Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (Allplan Share, Allplan Exchange, Allplan Connect, Allplan Campus, Allplan Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1 Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3 Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics (Universal Analytics)

This website uses Google Analytics, a web analysis service of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The use includes running Universal Analytics. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thereby analyze a user's activities across devices.

Google Analytics uses cookies that enable an analysis of your use of the website. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there. However, thanks to the selected de-identification on this website, your IP address will be shortened by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Article 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google. On behalf of the operator of this website, Google will use such information for analyzing your use of the website, for compiling reports about the website activities and for rendering additional services that are related to the website use and internet use toward the website operator.

The data sent by us and linked to cookies or user IDs (e.g. user ID) are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.3 Google Analytics

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of Allplan, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.4 Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

7.4 ADVERTISING

We use cookies for marketing purposes to target our users with advertising tailored to their interests. In addition, we use cookies to limit the likelihood of an ad being shown and to measure the effectiveness of our advertising efforts. This information may also be shared with third parties, such as ad networks. The legal basis for this is Art. 6 (1) s. 1 lit. a GDPR.

7.4.1 GOOGLE ADS, REMARKETING AND CONVERSION TRACKING

We use the service Google Ads. Google Ads is an online advertising program of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

This means we run Google Ads and also use Google remarketing and conversion tracking as part of this. The ads are displayed after search queries on web pages of the Google advertising network. In addition, we use ads remarketing lists for search ads. This allows us to customize search ad campaigns for users who have visited our website before. These services help us to combine our ads with certain search terms or to display ads for previous visitors, for example, advertising services that the visitors have viewed on our website. As a result, we can display interest-based advertising to users of our website on other websites within the Google advertising network (as a “Google Ad” within “Google Search” or on other websites).

For interest-based offers, we need to analyze online user behavior. Google uses cookies to perform this analysis. When clicking on an ad or visiting our website, Google sets a cookie on the user's computer. These cookies last for 90 days. The information collected by the respective cookie is used to target the visitor in a subsequent search query. For further information on the cookie technology used, please also see Google's notes on website statistics and the privacy policy. With the help of this technology, Google and we as a customer receive information that a user has clicked on an ad and been redirected to our websites. We only use the information obtained this way to analyze statistics and optimize advertisements We do not receive information that personally identifies visitors. Your IP address will be transmitted to Google, but since we use Google Analytics IP masking on this website, your IP address will be anonymized.

Log data is anonymized after 9 months, and cookie information is anonymized after 18 months.

The statistics provided to us by Google include the total number of users who clicked on one of our ads and, if applicable, whether they were redirected to a page on our website that was tagged with a conversion tag. Based on these statistics, we can track which search terms were clicked on our ad particularly often and which ads lead to users contacting us via the contact form.

You can find more information on data protection in the context of Google Ads at: https://policies.google.com/technologies/ads?hl=en-GB.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

You can also select the types of Google ads or disable interest-based ads on Google via the ads setting (https://adssettings.google.com/authenticated?hl=en-GB).

7.4.2 DoubleClick by Google

We use the online marketing tool DoubleClick by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA on our website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

DoubleClick uses cookies to display ads that are relevant to users, to improve campaign performance reports, or to prevent users from seeing the same ads more than once. Google uses a cookie ID to record which ads are displayed in which browser. This prevents the same ad from being displayed more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions with reference to ads. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase.

When you call up a page that uses DoubleClick and for which the DoubleClick script is permitted by explicit consent, your browser automatically establishes a direct connection with Google's server. We as the website operator have no influence on the scope and further use of the data collected by Google through the use of this tool. We inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and store your IP address.

Insofar as data is processed outside the EU/EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection, which in individual cases permit the transfer of personal data to a third country.

The legal basis for the described data processing is your consent, Art. 6 para. 1 p. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see above, section 5. Cookies). Alternatively, you can delete your cookies (all or only from this website). The banner with the selection options will then be displayed again.

For more information about DoubleClick by Google, please visit https://www.google.com/doubleclick and about Google's privacy policy in general: https://policies.google.com/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org.

7.4.3 FACEBOOK CUSTOM AUDIENCES / CONVERSION TRACKING PIXELS

In the context of usage-based online advertising, we use the Custom Audiences service of Facebook Inc. (1601 S. California Avenue, Palo Alto, CA 94304, USA). For us (as a company from the EU), the processor is also Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

In the context of usage-based online advertising via Custom Audiences, we define target groups of users in the Facebook Ads Manager based on certain characteristics; these groups will subsequently be shown ads within the Facebook network. Users are selected by Facebook based on the profile information they provide and other data provided through their use of Facebook. If a user clicks on an advertisement and subsequently arrives on our website, Facebook receives the information that the user has clicked on the advertising banner via the Facebook pixel embedded on our website.

Basically, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which is transmitted to Facebook for analysis and marketing purposes. Facebook will set a cookie in the process. This cookie collects information about your activities on our website (e.g. surfing behavior, subpages visited, etc.). Your IP address is also stored and used for the geographic targeting of advertising.

We do not use Facebook Custom Audiences via the customer list, nor do we use the “advanced matching” function.

For more information about the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your settings options for protecting your privacy, please refer to Facebook's privacy policy. You can change the settings for which ads are displayed to you on Facebook under this link and in the Facebook account settings.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Insofar as you consent to the data processing described, Facebook will of course also have access to your data. In particular, it is possible that Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA, in addition to Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland has access to your data. Facebook Inc. is located in an insecure third country where the level of data protection is lower.

Facebook has made available online a “Facebook European Data Transfer Addendum” since 31/08/2020, which is intended to incorporate the standard contractual clauses in cases where Facebook Ireland Limited processes data from the EU/ EEA as a processor and transfers it to Facebook Inc. as a sub-processor.

For more information about Facebook's Custom Audiences service, please visit: https://en-gb.facebook.com/business/help/1711863145774142.

