Privacy Policy for the Use of the roclub Platform
Version 6 as of May 27 2024
In the context of the use of the roclub platform (hereinafter "roclub" or "roclub platform"), personal data (hereinafter "personal data" or "data") are processed by the data controller and stored for the period necessary to fulfill the specified purposes and legal obligations. In the following, we provide information about what data is involved, how it is processed, and what rights the data subjects have in this regard.
1. Name and Contact Details of the Controller and the Data Protection Officer
This Privacy Policy applies to data processing in the context of the use of the roclub Platform by the responsible party:
roclub GmbH
Windscheidstr. 20
10627 Berlin
Germany
www.roclub.com
E-mail: privacy@roclub.com.
If you have any questions about data protection law or your data subject rights, you can contact the data protection officer at any time:
DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49 89 7400 45840
www.dataguard.de
2. Processing of Personal Data and Purposes of Processing
a) Use of the Platform
In the course of using the roclub Platform, we collect and process the following log files and data:
- Date and time of login and logout operations
- IP Address
- Browser type and version, operating system type, and version
- Dates and times of the pages accessed and functions performed
The legal basis is Art. 6 (1) p. 1 lit. f GDPR. Our legitimate interest in data processing lies in the trouble-free and smooth provision of the Platform. The data collected is stored for 30 days. The data is then deleted.
b) Registration and User and Customer Account
For the use of the roclub Platform, registration and the creation of a personal user account are required. We store your personal data in this user account to provide you with the Platform's range of services, enable easy, fast, and direct operation, and comply with documentation obligations.
To create a password-protected user account, we collect the following data from you in particular:
- Contact information (e.g., name, gender, e-mail address, phone number)
- Profile data (e.g., photo, job title)
- Company affiliation and role assignment
For the use of the services of the roclub Platform, it is additionally necessary to set up an account for the organization. In particular, the following personal data is stored in this customer account:
- Contact details of the organization's contact person and legal representatives (e.g., name, e-mail address, telephone number)
The legal basis for the data processing is the performance of a contract or contract-like agreements concluded between you, the Customer, and us according to Art. 6 (1) p. 1 lit. b GDPR. After the deletion of your user account or the customer account, the personal data processed here will be deleted for further use unless we are obliged to store it for a longer period of time due to legal storage and documentation obligations or you have consented to the storage beyond this in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.
c) Payment Information
In the course of payment and invoicing for the provision of the roclub Platform, the following personal data of yours will be processed:
- Contact details
- Invoice data
The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR, i.e., the data processing is necessary to perform the contract concluded with the Customer. After deletion of your customer account, the personal data processed here will be deleted for further use unless we are obliged to store it for a longer period of time due to statutory retention and documentation obligations, or you have consented to the storage beyond this in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.
d) Use of the Platform in the "Marketplace" Option
Within the scope of using the roclub Platform in the "Marketplace" option, users can offer their services as employees of an organization or as self-employed persons to other organizations via the Marketplace.
Users who wish to offer their services through the Marketplace must create a Marketplace profile. The following personal data of the user is stored in this profile:
- Information on training (e.g., training periods, vocational qualifications, language skills)
- Work experience information
- Information on other skills and knowledge
- Data for verification of training and skills and knowledge
- Services offered
- Availabilities for bookings of the services
When booking and performing services, the following data is stored, for example:
- Contract data for bookings (e.g., date, time, type of service, price)
- Invoice and payment data of the services processed via the Marketplace
- Reviews
- Usage data of the Platform
- Booking data of the booked sessions
- Availability date of the users
- Contract data for bookings
- Chat logs between users in the Marketplace
The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR, provided that the processing is within the scope of the essential service of the Platform. Furthermore, the legal basis is in Art. 6 para. 1 p. 1 lit. f GDPR, as we have a legitimate interest in the above purposes. After the deletion of your user or customer account, the personal data processed here will be deleted for further use unless we are obliged to store it for a longer period of time due to legal storage and documentation obligations or you have consented to the storage beyond this in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.
e) Contacting the Platform
You can send general inquiries to us via the contact indicated under item 1. In this context, we process the personal data received, in particular your e-mail address, telephone number, and - if you provide it - other information. We process the personal data to respond to your request.
