Jimdo GmbH, Stresemannstr. 375, 22761 Hamburg, Germany ("Jimdo" or "We"), as the Jimdo Finance App provider, would like to explain to Jimdo Finance App users ("You" or "Jimdo User") how your personal data is processed when you use the Jimdo Finance App. This privacy notice applies exclusively to our Jimdo Finance app. For information on the processing of your personal data as a Jimdo customer in connection with your use of the Jimdo Online Service, please refer to the Jimdo Platform Privacy Notice.
Table Of Contents
- In Section 1 you can find the Jimdo Contact Information.
- In Section 2 you can find information about the Cooperation between Jimdo & Solarisbank.
- In Section 3 you can find information about the processing of your personal data via the Jimdo Finance App.
- In Section 4 you can find information about the transfer of data to third countries.
- In Section 5 you can find information about how long your personal data is stored.
- In Section 6 you can find information about your rights in connection with the processing of your personal data.
1. Contact information
1.1 Contact information for Jimdo GmbH
Jimdo GmbH, Stresemannstraße 375, 22761 Hamburg, privacy(at)jimdo.com
1.2 Contact details of the Jimdo data protection officer
Jimdo has appointed a Data Protection Officer who can be reached at the following address:
B3 Datenschutz GmbH, Papenbergallee 34, 25548 Kellinghusen, privacy(at)jimdo.com
2. Cooperation with the Solarisbank
Solarisbank is a provider of banking services with a German banking license. While Jimdo manages your bank account on behalf of Solarisbank and provides you with your overview and related features under a user agreement, Solarisbank is the account-holding bank.
2.1 Data Processing in accordance with Article 28 GDPR
The processing of your personal data in connection with the provision of banking services generally falls within the responsibility of Solarisbank, as the provider of the banking services. In this respect, some purposes and means of the personal data processing are defined exclusively by Solarisbank (e.g. the data collection required for registration or transaction-related data), so Jimdo and Solarisbank have concluded a data processing agreement in accordance with Article 28 GDPR for these processes.
2.2 Joint Controllership in accordance with Article 26 GDPR
Jimdo will forward to Solarisbank all data collected from you in the course of registering and using the Jimdo Finance App, which at the same time serves to execute the customer contract with Solarisbank. Solarisbank requires your data in order to fulfill the payment service framework agreement concluded with you. Only because Solarisbank executes the customer contracts on behalf of Jimdo can Jimdo fulfill the User Agreement (i.e. the Agreement entered into between You and Jimdo for the provision of the Jimdo Finance App as evidenced in your acceptance of the Jimdo Finance App Terms and Conditions) concluded with you for the management of the bank account via the Jimdo Finance App.
2.3 The essential Aspects of the Joint Controllership Agreement
In general, the collection, processing and use of personal data in connection with the provision of banking services is the responsibility of Solarisbank and in connection with the User Agreement is the responsibility of Jimdo.
With respect to these processing activities, Solarisbank and Jimdo are Joint Controllers pursuant to Art. 26 GDPR and jointly determine the purposes and means of processing the data. As Jimdo remains the customer's contact partner, Jimdo will respond to all inquiries from data subjects, including those concerning personal data processed by Solarisbank.
In addition, Solarisbank and Jimdo have jointly undertaken to notify each other as soon as they become aware of a data protection violation or a suspected violation of data protection law.
You can find the data protection notice of our cooperation partner Solarisbank here: https://www.solarisgroup.com/customer-information/germany/de-iban/english/customer-information-on-data-processing
3. The Data Processing
3.1 Data Processing via the Jimdo Finance App
Jimdo uses your personal data as a Jimdo Finance App User primarily to fulfill and perform the contract with you and to provide our Jimdo Finance App services (Art. 6 (1) (b) GDPR). This encompasses the following processing activities:
3.1.1 Jimdo Finance App Login, Registration and Use
To use the Jimdo Finance app, you must first download the Jimdo Finance app from the Apple App Store and/or the Google Play Store. This involves a data transfer to Google or Apple, which is explained accordingly in the respective App Store / Play Store privacy notices.
Before you can apply for a bank account via the Jimdo Finance app, you must register in the Jimdo Finance app to be able to log in. The next step will be to create a User Profile i.e. to apply to open a bank account.