You can disable the “Facebook Custom Audiences” function for logged-in users at https://www.facebook.com/settings/?tab=ads#_.

7.4.4 LINKEDIN ADS / CONVERSION TRACKING (PIXELS)

We use the LinkedIn conversion tracking service of LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA as part of the evaluation of our online advertising. The responsible entity for users in the EU/ EEA and Switzerland is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

For this purpose, we define target groups of users based on certain characteristics in LinkedIn Campaign Manager, who are subsequently shown ads within LinkedIn's network. Users are selected by LinkedIn based on the profile information they provide as well as other data provided when using LinkedIn. If a user clicks on an advertisement and subsequently arrives on our website, LinkedIn receives the information that the user has clicked on the advertising banner via the conversion tag embedded on our website.

This way, the LinkedIn tag enables the collection of the following data:

  • visited website, including the URL,
  • referrers
  • IP address
  • device and browser properties (User Agent)
  • and timestamp.

The IP addresses are shortened or (in the case of cross-device use) hashed by LinkedIn. The direct identifiers of the members are removed within 7 days for pseudonymization of the data. The remaining pseudonymous data is then deleted within 180 days.

LinkedIn does not share the personal data with us as the website operator but only provides us with reports and notifications (which do not identify the user) about website visits and ad performance. LinkedIn also offers so-called retargeting, which allows us, as a website operator, to show personalized ads outside of our website using this data without identifying individual members. Data that does not identify you is also used to improve ad relevance and reach LinkedIn members across devices. LinkedIn members can manage the use of their personal data for advertising purposes in their account settings. LinkedIn refers to the following link to customize advertising preferences: https://www.linkedin.com/psettings/advertising/actions-that-showed-interest.

We process this data to evaluate our advertising campaigns. The legal basis for processing is your consent in accordance with Art. 6 (1) lit. a GDPR. Without your consent via our consent tool, we do not process any data for LinkedIn conversion tracking. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above).

As part of LinkedIn conversion tracking, LinkedIn naturally has access to the listed data. In particular, it is possible that in addition to LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA may also have access to your data.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

For more information about the purpose and scope of the collected data and the further processing and use of the data by LinkedIn, as well as your settings options for protecting your privacy, please also refer to LinkedIn’s privacy policy.

For more information on LinkedIn Conversion Tracking, please visit: https://www.linkedin.com/help/lms/answer/a425606/set-up-linkedin-conversion-tracking?lang=en.

For more information on data processing and storage duration, please visit https://www.linkedin.com/help/linkedin/answer/a427660?lang=en.

8. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

9. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

10. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

11. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

12. Your rights

You have the following rights with respect to us regarding personal data concerning you:

12.1 Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at Allplan GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

12.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

12.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

13. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

14. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of June 1, 2023

Allplan Shop | Data protection

Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (Allplan Share, Allplan Exchange, Allplan Connect, Allplan Campus, Allplan Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1 Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3 Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics (Universal Analytics)

This website uses Google Analytics, a web analysis service of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The use includes running Universal Analytics. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thereby analyze a user's activities across devices.

Google Analytics uses cookies that enable an analysis of your use of the website. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there. However, thanks to the selected de-identification on this website, your IP address will be shortened by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Article 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google. On behalf of the operator of this website, Google will use such information for analyzing your use of the website, for compiling reports about the website activities and for rendering additional services that are related to the website use and internet use toward the website operator.

The data sent by us and linked to cookies or user IDs (e.g. user ID) are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.3 Google Analytics

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of Allplan, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.4 Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

7.4 ADVERTISING

We use cookies for marketing purposes to target our users with advertising tailored to their interests. In addition, we use cookies to limit the likelihood of an ad being shown and to measure the effectiveness of our advertising efforts. This information may also be shared with third parties, such as ad networks. The legal basis for this is Art. 6 (1) s. 1 lit. a GDPR.

7.4.1 GOOGLE ADS, REMARKETING AND CONVERSION TRACKING

We use the service Google Ads. Google Ads is an online advertising program of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

This means we run Google Ads and also use Google remarketing and conversion tracking as part of this. The ads are displayed after search queries on web pages of the Google advertising network. In addition, we use ads remarketing lists for search ads. This allows us to customize search ad campaigns for users who have visited our website before. These services help us to combine our ads with certain search terms or to display ads for previous visitors, for example, advertising services that the visitors have viewed on our website. As a result, we can display interest-based advertising to users of our website on other websites within the Google advertising network (as a “Google Ad” within “Google Search” or on other websites).

For interest-based offers, we need to analyze online user behavior. Google uses cookies to perform this analysis. When clicking on an ad or visiting our website, Google sets a cookie on the user's computer. These cookies last for 90 days. The information collected by the respective cookie is used to target the visitor in a subsequent search query. For further information on the cookie technology used, please also see Google's notes on website statistics and the privacy policy. With the help of this technology, Google and we as a customer receive information that a user has clicked on an ad and been redirected to our websites. We only use the information obtained this way to analyze statistics and optimize advertisements We do not receive information that personally identifies visitors. Your IP address will be transmitted to Google, but since we use Google Analytics IP masking on this website, your IP address will be anonymized.

Log data is anonymized after 9 months, and cookie information is anonymized after 18 months.

The statistics provided to us by Google include the total number of users who clicked on one of our ads and, if applicable, whether they were redirected to a page on our website that was tagged with a conversion tag. Based on these statistics, we can track which search terms were clicked on our ad particularly often and which ads lead to users contacting us via the contact form.

You can find more information on data protection in the context of Google Ads at: https://policies.google.com/technologies/ads?hl=en-GB.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

You can also select the types of Google ads or disable interest-based ads on Google via the ads setting (https://adssettings.google.com/authenticated?hl=en-GB).

7.4.2 DoubleClick by Google

We use the online marketing tool DoubleClick by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA on our website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

DoubleClick uses cookies to display ads that are relevant to users, to improve campaign performance reports, or to prevent users from seeing the same ads more than once. Google uses a cookie ID to record which ads are displayed in which browser. This prevents the same ad from being displayed more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions with reference to ads. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase.

