Privacy Policy

This privacy policy applies to data processing by SQUAKE.earth GmbH ("SQUAKE", "controller", "we" or "us").

When you use our website or our services, personal data is collected and processed in compliance with the applicable data protection regulations. Personal data is any information relating to an identified or identifiable natural person, e.g. name, address, e-mail address. When processing your personal data, we observe the applicable data protection laws, in particular the European Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").

With this privacy policy, we would like to inform you about which personal data we process, for what purposes and on what legal basis.

We take the protection of your personal data very seriously. We will only process your data for the purposes clearly set out in this privacy policy. If we process data for other purposes and/or pass your data on to third parties for other purposes, we will only do so with your express consent.

1. Name and Contact Details of the Data Protection Officer

The responsible party for data processing within the meaning of Art. 4 No. 7 GDPR is SQUAKE.earth GmbH, c/o Lufthansa Innovation Hub, Rosenthaler Straße 32, 10178 Berlin in Germany, e-mail: info@squake.earth. We have appointed an internal data protection officer. The contact details of our data protection officer are as follows: e-mail: privacy@squake.earth.

2. Collection and Storage of Personal Data, Type and Purpose of your Processing, as well as relevant Legal Basis and Storage Period

2.1 Use of our Website

When you use our website, we automatically collect and store data that your browser transmits to our server (so-called server log files), where by logging only takes place to the extent that is technically necessary.

The following information is collected:

- Operating system and information on the Internetbrowser used, including installed add-ons;

- IP address (internet protocol address) of the end device from which the online offer is accessed;

- Internet address of the website from which the online offer was accessed (so-called origin or referrer URL);

- Name of the service provider through which the online offer is accessed;

- Name of the retrieved files or information;

- Date and time and duration of the retrieval.

The legal basis for the collection of this data is Art. 6 (1) lit. f) GDPR. Our legitimate interest in collecting this data follows from the following purposes:

- Ensuring optimal use of our website,

- Ensure smooth connection establishment,

- Evaluation of system security and stability.

2.2 Use of SQUAKE Services, Purchase of Climate Contributions

Personal data is collected via our website when you provide it to us, e.g. when registering for a SQUAKE customer account, by filling out (contact) forms, by sending e-mails or by purchasing Climate Contributions. We use this data for the purposes stated or resulting from the request, for example to process a support request or a purchase of Climate Contributions.

To complete the purchase of a Climate Contribution, you must provide the following personal data on our check-out page, which we collect and subsequently process:

- E-mail address
- First name and surname
- Adress
- Payment or credit card data

We process this data in order to fulfil the purchase contract concluded with you. This includes in particular the possibility to send you a confirmation of your purchases to the e-mail address you have provided or to ensure the function of a customer account. The legal basis for data processing is therefore Art. 6 para. 1 lit. b) DSGVO.

2.3 Payment Processing

Your payment data is processed when you make a payment. This data is processed on the basis of Art. 6 (1) lit. b) GDPR in order to fulfil the purchase contract concluded with you. In doing so, the data is transferred to one of the the payment service providers.

- Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland).
- Adyen (Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ in Amsterdam, the Netherlands)
- PCI-Proxy (Datatrans Ltd., Kreuzbühlstrasse 26 8008 Zurich, Switzerland)

(all three together hereafter “the Payment Providers”). Your data will only be transmitted for the purpose of payment processing with the Payment Providers and only insofar as it is necessary for this purpose. We have concluded a processor contract with the Payment Providers in accordance with Art. 28 GDPR. The choice of project, the amount of CO2 compensation and the total transaction amount are processed as part of the payment processing.

You can find an overview of Stripe's data protection at: https://stripe.com/de/privacy.

You can find an overview of Adyen’s data protection at: https://www.adyen.com/policies-and-disclaimer/privacy-policy/  

You can find an overview of PCI-Proxy’s data protection at: https://www.pci-proxy.com/privacy-policy.

