PRIVACY POLICY (ART. 13 GDPR)

The protection of your personal data is a particularly important and high concern for us. With the following privacy policy, we try to explain our data protection provisions to you in an understandable way and, above all, to inform you about your rights as a data subject.

I. Controller according to Art. 4 No. 7 GDPR

For the processing of personal data within the meaning of the European General Data Protection Regulation (hereinafter: GDPR) as well as other national data protection laws and provisions, the responsible party is

2Spicy Entertainment GmbH
Borsigstraße 15,
65205 Wiesbaden,
Germany
Phone: +49 0619 0808 9370
Email: [email protected]

II. Terminology

For the definition of the following terms "data processing", "processing", "processing of data", the definitions of Art. 4 GDPR are used as a basis.

III. Data processing in general

1. Scope of data processing

The processing of personal data generally only takes place to enable the provision of a functional website, the display of content, and the provision of our services. Data processing usually only takes place after obtaining the user's consent. Consent is not obtained if this is not possible for factual reasons and/or the processing of data is permitted by legal regulations and is therefore lawful even without the prior consent of the data subject, or if the data processing is justified by our legitimate interests according to Art. 6 para. 1 sentence 1 lit. f GDPR.

2. Relevant legal bases for the processing of personal data

Unless otherwise stated, the relevant legal bases for the processing of personal data are the following:
Consent, Art. 6 para. 1 sentence 1 lit. a GDPR,
if we have obtained the consent of the data subject, Art. 6 para. 1 sentence 1 lit. a GDPR is the legal basis for the processing of their personal data,
Performance of a contract and pre-contractual measures, Art. 6 para. 1 sentence 1 lit. b GDPR,
if personal data must be processed for pre-contractual measures relating to the data subject or for the performance of a contract with the data subject, Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis for data processing,
Compliance with legal obligations, Art. 6 para. 1 sentence 1 lit. c GDPR,
if the processing of data is necessary for compliance with legal obligations to which we are subject, Art. 6 lit. c GDPR is the legal basis,
Legitimate interest, Art. 6 para. 1 sentence 1 lit. f GDPR,
if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, then Art. 6 para. 1 sentence 1 lit. f GDPR is the legal basis for data processing.

3. Disclosure of personal data to third parties

In order to offer our services and to continuously improve them, personal data is also transmitted to other companies and, if necessary, disclosed to them. This includes companies entrusted with IT tasks, which are responsible, for example, for hosting the website or payment institutions that handle payment processing. We also use other services and products from other companies, for example, to ensure that no fraudulent registrations occur. In any case, we comply with the legal requirements and conclude data processing agreements with the respective companies in accordance with Art. 28 GDPR. If there is joint responsibility, we will ensure through so-called joint controller agreements in accordance with Art. 26 GDPR that the third-party company complies with the provisions of data protection law.

4. Data processing in third countries

When using the companies mentioned under 5.1., it may happen that personal data is transferred to a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) and processed there. In such a case, this only occurs in accordance with legal requirements.

We only allow personal data to be processed in third countries with a recognized level of data protection. These are only third countries that belong to the "Privacy Shield" certified US processors, or are processed on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

5. Data deletion and storage duration

Personal data will be deleted as soon as the purpose of storage no longer applies. In addition, storage may occur if we are legally obliged to do so. Deletion or blocking of data also occurs when a statutory storage period exists. This does not apply if the storage of the data is necessary for the conclusion and/or performance of a contract with the data subject.

IV. Specifics regarding the provision of this website

1. SSL / TLS encryption

Our site uses SSL encryption for security reasons, especially to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize SSL encryption by the fact that "https://" appears at the beginning of your browser's address bar and, in addition, a lock symbol appears in the browser bar. With SSL encryption, third parties generally cannot read data during transmission.

2. Server log files

Our website is hosted by Amazon LCC.
When you visit our website, our system automatically collects information from the computer system of the calling computer. The following data is collected here:
We only store anonymized IP addresses of website visitors.
At the web server level, this is done by storing an IP address such as 123.123.123.XXX in the log file by default instead of the visitor's actual IP address, e.g., 123.123.123.123, where XXX is a random value between 1 and 254. It is no longer possible to establish a personal reference.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
Storage in log files is done to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
Our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR also lies in these purposes.
Backups are kept for 14 days in encrypted form.
The legal basis for this temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. Cookies

Cookies must be used to display and use our website. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. As soon as a user calls up our site, a cookie can be stored on this user's operating system. This cookie contains an individual character string that enables unique identification of the user's browser when the website is called up again.
We do not currently use cookies on our website.

4. Contact options

You can contact us via the email address and telephone number provided in the imprint.
The legal basis for processing data transmitted in the course of sending an email is Art. 6 para. 1 sentence 1 lit. f GDPR. If the email aims at concluding a contract with us, an additional legal basis for processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
The processing of the data that you provide to us by contacting us by email serves solely to record your request and to contact you.
The data transmitted via the contact form's input mask, as well as through contact by email, will be deleted after the purpose of their processing has been achieved. This is the case when the conversation between the data subject and us has finally ended. The conversation is ended when it is clear from the circumstances that the matter has been finally clarified.
In the case of contact by email, the data subject can object to the storage of their personal data at any time. In such a case, however, we cannot continue the conversation with the data subject.
The revocation can be declared in text form, e.g., by email, but also orally or by telephone.
All personal data stored in the course of contacting us will be irrevocably deleted in this case.

5. Services used, service providers and plugins

Google Fonts: We integrate the fonts (called "Google Fonts" in this privacy policy) of the provider Google, whereby user data is used solely for the purpose of displaying the fonts in the user's browser. The integration is based on our legitimate interests in a technically secure, maintenance-free and efficient use of fonts, their uniform display, and taking into account possible licensing restrictions for their integration.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, Website: https://fonts.google.com/
Privacy policy: https://policies.google.com/privacy; Privacy Shield (guarantee of data protection level when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

V. Your rights

1. Right of access

You have the right to know whether personal data concerning you is being processed. If this is the case, you have the right to access information about the personal data and about...

2. Right to rectification

You have a right to rectification and/or completion against us as the data controller if the personal data processed by us concerning you is incorrect or incomplete. We must carry out the rectification without delay upon request.

3. Right to erasure ("Right to be forgotten")

You have the right to request that we delete the personal data concerning you without undue delay, and we are obliged to delete this data without undue delay if one of the following reasons applies:
If the controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not exist to the extent that processing is necessary...

4. Right to restriction of processing

You have the right to request from us as the data controller the restriction of the processing of your personal data if one of the following conditions is met:
– You have contested the accuracy of your personal data. For the period enabling us to verify the accuracy of the contested personal data, processing of your personal data will be blocked.
– The processing of the personal data proves to be unlawful and you as the data subject oppose the erasure of the personal data and request the restriction of their use instead.
– We, as the controller of the personal data, no longer need them for the purposes of processing, but you as the data subject require them for the establishment, exercise or defense of legal claims.
– You as the data subject have objected to processing pursuant to Article 21(1) GDPR. Pending the verification whether the legitimate grounds of the controller override those of the data subject, processing of the personal data will be blocked.

5. Right to information

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(1) the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons must not be adversely affected by this.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves for the establishment, exercise or defense of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in the context of the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8. Right to withdraw data protection consent declaration

You have the right to withdraw your data protection consent declaration at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
With regard to the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.