When you call up a page that uses DoubleClick and for which the DoubleClick script is permitted by explicit consent, your browser automatically establishes a direct connection with Google's server. We as the website operator have no influence on the scope and further use of the data collected by Google through the use of this tool. We inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and store your IP address.

Insofar as data is processed outside the EU/EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection, which in individual cases permit the transfer of personal data to a third country.

The legal basis for the described data processing is your consent, Art. 6 para. 1 p. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see above, section 5. Cookies). Alternatively, you can delete your cookies (all or only from this website). The banner with the selection options will then be displayed again.

For more information about DoubleClick by Google, please visit https://www.google.com/doubleclick and about Google's privacy policy in general: https://policies.google.com/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org.

7.4.3 FACEBOOK CUSTOM AUDIENCES / CONVERSION TRACKING PIXELS

In the context of usage-based online advertising, we use the Custom Audiences service of Facebook Inc. (1601 S. California Avenue, Palo Alto, CA 94304, USA). For us (as a company from the EU), the processor is also Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

In the context of usage-based online advertising via Custom Audiences, we define target groups of users in the Facebook Ads Manager based on certain characteristics; these groups will subsequently be shown ads within the Facebook network. Users are selected by Facebook based on the profile information they provide and other data provided through their use of Facebook. If a user clicks on an advertisement and subsequently arrives on our website, Facebook receives the information that the user has clicked on the advertising banner via the Facebook pixel embedded on our website.

Basically, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which is transmitted to Facebook for analysis and marketing purposes. Facebook will set a cookie in the process. This cookie collects information about your activities on our website (e.g. surfing behavior, subpages visited, etc.). Your IP address is also stored and used for the geographic targeting of advertising.

We do not use Facebook Custom Audiences via the customer list, nor do we use the “advanced matching” function.

For more information about the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your settings options for protecting your privacy, please refer to Facebook's privacy policy. You can change the settings for which ads are displayed to you on Facebook under this link and in the Facebook account settings.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Insofar as you consent to the data processing described, Facebook will of course also have access to your data. In particular, it is possible that Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA, in addition to Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland has access to your data. Facebook Inc. is located in an insecure third country where the level of data protection is lower.

Facebook has made available online a “Facebook European Data Transfer Addendum” since 31/08/2020, which is intended to incorporate the standard contractual clauses in cases where Facebook Ireland Limited processes data from the EU/ EEA as a processor and transfers it to Facebook Inc. as a sub-processor.

For more information about Facebook's Custom Audiences service, please visit: https://en-gb.facebook.com/business/help/1711863145774142.

You can disable the “Facebook Custom Audiences” function for logged-in users at https://www.facebook.com/settings/?tab=ads#_.

7.4.4 LINKEDIN ADS / CONVERSION TRACKING (PIXELS)

We use the LinkedIn conversion tracking service of LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA as part of the evaluation of our online advertising. The responsible entity for users in the EU/ EEA and Switzerland is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

For this purpose, we define target groups of users based on certain characteristics in LinkedIn Campaign Manager, who are subsequently shown ads within LinkedIn's network. Users are selected by LinkedIn based on the profile information they provide as well as other data provided when using LinkedIn. If a user clicks on an advertisement and subsequently arrives on our website, LinkedIn receives the information that the user has clicked on the advertising banner via the conversion tag embedded on our website.

This way, the LinkedIn tag enables the collection of the following data:

  • visited website, including the URL,
  • referrers
  • IP address
  • device and browser properties (User Agent)
  • and timestamp.

The IP addresses are shortened or (in the case of cross-device use) hashed by LinkedIn. The direct identifiers of the members are removed within 7 days for pseudonymization of the data. The remaining pseudonymous data is then deleted within 180 days.

LinkedIn does not share the personal data with us as the website operator but only provides us with reports and notifications (which do not identify the user) about website visits and ad performance. LinkedIn also offers so-called retargeting, which allows us, as a website operator, to show personalized ads outside of our website using this data without identifying individual members. Data that does not identify you is also used to improve ad relevance and reach LinkedIn members across devices. LinkedIn members can manage the use of their personal data for advertising purposes in their account settings. LinkedIn refers to the following link to customize advertising preferences: https://www.linkedin.com/psettings/advertising/actions-that-showed-interest.

We process this data to evaluate our advertising campaigns. The legal basis for processing is your consent in accordance with Art. 6 (1) lit. a GDPR. Without your consent via our consent tool, we do not process any data for LinkedIn conversion tracking. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above).

As part of LinkedIn conversion tracking, LinkedIn naturally has access to the listed data. In particular, it is possible that in addition to LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA may also have access to your data.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

For more information about the purpose and scope of the collected data and the further processing and use of the data by LinkedIn, as well as your settings options for protecting your privacy, please also refer to LinkedIn’s privacy policy.

For more information on LinkedIn Conversion Tracking, please visit: https://www.linkedin.com/help/lms/answer/a425606/set-up-linkedin-conversion-tracking?lang=en.

For more information on data processing and storage duration, please visit https://www.linkedin.com/help/linkedin/answer/a427660?lang=en.

8. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

9. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

10. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

11. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

12. Your rights

You have the following rights with respect to us regarding personal data concerning you:

12.1 Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at Allplan GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

12.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

12.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

13. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

14. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of June 1, 2023

Data protection

Data protection is a particularly important topic for our company. In this privacy notice, we will inform you about the collection of personal data when using our ALLPLAN Shop and purchase our ALLPLAN products. We will inform you about which data we collect from you, and how we use it. We will also inform you about your rights under applicable data protection law, and tell you whom to contact if you have any questions.

Personal data is all data relating to you personally, such as name, address, email addresses or user behavior. We have put in place extensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. We regularly review our security measures and adapt them to technological progress.

