
# Website Privacy Policy getmy.anybill.de

## Introduction

The following information is intended to give you an overview of the processing of your personal data on our website https://getmy.anybill.de (hereinafter referred to as "website"). We also want to inform you about your rights under the data protection laws. The processing of your personal data by us is always in accordance with the General Data Protection Regulation (hereinafter referred to as "GDPR") and all applicable country-specific data protection regulations.

## Table of contents

1. Responsibility
2. Data Protection Officer
3. Provision of the Website
4. Digital retrieval of a cash receipt
5. Depositing a bank or credit card for digital receipt storage
6. Use of third party services
7. Passing on the e-mail address to merchants
8. Joint controllers
9. Your rights
10. Up-to-dateness and changes of the data protection notice

## 1. Responsibility

Responsible in the sense of the GDPR is:

techreach GmbH
Franz-Mayer-Straße 1
93053 Regensburg

Phone: +49 941 7508 9008
E-Mail: datenschutz@anybill.de  
https://anybill.de/imprint

## 2. Data Protection Officer

You can reach our data protection officer as follows:

Niklas Hanitsch
secjur GmbH
Steinhöft 9
20459 Hamburg

Phone: +49 40 228 599 520
E-mail: dsb@secjur.com

You can contact our data protection officer directly at any time with all questions and suggestions regarding data protection and the exercise of your rights.

## 3. Provision of the Website

### General information

When using our website for informational purposes only, we only collect data that your browser transmits to our server (in so-called "server log files"). Our server collects a series of general data and information with each page request. This general data and information is stored in the server log files. The following information is collected:

- User Agent
- URL
- Time of the server request
- IP address

### Purpose of the processing

When using this general data and information, we do not draw any conclusions about your person. The purposes pursued by us include in particular:

- the guarantee of a smooth connection set-up of the website,
- the guarantee of a comfortable use of our website,
- the clarification of acts of abuse or fraud,
- problem analyses in the network,
- the evaluation of system security and stability, and
- other administrative purposes

### Legal basis

The legal basis for data processing is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our service in a technically flawless manner.

### Storage period

The log files are stored for security reasons (e.g. for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further retention is required for evidentiary purposes will be retained until the matter has been finally clarified.

## 4. Digital retrieval of a cash receipt

### General information

You have the option to retrieve a digital receipt on our site. For this purpose, we collect all the information that we need to provide to you in order to fulfill our obligation to issue receipts. Instead of a paper receipt, these data categories are made available in the form of a digital receipt on our site. You have the option of using a QR code to receive the receipt as a PDF, send it to your email address or add it to a supported app. In addition, we process the receipt data to improve our products and services. On the basis of the pure receipt data, we are not able to establish a personal reference in the sense of the GDPR. The cash receipt data include:

- Company information of the merchant
- Address of the merchant
- Purchased articles
- Quantity of the articles
- Price of the article
- Tax rates per article
- Discount on an article
- Total of the shopping cart
- Tax rates with amount
- Discount on the sum of the purchase
- Redeemed coupons
- Issued coupons

If you paid for your purchase electronically, the following data is also processed:

- The "Primary Account Number" (PAN) of your credit card or debit card in masked form
- Card expiration date
- Card sequence number
- Date of payment

If you send the receipt to your e-mail address, we also process your e-mail address.

### Purpose of the processing

The purpose of the processing is to provide a digital cash receipt.

### Legal basis

The legal basis for the processing of your personal data is the fulfillment of the contract and the implementation of pre-contractual measures according to Art. 6 (1) (b) GDPR as well as our legitimate interest according to Art. 6 (1) (f) GDPR. We have a legitimate interest in being able to offer our services in a technically flawless manner and to improve our products and services.

### Storage period

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. Please note that your personal data in the context of merchant payment receipts, which are created by the payment service provider of the merchant at the checkout in case of a card payment, must be stored for 10 years due to legal requirements of the German Commercial Code and the German Fiscal Code.

## 5. Depositing a bank or credit card for digital receipt storage

### General information

You have the option of receiving your receipt without scanning the QR code on the customer display of the checkout system by depositing your bank card or credit card with cooperating retailers and receiving your receipt directly to your e-mail address when paying with the deposited card. This is a voluntary option for receiving your digital receipt.

The last 4 digits of your bank card/credit card and your e-mail address are required to register or to deposit your card with the respective merchant for the first time.

After registration, the hash value of your transaction data (in particular Primary Account Number (PAN)) of the deposited card is saved with each receipt and linked to your e-mail. We receive the PAN from the payment service provider of the cooperating merchant. This data is used to allocate the receipts to the e-mail in order to be able to send you your receipt.

### Purpose of the processing

The purpose of the processing is to provide you with a digital receipt.

