Treasury Intelligence Solutions GmbH (hereafter: TIS) operates a website with general information on the company and its services. TIS places great importance on the protection of privacy and complies with the applicable data protection regulations. In the following, you will find an explanation of how we handle your personal data.
Please note that TIS website users and visitors can make changes to their consent status at any time by clicking on the below link:
Manage Consent1. Who is responsible for the website?
The responsible party (controller) pursuant to data protection laws, in particular the EU General Data Protection Regulation (GDPR), is
Treasury Intelligence Solutions GmbH
Charlottenstraße 17
10117 Berlin
Phone: +49 6227 69 82 40
E-mail: info@tispayments.com
together with its affiliates Treasury Intelligence Solutions Bulgaria Ltd., Treasury Intelligence Solutions Belgium, Treasury Intelligence Solutions Inc. and Treasury Intelligence Solutions CF Inc.
Treasury Intelligence Solutions GmbH has appointed a data protection officer:
Data protection officer of Treasury Intelligence Solutions GmbH
c/o activeMind.legal Rechtsanwaltsgesellschaft mbH
Potsdamer Straße 3
80802 Munich
Phone: +49 89 91 92 94 900
E-mail: dataprotection@tispayments.com
2. Which processing activities are carried out within our website?
2.1. Provision of the website and collection of general information during a visit to our website
Type and purpose of the processing
When you access our website, i.e. even if you do not register or otherwise submit any information, information of a general nature is automatically collected. This information (server log files) include, for example, the type of web browser and the operating system used, the domain name of your Internet service provider, your IP address and the like.
In particular, these data are processed for the following purposes:
- ensuring a problem-free website connection,
- ensuring seamless use of our website,
- evaluation of system security and stability, and
- optimization of our website.
We do not use these data to draw conclusions about your person. We might statistically analyze them in an anonymized form in order to optimize our website and its underlying technology.
Legal basis and legitimate interest
The processing is carried out pursuant to Art. 6(1)(f) GRPR on the basis of our legitimate interest in improving the stability and functionality of our website.
Data recipients
Recipients of the data may be our technical service providers acting as data processors in the area of operation and maintenance of our website.
In particular, our website is hosted by WPEngine, Inc., and preceded by CloudFlare Content Delivery Network.
Both WPEngine, Inc. and CloudFlare, Inc. are located in the USA and have certified under the EU-U.S. Data Privacy Framework. Transfers of data to them are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data will be deleted as soon as they are no longer required for the purpose for which they were collected. With regard to the data processed with the aim of website provision, this is generally the case after the respective session has ended.
Data stored in log files will be deleted after 30 days at the latest. Storage beyond this period is possible, in which case we will anonymize the IP addresses of the users so that an assignment of the calling client is no longer possible.
Mandatory or required provision
The provision of the aforementioned personal data is neither statutory nor contractually required. However, without the IP address, the service and functionality of our website cannot be guaranteed. Furthermore, individual services may be unavailable or limited. Hence, objection to the aforementioned processing is not possible.
2.2. Contact form
Type and purpose of the processing
On our website, we offer several contact forms, by way of which you can for example send us a query about our products or ask for a personalized demo. The data you enter into the contact form will be used for the purpose of individual communication with you. A valid e-mail address, phone number, your name and your company’s name are required for this communication, e.g. in order to allocate your query internally to the responsible team. Providing additional information is optional.
The integration of the contact form into our website aims at providing you an easy way to contact us. The information you submit will be used to process the inquiry and saved for possible follow-up questions.
Legal basis
If you contact us to request an offer, the processing will occur in order to implement pre-contractual measures (Art. 6(1)(b) GDPR). In other cases, the processing will be based on our legitimate interests in successful communication with customers and prospects (Art. 6(1)(f) GDPR).
Recipients & third-country transfer
Recipients of the data may be our data processors, which are contractually obliged to treat your data confidentially.
In particular, your data may be transferred into the HubSpot CMS provided by our data processor HubSpot, Inc. HubSpot, Inc. is located in the USA and has certified under the EU-U.S. Data Privacy Framework. Transfers of data to it are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
We will delete the data no later than 6 months after processing the inquiry.
If we enter into a contract, the data will be kept as long as required by the statutory retention periods, established for example in the German Commercial Code (Handelsgesetzbuch). We will delete your data according to the respective deadlines.
