We are pleased that you are visiting the joint website of Univers GmbH and Univers Operations GmbH (hereinafter "Univers" or "we"). We are very pleased that you are interested in our company and products. Data protection is of a particularly high priority for the management of Univers. This privacy policy is intended for visitors to our website and also for users of our customer portal or app if you are a customer of Univers Operations GmbH and have booked this service with us.

The use of our website is possible without any indication of personal data. However, if a data subject wants to use special services of our enterprise via our website, processing of personal data could become necessary.

The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the country-specific data protection regulations applicable to Univers. By means of this data protection declaration, our enterprise would like to inform the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed of their rights by means of this data protection declaration.

As the controller, Univers GmbH and Univers Operations GmbH have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be vulnerable to security risks, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.

1. Definitions

The data protection declaration of Univers is based on the notions used by the European Directive and Regulation Authorities when issuing the General Data Protection Regulation (GDPR).

2. Name and Address of the Controller

The jointly responsible persons within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature are the:

Univers GmbH

Leopoldstraße 248

80807 Munich

and

Univers Operations GmbH

Leopoldstraße 248

80807 Munich

Both companies are represented by their managing director, Mr. Drazen Nikolic.

3. Data Protection Officer

If you have any questions regarding the processing of your personal data, you can contact our data protection officer directly. You can reach our data protection officer at Univers GmbH, Leopoldstraße 248, 80807 Munich, Germany, datenschutz@univers.de.

4. Cookies

Our website uses cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.

Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID. Through the use of cookies, we can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.

By means of a cookie, the information and offers on our website can be optimized in the sense of the user. Cookies allow us, as already mentioned, to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter his or her access data each time he or she visits the website, because this is handled by the website and the cookie stored on the user's computer system. Another example is the cookie of a shopping cart in an online store. The online store uses a cookie to remember the items that a customer has placed in the virtual shopping cart.

The data subject can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

The following categories of cookies are used by us:

Technically necessary cookies

Technically necessary cookies are those that are required for the smooth functioning of our website. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the smooth functioning of our website.

Analysis cookies

With analysis cookies we can measure the reach of our own offer. Through the cookie set, we can track, among other things, which website was visited before our website was called up and how our website was used. We use this data to, among other things, optimize our website by evaluating the campaigns we run. The legal basis for the processing is Art. 6 para. 1 lit. a) GDPR. You can give your consent by, actively clicking on "Accept" in the displayed notice, continuing to use the website after a corresponding notice is displayed or changing the cookie settings accordingly.

You can revoke your consent at any time. Your revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Marketing cookies

Marketing cookies help us to show you interest-based advertising. When you visit another website, your browser's cookie is recognized and you are shown selected advertising based on the information stored in this cookie. These cookies are only set if you have actively consented to this. The legal basis for the processing is Art. 6 para. 1 lit. a GDPR. You can give your consent by actively clicking on "Accept" in the displayed notice or by changing the cookie settings accordingly.

You can revoke your consent at any time below. Your revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

5. Collection of general data and information

Our website collects a series of general data and information with each call of the website by a data subject or an automated system. This general data and information is stored in the log files of the server. The following data may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, we do not draw any conclusions about the data subject. Rather, this information is needed (1) to display the contents of our website correctly, (2) to optimize the contents of our website and the advertising for it, (3) to ensure the long-term functionality of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. Therefore, we statistically evaluate this anonymously collected data and information on one hand, and on the other hand, with the aim of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

6. Possibility of contact via the website

Based on statutory provisions, our website contains data that enable a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purpose of processing the request or contacting the data subject. There is no disclosure of this personal data to third parties. The legal basis of the processing is Art. 6 para. 1 lit. b GDPR.

7. Routine deletion and blocking of personal data

The controller shall process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.

If the purpose of storage no longer applies or if a storage period prescribed by the European Directive and Regulation or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

8. Rights of the data subject

As a data subject, you are entitled to various rights, which arise in particular from Art. 15 et seq. GDPR.

·  Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with the legal requirements.

· Right to rectification: You have the right to request that data concerning you be completed or that inaccurate data concerning you be rectified.

· Right to erasure: (right to be forgotten): In accordance with Art. 17 GDPR, you can request that data concerning you be deleted without delay.

· Right to restriction of processing: You have the right to request restriction of processing in accordance with the law.

· Right to data portability: In accordance with Art. 20 GDPR, you have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format or to request the transfer of this data to another controller.

· Right to revoke consent granted under data protection law: You may revoke consent granted at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

· Right to object: In accordance with Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

· Right to lodge a complaint with the supervisory authority: If you believe that the processing of data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority.

