Privacy Policy

‍

This Privacy Policy informs you about the processing of personal data and the access to and storage of information on your device when using ThankU for Business (hereinafter referred to as the “Platform”), accessible at www.thanku.business.

‍

1. Data Controller and Contact Information

‍

The data controller responsible for processing your personal data when you visit and use the Platform, in accordance with the General Data Protection Regulation (GDPR), is:

‍

In The Now GmbH (hereinafter also referred to as “ITN”) 

Willibald-Alexis-Str. 3, 10965 Berlin  

HRB 197549 B (Berlin-Charlottenburg)  

Managing Director: Lukasz Belza  

Email: info@thanku.business  

Website: www.thanku.business  

‍

For any questions regarding data privacy in connection with our services on the Platform, you may contact us at any time. Please refrain from including sensitive information, such as a copy of your ID, with your inquiry.

‍

2. Data Processing on Our Platform

‍

We log your usage of our Platform, such as when you access Platform features. We use device and browser information, IP addresses, and interactions with content and functionalities on the Platform for the following purposes:

‍

• Ensuring Platform Functionality and Security: We use the logged data to ensure the proper functioning of our services, to prevent unauthorized access, and to detect potential security threats.
• Optimizing User Experience: We analyze usage data to improve the user interface, functionalities, and content of the Platform continuously.

‍

The legal basis for this processing is Article 6(1)(b) of the GDPR, as far as the data is necessary to fulfill a contract. Additionally, the legal basis is Article 6(1)(f) of the GDPR, reflecting our legitimate interest in offering you customized services.

‍

3. Use of Tools on the Platform

‍

3.1. Technologies Utilized

‍

The Platform utilizes various services and applications (collectively referred to as “Tools”), either provided by us or third parties. These include Tools that use technology to store information on your device or access information stored on it, including:

‍

• Cookies: Information stored on your device, typically consisting of a name, a value, the storing domain, and an expiration date. Session cookies (e.g., PHPSESSID) are deleted after the session, while persistent cookies are deleted after the set expiration date. Cookies can also be removed manually.

‍

• Web Storage (Local Storage / Session Storage)**: Information stored on your device, consisting of a name and a value. Information in Session Storage is deleted after the session, while information in Local Storage does not have an expiration date and remains stored unless a deletion mechanism is in place (e.g., storing Local Storage with a time entry). Data in Local and Session Storage can also be removed manually.

‍

• JavaScript: Embedded or called programming codes (scripts) on the website, which may set cookies and Web Storage or actively gather information from the device or on user behavior. JavaScript may potentially be used for “active fingerprinting” and creating user profiles. JavaScript can be blocked in browser settings, though many services may no longer function as a result.

‍

Through these technologies, and also through merely establishing a connection to a webpage, “fingerprints” can be created - user profiles that may identify returning visitors without the use of cookies or Web Storage. Fingerprints created due to connection setup cannot be fully prevented manually.

‍

Most browsers are set by default to accept cookies, execute scripts, and display graphics. However, you can typically adjust your browser settings to reject all or certain cookies, block scripts, or block graphics. If you fully block cookies, graphics, and scripts, our services may not function or may not function without issues.

‍

3.2. Legal Basis and Right to Withdraw Consent

‍

3.2.1. Legal Basis

‍

We use tools necessary for the operation of our platform based on our legitimate interests pursuant to Article 6(1)(f) of the GDPR, to provide the core functionalities of our platform. In specific cases, these tools may also be necessary for fulfilling a contract or for carrying out pre-contractual measures, in which case the processing is conducted pursuant to Article 6(1)(b) of the GDPR. Access to and storage of information on the end device in these cases are essential and conducted based on the implementation laws of the EU ePrivacy Directive in Member States, such as Section 25(2) of the TTDSG in Germany. 

All other non-essential (optional) tools that provide additional features are used based on your consent under Article 6(1)(a) of the GDPR. Access to and storage of information on the end device is then carried out based on the implementation laws of the EU ePrivacy Directive in Member States, such as Section 25(1) of the TTDSG in Germany. Processing of data using these tools only occurs if we have obtained your prior consent.