1. Responsible party for data processing

Jointly responsible pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) are

ALLPLAN GmbH

Konrad-Zuse-Platz 1

81829 Munich

Germany

and the following companies associated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Österreich GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 3401 Village Dr #110, Lincoln, Nebraska 68516, USA
  • ALLPLAN Software Singapore Pte. Ltd., 4 Battery Road #25-01, Bank of China Building, 49908 Singapore
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, oficina 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Žerotínova 1133/32, 130 00 Praha 3-Žižkov, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia

Email: info@allplan.com

In the conduct of business, it is essential that data is also regularly exchanged between ALLPLAN's branches and subsidiaries in order to promote intra-group cooperation and use resources effectively. For this reason, central processes are not limited to the area of a single group company, but also extend to other group companies and benefit from the processes established and resources available there. The ALLPLAN companies therefore cooperate in many areas, in particular regarding order processing in our ALLPLAN Shop, and act in the data protection sense as so-called jointly responsible parties for this website as indicated above.

Information on the essential content of the contract due to joint responsibility:

In order to ensure the security of processing and the effective assertion of your rights, and against the above background, the member companies have concluded a contract as jointly responsible parties within the meaning of Article 26 GDPR in conjunction with Article 4(7) GDPR. This contract regulates the following points in particular:

  • Subject matter, purpose, means and scope as well as the competences and responsibilities regarding data processing
  • Information of the data subjects
  • Fulfillment of the other rights of the data subjects
  • Security of the processing
  • Involvement of data processors
  • Procedure in the event of data protection violations
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

2. Get in touch with our data protection officer

Please contact our data protection officer at dataprotectionofficer@allplan.com our postal address by adding “data protection officer”.

3. Legal basis of our data processing according to GDPR

The processing of personal data may be based on various legal grounds. If we need your data to honor a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(1)(b) GDPR. If we obtain your consent for the processing of certain data, the legal basis is Article 6(1)(1)(a) GDPR. We carry out some data processing on the basis of our legitimate interest, always weighing your interests worthy of protection against our legitimate interests. The legal basis is Article 6(1)(f) GDPR. Insofar as the processing is necessary for the fulfillment of a legal obligation to which we are subject, the legal basis is Article 6(1)(1)(c) GDPR.

We explain below how we process personal data when you use our ALLPLAN Shop.

Legal basis of our data storage under the Telecommunications Telemedia Data Protection Act (“TTDSG” in German).

According to Section 25 TTDSG, the storage of information in the end user's terminal equipment or the access to information already stored in the terminal equipment is only permissible if the end user has consented on the basis of clear and comprehensive information, i.e. has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25 (1) TTDSG and consequently also process purely technical data only after consent.

In our information to you and in obtaining consent, we follow the specifications of the TTDSG to the design specifications of the GDPR.

According to Section 25 (2) TTDSG, consent is not required in exceptional cases,

- if the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a message via a public telecommunications network, or

- where the storage of information in the end-user's terminal equipment or the access to information already stored in the end-user's terminal equipment is strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user.

4. Processing of personal data when accessing our ALLPLAN Shop website

Our ALLPLAN Shop is accessible at https://shop.allplan.com. If you use the website and the ALLPLAN Shop for informational purposes only, i.e., if you do not register, we collect the following technical information (log file data):

Data

Purpose of processing

Duration of storage

Operating system used

Evaluation by devices in order to ensure an optimized display of the website

The data is deleted in log files for the purpose of operating the website and to protect against misuse in accordance with our security regulations, generally after 30 days

Information about the type of browser and the version used

Evaluation of the browser used in order to optimize our websites for this purpose

The Internet service provider of the user

Evaluation of the Internet service provider

IP address

Display of the website on the respective device

Date and time of access

Ensuring the proper operation of the website

If necessary, manufacturer and type designation of the smartphone, tablet or other mobile device

Evaluation of device manufacturers and types of mobile devices for statistical purposes

Name of accessed site

Ensuring proper operation of the website

Referrer URL (source URL from which you came to the website)

Ensuring proper operation of the website

We collect this data for technical reasons to display our website to you and to ensure stability and security. We (and our hosting service providers) are generally not aware of who is behind an IP address. We do not merge the above data with any other data.

The legal basis is the legitimate interest pursuant to Article 6(1)(1)(f) GDPR, as well as § 25 (2) Nr. 2 TTDSG due to the technical necessity described above. Within the framework of the balancing of interests pursuant to Article 6(1)(f) GDPR, we have taken into account and weighed our interest in providing and your interest in processing your personal data in accordance with data protection. Since the following data is technically necessary for us to provide you with our service and also to ensure stability and security, in particular to protect from misuse, we have to process this data – while ensuring data security in line with the state of the art – taking due account of your interest in processing in line with data protection requirements. If the processing is based on another legal basis (e.g. consent according to Article 6 (1)(a) GDPR, § 25 (1) TTDSG), this will be shown accordingly.

5. Registration

Before you can purchase from our ALLPLAN Shop, you must first register with us and create a customer account. When you register, we process your personal data for individual user access and to process orders and payments, as well as to process contact and service requests.

For registration, we use the so-called double-opt-in procedure. This means that after you have entered your email address, we will send you a confirmation e-mail to the e-mail address you have entered, in which we ask you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we will store your data for the storage period indicated in the table. The storage also takes place for participation in the ALLPLAN Community with which you also have the possibility to use our services (Allplan Share, Allplan Exchange, Allplan Connect, Allplan Campus, Allplan Bimplus) with an account. Once you have registered, you will receive personal, password-protected access and can view and manage the data you have stored.

Furthermore, we store the date and time of registration when you register. The purpose of the procedure is to be able to prove your registration as part of our accountability obligations and, if necessary, to clarify any possible misuse of your personal data. Due to the fulfillment of the accountability obligation, we have a legitimate interest in accordance with Article 6(1)(1)(f) GDPR in processing the data of the double-opt-in procedure.

