Privacy policy of QGram

We are very pleased about your interest in QGram. To be able to offer QGram, we of course require certain data about you. We take the protection of personal data very seriously and always process it in compliance with applicable data protection regulations, in particular the European Union General Data Protection Regulation (GDPR). With this privacy policy, we aim to fully inform you about how, why and to what extent we process personal data, and what your rights are as a data subject.

1. Data controller and general information

Your data will be processed by Axel Springer SE, Axel-Springer-Straße 65, 10888 Berlin, phone: +49 30 2591 0, email: information@axelspringer.de (service provider for the purposes of the Act for Telecommunication Media Services (TMG) and data controller for the purposes of the General Data Protection Regulation (GDPR).

When we use terms such as “we” or “us”, this is who we are referring to.

We consider QGram to mean any sub-pages, content and functions (for instance discussion forums, prize draws) present in this document www.qgram.com and the various apps of QGram .Individual elements of QGram are also referred to as “online services” below. The same is meant wherever we refer to a website or app below.

Our services are intended for the general public, and not for children. We do not knowingly collect personal data from users who are regarded as children under applicable national legislation.

2. Collection and processing of personal data

You can usually use online services that do not require payment or registration without providing personal data. In certain cases, however, we may process personal data listed under point 3. This is only done as is necessary to provide a functioning website or app, our content and our services. We also process personal data in connection with the use of QGram insofar as you provide such data voluntarily, for instance for the purpose of registration, a prize draw, sending us an enquiry, submitting an application to us, subscribing to a publication, or some other legal basis (see point 4). If you do not wish to provide personal data, you will unfortunately not be able to make use of our services or will only be able to use them to a limited degree.

3. Categories of processed data

As soon as you make use of QGram, our system will automatically collect information from the computing device accessing the service. The following data may be collected by way of example:

- Information about the browser type and version used

- The operating system of the user

- Date and time of the access

- Web analysis data / pseudonymised user profiles (cookie ID, ad ID, etc.)

- Websites from which the users access our website

- Websites that the users access from our website

We also process the following personal data insofar as there is a contract in effect between you and us or if you have provided us with the data by other means:

- Personal details (name, address, date of birth)

- Contact details (telephone number, email address)

4. Legal basis and purposes of processing

We only process your data on the basis of one or several potential legal bases.

Pursuant to the GDPR, personal data may be processed in particular under the terms of a contract or to perform pre-contractual activities, if consent is provided, if there is a legitimate interest or compelling statutory cause, or if it becomes necessary to protect vital or public interests.

On the internet, every device requires a unique address to transmit data, known as an IP address. This IP address must be stored, even if only temporarily, for technical reasons in order to enable the website to be downloaded to the user’s end device. Unless stipulated otherwise in this privacy policy, we shorten IP addresses prior to any processing and only process IP addresses in anonymised form. Our servers will also store your IP address for a period of 14 days for internal security purposes (Art. 6 para. 1 point f GDPR).

For processing activities encompassed by none or several of the aforementioned legal bases, processing is performed insofar as it is necessary to uphold a legitimate interest and insofar as this interest is not outweighed by your interests, fundamental rights or freedoms following a thorough consideration of the interests as a whole. A legitimate interest can be assumed if the data subject is a customer of the data controller. If personal data is processed on this basis, our particular legitimate interest here is in the performance of our business activities for the benefit of all of our employees and our shareholders.

Another legitimate interest lies in ensuring that business processes function well, and processing is performed in this connection for internal administrative purposes (e.g. address management / accounting).

You can object to processing performed on the basis of a legitimate interest at any time (see point 10).

If data is processed for a purpose other than that specified upon collection, a compatibility test is performed pursuant to Art. 6 para. 4 of the GDPR. Continued processing is then only permitted if the original purpose is compatible with the new purpose or if this processing is permitted on a specific legal basis. Recognised compatible purposes include the establishment, exercise or defence of legal claims under civil law, unless outweighed by an interest of the data subject, in which case we will inform you about the change in purpose. If the new purpose is not compatible with the purpose specified upon collection, the data will be collected again on a new legal basis. We will also inform you about the change in purpose in this case.