If any personal data is transferred to third countries, we refer you to Section 6 (“Data Transfers to Third Countries”), which provides information regarding any potential risks associated with such transfers. We will inform you if an adequacy decision exists for the relevant third country or if standard contractual clauses or other safeguards have been put in place for specific tools. If you have consented to the use of certain tools and the accompanying transfer of your personal data to third countries, we transfer the data processed through these tools to third countries based on this consent under Article 49(1)(a) of the GDPR.

‍

3.2.2. Right to Withdraw Consent or Change Your Selections

‍

You may withdraw your consent for certain tools, specifically regarding the storage and access to information on the end device, the processing of your personal data, and the transfer of your data to third countries, at any time with future effect. To do so, please click on the following link:

Cookie Settings

Here, you may also modify your selection of tools for which you wish to give consent, as well as obtain additional information on the tools in use. Alternatively, you may withdraw consent for specific tools directly from the provider.

‍

3.2.3. Necessary Tools

‍

We use certain tools to enable the core functionalities of our platform ("necessary tools"). These include, for example, tools for preparing and displaying platform content. Without these tools, we would be unable to provide our services. Therefore, necessary tools are used without requiring consent.

The legal basis for necessary tools is the requirement to fulfill our legitimate interests pursuant to Article 6(1)(f) of the GDPR in providing the relevant core functions and operating our platform. In cases where the provision of these functions is required to fulfill a contract or to carry out pre-contractual measures, the legal basis for data processing is Article 6(1)(b) of the GDPR. Access to and storage of information on the end device is essential in these cases and is carried out based on the implementation laws of the EU ePrivacy Directive in Member States, such as Section 25(2) of the TTDSG in Germany.

If personal data is transferred to third countries, we refer, in addition to the information below, to Section 6 ("Data Transfers to Third Countries").

‍

The legal basis for necessary tools is the requirement to fulfill our legitimate interests pursuant to Article 6(1)(f) of the GDPR in providing the relevant core functions and operating our platform. In cases where the provision of these functions is required to fulfill a contract or to carry out pre-contractual measures, the legal basis for data processing is Article 6(1)(b) of the GDPR. Access to and storage of information on the end device is essential in these cases and is carried out based on the implementation laws of the EU ePrivacy Directive in Member States, such as Section 25(2) of the TTDSG in Germany.

If personal data is transferred to third countries, we refer, in addition to the information below, to Section 6 ("Data Transfers to Third Countries").

‍

3.2.4. Proprietary Tools

‍

We use proprietary necessary tools that access or store information on the end device, particularly for

• load balancing, and
• saving your language preferences.

‍

3.2.5. Functional Tools

‍

We use optional tools to enhance the user experience on our platform and offer additional features ("Functional Tools"). While these tools are not strictly necessary for the core functionality of the website, they provide users with benefits, particularly in terms of usability.

The legal basis for using Functional Tools is your consent in accordance with Article 6(1)(a) of the GDPR. Access to and storage of information on your device occurs under the implementation laws of the EU ePrivacy Directive in Member States, such as Section 25(1) of the TTDSG in Germany. For information on withdrawing your consent, see Section 3.2.2: “Withdrawal of Consent or Changes to Your Selection.

If any personal data is transferred to third countries, we also refer you to Section 6 (“Data Transfers to Third Countries”) for further information.

‍

4. ThankU Shopify App

‍

We offer operators of Shopify stores the ability to thank their customers in an environmentally friendly manner through the ThankU Shopify App. With this app, Shopify stores can deliver a widget to customers upon checkout completion, allowing the store to communicate a specific environmental impact (such as tree planting, wildlife protection, or ocean plastic removal) as a gesture of appreciation for the purchase.

The ThankU Shopify App collects, processes, and stores the following data:

• Shop Data: some text
  • shopify_domain
  • shopify_token (access scopes)
• Order Data:some text
  • order ID
  • total price (order total sum)
  • checkout token (checkout ID)
  • language (checkout language)
• Charge Data:some text
  • usage record ID
• ThankU Account Data:some text
  •  ThankU account email address
  •  account nickname
  •  account slug

No personal data of end customers of the Shopify stores is collected, processed, or stored by us.

Data processed within the ThankU Shopify App is only shared with third parties if necessary to fulfill contractual obligations.

Data processed through the ThankU Shopify App is retained only as long as necessary for the purposes of data processing or as required by statutory retention periods, after which it is deleted.

