initiation
With the following information, we would like to give you an overview of the processing of your personal data on our website https://getmy.anybill.de (hereinafter referred to as “website”). We would also like to inform you about your rights under data protection laws. We always process your personal data in accordance with the General Data Protection Regulation (hereinafter referred to as “GDPR”) and all applicable country-specific data protection regulations.
Table of contents
1. Responsible person
2. Data Protection Officer
3. Provision of the website
4. Digital retrieval of a cash receipt
5. Use of third-party services
6. Sharing the email address with retailers
7. Joint responsibility
8. Your rights
9. Timeliness and changes to the privacy policy
1. Responsible person
Responsible person within the meaning of the GDPR is:
anybill GmbH
Franz-Mayer-Strasse 1
93053 Regensburg
email: datenschutz@anybill.de
https://anybill.de/imprint
2. Data Protection Officer
You can contact our data protection officer as follows:
Kertos GmbH
DPO: Dr. Kilian Schmidt
Address: Klosterhofstraße 6, 80331 München
email: dsb@kertos.io
You can contact our data protection officer directly at any time if you have any questions or suggestions regarding data protection and to exercise your rights.
3. Provision of the website
3.1 General information
When using our website for informational purposes only, we only collect data that your browser transmits to our server (in so-called “server log files”). Each time a page is accessed, our server collects a range of general data and information. This general data and information is stored in the server's log files. The following information is collected:
• User Agent
• URL
• Time of server request
• IP address
3.2 Purpose of processing
When using this general data and information, we do not draw any conclusions about you personally. The purposes we pursue include in particular:
• ensuring a smooth connection to the website,
• ensuring convenient use of our website,
• clarifying acts of abuse or fraud,
• network problem analyses,
• evaluation of system security and stability, and
• other administrative purposes.
3.3 Legal basis
The legal basis for data processing is our legitimate interest within the meaning of Article 6 (1) (f) GDPR. We have a legitimate interest in being able to offer our offer in a technically flawless manner.
3.4 Storage period
For security reasons (e.g. to clarify abusive or fraudulent acts), the log files are stored for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes will be kept until the matter is finally resolved.
4. Digital retrieval of a cash receipt
4.1 General information
You have the option of retrieving a digital receipt on our website. For this purpose, we collect all information that we must provide to you in order to comply with our obligation to issue receipts. Instead of a paper receipt, these data categories are made available on our website in the form of a digital document. You can use a QR code to receive the receipt as a PDF, send it to your email address or add it to a supported app. In addition, we process the document data to improve our products and services. Based on pure documentary data, we are unable to establish a personal reference within the meaning of the GDPR. The document data includes:
• Retailer's company name
• Dealer address
• Purchased items
• Number of items
• Item price
• Tax rates per item
• discount on one item
• Total shopping cart
• Tax rates with amount
• discount on the total purchase
• Redeemed coupons
• Coupons issued
If you have paid for your purchase electronically, the following data will also be collected:
• The “Primary Account Number” (PAN) of your credit card or debit card in masked form
• Card expiration date
• Card sequence number
• Payment date
If you send the receipt to your email address, we will also process your email address.
4.2 Purpose of processing
The purpose of processing is to provide a digital cash receipt.
4.3 Legal basis
According to Article 6 (1) (b) GDPR, the legal basis for processing your personal data is the fulfilment of the contract and implementation of pre-contractual measures as well as our legitimate interest in accordance with Article 6 (1) (f) GDPR. We have a legitimate interest in being able to offer our offer in a technically flawless manner and to improve our products and services.
4.4 Storage period
In principle, we store your personal data until the purpose of processing no longer applies. Please note that personal data about you as part of merchant payment documents, which are created by the merchant's payment service provider at the cash register when making a card payment, must be stored for 10 years due to legal requirements of the Han-Dels Code and the Tax Code.
5. Deposit of bank or credit card for digital receipt
5.1 General information
You have the option of receiving your receipt without scanning the QR code on the customer display of the cash register system by depositing your bank card or credit card with cooperating retailers and receiving your receipt directly to your e-mail address when paying with the stored card. This is a voluntary option to receive your digital cash receipt.
To register or deposit your card with the respective merchant for the first time, the last 4 digits of your bank card/credit card and your e-mail address are required.
After registration, the hash value of your transaction data (in particular Primary Account Number (PAN)) of the stored card is saved for each document and linked to your email. In this case, we receive the PAN from the payment service provider of the cooperating merchant. This data is used to assign the documents to the email so that we can send you your receipt.
5.2 Purpose of processing
The purpose of processing is to provide a digital cash receipt.
5.3 Legal basis
According to Article 6 (1) (b) GDPR, the legal basis for processing your personal data is contract fulfilment.
5.4 Storage period
In principle, we store your personal data until the purpose of processing no longer applies. Please note that personal data about you as part of merchant payment documents, which are created by the merchant's payment service provider at the cash register when making a card payment, must be stored for 10 years due to legal requirements of the Han-Dels Code and the Tax Code.
