PRIVACY POLICY

for MyCityHighlight user accounts, MyCityHighlight apps and MyCityHighlight websites
Valid per 25 May 2018

The protection of your personal data is a matter of particular concern to us whenever you register for our platforms (our apps and our websites) using your email address or your Facebook or Twitter account, or whenever you use our apps or visit the MyCityHighlight websites.

We process personal data solely and exclusively in compliance with the legal provisions of the European General Data Protection Regulation (GDPR) and the national data protection laws based on this regulation.

This privacy statement contains information about the most important aspects of the data processing relating to the use of our app and web services. We offer to you here a detailed overview of how we use your data that you have provided to us or that we have legally and correctly obtained in compliance with the terms and conditions defined here.

1. What personal data do we collect?

When you use our apps or visit our websites, the following data may be processed:

• Email addresses: If you register with an email account, we store and process the email address and other information that is made available.
• Facebook account data: If you register through your Facebook account, we may store and process the information made available during the registration process. Facebook will always show you what information we can access.
• Twitter account data: If you register through your Twitter account, we may store and process the information made available during the registration process.
• User-generated contents: If you use our apps or websites to create contents, we process and store all contents that you have generated. For instance: photos, favourites, saved locations, ratings, comments, insider tips, travel journals etc.
• App use log files: When you use our apps, we record your app user behaviour. These data include crash records, your actions in the app such as the search for maps or locations, the selection of buttons, the use of various app functionalities, date and time of use, your time zone, information about the specifications of your device and operating system, language settings and approximate location data derived from your IP address.
• Web use log files: When you use our websites, we record your user behaviour while on our websites. This includes your actions on the website such as search logs, clicks on buttons and links, date and time of use, your time zone, information about the specifications of your browser and operating system, language settings, approximate location data derived from your IP address, referrals from other websites and web searches.
• Server log files: When you use our apps or websites, we create server log files. They include date and time of access, access times, data throughput, access status and HTTP(S) status codes.
• Location data: Provided that you give your express consent, we collect, process and share location data, using as well third-party software components as an aid (mobile “SDKs”).
• Device identification numbers and IP addresses: When you use our apps, we process and store your mobile device identification number (such as the iOS UDID or Android Advertising ID) and IP addresses; when you visit our websites, we process and store your IP addresses.

2. Legal grounds or purpose of the data processing

Your data are stored and processed solely and exclusively for the purpose of being able to offer our platform, our app services and related services and/or to improve our websites.

1. Contract performance: The processing of your email addresses, Facebook and Twitter account data and/or the user-generated contents you have made available is required for the performance of the contract (point (b) of Art. 6 (1) GDPR). We collect your data for processing if you have voluntarily decided to enter these data. Your data will be processed if you have communicated them to us yourself, e.g. because you use one of the apps we offer and generate content (e.g. content you have generated: photos, lists, favourites, stored locations, ratings, comments, insider tips, travel journals etc.). In this case, the generated data are processed solely and exclusively for the performance of the pertinent service and are consequently required for performance of the contract for the use of the app.
2. Evaluation of your purchase: By completing your purchase, you agree that we may send you an invitation to evaluate the products you have purchased to the e-mail address you have provided. The rating of the products is voluntary.
3. Overriding legitimate interest: We have an overriding legitimate interest in the processing of app and web use logs, server log files, device identification numbers and IP addresses (point (f) of Art. 6 (1) GDPR). We use these data for the orderly operation of our apps, platform and websites, in particular so that we can discover and remedy errors. Our legitimate interest within the sense of the GDPR is the security and optimisation of our services and websites. Moreover, we transfer in this case data to third parties for statistical and analysis purposes and for the optimisation of interest-based marketing actions for the purpose of improving our services and products (see annex).We also have an overriding legitimate interest in the processing of email addresses, Facebook and Twitter account data, user-generated contents, app and web use log files for direct marketing purposes. We process in this sense solely and exclusively the data that you have voluntarily provided to us. The primary objective of this data processing is customer retention and customer acquisition. We are allowed to use these data to notify you of updates and to send to you notifications about our apps, products or services that could be of interest to you. We are allowed to use these data to recommend services, products or offers relating to the topics of “Travel” and “Leisure-time Offers” on our platforms or within our apps or websites. Moreover, we transfer your contact data (email address) to selected external service providers because they perform email and message services for us relating to direct marketing purposes (see annex). See number XX regarding your legal information and other rights resulting from the processing, storage and transfer of personal data.
4. Express consent: Insofar as you have given your express consent in our apps, we also process your location data with the aid of third-party software components (mobile “SDKs”). We transfer these data to external contract partners for purposes of interest-based advertising by third parties (see annex, list of contract partners), the classification of advertisements and for statistical and analysis purposes. In any case, we will request in advance your express consent. You may, however, withdraw any consent you have given at any time and without giving your reasons, effective for the future. (see number 3).
5. In addition, we use trackers, namely…. They collect information and data in the form of …. See number 3 for information about your legal information and other rights relating to personal data which arise for you because of the use of trackers.

