Privacy Policy (Crumbs)

Privacy notice (short version)

Your protection and data confidentiality is of utmost importance to us ("eyeo", "we", "our"). The following privacy notice shall provide you with a general overview about the collection, processing and use (hereinafter together referred to as "processing") of your personal data on our website https://crumbs.org (hereinafter referred to as “website”) and in connection with your use of our sustainable privacy extension Crumbs (hereinafter referred to as “Crumbs”). For more information regarding our processing activities, please view our complete Privacy Policy.

What kind of personal data do we process?

  1. While using Crumbs (automatically):
    • Browsing history
    • URL and content of visited webpages
    • Browser version
    • Operating system
    • IP address
    • Cookies and other cached information that are already set in the browser (for the purpose of offering their deletion)
    • Location
  2. When using our website, by default:
    • IP address (stored separately)
    • Date and time of access
    • The URL accessed
    • Browser name/version
    • URL of previously visited webpage
    • Amount of data sent

How do we collect data?

List of techniques and tools we use for data collection:

How and why do we process your data?

What is the legal basis of data processing?

We process your personal data in compliance with the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the applicable EU laws and German national data protection laws.

How long do we keep data?

Note: “Aggregated usage statistics”, such as web log data and other data without any connection to a single user, may be retained beyond these periods.

Our values

We collect as little data as possible. As far as anonymous or pseudonymous use is possible we anonymize or pseudonymize your data. We aim to empower you as an end user, to be in control of the data that is being shared with, and informed about what and how it is being shared. We believe in your right to remain anonymous and will enable you to prevent an illegitimate exploitation of your information.

We aspire to restore and maintain the value exchange between content creators and users and to ensure the free usage of the web.

What rights do you have?

In compliance with the GDPR, and the applicable EU laws and German national data protection laws and to the extent legally permitted, you have the right to:
  • Receive information about the personal data processed by us and how we process your data as well as to gain access to such data.
  • Rectify inaccurate personal data and restrict details.
  • Receive all your personal data in a structured, commonly used and machine-readable format, as well as having such data transmitted to another controller.
  • Request erasure of your data, unless such data needs to be retained for legal purposes.
  • Object to the processing of your data.
  • Withdraw your consent at any time, when you have provided us with your consent to the processing of your personal data.
  • Lodge a complaint with the respective supervisory authority.

Questions?

Contact our Data Protection Officer, Dr. Judith Nink, via email or phone.

Privacy policy (long version)

General information about your privacy

The following information applies to the collection, processing and use of personal data in connection with our services, as but not limited to, the Crumbs extension and on our websites.

General notes

Your protection and data confidentiality is of utmost importance to us ("eyeo", "we", "our"). We take the protection of your personal data very seriously and collect as little data as possible. Nevertheless, collecting data helps our products and websites function correctly, and allows us to communicate with you. Our general privacy policy is to avoid collecting more data than necessary. Collected data is anonymized, if possible, and deleted when no longer needed. This privacy policy shall inform you about the collection, processing and use of your personal data. We gather and use personal data firmly within the provisions of the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the applicable EU Laws and German national data protection laws. In the following text we will inform you about the specific data, the scope and the purpose of the collection and use of personal data by eyeo when using our products and visiting our websites.

Who is responsible for data collection and processing (contacts)?

The legal person responsible for the collection, processing and / or use of personal data in connection with the website ("Controller") is:

Controller
eyeo GmbH
Lichtstr. 25
50825 Cologne
Germany
Data Protection Officer

If you have any questions regarding your personal data, please do not hesitate to contact our Data Protection Officer:

Dr. Judith Nink

Phone
+49 (0) 221 / 65028 598
Email
privacy@eyeo.com
Fax
+49 (0) 221 / 65028 599

What is personal data?

The purpose of data protection is to protect personal data. Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This information includes, for example, details such as name, postal address, email address or telephone number, but also nicknames, certificates and information about your interests.

What is the purpose of data processing and what is the legal basis?

Purpose of data collection and processing

In compliance with Art. 5 (b) GDPR, we collect and process your personal data for specified, explicit and legitimate purposes and do not further process your data in a manner that is incompatible with those purposes.

We collect and process your personal data solely for the following purposes:
  • We collect browsing and browser history data to provide you with our services in Crumbs, which is providing you with secured behavioral and more relevant advertising.
  • We share anonymized data points with the advertising and marketing industries to provide you with secured behavioral and more relevant advertising.
  • We collect and process your personal data, such as website logs. We collect and process such data to prevent security attacks and are thus able to provide our services to you in a secure and data-efficient manner.

Legal basis of data collection and processing

We collect and process your personal data in compliance with the GDPR and the applicable EU laws and German national data protection laws.

