Privacy Notice.

for the use of the cvift.-service of cvift. GmbH, Belfortstrasse 4A, 50668 Cologne

The protection of personal data is important to us at cvift. Therefore, we conduct our activities in accordance with the applicable legislation on the protection of personal data and data security. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

Please read the following data protection declaration carefully, with which we would like to inform you about our processing operations and at the same time comply with the legal obligations, in particular those arising from the EU General Data Protection Regulation (“GDPR”). If you have a question about data protection that you cannot answer with the help of this data protection declaration, please contact us at privacy@cvift.com.

1. Responsible Party, Contact

Data controller according to Art. 4 Abs. 7 GDPR is

cvift. GmbH

Belfortstrasse 4A

50668 Cologne

Germany

www.cvift.com

(see also our imprint at www.cvift.com/imprint).

Our privacy team can be reached by e-mail at privacy@cvift.com or our postal address with the addition "the privacy team".

2. Scope of this Privacy Policy

In the following we inform you about the processing of personal data when you visit our website, when you use our cvift.-service online or via mobile application or if you should contact us by e-mail or by post.

3. Information about the collection of personal data

What data we collect:

Information that you as a user provide to us:

When using our Services, you choose to provide us with certain information. These include:

• When creating an account, you provide us with the following data categories: name, e-mail address, postal address, mobile phone number, billing information if applicable, password.
• When creating a candidate profile, please provide us with the following data categories: professional background, professional experience, level of knowledge, postal code, requirements for a new position such as hours, salary expectations, perks and benefits, training, etc.
• When creating a company profile, you may provide us with the contact details of your contact persons and employees.
• When you contact us by e-mail or by post, the data you provide (in particular your name and your e-mail address or postal address) will be stored by us in order to answer your questions.

Information we receive from third parties:

In addition to the information you provide to us directly, we may also receive information about you from third parties:

• Other Users: Other users of the cvift. services, particularly corporate customers, may provide information about you, e.g. when they interact with you or when they submit a report concerning you.

Information automatically generated and collected when using the service:

When you use our website and service, technical data is generated about what features you used, how you used them, and what devices you use to access our services. These include:

• Server log files/protocol files: The provider of the website and our service portal automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. The legal basis for the processing is our legitimate interest, Art. 6 Abs. 1 S. 1 lit. f) GDPR. The following data is transmitted:

• Date and time of retrieval
• IP address of the calling device
• Hostname of the accessing device
• Website from which the website was accessed
• Websites accessed through the website
• Visited page on our website
• mount of data transferred
• Message whether the retrieval was successful
• Information about the browser type and version used
• Operating system

This data is not merged with other data sources. We reserve the right to subsequently check this data if we become aware of specific indications of illegal use.

• Cookies:

(1) We use cookies on our website. Cookies are text files that are stored by the browser on your hard drive and assigned to the browser you are using, so that certain information flows to the place that sets the cookie. Cookies are primarily used to make the website faster and more user-friendly.

By default, your browser accepts and stores these cookies as they do not pose a security risk. If you do not want cookies be set from cvift., you can deactivate this function in your browser. However, we would like to point out that in this case you may not be able to use all the functions of our website in full. Necessary cookies are required for the basic functions and error-free display of our website.

(2) When you visit our website and at any later stage, you can choose whether you want to generally allow the setting of cookies or which individual additional functions you want to select. You can edit your cookie settings at any time here:

(3) So-called transient cookies, in particular session cookies, are automatically deleted when the browser is closed or when you log out. They contain a so-called session ID. In this way, various requests from your browser can be assigned to the joint session and your computer can be recognized when you return to our website. On the other hand, so-called persistent cookies are automatically deleted after a specified period of time, which varies depending on the cookie. You can view the cookies that have been set and their runtimes at any time in your browser settings and delete the cookies manually.

(4) The following types of cookies are used by cvift. used:

Plausible: We use "Plausible Analytics" to analyze the usage behavior of our website in order to continuously optimize its content and technology. Plausible is a trademark of Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, registration number 14709274, hereinafter referred to as "Plausible". Plausible Analytics is fully GDPR-compliant.

Plausible pursues a particularly data protection-friendly approach to analyzing your visit. For this purpose, Plausible collects the following information, among others Date and time of your visit, title and URL of the pages visited, incoming links, the country you are in and the user agent of your browser software. Plausible does not use or store "cookies" on your end device. All personal data (e.g. your IP address) is stored completely anonymized in the form of a so-called hash. A hash is an encryption of data that cannot be reversed, i.e. cannot be "decrypted". In this way, we can analyze your visit without storing personal data in a form that could be read by us, Plausible or third parties.

Further information on data protection at Plausible can be found at https://plausible.io/data-policy.

The legal basis for the processing is Art. 6 para. 1 lit. f) GDPR.



