Privacy Notice
1. General Information
1.1. Data Controller
The controller is Lunelink GmbH, Georgsplatz 1, 20099 Hamburg, Germany, [email protected].
1.2. Legal Bases for the Processing of Personal Data
We process the personal data of an individual ("data subject") on the basis of the following legal bases:
1.2.1. Data Subject's Consent
Where we obtain the data subject’s consent for a specific purpose, Article 6(1)(a) GDPR is the legal basis.
1.2.2. Fulfillment of Contractual Obligations
Insofar as processing is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR is the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
1.2.3. Legal Requirements and Obligations
To the extent that processing is necessary to comply with a legal obligation to which we are subject, Article 6(1)(c) GDPR is the legal basis.
1.2.4. Legitimate interests
Insofar as processing is necessary to safeguard our legitimate interests or those of a third party and the interests, fundamental rights, and freedoms of the data subject do not override the former, Article 6(1)(f) GDPR is the legal basis.
1.3. Retention Period and Deletion of Personal Data
Personal data will be deleted or blocked as soon as there is no longer a legal basis for processing.
1.4. Recipients of personal data
Internally, personal data is processed only by those units that require it to fulfill their processing purposes. This also applies to the processors, service providers, and vicarious agents we engage. All units and individuals who work with personal data are bound by data confidentiality and have been instructed to handle such data with care.
Personal data will only be disclosed to third parties if this is in accordance with data protection regulations. In particular, parties engaged to carry out our business operations (e.g., banks, tax advisors, service providers for data processing and IT services) as well as government authorities/agencies may receive your personal data insofar as this is necessary to fulfill a legal obligation.
1.5. Data Processing in Third Countries
In some cases, our services require the processing of personal data in countries outside the EU/EEA ("third countries") by our processors. Where personal data are processed in a country that does not provide a level of data protection equivalent to the European standard, as confirmed by an adequacy decision of the European Commission pursuant to Art. 45(3) GDPR, we have entered into the EU Standard Contractual Clauses with the relevant processors to ensure appropriate safeguards in accordance with Art. 46 GDPR. You can find a copy of the EU Standard Contractual Clauses at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914&from=DE.
1.6. Data Subject Rights
The data subject has the following rights under the GDPR in relation to us as the controller:
1.6.1. Right of access
Under Article 15 of the GDPR, data subjects have the right to obtain information about the personal data we process. In particular, the data subject may request the following information:
• Purposes of Processing,
• Data Categories,
• Categories of recipients to whom the personal data have been or will be disclosed, as well as information on whether the personal data are transferred to a third country or to an international organization (in this context, the data subject may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR).
• Planned retention period,
• Existence of a right to rectification, erasure, restriction of processing, or objection,
• Existence of a right to lodge a complaint,
• The source of your data, if it was not collected by us,
• The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
1.6.2. Right to Rectification
Under Article 16 GDPR, you have the right to rectification and/or completion of your personal data if it is inaccurate or incomplete.
1.6.3. Right to Restrict Processing
Under Article 18 of the GDPR, there is a right to request the restriction of the processing of personal data where the accuracy of the personal data is contested by the data subject or the processing is unlawful.
If the processing has been restricted, we will notify the data subject before the restriction is lifted.
1.6.4. Right to Erasure
Under Article 17 GDPR, there is a right to the erasure of personal data unless processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
1.6.5. Right to Be Informed
If the data subject has exercised their right to rectification, erasure of personal data, or restriction of processing with us, we are required to inform all recipients to whom the personal data have been disclosed of the rectification, erasure of personal data, or restriction of processing, unless this proves impossible or would involve disproportionate effort.
1.6.6. Right to Data Portability
In accordance with Article 20 of the GDPR, data subjects have the right to receive the personal data they have provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller.
1.6.7. Right to Object
Under Article 21 GDPR, you have the right to object to processing where the processing is based on Article 6(1)(e) or (f) GDPR.
1.6.8. Right to Withdraw Consent to Data Processing
According to Article 7(3) GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
1.6.9. Right to Lodge a Complaint with a Supervisory Authority
Under Article 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
2. Additional information for the website
We are responsible for our website lunelink.app and its subpages (the “Website”). When you use our Website, personal data is processed.
