Data privacy statement

Thank you for visiting our website. Subsequently, we want to inform you about the collection of data during visiting and using our website.

I. Controller and contact person

1. Name and address of the controller

The controller in the sense of the applicable data protection regulations is:

Compounder GmbH
c/o GATEWAY ESC
Vitalisstraße 67
50827 Cologne
Germany

Email: info@compounder.eu

2. Contact person for data protection related issues

The contact person for any and all inquiries regarding the processing of your personal data as well as your rights with respect to data protection is:

Lina Woelk (external data protection officer)
DAWOCON GmbH
Dellbrücker Hauptstraße 27
51069 Cologne
Germany

Email: datenschutz@compounder.eu
Telephone: +49 (0)221 68003767

II. General information on data processing

1. Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only to the extent necessary

– to provide a functional website;
– for the performance of our services;
– consent of the user is granted.

An exception applies in those cases in which it is not possible to obtain the user's prior consent for any factual reasons and the processing of the data is permitted by law.

2. Relevant legal basis for the processing of personal data

The legal basis for the processing of personal data is

Art. 6 para. 1 (a) EU General Data Protection Regulation (GDPR) in the event that the data subject has granted its consent;
Art. 6 para. 1 (b) GDPR regarding pre-contractual measures and/or for the processing of personal data required for the performance of the contract entered into with the data subject;
Art. 6 para. 1 (c) GDPR if and to the extent the processing of personal data is required for the fulfilment of a legal obligation of us;
Art. 6 para. 1 (f) GDPR if and to the extent the processing of personal data is required in order to protect a legitimate interest of our company or a third party, provided that such legitimate interest overweighs the interests, fundamental rights, and freedoms of the data subject.

3. Data deletion and retention period

In general, we delete or block personal data as soon as the purpose for which such personal data is stored ceases to apply. If we are obliged by law to retain personal data, such personal data will be blocked or deleted upon expiry of the applicable statutory retention period, unless the continuing storage of the personal data is required for the conclusion or performance of a contract.

4. Recipients of the collected data

The recipient of the data collected via the platform is the controller. Furthermore, data processors (web hosts) have access to the data collected via the platform. However, compliance with all applicable legal regulations is ensured due to data processing agreements entered into by and between us and our data processors. Data is only transferred to third countries, if and to the extent we have informed you thereof. In the event, that the applicant enters into a contract with us regarding the intermediation of a study place, we will transfer the user's personal data to the respective educational institute within the scope of our contractually agreed services.

5. Necessity of disclosure of personal data

In connection with the use of our services, a registration and thus the disclosure and storage of your personal data is required for the performance of the contract. If the required data is not provided, our services cannot be offered to you.

6. Profiling

We do not engage in any profiling or automated decision-making on our platform.

III. Provision of the platform and creation of log files

1. Scope of the data processing

Each time our platform is accessed, our system automatically collects data and information from the computer system of the accessing computer. In this context, the following data is collected:

(1) Information regarding the type, version, language, character encoding of the browser
(2) The user's operating system
(3) The user's provider
(4) The user's IP address
(5) Date and time of access as well as the first and last visit
(6) The website from which the user is accessing
(7) Web pages accessed by the user's system through our platform
(8) Date of the first and last visit

The data is stored in the log files (log of all or certain processes on a computer system) created by our system. The aforementioned data is not stored in connection with other personal data of the user.

2. Legal basis for the data processing

The legal basis for the temporary storage of the aforementioned data and the log files is Art. 6 para. 1 (f) GDPR (our legitimate interest).

3. Purpose of the data processing

The temporary storage of the IP address by the system is required to enable delivery of the platform. For this purpose, the IP address of the user must be stored for the duration of the session.

The storage in log files is required to ensure the functionality of the platform. In addition thereto, we use the data to optimise the platform and to ensure the security of our information technology systems.

These purposes constitute our legitimate interest in the data processing according to Art. 6 para. 1 (f) GDPR. Since (i) we are not able to draw conclusions from an IP address to an individual; (ii) an IP address is not considered a sensitive date; (iii) the IP address is deleted immediately after a visit to the platform; and (iv) the IP address is required to offer our platform, our interests outweigh the interests of the data subject.

4. Duration of storage

The collected data is deleted as soon as it is no longer required to achieve the purpose for which it was collected (provision of the platform). In the case of storage of data in log files, this is the case upon expiry of seven days at the latest, provided, however, that data may be stored longer than the aforementioned period. In this case, however, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.

