Protecting your privacy and your identity is extremely important to us at F&P GmbH, Karl-Liebknecht-Strasse 12, 04107 Leipzig, Germany. In this document, we explain how your data is processed in accordance with data protection legislation on the basis of the applicable regulations (GDPR). This Data Protection Policy relates to the online services we offer, referred to generally in this Policy as “online offerings” and specifically as the “platform” on websites and the “app” on mobile applications.

In principle, we process personal data only as necessary in order to provide functional online offerings and our content and services. As a rule, personal data is processed only after you have granted your consent. An exception is made in those cases in which it is not possible for practical reasons to obtain your prior consent and the processing of data is permitted by law.

1. Name and contact details of the Controller and Data Protection Officer

1.1 Controller

This Data Protection Policy covers data processing by:
F&P GmbH

Karl-Liebknecht-Strasse 12

04107 Leipzig, Germany

Email: dsb@fp.de

1.2 Data Protection Officer

Our Data Protection Officer can be contacted as follows:

F&P GmbH

Data Protection Officer
Karl-Liebknecht-Strasse 12

04107 Leipzig, Germany

Email: dsb@fp.de

2. General information on the processing of personal data

The operation of our online offering is subject to the natural dynamics of the Internet, and for this reason it is not possible to go into all the details of its functioning. Our goal in this Policy is to cover the most important elements of our data processing.

Personal data is all information relating to an identified or identifiable natural person. Data is processed in order to enable us to present the offerings you want, to fulfil our contractual obligations, and to enable us to take the required pre-contractual measures in response to your enquiry. Further purposes of the processing are primarily:

• to optimise your user experience and the associated technical and content development
• to provide basic functions and algorithms that are in line with the core concept of a community and the associated expectations regarding networking
• to address IT security issues

As a rule, personal data is deleted as soon as it is no longer needed in order to fulfil the purpose for which it was collected and no statutory retention periods would oppose its deletion. If not explicitly stated, the retention periods for third-party tools can be found in the data protection policy of the respective third-party provider.

3. Processing of data when using our offerings

You can access our offerings through various channels (e.g., website, app). Access to our offerings is partly free-of-charge, whereas other parts can only be accessed for a fee. Some offerings can be used for purely informative purposes; other offerings require you to register and enter into a free or fee-based user agreement. If you use our offerings, personal data is processed either by us or by service providers. The purposes, procedures and legal bases of processing are described in more detail below.

3.1 Applied technology without user recognition

Information is automatically sent to our servers each time our online offerings are accessed. This information is stored temporarily in a so-called “log file”.

During this process, the following information is collected and saved until it is deleted automatically:

• • • IP address of the querying device
    • Date and time of access
    • Name and URL of the accessed file or interface
    • Website from which the access originated (referrer URL)
    • Browser/browser ID (“user agent”) installed on the device, the operating system and name of the device, and the name of your Internet service provider
    • If apps are used, the app version
    • User account if registered, user ID and session ID
    • Any errors which may occur (anonymised)

We process the above data for the following purposes:

• • • To deliver online content correctly to various devices and browsers
    • To protect our IT systems and technology against misuse
    • To ensure the continuing functionality of our IT systems and technology
    • To provide necessary information to law-enforcement authorities for prosecution
    • To evaluate system security and stability
    • To optimise online content

Art. 6(1.1f) GDPR provides the legal basis for data processing. Our legitimate interest lies in the purposes of the data collection listed above. We will never use the collected data for the purpose of identifying you as an individual. The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected.

3.2 User-recognition technologies

Our app uses various methods device-identification methods in order to be able to provide certain features, evaluate errors and to publish user-specific content and information. We use device-identification characteristics in order to be able to allocate chargeable services to devices and offer push notifications as part of the app’s functionality. To identify devices, we use the “Ad ID” for iOS devices and the “Google advertising ID” for Android devices. We do not use these IDs to target ads.

3.3 When subscribing to newsletters

Provided you have granted your express consent under Art. 6(1.1a) GDPR, we use your email address to send you newsletters at regular intervals. To receive the newsletter, you only need to provide your email address. The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected. You can unsubscribe at any time using the link which appears at the end of each newsletter, for example. Alternatively you can email us at dsb@fp.de to unsubscribe at any time.