2.1. Provision of the Website and Creation of Log Files
When you visit our website, we automatically collect data and information from your device (so-called log files). This includes, in particular:
• IP address
• Date/Time
• Browser type
• Internet service provider
• Device operating system
2.1.1. Data Processor
To provide our website, we use the services of Google Cloud EMEA Ltd., with whom we have entered into a data processing agreement.
2.1.2. Processed Information & Duration of Processing
The log files specifically store information about the browser type and version used, the device’s operating system, the user’s internet service provider, the device’s IP address, and the date and time of access to the website.
The log files will be deleted within 30 days.
2.1.3. Purpose of Processing & Legal Basis
The data is needed to display the website on the user's device, ensure the website's proper functioning, and analyze any disruptions. It also helps us optimize the website and ensure the security of our IT systems.
The legal basis is Article 6(1)(f) GDPR. The collection of log files is strictly necessary for operating the website. Accordingly, the user has no right to object.
2.2. Use of Strictly Necessary Cookies
We use strictly necessary cookies on our website to make our website available. Cookies are text files that are stored in or by the web browser on the user's device when they visit a website.
Each cookie contains a unique string of characters that enables the browser, and thus the user’s device, to be uniquely identified on the next visit to the website. Details about the cookies can be found in the Consent Manager under the "Cookies" link in the footer of this website.
The legal basis for storing the strictly necessary cookies is Section 25(2) no. 2 TDDDG. The legal basis for processing the associated personal data is Article 6(1)(f) GDPR. The use of these cookies is strictly necessary for the operation of the website. The user therefore has no option to object.
2.3. Marketing
We use marketing tools on our website that use so-called pixels ("Meta Pixel").
2.3.1. Joint Controllership & Third-Country Processing
The Meta Pixel we use is provided by Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (“Meta”), a subsidiary of Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, which acts as a joint controller with us. Key information about the joint controller arrangement between Meta and us can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data
It is possible that Meta processes personal data at Meta Platforms, Inc. in the United States. In this case, processing is carried out on the basis of an adequacy decision by the European Commission in conjunction with Meta Platforms, Inc.'s certification under the Data Privacy Framework (Art. 45 GDPR).
2.3.2. Processed Information & Duration of Processing
If you consent to the use of the Meta Pixel, data transmitted to Meta includes:
• Requested pages or URLs
• Achievement of website goals (e.g., contact inquiries, newsletter sign-ups)
• Internet Connection Data (IP Address, Date/Time)
• Technical information such as browser, device, and screen resolution
• Randomly generated user ID
• Randomly generated ad click ID if you came to our website via an advertisement
2.3.3. Purpose & Legal Basis
The use of the Meta Pixel enables us to measure the success of Facebook advertising campaigns, retarget visitors to our website with ads on Facebook and Instagram, and personalize ads based on previous page visits.
Processing is based on the user's consent, which can be granted on the first visit to the website and can be revoked at any time. The consent covers, on the one hand, the storing of and access to information on the user's terminal device pursuant to Section 25(1) TDDDG and, on the other hand, the processing of the resulting personal data for marketing purposes pursuant to Article 6(1)(a) GDPR. Further information about the Meta Pixel and the option to withdraw consent can be found in the Consent Manager under the "Cookies" link in the footer of this website.
3. Additional Information on Platform Use
We operate a cloud-based, AI-powered marketing platform (“Platform”) through which our customers (companies, agencies, freelancers—collectively, “Users”) can, in particular, connect ad accounts from various third-party platforms (e.g., Meta, Google, TikTok, LinkedIn, Pinterest), create ad creatives, manage campaigns, conduct community and review management, and access performance analyses and AI-powered optimization recommendations. While the provision of content is the respective User’s own responsibility, we also process personal data under our own responsibility. The following refers to these latter processing activities:
3.1. User Account Registration, Verification, and Login
3.1.1. Processed Information & Duration of Processing
As part of registration, verification of user accounts, and subsequent sign-in, the following personal data may be processed by us, to the extent you provide it to us:
• First name
• Last name
• Company / Organization
• Function / Role in the Company
• Email address
• Phone number (optional)
• Login data (e.g., username, hashed password)
Personal data will be deleted when the user agreement ends due to termination, the user deletes their account with us, and to the extent that no further statutory retention periods apply to the data.