5. Possibility of objection and removal

The collection of data for the provision of the platform and the storage of the data in log files is required for the operation of the platform. Thus, there is no possibility of objection on behalf of the user.

IV. Use of technically necessary cookies

1. Description and scope of the data processing

Our platform uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again.

We use cookies to make our platform more user-friendly. Some elements of our platform require that the calling browser can be identified even after a page change.

The following cookies are used:

Name Function Collected data Duration of storage
PHPSESSID Possibility of logging into the system and assigning interactions on the platform Session ID/random string End of the session
klaro Saves the setting for accepting/rejecting other cookies Name and status of cookies 360 days
uslk_umm_109517 Possibility of full use of the integrated chat Visited subpages as well as randomised number for the assignment of the chats 30 days

2. Legal basis for the data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 (f) GDPR.

3. Purpose of the data processing

The purpose of using cookies is to simplify the use of websites for users. Some functions of our platform cannot be offered without the use of cookies. Therefore, it is required that the browser is recognised after a page change.

We need cookies for the following applications: login, cookie banner, chat solution.

We do not use the user data collected by the cookies to create user profiles.

The aforementioned purposes constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 (f) GDPR.

4. Duration of storage, possibility of objection, and removal

Cookies are stored on and transmitted by the user's computer to our website. Therefore, you as a user have full control over the use of cookies. By changing the settings in your Internet browser, you may disable or restrict the transmission of cookies. Cookies, which have already been stored, may be deleted at any time. This may also be done automatically. If cookies are deactivated for our platform, the use all functions of our platform may be restricted or excluded.

If you do not wish to receive cookies, please click here.

V. Email contact/contact form

1. Scope of the data processing

You may contact us via the email address or the contact form provided on our platform. In this case, any personal data transmitted in the email or via the contact form will be stored. The data is used exclusively for the processing of the conversation or inquiry.

2. Legal basis for the data processing

The legal basis for the processing of the aforementioned data is Art. 6 para. 1 (f) GDPR. If the contact is used for or in connection with the conclusion of a contract, an additional legal basis for the processing is Art. 6 para. 1 (b) GDPR.

3. Purpose of the data processing

The processing of the data is required to process the correspondence and your inquiry, which constitutes our legitimate interest. Since any electronic contact as described above is initiated by you and at your sole discretion and since we inform you in advance regarding the procession of the transmitted data, our legitimate interest outweighs your right of privacy.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent electronically, this is the case when the respective correspondence with the user has ended. The conversation is deemed to have ended if, taking into account the specific circumstances, the concerned matter is ultimately resolved.

5. Possibility of objection and removal

The user has the option to object the storage of its personal data at any time. In such a case, the correspondence cannot be continued. The objection may be submitted by email or in writing.

Any and all personal data stored in the course of contacting us will be deleted by us in this case.

In the event, that the data is collected in connection with a contractual relationship, the user is not entitled to object if and to the extent the data is required for the performance of the contract.

VI. Newsletter/Marketing

In the event, that you have registered for our newsletter, we will send you information about our offers, services, and events periodically. We make use of a so-called double opt-in procedure for this purpose. This means that we will only send email newsletters to a user if said user has expressly consented to receiving such newsletters, provided, that the respective user has clicked on an authentication link sent by email. Hereby we ensure that the email address provided to us is used by the person granting its consent. Prior to the granting of the user's consent, the user is informed about the intended use of data.

1. Description and scope of the data processing

Within the scope of the newsletter dispatch, we collect the following data:

– First and last name;
– Email address;
– Time and date of registration.

2. Legal basis for the data processing

The legal basis for the processing of data after registration for the newsletter is Art. 6 para. 1 (a) GDPR (consent).

3. Purpose of the data processing

The collection of your email address is required to provide you with a newsletter. The other data serves us for the protection against any misuse.

4. Duration of storage, possibility of objection, and removal

The data will be deleted as soon as it is no longer required to achieve the purpose for which it is collected. Therefore, your email address will be stored for as long as your subscription to the newsletter is active.

You may terminate your subscription to the newsletter at any time. For this purpose, you will be provided a corresponding link in each newsletter. Following a termination of the subscription, your email address will be deleted from our newsletter distribution list immediately, unless (i) you have expressly consented to a further use of your data or (ii) we have reserved the right to use your data for any other purpose permitted by law subject to prior information hereof.

VII. Registration and performance of the contract

1. Scope of the data processing

In order to use our entire range of services, you must first register by providing personal data. The data is to be entered into an input mask and will be transmitted to and stored by us.