For these purposes, we process Login Data, User Profile Data, Onboarding Data and Bank Account Data, as well as Transaction Data. The processing serves the preparation and fulfillment of our contractual obligations (Art. 6 (1) (b) GDPR). As part of the processing, we transfer the personal data to the following categories of recipients: joint controllers, as well as hosting providers. We transfer the personal data to processors in the USA for this purpose. For information on the transfer of personal data to third countries, see section 4. For information on the duration of storage of the various categories of personal data, see section 5.
3.1.2 Verification of Identity
When you apply to open a bank account or create a User Profile in the Jimdo Finance App, you enter into a payment services framework agreement with Solarisbank. Due to the German Money Laundering Act ("GwG"), Solarisbank as a banking institution is obliged to verify your identity and age when you open a bank account. The video identification process, which requires a valid identification document, is used to verify your identity. During the creation of your User Profile within the Jimdo Finance App, you will be directed to the video identification process via a link. Successful completion of the video identification process is a prerequisite for the provision of the services offered by Jimdo via the Jimdo Finance App.
3.1.3 Error Analysis, Crash Reporting
In order to improve the stability and reliability of the Jimdo Finance App, we rely on anonymized crash reports. The data is stored and analyzed in anonymized form. This means that we store the data in a form that does not allow identification of the data subject. Crash reports are only sent with your explicit consent. When using iOS apps, you can give your consent in the settings of the app or after a crash (via a device prompt). For Android apps, you have the option to generally agree to the transmission of crash notifications to Google and app developers when setting up the mobile device. The legal basis for the data transfer in this case is Art. 6 (1) (a) GDPR.
3.1.4 Security of the IT infrastructure and Log information
We temporarily store data in log files on our web server and evaluate them to ensure the security of the IT infrastructure used for the provision of the app, in particular for the detection, elimination and evidentiary documentation of faults. For the processing described, we use App-HTTP-Data. The Jimdo server automatically collects data from logged-in Jimdo Finance app users in a so-called app activity log about the way the Jimdo Finance app was used. The information is used to analyze and maintain the technical operation of our servers and network and thereby improve the Jimdo Finance app, as well as to combat abuse. For these purposes, we process usage data, event data, onboarding data, and App-HTTP-Data. The legal basis of this processing is the fulfillment of the contract concluded with you pursuant to Art. 6 (1) (b) GDPR as well as our legitimate interest (Art. 6 (1) (f) GDPR) in: providing the content of the app accessed by you; ensuring the stability as well as the improvement of our app; and ensuring the security of the IT infrastructure used for the provision of the app, in particular for the detection, elimination and evidentiary documentation of faults. We have implemented control mechanisms to align our interests with the rights of the Jimdo Finance App user.
As part of these processing operations, data is transferred to the following categories of recipients: hosting providers; error detection and resolution services; performance monitoring and logging providers; log data analysis tools. Your personal data will be transferred to processors in the United States for this purpose. For information on the transfer of personal data to third countries, see section 4. For information on the duration of storage of the various categories of personal data, see section 5.
3.1.5 Push Notifications
If you have provided your consent, Jimdo will send you push notifications or in-app messages with information about functionalities and activities in the Jimdo Finance app (e.g., about your new transactions, etc.). A pseudonymized Device Token ID is assigned to the end device, i.e. a unique connection number generated from the device ID, which Jimdo can use to address the push messages or in-app messages to you, as the Jimdo Finance App User. You can adjust your consent to be notified by in-app messages at any time in the app settings.
For this purpose, we process In-App-Notification-Data. This includes, for example, your consent. The legal basis of the processing is your consent (Art. 6 (1) (a) GDPR). You can revoke your consent at any time via the app settings.
In the course of processing, your data will not be transmitted to other recipients. Your data stored for this purpose will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Your data will therefore only be stored as long as the subscription for push notifications is active.
3.1.6 Fraud prevention and anti-money laundering checks
When you install the Jimdo Finance App to use the banking services offered by Solaris SE, Cuvrystraße 53, 10997 Berlin, Germany (“Solaris”), and on an ongoing basis while you use such services, Solaris will perform risk assessments for fraud prevention and anti-money laundering purposes. For such purposes, Solaris uses SEON Technologies Kft. (Rákóczi út 42. 7. em., Budapest 1072, Hungary) as a service provider under a data processing agreement with Solaris in accordance with Art. 28 GDPR. For the processing activities described in this section, we have entered into a joint controllership agreement with Solaris (Art. 26 GDPR). We will provide you with further information at any time upon request.