3. Legal information and other rights and opt-out opportunities

In accordance with Art. 12 (1) GDPR, the processing, storage and transfer of personal data mean that you as the «data subject» have information rights with respect to us as the «controller» in accordance with Art. 13 and Art. 14 GDPR; in addition, there are communication obligations pursuant to Art. 15 to Art. 22 and Art. 34 GDPR.

In accordance with Art. 21 GDPR, you as the data subject affected by the processing of personal data have the right to object to the processing in the cases specified in this article.

In accordance with Art. 16 GDPR, you have a right to rectification.

In accordance with Art. 17 GDPR, you as the data subject have a right to request erasure of the stored data concerning you.

In accordance with Art. 18 GDPR, you have a right to the restriction of the processing of your data.

We offer the following opt-out opportunities for the exercise of your rights:

• Interest-based advertising: You may at any time decline interest-based advertising. To do this on your iOS device, go to “Settings”, then to “Privacy” and “Advertising”. On Android devices: Open “Google Settings”, then open “Ads” and enable “Opt out of interest-based ads”. When these settings have been made, our external service providers will not use information collected through the app to determine your interests and no ads — based on these interests — will be displayed on your device. We point out, however, that this may result in the loss of functions for some app services.
• Processing of locations: You can prevent the app from accessing location data at any time by disabling the location data in the settings of your device. We point out, however, that this result in the loss of location-based functions for some app services.
• Email: You may at any time disable the receipt of our Highlight-based emails in your user profile on the website (www.mycityhighlight.com).
• Deletion of your user profile: If you wish to delete your user profile, send us an email to the address moc.thgilhgihyticymobfsctd@ofni. Tell us which email address is linked to the profile you wish to delete. Note: If we delete your profile, you will irrevocably lose all of the user-generated data you have created such as stored locations and favourites etc. Moreover, there may a loss of the functions of some app services.
• Erasure of other tracking data

In addition, you have the right pursuant to Art. 77 GDPR to lodge a complaint with the competent data protection authority.

4. Storage of the data

We store data on servers in Switzerland. We implement all reasonable measures to ensure that your data are secure and are used as described in this privacy policy.

We use secure servers to ensure the lawful storage of the data. Every transmission of personal data is encrypted for security reasons.

The transmission of data on the internet can never be absolutely secure, however. We can therefore not guarantee the security of data that have been electronically collected or transmitted; however, we implement the necessary measures that are under our control to ensure the best possible security.

You make your data available at your own risk. Where necessary, a password may be required to access sections of our apps or our websites. You bear the sole responsibility without any limitations for the security and confidentiality of the password you generate.

5. Transfer of data

In addition to the cases described under number 2, your data may be transferred to third parties under the following conditions:

Transfer is allowed if we sell our company, in whole or in part, or parts of its assets to third parties.
Your data may be transferred to every employee in our company and to employees of affiliated companies for the purpose of the data use and processing as set forth in this privacy policy.
Legal regulations to which our company is subject may require the transfer of your data.