The following personal data are collected mandatorily in connection with the registration process:

– First and last name, email address, password, sixteen years of age completed (Yes/No)

Furthermore, the following data is stored at the time of registration:

– Date and time of registration;
– Date and time of the opt-in regarding the age query.

As a protective measure against any misuse of our IT systems, we use the service “reCAPTCHA” provided by Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland (Google) in connection with the registration process. The query is used to assess whether an input is made by a human or abusive by automated machine processing.

In connection with the query, the IP address and other data required by Google for the reCAPTCHA service (including, without limitation, user behaviour information such as mouse movement or query) is transferred to Google. Therefore, your input is also transferred to and used by Google. For more information on the data processing by Google reCAPTCHA, please refer to Google's privacy policy, which may be found at https://policies.google.com/privacy?hl=en and https://www.google.com/recaptcha/.

If you log in on our platform after registration, we collect and store your user name and password as well as the date and time of the login, in order to recognise you as a registered user.

In the event, that you have subscribed to any of our service plans, we additionally collect your invoice address, provided, however, that such address will only be used for invoicing of the service plans you have subscribed for.

In addition hereto, we also collect data with respect to your application and your contact details in connection with the offered services (review of applications for completeness, applying to universities, communication with you and the university). Such data includes

– Personal data (gender, place of birth, nationality, telephone number, address, address suffix, postal code, city, country);
– Data regarding education (country, city, name of school, graduation, final grade, date of graduation);
– Data regarding professional training (country, name and place of training company, place of vocational school, name of vocational school, profession, final grade, date of graduation);
– Data regarding study (country, name of university, degree, course of study, final grade, date of graduation);
– Application documents (depending on the university: curriculum vitae, university entrance qualification/certificate, last certificate, proof of language proficiency, confirmation of exmatriculation, etc.).

2. Legal basis for the data processing

The legal basis for the data processing is (i) Art. 6 para. 1 (b) and (c) GDPR if and to the extent that you have granted your consent to the processing of special categories of data or the transfer of data to third parties; (ii) Art. 6 para. 1 para. (a) GDPR regarding the use of Google reCAPTCHA; (iii) Art. 6 para. 1 (f) GDPR, and (iv) Art. 6 para. 1 (f) GDPR, Section 7 para. 3 of the German Unfair Competing Act (UWG) regarding the use of your email address for promotional/marketing purposes.

3. Purpose of the data processing

The registration as user is required for the performance of the contract entered into with the respective user and/or for pre-contractual measures.

The subject matter of the contract is the temporary use of our platform for the placement of applicants at universities. Due to the remote data connection, this requires a registration and a subsequent login of the user, in order for the user to be recognised by our system and for the access to all functionalities. In addition hereto, this shall prevent any misuse of our system and allows us to invoice paid services. In particular, the use of Google reCAPTCHA shall prevent any misuse in connection with the registration. Since a registration for our services is at your own discretion, our legitimate interests outweigh your rights.

Furthermore, the purpose of the data processing is the provision of our services on the platform. This includes the review of the applicant's data for completeness of the provided data, the transmission of the applicant's data to the selected university/universities or to third-party service providers used by the universities with respect to the application process, as well as to contact you via your contact data for any communication regarding the application process and to provide you with the results of the application process.

In addition hereto, the purpose of processing your email address is marketing by transmission of promotional emails.

4. Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which the data is collected.

With respect to any data stored during the registration process for the fulfilment of a contract or for pre-contractual measures, this shall apply as soon as soon the relevant data is no longer required for the performance of the contract. Storage of personal data regarding the contractual partner may also be required after the conclusion of the contract in order to comply with contractual or legal obligations.

Continuing obligations require the storage of personal data during the term of the contract. In addition hereto, any applicable warranty periods may require storage of data. The same appies to any storage for tax purposes. The applicable storage periods cannot be determined in a generalised manner, but must be determined for each individual contract and contracting party.

5. Data transfer

Since our platform is used for applications to universities and users can apply via the service on our platform, we transfer data mentioned in Section 1 to the relevant university or the third-party providers used by the university in connection with the application process, subject to your consent. Data is only transferred to the extent required by the university for the application. If you have provided us with any data that is not required by a university, such data will not be transferred. Prior to any transfer data, we will obtain your express consent to such transfer of data by means of a so-called opt-in.

