CU Entertainment OG, FN 520875 v, Dreierschützengasse 12/Top 2, 8020 Graz (hereinafter also referred to as “Operator”) operates mobile apps for Android and iOS. The Operator, as the responsible party within the meaning of the General Data Protection Regulation (GDPR), decides on the purpose and means of data processing and is ultimately responsible for ensuring that data processing is carried out in accordance with the statutory rules.
Please note that the original wording is valid only from the German version and that this is an English translation of the original text which may contain discrepancies and translation errors or gaps.
Customers who use CU’s platform entrust the operator with personal data. Personal data is any kind of information that can be directly or indirectly associated with a natural person or a company. This includes, among others, the name, address, e-mail address, telephone number. In addition, the IP address or information about usage behavior can be considered personal data.
II. Data collection and processing
The Operator collects data in connection with the registration and also with the subsequent use of the CU Services. Personal data is collected in the following ways:
1. Data that the operator receives from the user
When the user creates his account or sets activities as a registered user, then he shares information about himself with the operator. Personal data in this category is actively communicated by the user, e.g. by completing the registration, by contacting the support or by feedback given by the user through functions set up specifically for this purpose.
To make it easier for the user to register and to reduce the risk of scammers and spammers, the user has three options for registration:
a. The registration with Facebook Connect:
In doing so, the operator accesses certain data that is stored in the user’s Facebook profile and that the user releases during registration. This authorization can be revoked by the user at any time at Facebook. Of course, the operator does not have access to the user’s Facebook login data. The operator is not liable and is not responsible for incorrect or unauthorized data transfers by Facebook.
b. The registration with Google Sign in:
In doing so, the operator accesses certain data that is stored in the user’s Google profile and that the user releases during registration. This authorization can be revoked by the user at any time at Google. Of course, the Operator does not have access to the User’s Google login data. The operator is not liable and is not responsible for incorrect or unauthorized data transmission by Google.
c. The registration with e-mail and SMS confirmation:
In doing so, the operator accesses the user’s data that he or she provided during registration. The profile data provided by the user, i.e. name, e-mail address and telephone number must be truthful and complete and kept up to date.
2. Data collected when using the CU services.
When using the CU Services and performing activities, the User transmits data that is stored by the Operator in order to identify the User and ensure the smooth provision of the CU Services. At the same time, the Operator stores information when the User contacts the Operator, for example, when the User sends an email to the Operator’s User Support to assist the User and answer questions. The Operator may use anonymized and aggregated data regarding such requests to improve the Services.
When using CU services, the operator collects information about user activity, such as which services and pages are visited within CU and how they are used. It also collects a number of data that the Operator receives as a result of the use of the CU Services. This includes:
a. Technical information about the user's device and Internet connection
Through server logs and other tools, the Operator collects information about the User’s Device and Internet connection, including operating system, browser version, IP addresses, cookies and other unique identifiers. In order to analyze how the Operator’s services are used, the technical information is usually processed as aggregated data. However, the aggregated data can also be linked to the user’s account, for example, in order to adapt the CU services to the device used by the user.
b. Information on the use of CU services
The Operator records the User’s activities, such as logging in and logging out from the User’s account, or purchasing products and services within the CU Services. The Operator also stores information about the User’s CU visits. The Operator uses this information, among other things, to prevent abuse and fraud, to improve the CU Services and to provide the User with personalized services, recommendations or information.
c. Location information
When using CU, the operator determines the location of the user based on the IP address or the determined geo-location. This information is used, for example, to display content and to show the user ads relevant to their location, to improve CU services, and, to determine and display the location of posted purchase ads. To make it difficult to infer the user’s location, the seller’s location is displayed offset for posted listings.
d. Cookies and anonymized identifiers
When the User uses the CU Services, the Operator makes use of various technologies to identify the User as such. For example, the CU website uses “cookies” to enable all the functionalities of the CU website and to facilitate the use of the site. Cookies enable the user, for example, not to have to log in again each time he or she uses the CU services on the CU website. The Operator reserves the right to store anonymized identifiers on the User’s mobile device, especially since cookies cannot be used on them.
3. Information from other sources
The Operator may from time to time receive information from, for example, its partners, ad networks and other third parties to help it understand the User’s activities and preferences or to help improve the CU Services. For example, when the user creates his user account through Facebook, the operator may add basic information to the information received from Facebook. Furthermore, an advertiser can inform the operator what happens when an ad is clicked on the operator’s website. This allows the operator to measure the impact of the ad to provide the user with appropriate advertising or content. Usually, analyses of this kind are aggregated and anonymized.
III. Purpose of data processing
The Operator uses the User’s data for the following purposes:
The Operator processes the data 1) to provide the CU Services; 2) to improve and develop the CU Services; 3) for personalized advertising, offers and recommendations to the Users; 4) to identify market trends; 5) to prevent, contain and investigate the misuse of the CU Services.
The purposes of data processing are detailed below.
1. Provision of CU services
In order to use the CU services, it is necessary for the operator to determine the current user location. This enables the display of events in the vicinity of the user used.
In addition, the operator uses other personal data to personalize the user account and provide a good user experience. This includes, in particular, the user experience related to registration, login, purchase and sale of tickets for events and services.
2. Improvement and further development of CU services
The operator uses information to improve its services, for example by making the registration process, the log-in or the process of paying for premium services as user-friendly as possible. For example, the operator can record the steps (screen views, clicks) that the user has gone through when searching for a product in order to analyze whether and to what extent individual elements are confusing for the user. Typically, analyses of this type are aggregated and anonymized, although the operator may also use individually attributable data to provide technical support or to better understand how individual users use the CU services.