9.  Data protection during applications and the application process

The controller collects and processes the personal data of applicants for the purpose of processing the application procedure. The legal basis of the processing is Art. 6 (1) lit. f GDPR. The controller has a legitimate interest in selecting a suitable applicant. The processing may also be carried out electronically. This is particularly the case if an applicant submits relevant application documents to the controller by electronic means, for example by e-mail or via a web form located on the website. If the controller concludes an employment contract with an applicant, the transmitted data will be stored and processed for the purpose of handling the employment relationship in compliance with the statutory provisions. The legal basis of the processing is Art. 6 para. 1 lit. b GDPR. If the controller does not conclude an employment contract with the applicant, the application documents are automatically deleted two months after notification of the rejection decision, provided that no other legitimate interests of the controller conflict with such deletion. The legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

10. Use of Google Tag Manager

We use "Google Tag Manager" on our website, a service of Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as "Google"). Google Tag Manager enables us as marketers to manage website tags via an interface. The Google Tag Manager tool that implements the tags is a cookie-less domain and does not itself collect any personal data. Google Tag Manager takes care of triggering other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

Third-party information: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland

Further information on data protection can be found on the following Google web pages:

· Privacy policy: https://policies.google.com/privacy?hl=de&gl=de

· FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html

· Terms of Use Google Tag Manager: https://www.google.com/intl/de/tagmanager/use-policy.html

11. Use of Google Analytics

We use Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), on our website and for our online offers.

Google Analytics uses cookies, which are small text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about the use of our website (including the IP address of the user) will be transmitted to and stored by Google on servers in the United States.

Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. a GDRPR.

Our website also uses the Google Analytics demographic reports feature. This uses data from interest-based advertising from Google and visitor data from third-party providers (e.g. age, gender and interests). This data cannot be traced back to a specific person. The function can be deactivated at any time via the ad settings. The statistics obtained allow us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Google Analytics is Art. 6 para. 1 p. 1 lit. a GDPR.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to the use of our website (including IP address) to Google or the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

For Google's user terms information, please visit: https://www.google.com/analytics/terms/de.html, privacy overview at: https://policies.google.com/?hl=de, privacy policy at: http://www.google.com/intl/de/policies/privacy.

Google Analytics is only used by us with activated IP anonymization ("anonymize IP"). This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. We have concluded an order processing agreement with Google, in which we fully implement the strict requirements of the German data protection authorities when using Google Analytics. To ensure compliance with the provisions of the GDPR in the context of data transfers to third countries, Google uses in particular so-called standard contractual clauses that have been approved by the EU Commission. You can find more information on this at https://privacy.google.com/businesses/compliance/#!?modal_active=none

12. Newsletter

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information by us or our cooperation partners.

12.1 Mail Chimp

For sending the newsletter, we use the newsletter service "MailChimp" offered by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service with which, among other things, the sending of newsletters can be organized and analyzed. Rocket Science Group LLC is part of the Intuit group of companies. The parent company of Rocket Science Group LLC is Intuit Inc.

When you subscribe to our newsletter, the following data is processed: Email address, date and time, IP address.

The data you enter for the purpose of receiving the newsletter (e-mail address) is stored on Mail Chimp's servers in the USA.

The Rocket Science Group LLC (Mail Chimp) has committed to comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework published by the U.S. Department of Commerce regarding the collection, use and retention of personal data from the member states of the EU and Switzerland, respectively. Rocket Science Group LLC (Mail Chimp) has declared by certification that it complies with the Privacy Shield Principles. Mail Chimp uses so-called standard contractual clauses that ensure compliance with the provisions of the GDPR when processing data in the USA. Further information on this can be found at: https://mailchimp.com/legal/ as well as at further information on this can be found at: https://mailchimp.com/legal/ as well as at https://mailchimp.com/de/help/mailchimp-european-data-transfers/.

Furthermore, we have concluded a "Data Processing Agreement" with Mail Chimp. This is a contract in which Mail Chimp undertakes to protect the data of our users, to process the data exclusively in accordance with the data protection provisions on our behalf. For more information, please visit: https://mailchimp.com/legal/data-processing-addendum/.

With the help of Mail Chimp, it is possible for us to analyze our newsletter campaigns. We can see, for example, whether a newsletter message was opened and which links, if any, were clicked. In this way, we can determine which links were clicked on particularly often. In addition, we can see whether certain previously defined actions were performed after opening/clicking (conversion rate). We can thus see, for example, whether you have made a purchase after clicking on the newsletter. Mail Chimp also allows us to subdivide ("cluster") newsletter recipients based on various categories. In this way, the newsletters can be better adapted to the respective target groups. For detailed information on Mail Chimp's features, please refer to the following link: https://mailchimp.com.

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). The granting of consent follows the so-called double opt-in procedure. In a first step, you enter the mandatory information (e.g. e-mail address) and consent to the processing of your personal data by checking the box provided for this purpose. You will then automatically receive an e-mail with a confirmation or activation link, which you must also confirm or activate. This ensures that the e-mail address entered on our website also belongs to you.

You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.