6. Possibility of objection and removal

In general, you may object the data processing, provided, however, that any data required for the performance of a contract or for pre-contractual measures will only be deleted if and to the extent such deletion does not affect the fulfilment of contractual or legal obligations. You may revoke any consent granted at any time with effect for the future via our general contact details. If you no longer wish to receive promotional emails from us, you may object to the sending of promotional emails at any time by email to Support or by clicking the unsubscribe link provided by us in each promotional email.

If you wish to terminate the registration, we kindly ask you to inform us by email to Support. Upon receipt of such notice we will delete your account immediately and inform any recipients about your objection accordingly if we are obliged to do so.

VIII. Matomo (analysis tool)

1. Scope of the data processing

We use the open source software tool Matomo (formerly PIWIK) on our platform to analyse the surfing behaviour of our users. The software sets a cookie on the user's computer (for cookies, see above). If individual pages of our platform are accessed, the following data is stored:

(1) Two bytes of the IP address of the user's calling system;
(2) The accessed web page;
(3) The web page from which the user accessed the respective web page (referrer);
(4) The subpages that are accessed from the called-up website;
(5) The duration of the visit of the website;
(6) The frequency of page accesses.

The aforementioned software runs exclusively on the servers of our platform. Therefore, the respective personal data of the users is stored on such servers and is not transferred to third parties.

The setting of the aforementioned software provides for the IP addresses not to be stored in full, but only 2 bytes of the IP address are masked (ex: 192.168.xxx.xxx). Thereby, an assignment of the shortened IP address to the calling computer is no longer possible.

2. Legal basis for the processing of personal data

The legal basis for the aforementioned processing of the users' personal data is Art. 6 para. 1 (f) GDPR.

3. Purpose of the data processing

The purpose of using analysis cookies is to improve the quality of our platform and its content. Through the use of analysis cookies, we may analyse the use of website and may constantly optimise our services accordingly.

The processing of the users' personal data enables us to analyse the surfing behaviour of the users. By evaluating the obtained data, we are able to compile information about the use of the individual components of our platform. This helps us to continuously improve our platform and its user-friendliness/the user experience. These purposes constate our legitimate interest in processing the data according to Art. 6 para. 1 (f) GDPR. By anonymising the IP address, the interest of the users in the protection of their personal data is taken into account sufficiently. Therefore, our interests outweigh your rights and freedoms. For more information on the privacy settings of the Matomo software, please see the following link: https://matomo.org/docs/privacy/.

4. Duration of storage

The data is deleted as soon as it is no longer required for our recording purposes, which is after 180 days in our case.

5. Possibility of objection and removal

By changing the settings of your Internet browser, you may disable or restrict the transfer of cookies. Cookies that have already been stored may be deleted by you at any time. This may also be done automatically. Please see Section 4 for more information.

IX. Chat solution Userlike

1. Scope of the data processing

On our platform, you may contact us directly via a chat function. For this purpose, we use the live chat software of the company Userlike UG (haftungsbeschränkt), Probsteigasse 44–46, Cologne, Germany. The processing of the data collected by Userlike in connection with the use of the chat function is carried out subject to and in accordance with the instructions of a data processing agreement.

Userlike uses cookies to enable you to have a personal conversation with us via real-time chat. It is not required to provide your name or email address, nor is it required to sign in or to register for the use of the chat widget. When you visit our platform, the chat widget is loaded via a JavaScript file from AWS Cloudfront provided by Amazon Web Services, having its registered office in Luxembourg. The chat widget technically is the source code executed on your computer an enabling the chat. In the event that the chat function is used, the following data is stored on the servers of the provider, which are hosted in Germany:

– Date and time of the access;
– Browser type/version of the requesting computer;
– IP address;
– Operating system used;
– URL of the previously visited website; and
– a randomised number.

Depending on the content of the communication, further personal data may be collected in connection with or in relation to the chat as disclosed by the user. Compliance with applicable data protection regulation is ensured in this respect by appropriate technical and organisational measures.

The data is processed exclusively for the processing of the correspondence and your inquiry. Furthermore, the data may be processed for protection against misuse of our IT systems.

2. Legal basis of the data processing

The legal basis for data processing is Art. 6 para. 1 (f) GDPR. In the event that the chat widget is used for the conclusion of a contract or for inquiries regarding support in connection with an existing contractual relationship between the respective user and us, the legal basis is Art. 6 para. 1 (b) GDPR.

3. Purpose of the data processing

The purpose of data processing is to optimise our platform by offering an immediate and uncomplicated device of communication in order to respond, as swiftly as possible, to any wishes and needs of users. In addition hereto, we offer support via the chat widget.