Collection and processing is based on your consent - Art. 6 (1) a GDPR, Art. 4 (11) GDPR

We will always ask for your consent to collect and process your personal data for the aforementioned specific purposes, unless the collection and processing of your personal data is permitted by statutory laws. Where you have provided us with your consent to the collection and processing of your personal data for the aforementioned specific purposes, you have the right to withdraw your consent at any time.

Collection and processing is necessary for taking steps prior to enter into a contract - Art. 6 (1) b GDPR

The collection and processing of your personal data may be necessary for the performance of a contract to which you may be a party. Prior to entering into such a contract, the collection and processing of your personal data may also be necessary in order to take steps at your request. This applies for installation (data gathered by the browser and / or app store) and the use of Crumbs.

Collection and processing is necessary for compliance with a legal obligation to which the controller is subject – Art. 6 (1) c GDPR

Collection and processing of your personal data may be necessary for compliance with a legal obligation to which we are subject under EU laws or the laws of an EU Member State.

Collection and processing is necessary for the purposes of our legitimate interests - Art. 6 (1) f GDPR

The collection and processing of your personal data may be necessary for the purposes of our legitimate interests. We collect and process website logs for technical reasons, such as, but not limited to, preventing denial of service attacks. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. Preventing such overloads of our systems and any security issues by denial of service attacks is in your and our vital interest and therefore we use the website logs. We use information collected and processed via subscription downloads, extension update checks, emergency notifications and feedback data sent by you, for technical reasons, such as, but not limited to, ensuring the security of the extension version used by you. Ensuring the security of our extension is in your and our vital interest and therefore we use such data. Furthermore, we collect and process such data to ensure that our website and extension are constantly improved and adjusted to the changing requirements for an efficient usability and the technical environment.

Do we disclose any personal data?

We may only transfer your personal data to third parties without informing you separately beforehand in the following exceptional cases as explained below:
  • If required for legal proceedings/investigations, personal data will be transferred to the criminal investigation authorities and, if appropriate, to injured third parties. We will only do this if there are concrete indications of illegal and/or abusive behavior. We are also legally obliged to give certain public authorities information. These are criminal investigation authorities, public authorities which prosecute administrative offenses entailing fines and the German finance authorities.
  • As part of the further development of our business it may happen that the structure of eyeo GmbH changes. The legal structure may be adapted, subsidiaries, business units or components may be created, bought or sold. In such transactions, customer information may be shared with the transmitted part of the company. In the event of a transfer of personal information, softgarden will ensure that it is done in accordance with this Privacy Policy and the German data protection laws.

We will not transfer your personal data to third parties as a matter of course without letting you know in advance. We will ask for your prior permission unless the transfer of such data is permitted by GDPR or any other applicable EU laws and German national data protection laws.

International data transfers

For the following services, we use non-EU/EEA service providers. We have carefully selected these external service providers and review them regularly to ensure that your privacy is preserved. The service providers provide sufficient guarantees to ensure an adequate level of data protection and may only use personal data for the purposes stipulated by us and in accordance with our instructions. We also contractually require the service providers to treat your personal data solely in accordance with this Privacy Policy and the European data protection laws:

We use an external service provider tool for email (GSuite). This service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In order to ensure an adequate level of data protection, we have entered into a data processing agreement including the EU Standard Contractual Clauses (processors) – Commission Decision C(2010)593. You can access a copy of this agreement here.

What rights do you have?

In compliance with the GDPR and the applicable EU laws and German national data protection laws and to the extent legally permitted, you have the following rights to protect your personal data collected and processed by us:

Information, access, rectification and restriction rights

Naturally you have the right to receive, upon request, information about the personal data stored by us about you and information about how we collect, process and store your personal data. Where that is the case, you have the right to gain access to such personal data stored by us. You have the right to request from us the rectification of your inaccurate personal data. Taking into account the purposes of collecting and processing your data, you have the right to have incomplete personal data completed. You have the right to request restriction of processing.

Right to data portability

You also have the right (1) to receive all personal data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format and (2) to transmit that data to another controller.

Right to erasure of your data

You have the right to demand from us the erasure of your personal data, where – inter alia – one of the following grounds applies:
  • If we no longer need your personal data for the aforementioned purposes.
  • If you withdraw your consent on which the collection and processing is based and where there are no other legal grounds for the collection and processing.
  • If you object to the collection and processing and there are no overriding legitimate grounds for the collection and processing.

Please note, if data needs to be retained for legal purposes pursuant to Art. 17 (3) GDPR, we will restrict the use of the respective data.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the collection and processing of personal data relating to you infringes the GDPR.

Right to object to the processing of your data

You have the right to object at any time to the collection processing of your personal data on grounds relating to your particular situation, when collection and processing is based on our legitimate interest (Art. 6 (1) f GDPR).

Right to withdraw your consent at any time

You have the right to withdraw your consent at any time, when you have provided us with your consent to the collection and processing of your personal data for one or more specific purposes.