3.4 When using contact forms and support functions

If you have any questions, we give you the option of contacting us. To do so, you must provide a valid email address or an active login so that we know from whom the enquiry originated and can reply to it. You can provide further information voluntarily.

Data is processed for the purpose of answering contact queries either on the basis of Art. 6(1.1.b) GDPR in order to take steps prior to entering into a contract or to fulfil contractual obligations, or in accordance with Art. 6(1.1a) GDPR on the basis of your freely granted consent.

The personal data that we collect for making contact or communicating is automatically deleted once your enquiry has been dealt with.

Registered users also have the option to report content and request support services.

In such cases we store the name of the person who sent the enquiry, the content of the enquiry and the content, if any, that is reported. The conversation with the user is stored in our support system. Calls via support hotlines are handled without data being stored unless it was essential to establish the caller’s identity in order to clarify the situation and the caller provided this information. In such cases, a support ticket is created. This records the information provided during the conversation or any unresolved issues.

Data used to provide support services is processed in accordance with Art. 6(1.1a) GDPR on the basis of your freely granted consent, in accordance with Art. 6(1.1b) GDPR in order to fulfil contractual or pre-contractual matters with us or with an affiliated payment-service provider, and in accordance with Art. 6(1.1c and f) GDPR to secure the handling of content notifications, such as notifications that must be documented in accordance with the German Network Enforcement Act (NetzDG).

Personal data that we collect for the use of support functions is automatically deleted as soon as your enquiry has been dealt with, provided there is no legal obligation for further retention of this data.

3.5 Ordering a product in an app store

When you buy a product or subscription via an app store (iTunes or Google Play Store), the transaction ID for the purchase and the purchased product or subscription will be stored in order to associate these with your account.

This data is stored in order to fulfil contractual obligations in accordance with Art. 6(1.1b) GDPR. The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected.

3.6 User accounts and profiles

As a user of our online offerings, you have the option of using the offering as a guest without a registered account or registering in order to be able to use further functions. The scope of functions available without registration may be strictly limited.

When you visit our online offering, a contractual relationship is established. The data collected is processed in accordance with Art. 6(1.1b) GDPR in order to fulfil a contract or to implement precontractual measures. No further fees arise unless you intentionally purchase membership and expressly consent to this after registering.

You are not legally obliged to provide personal information. However, some mandatory information is required before we can enter into a user agreement with you. It is a good idea to provide additional information. If you do not provide certain information or object to its use, certain features or services may be unavailable to you.

3.6.1 Host

Guests can access our online offering without obligation and use the basic functions and content provided. During the visit user data and technical data are collected to provide and optimise the content as described in this Data Protection Policy. No further personal data is collected. Since guests cannot enter any further personal data, no data is processed or stored. For special types of use such as subscribing to a newsletter that do not require separate registration, the relevant passages of this Data Protection Policy apply.

Guests can access a registration form for the purpose of registering a user account. Once the registration process has begun, you have to enter the required data as shown on the input form. This data is stored for a short time so that you can verify your email address (opt-in). If you do not opt in, the data is deleted immediately.

3.6.2 Registered user

You have the option of registering by providing additional personal data. The additional personal data that is transmitted to us depends on which input form you use to register. We require this data in order to provide you with the service offering that you have requested within the framework of the existing user relationship.

You can also use the input options to optimise your image within the community and thus increase your chances of making contact. This data includes information such as your user name, age, region and personal preferences. Additional privacy settings are also available for some functions and types of input. These can be used to activate or block display.

Sensitive data such as your exact date of birth or email address is generally not publicly visible and is collected and stored for internal use only. We can forward the data to one or more contracted external processors, which also use it exclusively for internal purposes on our behalf. You can deactivate the annual display of your birthday on your date of birth yourself at any time using the privacy settings. Registered users have the option at any time to correct the data entered during registration.

Data that is accessible only to you is stored to ensure various functions. This includes the internal email communication system, the visitors to your profile and other data that does not generally appear in your public profile or that can be excluded from being displayed using the privacy settings.

For statistical purposes and to optimise our offering, we collect key data on the use of the online offering by individual registered users at regular intervals and in the event of relevant incidents.

