Privacy Policy of Bioshyft GmbH
Privacy Policy of Bioshyft GmbH
(incl. brands Bioshyft, Foodshyft, Agrishyft, Oceanshyft, Materialshyft, Energyshyft & Watershyft)
We, Bioshyft GmbH (hereinafter “the company”, “we” or “us”) take the protection of your personal data seriously and would like to inform you as the data subject (hereinafter also “customer”, “user”, “you”, “you” or “data subject”) about this.
Insofar as we decide on the purposes and means of data processing either alone or jointly with others, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 GDPR). With this declaration (hereinafter: “data protection information”) we inform you about the way in which your personal data is processed by us.
Our data protection information has a modular structure. It consists of a general section for all processing of personal data and processing situations that apply each time a website is accessed (A. General) and a special section, the content of which relates only to the processing situation specified there with the designation of the respective offer or product, in particular the visit to websites described in more detail here (B. Visit to websites)
A. General information
1. Definitions
This data protection information is based on the following definitions of Art. 4 GDPR:
– “Personal data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
– “Processing” (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
– “Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
– “Processor” (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
– A “third party” (Art. 4 No. 10 GDPR) is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
– “Consent” (Art. 4 No. 11 GDPR) of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the controller
The controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is
Bioshyft GmbH
At the Alster 6
20099 Hamburg
E-Mail: coordination@bioshyft.com
For further information about our company, please refer to the legal notice on our website www.bioshyft.com/legal-notice/.
3. Legal basis for data processing
In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justification
- Art. 6 para. 1 sentence 1 lit. a GDPR (“consent”): Where the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;
- Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject;
- Art. 6 para. 1 sentence 1 lit. d GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject;
- Art. 6 para. 1 sentence 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- Art. 6 para. 1 sentence 1 lit. f GDPR (“Legitimate interests”): Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- In addition, the storage of information in the end user’s terminal equipment or access to information that is already stored in the terminal equipment is only permitted if it is covered by one of the following justifications;
- § Section 25 (1) TTDSG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
- § 25 para. 2 no. 1 TTDSG: If the sole purpose is to carry out the transmission of a communication via a public telecommunications network or
- § 25 para. 2 no. 2 TTDSG: If the storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.
For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing can also be based on several legal bases.
4. Data erasure and storage duration
For the processing operations carried out by us, we indicate below how long we store the data and when it is deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose has been fulfilled or the legal basis for storage no longer applies. Your data will only be stored on our servers in Germany, subject to any disclosure in accordance with the provisions in this Section A (6) and (7).
However, data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings or if storage is provided for by statutory provisions to which we are subject as the controller (e.g. Section 257 HGB, Section 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
5. Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. SSL encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with more detailed information on request. Please use the contact details given in section 2 above.
6. Cooperation with processors
We use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.
7. Requirements for the transfer of personal data to third countries
As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. fin each case in conjunction with Art. 44 et seq. Art. 44 ff. GDPR). We will inform you about the respective details of the transfer at the relevant points below.
8. No automated decision-making (including profiling)
We do not use personal data for automated decision-making (including profiling).
9. No obligation to provide personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case in the context of the products presented below and offered by us, you will be informed of this separately.
Legal obligation to transmit certain data
We would like to point out that we may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Art. 6 para. 1 sentence 1 lit. c GDPR).
10. Processing of publicly accessible data
In order to provide our services, we use search engines/crawlers that automatically collect data and information that is publicly accessible on the Internet. This processing may also involve personal data that is not collected directly from the data subject.
Publicly accessible data is all data, information and entries that can be accessed or viewed by anyone directly (e.g. via a link) or indirectly (e.g. via a query) via public sources. Examples of public sources are Websites, news portals, blog articles, publicly shared posts and profiles from social media as well as public databases of specialist portals, job exchanges, forums, the commercial register, the Federal Gazette or Wikipedia.
11. Shared use of data/shared responsibility
In order to provide you with comprehensive support and to ensure the consistently high quality of our services and products, we share responsibility with Shyft Consulting GmbH and Innoloft GmbH. The legal basis for this processing is Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR (legitimate interest in the provision and improvement of our services). In accordance with Art. 26 GDPR, the joint controllers have concluded an agreement in which their respective responsibilities with regard to compliance with their obligations under the GDPR are set out in a transparent manner. In addition, we may share data with other affiliated companies for marketing or customer service purposes. Such processing is carried out on the basis of Art. 28 GDPR in conjunction with a data processing agreement concluded with the respective companies.
12. Your rights
You can assert your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided at the beginning under A.(2). As the data subject, you have the right to
– to request information about the processing of your personal data in accordance with Art. 15 GDPR,
– in accordance with Art. 16 GDPR, to request the rectification of inaccurate personal data concerning you,
– in accordance with Art. 17 GDPR, to demand that personal data concerning you be deleted immediately; we are obliged to delete personal data immediately if one of the reasons stated in the regulation applies,
– in accordance with Art. 18 GDPR, to demand the restriction of processing if one of the reasons stated in the provision applies,
– pursuant to Art. 21 GDPR to object to the processing of personal data concerning you on grounds relating to your particular situation, if the processing is based on Art. 6 (1) f) GDPR (legitimate interests). Following your objection, we will no longer process the personal data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims,
– pursuant to Art. 20 GDPR on data portability.