### Legal basis

The legal basis for the processing of your personal data is the fulfilment of the contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

### Storage period

We generally store your personal data until the purpose of the processing no longer applies. Please note that your personal data in the context of merchant payment receipts, which are created by the merchant's payment service provider at the checkout when a card payment is made, must be stored for 10 years due to legal requirements of the German Commercial Code and the German Fiscal Code.

## 6. Use of third party services

We use third-party services on our website. In doing so, we transmit data to third countries. These are countries outside the European Union. We only transfer data to third countries in which there is an adequate level of data protection or for which appropriate guarantees as defined in Art. 44-49 GDPR are in place. You have the right to request a copy of the appropriate safeguards we have put in place.

### Microsoft Azure

We use Microsoft Azure.

Provider: Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
Purpose: Storage of digital cash receipts and provision of the web service.
Legal basis: Legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interest corresponds to our purpose of processing.
Storage period: We delete your personal data as soon as they are no longer necessary to achieve the purpose of collection.
Third country transfer: Data is transferred to the US. We have concluded standard contractual clauses of the European Commission with Microsoft. Furthermore, Microsoft has implemented additional protective measures.

### Datadog

We use Datadog.

Provider: Datadog, Inc., 620 8th Avenue, Floor 45, New York, NY 10018, USA
Purpose: Enabling technical logging on the website
Legal basis: Legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interest is the proper provision of our website.
Storage period: We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. For the purpose of providing the services, this is the case when the respective session has ended.
Third country transfer: Data is transferred to the US. We have concluded standard data protection clauses of the European Commission with Datadog. You can find more information about Datadog's associated Transfer Impact Assessment here. More information on Datadog's privacy policy can be found here.

## 7. Passing on the e-mail address to merchants

### General information

You have the option of registering for e-mail communication with a retailer (e.g. newsletter) when you receive your receipt via the website. The data involved in this process comprises personal details (e.g. name, gender or date of birth) and contact details (e.g. e-mail address). As soon as you decide in favour of e-mail communication with a retailer and consent to the processing, the data protection information of the respective retailer applies.

### Purpose of the processing

The purpose of the processing is the transfer of personal and contact data to the merchants for the delivery of a newsletter.

### Legal basis

The legal basis for the data processing is your consent within the meaning of Art. 6 (1) (a) GDPR. This consent can be given by clicking a checkbox below the entry of the e-mail address on the website after receiving the digital receipt.

### Storage period

We generally store your personal data until the purpose of the processing no longer applies. In the case of newsletters, this is the case if you revoke your consent to the processing of personal data to receive newsletters from individual retailers, e.g. by opting out. The retailers are instructed to delete your e-mail address in the event of cancellation.

## 8. Joint controllers

Insofar as we are joint controllers pursuant to Art. 26 GDPR with other companies within the scope of the provision of a digital cash receipt, we jointly determine the purposes and means of data processing for the following processing operations:

- 4. Digital retrieval of a cash receipt

Within the scope of joint responsibility, you can assert your rights as a data subject (9. Your rights) both against us and against the respective other company. You can find out whether we are jointly responsible with a particular company in the data protection notices in the context of the relevant cooperation (e.g. in the privacy policy of an app that we offer jointly with another company).

## 9. Your rights

### Right to confirmation

You have the right to request confirmation from us as to whether personal data relating to you is being processed.

### Information (Art. 15 GDPR)

You have the right to receive information from us at any time and free of charge about the personal data stored about you as well as a copy of this data in accordance with the statutory provisions.

### Rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, taking into account the purposes of the processing.

### Erasure (Art. 17 GDPR)

You have the right to demand that we erase the personal data concerning you without delay if one of the reasons provided for by law applies and insofar as the processing or storage is not necessary.

### Restriction of processing (Art. 18 GDPR)

You have the right to demand that we restrict processing if one of the legal requirements is met.

### Data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. Furthermore, you have the right to transfer this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

In addition, when exercising your right to data portability pursuant to Article 20 (1) GDPR, you have the right to have the personal data transferred directly from one controller to another controller, insofar as this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.

### Objection (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of data processing in the public interest pursuant to Article 6 (1) (e) GDPR or on the basis of our legitimate interest pursuant to Article 6 (1) (f) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

In individual cases, we process personal data in order to carry out direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.

### Revocation of consent under data protection law

You have the right to revoke your consent to the processing of personal data at any time with effect for the future.

### Complaint to a supervisory authority

You have the right to complain about our processing of personal data to a supervisory authority responsible for data protection.

## 10. Up-to-dateness and changes of the data protection notice

This data protection notice is currently valid and has the following status: January 2024.

If we continue to develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information at any time here.