Mandatory or required provision
The provision of your personal data is voluntary. However, we can only process your inquiry if you provide us your name, e-mail address and the reason for your inquiry.
2.3. Newsletter
Type and purpose of the processing
Your data will only be used to send you the newsletter you have subscribed to by e-mail. Your name is processed in order to be able to address you personally in the newsletter and, if applicable, to identify you if you wish to exercise your rights as a data subject.
In order to verify that a registration is actually made by the respective holder of an e-mail address, we use the “double opt-in” procedure (DOI procedure). This means that you will receive an e-mail after your newsletter registration, in which you must confirm your newsletter registration once again.
Legal basis
The legal basis for this processing activity is your consent, Art. 6(1)(a) GDPR.
Recipients
We use service providers who act as our data processors for the dispatch of newsletters. All service providers are contractually obligated to treat your data confidentially.
In particular, we use HubSpot for the sending of newsletters. The service is provided by HubSpot, which is located in the USA. It is certified under the EU-U.S. Data Privacy Framework. Transfers of data to it are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
Data will only be processed as long as your consent remains valid.
Mandatory or required provision
The provision of your personal data is voluntary, based solely on your consent. Without valid consent, we can unfortunately not send you our newsletter.
Withdrawal of consent
You can withdraw your consent to the storage of your personal data and its use for the newsletter mailing at any time. There is a corresponding link in each newsletter. In addition, the withdrawal can be made via the other contact options provided on the website.
2.4. Webinars and video conferences with Zoom and GoToWebinar
Purpose, legal basis and legitimate interest
To conduct telephone conferences, online meetings, video conferences and webinars, we use video conference tools Zoom and GoToWebinar. Zoom is a service provided by Zoom Video Communications, Inc., while GoToWebinar is offered by LogMeIn, Inc. Both service providers are based in the USA.
You can find more information on the respective data processing under the following links: https://explore.zoom.us/en/trust/privacy/ (Zoom) and https://www.goto.com/de/company/legal/privacy/us / (GoToWebinar).
We use both conference tools based on our legitimate interest in carrying out user-friendly webinars and conferences for the purpose of customer acquisition and marketing (Art. 6(1)(f) GDPR).
Data recipients
The recipient of the data is Zoom Video Communications, Inc., or LogMeIn, Inc., respectively.
Third country transfer
Your data may be transferred to a third country, namely the USA. To protect your data after the transfer, we have concluded standard contractual clauses with both service providers. Please let us know should you want to obtain a copy thereof.
Retention period
Data are generally stored for a maximum period of six months after a webinar has taken place.
Mandatory or required provision
Providing your personal data is voluntary. However, we can only offer a webinar with the associated data processing.
Objection to the processing
Please read the information on your right to object according to Art. 21 GDPR below.
2.5. Job applications
Purpose and legal basis
You can submit your job application to TIS online via our application portal. We process the data you provide to review your application and your suitability for the advertised position, and to carry out the application process and contact you.
The processing occurs in order to establish an employment relationship, and is based on Art. 6(1)(b) GDPR.
Data recipients
Within our company, only the departments which need your data to fulfill their contractual, legal, and supervisory obligations, and to safeguard our legitimate interests, will obtain access to your data.
We use a recruiting software provided by Hi Bob GmbH, Factory Berlin Mitte, Rheinsberger Straße 76/77 10115, Berlin to help us manage the application process and job postings. We have concluded a data processing agreement with the service provider.
Retention period
Should your application be rejected, your data will be deleted as follows:
- EU (except Bulgaria): six months after rejection,
- USA and Bulgaria: two years after rejection.
If your application is successful, the application documents will be saved at least for the duration of your employment at TIS.
Mandatory or required provision
The provision of your personal data is neither legally nor contractually required. However, without the provision of the data, we unfortunately cannot process your application.
2.6. Cookies and comparable technologies
2.6.1 Technically necessary cookies
Type and purpose of the processing
We use technically necessary cookies to make our website more user-friendly and to simplify the use of the website. Some elements of our website require the identification of the calling browser even after a page change. Furthermore, some features of our website cannot be provided without the use of cookies. For these features, it is necessary that the browser be recognized even after a page change.
Furthermore, we also use technically necessary cookies to manage consents. For this purpose, we use the consent tool “Borlabs Cookie” of the provider Borlabs GmbH.
