PRIVACY POLICY
Valid as of August 14th, 2024
- INTRODUCTION
We are very delighted that you have shown interest in our enterprise, our website, our VR App Experience ‘Out of Scale: A Kurzgesagt Adventure’ and/or our App ‘Universe in a Nutshell’. The following statement is valid for all of the mentioned products even if only the website is mentioned specifically. Data protection is a particularly high priority for In a nutshell – kurzgesagt GmbH (“KGS”). The processing of personal data, such as the name, address, e-mail address, or telephone number will be conducted in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to KGS. By means of this privacy policy, our enterprise would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process.
The legal standards require comprehensive transparency regarding the processing of personal data. Only if the processing is comprehensible to you, you are sufficiently informed about the meaning, purpose and scope of the data processing. Below we therefore inform you in detail about the way your data is handled when using this website, other services of KGS and your rights regarding your personal data.
The personal data we collect consists of (i) information provided to us by you directly, e.g. when you subscribe to our newsletter or contact us and (ii) information collected automatically, e.g. information collected via cookies on our website.
- CONTROLLER AND DATA PROTECTION OFFICER
2.1 Controller is:
In a nutshell – kurzgesagt GmbH ("KGS"),
Landwehrstraße 39, 80336 Munich, Germany,
Phone +49 (0)89 9545 730 20, e-mail: [email protected]
2.2 Our data protection officer (“DPO”) is:
LS Sport GmbH, Widenmayerstraße 28, 80538 München,
Germany, e-mail: [email protected]
Should you have any further questions regarding data protection, please do not hesitate to contact our DPO or us by e-mail at [email protected].
3. GENERAL INFORMATION ON DATA PROCESSING
The use of the websites of KGS is generally possible without any indication of personal data; however, if you want to use special enterprise services via our website, processing of personal data could become necessary (e.g. contact form, newsletter subscription).
Please note that links and features on our website may take you to other websites which are not operated by us but by third parties (e.g. blog, patreons, etc.). Such links are either clearly marked by us or are recognizable by an obvious change in the address line of your web browser. We are not responsible or liable for compliance with the respective data protection regulations and safe handling of your personal data on these websites operated by third parties.
4. PROCESSING DURING THE USE OF THE WEBSITE / LOGFILES
Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer. This general data and information are stored in the server log files. The following data is logged:
- IP address of the calling computer
- Operating system of the calling computer
- Browser type and version of the calling computer
- Name of the retrieved file/website
- Date and time of retrieval
- Transferred amount of data
- Referring URL
When using these general data and information, we do not draw any conclusions about you. The mentioned data will be processed by us for the following purposes:
- deliver the content of our website correctly and guarantee the smooth running of our website,
- optimize the content of our website as well as its advertisement,
- ensure the long-term viability of our information technology systems and website technology,
- provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
We analyse anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by potential customers. We do not combine this personal data with other data sources. Disclosure only takes place if it is necessary for the operation of our website or services, e.g. by storing it with our host provider. We do not transfer your personal data to a third country outside EU in this context.
This data is regularly deleted after a few days. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal or system-inappropriate use of our website.
5. PROCESSING BY USING THE SERVICES VIA OUR WEBSITE
Various services are available on or in the context of our websites, where we collect personal data from you if you decide to use them:
5.1 Contact form / Contact us by e-mail
If you use the contact form on our websites or send us an e-mail, we will process the personal data you provide us (e.g. name, e-mail address, your IP address and the date and time of the contact request). This information is transmitted by your browser or e-mail client and processed in our IT systems. The processing of this personal data is necessary to answer your request. In addition, misuse of the contact form should be prevented and the security of our IT systems ensured.
The personal data will be processed as long as necessary to respond to your request. Should your request lead to a later conclusion of the contract, processing will take place as long as this is necessary to carry out pre-contractual measures or to fulfil the contract. We do not merge your personal data with other data sources. Your personal data will not be disclosed to third parties. A transfer to a third country or to an international organization is not intended. You are not obliged to provide your personal data, but it is not possible to use the contact form or send an e-mail without providing it.
If you contact us by e-mail or message via the contact form, you can object to the storage of your personal data at any time by contacting us by e-mail or letter (see Sec. 12).
5.2 Newsletter
Registration and scope of data processing
On our website, you can register to receive a newsletter by email. During registration, the data from the input mask, the IP address of the calling computer and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this Privacy Policy.
In order to verify that a registration for the newsletter is made by the actual owner of an email address, we use the so-called "double opt-in" procedure. In this process, after registration of an email address, a confirmation email is sent to the registered email address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation e-mail is activated. The IP address of the calling computer and the date and time of activation of the confirmation link are also transmitted to us.