– In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent at any time with effect for the future.
To exercise your aforementioned rights, please use the contact details provided in section 3 above.
In accordance with Art. 77 GDPR, you also have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority in Hamburg is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Straße 22, 7th floor, 22459 Hamburg, Tel.: 004940 / 428 54 – 4040, Fax: 004940 / 428 54 – 4000, Email: mailbox@datenschutz.hamburg.de, Website: https://datenschutz-hamburg.de/
13. Changes to the data protection information
As part of the ongoing development of data protection law and technological or organizational changes, our data protection information is regularly reviewed to determine whether it needs to be adapted or supplemented.
B. Visiting websites
1. Explanation of the function
Information about our company and the services we offer can be found in particular at www.bioshyft.com, www.app.bioshyft.com and www.bioshyftapp.com , www.agrishyft.com, www.oceanshyft.com, www.foodshyft.com, www.materialshyft.com, www.energyshyft.com, www.watershyft.com together with the associated subpages (hereinafter jointly referred to as “websites”). When you visit our websites, your personal data may be processed.
2. Processed personal data
We process the following categories of personal data when you use the websites for information purposes:
Log data: When you visit our websites, a so-called log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:
– of the page from which the respective page was requested (so-called referrer URL),
– Name and URL of the requested page,
– Date and time of the call,
– Description of the type, language and version of the web browser used,
– the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established,
– the amount of data transferred,
– the operating system,
– the message whether the call was successful (access status/Http status code),
– the GMT time zone difference.
Contact form data: When contact forms are used, the data transmitted through them is processed (e.g. gender, surname and first name, address, company, e-mail address and the time of transmission).
User account: When you register for a user account, we collect the following personal data:
– Surname, first name
– Business e-mail address
– Contact information
– Billing and payment information
– If you register via Linkedin, your Linkedin profile url
Additional information required, from starter package:
– Link to an organization profile; the organization profile must contain the name of the organization, the URL, the logo and the general e-mail address
– any other information we may ask you to provide, such as your Linkedin profile
Optional data that you add to your profile
– Title
– Position
– Interests
– “About me” text
– Department
– Industries
– Profile picture
In addition to the purely informational use of our website, we offer a subscription to our newsletter, which we use to inform you about new products and events. If you subscribe to our newsletter, the following newsletter data will be collected, stored and processed by us:
– the page from which the respective page was requested (so-called referrer URL),
– Date and time of the call,
– Description of the type of web browser used,
– the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established,
– the e-mail address,
– the date and time of registration and confirmation.
We would like to point out that we evaluate your user behavior when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the aforementioned data and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID. The data is collected exclusively in pseudonymized form, i.e. the IDs are not linked to your other personal data, and direct personal identification is excluded.
3. Purpose and legal basis of data processing
We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary.
Insofar as the processing of personal data is based on Art. 6 para. 1 sentence 1 lit. f GDPR, the purposes mentioned also represent our legitimate interests.
The processing of log data serves statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 sentence 1 lit. a or lit. f GDPR).
The processing of contact form data is carried out to process customer inquiries (legal basis is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR).
User account data is processed for the purpose of accessing your user account and using the services we offer. As part of the registration process, you consent to the processing of your personal data (legal basis is Art. 6 para. 1 lit. a GDPR). We use the so-called double opt-in procedure to register for your user account. This means that after you have registered, we will send you an email to the email address you have provided in which we ask you to confirm that you wish to access our services (free of charge). The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.
If the processing of the data requires the storage of information in your terminal equipment or access to information that is already stored in the terminal equipment, Section 25 (1), (2) TTDSG is the legal basis for this.
4. Duration of data processing
Your data will only be processed for as long as is necessary to achieve the above-mentioned processing purposes; the legal bases specified in the context of the processing purposes apply accordingly. With regard to the use and storage duration of cookies, please refer to section A, point 4.
Third parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.
You can find more details on the storage period under section A, point 4.
5. Transfer of personal data to third parties; basis for justification
The following categories of recipients, which are usually processors (see section A, paragraph 7), may have access to your personal data:
– We use data processors as service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as these are not processors;
– Government bodies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;
– Persons engaged to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.
In addition, we will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
6. Use of cookies, plugins and other services on our website
a) Cookies
We use cookies on our websites. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer more user-friendly and effective overall, i.e. more pleasant for you.
Cookies may contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, a distinction is made between cookies:
– Required cookies: Required cookies are absolutely necessary to enable the basic functions of this website, such as secure login or customization of your consent settings. These cookies do not store any personally identifiable data.
– Functional cookies: Functional cookies help to perform certain functions, such as sharing the content of the website on social media platforms, collecting feedback and other third-party functions.