The data processing is carried out in the context of answering the contact request on the basis of our legitimate interest in answering requests, according to Art. 6 para. 1 p. 1 lit. f GDPR. If your request is aimed at concluding a contract with us, Art. 6 para. 1 p. 1 lit. b GDPR is the legal basis for data processing. The personal data will be erased as soon as your inquiry has been finally answered, and the deletion does not conflict with any legal obligations to retain data.
3. Transfer of Personal Data
a) General
A transfer of your personal data to third parties only comes into consideration if:
- You have given your express consent to this in accordance with Art. 6 para. 1 p. 1 lit. a GDPR
- As far as this is legally permissible and necessary according to Art. 6 para. 1 p. 1 lit. b GDPR for performing a legal contract with you
- In the event that there is a legal obligation for the transfer following Art. 6 para. 1 p. 1 lit. c GDPR
- Insofar as this is legally permissible and necessary in accordance with Art. 6 para. 1 p. 1 lit. f GDPR to protect our legitimate interests or those of third parties
The data transferred may be used by the third party exclusively for the purposes stated. A transfer of personal data also takes place in the context of the use of processors.
b) Third-Country Transfer
In connection with data processing by roclub, data may be transferred to third countries, i.e., to recipients outside the EU or the European Economic Area (EEA). As far as a decision of the European Commission on the existence of an adequate level of protection (cf. Art. 45 para. 3 GDPR) exists with regard to the third country, no additional measures are required for the data transfer. In the case of data transfer to recipients located in the USA, this is carried out on the basis of the so-called Transatlantic Data Privacy Framework (TADPF) of July 10th, 2023, provided that the recipient has the corresponding certification. A listing of currently certified companies can be found on the Data Privacy Framework website (https://www.dataprivacyframework.gov/s/participant-search). In other cases, as well as in the case of data transfers to other so-called non-secure third countries, a data transfer only takes place if the prerequisites of Art. 46 et seq. GDPR are met. In concrete terms, this means that a transfer to a third country only takes place if:
- Sufficient so-called safeguards are provided by the recipient in accordance with Art. 46 GDPR for the protection of personal data
- You have expressly consented to the transfer, after we have informed you of the risks in accordance with Art. 49 para. 1 lit. a GDPR
- The transfer is necessary for the performance of contractual obligations between you and us
- Another exception pursuant to Art. 49 GDPR applies
Which of the aforementioned bases applies in individual cases is shown to you at the respective processing. Data transfers to recipients located in the USA that do not have a TADPF certification and with regard to which an adequate level of data protection cannot be established by means of guarantees within the meaning of Art. 46 GDPR will only be carried out with your consent within the meaning of Art. 49 para. 1 lit. a GDPR. We would like to point out that for recipients based in the USA without TADPF certification, it is not possible to guarantee an adequate level of data protection comparable to that in the EU. The following risks, therefore, exist with such a transfer of personal data: There is a risk that US authorities may gain access to personal data on the basis of the PRISM and UPSTREAM surveillance programs based on Section 702 of FISA (Foreign Intelligence Surveillance Act) and on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens have no effective legal protection against these accesses in the USA or the EU.
c) Deployment and hosting of the software-as-a-service application
For the provision and hosting of the Software-as-a-Service (SaaS) application, we use the services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg (hereinafter "AWS"); Bubble Group, Inc, 22 W 21st Street, 2nd Floor, New York, NY 10010 (hereinafter "Bubble.io"), Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland (hereinafter "Google Cloud"), as well as Xano, Inc., 20700 Ventura Blvd. Ste 210 Woodland Hills, California 91364, USA (hereinafter "Xano").
The offer of a platform requires the commissioning of services for the provision and hosting of SaaS applications. The use of AWS, Bubble.io, Google Cloud and Xano takes place in accordance with Art. 6 para. 1 p. 1 lit. b GDPR due to our legitimate economic interest in providing our offer on this Platform. In connection with hosting, the service providers process personal data on our behalf that is generated when using the Platform.
We have entered into a Data Processing Agreement with AWS, Bubble.io, Google Cloud and Xano, respectively. Through this contract, the service providers assure that they process the data in accordance with the GDPR and ensure the protection of the rights of the data subject.
The data processing site for these service providers is Germany.
AWS and Bubble have a TADPF certification for the third-country transfer at hand.
d) Accounting
We use the DATEV service of DATEV eG, Virnsberger Straße 63, 90431 Nuremberg (hereinafter "DATEV") and Pathway Solutions GmbH, Alstertwiete 3, 20099 Hamburg, Germany (hereinafter "Pathway") for accounting. Data necessary for accounting purposes will be passed on. Your data will be passed on exclusively for accounting purposes. The legal basis for the use of the service is our legitimate interest in efficient accounting, according to Art. 6 para. 1 p. 1 lit. b GDPR.