Legal basis and legitimate interest
The setting of technically necessary cookies is based on § 25(2) of the German Telecommunications-Telemedia Data Protection Act (TTDSG). The subsequent processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in a user-friendly design of our website and the management of the cookies and similar technologies used and the related consents.
Data recipients
Recipients of the data may be our technical service providers, who work on the operation and maintenance of our website as data processors.
Mandatory or required provision
The provision of the aforementioned personal data is neither statutory nor contractually required. However, without this data, the service and functionality of our website cannot be guaranteed. Individual services may be unavailable or limited.
Right to object
Please find the information on your right to object to the processing according to Art. 21 GDPR further below.
2.6.2 Technically not necessary cookies, statistics, marketing and comparable tools
Type and purpose of the processing
We also use cookies to better tailor our website to the interests of the website visitors, and to improve our website based on statistical evaluations.
In this section, you will find general information pertaining to all such services. You can find details on the specific tools embedded into our website further below.
Legal basis
The legal basis for these processing activities is your consent according to Art. 6(1)(a) GDPR. Furthermore, consent pursuant to § 25(1) of the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz) is relied upon to place cookies on your device and to access information already stored in your terminal equipment.
Data recipients
Recipients of the data may be our service providers. Further below, you will find the recipients of the data listed separately for each processing activity.
Mandatory or required provision
Of course, you can in principle visit our website without cookies being placed and similar technologies being used. In general, Internet browsers are set to accept cookies. You can disable cookie usage at any time in your browser settings. Please note that individual features of our website may not function if you have deactivated cookie usage.
Withdrawal of consent
You can withdraw your consent at any time via our consent banner.
Profiling
With the help of the tracking tools, the browsing behavior of our website visitors can be evaluated and their respective interests analyzed. For this analysis, we create pseudonymous user profiles.
Google Analytics
Type and purpose of the processing
This website uses Google Analytics, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies which enable us to analyze your usage of our website and to make inferences about user behavior on our website. The information generated by the cookies about your use of this website is transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymization on our website, your IP address will be truncated beforehand by Google within the European Union or in an EEA country. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there. On behalf of TIS, Google will use this information to evaluate your use of the website, summarize reports on website activities and provide other services related to website usage to TIS.
You can find more information on the data processing by Google under the following link: https://policies.google.com/privacy.
Recipients and third country transfer
The data is shared with Google as our processor. To enable this, we have entered into a data processing agreement with Google.
Google processes your data in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data is deleted as soon as you have withdrawn your consent or it is no longer required to achieve the purposes of processing. In principle, the deletion occurs 14 months after the provision of the data.
Withdrawal of consent
You can prevent the storage of cookies by modifying the settings of your browser. However, if you do this, you may not be able to use all functions of this website in their entirety. Furthermore, you can prevent the transmission of the data collected via a cookie and the data related to your use of the website (including your IP address) to Google, and the processing of this data by Google, by downloading and installing the browser plug-in available under the following link: browser add-on to deactivate Google Analytics.
In addition to, or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our web pages by clicking on this link. This will set an opt-out cookie on your device and prevent future data collection by Google Analytics for this website and browser for as long as the cookie remains stored on your device.
In addition to, or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our web pages by through this button.
Google Audiences (Google Remarketing)
Type and purpose of the processing
This website uses the remarketing function of Google LLC. The operating company of the Google Remarketing services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The purpose of this service is to display advertising to users based on their interests. This requires an analysis of website use, which is carried out using cookies. In this process, the cookies store anonymized or pseudonymized data regarding the use of the website. If you visit additional websites that also use these services, you will be shown advertising that matches your previous interests.
You can find more information at https://www.google.com/privacy/ads/
Recipients and third country transfer
With every visit of our website, personal data, including your IP address, is transmitted to Google in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data is deleted as soon as you have withdrawn your consent or it is no longer required to achieve the purposes of processing. In principle, the deletion will occur 30 days after the provision of the data.
Withdrawal of consent
If you do not want Google’s Remarketing feature to be used, you can disable it under the following link: https://adssettings.google.com. Alternatively, you can disable the use of cookies for interest-based advertising via the advertising network initiative: http://www.networkadvertising.org/managing/opt_out.asp.