6. Use of third-party services
We use third-party services on our website. In doing so, we transfer data to third countries. These are countries outside the European Union. We only transfer data to third countries that have an adequate level of data protection or appropriate guarantees in accordance with Art. 44-49 GDPR. You have the right to request a copy of the appropriate guarantees we have made.
6.1 Microsoft Azure
We use Microsoft Azure.
Provider: Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
Purpose: Storage of digital cash receipts and provision of the web service.
Legal basis: Legitimate interests in accordance with Article 6 (1) (f) GDPR. The legitimate interest corresponds to our purpose of processing.
Storage period: We delete your personal data as soon as it is no longer required to achieve the purpose of collection.
Third-country transfer: Data is transferred to the USA. We have concluded standard data protection clauses from the European Commission with Microsoft. Microsoft has also implemented additional protective measures.
6.2 Datadog
We use Datadog.
Provider: Data Dog Inc., 620 8th Avenue, Floor 45, New York, NY 10018, USA
Purpose: Enabling technical logging on the website
Legal basis: Legitimate interests in accordance with Article 6 (1) (f) GDPR. The legitimate interest is the proper provision of our website.
Storage period: We delete your personal data as soon as it is no longer required to achieve the purpose of collection. For the purpose of providing the services, this is the case when the respective session has ended.
Third-country transfer: Data is transferred to the USA. We have concluded standard data protection clauses from the European Commission with Datadog. More information about Datadog's associated Transfer Impact Assessment can be found here. More information about Datadog's privacy policy can be found here.
7. Sharing the email address with retailers
7.1 General information
When you receive your receipt via the website, you have the option of signing up for e-mail communication with a retailer or anybill (e.g. newsletter). Personal data (e.g. name, gender or date of birth) and contact details (e.g. e-mail address) are affected as personal data in this process. As soon as you opt for email communication with a merchant or anybill, anybill processes, stores and makes the data available to the merchant in accordance with data protection guidelines. In addition, the retailer's privacy policy applies.
7.2 Purpose of processing
The purpose of processing is to use the personal and contact details of anybill or the merchant to contact you for personalized advertising.
7.3 Legal basis
The legal basis for data processing is your consent within the meaning of Article 6 (1) (a) GDPR. This can be issued as part of a checkbox below the email address entered on the website after receipt of the digital receipt.
7.4 Storage period
In principle, we store your personal data until the purpose of processing no longer applies. In the case of newsletters, this is the case if you withdraw your consent to the processing of personal data to receive newsletters from individual retailers, e.g. by opting out. In the event of a withdrawal, retailers are instructed to delete their email address.
8. Joint responsibility
Insofar as we are joint controllers with other companies in the context of providing a digital cash receipt in accordance with Article 26 of the GDPR, we jointly determine the purposes and means of data processing for the following processing operations:
• 4. Digital retrieval of a cash receipt
As part of joint responsibility, you can assert your rights as a person concerned (9th rights) both against us and against the respective other company. You can find out whether we are jointly responsible with a specific company in the data protection notices as part of the corresponding collaboration (e.g. in the privacy policy of an app that we offer together with another company).
9. Your rights
9.1 Right to confirmation
You have the right to request confirmation from us as to whether personal data concerning you is being processed.
9.2 Information (Art. 15 GDPR)
You have the right to receive information from us at any time, free of charge, about the personal data stored about you and a copy of this data in accordance with legal provisions.
9.3 Correction (Art. 16 GDPR)
You have the right to request that incorrect personal data concerning you be corrected. You also have the right to request the completion of incomplete personal data, taking into account the purposes of processing.
9.4 Deletion (Article 17 GDPR)
You have the right to request that we delete personal data concerning you immediately if one of the reasons provided for by law applies and insofar as processing or storage is not necessary.
9.5 Restriction of processing (Art. 18 GDPR)
You have the right to ask us to restrict processing if one of the legal requirements is met.
9.6 Data portability (Article 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. You also have the right to transfer this data to another person responsible without notice from us to whom the personal data has been provided, provided that the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR and the processing is carried out using automated procedures, provided that the processing is not for the performance of a task is necessary that is in the public interest or in the exercise of public interest Violence takes place that has been given to us.
In addition, when exercising your right to data portability in accordance with Article 20 (1) GDPR, you have the right to have the personal data transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.
9.7 Objection (Article 21 GDPR)
For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you based on data processing in the public interest in accordance with Article 6 (1) (e) GDPR or on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR.
This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.
If you file an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
In individual cases, we process personal data for direct marketing purposes. You can object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling insofar as it is associated with such direct advertising. If you object to us processing for direct marketing purposes, we will no longer process the personal data for these purposes.
In addition, you have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you carried out by us for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, unless such processing is necessary to perform a task in the public interest.
9.8 Withdrawal of consent under data protection law
You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
9.9 Complaint to a supervisory authority
You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.
10. Timeliness and changes to the privacy policy
This privacy policy is currently valid and is as of July 2024.
If we continue to develop our website and offers or legal or regulatory requirements change, it may be necessary to change this privacy policy. You can access the latest privacy policy here at any time.