We will use your data to send you our newsletter, in which we inform you about all our services and news.
You can unsubscribe from the newsletter any time by using the unsubscribe link contained in each newsletter or by contacting us directly (please see Sec. 12). Your data will be deleted immediately after you unsubscribe.
Newsletter Analytics/Tracking
The newsletter of KGS contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, KGS may see if and when you opened an e-mail, and which links in the e-mail were called up by you.
These personal data will not be passed on to third parties. You are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After withdrawal, these personal data will be deleted by us. KGS automatically regards a withdrawal from the receipt of the newsletter as a withdrawal of this data processing.
Newsletter Service Provider
As of August 2024, we use an external service provider as a data processor located in the US for sending and analyzing our newsletter on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR, which obliges the service provider to implement appropriate security measures and grants us comprehensive control powers. Additionally, our service provider is certified in accordance with the EU-U.S. Data Privacy Framework. In this context, the personal data you provided will be transferred to our service provider in the US. This is necessary to continue sending you our newsletter and is therefore based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If you do not wish your data to be transferred, you can object at any time by contacting us directly (see Sec. 12)
5.3 Participation in sweepstakes, competitions or surveys
If you participate in one of our sweepstakes, competitions or surveys (together hereinafter referred to as “Competitions”), we collect and process the personal data that you provide to us as part of your participation and that are necessary for the implementation and completion of the Competitions (regularly your first and last name and your address, where applicable also your date of birth and your e-mail address). The collected personal data of the participants will be used for the implementation and completion of the Competitions, including any draw/winner selection, notification of the winner and prize shipment. Your personal data may be shared with our authorized distributor in order to deliver the prize (outside EU regularly to DFTBA Records LLC, 5845 Sandpiper Dr Missoula, MT 59808, USA) as well as with the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the prize.
Regularly, no later than six (6) months after the end of the Competition, all collected data in this context will be deleted in full, unless a longer storage period is required for contractual or statutory reasons.
Participation in Competitions can take place via our channels on social media platforms. Please note the relevant information under “Integration of social media” in this Privacy Policy (see Sec. 7).
5.4 Job applications and the application procedures
We collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail or by means of a web form on the website to us.
If we conclude an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by us, the application documents will be automatically deleted six (6) months after notification of the refusal decision, provided that the applicant has not given consent for a longer storage of the application documents and no other legitimate interests of us are opposed to the erasure. These processing operations are lawful because the reply to your application represent legitimate interests. Our legitimate interest for the storage of your application for a period of six (6) months is to give us the possibility to defend ourselves against any claims arising from legal provisions (e.g. under the General Equal Treatment Act (AGG)).
If you give your express consent, we store your application data above six (6) months (up to two (2) years) after the application process has been concluded for the purpose of adding it to our Talent Pool in order to identify any other vacancies that may be of interest to you. This includes, for example, also applications for apprenticeships or internships. Disclosure only takes place if it is necessary in this context, e.g. by storing personal data with an HR service provider. With regard to appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, please see Sec. 11.
5.6 The KGS online-shop (EU and US)
If you visit our online shops, we may process further personal data of you. Please note that we have separate privacy policies for our EU- and US-online-shops, which inform you about all data processing when you visit and use our online shop, e.g. create an account or place an order.
EU Online-Shop: https://shop-eu.kurzgesagt.org/pages/privacy
US Online-Shop: https://shop-eu.kurzgesagt.org/pages/privacy
6. VIRTUAL REALITY APP EXPERIENCE
If you use our Virtual Reality (“VR”) App Experience ‘Out of Scale: A Kurzgesagt Adventure’ (“App”), we process further personal data of you.
The App can access your display name and user name as well as your profile pictures and avatars, your follower list and a list of people you follow who also have the App as well as your achievements in the App via Deep linking. We do not combine this personal data with other data sources.
Depending on the VR platform you are using our App on, personal data may be disclosed to the providers of these platforms. The platform providers usually act as independent data controllers as they determine their own purposes of data processing in the context of making the platform available and may conclude their own user agreement with you as the user of the platform.
For information on the purpose and scope of data collection and processing by the providers of the respective platform usable for our App, the provider identification, a contact option and your rights and setting options for data protection, please refer to the respective privacy policy of the platform providers.
7. SOCIAL MEDIA
To provide up-to-date information and interact with our target groups we operate our own social network accounts on YouTube, X (Twitter), Facebook, Instagram, Patreon, Reddit, Bēhance, Discord, TikTok and LinkedIn and use their buttons on our website.
