Privacy Policy for “Tendoo”

Contents

  1. Name and contact details of the responsible entity
  2. Our Data Protection Officer
  3. Collection and storage of personal data; type, purpose, and use
    1. Registration
    2. Use of the Tendoo platform
    3. Legal basis for processing
    4. Recipients of your data
    5. Duration of storage
  4. Email notifications
  5. Analytics tools
  6. Cookies
  7. Transfer of data to third parties
  8. Your rights as a data subject
  9. Your right to object

  1. Name and contact details of the responsible entity

    The controller within the meaning of data protection law is:

    GEALAN Fenster-Systeme GmbH

    Hofer Straße 80

    95145 Oberkotzau

    Germany

    Phone: +49 - 92 86 / 77-0

    Fax: +49 - 92 86 / 77-22 22

    Email: info@gealan.de

    Represented by the Managing Directors: Ivica Maurović, Tino Albert

  2. Our Data Protection Officer

    We have appointed a Data Protection Officer in our company. You can contact her as follows:

    Lena Müller

    Email: datenschutz(at)gealan.de

  3. Collection and storage of personal data; type, purpose, and use

    1. Registration

      1. Categories and types of personal data

        We process the data you have provided to us in connection with your registration for the use of the Tendoo tendering platform.

        This data includes:

        -

        Basic data: Salutation, first name, last name

        -

        Contact and communication data: Email, phone number

        -

        Company data: Industry, company name, address

        -

        Offering person: Selection of whether window dealer or window manufacturer

        -

        Tendering person: Selection of whether planning office, architectural firm, general contractor, housing company (other options)

        -

        Password

      2. Purpose and legal basis of processing

        The processing of your data is necessary for the creation and management of a user account to use the Tendoo tendering platform and to enable the functionalities of the platform. The legal basis is Art. 6 para. 1 lit. b GDPR (performance of a contract or steps prior to entering into a contract).

      3. Recipients of your data

        Your registration data will be forwarded to the responsible departments for software support for review and activation. Likewise, the Structural Engineering Department has access to tenders and construction projects and can see which interested parties exist for a project and whether they have submitted an offer. If needed, the Structural Engineering Department can provide support here.

        Within the company, only those individuals who need access to your data for the proper execution of the registration process and support procedures generally have access.

        The Tendoo tender platform was developed by Mindmatters GmbH and is hosted by our parent company, VEKA AG. Both companies act as service providers for us and may, in connection with the maintenance and servicing of the systems, gain knowledge of your personal data. We have concluded a so-called data processing agreement with Mindmatters GmbH, VEKA AG, and Digital Building Solutions GmbH, ensuring that data processing is carried out in a permissible manner.

      4. Duration of storage

        We store your data as long as you use the software. After termination, tax-relevant data is retained for 10 years to comply with statutory retention periods. Data not subject to retention requirements is stored for up to 6 months after termination, to potentially fulfill warranty claims.

    2. Email Notifications

      During the use of our platform, we only send system-relevant email notifications. These messages inform you about important activities related to your user account, such as the publication or status change of construction projects, as well as expressing or withdrawing interest. These notifications are necessary to ensure platform functionality and smooth usage. Therefore, unsubscribing from these emails is currently not possible. We do not send newsletters or promotional content without your explicit consent.

    3. Analytics Tools

      Google Analytics

      The Tendoo tender platform uses features of the web analytics service Google Analytics. Provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

      Google Analytics allows the operator to analyze the behavior of platform visitors. The operator receives various usage data such as page views, dwell time, operating systems used, and user origin. This data is compiled into a user ID and assigned to the respective visitor device.

      Furthermore, we can record your mouse movements, scrolling, and clicks with Google Analytics. Google Analytics also uses various modeling approaches to complement collected datasets and employs machine learning technologies for data analysis.

      Google Analytics uses technologies that allow user recognition for the purpose of behavior analysis (e.g., cookies or device fingerprinting). The information collected about the use of the Tendoo tender platform is first transmitted to our servers via server-side tracking. This allows us to truncate, anonymize, or encrypt the data before transferring it to a Google server in the USA.

      Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time. Data transfer to the USA relies on the EU Commission's Standard Contractual Clauses. Details can be found here: Google Ads Controller-Controller Data Protection Terms: EU Standard Contractual Clauses (Module 1: Controller-to-Controller)

      IP Anonymization

      We have activated IP anonymization on this platform. This ensures that your IP address is truncated by Google within EU member states or other countries of the European Economic Area before transmission to the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Google will use this information on behalf of the platform operator to evaluate platform usage, compile activity reports, and provide other services related to website and internet usage. The IP address transmitted via Google Analytics is not merged with other Google data.

      Google Tag Manager

      We use Google Tag Manager. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that allows us to integrate tracking, analytics, and other technologies on our website. It does not create user profiles, store cookies, or perform independent analyses. It is used only to manage and deliver integrated tools. Google Tag Manager may collect your IP address, which could be transferred to Google's parent company in the USA. Use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The operator has a legitimate interest in quickly and easily integrating and managing various tools on its website. If consent is obtained, processing occurs exclusively based on Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

      Google Ads

      The platform operator uses Google Ads. Google Ads is an online advertising program by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads allows us to display ads in the Google search engine or on third-party websites when users enter specific search terms (keyword targeting). Additionally, targeted ads can be shown based on Google user data (e.g., location and interests) (audience targeting). As a platform operator, we can quantitatively analyze these data, for example, by seeing which search terms led to the display of our ads and how many ads resulted in clicks. Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time. Data transfer to the USA relies on the EU Commission's Standard Contractual Clauses. Details here: policies.google.com/privacy/frameworks and privacy.google.com/businesses/controllerterms/mccs/.

      Google Ads Remarketing

      This platform uses Google Ads Remarketing features. Provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads Remarketing allows us to assign users interacting with our online services to specific target groups to then display interest-based ads in the Google advertising network (remarketing/retargeting). Furthermore, these ad target groups can be linked across devices using Google’s cross-device functionality, showing personalized ads tailored to a user’s previous behavior on one device on other devices (e.g., tablet, PC). If you have a Google account, you can opt out of personalized advertising here: https://www.google.com/settings/ads/onweb/. Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time. More information can be found in Google’s privacy policy: https://policies.google.com/technologies/ads?hl=de.

      Audience formation using customer matching

      To create target audiences, we use Google Ads Remarketing customer matching. Specific customer data (e.g., email addresses) from our customer lists are shared with Google. If these customers are Google users and logged into their Google account, they will see relevant advertising within the Google network (e.g., YouTube, Gmail, search engine).

      Google Conversion Tracking

      This platform uses Google Conversion Tracking. Provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Conversion Tracking allows Google and us to determine whether users have completed specific actions. For example, we can analyze which buttons are clicked most often and which products are viewed or purchased frequently. This information is used to create conversion statistics. We receive only aggregate user data and no personally identifiable information. Google uses cookies or similar recognition technologies. Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time. More information can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=de.

      Sentry

      This platform uses Sentry by Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA for monitoring applications and analyzing errors. Sentry makes it possible to detect technical issues, analyze their causes, and improve the stability of applications. As part of the use of Sentry, personal data such as IP address, device and browser information, username, time of occurrence, and technical details about errors may be processed and transferred to the USA. Processing is carried out on the basis of legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the stability and security of the systems.

      Sentry is certified under the EU-U.S. Data Privacy Framework. Insofar as a transfer is not covered by the Data Privacy Framework, it is carried out on the basis of the standard contractual clauses of the European Commission in order to ensure an adequate level of data protection. Further information on data processing by Sentry can be found in Sentry’s privacy policy at: https://sentry.io/privacy/

    4. Cookies

      Our tender platform uses so-called "cookies." Cookies are small text files and do not harm your device. They are stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit. Persistent cookies remain on your device until you delete them or a browser-based automatic deletion occurs.