Our presence in social networks:

(1) We have various presences on so-called social media platforms. We have presences with the following providers:

LinkedIn

Website: https://de.linkedin.com/

Privacy: https://de.linkedin.com/legal/privacy-policy?trk=seo-authwall-base_footer-privacy-policy

Twitter

Website: https://twitter.com/

Privacy: https://twitter.com/de/privacy

Reddit

Website: https://www.reddit.com/

Privacy: https://www.reddit.com/de-de/policies/privacy-policy

(2) For these information services, we use the technical platform and the services of the providers. We would like to point out that you use our presences on social media platforms and their functions at your own risk. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating). When you visit our website, the providers of the social media platforms record, among other things, your IP address and other information that is available on your end device in the form of cookies. This information is used to provide us, as the operator of the accounts, with statistical information about interactions with us.

(3) The data collected about you in this context will be processed by the platforms and, if necessary, transferred to countries outside the European Union, in particular the USA. According to their own statements, all of the aforementioned providers maintain an appropriate level of data protection that corresponds to that of the former EU-US Privacy Shield and we have concluded the standard data protection clauses with the companies. We do not know how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. Data processing can differ depending on whether you are registered and logged in to the social network or visit the site as a non-registered and/or non-logged in user. When accessing a post or the account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your end device can be used to track how you have navigated the web. Via buttons integrated into websites, it is possible for the platforms to record your visits to these pages and to assign them to your respective profile. Based on this data, content or advertising tailored to you can be offered. If you want to avoid this, you should log out or deactivate the "remember me" function, delete the cookies on your device and restart your browser.

(4) As the provider of the information service, we only process the data from your use of our service that you provide to us and that require interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing, which we describe in this privacy statement. The legal basis for the processing of your data on the social media platform is Art. 6 Abs. 1 S. 1 lit. f GDPR.

(5) To exercise your rights as a data subject, you can contact us or the provider of the social media platform. If one party is not responsible for answering or has to receive the information from the other party, we or the provider will then forward your request to the respective partner. If you have any questions about creating a profile or processing your data when using the website, please contact the operator of the social media platform directly. If you have any questions about the processing of your interaction with us on our site, write to the contact details we have provided above.

(6) The providers describe what information the social media platform receives and how it is used in their data protection declarations (see link in the table above). There you will also find information about contact options and the setting options for advertisements.

Purposes, legal basis and storage period of the personal data

(1) Account management (creating an account, verifying identity, etc.)

Processed personal data:

Personal data: last name, first name, date of birth, identification document* (identity card, passport)

Contact details: e-mail address, telephone number, postal address.

Password.

*cvift. may request a photocopy of an identification document to ensure the identity of the user at the time of creating their account.

Legal basis for processing:

Necessary for the fulfilment of the contract we have with you or for taking steps at your request prior to entering into a contract.

(Art. 6 Abs.1 S.1 lit. b) GDPR).

Retention period:

3 months after the end of the contractual relationship.

Storage of a copy of an ID card until complete identification.

(2) Execution of the contract

Processed personal data:

Data you provide in your profile.

Messages that you exchange with other users.

Payment details.

Legal basis for processing:

Fulfillment of the contract concluded with you (Art. 6 Abs. 1 S.1 lit.) b GDPR).

Retention period:

3 months after the end of the contractual relationship.

(3) Billing, Accounting

Processed personal data:

Transaction-related information such as payment details, name, address, e-mail.

Legal basis for processing:

Fulfillment of the contract concluded with you (Art. 6 Para. 1 S.1 lit.) b GDPR) and our legitimate interest (Art. 6 Abs. 1 S.1 lit. f) GDPR).

Retention period:

3 months after the end of the contractual relationship and possibly longer if there are statutory retention requirements.

(4) Improving and developing our service

Processed personal data:

User behavior, e.g. which pages are visited and which functions are used.

Legal basis for processing:

Your consent (Art. 6 Abs. 1 S. 1 lit. f) GDPR).

Retention period:

Max. 14 months.

(5) Controlling and ensuring compliance with our Terms of Use and applicable law

Processed personal data:

In particular, content made available in the profile and messages sent to other users

Legal basis for processing:

Fulfillment of the contract concluded with you (Art. 6 Abs. 1 S.1 lit.) b GDPR) and our legitimate interest (Art. 6 Abs. 1 S.1 lit. f) GDPR) as well as legal obligations (Art. 6 Abs. 1 lit. c) GDPR)

Retention period:

3 months after the end of the contractual relationship and possibly longer if there are statutory retention requirements.

(6) support

Processed personal data:

Contact details.

Your request.

Legal basis for processing:

Fulfillment of the contract concluded with you (Art. 6 Abs. 1 S.1 lit.) b GDPR) and our legitimate interest (Art. 6 Abs. 1 S.1 lit. f) GDPR).

Retention period:

3 months after the end of the contractual relationship.

(7) Analysis of the use of applications and devices (navigating the website and using the cvift. app)

Processed personal data:

Server log files, log files.

Legal basis for processing:

Our legitimate interest (Art. 6 Abs. 1 S.1 lit. f) GDPR).

Retention period:

For connection logs: 6 months.

For the IP address: 1 year from the date of registration.

(8) Marketing and analytics through cookies and analytics services

Processed personal data:

Connection and usage data.

https://www.cvift.com.