For the registration, we collect and store the following personal data from you:

Data

Purpose of processing

Legal basis of processing

Duration of storage

Email address and username

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

Password

Creation of the customer account

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the termination of the customer account term

IP address at registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Date of registration

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

IP address at double opt-in

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Time of double opt-in verification

Proof of double opt-in

Legitimate interest; Article 6(1)(1)(f) GDPR, § 25 (2) Nr. 2 TTDSG – technical necessity

3 years after termination of customer relationship

Customer number

Assignment in case of already existing contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Salutation

Direct approach within the scope of the contractual relationship

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

First name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Family name

Direct approach within the scope of the contractual relationship/invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Company

Invoicing

Legitimate interest; Article 6(1)(1)(f) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Telephone

Contract execution
(customer support)

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

After the end of the contractual relationship

Language

Control of language settings

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

after the end of the contractual relationship)

Country

Contract conclusion and execution

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Address

Invoicing

Legitimate interest: Article 6(1)(1)(f) GDPR; contract execution: Article 6(1)(1)(b) GDPR

Until the end of the tax statutory limitation periods (10 years after the end of the contractual relationship)

Personal data that must be provided is marked as mandatory in the respective registration form; any additional information is voluntary.

You can also delete your customer account at any time. Upon deletion of the account, all personal data that is not subject to a legal obligation to retain data or to Article 17 (3) GDPR will be anonymized.

6. Execution of orders and payment processing

When you place an order for one of our products in our ALLPLAN Shop, we process data that is recorded in your customer account to enable you to place orders, including the following:

- First name, surname

- Company

- Customer number

- Billing/delivery address

- Email address

- Telephone number, if necessary

We also process the following additional data that you provide to us when completing your order:

- Information on orders placed (products, licenses, license conditions)

- Information on the payment type and the associated details that are required for making a payment.

The legal basis for the associated data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for completing the ordering process, the purchase and payment processing. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in ensuring a smooth ordering process and enabling our products to be provided to you smoothly, as well as in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interests being in being able to offer our services to your company, and in being able to process your data as a responsible point of contact.

Digital River, reseller

For the sale of our products in the ALLPLAN Shop, we use our sales partner Digital River Ireland Ltd – or for our customers in the USA, Digital River Inc. (hereinafter referred to as "Digital River"). Digital River is part of the Digital River Inc. group of companies (Digital River, Inc., 10380 Bren Road West, Minnetonka, MN 55343/USA), an e-commerce sales service provider from the USA. Digital River is an authorized reseller of all of the products that are offered in our ALLPLAN Shop. If you order one of our products through the ALLPLAN Shop, Digital River is your contractual partner and the Seller. You are the Buyer. Digital River is authorized by us to conclude the purchase or license agreement with you on its own behalf and to carry out and monitor the subsequent processing of your order, in particular the payment processing. A license key for the purchased software, along with care, maintenance and development services are provided by us, as the product manufacturer, after your order.

If you place your order in our ALLPLAN Shop by clicking on the "Order with obligation to pay" button, your order and payment data will be forwarded to our sales partner, Digital River. This data includes your first name, your surname, your company name, information relating to the order placed (products/license and conditions), your billing and delivery address, your email address, and your bank and payment details.

Digital River processes your data for the purpose of concluding a contract, as well as for order and payment processing. Payment is processed according to the payment method selected. As part of this, your data can also be processed by Digital River for the purpose of carrying out identity and credit checks in order to be able to assess solvency to the greatest possible extent when granting payment methods with a credit risk. In addition, your data will be processed by Digital River for its own purposes, in particular to prevent abuse and fraud.

We would like to point out that there is a possibility that – as stated in its own data protection guidelines – Digital River may, in the course of order and contract processing, transfer your personal data to Digital River Inc. servers in the USA. According to Digital River, such data processing and transfers to the third country USA are secured by concluding contracts for order processing in accordance with Article 28 GDPR and corresponding EU standard contractual clauses in accordance with the provisions of Article 46 (2) (c) GDPR, as well as other technical and organizational measures, where such measures are necessary.

Digital River is solely responsible for all of the data processing mentioned within the meaning of Article 4(7) GDPR. You will find comprehensive information on how Digital River processes data

- in the privacy policy: https://store.digitalriver.com/store/defaults/en_US/DisplayDRPrivacyPolicyPage?eCommerceProvider=&selectedLoc=en_US

- and the cookie policy: https://store.digitalriver.com/DRHM/store?Action=DisplayDRCookiesPolicyPage&SiteID=defaults&Locale=en_EN&ThemeID=22100&Env=BASE&eCommerceProvider=

Following the conclusion of the contract between you and Digital River, we will receive information as to whether the transaction could be carried out successfully in an automated process for the purpose of transaction tracking, and so that we can provide the license key for the contractual products and other services. The legal basis for our data processing is Article 6(1)(1)(b) GDPR, insofar as the processing of your data is necessary for the performance of the specified activities. In addition, the legal basis for the associated data processing is Article 6(1)(1)(f) GDPR, our legitimate interests being in enabling our products to be provided to you smoothly, and in dealing with all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or an organization, we process your data on the basis of Article 6(1)(1)(f) GDPR, our legitimate interest being in being able to offer our services to your company.

7. Cookies and website analysis

7.1 Cookies

Our website uses cookies. Cookies are files that are placed on your computer by a website you visit and allow your browser to be reassigned. Cookies transmit information to the entity that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you have made there. This ensures, for example, that you do not have to re-enter required form data each time you use it. The information stored in cookies can also be used to identify preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are sets of data that are only temporarily held in memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a predefined duration, which may differ depending on the cookie. With this type of cookies, the information can also be stored on your computer in text files. You can, however, also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is allowed to read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data by means of cookies and their storage period may vary. If you have given us your consent, the legal basis is Article§ 25 (1) TTDSG and Article 6(1)(1)(a) GDPR. Insofar as saving and data processing are based on our overriding legitimate interests, the legal basis is § 25 (2) Nr. 2 TTDSG as well as Article 6(1)(1)(f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionality, to measure reach and – with your consent – to tailor our services to preferred areas of interest.