Google Ads and Google Ads Conversion Tracking
Type and purpose of the processing
Our website uses Google Conversion Tracking. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The purpose of this processing is the so-called conversion tracking, i.e., we can detect what happened after you clicked on our advertisements. If you reach our website via a Google advertisement, Google Ads places a cookie on your computer.
If a user visits certain pages on our website, and the cookie has not expired, we and Google can recognize that the user clicked on an ad and was redirected to this page. The information gathered by the conversion cookie is used to generate conversion statistics for Google Ads. We can see the total number of users who clicked on our advertisement and were redirected tour webpage. However, we do not receive information that personally identifies users.
You can find more information on the service under the following link: https://policies.google.com/privacy.
Recipients and third country transfer
Whenever you visit our website, your personal information, including your IP address, is transferred to Google in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
These cookies, which are not used for personal identification, expire after 30 days.
Withdrawal of consent
If you do not want to participate in the tracking, you can reject the required cookie use, for example via a general browser setting that disables the automatic use of cookies or configures your browser to block cookies from the domain ‘googleleadservices.com’. Furthermore, you can disable relevant cookies under the following link: https://adssettings.google.com.
Google Tag Manager
Our website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a solution that allows marketers to manage website tags used for tracking and online marketing through a single interface. It allows JavaScript and HTML tags to be quickly deployed and updated on our website. Google Tag Manager, which implements the tags, is itself a cookie-free domain and does not collect any personal information. Rather, it merely serves to manage other services, such as Google Analytics. These services, in turn, may collect data.
You can find more information hereto by visiting the following website: https://www.google.com/intl/de/tagmanager/use-policy.html.
YouTube videos
Type and purpose of the processing
We embed YouTube videos on our website. The operator of the respective plug-ins is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”). When you visit a page with the YouTube plug-in, a connection to the provider’s servers will be established. In case you are logged into your YouTube account, YouTube will be in a position to associate your browsing behavior with you personally. You can prevent this by logging out of your YouTube account beforehand.
Once a YouTube video is started, the provider sets cookies that collect information about user behavior.
You will find additional information on data protection in the provider’s privacy policy at: https://policies.google.com/privacy.
Recipients and third country transfer
Starting a YouTube video automatically triggers a connection to Google, which processes your data in the USA. To protect your data after the transfer, we have concluded standard contractual clauses with Google. Please let us know should you want to obtain a copy thereof.
Retention period and withdrawal of consent
Your data will be deleted 8 months after its provision.
If you do not wish cookies be placed on your device when watching embedded YouTube videos, you can disable the storage of cookies for the Google Ads Programme or block the storage of cookies in the browser altogether.
Google Marketing Platform
Type and purpose of the processing
Our website services of Google Marketing Platform (formerly “DoubleClick”), provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This tool uses cookies to serve ads that are relevant to users, to improve campaign performance and to prevent a user from being served the same ad more than once. To achieve this, Google uses a cookie ID to record which ads are displayed in which browser. In addition, Google can use cookie IDs to record so-called conversions, i.e. the fact that a user visits the advertiser’s website after seeing a relevant ad. If you are logged into your Google account, Google can assign your visit of the relevant website to your user account. If you do not want this connection to be established, please log off from your Google account beforehand.
Recipients and third country transfer
Your personal information is transferred to Google in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data is deleted as soon as you have withdrawn your consent or it is no longer required to achieve the purposes of processing.
Withdrawal of consent
If you do not want Google Marketing Platform to be used, you can reject the required cookie use, for example via a general browser setting that disables the automatic use of cookies, or by disabling relevant cookies under the following link: https://adssettings.google.com.
Vidyard
Type and purpose of the processing
We embed videos on our website. The operator of the respective plug-ins is Buildscale, Inc., 1 Queen Street North, Unit #301, Kitchener, ON N2H 2G7, Canada. When you visit a page with a Vidyard plug-in, a connection to the provider’s servers will be established, so as to deliver you the video, and a cookie is placed.
Recipients and third country transfer
To show you the video, a connection to Vidyard is necessary. In this context, your data may be transferred to Canada. To protect your data after the transfer, we have concluded standard contractual clauses with Buildscale, Inc. Please let us know should you want to obtain a copy thereof.
Retention period and withdrawal of consent
Your data will be deleted 90 days after its provision.