We have concluded a Data Processing Agreement with DATEV.
Through this contract, DATEV assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The data processing site for these service providers is Germany.
e) Payment processing
We process payments using the payment service provider Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter "Stripe"). The information necessary for billing purposes provided during the registration process is passed on along with information about your bookings (e.g., name, address, account number, bank routing number, credit card number if applicable, invoice amount, currency, and transaction number). This only applies if the data subject acts as the contact person for the recipient of the invoice and for the "marketplace" option, in which the data subject acts as the contractual partner and their personal data can therefore be processed. The transfer of your data takes place exclusively for the purpose of payment processing with the payment service provider. The legal basis for using the service is our legitimate interest, according to Art. 6 para. 1 p. 1 lit. f GDPR to be able to offer you an efficient and secure payment service.
We have concluded a Data Processing Agreement with Stripe. Through this contract, Stripe assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The data processing site for this service provider is Germany.
Stripe has a TADPF certification for the third-country transfer at hand.
f) User authentication and authorization
We use the services of Auth0, 0900 NE 8th Street, Bellevue, WA 98004, USA (hereinafter "Auth0") to facilitate identification and authentication in order to provide secure authentication and authorization of users. The use of Auth0 is in accordance with Art. 6 para. 1 p. 1 lit. f GDPR based on our legitimate economic interest to provide you with an authentication and authorization service.
We have concluded a Data Processing Agreement with Auth0. Through this contract, Auth0 assures that it will process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The data processing site for this service provider is Germany.
Auth0 has TADPF certification for the third-country transfer at hand.
g) Video conference
We use the Daily service of Daily, Co, 548 Market St, Suite 39113, San Francisco, California 94104 US (hereinafter "Daily") and Livekit, Inc., 12151 Saraglen Drive, Saratoga, California, 95070, USA (hereinafter "LiveKit") as a video conferencing system and to conduct video conferences between users of the Platform. The legal basis for the processing is the performance of the contract, according to Art. 6 para. 1 p. 1 lit. b GDPR.
We have concluded a Data Processing Agreement with Daily and LiveKit, respectively. Through this contract, the service providers assure that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
Both service providers process data in Germany.
Daily and LiveKit have a TADPF certification for potential third-country transfer at hand.
h) Sending of E-mails and notifications
We use the services novu of Noti-Fire Apps Ltd., Derech Ben Gurion 132, Ramat Gan, Israel (hereinafter "novu") and Twilio of Twilio Ireland Limited, 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland (hereinafter "Twilio") for further notifications in the context of the roclub app. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.
We have concluded Data Processing Agreements with novu and Twilio. Through these contracts, the service providers assure that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The data processing location of novu and Twilio is Germany.
i) User and customer support
For the processing of user and customer requests, support tickets, as well as user and customer communication, we use the service HubSpot of HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA. For the processing of requests, necessary data such as surname, first name, telephone number, and e-mail address are collected via our website or the Platform. In principle, inquiries are also only possible with the specification of the e-mail address and without specifying your name. We use HubSpot to process requests quickly and efficiently. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.
The data processing site is Germany. Furthermore, HubSpot has a TADPF certification for potential third-country transfer at hand. Additionally, we use services of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland (hereinafter "Microsoft") to ensure further customer communication. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The place of data processing for Microsoft services is Germany. However, data may also be transferred to the USA for individual functionalities. Microsoft Corporation is certified according to the EU-US Data Privacy Framework, so that the EU Commission's adequacy decision of 10 July 2023 applies. We have concluded a data processing agreement with Microsoft.
j) Contract management
We use the PandaDoc service from Pandadoc Inc, 3739 Balboa St. #1083, San Francisco, CA 94121, USA (hereinafter "PandaDoc") for the secure and legally valid signing of documents. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
The data processing site is Germany.
We have concluded a data processing agreement with PandaDoc. Through this contract, PandaDoc assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
k) Logistics and order management
We use the service Billbee from Billbee GmbH, Arolser Str. 10, 34477 Twistetal, Germany (hereinafter referred to as "Billbee") for the management of logistics and order processes. Address data of contractual partners are passed on for the processing and administration of orders. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.