You can delete cookies already stored on your mobile device at any time. If you want to prevent cookies from being stored, you can do so via the settings in your Internet browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have disabled the use of cookies.

When accessing our website, all users of our website are also informed by an information banner from our consent management platform, Usercentrics, about our use of cookies and referred to this privacy policy. Here, as a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with future effect by calling up the cookie administration via the icon (fingerprint) in the lower left-hand corner of each page and unchecking the box next to processing to which you had consented. In the cookie manager you can also find more information about the cookies we use.

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software produced by Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany.

Usercentrics identifies the language used by your browser. They set a cookie to check whether you have already made a selection in our consent tool on a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. Usercentrics also creates a log file in order to be able to prove that consent has been given. This file contains the de-identified IP address, information about the browser that was used, data about the scope of consent, and the date and time of the visit. The legal basis for this can be found in § 25 (2) Nr. 2 TTDSG as well as our legitimate interest pursuant to Article 6(1)(1)(f) GDPR.

The purpose of data processing is a user-friendly and legally compliant design of our website. We want to make it as easy as possible for you to give or withdraw consent and to increase the transparency of data processing using cookies, pixels, tags or similar on our website. Our legitimate interest also lies in the purpose of processing data.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent given and consent revoked) will be retained for three years.

Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings of your Internet browser, you can disable or restrict the transfer of cookies. You can delete cookies that have already been saved at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

7.3 Website analysis

To analyze and optimize our websites, we use various services as described below. We use these services to analyze how many users visit our site, what information is most in demand, or how users find an offer. We also record data on which website a user came to our site from (so-called referrer), which sub-pages of the website were accessed or how often and for how long a sub-page was viewed. This helps us to design our offers in a user-friendly way, to find errors and to improve our offers.

7.3.1 Matomo

On our website, we use the open source web analytics software Matomo. The software is operated exclusively from our own servers.

They use cookies, to analyze the use of the website. For this purpose, the usage information collected in the cookie (including your shortened IP address) is transmitted to our server and stored for usage analysis purposes. Matomo does not transmit data to servers that are outside of our control. Your IP address is immediately de-identified during this process, so that you as a user are not identifiable to us. We do not share the information we collect about your use of this website with third parties. We use the collected data for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes. Our interest in and purpose of data processing is to optimize our website, to adapt the content and to improve our offer. The user's interests are sufficiently protected by de-identifying the data. We store the analysis data only as long as necessary for data processing purposes, but no longer than 14 months.

The legal basis for accessing the information is your consent according to § 25 (1) TTDSG. The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

7.3.2 Google Analytics (Universal Analytics)

This website uses Google Analytics, a web analysis service of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The use includes running Universal Analytics. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thereby analyze a user's activities across devices.

Google Analytics uses cookies that enable an analysis of your use of the website. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there. However, thanks to the selected de-identification on this website, your IP address will be shortened by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Article 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google. On behalf of the operator of this website, Google will use such information for analyzing your use of the website, for compiling reports about the website activities and for rendering additional services that are related to the website use and internet use toward the website operator.

The data sent by us and linked to cookies or user IDs (e.g. user ID) are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for the described data processing is our legitimate interest pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.3 Google Analytics

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, (“Google“) Ireland.

Google Analytics 4 uses cookies that analyze how you use our websites. The information about your use of this website created by the cookie is usually transmitted to a server of Google in the U.S. and saved there.

Google Analytics 4 de-identifies IP addresses by default. When de-itentifying your IP address, Google will truncate your IP address within Member States of the European Union or in other countries that are party to the Agreement on the European Economic Area. The full IP address is transmitted to a server of Google in the U.S. and shortened there only in exceptional cases. The IP address that is transmitted by your browser within the frame of Google Analytics is not combined with other data of Google.

During your website visit, your user behavior is recorded in the form of "events". Such events can include but must not be limited to:

  • Site views
  • First visit to the website
  • Start of the session
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search requests
  • Interaction with videos
  • Ads seen / clicked

They can also record:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the end devices you use (e.g. language setting, display resolution)
  • Your Internet provider
  • The referrer URL (via which website/advertising medium you came to this website)

On behalf of Allplan, Google will use this information for the purpose of evaluating your pseudonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be:

- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Article 28 GDPR)

- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

- Alphabet Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that U.S. authorities will access the data stored by Google.

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, U.S. A transmission of data to the U.S. and access by U.S. authorities to the data stored by Google cannot be ruled out. From a data protection perspective, the U.S. is currently considered a third country. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Article 6(1)(1)(a) GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the tracking settings (cf. Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Alternatively, you can prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, you may experience limited functionality on this and other websites. You can also prevent cookies from collecting data relating to your use of the website (including your IP address) and prevent Google from processing this data by

  1. not giving your consent to the setting of the cookie or
  2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and on data protection at Google, please visit https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/?hl=en.

7.3.4 Google Tag Manager

For transparency reasons, we would like to point out that we use the Google Tag Manager of the provider Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easy for us to integrate and manage our tags. Tags are small pieces of code used to measure traffic and visitor behavior, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimize websites, among other things. We use the Tag Manager for the Google Analytics service. If you have disabled it, this disabling will be taken into account by Google Tag Manager. For more information on Google Tag Manager, please see: https://www.google.com/intl/de/tagmanager/use-policy.html.

7.4 ADVERTISING

We use cookies for marketing purposes to target our users with advertising tailored to their interests. In addition, we use cookies to limit the likelihood of an ad being shown and to measure the effectiveness of our advertising efforts. This information may also be shared with third parties, such as ad networks. The legal basis for this is Art. 6 (1) s. 1 lit. a GDPR.

