal data is processed according to Article 6 Paragraph 1 Sentence 1 Point (f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH's legitimate interests required by this clause are preventing fraud and, thus, improving the marketplace's security.
To offer the service and guarantee that the service effectively meets the aforementioned purpose, we make use of the services provided by Message Systems, Inc. (dba SparkPost) (301 Howard St., Suite 1330, San Francisco, CA 94105) and Mailgun Technologies, Inc. (548 Market St. #43099, San Francisco, CA 94104). We have signed data processing agreements with Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. as laid out in Article 28 of the GDPR. With these agreements, Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. guarantee that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.
Both Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. are located in the United States of America. While your personal data is stored on European servers, the potential for personal data to be transferred to the United States remains due to the CLOUD Act. For EU citizens, this means the transfer of their personal data to a third country. Data transfer to the USA is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. have implemented additional measures to ensure adherence to an adequate level of data protection.
Collection of personal data to comply with US sales tax
We rely on the cloud-based solution AvaTax from the service provider Avalara to comply with US tax laws and regulations. This solution automates both the determination of the applicable sales tax rate and the complex calculation of US sales tax. The following personal data are processed with respect to dealers based in the US:
The purpose of data collection is to determine the regional tax regulations we are subject to. In the US, these differ not only at state level but, to some extent, also from county to county. This is why we need to know the exact dealer location in the US in order to use AvaTax to determine the correct sales tax rate.
We have concluded a data processing agreement with Avalara for the use of the cloud-based tax compliance solution. Under this agreement, Avalara guarantees that the data processing will meet the requirements of the General Data Protection Regulation (GDPR) and ensure the protection of the rights of the data subjects.
The legal basis for data collection is Article 6(1)(c) GDPR, as the processing is necessary to fulfill our legal obligation to comply with US tax laws.
Rights as data subject:
You have the right:
- to revoke consent you have granted us at any time in accordance with Article 7 para. 3 GDPR. This applies non-retrospectively, so that without your consent we are no longer allowed to process data thereafter
- to request information about the personal data of yours which we are processing in accordance with Article 15 GDPR. In particular, you are entitled to receive information about the processing purposes, the types of personal data, the types of recipients to whom your data has been disclosed, the intended storage retention period, about your rights to demand correction, deletion, processing restriction and to file objection, about your complaint rights, the source of your data if not collected by us, and whether automated decision-making is utilised, including profiling, along with relevant details as appropriate
- to demand the correction of incorrect personal data and the addition of incomplete personal data we have stored, in line with Article 16 GDPR
- to demand the deletion of your personal data stored by us, except if processing is necessary to exercise freedom of expression speech and information rights, to fulfil a legal obligation, for reasons of public interest or to assert or defend against legal claims or exercise rights, in line with Article 17 GDPR
- to demand the restriction of your personal data from processing in accordance with Article 18 GDPR if you dispute the correctness of the data or processing is unlawful but you reject its deletion and we no longer need the data yet you require the data in order to assert or defend against legal claims or exercise rights, or if you have filed objection to processing in accordance with Article 21 GDPR
- to receive your personal data from us in a commonly used, structured, machine-readable format, and to request such to be sent to a different data controller in line with Article 20 GDPR
- to lodge complaint with a supervisory authority in line with Article 77 GDPR. Generally you should contact the supervisory authority for your primary place of residence, your place of work or our company headquarters.
Right to file objection
If your personal data are processed on the basis of on legitimate interests in accordance with Article 6 para. 1 sentence 1 item f GDPR, you have the right to file an objection against the processing of your personal data pursuant to Article 21 GDPR given reasons for doing so which pertain to your special circumstances or the objection pertains to direct advertising. In the latter case you enjoy a general right to file objection which we will act upon without your having to outline any special circumstances.
We utilise the widely used TLS (Transport Layer Security) method for our website in combination with the highest level of encryption supported by your browser. TLS is a secure and proven standard utilised in online banking, for example. A secure TLS connection is indicated among other things by the letter ‘s’ appended on the ‘http’ (i.e. https://..) in the address bar of your browser, and by a lock icon appearing at the bottom of your browser.
We furthermore implement appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction and unauthorised access by third parties. The security measures we implement are continuously upgraded to remain in line with technological progress.
If you register with us as a user, you can only access your user account after entering your personal password. You should always keep your access data confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.
We take company-internal data protection very seriously as well. We bind our staff and commissioned service provider firms to uphold confidentiality and comply with data protection regulations.
Version of and changes to this Data Protection Policy
This Data Protection Policy is the latest, valid version, last updated in January 2022.
Changes to our website and offers marketed via the website and changes in legal or regulatory requirements may necessitate updating of this Data Protection Policy. You can view and print out the latest updated version of this Data Protection Policy at any time on the website