6. Integration of third-party services and content

It is possible that content or services from third-party providers, such as city maps or fonts from other websites, are integrated within our online offer. The integration of third-party content always requires that the third-party provider is aware of the IP address of the user. Without the IP address, the content cannot be sent to the user’s browser. The IP address is therefore required for the display of this content. Furthermore, the providers of third-party content can set their own cookies and process the users’ data for their own purposes. In doing so, user profiles can be created from the processed data. We will use this content as sparingly as possible and in a way that avoids data loss, and we will select reliable third-party providers with regard to data security.

The following presentation provides an overview of third-party providers and their content, together with links to their data protection declarations, which contain further information on the processing of data and, in part already mentioned here, options for objection (so-called opt-out):

External fonts from Google, Inc, https://www.google.com/fonts (“Google Fonts”). The integration of Google Fonts takes place via a server call at Google (usually in the USA). Privacy policy: https://www.google.com/policies/privacy/,
Opt-out: https://www.google.com/settings/ads/.

Videos from the “YouTube” platform of the third-party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

This website uses the reCAPTCHA service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). The purpose of the query is to distinguish whether the input is made by a human or by automated, machine processing. The query includes the sending of the IP address and possibly other data required by Google for the reCAPTCHA service to Google. For this purpose, your input will be transmitted to Google and used there. On behalf of the operator of this website, Google will use this information to evaluate your use of this service. The IP address transmitted by your browser as part of reCaptcha will not be merged with other Google data. Your data may also be transmitted to the USA. The processing is based on Art. 6 (1) lit. a DSGVO with your consent. You can revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. You can find more information about Google reCAPTCHA and the associated privacy policy at:
https://www.google.com/privacy/ads/.

This website uses the Google Tag Manager. This is a solution with which we can manage so-called website tags via an interface and thus, for example, integrate Google Analytics and other Google marketing services into our online offer. The tag manager itself, which implements the tags, does not process any personal data of the users. With regard to the processing of users’ personal data, please refer to the following information on Google services.

Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

7. Hyperlinks on third-party websites

Every third-party website or app that can be accessed from our platform, our apps or our website must always maintain its own privacy policy. We recommend that you review the terms and conditions defined on these sites or apps. Our privacy policy does not cover websites or apps that can be accessed from our platforms (in our apps or on our websites) by clicking on hyperlinks. Contents on linked sites or apps are solely the responsibility of the operators of the sites and apps. We expressly preclude any and all liability and/or responsibility for the handling of your data by third parties. We point out that third-party websites or apps are beyond our control; we do not have any influence on the data collected there and the data processing activities, nor are the scope of the data collection, the purposes of the collection or the storage periods known to us.

8. Data subject rights and contact

Please write to MyCityHighlight AG, Talgut-Zentrum 7, 3063 Ittigen, Switzerland, or send an email to hc.thgilhgihyticymobfsctd@ofni to exercise your rights as described above to obtain information about the personal data concerning you that we process (Art. 12 in conjunction with Art. 13, Art. 14, as well as Art. 15 to Art. 22 and Art. 34 GDPR), the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) and restriction of the processing (Art. 18 GDPR) and the right to object pursuant to Art. 21 GDPR.

To exercise your right to lodge a complaint pursuant to Art. 77 GDPR, please contact the competent supervisory authority.

In addition, you have the right to lodge a complaint by sending it to the
Federal Officer for Data Protection and Freedom of Information,
Husarenstrasse 30, D-53117 Bonn,
Phone: +49 0228 997799–0
Email: ed.dnub.idfbobfsctd@elletstsop,
as the competent supervisory authority.

9. Modifications of this privacy statement

We reserve the right to amend or modify this privacy statement at any time, effective for the future; the most recently revised version can be accessed on the website