LinkedIn Analytics
Type and purpose of the processing
We use LinkedIn Analytics on our website. The service, provided by LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”), stores and processes information about your user behavior on our website. For this purpose, the service places cookies in your terminal device. We use LinkedIn Analytics to analyze the use of our website and to continuously improve individual functions of our website and the overall user experience. The statistical evaluation of user behavior enables us to improve our offer and make it more interesting for our website visitors.
To learn more about LinkedIn’s processing of your data, please visit: https://www.linkedin.com/legal/privacy-policy.
Recipients and third country transfer
LinkedIn as the recipient of your data might transfer your data to the USA. To protect your data after the transfer, we have concluded standard contractual clauses with LinkedIn. Please let us know should you want to obtain a copy thereof.
Retention period
The data is deleted as soon as you have withdrawn your consent or it is no longer required to achieve the purposes of processing. In principle, the cookies are valid for the duration of the session, 24 hours, 30 days or 2 years.
Withdrawal of consent
If you do not want LinkedIn Analytics to be used, you can withdraw your consent in our consent banner. Furthermore, you can visit LinkedIn’s webpage to modify your privacy preferences and opt-out: https://www.linkedin.com/legal/cookie-policy.
LinkedIn Ads
Type and purpose of the processing
Furthermore, we use the retargeting tool and the conversion tracking of LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland. For this purpose, the LinkedIn Insight Tag is incorporated into our webpage. LinkedIn uses it to collect statistical, pseudonymized data regarding your visit to our website and your use thereof, and to provide us with the corresponding aggregated statistics.
To learn more about LinkedIn’s processing of your data, please visit: https://www.linkedin.com/legal/privacy-policy.
Recipients and third country transfer
LinkedIn as the recipient of your data might transfer your data to the USA. To protect your data after the transfer, we have concluded standard contractual clauses with LinkedIn. Please let us know should you want to obtain a copy thereof.
Retention period
Depending on the type of data, the data is stored for the duration of the session, 24 hours or 2 years.
Withdrawal of consent
If you do not want LinkedIn Ads to be used, you can withdraw your consent in the consent banner. Furthermore, you can visit LinkedIn’s webpage to modify your privacy preferences and opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
HubSpot
Type and purpose of the processing
HubSpot is an integrated software solution that we use to cover different aspects of our online marketing. This includes, among others, email marketing, reporting, social media publishing and reporting, contact management (e.g., user segmentation and CRM), landing pages, and contact forms. Furthermore, HubSpot allows us to analyse the usage of the website. The service is provided by HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA (“HubSpot”).
Our registration service enables visitors to our website to find out more about our company, to download contents and to provide their contact information, together with further demographic information. This information is stored on the servers of our software partner HubSpot. We can use it to make contact with visitors to our website and to determine which of our company’s services are interesting for them.
To find out more about the data processing by HubSpot, please visit: https://legal.hubspot.com/privacy-policy.
Recipients and third country transfer
HubSpot as the recipient of your data processes the data in the USA. HubSpot is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
Depending on the type of data, the data is stored for the duration of the session, 30 Minutes, one day, one year or 13 months.
Withdrawal of consent
If you do not want HubSpot to be used, you can withdraw your consent at any time in our consent banner.
Trade Desk
Type and purpose of the processing
This website uses Trade Desk, a targeted advertising service provided by The Trade Desk, Inc., 42 N. Chestnut Street, Ventura, CA 93001 (“Trade Desk”). Trade Desk is used for the so-called remarketing of advertising based on your behavior on our website. Information on the surfing behavior of website visitors are collected in a purely anonymized form for marketing purposes. No clear user-related data such as name or address is stored in the process.
Further information on Trade Desk is available under https://www.thetradedesk.com/us/privacy.
Recipients and third country transfer
Trade Desk as the recipient of your data might process the data in the USA. Trade Desk is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data is stored for one year.
Withdrawal of consent
You may withdraw your consent to this type of analysis of your use of this website in our consent banner or by visiting https://www.adsrvr.org/ to opt-out of the Trade Desk services. Both options will prevent the use of web analysis only as long as you use the browser in which you made your choice and do not delete the opt-out cookie.