2.4 Data Processing when contacting us

If you contact us by e-mail, we will process the information you provide for the purpose of processing the enquiry and for possible follow-up questions. This processing is based on our legitimate interest in being able to answer customer enquiries (Art. 6 1 lit. f DGVO).

For customer support, we use the CRM system "Zendesk", from the provider Zendesk, Inc. 989 Market Street #300, San Francisco, CA 94102, USA, in order to be able to process user enquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 (1) lit. f GDPR). We have concluded a processor contract with Zendesk in accordance with Art. 28 GDPR.

Zendesk stores your personal data exclusively on servers located in Germany and does not transfer them to third countries outside the EU. Zendesk only uses the data for the technical processing of the requests and in particular does not pass it on to third parties. To use Zendesk, you must at least provide a correct email address. A pseudonymous use is possible. However, in the course of processing contact requests, it may be necessary to collect further data such as name and address.

For more information, please see Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

2.5 Storage Period

We will delete the data collected and stored in connection with the creation of your SQUAKE customer account at the latest when you delete your account. However, premature deletion of your personal data is not possible if and to the extent that your data is still required to process a purchase contract.

Irrespective of this, we store your data processed during the purchase of our products until the expiry of the statutory or possible contractual warranty rights. After expiry of this period, we retain the information on the contractual relationship required under commercial and tax law for the periods specified by law. For this period, the data will be processed again solely in the event of an audit by the tax authorities.

We retain email communications with you for 12 months, unless statutory retention periods apply. In this case, we keep the email communication for 6 or 10 years, depending on the legal regulation.

The law requires payment data to be stored for 10 years.

3. Website Hosting and Optimization

3.1 Hosting via Webflow

We host our website using Webflow. The service provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. When you visit our website, Webflow collects various log files including your IP address. Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are necessary for the display of the page, to provide certain website functions and to ensure security (necessary cookies). In this respect, the use of Webflow is based on Art. 6 para. 1 lit. f) DSGVO, as we have a legitimate interest in the most reliable presentation of our website.

We have concluded a contract with Webflow for commissioned data processing in accordance with Art. 28 DSGVO. Details can be found in the privacy policy of Web-flow at https://webflow.com/legal/eu-privacy-policy.

3.2 Cookies

On our website, we use cookies that are temporarily stored in the main memory ("session cookie") or permanently stored on the hard disk ("permanent cookie"). Cookies are small text files that are automatically created by the browser and stored on your end device (laptop, tablet, smartphone or similar) when you visit our website.

These files allow us to design the website more efficiently. Most of the cookies we use are session cookies, which are only stored in the RAM, but not on your hard drive, and which expire when you close your internet browser and are therefore automatically deleted. Session cookies enable us to recognise that you have already visited individual pages of our website or that you have already logged into your account. We automatically receive certain data, such as IP address, browser used, operating system about your computer and your connection to the internet.

Cookies cannot be used to launch programmes or transfer viruses to a computer. The information contained in cookies allows us to facilitate your navigation and enable the correct display of our website. Under no circumstances will the data we process be passed on to third parties or linked to other personal data without your consent. Of course, you can also view our website without cookies. Internet browsers are regularly set to automatically accept cookies. You can deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser to find out how to change these settings. Please note that some features of our website may not work if you have disabled the use of cookies. You can also control and/or delete cookies as you wish. You can find out how here: www.aboutcookies.org.

Since the activation of cookies is necessary for the proper functioning of our website, we have a legitimate interest in your use. The legal basis for the associated data processing is therefore Art. 6 (1) lit. f) GDPR.

If we use cookies for other purposes (e.g. for analysis or marketing purposes), we will inform you separately in this privacy policy.

Change cookie settings


3.3 Analysis- and Marketing Cookies

Google Analytics

Our website uses the analysis tool Google Analytics and Google Tag Manager. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland is the data protection controller for both services.