7.1 Buttons on our website
Social media buttons of various social media networks (e.g. LinkedIn, Instagram, X (Twitter), YouTube, Facebook, Patreon, Reddit, Bēhance, Discord, TikTok) are integrated on our website.
The providers of the social platforms whose buttons we have integrated on the website may have their registered office (often via the parent company) outside the EU or the EEA – an adequate level of data protection in accordance with the GDPR may therefore not exist.
The buttons/links are clearly marked on our website. To ensure data protection on our website, we only use such buttons if you have given your consent as part of the cookie consent tool or together with the so-called “two-click” solution. This application prevents the buttons integrated on our website from transmitting data to the providers as soon as you enter the website for the first time. Only when you have given your express consent using the opt-in function or activate the respective button by clicking on the associated button (implied consent), a direct connection to the provider’s server will be established. As soon as you activate the button, the provider of the respective social media network may receive the information that you have visited our website with your IP address. If you are logged into your respective social media account (e.g. Facebook or Instagram) at the same time, the providers can assign the visit to our website to your user account. Activating the button/link constitutes implied consent. You can withdraw both express and implied consent at any time with effect for the future.
For information on the purpose and scope of data collection and processing by the providers of the respective social media network, the provider identification, a contact option and your rights and setting options for data protection, please refer to the respective privacy policy of the providers of the social media networks:
- YouTube: https://policies.google.com/privacy?hl=de
- X (Twitter): https://twitter.com/privacy?lang=de
- Facebook: https://www.facebook.com/policy.php
- Instagram: https://help.instagram.com/478745558852511
- Patreon: https://www.patreon.com/privacy
- Reddit: https://www.redditinc.com/policies/privacy-policy
- Bēhance: https://www.adobe.com/de/privacy/policies/behance.html
- Discord: https://discord.com/privacy
- LinkedIn: https://de.linkedin.com/legal/privacy-policy
- TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/de
7.2 Social Media Accounts
We also have our own accounts on the various social media platforms (e.g. LinkedIn, Instagram, X (Twitter), YouTube, Facebook, Patreon, Reddit, Bēhance, Discord, TikTok).
If you visit our social media pages/accounts on the various platforms and are logged in to the respective social media network, the provider of the respective social media network can analyze your usage behavior and assign the information collected to your account with the social media network and enrich it there. Even if you are not logged in or if you do not have an account with the respective social media network, personal data may be collected by the provider of the respective social media network, for example your IP address or data collected via a cookie.
The providers of the social media networks can use this data to create user profiles. Based on your user profile, you can then be shown interest-based advertisements both on the websites of the social media network and on other websites.
If you visit one of our social media pages, we are, usually, jointly responsible with the provider of the social media network for the collection and processing of your personal data that takes place there if the respective social media network provider shares insights about your usage behavior with us. In these cases, we have therefore concluded a joint controllership agreement with the providers of the social media networks we are joint controllers with in accordance with Art. 26 para. 1 GDPR.
Social media network providers that do not share any insights about your usage behavior with us usually act as our data processors on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR.
We have selected the most data protection-friendly settings possible for the use of the respective account. With regard to appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, please see Sec. 11.
For information on the collection and processing of your personal data that takes place there, we refer you to the privacy policy of the respective social media network (please see Sec. 7.a.).
You can assert your rights in accordance with the GDPR (please see Sec. 12) both towards us and the provider of the respective social media network. In this context, we would like to point out that we can only influence the processing of personal data and the implementation of your rights as a data subject within the framework of our social media pages within the scope of the possibilities made available to us by the respective provider.
8. USER-GENERATED CONTENT (“UGC”)
Most of the aforementioned social media networks used by us allow users to post their own content. If you give us your express consent to do so, we will process your user-generated content, possibly in connection with your name or username on the respective social media network, by sharing or posting it on our social network channels or using it to promote our products, especially on our social network channels. You can withdraw this consent at any time with effect for the future.
We will delete or restrict the processing of your personal data connected with your user-generated content as soon as the data is no longer necessary to the purposes for which they were processed and/or we have no further legitimate interest in continuing the processing. Please note, however, that we cannot carry out deletion within the respective social network. Please check the privacy policies of the respective providers listed above.
9. COOKIES AND THIRD-PARTY TOOLS/FUNCTIONS
In order to make visiting our website attractive and to enable the use of certain functions on our website as well as to statistically record and analyze the use of our websites, we use cookies and third-party tools or functions.
Please note our separate cookie policy, which informs you about all data processing by cookies: https://kurzgesagt.org/cookies.