6sense
Type and purpose of the processing
We use 6sense, a software for marketing automation. The provider of the tools is 6Sense Insights, Inc., 450 Mission Street, Suite 201. San Francisco, CA, 94105, USA (“6sense”). 6sense is a B2B account engagement platform that uses advanced data analysis techniques to provide account engagement insights, optimized marketing programming, and targeted digital advertising experiences. For those purposes, 6sense collects the following information: IP address, device information, and cookie identifiers.
You can learn more about the respective data processing under the following link: https://6sense.com/privacy-policy/.
Recipients and third country transfer
6sense as the recipient of your data might process the data in the USA. 6sense is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data is stored for 30 days.
Withdrawal of consent
You may withdraw your consent to this data processing in our consent banner.
3. Processing activities within our platform
While we are a data processor for the vast majority of the processing activities conducted within our Platforms, we are a controller for the others. These are listed below.
3.1. Provision of the platforms and collection of general information during a visit to our Platforms
Type and purpose of the processing
When you access our Platforms, i.e. even if you do not register or otherwise submit any information, information of a general nature is automatically collected. This information (server log files) include, for example, the type of web browser and the operating system used, the domain name of your Internet service provider, your IP address and the like.
In particular, these data are processed for the following purposes:
- ensuring a problem-free connection,
- ensuring seamless use of our Platforms,
- evaluation of system security and stability, and
- optimization of our Platforms.
We do not use these data to draw conclusions about your person. We might statistically analyze them in an anonymized form in order to optimize our Platforms and its underlying technology.
Legal basis and legitimate interest
The processing is carried out pursuant to Art. 6(1)(f) GRPR on the basis of our legitimate interest in improving the stability and functionality of the respective Platform.
Data recipients and third-country transfer
Recipients of the data may be our technical service providers acting as data processors in the area of operation and maintenance of our Platforms.
Retention period
The data will be deleted as soon as they are no longer required for the purpose for which they were collected. With regard to the data processed with the aim of Platform provision, this is generally the case after the respective session has ended.
Data stored in log files will be deleted after 30 days at the latest. Storage beyond this period is possible, in which case we will anonymize the IP addresses of the users so that an assignment of the calling client is no longer possible.
Mandatory or required provision
The provision of the aforementioned personal data is neither statutory nor contractually required. However, without the IP address, the service and functionality of our Platform cannot be guaranteed. Furthermore, individual services may be unavailable or limited. Hence, objection to the aforementioned processing is not possible.
3.2 Registration and login on our platforms
Type and purpose of the processing
As part of our Platform integration, there are web applications connected to our website where customers can issue corporate payments. In order to access these web applications, a log-in is required, whereby certain personal data such as email address and password are collected.
Legal basis
Insofar as this processing does not fall under the Data Processing Agreements conducted with our customers, it is conducted based on our legitimate interest in guaranteeing the security of the Platforms pursuant to Art. 6(1)(f) GDPR.
Recipients
Recipients of the data may be our technical service providers (data processors) in the field of operation and maintenance of our website.
Retention period
Data are only processed as long as they are necessary for the fulfillment of the contract. Thereafter, they will be deleted, unless there is a statutory retention obligation contradicting the deletion.
Mandatory or required provision
The provision of your personal data is not statutory required. However, without the provision of your personal data, we cannot give you access to our Platforms, meaning that some of the TIS services might not be available to you.
3.3 Use of Identify Providers (Single-Sign-On)
Type and purpose of the processing
To facilitate the authentication process when accessing our Platforms, we provide our customers with the possibility to use single-sign-on. For this purpose, Azure Active Directory or other Identity Providers chosen by our customers may be used.
If single-sign-on is being used, our platform authenticates a user by verifying the data provided by the respective Identity Provider. TIS does not store any login data or authentication tokens. Authentication and processing of data both take place directly in the user’s browser, by communicating directly with the respective Identity Provider.
The data processed in this context is only used for the purpose of user authentication. We will not process it for any other purpose.
Legal basis
The legal basis for this processing activity is your consent according to Art. 6(1)(a) GDPR.
Recipients and third country transfer
Depending on the Identity Provider used by your company, a third-country transfer might take place. The level of data protection in these countries might not always correspond to that of the European Union. To identify the countries in which the data is transferred in this context, please refer to your company or the Identity Provider used.
For example, if your company uses Azure Active Directory, a third-country transfer to the USA to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA might take place. For details about Microsoft’s use of your data and your options to protect your personal information, please see the Microsoft Privacy Statement.