How to exercise your rights

To exercise your rights, please contact us via email or mail to:
eyeo GmbH
Lichtstr. 25
50825 Cologne
Germany

Changes to this Privacy Policy

This Privacy Policy may be changed from time to time. The respective current version is available at crumbs.org/privacy.

What kind of data do we collect and process, and how?

Crumbs

When you use the Crumbs browser extension, we collect and process the browsing and browser history data, including:
  • Language
  • Browser type
  • Device type
  • Operating system
  • Age
  • Gender
  • Interests
  • Information related to consumption of products
  • Information about preferences and behaviour for the purpose of optimizing user experience.

Based on this data, Crumbs is creating a local profile of you in the Crumbs extension. This profile cannot be accessed by anyone else than you. Based on this profile, Crumbs is sharing some anonymized data points with supported advertisers.

Data retention

Browser history profile data is stored for as long as Crumbs is installed on the browser. Users however may reset their profile history at any given time, by uninstalling Crumbs. More advanced profile management choices are available in the application.

Collection and processing on our websites

When using our websites, we automatically collect the following data in order to provide you with our services, and for security reasons.

Automatically collected information

Website logs

All requests to our websites are recorded in the website logs. Data stored includes your IP address (solely for the purpose of IT security and only accessible by eyeo's IT Security team), the time at which the request was made, the web address accessed, the browser identifier and the referring page. This data (IP address only aggregated via hashing with a daily changing salt) is used to generate usage statistics as well as to investigate potential security issues and forum or blog spam. Detailed logs are retained for a period of 30 days, after which only the aggregated usage statistics that cannot be connected to a single user remain. Everything else is deleted.

Data retention

The website logs are stored for a period of 7 days.

California Privacy Notice

This section only applies to California residents. It explains how we collect and use Personal Information as well as the rights available to California residents under the California Consumer Protection Act (“CCPA”). The words in this section have the same meaning given to them in the CCPA. Please note that the words as described under the CCPA may be broader than their common meaning.

“Personal Information,” for example, refers to information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to you or your household. Personal Information does not include information that is aggregated or information that cannot be reasonably linked to you.

What types of Personal Information we collect and how we use them

In order to provide you with our products and services (“Products”), we must process certain Personal Information about you. We do not sell any of your Personal Information, and we never will. For a detailed explanation about the kinds of information that we collect and how we use it, please review the information provided above. Here is a summary of the CCPA categories of Personal Information that we may have collected about you over the past 12 months:
  • Identifiers;
  • Internet or other electronic network activity information, including information about your browser, extension, and operating system;
  • Characteristics of protected classifications under California law or U.S. federal law, including gender and age;
  • Geolocation data; and
  • Inferences drawn from any of the information identified that reflect your preferences and attitudes.
We may have collected these categories of Personal Information for the following business purposes:
  • To personalize the Products we provide to you;
  • To evaluate and improve our Products;
  • To provide limited analytic services;
  • To facilitate advertising and other business services;
  • To communicate with you;
  • To ensure security and functionality of our Products; and
  • To perform other business purposes.

How we share Personal Information

Subject to the limitations in this Privacy Policy, we share non-personally identifiable information with advertisers. We may also share your Personal Information with law enforcement or other third parties as necessary to comply with legal requirements.

Sources from which we collect Personal Information

We receive Personal Information from you and your device(s). The categories of sources from which we have collected or received Personal Information include:
  • You: We collect information you provide when you use our Products, including browsing and browsing history information.
  • Your device(s): We receive information from and about the computers, phones, and browsers that you use in connection with our Products.
  • Our Websites: We collect information about how you interact with and use our websites.

What are your rights under the CCPA?

The CCPA provides you with the following rights:
  • Right to Know: You have the right to request that we disclose to you the categories of Personal Information that we have collected, the categories of sources from which we have collected the Personal Information, the business purpose for collecting Personal Information, the categories of third parties with whom we have shared Personal Information, and the specific pieces of Personal Information about you that we have collected;
  • Right to Request Deletion: You have the right to request that we delete any Personal Information about you that we have collected; and
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

Please note that we have a duty to verify your identity whenever you exercise your Right to Know and/or your Right to Request Deletion. In order to do so, we will request Personal Information from you to match against the Personal Information in our records. In some cases, we may also request additional documentation to verify your identity.

Please also note that the CCPA allows you to exercise these rights yourself or designate an authorized agent who will exercise these rights on your behalf. In the event that an authorized agent exercises rights on your behalf, we may request a written permission from you that establishes the individual as your authorized agent as well as other information necessary to verify the identity of the authorized agent.

To exercise any of these rights, please submit a request to privacy@eyeo.com.

Contact for more information

If you have any questions about this section or how to exercise your rights under the CCPA, please contact us.

October 2020