The aforementioned purposes as well as the prevention of misuse of our IT systems constitute our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR. Since the use of the chat widget is at the user's discretion and since (i) we do not store any sensitive data in this context, (ii) the data processing is carried out within the framework of data processing agreement according to our instructions, and (iii) the processing of data takes place within the EU, our legitimate interests outweigh the freedoms and rights of the user.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. With respect to the use of the chat widget, the data is stored for a period not exceeding 30 days.

5. Possibility of objection and removal

You are entitled to the data subject rights provided for in Section 11. In the event that you wish for the data collected via the chat widget to be deleted prior to its automatic deletion, please inform us accordingly.

X. Payment service provider

1. Scope of the data processing

We use the payment service provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (“PayPal”) to process the any payment in the event that you have subscribed for one of our fee-based service plan.

You provide PayPal with your personal data, such as first name, last name, address, date of birth, gender, email address, IP address, telephone number, cell phone number, and—subject to your registration with PayPal—banking data required for payment processing, e.g. account numbers, credit card numbers, passwords, verification numbers, validity date, and CVC code. Furthermore, any data related to your respective booking, such as prices, taxes, and other duties, may be required for processing of payments and therefore may be transerred to PayPal by us.

2. Legal basis for the data processing

The legal basis for the data processing for the performance of the contract is Art. 6 para. 1 (b) GDPR. In addition hereto, we use PayPal on basis of our legitimate interests pursuant to Art. 6 para. 1 (f) GDPR.

3. Purpose of the data processing

The purpose of the aforementioned data processing is the processing of payments in connection with our paid service plan.

We use Paypal to offer you an effective and secure payment option. This is our legitimate interest within the meaning of Art. 6 para. 1 (f) GDPR.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Invoice data will be deleted by us after expiry of the applicable retention periods under commercial and tax law.

5. Possibility of objection and removal

You are entitled to the “data subject rights” set forth in Section 11. The terms and conditions of PayPal apply to any payment transactions. For more information on data protection, please refer to PayPal's privacy policy available at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

XI. Your rights as a data subject

If your personal data is processed, you are deemed a data subject within the meaning of the GDPR. In this case, you are entitled to the following rights:

– Right to information regarding any data stored concerning you, including any recipients and the planned storage period according to Art. 15 GDPR;
– Right to rectification in the event that any incorrect data concerning you is processed according to Art. 16 GDPR.

Furthermore, you have the following rights, subject to the legal prerequisites:

– Right to deletion according to Art. 17 GDPR;
– Right to restricted processing according to Art. 18 GDPR;
– Right to information according to Art. 19 GDPR;
– Right to data transfer according to Art. 20 GDPR;
– Right to object according to Art. 21 GDPR;
– Right to revoke any granted consent according to Art. 7 Abs. 3 S. 1 GDPR.

If you believe, that the processing of your personal data violates applicable data protection regulation, you have the right to file a complaint with a data protection supervisory authority of your choice pursuant to Art. 77 para. 1 GDPR.

Right to object, Art. 21 GDPR

You have the right to object the processing of personal data concerning you pursuant to Art. 6 para. 1 lit. (e) or (f) GDPR at any time based on grounds relating to your particular situation; this also applies to any profiling based on the aforementioned provisions.

In this event, the controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing of the personal data, provided, that such grounds overweigh your interests, rights, and freedoms. The same shall apply in the event, that the processing of such personal data is required for assessment or exercise or defense against any legal claims.

In the event, that the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of such personal data concerning you for the purpose of such marketing; this also applies to any profiling, if and to the extent it is related to such direct marketing.

If you object the processing of personal data for direct marketing purposes, such personal data concerning you will no longer be processed for these purposes.

Notwithstanding the Directive 2002/58/EC, you are entitled to exercise your right to object by means of automated procedures using technical specifications in connection with the use of information society services.

XII. IT security

In order to protect the IT security of your data during data transmissions, we use the so-called TLS encryption method (256 bit key), which you can recognise by the lock symbol in the address line of the URL of our platform. In addition hereto, our IT systems are secured by firewalls, anti-virus/virus protection software, and other technical and organisational measures (in particular, without limitation, encryption methods) in accordance with the GDPR and the German Data Protection Act (BDSG).

XIII. Right of modification

We reserve the right to amend or adapt this data protection statement in order to comply with applicable legal requirements as may be amended from time to time. The amended version shall apply for any visit of our platform following the amendment.

[Current version: 13/08/2021]