You can also provide various data voluntarily. In this case, too, the purpose of the storage and processing is the general provision of the online offering with community functions (Art. 6 [1.1a] GDPR). We also have a legitimate interest in accordance with Art. 6(1.1f) GDPR in making specific data accessible in the form of profiles within the online offering and in connecting functions used for the operation of the online offerings in keeping with the expectations of all users regarding basic functionality.

We will provide information on request at any time on which personal data is stored. We will also correct or delete personal data on request or on receipt of instructions provided that this does not conflict with any statutory retention periods or breach the purpose limitation. Data not subject to retention periods will be deleted as soon as no longer required to fulfil the purpose for which it was collected, and at the latest on deletion of the user account. Our Data Protection Officer is your contact person for questions relating to this.

3.7 Confirmation of authenticity and verification of legal age

With its combined authenticity check and age verification, JOYCE is committed to taking resolute action against fake profiles and ensuring the protection of minors. All JOYCE members can be verified as genuine for free in just a few minutes. At the same time, we verify that you are of legal age.

During the authenticity check and age verification, we check the authenticity of your profile data, particularly with regard to gender and legal age, by means of a video recording. In case of doubt, we may require you to complete an authenticity check by presenting an ID document. The data is stored on servers within Germany and only for the short period of time necessary to carry out the check. Once the check has been completed, the submitted video material, which can be viewed only by the members of the JOY team performing the checks, is immediately and irreversibly deleted. The data is not disclosed to third parties.

Participation in the combined authenticity check and age verification is voluntary. The legal basis for processing the aforementioned data is therefore consent in accordance with Article 6(1a) GDPR, as well as Article 6(1c) GDPR in conjunction with Section (2) of the German Treaty on the Protection of Minors (JMStV) for legal-age verification. Data will be deleted in full immediately after the check has been completed.

The video verification process is not the only way to complete the authenticity check / age verification. There are also opportunities for in-person checks at select events, for example.

3.8 Competitions and surveys

If you participate in surveys or competitions, you have the chance to win virtual and physical prizes. In the latter case, the prize must be shipped to the winner, and for this reason we collect your postal address and real name. This data is processed on the basis of your express consent in accordance with Art. 6(1.1a) GDPR for the purpose of shipping the prize.

Address data will be deleted following the shipment.

4. Disclosure of data

Your personal data will only be disclosed to others for the purposes listed below.

We will only disclose your personal data to third parties if:

• you have granted your express consent to this under Art. 6(1.1a) GDPR
• disclosure is required under Art. 6(1.1f) GDPR in order to assert, exercise or defend legal claims and there is no reason to believe that you have an overriding legitimate interest in your data not being disclosed
• we are legally obliged to disclose it under Art. 6(1.1c) GDPR
• disclosure is permitted by law and necessary under Art. 6(1.1b) GDPR in order to process contractual relationships or orders with you
• a legitimate interest in optimising our offering exists under Art. 6(1.1f) GDPR

5. Tracking and analytical tools

The tracking and analytical measures described below are used by us on the basis of Art. 6(1.1f) GDPR. We use these tracking methods to ensure that the design of our online offerings is tailored to our users’ needs and continually optimised. We also use tracking methods to compile statistics on the use of our online offerings and to evaluate them in order to optimise our offering for you. These interests are legitimate within the meaning of the above legislation.

The purposes of the data processing and the categories of data are set out under the respective tracking tools.

5.1 Google

We use the products and tools of Google Inc. (hereinafter referred to as “Google”). Different data protection regulations of the Google company apply for data processed by Google. You can view these here: https://www.google.com/intl/en/policies/privacy/. You can find out specifically how we use the products below.

We use Google Firebase to optimise our applications and to publish push notifications. The anonymised information on your use and duration of use is transferred to a Google server in the USA and stored there. This information may also be transferred to third parties if required by law or if the data is processed by contracted third parties. Under no circumstances is your IP address associated with other data by Google. IP addresses are anonymised so that association with an individual user is impossible (IP masking).

You can deactivate the use of Google Firebase in the app at any time.

You can find more information on data protection and how this works in connection with Google Firebase, as well as information on data storage periods, at https://firebase.google.com/support/privacy/

The data is processed in accordance with Art. 6 (1.1a) GDPR and Art. 6(1.1f) GDPR on the basis of our legitimate interest in tailoring the design of our applications to our users’ needs and continuously optimising them, as well as in publishing push notifications.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you that is performed on the basis of Art. 6(1.1f) GDPR.