We have concluded a data processing agreement with Billbee.
The place of data processing is Germany. Through this contract, PandaDoc assures that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject.
l) Analysis of user activities
We use the service Clarity from Microsoft within our application. Clarity is a tool for analyzing user behavior that provides insight into how users interact with our app through session recordings. Interactions such as mouse movements and clicks are recorded based on pseudonymized user IDs. Individual recordings cannot be assigned to specific users.
Furthermore, no personalized content is recorded or analyzed. This is ensured by the function of so-called data masking, in which fields with potentially personal data are hidden. Equally, the transmitted image of the medical device is completely excluded from the recording. All data processing takes place in Germany.
Clarity sets cookies on your device. You will initially be asked for your consent when you access our app. The integration of the Clarity cookie, which is not technically necessary, is based on your expressed consent, which you can give via the cookie banner. The basis for the storage and access to information in this case is § 25 para. 1 TTDSG with Art. 6 para. 1 lit. a), Art. 7 GDPR. You can revoke your consent at any time with effect for the future or grant it again at a later date by configuring your cookie settings accordingly.
The provisions of the Telecommunications Telemedia Data Protection Act (TTDSG) apply to the storage of information in the end user's terminal equipment and/or access to information already stored in the end user's terminal equipment.
m) Freelancers
We engage freelancers to cater to specific needs to improve our processes and products. In particular, we may contract specialized external personnel for the development and configuration of systems. For this purpose, select personal data, such as user activity logs, might be made available. Furthermore, we engage freelancers for support in customer care. Select personal data might be made available, such as customer contact and support data or user contact data. Patient data is not transferred at any time.
Appropriate data protection safeguards are ensured by working with freelancers within the EEA and by basing the data transfer on the standard contractual clauses by the European Commission in case of transfer to third countries.
4. Automated Decision-Making or Profiling
No automated decision making, including profiling, takes place.
5. Data Subject Rights
You have the right:
- In accordance with Art. 3 Para. 3 GDPR, to withdraw your once-given consent to us at any time. As a consequence, we may no longer continue the data processing that was based on this consent in the future;
- In accordance with Art. 15 GDPR, to access information about your personal data processed by us. In particular, you may access information as to the purposes of the processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the envisaged storage period, the existence of a right of rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data, if not collected from us, and the existence of automated decision making including profiling and, where applicable, meaningful information on the details of the data;
- In accordance with Art. 16 GDPR, to demand the rectification of incorrect or incomplete personal data stored by us without undue delay;
- In accordance with Art. 17 GDPR, to demand the erasure of your personal data stored with us, unless the processing is necessary to exercise the right to freedom of expression and information, to perform a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- In accordance with Art. 21 GDPR, to demand the restriction of the processing of your personal data, if the accuracy of the data is contested by you, if the processing is unlawful, but you refuse to delete it, and we no longer require the data, but you require it for the establishment, exercise or defense of legal claims or you have lodged a complaint to the processing pursuant to Art. 6 GDPR;
- In accordance with Art. 20 GDPR, to receive your personal data that you have provided us in a structured, commonly used, and machine-readable format or to request that it be transferred to another controller; and
- In accordance with Art. 77 GDPR, to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or work or at our company headquarters for this purpose.
6. Information about your right to object according to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Art. 6 (1) p. 1 lit. f GDPR (data processing on the basis of a balance of interests); this shall also apply to profiling within the meaning of Art. 4 No. 4 GDPR based on this provision.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or the processing serves the purpose of asserting, exercising, or defending legal claims.
If your objection is directed against the processing of data for the purpose of direct marketing, we will immediately stop the processing. In this case, it is not necessary to specify a particular situation. This also applies to profiling insofar as it is associated with such direct advertising.
If you wish to exercise your right to object, simply send an e-mail to privacy@roclub.com.
7. Data Security
All data transmitted by you personally will be encrypted using the commonly used and secure standard TLS (Transport Layer Security). TLS is a secure and proven standard that is also used in online banking, for example. Among other things, you can recognize a secure TLS connection by the appended "s" to http (i.e., https:// .. ) in your browser's address bar or by the lock icon at the bottom of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
8. Actuality and Change of This Privacy Policy
Due to the further development of our offers or due to changed legal or official requirements, it may become necessary to change this data protection declaration. The current privacy policy can be accessed at any time at https://knowledgebase.roclub.io.