We generally process additional personal data stored by the user in their account (e.g., additional profile information, team assignments, settings, and preferences) on the user’s behalf to provide the relevant platform features.
3.1.2. Purpose & Legal Basis
The processing of personal data is carried out to fulfill our contractual obligations on the basis of the service agreement concluded with the respective customer (Art. 6(1)(b) GDPR). Where, for this purpose, personal data of the customer’s employees are processed, the processing is based on our overriding legitimate interest pursuant to Art. 6(1)(f) GDPR, as such data are necessary to provide our services to the customer.
3.2. Use of the platform and processing of marketing and communications data
3.2.1. Processed Information & Duration of Processing
When using the platform, depending on the modules booked and the specific use, the following categories of personal data may, in particular, be processed:
• Basic and contact data of users (e.g., names, contact details),
• personal data arising from the connected ad accounts and third-party platforms (e.g., pseudonymous usage and conversion data, event data, IDs),
• Personal data of customers, prospective customers, or other communication partners of the user that are processed as part of community management, responding to messages and comments, and review management (e.g., names, profile information, communication content, review content),
• Personal data processed as part of AI-based analyses and optimization recommendations, to the extent that they relate to identifiable natural persons,
• Log data, usage data, and metadata regarding use of the platform (e.g., logins, actions within the platform, technical logs), to the extent they constitute personal data.
The specific retention period depends on the respective function (e.g., duration of a campaign, deletion of reviews, statutory retention periods). As a rule, data is deleted as soon as it is no longer necessary to achieve the purposes and no statutory retention obligations prevent deletion.
3.2.2. Purpose & Legal Basis
The processing of the aforementioned data is for the purpose of providing the functions of the Lunelink platform, in particular to manage advertising accounts, create and deliver ad creatives, run campaigns, conduct community and review management, provide dashboards and analytics, and offer AI-powered optimization suggestions.
The legal basis is the performance of our contractual obligations to the respective customer (Article 6(1)(b) GDPR). Insofar as personal data of employees or other users designated by the customer are processed for these purposes, the processing is based on our overriding legitimate interests pursuant to Article 6(1)(f) GDPR in providing and improving our platform and in efficient collaboration with our customers.
4. Additional notes for communicating with us
The following information applies to all communication with us.
When contacting us, the personal data of the requester that they provide directly or that are communicated to us via the respective communication channel are processed by us exclusively for the purpose of handling the inquiry and, where applicable, for follow-up questions. If the communication is aimed at concluding a contract, the legal basis for the processing is Article 6(1)(b) GDPR. In all other cases, the legal basis is Article 6(1)(f) GDPR. The requester’s interest does not outweigh our interest in responding to the inquiry; since the requester has contacted us, a response is also in their interest, and the requester is aware that we must process their personal data in order to answer the inquiry.
Personal data will be deleted once the inquiry has been resolved and there is no longer any legal basis for processing.
Where communication takes place via WhatsApp, please note that the interface (API) we use is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (“WhatsApp”), and that the communication transmitted through it is provided by WhatsApp in its capacity as a telecommunications service provider. For information on data protection at WhatsApp, please refer to its privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea
5. Additional Notes for Contractual Partners
Additionally, the following information applies if a contractual relationship exists.
Which specific personal data are processed depends on the tasks within the contractual relationship. We use personal data solely for the purpose for which they were provided to us. These include, for example, personal details (name, address and other contact details, date and place of birth). They may also include order data (e.g., payment instructions), data from the fulfillment of our contractual obligations (e.g., transaction data in payment processing), information about your financial situation (e.g., creditworthiness data), marketing and sales data, and other data comparable to the categories mentioned.
Personal data will be deleted as soon as the contractual relationship has ended, provided there is no other reason for processing.
Processing is carried out primarily for the purpose of entering into and performing the contractual relationship; the legal basis is Article 6(1)(b) GDPR.
We also process personal data in some cases on the basis of our legitimate interests, namely for the purposes of contact and communications management, efficiency audits, contract and project management, and to ensure the operation of information and telecommunications systems. The legal basis is Article 6(1) sentence 1 point (f) GDPR.
In addition, as a company, we are bound by various legal obligations that we must comply with under applicable laws and regulations. The legal basis for processing to fulfill statutory requirements and obligations is Art. 6(1)(c) GDPR. These include, in particular, statutory retention obligations under tax law.