Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (ALLPLAN Share, ALLPLAN Exchange, ALLPLAN Connect, ALLPLAN Campus, ALLPLAN Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1. Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3. Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics 4

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of ALLPLAN, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

8. Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

9. Social bookmarks

- LinkedIn (operator: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA)

- Instagram (Operator: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland)

-YouTube (operator: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043)

Social bookmarks are Internet bookmarks with which the users of such a service can collect links and news items. These are only integrated on our website as links to the corresponding services. After clicking on the embedded graphic, you will be redirected to the page of the respective provider, i.e. only then will user information be transmitted to the respective provider. For information on the handling of your personal data when using these websites, please refer to the respective privacy policies of the providers.

10. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

11. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

12. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

13. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

14. Your rights

You have the following rights with respect to us regarding personal data concerning you:

14.1. Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at ALLPLAN GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

14.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

14.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

15. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

16. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of 23.01.2024

Allplan Shop | Data protection

Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (ALLPLAN Share, ALLPLAN Exchange, ALLPLAN Connect, ALLPLAN Campus, ALLPLAN Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1. Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3. Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics 4

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of ALLPLAN, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

8. Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

9. Social bookmarks

- LinkedIn (operator: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA)

- Instagram (Operator: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland)

-YouTube (operator: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043)

Social bookmarks are Internet bookmarks with which the users of such a service can collect links and news items. These are only integrated on our website as links to the corresponding services. After clicking on the embedded graphic, you will be redirected to the page of the respective provider, i.e. only then will user information be transmitted to the respective provider. For information on the handling of your personal data when using these websites, please refer to the respective privacy policies of the providers.

10. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

11. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

12. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

13. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

14. Your rights

You have the following rights with respect to us regarding personal data concerning you:

14.1. Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at ALLPLAN GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

14.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

14.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

15. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

16. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of 23.01.2024

Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (ALLPLAN Share, ALLPLAN Exchange, ALLPLAN Connect, ALLPLAN Campus, ALLPLAN Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1. Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3. Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics 4

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of ALLPLAN, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

8. Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

9. Social bookmarks

- LinkedIn (operator: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA)

- Instagram (Operator: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland)

-YouTube (operator: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043)

Social bookmarks are Internet bookmarks with which the users of such a service can collect links and news items. These are only integrated on our website as links to the corresponding services. After clicking on the embedded graphic, you will be redirected to the page of the respective provider, i.e. only then will user information be transmitted to the respective provider. For information on the handling of your personal data when using these websites, please refer to the respective privacy policies of the providers.

10. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

11. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

12. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

13. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

14. Your rights

You have the following rights with respect to us regarding personal data concerning you:

14.1. Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at ALLPLAN GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

14.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

14.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

15. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

16. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of 23.01.2024