In order to perform the risk assessment, the following browser data, device data, traffic data and location data are collected from your mobile device and transmitted to Solaris: IP address including type (e.g. commercial, mobile line, university) and whether it is listed as harmful, TOR value, VPN, proxy, number of accessories attached to your device, whether your phone is muted or not, device system’s volume, country code and name of carrier (a) associated with the SIM card and (b) the device is currently using, device model type and unique identifier, system uptime, iCloud token, version and name of device given by the user in iOS settings, when the device last booted in UNIX time format and UTC time zone, country code and ID associated with device, cookie session ID, and browser details / settings including scrolling behavior. Solaris as an independent controller (Art. 4 Nr. 7 GDPR) may add additional information and will then transfer such data to SEON along with your email address, name and phone number for performance of a risk analysis regarding potential fraudulent or other illicit activities. SEON analyses this personal data based on a mathematically-statistically recognised and proven procedure and will provide Solaris with a fraud risk score. As part of the analysis, SEON may perform email analysis, social media lookup or address profiling. Based on the analysis and risk score, you will be able to complete your registration, be rejected as a new customer, or may be guided through an extended registration process. The decision-making process is automated. If you want to challenge the automated decision and want to have a human review of this automated decision, you can get in touch with us by contacting email@example.com. Once you have given your consent and are onboarded, Solaris will continuously collect the above data and perform additional risk analysis via SEON for ongoing fraud risk assessment. 
The legal basis of the processing is your consent and the implementation of necessary steps for entering into a contract requested by you (Art. 25 TTDSG, Art. 6 (1) lit. a, Art. 22 (2) lit. a GDPR). While you are free to give your consent, as a new customer you cannot use the banking service provided by Solaris without consenting, because the fraud prevention and anti-money laundering check is necessary for a secure provision of the banking services by Solaris. As a licensed bank, Solaris has a statutory obligation to fight money laundering by setting up a functioning risk management system and internal security measures as well as an ongoing screening of customers’ activities (sections 4, 6 and 10 of the German Anti-Money-Laundering Act). You can withdraw your consent with effect for the future at any time by email to firstname.lastname@example.org, but without consent you will not be able to continue using Solaris’ services. Your personal data will be stored until the purposes of processing these data as set forth above have been achieved, and be deleted within 12 months after performance of the risk assessment at the latest, unless statutory retention obligations apply (e.g. under anti-money laundering, commercial or tax law).
3.2 Customer Support
You can contact us with questions by email, via a private message in the “settings” area of the Jimdo Finance App, via our contact form on our website(s) or via our live chat (when available). In addition, we offer the option of talking to a Jimdo employee over the phone to discuss your query. We store your query in a ticket system in order to process it and to improve and make our service more transparent. Personal information is only used to deal with your query and to authenticate your identity. This is necessary so we can ensure that we do not give out information to an unauthorized person. When a customer query is submitted via the Jimdo Finance App, we automatically collect client-user-agent-data, i.e. browser type, system language, app version, and the device from which you sent the query. This information helps our support team to understand the issue and provide comprehensive support.
In addition, you have the option of sharing your experiences with customer support with us after your issue has been successfully dealt with. Feedback takes place directly in the ticket dialog. We only use the feedback to improve our Jimdo customer support. If you no longer wish to receive support feedback requests you can send us an email at any time to specify your wishes (privacy(at)jimdo.com) and we will then register your opt-out request in our system. We also analyze the queries dealt with by our Customer Support team to improve our customer support. Furthermore, we evaluate individual user enquiries in pseudonymous form for the further development and improvement of our services.
In order to provide the contact form and the live chat function on our website, information from the contact form session/live chat session may be stored in cookies on your device. The cookies and the information stored in them may be read whilst you use the contact form/the live chat function in order to maintain your session.
We process query data, communication device data, and communication data. The legal basis for processing the data is our legitimate interest in answering customer queries and improving our support services (Art. 6 (1) (f) GDPR), as well as fulfilling the contract concluded with you in accordance with Art. 6 (1) (b) GDPR. Should the contact be intended to conclude a contract or perform services as part of a contract then our legitimate interest is taking steps prior to entering into a contract or contractual measures (Art. 6 (1) (b) GDPR). We transfer your data to the following categories of recipients as part of this processing: Customer support service providers, providers of customer support analysis software. We transfer your personal data to processors in the USA for these purposes. You can find information about the transfer of personal data to third countries in Section 4. Information about the length of time for which the various categories of personal data are stored can be found in Section 5.