5. Place of processing

We personally will not transmit your personal data to countries outside of the European Economic Area, except where permitted by the GDPR. We cannot know and cannot influence whether third parties with whom you have concluded a separate contractual agreement (for instance with Facebook, if you have a Facebook account) transmit data to countries outside of the European Economic Area.

We also process data in countries outside of the European Economic Area (“EEA”). To ensure the protection of your personal rights, including in connection with such data transmissions, we use the standard contractual clauses of the European Commission in accordance with Art. 46 para. 2 point c of the GDPR when establishing contracts with recipients in Third Countries. These are available on demand at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF, and these documents can also be requested from us by contacting us using one of the methods specified below.

For the USA, the European Commission ruled on 12 July 2016 that the terms of the EU-U.S. Privacy Shield provide a suitable level of data protection (adequacy decision, Art. 45 GDPR). Further information – including on the certification of the service providers that we employ – can be obtained at https://www.privacyshield.gov. We only use US service providers certified under the EU-U.S. Privacy Shield.

6. Origin of data

In certain cases, we also receive data because you have consented to its transmission to us.

As you know, apps are regularly provided for download on third-party sites (such as iTunes, Google, etc.). If Axel Springer SE becomes your contract partner for the acquisition of the app under the effective terms of use of such a provider, we will process the data provided to us by the third-party provider to the extent necessary to fulfil the contract so that you can download the app onto your mobile end device.

Information on the use of apps

Our app uses the following permissions for the subsequently listed purposes, which provide it with access to certain functions of your mobile device:

• Gallery - Selection of the background image and saving the photos

7. Transmission of your data to third parties

We will only transmit your personal data to third parties if transmission is required to comply with our contractual obligations to you if this evidently needs to be done through or jointly with another provider (e. g. partnerships), if we are permitted or required by law to transmit the data in any other fashion, or if you have provided us with the corresponding consent.

To provide our service, selected personal data may be transmitted to certain departments within our company, including employees of the Accounting, Product Management, Marketing and IT departments.

In certain cases we also employ external service providers or affiliates commissioned by us to process data on our behalf on the basis of instructions. We ensure that such service providers are contractually bound by the strict terms of the GDPR as data processors and that they are prohibited from using your data for any other purposes. Data processors employed by us provide the following services in particular: web/app analytics tools. See point 8 for details on Web/App analytics tools.

Data is transmitted to data processors on the basis of Art. 28 para. 1 of the GDPR, and also on the basis of our legitimate interest in economic and technical advantages afforded by the employment of specialist data processors as permitted by Art. 6 para. 1 point f of the GDPR.

Insofar as we are required to do so by law or are permitted to do so under data protection law, we will transmit personal data to public authorities such as the police or public prosecution service (Art. 6 para. 1 point c GDPR). This data is transmitted on the basis of our legitimate interest in preventing abuse, prosecuting criminal acts and securing, establishing and enforcing legal claims, unless outweighed by your rights and interests in the protection of your personal data, Art. 6 para. 1 point f of the GDPR.

8. Web/App analytics tools

In order to continuously improve our services and adapt them to the interests of our users, and in order to display usage-based online advertising, we make use of a number of analysis services that collect and analyse data on our website and in the app on our behalf. Where these service providers are not controllers within the meaning of data privacy law, they always process the pseudonymised user data under instruction on the basis of a data processing agreement. You can deactivate the individual analysis services at any time with effect for the future. Specific information on the individual analysis services employed by us can be found below:

Google Firebase

In our apps we use Firebase technology from Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Irland. This is a real-time database that can be used to embed real-time information into our website so that we can better understand user behaviour in our apps and optimise our apps. Other Firebase functions are also used that enable better user navigation or analysis of causes of app crashes:

Firebase Analytics enables the use of our website to be analysed. Information about the use of our app is therefore collected, transferred to Google and stored there. To do so, Google uses the advertising ID of the device. Google uses the information indicated to analyse the use of our app in anonymised form and to provide other services to us that are connected to the use of apps. You can restrict the use of the advertising ID in the device settings (iOS: Privacy / Advertising / No Ad Tracking; Android: Account / Google / Ads).