Furthermore, the operator uses certain tracking tools to improve the CU Services and to detect and analyze errors. For this purpose, the operator records the usage behavior of the user on the CU Services both independently and through third-party providers (e.g. Google Analytics, crashlytics).
Notifications of upcoming changes or improvements to the CU Services will be sent to the User by the Operator using the User’s e-mail address or, if the User uses mobile devices, via push notifications. In addition, the User will receive the CU Newsletter at regular intervals. To unsubscribe from the newsletter, simply deactivate the newsletter subscription in the user profile or click directly on the corresponding unsubscribe link in the newsletter. Push notifications can be deactivated directly in the system settings of the mobile device.
3. Personalized content, offers and recommendations
The operator uses the available information to personalize the CU services and to offer content relevant to users. The Operator reserves the right to offer content and recommendations based on User activity – for example, products may be recommended based on popularity with other Users.
The operator also places advertisements on its platform itself or works with external partners to place and optimize its own and third-party advertisements.
For the purpose of playing out personal data on the Service, data such as birthday (if disclosed by the User), gender (if disclosed by the User), approximate geographic location, language, Internet service provider, categories of interests may also be disclosed to advertising network operators such as Google, Facebook, AppNexus and similar providers.
If the consent of the user is required for this data transfer, this will be obtained separately. In this case, this consent can be revoked at any time in the user settings.
4. Recognizing market trends
The operator analyzes data in order to better understand trends and to adapt, improve and further develop the CU services accordingly. The trend analysis can either be performed by the operator directly or by third parties who prepare data on behalf of the operator. Collaboration with third parties to prepare data is based on contract data processing agreements with strict regard to confidentiality and integrity.
5. Prevention, containment and investigation of misuse of the CU Services.
CU uses information to prevent various forms of misuse of the CU Services, such as fraudulent activity, denial of service attacks, spamming, unauthorized access, or other activities that violate our TOS or are prohibited by law.
IV. Legal basis of data processing
If the operator processes personal data of users, this is done to fulfill the contract by the operator or is necessary to protect the overriding legitimate interests of the operator.
Any further data processing will only take place with the express consent of the user or on the basis of legal regulations.
V. Use of data by third parties
For all services that use social networking functions such as the Facebook Like button or the Google +1 button, it should be noted that Facebook and other social networking providers can collect data about the user, even if the user is not registered on a page or has consented to the exchange of data. By using popular functions such as the Facebook “Like Button” or the Google “+1 Button”, the providers of these functions can draw conclusions about page visits and Internet usage behavior of the respective user. More detailed information on this can be found in the respective usage and privacy policies of the respective providers. (e.g. http://www.google.at/intl/de/policies/privacy/, http://www.facebook.com/policy.php)
The user can prevent such data collection by logging out of the respective social networks before using the operator’s services.
VI. Passing on the data
However, the above statements do not preclude the operator from using service providers who process the data for the operator on the basis of a corresponding commissioned data processing agreement. Service providers to whom personal data is transferred for processing may only process the data for those purposes that are specified in these data protection provisions and that have been expressly agreed with the respective service provider.
A transfer of personal data is only possible for the following reasons:
1. Transmission of personal data to third parties
The operator may disclose personal data to the police or other authorities if there is a suspicion of unlawful conduct in connection with the use of the CU Services and if there is a corresponding court order or administrative order. Personal data may be disclosed to other third parties if they can demonstrate an overriding legal interest in establishing the identity of a user and a specific unlawful circumstance and, moreover, credibly demonstrate that knowledge of this information is an essential prerequisite for legal prosecution.
2. Commissioned data processor
The operator also uses service providers (data processors within the meaning of the GDPR) for its activities, in particular for the display of advertising, for the analysis of user behavior and for the integration of third-party services. Commissioned data processing contracts are concluded with such service providers in accordance with Art. 28 DSGVO.
3. The transfer of personal data to a non-EU or non-EEA country
The Operator shall only transfer the User’s personal data to recipients in a country outside the EU or the EEA if a decision of the EU Commission on adequate data protection for this country is available or if the EU standard contractual clauses have been concluded with these recipients and the transfer is legally permissible on the basis of these standard contractual clauses. In all other cases, transfer to other EU countries will only take place with the consent of the user.
4. Payment with the payment provider Stripe
Stripe is a third-party payment solution that makes it possible to process credit and debit card payments.
The CU website uses “cookies” to enable all functionalities of the CU website and to facilitate the use of the site. “Cookies” are small text files that allow the operator to store specific information on the user’s PC while visiting the operator’s website.
In addition, third-party providers may set cookies over which the operator has no control.
The user can deactivate the storage of cookies, limit them to certain websites or set his browser to notify him about cookies. He can also delete cookies from the hard disk of his PC at any time. In these cases, a restricted display of the page and limited user guidance must be expected.
VIII. Rights of the user
1. Right to information
The User has the right to obtain information as to whether and which personal data the Operator processes about the User and to obtain copies of such data.
2. Right to rectification, restriction and deletion
The user has the right to request correction, completion, restriction or deletion of personal data.
3. Right of withdrawal
Under certain circumstances, the user is entitled to object to the processing of personal data and to revoke any consent previously given.
4. Data portability
The user has the right to request data portability of the registration data.
5. Right of appeal
The user is entitled to complain to the competent data protection authority (www.dsb.gv.at).
IX. Duration of storage
The operator does not store personal data longer than it is necessary for the fulfillment of the above purposes. Users’ personal data is regularly deleted or anonymized when it is no longer relevant for the aforementioned purposes. For example, the operator stores personal data as long as the user’s account has not been deleted or the user has not expressed a revocation according to point VIII. or as long as the data is necessary for the provision of CU services or there is no legal restriction whatsoever.