7.4.1 GOOGLE ADS, REMARKETING AND CONVERSION TRACKING

We use the service Google Ads. Google Ads is an online advertising program of Google LLC, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). The responsible entity for users in the EU/ EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

This means we run Google Ads and also use Google remarketing and conversion tracking as part of this. The ads are displayed after search queries on web pages of the Google advertising network. In addition, we use ads remarketing lists for search ads. This allows us to customize search ad campaigns for users who have visited our website before. These services help us to combine our ads with certain search terms or to display ads for previous visitors, for example, advertising services that the visitors have viewed on our website. As a result, we can display interest-based advertising to users of our website on other websites within the Google advertising network (as a “Google Ad” within “Google Search” or on other websites).

For interest-based offers, we need to analyze online user behavior. Google uses cookies to perform this analysis. When clicking on an ad or visiting our website, Google sets a cookie on the user's computer. These cookies last for 90 days. The information collected by the respective cookie is used to target the visitor in a subsequent search query. For further information on the cookie technology used, please also see Google's notes on website statistics and the privacy policy. With the help of this technology, Google and we as a customer receive information that a user has clicked on an ad and been redirected to our websites. We only use the information obtained this way to analyze statistics and optimize advertisements We do not receive information that personally identifies visitors. Your IP address will be transmitted to Google, but since we use Google Analytics IP masking on this website, your IP address will be anonymized.

Log data is anonymized after 9 months, and cookie information is anonymized after 18 months.

The statistics provided to us by Google include the total number of users who clicked on one of our ads and, if applicable, whether they were redirected to a page on our website that was tagged with a conversion tag. Based on these statistics, we can track which search terms were clicked on our ad particularly often and which ads lead to users contacting us via the contact form.

You can find more information on data protection in the context of Google Ads at: https://policies.google.com/technologies/ads?hl=en-GB.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

You can also select the types of Google ads or disable interest-based ads on Google via the ads setting (https://adssettings.google.com/authenticated?hl=en-GB).

7.4.2 DoubleClick by Google

We use the online marketing tool DoubleClick by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA on our website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

DoubleClick uses cookies to display ads that are relevant to users, to improve campaign performance reports, or to prevent users from seeing the same ads more than once. Google uses a cookie ID to record which ads are displayed in which browser. This prevents the same ad from being displayed more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions with reference to ads. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase.

When you call up a page that uses DoubleClick and for which the DoubleClick script is permitted by explicit consent, your browser automatically establishes a direct connection with Google's server. We as the website operator have no influence on the scope and further use of the data collected by Google through the use of this tool. We inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and store your IP address.

Insofar as data is processed outside the EU/EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection, which in individual cases permit the transfer of personal data to a third country.

The legal basis for the described data processing is your consent, Art. 6 para. 1 p. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see above, section 5. Cookies). Alternatively, you can delete your cookies (all or only from this website). The banner with the selection options will then be displayed again.

For more information about DoubleClick by Google, please visit https://www.google.com/doubleclick and about Google's privacy policy in general: https://policies.google.com/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org.

7.4.3 FACEBOOK CUSTOM AUDIENCES / CONVERSION TRACKING PIXELS

In the context of usage-based online advertising, we use the Custom Audiences service of Facebook Inc. (1601 S. California Avenue, Palo Alto, CA 94304, USA). For us (as a company from the EU), the processor is also Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

In the context of usage-based online advertising via Custom Audiences, we define target groups of users in the Facebook Ads Manager based on certain characteristics; these groups will subsequently be shown ads within the Facebook network. Users are selected by Facebook based on the profile information they provide and other data provided through their use of Facebook. If a user clicks on an advertisement and subsequently arrives on our website, Facebook receives the information that the user has clicked on the advertising banner via the Facebook pixel embedded on our website.

Basically, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which is transmitted to Facebook for analysis and marketing purposes. Facebook will set a cookie in the process. This cookie collects information about your activities on our website (e.g. surfing behavior, subpages visited, etc.). Your IP address is also stored and used for the geographic targeting of advertising.

We do not use Facebook Custom Audiences via the customer list, nor do we use the “advanced matching” function.

For more information about the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your settings options for protecting your privacy, please refer to Facebook's privacy policy. You can change the settings for which ads are displayed to you on Facebook under this link and in the Facebook account settings.

The legal basis for the described data processing is our legitimate interest pursuant to Art. 6 (1) s. 1 lit. a GDPR. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above). Alternatively, you can delete your cookies (all or only from this website). You will then see the banner with the options again.

Insofar as you consent to the data processing described, Facebook will of course also have access to your data. In particular, it is possible that Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA, in addition to Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland has access to your data. Facebook Inc. is located in an insecure third country where the level of data protection is lower.

Facebook has made available online a “Facebook European Data Transfer Addendum” since 31/08/2020, which is intended to incorporate the standard contractual clauses in cases where Facebook Ireland Limited processes data from the EU/ EEA as a processor and transfers it to Facebook Inc. as a sub-processor.

For more information about Facebook's Custom Audiences service, please visit: https://en-gb.facebook.com/business/help/1711863145774142.

You can disable the “Facebook Custom Audiences” function for logged-in users at https://www.facebook.com/settings/?tab=ads#_.

7.4.4 LINKEDIN ADS / CONVERSION TRACKING (PIXELS)

We use the LinkedIn conversion tracking service of LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA as part of the evaluation of our online advertising. The responsible entity for users in the EU/ EEA and Switzerland is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

For this purpose, we define target groups of users based on certain characteristics in LinkedIn Campaign Manager, who are subsequently shown ads within LinkedIn's network. Users are selected by LinkedIn based on the profile information they provide as well as other data provided when using LinkedIn. If a user clicks on an advertisement and subsequently arrives on our website, LinkedIn receives the information that the user has clicked on the advertising banner via the conversion tag embedded on our website.

This way, the LinkedIn tag enables the collection of the following data:

  • visited website, including the URL,
  • referrers
  • IP address
  • device and browser properties (User Agent)
  • and timestamp.