The ThankU Shopify App is accessible via the Shopify App Store. In addition to our Privacy Notice, the privacy policy of Shopify also applies in this context: https://www.shopify.com/legal/privacy

‍

5. Data Sharing

‍

Data we collect is only shared when there is a legal basis for doing so, particularly if:

• You have given explicit consent pursuant to Art. 6(1)(a) GDPR;
• Data sharing is required under Art. 6(1)(f) GDPR for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding interest in the non-disclosure of your data;
• We are legally obligated to share data under Art. 6(1)(c) GDPR, particularly for law enforcement or compliance with legal proceedings in response to official requests or court orders; or
• Disclosure is lawful and required under Art. 6(1)(b) GDPR for processing contractual relationships with you or for pre-contractual measures initiated at your request.

Certain data processing may be carried out by our service providers. Besides those listed in this Privacy Notice, these may include data centers that store our website and databases, software vendors, IT service providers, agencies, research companies, affiliated companies, and consulting firms. Data shared with these providers is strictly for the performance of their duties. These providers are carefully selected, contractually bound by our instructions, have implemented appropriate technical and organizational measures to protect individuals’ rights, and are regularly audited by us.

‍

6. Data Transfers to Third Countries

‍

As described in this Privacy Notice, we use services from providers located in “third countries” (outside the EU/EEA) or that process personal data in such locations, where the data protection level may not match that of the EU. Where there is no adequacy decision by the European Commission for these countries under Art. 45 GDPR, we have taken measures to ensure an adequate data protection level, such as the EU’s standard contractual clauses or binding corporate rules.

Where this is not feasible, we rely on exceptions under Art. 49 GDPR, including your express consent, or if the transfer is necessary for contract performance or pre-contractual measures.

If a third-country data transfer is necessary without an adequacy decision or appropriate safeguards, it is possible that authorities in the third country (e.g., intelligence services) may gain access to and analyze the data, and you may not be able to enforce data subject rights. Information on this risk will be provided when obtaining your consent through the consent banner.

‍

7. Data Retention Period

‍

We store personal data only for as long as necessary to fulfill the purposes for which it was collected. We then delete the data unless needed as evidence under statutory limitation periods, for statutory retention obligations, or due to another lawful basis for continued processing.

To maintain evidence, we retain contract data for three years from the end of the year in which business relations with you end, in line with the statutory limitation period.

For accounting purposes, certain data must be retained due to statutory recordkeeping obligations, which may arise from the Commercial Code, the Tax Code, the Banking Act, the Anti-Money Laundering Act, or the Securities Trading Act. Retention periods range from two to ten years.

‍

8. Your Rights, Including Withdrawal and Objection

‍

You have the following rights under GDPR, subject to applicable legal requirements:

• Right to withdraw consent (Art. 7(3) GDPR);
• Right to object to processing of your personal data (Art. 21 GDPR);
• Right to access your personal data (Art. 15 GDPR);
• Right to correct inaccurate personal data (Art. 16 GDPR);
• Right to erasure of your personal data (Art. 17 GDPR);
• Right to restrict processing of your personal data (Art. 18 GDPR);
• Right to data portability (Art. 20 GDPR).

To exercise these rights, you may contact us using the contact details provided above. If you wish to receive copies of safeguards demonstrating an adequate level of data protection, please let us know. If legal conditions are met, we will process your data privacy requests.

Data privacy requests and our responses will be retained for up to three years for documentation purposes and, if necessary, for assertion, exercise, or defense of legal claims beyond this period. The legal basis is Art. 6(1)(f) GDPR, based on our interest in defending against civil claims, avoiding fines, and fulfilling our accountability obligations under Art. 5(2) GDPR.

You may withdraw consent at any time. The withdrawal applies to future data processing; however, it does not affect the lawfulness of processing based on consent before withdrawal.

If we process your data based on legitimate interests, you may object to such processing at any time for reasons related to your specific situation. If the objection relates to direct marketing, we will honor your objection without requiring any reason.

To exercise your right of withdrawal or objection, simply send an informal message to the above contact details.

You also have the right to lodge a complaint with a supervisory authority, such as the authority in the EU Member State of your residence, place of work, or the location of the alleged violation. In Berlin, where we are based, the competent supervisory authority is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin.

‍

9. Changes to this Privacy Notice

‍

This Privacy Notice may be updated periodically, for example, when our platform is modified or legal or regulatory requirements change.

‍

‍

Version: 2.0 / Updated: September 2024

‍