We use Google Analytics to collect aggregated, anonymised data. This data helps us understand how customers use our website and identify opportunities for improvement. In addition, the data performs important functions, such as detecting errors and fraudulent use, and provides operational data. We use this information to improve the quality, effectiveness and performance of our website so that you can get the most out of it. The Google Analytics script is used to assign values to the cookies required to collect this information. In order for this to work, Google Analytics sets cookies on your computer. Google is not authorised to access this data. Google Analytics anonymises your IP address to protect your data. It does not collect any other personal data that could be used to identify you. Google Analytics is only used with your consent (Art. 6 1 lit. a GDPR and § 25 1 TTDSG). You may revoke your consent at any time.

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. However, we would like to point out that in this case you may not be able to use all functions of the website to their full extent.

You can find Google's data guidelines at: http://www.google.com/privacy/.

Google Fonts

In order to make the font of our website available on your terminal device, we use the Google Fonts service. Google Fonts requires your IP address for this purpose. We use this service on the basis of a legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in order to offer you a better website experience. The IP address is transmitted to the tool operator so that the service can be provided correctly on your device. Google only stores this data temporarily and uses it exclusively for the correct display of the fonts on your device.

4. Marketing Communication and Newsletter

If you give us your express consent, we will send you information about our services and offers by e-mail. For this purpose, we process your name and email address. You may revoke your consent at any time.

You can send your objection to receiving product and advertising mails or revoke your consent to our newsletter by e-mail to: privacy@squake.earth or by post to:

SQUAKE.earth GmbH, c/o Lufthansa Innovation Hub
Rosenthaler Straße 32
10178 Berlin in Germany.

We use the email service provider SendGrid (Twilio Germany GmbH Rosenheimer Straße 143C, 81671 Munich in Germany) to send information about our services and offers. We have concluded a processor contract with SendGrid in accordance with Art. 28 GDPR. The legal basis for sending our information and using SendGrid is Art. 6 (1) lit. a) DSGVO. You can find more information in SendGrid's privacy policy at https://www.twilio.com/legal/privacy.

5. Transfer of Personal Data to Third Parties

Data will only be transferred to third parties if there is an explicit legal basis for this or if you have consented to the transfer.

In addition to the service providers mentioned above under clauses 3-5, we have involved processors for the following processing activities in accordance with Art. 28 GDPR:

- Email services as part of automated confirmation management,

- HR management services for application requests

These service providers process your personal data on our behalf, in accordance with our instructions and under our supervision, solely for the purposes set out in this privacy policy.

6. Data Transfer to Third Countries

In the course of our business relationships, your personal data may be passed on or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. This concerns the use of the following services:

- Google: Google Analytics and Google Tag Manager are services of companies of the Google LLC group, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

- Webflow: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA

In the context of the transfer of personal data to a third country, we will regularly ensure through appropriate safeguards, for example by concluding the European Commission's standard contractual clauses, that a transfer of data to a third country only takes place on the basis of a level of protection that complies with the GDPR.

Insofar as data is transferred to a third country, in particular the USA, for which there is no Commission adequacy decision, this is done on the basis of standard contractual clauses pursuant to Art. 46 (2) c) of the GDPR in conjunction with appropriate technical and organisational measures to protect your data.

A copy of the standard contractual clauses or further information on the standard contractual clauses used can be downloaded from the respective websites of the service providers we use:

- Google: https://privacy.google.com/businesses/processorterms/mccs/  


7. Data Security

All personal data transmitted by you is transferred using the secure and proven SSL (Secure Socket Layer) standard, which is also used for online banking, for example. We also use appropriate technical and organisational security measures to protect stored personal data against manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data of traffic coming from the GDPR zone is stored exclusively on servers hosted in the EU that are certified in accordance with DIN ISO/IEC 27001 (as amended).

8. Your Rights

In relation to our processing of your personal data, you have the following rights free of charge:

8.1 Right to Information pursuant to Art. 15 GDPR

You have the right to request information from us at any time about the data we hold about you, as well as its origin, recipients or categories of recipients to whom this data is disclosed, and the nature and purpose of the processing. In addition, we can provide you with a copy of this data.