Retention period
The data will be retained as long as your consent and the purpose of processing are given. We will delete the data as soon as not needed anymore, e.g. in case you stop using our services.
Withdrawal of consent
You may withdraw it at any time with effect for the future. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Mandatory or required provision
The provision of your personal data is voluntary and based solely on your consent. If you do not give us consent, you unfortunately will not be able to use single-sign-on to access our Platforms.
3.4 Datadog
Type and purpose of the processing
To guarantee the security of our Platform and to be able to respond to any connected issues, we use Datadog services within our platform. For example, by using the Datadog services, we can detect and prevent attacks to our Platform, thereby protecting the data processed within the Platform. The provider of the service is Datadog, Inc., 620 8th Ave., 45th Fl., New York, NY 10018, USA (“Datadog”).
We use Datadog in our capacity as a data controller, as it is first and foremost in the interest of TIS to guarantee the security of its platform. In this regard, we alone decide on the purposes of the processing. At no point does Datadog have access to financial data processed within the TIS Platforms under the Data Processing Agreements with our customers.
The data processed in this context is only used for the purpose of guaranteeing the security of the platform and connected troubleshooting. We will not process it for any other purpose.
Legal basis
The legal basis for this processing activity is our legitimate interest in guaranteeing the security of our platform pursuant to Art. 6(1)(f) GDPR.
Recipients and third country transfer
The data is shared with Datadog, which processes your data in the USA. Datadog is certified under the EU-U.S. Data Privacy Framework; the transfers of data to the USA are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data will be retained as long as necessary for the abovementioned purposes of processing.
Mandatory or required provision
The provision of your personal data is neither contractually nor statutory required.
Objection to the processing
Please read the information on your right to object according to Art. 21 GDPR below.
3.5 Matomo
Our platform uses Matomo, an open-source software for statistical analysis of usage of websites. The provider is InnoCraft Ltd, 150 Willis St., 6011 Wellington, New Zealand.
With the help of the analysis tool Matomo, self-hosted in the cloud of our hosting provider, we evaluate user behavior. No cookies are set for this purpose. Furthermore, we have set Matomo in a way that it does not access information stored in the user’s end device that is protected pursuant to § 25(1) TTDSG.
At no time does Matomo access the data subject to the Data Processing Agreements with our customers.
Purpose and legal basis of processing
Matomo is used to improve the quality of our Platform and to better adapt it to the needs of our customers. With the help of Matomo, we gain insights on how the Platform is used and can thus constantly optimize it.
The processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the Platform.
Recipient of the data
Recipients of the data are our service providers who act as data processors in the area of operation and maintenance of our Platform.
Retention period
IP addresses are anonymized before storage. Consequently, we are not able to draw conclusions about individual users of the Platform.
The data will be deleted as soon as it is no longer required for the purposes for which it was collected and no statutory retention obligations oppose to its deletion. In our case, data is deleted automatically after 6 months.
Objection to the processing
Please find the information on the right to object further down.
Provision prescribed or required
The provision of the data is neither statutory nor contractually required.
4. Processing activities within our social media platform
Our company also has social media profiles on LinkedIn and Facebook. Thereby, our goal is to inform you about the activities of TIS and to provide for an easy way to get in touch with us.
4.1 Facebook profile
Nature and purpose of processing
We maintain a company profile on Facebook. The platform is operated by Meta Platforms Ireland Ltd (Ireland/EU). We maintain the profile in order to inform profile visitors, interested parties and customers about our company. We provide information via our profile and provide for an opportunity to contact us.
As soon as you visit our Facebook company profile, follow it or otherwise engage with it, Meta processes personal data. As a result, Meta provides us with insights and statistics in anonymised form, informing us about the types of actions that visitors take on our site. It is not possible for us to use this information to draw conclusions about individual users.
We are jointly responsible with Meta for the processing of personal data of profile visitors (Art. 26 GDPR). For this purpose, we have concluded a joint controllership agreement with Meta, which governs the distribution of data protection obligations between us and Meta. You can access this agreement here. To exercise your data subject rights, you may contact Meta online or via the contact details in the privacy policy.
You can also contact us to exercise your rights as a data subject. In such a case, we will forward your enquiry to Meta, unless we are able to respond to the request ourselves.