You can prevent cookies from being stored by configuring the relevant technical settings in your browser. However, please note that, if you do so, you may not be able to use all the functions of our online offerings to their full extent.

You can deactivate personalised ads using Google’s advertising settings. You can find instructions on this at https://support.google.com/ads/answer/2662922?hl=en

5.2 Use of AppsFlyer technology

We use the services of AppsFlyer Ltd., 14 Maskit Street, Herzliya, Israel (“AppsFlyer”, www.appsflyer.com) to learn more about how our users get to know about our app and how they use it. Certain information regarding the devices used by users, their online usage behaviour and content retrieved, is collected, processed and used in this process. This includes, but is not limited to:

• • • individual user identifiers, such as IP addresses, user agent, IDFA (identifier for advertisers), Android ID (for Android devices), Google advertising ID
    • technical data, such as information about the operating system of the device used, device information and settings, applications, opt-out declarations for advertising, downloads, impressions, clicks and installation of apps,

in-app behaviour, movement details.

AppsFlyer uses this data on our behalf to analyse and assess the performance of our marketing actions and channels so as to find out how users respond to certain campaigns and how they use and interact with the app. The above data is not used to identify individual users or associate the data with a particular person. The information is also used in cases of so-called “mobile fraud”, i.e., to discover and prevent manipulative and fraudulent acts in connection with our marketing activities. AppsFlyer uses the collected and subsequently aggregated data to reveal to us whether certain actions related to our app, such as downloads or installations, have been caused by manipulative acts. This is also in our economic interest, given that actions attributable to mobile fraud are taken into consideration in the remuneration of our partners (advertising networks and affiliate sites that display our advertisements). Data is therefore processed on the basis of the clause on legitimate interest in Article 6(1f) GDPR and is within the scope of our legitimate interest as described above.

If you would like to prevent AppsFlyer from collecting your data, you can deactivate the “Diagnosis & usage” item in the “Privacy” section of the app settings. By deactivating this item, you will prevent your data from being sent to AppsFlyer.

5.3 Matomo

We use the web-analytics service Matomo provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, on our website. Its purpose is to ensure the needs-based design and continuous optimisation of our website. We also use this service to compile statistics on the use of our website and to optimise our website content for you. The legal basis for this is Art. 6(1f) GDPR.

Matomo uses a session cookie, which is stored on your computer and is automatically deleted when you close your browser. When you visit the website, your IP address is immediately anonymised, preventing the identification of a particular individual. This method helps us to improve the quality of our website continuously and customise it even more appropriately for our users’ needs.

If you do not want the data relating to your visit to the website to be stored and analysed, you can object to the storage and use of this data at any time. You can also prevent the setting of the cookie by selecting the appropriate settings on your browser software.

You can prevent your activities on this website from being analysed and linked. This will protect your privacy, but will also prevent the provider from learning from your activities and making the website easier for you and others to use.

Your visit to this website is currently being recorded by the Matomo web-analytics service. Tick this box to opt out.

6. Other providers

6.1 Videos and GIFs

6.1.1 YouTube Player and Vimeo

We use the providers YouTube and Vimeo to embed videos. YouTube is operated by YouTube LLC, headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA. Google is represented by Google Ireland Ltd., with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Videos from YouTube are embedded into our online content with the enhanced data protection setting activated. This means that no information about visitors to our online presence is collected and stored by YouTube unless the visitor plays the video. Further information regarding data processing and tips on data protection by YouTube (Google) can be found at https://policies.google.com/privacy and https://www.youtube.com/static?template=privacy_guidelines.

Vimeo is operated by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. Further information regarding data processing and tips on data protection are available at https://vimeo.com/privacy.

6.1.2 Giphy, Tenor

We use the providers Tenor and Giphy to embed animations (GIFs). Tenor is operated by Tenor, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information regarding data processing and tips on data protection can be found at https://tenor.com/legal-privacy.

Giphy is operated by Giphy Inc., 416 West 13th Street, Suite 207, New York, New York 10014, USA. Further information regarding data processing and tips on data protection can be found at https://support.giphy.com/hc/en-us/articles/360020028332-GIPHY-Privacy-Policy.