10. LEGAL BASIS
When processing your personal data as described above this is based on the following legal sources in accordance with the GDPR. The respective legal basis for each data processing depends on the specific purpose (as outlined above) of the respective data processing:
10.1 Performance of a contract (Art. 6 para. 1 lit. b) GDPR)
This applies when you participate in our Competitions or contact us regarding the conclusion of a contract, and we therefore conclude a contract with you or communicate with you about it. This includes processing your personal data to run the Competition, manage the communication.
10.2 Legitimate Interest (Art. 6 para. 1 lit. f) GDPR)
This applies with regard to data processing with regard to necessary measures to operate the website, detecting and preventing fraud or abuse to protect the safety of our visitors, our own safety and that of third parties regarding our website, and when we show you interest-based, direct advertising. In these cases, you may have the right to object the respective data processing by contacting us (see Sec. 12).
10.3 Consent (Art. 6 para. 1 lit. a) GDPR)
This applies when we ask for your consent to process your personal data for a specific purpose notified to you (i.e. also via our cookie consent tool). In these cases, you may freely withdraw your consent at any time by contacting us and we will stop processing your personal data for that purpose (see Sec. 12).
10.4 Legal obligations (Art. 6 para. 1 lit. c) GDPR)
This applies when we process your personal data to comply with a legal obligation. For example, need to store specific order information due to retention obligations under statutory commercial or tax law.
10.5 Other legal grounds in accordance with GDPR
Other legal grounds according to Art. 6 GDPR may apply depending on the purposes for which we use personal information.
11. RECIPIENTS OF DATA
Within our company, those internal departments or organizational units receive your data which they need to fulfill their tasks, e.g. to answer your questions, for data processing with your consent or to safeguard our overriding legitimate interests.
Data will only be passed on to third parties within the framework of legal requirements and as described with regard to the respective data processing above.
In accordance with Art. 44 para. 1 GDPR, we transfer personal data to a recipient in a third country outside the EU only if an adequacy decision has been issued by the EU Commission for this third country in accordance with Art. 45 GDPR or if appropriate guarantees are complied with in accordance with Art. 46 GDPR and enforceable rights and effective legal remedies are available to the data subjects, or if you have given your voluntary consent.
We will provide you with proof of appropriate safeguards in accordance with Art. 44 et seq. GDPR with regard to any recipients in the context of the data processing described above, if needed, at any time upon request.
12. YOUR RIGHTS
You have the rights explained below with regard to the personal data processed by us concerning you:
12.1 Right of Access
You can request information in accordance with Art. 15 GDPR about your personal data that we process.
12.2 Right to Rectification
If the information concerning you is not (or no longer) accurate, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.
12.3 Right to Erasure
You may request the erasure of your personal data in accordance with Art. 17 GDPR.
12.4 Right to Restriction of Processing
In accordance with Art. 18 GDPR you have the right to request restriction of processing of your personal data.
12.5 Right to Object to Processing
You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data which is carried out on the basis of Art. 6 para. 1 lit. e) or lit. f) GDPR in accordance with Art. 21 para. 1 GDPR. In this case, we will not further process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert and exercise or defend against legal claims (Art. 21 para. 1 GDPR).
In addition, according to Art. 21 para. 2 GDPR, you have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing; this also applies to any profiling, insofar as it is related to such direct advertising.
12.6 Right to Withdraw Consent
Insofar as you have given your consent for processing in accordance with Art. 6 para. 1 lit. a) GDPR, you have the right to withdraw your consent pursuant to Art. 7 para. 3 GDPR at any time without giving reasons. The consequence of this is that we may no longer continue the data processing based on this consent in the future. However, the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
12.7 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format ("data portability") as well as the right to have this data transferred to another controller if the conditions of Art. 20 para. 1 lit. a) and b) GDPR are met.
12.8 Exercise of Rights
If you wish to exercise the above mentioned rights, simply send an e-mail to [email protected].
12.9 Right of appeal to the supervisory authority
Finally, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office. The supervisory authority responsible for our registered office is Bayerisches Landesamt für Datenschutz.
13. RETENTION AND DELETION
We process and store your personal data only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which KGS as the controller is subject to. The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
14. DATA SECURITY
As the controller, KGS has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. Our website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.
15. MODIFICATION OF THIS PRIVACY POLICY
Due to the further development of our website and services or due to changed legal or regulatory requirements, it may become necessary to change this Privacy Policy. In the event of significant adjustments, we will inform you in an appropriate manner. You can call up and print out the current privacy policy at https://kurzgesagt.org/privacy/ at any time.