3.3 Legal Obligations and Protecting Vital Interests
In addition to the purposes of processing stated above, Jimdo may also be obligated to process personal data for legal reasons (Art. 6 (1) (c) GDPR).
This applies especially in the following cases:
- When participating in investigations and proceedings carried out by state bodies (authorities and/or courts), in particular to clarify, investigate, and prosecute illegal acts.
- Fulfillment of statutory right to information requests that third parties have made to us (such as in the event of an infringement of intellectual property rights or other illegal activities).
- Retention and storage of personal data to fulfill statutory retention obligations (further information about the storage of your data by Jimdo can be found in Section 4).
In addition, Jimdo may process personal data in order to protect your vital interests or the vital interests of another individual (Art. 6 (1) (d) GDPR). This applies especially in the following cases:
- Prevention, detection, containment, and investigation of illegal activities that may lead to an impairment of your vital interests or the vital interests of another natural person, unless there is already a legal obligation to do so.
As part of the processing outlined above, your data may be transmitted to the following categories of recipients: Prosecutorial authorities, courts, other governmental bodies, third parties (who assert statutory right to information requests against us or who are involved in legal proceedings if they provide us with a legal order, court order, or equivalent legal order), external service providers/(sub)contractors, payment service providers, etc. In the event that personal data is transferred to third countries, this will only be done in strict compliance with the relevant legal provisions. Information about the length of time for which the various categories of personal data are stored can be found in Section 5.
4. Data Transfers to Third Countries
Jimdo ensures that your data is processed in the EU or in the European Economic Area. Should this not be possible and data needs to be transferred to a third country, Jimdo will ensure, after prior review, that an adequate level of data protection that meets the requirements of the Court of Justice of the European Union and the EU Commission is adhered to in the country the data is transferred to.
In these cases, the data is transferred on the basis of an Adequacy Decision of the European Commission or the Standard Contractual Clauses for the transmission of personal data to third countries in its currently valid version. These can be accessed here. In addition to the standard contractual clauses, we examine within our standard framework of a transfer impact assessment, the relevant laws of the third country, their potential impact on the data subjects, as well as which further measures we can take to protect the personal data concerned and the overall risk of the data transfer. In each case we document our results and can make them available to the competent supervisory authority upon request.
Data transmission to a third country may also take place on the basis of your consent. You will be provided with details of this separately, if applicable.
5. Storage duration of your personal data
We store your personal data for various reasons (such as technical reasons and legal reasons) for different durations. Generally, we only store your data for as long as necessary for the respective purpose or where we are contractually or legally obligated to store the data for a longer period.
We store HTTP data and server log files for a maximum of three (3) months unless there is a security incident. In the event of a security incident, server log files will be stored until the incident has been rectified and fully investigated.
We store and use the data provided to us by Jimdo users to process contracts. After the contract has been implemented in full or the customer’s account has been deleted, the data will be blocked taking fiscal and legal retention periods into consideration and then erased after the expiry of such periods, provided the Jimdo user has not expressly consented to the further use of their data or where we are permitted by law to further use the data, which the user will be informed about separately.
6. Your Rights as a Data Subject
As the data subject, you have the following rights with regard to the processing of your personal data by Jimdo, provided the respective legal requirements are met:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure ("right to be forgotten") (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Please use the information in Section 1 to contact us if you wish to exercise your rights.
We are obligated to carefully verify your identity when dealing with your requests to exercise your rights. Please note that we reserve the right to request further information or proof of your identity depending on the sensitivity of the data. This is in place to protect your data against access by unauthorized third parties.
We reserve the right to not process inquiries which are received with unreasonable frequency or without corresponding proof of identity. You will be separately informed of this.
Your request and notification will be stored on our system for a period of two (2) years. Any copies of proof of identity that we receive will be immediately destroyed after your identity has been verified. The legal basis for processing is Article 6 (1) (c) GDPR.
- "App-HTTP-Data" refers to protocol data that has arisen by design when accessing the Jimdo Finance App via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes your IP address, the type and version of your browser, the operating system you used, the page you accessed, as well as the date and time of your visit.