      Cookies serve various purposes. Many cookies are technically necessary for certain website functions. Others are used to analyze user behavior or display advertising. Technically necessary cookies are stored based on Art. 6(1)(f) GDPR, in accordance with § 25 TDDDG, unless another legal basis applies. The operator has a legitimate interest in storing cookies to provide services efficiently. If consent is requested, cookies are stored based exclusively on this consent (Art. 6(1)(a) GDPR). Consent can be revoked at any time.

      You can configure your browser to be informed about cookie placement, allow cookies only in individual cases, block them entirely, or automatically delete cookies when closing the browser. Disabling cookies may restrict the website’s functionality. If cookies are used for analysis purposes, we will inform you separately and request consent if necessary.

      Consent collection via CookieBot

      Our platform uses Cookiebot to collect your consent for storing certain cookies or using certain technologies and to document this in compliance with data protection regulations. Provider is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark ("Cookiebot").

      When you enter our platform, a connection is established to Cookiebot servers to obtain your consent and other statements regarding cookie use. Cookiebot then stores a cookie in your browser to link granted consents or revocations. This cookie is technically necessary for compliance with consent collection requirements and is exempt from consent under § 25 TDDDG. Data is stored until you request deletion, delete the Cookiebot cookie, or the purpose expires. Mandatory legal retention periods remain unaffected. Cookiebot ensures legally required consent for cookie usage. Legal basis: Art. 6(1)(c) GDPR.

      Data processing agreement

      We have a data processing agreement (DPA) with the above provider. This legally required agreement ensures that the provider processes personal data of our website visitors only according to our instructions and in compliance with GDPR.

      Changing cookie settings afterwards

      You can adjust your cookie settings or revoke consent at any time. Click the following link to reopen the cookie settings banner: https://tendoo.app/cookie-declaration.

      Via this link, you can select which types of cookies you want to allow or revoke previously given consent. Alternatively, consent can be revoked by deleting cookies in your browser.

    5. Transfer of data to third parties

      Your personal data is only transmitted or disclosed to external parties to the extent required by law, necessary to fulfill a pre-contractual relationship, or if the company or an external party has a legitimate interest in the above sense, and the transfer is permissible under data protection regulations.

    6. Your rights as a data subject

      As a data subject, you have the following rights:

      - Right of withdrawal:

      You can revoke any consent you have given to us at any time. Data processing based on the revoked consent may no longer continue in the future.

      - Right to access:

      You can request information about your personal data processed by us, including purposes of processing, categories of personal data, recipients (if applicable), storage duration, source of data (if applicable), and information about automated decision-making including profiling (if applicable) with meaningful details.

      - Right to rectification:

      You can request correction of inaccurate or completion of incomplete personal data stored by us.

      - Right to erasure:

      You can request deletion of your personal data stored by us unless processing is necessary for exercising the right to freedom of expression and information, legal obligations, public interest, or for asserting, exercising, or defending legal claims.

      - Right to restriction of processing:

      You can request restriction of processing of your personal data if the accuracy of the data is disputed, or processing is unlawful but you oppose deletion. This right also applies if we no longer need the data, but you require it to assert, exercise, or defend legal claims, or if you object to processing.

      - Right to complain (supervisory authority):

      You can exercise the above rights and also contact the competent supervisory authority for data protection.

      Data protection supervisory authority

      Our responsible data protection authority is:

      Bavarian State Office for Data Protection Supervision (BayLDA)

      Promenade 18, 91522 Ansbach

      Phone: +49 (0) 981 180093-0

      Email: poststelle@lda.bayern.de

      However, you may also contact any other data protection authority.

    7. Your right to object

      If we process your personal data based on consent or legitimate interest, you have the right to object to this processing. The controller will then no longer process your personal data unless compelling legitimate grounds for processing override your interests, rights, and freedoms, or the processing is for asserting, exercising, or defending legal claims (Art. 21 GDPR). To exercise your right to object, a written notification is sufficient. You may contact us via email or letter. Our contact information is provided in section 1 of this privacy notice.