Further information on the processing of your data by Meta can be found in the privacy policy of Meta Platforms Ireland Ltd.
Legal basis
Your personal data is processed on the basis of your consent in accordance with Art. 6(1)(a) GDPR, which you have provided to Meta as part of your registration.
Recipients and third country transfer
The recipient of your data in this context is Meta. A transfer of data to the USA may take place in this context. Meta has certified under the EU-U.S. Data Privacy Framework. Transfers of data to them are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In this context, this is the case at the latest when you have withdrawn your consent.
Provision mandatory or required
The provision of the aforementioned personal data is voluntary and is based on your consent.
4.2 LinkedIn page
Nature and purpose of processing
We maintain a company profile on LinkedIn. This platform is operated by LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland. We maintain the LinkedIn company page in order to inform profile visitors, interested parties and customers about our company. We provide information via our LinkedIn profile and offer users the opportunity to communicate with us.
As soon as you visit our LinkedIn company profile, follow this page or engage with it, LinkedIn processes personal data. LinkedIn provides us with anonymised insights and statistics that inform us about the types of actions that visitors take on our site (so-called Page Insights). It is not possible for us to draw conclusions about individual members from the Page Insights information. Thereby, LinkedIn processes data that you have provided in your profile, or that is inferred from your interactions with our LinkedIn company page.
As the operator of a LinkedIn company profile, we are jointly responsible with LinkedIn for the processing of the personal data of page visitors (Art. 26 GDPR). For this purpose, we have concluded a joint controllership agreement with LinkedIn, which defines the distribution of data protection obligations between us and LinkedIn. You can access the agreement here. According to it, LinkedIn is primarily responsible for responding to data subject requests. To exercise your data subject rights, you may contact LinkedIn online or via the contact details in the privacy policy. You may also contact LinkedIn’s data protection officer.
You can also contact us to exercise your rights as a data subject. In such a case, we will forward your enquiry to LinkedIn, unless we are able to respond to your inquiry ourselves.
Further information on the processing of your data by LinkedIn can be found in LinkedIn’s privacy policy.
Legal basis
The processing of your personal data is based on your consent in accordance with Art. 6(1)(a) GDPR, which you have given to LinkedIn as part of your registration.
Recipients and third country transfer
The recipient of your data in this context is LinkedIn. A transfer of data to the USA may take place. LinkedIn has certified under the EU-U.S. Data Privacy Framework. Transfers of data to them are hence based on the adequacy decision of the EU Commission for the USA.
Retention period
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. In this context, this is the case at the latest when you have withdrawn your consent.
Provision mandatory or required
The provision of the aforementioned personal data is voluntary, based solely on your consent.
5. Your rights as the data subject
You can exercise the following rights at any time using the contact details specified above:
- information on your data stored by us and the processing thereof (Art. 15 GDPR),
- rectification of inaccurate personal data (Art. 16 GDPR),
- deletion of your data stored by us (Art. 17 GDPR),
- restriction of the processing, provided that we may not delete your data due to legal obligations (Art. 18 GDPR),
- objection to the processing of your data with us (Art. 21 GDPR) and
- data portability, provided that you have consented to the data processing or have entered into a contract with us (Art. 20 GDPR).
If you have given us consent, you may withdraw it at any time with effect for the future. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You can lodge a complaint with a supervisory authority at any time, e.g. with the supervisory authority of the state of your residence or the authority that oversees us as the responsible party. You can find a list of supervisory authorities under the following link:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
6. Information on your right to object according to Art. 21 GDPR
You have the right at any time, for reasons that arise from your particular situation, to object to the processing of personal data pertaining to you based on 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision in accordance with Art. 4 No. 4 GDPR.
If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing is for the purpose of enforcing, carrying out or defending legal claims.
7. SSL encryption
To protect the security of your data during transmission, we use state-of-the-art encryption methods (such as SSL) via HTTPS.
8. Information on joint controllership
The companies named in Section 1 of this Privacy Policy are joint controllers for the data processing activities conducted in the framework of the provision of the website. For this purpose, we have concluded an intercompany joint controllership agreement. You may contact any of the named companies should you want to exercise your data subject rights.
9. Revision of our privacy policy
We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to reflect changes to our services in the privacy policy. In case the privacy policy is modified, your next visit will be subject to the new privacy policy.