The IP addresses are shortened or (in the case of cross-device use) hashed by LinkedIn. The direct identifiers of the members are removed within 7 days for pseudonymization of the data. The remaining pseudonymous data is then deleted within 180 days.

LinkedIn does not share the personal data with us as the website operator but only provides us with reports and notifications (which do not identify the user) about website visits and ad performance. LinkedIn also offers so-called retargeting, which allows us, as a website operator, to show personalized ads outside of our website using this data without identifying individual members. Data that does not identify you is also used to improve ad relevance and reach LinkedIn members across devices. LinkedIn members can manage the use of their personal data for advertising purposes in their account settings. LinkedIn refers to the following link to customize advertising preferences: https://www.linkedin.com/psettings/advertising/actions-that-showed-interest.

We process this data to evaluate our advertising campaigns. The legal basis for processing is your consent in accordance with Art. 6 (1) lit. a GDPR. Without your consent via our consent tool, we do not process any data for LinkedIn conversion tracking. Once you have given your consent, you can revoke it at any time with future effect by changing your selection in the cookie settings (see section 5 Cookies above).

As part of LinkedIn conversion tracking, LinkedIn naturally has access to the listed data. In particular, it is possible that in addition to LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA may also have access to your data.

Insofar as data is processed outside the EU/ EEA, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection; these clauses permit the transfer of personal data to a third country in individual cases.

For more information about the purpose and scope of the collected data and the further processing and use of the data by LinkedIn, as well as your settings options for protecting your privacy, please also refer to LinkedIn’s privacy policy.

For more information on LinkedIn Conversion Tracking, please visit: https://www.linkedin.com/help/lms/answer/a425606/set-up-linkedin-conversion-tracking?lang=en.

For more information on data processing and storage duration, please visit https://www.linkedin.com/help/linkedin/answer/a427660?lang=en.

8. Duration of storage

We store your personal data for as long as it is necessary to fulfill our legal and contractual obligations in connection with the processing of your order from our ALLPLAN Shop. Data relating to an order is generally kept for 10 years after completion of the order and then deleted, unless further processing is necessary for the following purposes:

After the end of a contractual term, we usually delete your data after 10 years due to the fulfillment of commercial and tax retention obligations (in particular retention periods as per the German Commercial Code (HGB) or the German Fiscal Code (AO)). In order to retain evidence within the framework of the statute of limitations of the German Civil Code (BGB), storage of up to 30 years may be necessary in individual cases.

9. Data transfer

Your personal data will not be transferred to third parties for purposes other than those listed. We will only share your personal information with third parties if:

  • you have given your express consent to this,
  • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • there is a legal obligation for the transfer, and this is legally permissible and necessary for the initiation or processing of contractual relationships with you,

External service providers and partner companies receive your data from us, only to the extent necessary to process your order. These service providers are from the following categories:

  • Distribution partners: Digital River Ireland Ltd. or Digital River Inc. (for customers in the USA) as resellers (see above);
  • IT service providers (e.g. maintenance and hosting service providers)
  • Payment service providers
  • Credit agencies for determining creditworthiness and default risks

In these cases, however, the scope of the data transmitted is limited to the minimum required. Insofar as our service providers come into contact with your personal data, we ensure within the framework of commissioned processing pursuant to Article 28 GDPR that they comply with the provisions of the data protection laws in the same manner. Please also note the respective privacy notices of the providers. The respective service provider is responsible for the content of third-party services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

10. Data transfer to third countries

We consider it important to process your data within the EU/EEA. However, we may sometimes use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection is established at the recipient before transferring your personal data. This means that via EU standard contracts (EU standard contractual clauses), as well as through an agreement on further measures that may be necessary, or by means of an adequacy decision of the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

In the event of data transfer outside the European Union, the high European level of data protection does generally not exist. In the case of a transfer, it may be that there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection in the European Union based on the GDPR; therefore, we have put in place the aforementioned appropriate guarantees.

Possible risks that may not be completely excluded in connection with the transfer of data include, in particular:

  • Your personal data could possibly be processed beyond the actual purpose.
  • In addition, there is the possibility that you may not be able to assert and enforce your rights under data protection law, such as your right to information, correction, deletion or data portability, in the long term.
  • There may also be a higher probability that incorrect data processing may occur and that the protection of personal data does not fully comply with the requirements of the GDPR in terms of quantity and quality.

11. Data security

Your personal data is transferred securely at ALLPLAN using encryption. This applies to all form processes (including registration, login, ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) coding system. It is true that no one can guarantee absolute protection. However, ALLPLAN secures its website and other systems against loss, destruction, access, modification or distribution of your data by unauthorized persons by means of technical and organizational measures. We regularly review our security measures and adapt them to technological progress.

12. Your rights

You have the following rights with respect to us regarding personal data concerning you:

12.1 Basic permissions

You have a right to information, correction, deletion, restriction of processing, objection to processing and data portability. Insofar as processing is based on your consent, you have the right to revoke this consent with effect for the future.

To exercise your rights, please contact us by e-mail at dataprotectionofficer@allplan.com or by mail at Allplan GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. The exercise of your rights described in this point is free of charge for you.

12.2 Rights in data processing according to legitimate interest

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) or on the basis of Article 6 (1) (f) GDPR (data processing for the purposes of safeguarding a legitimate interest); this also applies to profiling based on this provision. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

12.3 Right to complain to a supervisory authority

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you may at any time exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection law (Article 77 GDPR).

13. Links to other websites

Our websites may contain links to websites of other providers. We would like to point out that this privacy notice applies exclusively to the website https://shop.allplan.com. We have no influence on and do not control that other providers comply with the applicable data protection regulations.

14. Changes to the privacy notice

We reserve the right to change or adapt this privacy notice at any time in compliance with the applicable data protection regulations.

As of June 1, 2023