8.2 Right of Withdrawal according to Art. 7 GDPR

If you have given your consent to the use of data, you can revoke this at any time without giving reasons with effect for the future.

8.3 Right of Rectification pursuant to Art. 16 GDPR

If your data stored with us is incorrect or incomplete, you can correct or complete it at any time in your customer account or have it corrected or completed by us. If required by law, we will also inform third parties about this correction if we have passed on your personal data to them.

8.4 Right of Deletion and Blocking according to Art. 17 GDPR

Under certain circumstances, you have the right to block or delete your personal data stored by us if one of the following cases applies:

- your data is no longer necessary for the purposes for which it was collected or otherwise processed or the purpose has been achieved;
 
- you revoke your consent and there is no other legal basis for the processing;
 
- you object to the processing and there are no overriding legitimate grounds for processing; in the case of the use of personal data for direct marketing, a mere objection by you to the processing is sufficient;

- your personal data have been processed unlawfully;
 
- the deletion of your personal data is necessary for compliance with a legal obligation under European Union law or the law of a Member State to which we are subject.

The deletion or blocking of your personal data will take place as soon as we have checked the conditions for the legitimacy of your request. If legal, contractual or tax law or company law retention obligations or other legally anchored reasons contradict the deletion, only the blocking of your data can be carried out instead of the deletion. After the deletion of your data, it is no longer possible to provide information.

8.5 Data Transfer Right according to Art. 20 GDPR

You may receive the data we process relating to you, if we have received it from you ourselves, in a machine-readable format determined by us or instruct us to transfer this data directly to a third party chosen by you, provided that this recipient enables us to do so from a technical point of view and that the transfer of the data is not prevented by unreasonable effort or by legal or other obligations of secrecy or confidentiality considerations on our part or on the part of third parties.

8.6 Right of Objection according to Art. 21 GDPR

You have the right to object to the processing of your data at any time on grounds relating to your particular situation, if we base this processing on legitimate interests pursuant to Article 6(1)(f) of the GDPR. If you object, we will no longer process your personal data, except in two cases:

- we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or

- the processing serves the assertion, exercise or defence of legal claims.

In particular, if we process your personal data for direct marketing, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.

8.7 Right to Restriction of Processing pursuant to Art. 18 GDPR

You have the right to request that we restrict the processing of your personal data for one of the following reasons:

- you dispute the accuracy of your personal data for a period of time that allows us to verify the accuracy of the personal data;

- the processing is unlawful and you refuse to erase the personal data and instead request the restriction of the use of your personal data;

- we no longer need your personal data for the purposes of processing; however, you need them to assert, exercise or defend legal claims, or

- you have objected to the processing as long as it has not yet been determined whether our legitimate grounds outweigh yours.

If you have obtained a restriction on processing under the above list, we will inform you before the restriction is lifted.

8.8 Contact for the Assertion of Data Subject Rights

To exercise your data protection rights, you can contact us by e-mail at: privacy@squake.earth or in writing at: SQUAKE.earth GmbH, c/o Lufthansa Innovation Hub, Rosenthaler Straße 32, 10178 Berlin. For all your requests, we ask you to always provide proof of your identity, for example by sending an electronic copy of your ID.

8.9 Right of Appeal to the Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority against the processing of your personal data if you feel that your rights under the GDPR have been violated. The competent supervisory authority for us is the:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstraße 219
10969 Berlin
Phone: 030 13889-0
Fax: 030 2155050
E-mail: mailbox@datenschutz-berlin.de

9. Changes to the Privacy Policy

We reserve the right to amend this data protection declaration from time to time so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. We recommend that you regularly check the data protection declaration for possible changes. Insofar as your prior consent is required for a change to our services or for the introduction of a new service, we will inform you accordingly in good time and ask for your consent.

Status: July 2022