– Analytical cookies: Analytical cookies are used to understand how visitors interact with the website. These cookies help to provide information on key figures such as the number of visitors, bounce rate, traffic, etc.
– Performance cookies: Performance cookies are used to understand and analyze the website’s key performance indicators, which helps to provide visitors with a better user experience.
– Advertising cookies: These are used to show visitors tailored advertising based on previously visited pages and to analyze the effectiveness of advertising campaigns.
The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is § 25 para. 2 no. 2 TTDSG. Any further use of cookies will only be made with your consent in accordance with § 25 para. 1 TTDSG in conjunction with Art. 6 para. 1 sentence 1 lit. a GDPR. In addition, we will only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
b) Google Analytics
For these websites we use Google Analytics, a web analysis service of Google Ireland Limited (“Google”) on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. Google Analytics uses cookies, which are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
However, by activating IP anonymization on our website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
Google will use this information on our behalf to anonymously evaluate your use of the website, to compile reports on website activity and to provide us with other analysis services relating to website activity and internet usage.
Further information on the use of data by Google, setting and objection options can be found on the Google websites: policies.google.com/technologies/partner-sites?hl=de, policies.google.com/technologies/ads?hl=de, adssettings.google.com/anonymous
c) YouTube
We embed videos from youtube.com on our website. We have embedded the videos in the so-called “extended data protection mode”. This means that only when you use the playback function will cookies be set by YouTube on the device you are using, which can also be used to analyze usage behavior for market research and marketing purposes.
If you have not consented to the use of advertising cookies, you must consent to the transfer of data to YouTube before playing a video. The legal basis for the processing is your consent.
You can find more information on the use of cookies by YouTube in Google’s cookie policy at https://policies.google.com/technologies/types?hl=de
d) Hotjar
For this website we use Hotjar, a web analysis service of Hotjar Limited (“Hotjar”) based in Malta on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. Hotjar uses cookies, which are stored on your computer and enable your use of the website to be analyzed. With the data obtained, we can improve the functionality and user-friendliness of the website. Your IP address is processed anonymously.
You can find more information on the use of cookies by Hotjar in Hotjar’s cookie policy at https://www.hotiar.com/lepal/policies/privacy/ and https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookies
e) Zapier
We use “Zapier” to connect different web apps. This allows us to automate actions between different web apps. Zapier is a service of Zapier Inc. based in the USA. When using Zapier, it cannot be ruled out that data will be transferred to Zapier servers in the USA. We have concluded an order processing agreement with Zapier. We use Zapier to automate actions between different apps and thus improve our website and make it more time-efficient, which is also our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.
Further information on data protection at Zapier can be found at: https://zapier.com/privacv/
f) Notion
For these websites we use a service of Notion Laby Inc., 548 Market Street Suite 74567 San Francisco, CA 94104 United States for the provision of FAQs. You can find further information on data protection at Notion at: https://www.notion.so/de-de/security
g) Airtable
On our website we integrate a web-based data management system from Formagrid Inc, dba Airtable, which enables us to plan and control workflows. Further information on data protection at Airtable can be found at: https://www.airtable.com/company/privacy
h) Stripe
We use the payment service provider Stripe Payments Europe, Limited (SPEL) for payment processing on this website. Further information on data protection at Stripe can be found at: https://stripe.com/de/privacy
i) Calendly
We use a planning tool from Calendly LLC. on our website, with which we can quickly and easily arrange and coordinate appointments. Further information on data protection at Calendly can be found at: https://calendly.com/privacy
j) Breakcold
We use the CRM software Breakcold from the provider Logike SAS to support our email processes. Further information on data protection at Breakcold can be found at: https://www. breakcold . com/en/privacy-policy
k) Provenexpert
For these websites, we use a service provided by Expert Systems AG, which enables us to integrate customer reviews on our website. Further information on data protection at Provenexpert can be found at:
I) MapTiler
Maps are integrated on our website using the services of MapTiler AG. Further information on data protection at MapTiler can be found at: https://www.maptiler.com/privacy-policy/
m) PubNub
We use the real-time communication platform (messenger system) of PubNub Inc. Further information on data protection at PubNub can be found at https://www.pubnub.com/trust/legal/privacy-policy/
n) Mailjet
We use the service of the French e-mail marketing platform Mailjet GmbH to send e-mails. Further information on data protection at Mailjet can be found at: https://www.mailiet.com/de/rechtliches/datenschutzerklaerunq/
o) DeepL
We use the translation service of DeepSE Inc. for our websites. Further information on data protection at DeepL can be found at: https://www.deepl.com/de/privacy
p) Stonly
We use a service from Stonly SAS to support integration for users and administrators. Further information on data protection at Stonly can be found at: https://stonly.com/priyacy
q) X (formerly Twitter)
You can find further information on data protection on Twitter at:
https://twitter.com/de/privacy
r) Social media plugins
If our website contains symbols from social media providers (e.g. LinkedIn, X and YouTube), we only use these to passively link to the pages of the respective providers..