Legal basis for processing:

Your consent (Art. 6 Abs. 1 S. lit. a) GDPR).

Retention period:

Max. 14 months.

(9) Anonymization of user data for the purposes of analyses, studies and market reports

Processed personal data:

All data specified in the profile or search profile.

All data is rendered anonymous and can no longer be assigned to a specific person.

Legal basis for processing:

Our legitimate interest (Art. 6 Abs. 1 S.1 lit. f) GDPR).

Retention period:

--

In individual cases, there may be statutory retention requirements and the storage period may be longer than the specified period.

4. Disclosure of your data to third parties

• To enable companies and candidates to be matched, we pass on the data you provide in your profile in pseudonymised form to other registered users of the cvift. service (corporate customers). Other users can only see your full profile upon request and with your personal approval.
• In order to operate and make our service available, we pass on data to service providers. We have contract processing agreements in place with all of our subcontractors. Our subcontractors are:

Amazon Web Services Inc.

Head office:

410 Terry Avenue North Seattle WA 98109, USA

Server location:

USA

Type of service:

Content Delivery Network

Service:

Provision of scalable storage and delivery capacities

checkdomain GmbH a dagado group company

Head office:

Große Burgstraße 27/29, 23552, Lübeck, Germany

Server location:

Germany

Type of service:

Hosting

Service:

Hosting provider for our website

Facebook Inc.

Head office:

1 Hacker Way Menlo Park, CA 94025, USA

Server location:

USA

Type of service:

Social network

Service:

Social networking platform, instant-messaging

Fonticons Inc.

Head office:

307 S Main St Ste 202 Bentonville, AR, 72712-9214, USA

Server location:

USA

Type of service:

Rendering

Service:

Provision of fonts and website icons

salesforce.com Germany GmbH

Sitz:

Erika-Mann-Straße 31, 80636 München, Germany

Server location:

Germany

Type of Service:

Content Management, Cloud CRM System

Service:

Management of customer contacts, organization of sales and communication processes

Mouseflow ApS

Headoffice:

Flaesketorvet 68, 1711 Kopenhagen, Dänemark.

Server location:

EU

Typ of Service:

Websiteoptimisation

Service:

Monitoring  Websiteusage

Functional Software, Inc / Sentry.io

Headoffice:

45 Fremont Street 8th Floor San Francisco, CA 94105.

Server location:

USA

Typ of Service:

Errorlogging

Service:

Errorlogging

• We may share your information if reasonably necessary: ​​(i) to comply with a legal process, such as a court order, subpoena or search warrant, governmental/criminal investigation, or other legal process; (ii) to assist in the prevention and investigation of crime (in each case subject to applicable law); or (iii) to protect the safety of others.
• We may disclose your information: (i) where disclosure would reduce our liability in an actual or threatened lawsuit, (ii) where necessary to protect our legal rights and the legal rights of our users, business partners or other stakeholders, (iii ) to perform our contract with you and (iv) to investigate, prevent or take other action against illegal activity, suspected fraud or other wrongdoing.

5. Cross-Border Data Transfer

To provide its services, cvift. Use service providers based outside the European Union. If the transfer takes place to a third country in which the protection of personal data has not been judged to be adequate by law, cvift. ensure that appropriate measures are taken in accordance with the GDPR and that, where necessary, in particular standard contractual clauses or equivalent ad hoc clauses are included in the data processing agreement.

6. Your Rights

You have the following rights towards us with regard to your personal data:

• Right to revoke your given consent

If you have given us your consent to certain processing operations, you can revoke this at any time with effect for the future. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation. The easiest way to withdraw consent is via our Consent Manager https://www.cvift.com or by sending a message to privacy@cvift.com.

• Right to information (Art. 15 GDPR):

Any subject whose personal data we process has the right to access their personal data by requesting information about the personal data we hold.

• Right to rectification or erasure (Art. 16, 17 GDPR):

Each subject can demand the correction of incorrect or incomplete information in their personal data at cvift. As the subject, you can request the deletion of your personal data if this data is no longer required for the purposes of processing. It is possible that a request for deletion cannot be granted, for example if the retention of the personal data is necessary to comply with a legal regulations.

• Right to restriction of processing (Article 18 GDPR):

Any subject may request that the processing of their personal data be restricted or suspended for a specified period of time or - in certain circumstances - indefinitely.

• Right to object to processing (Art. 21 GDPR):

Each subject can object to the further processing of their personal data, which is in the legitimate interest of cvift. or a third party.

• Right to data portability (Art. 20 GDPR):

On the basis of the right of data transfer, a subject may request from cvift. receive stored personal data in a common, machine-readable format, e.g. in CSV or Excel format.

You also have the right, in accordance with Art. 77 GDPR, to complain to a data protection supervisory authority about the processing of your personal data by us.

Responsible data protection authority for cvift. GmbH is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

Kavalleriestraße 2-4

40213 Düsseldorf

Germany

If you have further questions about data protection or want to report a violation of data protection regulations, please contact privacy@cvift.com.