6.1.3 Please note

The legal basis for the processing of users’ personal data is Article 6(1f) GDPR. Processing our users’ personal data enables us to display useful information visually.

When you access our online content, the technology used to embed files can transmit data such as your IP address back to the platforms. You can prevent tracking cookies from being set when playing videos by activating the corresponding setting in your browser to disable their storage. However, we advise you that should you choose to do so, you may not be able to use all of the functionalities of our online content to their full extent.

We have no influence over how the platforms use the data. You can find further information regarding the individual operators directly via the links above and adjust your privacy settings as you deem necessary.

6.2 Video chat

If you use our video chat feature provided by Nexmo Inc., 23 Main Street, Holmdel, NJ 07733, USA (hereinafter referred to as “Nexmo”), the actual streaming content data generated during the chat (video image and audio track) and the meta- und communication data required for client integration (time and duration of use, source and target identification, location, IP address) are transmitted to the provider’s servers. The data is stored only to the extent required to set up the chat and to enforce security measures.

This processing is carried out solely for the purpose of providing the video chat service and Art. 6(1b) GDPR provides the basis for its legitimacy.

Processing is carried out on our behalf and according to our instructions by the provider Nexmo. The data can be processed on servers in various countries. If the processing is carried out in third countries, it is ensured that the EU Standard Contractual Clauses for this processing apply and thus sufficient guarantees for an adequate level of data protection are provided.

Further information on data processing by Nexmo is available here: https://www.vonage.com/legal/privacy-policy/

6.3 Push notifications

We use AWS Pinpoint, a technology of Amazon Web Services EMEA Sarl, Rue Plaetis 5, 2338 Luxembourg, so that we can send you personalised push notifications. This will only happen if you have consented to receiving push notifications when installing the app or later in the settings. When you give consent, the device’s unique identification number is sent to our server and the service provider, which enables us to specifically assign and send the messages. The legal basis for the processing is your consent in accordance with Art. 6(1.1a) GDPR. You can revoke this consent at any time by deactivating push notifications.

7. Rights of data subjects

You have the right:

• to obtain information about your personal data processed by us under Art. 15 GDPR. In particular, you can request information about the purposes of the processing, the categories of personal data, the categories of recipients to whom your data has been or is disclosed, the envisaged duration for which it will be stored, the existence of a right to rectification and erasure, and to restrict the processing or object to it, the existence of a right to complain, the source of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if appropriate, meaningful information concerning its details
• to have incorrect personal data stored by us rectified or completed without undue delay under Article 16 GDPR
• to have your personal data stored by us erased under Article 17 GDPR, provided processing is not necessary to exercise the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or to establish, exercise or defend legal claims
• to request that the processing of your personal data be restricted under Art. 18 GDPR and to object to the processing under Art. 21 GDPR
• to receive the personal data that you have provided to us in a structured, commonly used, machine-readable format or to have it transmitted to another controller under Art. 20 GDPR
• to withdraw the consent that you have granted to us under Art. 7(3) GDPR at any time. This will prevent us from continuing to process data based on such consent.
• to lodge a complaint with a supervisory authority under Art. 77 GDPR, in particular in the Member State in which you live or work or in which the alleged infringement took place, if you are of the opinion that the processing of personal data relating to you is in breach of the GDPR.

8. Right to object

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6(1.1f) GDPR, you have the right under Art. 21 GDPR to object to the processing of your personal data where there are grounds relating to your particular situation or the objection relates to direct marketing. In the latter case, you have a general right to object that we will implement without the need to specify a particular situation.

If you wish to exercise your right to withdraw consent or to object, simply email us at dsb@fp.de.

9. Data security

When our online offerings are accessed, we use the widely used SSL (Secure Socket Layer) protocol in conjunction with the highest level of encryption that your device supports. Generally this is 256-bit encryption. If your device does not support 256-bit encryption, we use 128-bit v3 technology instead.

We make use of appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss or destruction and against unauthorised access by third parties. Our security measures are continually enhanced in line with technological advances.

10. Validity of and changes to this Data Protection Policy

This Data Protection Policy (correct as of 16 July 2020) is currently in force.

It may be necessary to make changes to this Data Protection Policy following further development of our online offerings or due to legislative or administrative changes. You can access and store the currently valid Data Protection Policy at any time.