Firebase Crash Reporting is used to improve the stability of the app. Information about the device used and the use of our app is collected in this respect (e.g. the time stamp indicating when the app was launched and when the crash occurred), enabling us to diagnose and fix problems. You can find more information about how Crashlytics works here: https://firebase.google.com/products/crashlytics/.

Firebase Remote Config enables app settings to be configured so that we can change the app on devices it is installed on, without it having to be completely re-installed from the relevant app store. To this end, device information, language settings and country settings are transferred to Google and processed there. You can find more information about how Remote Config works here: https://firebase.google.com/products/remote-config/.

Firebase Cloud Messaging is used so that push notifications or in-app messages can be sent. A pseudonymised push reference is assigned to the mobile device in this respect, which is used as the destination for push notifications or in-app messages. Push notifications can be disabled and enabled again at any time in the settings of the mobile device. You can find more information about how Cloud Messaging works here: https://firebase.google.com/products/cloud-messaging/.

More information can also be found in the Firebase privacy policy at https://www.firebase.com/terms/privacy-policy.html. In the app, tracking by all Firebase services can be blocked, taking future effect, by adjusting the slider accordingly.

9. Storage duration

We only store personal data as long as we are authorised to do so and as long as the purpose of processing is still relevant. Statutory retention periods govern how long personal data is stored for. Once this period has expired, the corresponding data is routinely erased, provided it is no longer needed to initiate or perform a contract.

10. Contact details and your rights as a data subject

Should you have any queries or comments on data protection and privacy or wish to exercise your rights as a data subject, please contact our data protection officer at any time:

Axel Springer SE
Datenschutz
Axel-Springer-Straße 65
10888 Berlin
datenschutz@axelspringer.de

Information and rectification

You can receive information at any time and at no charge about whether we are processing personal data related to you and also about which information we are specifically storing about you. You are also entitled to receive a copy of the stored information. You can also have errors in your data corrected and missing information completed.

Erasure, restriction of processing and “right to be forgotten”

You can request that your data be erased and its processing restricted. Please note that statutory retention obligations are in effect for contracts relating to paid services (such as the purchase of a subscription to QGram) and that we will therefore not always be able to fully erase your data completely in all cases. In this case, your data will be labelled to the effect that future processing should be restricted.

Data portability

Where applicable, you also have the right to have your personal data transmitted to you or to another data controller in a structured, standardised and machine-readable format, as long as processing is performed on the basis of consent or contract using automated procedures. This does not apply, however, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. You also have the right to have the personal data transmitted directly from one data controller to another, provided that it is technically feasible to do so and does not infringe upon the rights and freedoms of other persons.

Withdrawal of consent, objecting to processing

You can withdraw your previously-given consent at any time with effect for the future by contacting the aforementioned address.

Moreover, you have the right to object to the processing of your personal data at any time (where such processing is based on a legitimate or public interest) for reasons arising from your particular circumstances. This also applies to profiling activities based on these provisions. If such an objection is received, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, of if the processing is for the establishment, exercise or defence of legal claims.

If we are processing personal data for the purpose of direct marketing, you have the right to object to the processing of your personal data at any time for the purpose of such marketing by contacting the aforementioned address. This also applies to profiling insofar as it is connected with such direct marketing. You also have the right to file an objection for reasons arising from your particular circumstances against processing of your personal data that we are engaged in for scientific, historical research or statistical purposes, unless such processing is required to perform a task that is in the public interest.

Right of complaint

You also have the right to submit a complaint to the competent supervisory authority and to seek legal remedies. The supervisory authority to whom the complaint was submitted will notify the complainant about the status and result of their complaint, including the option of seeking a legal remedy through a court of law.

Existence of automated decision-making processes

We do not perform any automated decision-making or profiling.

Last revised: July 16, 2019