12.2 Google reCaptcha

To protect ourselves from misuse of our registration forms, we use the Google reCaptcha tool offered by Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland. Captcha is an abbreviation for completely automated public turing test to tell computers and humans apart. The service evaluates the behavior of users of our website (e.g. mouse movements or queries) in order to distinguish humans from bots. This involves ticking the "I am not a robot" text box or, under certain circumstances, solving small tasks that can be easily performed by humans but pose considerable difficulties for machines. Further information on Google reCaptcha and the data used can be found at https://www.google.com/recaptcha/about/. Google's privacy policy can be found at https://policies.google.com/privacy.

The data processing is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting ourselves from misuse of our registration forms by bots.

13. Push notifications

For our smartphone app and on this website, we use OneSignal, a push messaging service provided by OneSignal Inc., 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA, (hereinafter "OneSignal") to send push messages to users and to organize, optimize and customize the sending of push messages to our users.

To sign up for push notifications, you must confirm your browser or device's request to receive notifications. This process is documented and stored by OneSignal. For this purpose, the login time and a browser or device ID are stored in OneSignal's servers in the USA. This data is used on the one hand to be able to send you the push notifications and on the other hand as proof of your registration. The processing of your data via OneSignal is based on your consent (Art 6 para 1 lit a GDPR).

You can opt out of receiving push notifications by configuring the appropriate settings on your device.

OneSignal also evaluates our push notifications statistically. OneSignal can thus identify if and when our push notifications were displayed and clicked on. This allows us to determine which push notifications interest recipients in order to tailor future messages to the presumed interests of all recipients and thus increase interest in our offer.

You can revoke your consent to the storage and use of your personal data to receive our push notifications at any time with effect for the future. You can revoke your consent in the settings provided for receiving push notifications in your browser. If you use our push notifications on a desktop PC with the "Windows" operating system, you can also unsubscribe from the push notifications by right-clicking on the respective push notification in the settings that appear there.

Your data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. Accordingly, your data will be stored as long as the subscription to our push notifications is active.

We have entered into a "Data Processing Agreement" with OneSignal. This is a contract in which OneSignal undertakes to protect the data of our users, to process the data exclusively in accordance with the data protection provisions on our behalf and in accordance with instructions. OneSignal also uses so-called standard contractual clauses that ensure compliance with the provisions of the GDPR.

For more information, please visit: https://documentation.onesignal.com/docs/data-questions.

14. Use of Firebase Crashlytics

To further improve our app, we use the technology of Firebase Crashlytics, an analytics tool of Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland, (hereinafter: Google Firebase).

When our app crashes, we receive a report about it, which we transmit anonymously to Google Firebase for analysis purposes. On our behalf, Google Firebase evaluates the data in connection with the crash of our app. This involves collecting information about the device used and the use of our app (e.g., the timestamp, when the app was launched, and when the crash occurred), which enables us to diagnose and resolve problems. However, this data may also include personal data in individual cases if this data is the trigger of the erroneous behavior and is stored by Google Firebase on their servers in the USA. This personal data will not be merged with your other profile information. Chat messages are excluded from this and are not sent with crash reports. A detailed overview of the data collected by Google Firebase can be found at: support.google.com/firebase/answer/6318039.

The processing of this data is necessary for us to further improve the stability and security of the app. The legal basis for the processing is Art. 6 (1) p. 1 lit. f GDPR. We have a legitimate interest in improving and optimizing our app.

For more information from Google Firebase on user terms and conditions, please visit: https://firebase.google.com/terms/crashlytics/, the privacy and retention overview at: https://firebase.google.com/support/privacy/, and general information at https://firebase.google.com.

We have concluded an order processing contract with Google Firebase, in which we fully implement the strict requirements of the German data protection authorities when using Firebase Crashlytics. To ensure compliance with the provisions of the GDPR in the context of data transfers to third countries, Google uses in particular so-called standard contractual clauses that have been approved by the EU Commission. For more information, please visit https://privacy.google.com/businesses/compliance/#!?modal_active=none

15. Use of Commercetools

To process orders, we use commercetools, a service of Commercetools GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany (hereinafter: commercetools). In this context, commercetools processes data that is relevant in the context of ordering processes, such as name, address or delivery addresses. We have concluded an order processing contract with commercetools, in which we fully implement the strict requirements of the German data protection authorities when using commercetools. The legal basis for the processing is Art 6 (1) lit. b GDPR.

Access to the information by subsidiaries of commercetools GmbH for support purposes in third countries (Commercetools Pte. Ltd. and Commercetools Inc.) cannot be excluded, so that a corresponding EU standard contract (adequate guarantee for data processing in non-European countries) has been concluded. The EU standard contractual clauses used can be accessed via the URL https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.

Further information on data use by commercetools can be found at https://commercetools.com/de/datenschutz.

16. Duration for which the personal data are stored

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfillment or initiation of the contract.

17. Rules for the provision of personal data

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner).

Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.

Before the data subject provides personal data, the data subject must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or by contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

18. Existence of automated decision making

As a responsible company, we do not use automatic decision-making or profiling.

As of January 31, 2022