- "Query data" means data that you have shared with us as part of the request. This includes all/some of the following: title, first name, surname, postal address (invoice address), telephone number, email address, and the content of your query.
- "Processor" means a natural or legal person who processes personal data on behalf of the controller (here Jimdo, or you as our customer).
- "Bank Account Data" refers to the IBAN and BIC provided by Solarisbank after successful registration, as well as the name of the Account Holder.
- "Client-User-Agent-Data" refers to the browser type, system language, app version and the device from which you sent the support query or on which the problem occurred in the Jimdo Finance app.
- "Communication data" refers to data that you have provided to us when communicating with us. This includes information that you have provided to us for example via the contact form in the Jimdo Finance App, by email or via a chat bot. This may primarily include the following data: Name, date of birth, address, telephone number, email address, and the content of your query.
- "Communication Device Data" means data that has been assigned to your device when using the respective communication channels. This includes a unique session ID for your communication session as well as the expiry date of your session.
- "Controller" means an individual or legal entity, public authority, agency, or other body that, either alone or jointly with others, decides on the purposes and means of the processing of personal data.
- "Device data" refers to data that has been assigned to your device via app analysis software.
- "Event data" refers to data that the app analytics tool collects by associating it with the unique User ID of the respective Jimdo Finance App User. This includes actions that take place in the app (so-called "Events").
- "International Organization" refers to an organization under international law and its subordinate bodies or any other body created by or on the basis of an agreement concluded between two or more countries.
- “In-App-Notification-Data” refers to the data you provide to manage in-app messaging settings for the Jimdo Finance app and the data associated with your End Device when you use the Push Notification Settings Management feature.
- "Login Data" refers to data that is generated when you register for and log in to the Jimdo Finance App. This includes your email address and your password, as well as your telephone number. It also includes a unique ID for the session during which you are logged in (so-called "Session ID"), as well as the expiration date of your respective session.
- "Onboarding Data" refers to data required by Jimdo and, vicariously, Solarisbank to troubleshoot app issues, identify Jimdo Finance app users, provide customer support, and ensure that you have a positive, hassle-free onboarding experience as a Jimdo Finance App User. In particular, this is the data used to track the Jimdo Finance App User's progress in the registration process, including the time and date of completion of the registration steps ("Event Data" as well as Usage Data, User Profile Data, End Device Data and Client User Agent Data).
- "Personal data" or "Data" means all information which can be attributed to an identified or identifiable natural person ("data subject"); a natural person is deemed to be identifiable if they can be directly or indirectly identified, in particular by an identifier, such as a name, identification number, location data, online identifier, or by one or more particular characteristics specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.
- "Processing" refers to any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Recipient" refers to an individual or legal entity, public authority, agency, or other body to which Personal Data is disclosed, whether it is a third party or not.
- "Third country" refers to a country which is not a Member State of the European Union ("EU") or a signatory to the Agreement on the European Economic Area ("EEA").
- "Third party" refers to an individual or legal entity, public authority, agency, or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.
- "Transaction Data" refers to data required by Solarisbank to provide the basics of the banking service, including transaction type, date, amount, beneficiary/sender account number & BIC, customer reference.
- "User Profile Data" or "Account Registration Data" refers to data that you provide to us, or rather via Jimdo to Solarisbank, in the respective registration form in the App in order to register for a bank account for the first time (i.e. the creation of a User Profile). This primarily includes the following mandatory information: Email address, name, postal address, date of birth, place of birth, gender, phone number, profile picture/avatar, title, contact address, nationality, country of permanent residence, employment status, tax information, country in which you are taxable, whether you are taxable in the U.S., marital status, website/social media presence, business name and address, as well as technical information, such as: The operating system used by the accessing system, browser types and versions used, the website from which an accessing system accesses our website (so-called referrer), the sub-websites that are accessed via an accessing system on our website, the date and time of access to the website, IP address, internet service provider of the accessing system.
- "Usage Data" according to § 15 TMG [German Telemedia Act] includes information about the type, scope and time of use of the app. This data identifies you or your device directly and is partly stored in your device, e.g. as log files. Some Usage Data is collected during the use of our services and products. With this data, it is possible for us to quickly detect and correct any errors that occur and to continuously develop our services for you.