Data protection

Table of contents

1. General information

1.1 Goal setting and responsibility
1.2 Legal basis
1.3 Rights of those affected
1.4 Data deletion and storage period
1.5 Security of processing
1.6 Data transfer to third parties, subcontractors and third-party providers

2 Processing as part of our online offering

2.1 Collection of information about the use of the online offering
2.2 Contact form and contact via email
2.3 Links to other websites
2.4 Information about Google services
2.5 MYFONTS
2.6 Google Tag Manager
2.7 Google Analytics
2.8 Consent management (click cookies)

3 Processing for the purpose of carrying out our business processes

3.1 Direct marketing
3.2 Advertising to existing customers
3.3 Answering inquiries about projects

4 Cookie Policy

4.1 General information
4.2 Cookie overview
4.3 Possible objections

5 Changes to the privacy policy

---

1. General information

1.1 Goal setting and responsibility

1. This data protection declaration informs you about the type, scope and purpose of the processing of personal data in relation to our online offering and the associated websites, functions and content (hereinafter collectively referred to as the “online offering” or “website”). Details on these processing activities can be found in Section 2.
2. Details on data processing for the purpose of carrying out our business processes are described in Section 3.
3. The provider of the online offer and responsible for data protection is the Smart Building Innovation Foundation (c/o UBM Development Deutschland GmbH – Lietzenburger Str. 44/46, 10789 Berlin, Germany) - hereinafter referred to as “Provider”, “we” or “us” .
4. No data protection officer has been appointed as there is no legal requirement.
5. The term “user” includes all customers and visitors to the online offering.

1.2 Legal basis

We collect and process personal data based on the following legal bases:
a. consent in accordance with Article 6 paragraph 1 lit. a of the General Data Protection Regulation (GDPR). Consent is any voluntary, specific, informed and unambiguous expression of will in the form of a statement or other clear affirmative action by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her.
b. Necessity to fulfill the contract or carry out preparatory measures in accordance with Article 6 Paragraph 1 lit. b GDPR, i.e. the data is necessary so that we can fulfill the contractual obligations towards you or we need the data to prepare a contract with you.
c. Processing for Fulfillment of a legal obligation in accordance with Article 6 paragraph 1 lit. c GDPR, which means that processing of the data is required, for example, due to a law or other regulations.
d. Processing for Safeguarding legitimate interests in accordance with Article 6 paragraph 1 lit. f GDPR, which means that the processing is necessary to protect the legitimate interests of us or third parties, unless the interests or fundamental rights and freedoms of yours that require the protection of personal data outweigh them.

1.3 Rights of those affected

You have the following rights regarding data processing by us:
a. Right to lodge a complaint with a supervisory authority in accordance with Article 13 paragraph 2 letter d) GDPR and Article 14 paragraph 2 letter e) GDPR.
b. Right to information in accordance with Article 15 GDPR
c. Right to rectification in accordance with Article 16 GDPR
d. Right to deletion (“right to be forgotten”) in accordance with Article 17 GDPR
e. Right to restriction of processing in accordance with Article 18 GDPR
f. Right to data portability in accordance with Article 20 GDPR
G. Right to object in accordance with Article 21 GDPR
Note: Users can object to the processing of their personal data at any time with future effect in accordance with legal requirements. The objection can in particular be made against processing for direct advertising purposes.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of your personal data is contrary to violates the GDPR.

1.4 Data deletion and storage period

1. The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data to conclude or fulfill a contract.
2. If necessary, we process your personal data for the duration of our business relationship, which also includes, for example, the initiation and processing of a contract. In addition, we are subject to various retention and documentation obligations, which arise, among other things, from the Commercial Code (HGB) and the Tax Code (AO). The periods specified there for storage and documentation are 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents (§§ 238, 257 para. 1 and 4 HGB, § 147 para. 1 and 3 AO). Such storage and documentation obligations apply in particular if you conclude a contract with us. Finally, the storage period is also determined by the statutory limitation periods, which, for example, according to Sections 195 ff. of the Civil Code (BGB), are usually three years, but in certain cases can also be up to thirty years. After the retention and documentation obligations as well as the relevant limitation periods have expired, we delete the data. Log files and cookies will be deleted within the deadlines mentioned below.

1.5 Security of processing

1. We have implemented appropriate technical and organizational security measures (TOMs) that reflect the state of the art. This protects the data we process from accidental or intentional manipulation, loss, destruction and unauthorized access.
2. The security measures include, in particular, the encrypted transmission of data between your browser and our server.

1.6 Data transfer to third parties, subcontractors and third-party providers

1. A transfer of personal data to Third only takes place within the framework of the legal requirements. We only pass on users' data to third parties if this is necessary, for example, for billing purposes or for other purposes if the transfer is necessary to fulfill contractual obligations to the users.
2. Unless we Subcontractors for our online offering, we have taken appropriate contractual precautions and appropriate technical and organizational measures towards these companies.
3. If we receive content, tools or other means from other companies (hereinafter referred to collectively as “Third Party“) and whose registered office is in a third country, it can be assumed that data is transferred to the countries where the third-party providers are based. We will only transfer personal data to third countries if there is an appropriate level of data protection, user consent or other legal permission.

2 Processing as part of our online offering

2.1 Collection of information about the use of the online offering

1. When using the online offering, information is automatically transmitted to us from the user's browser; This includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
2. This information is processed based on legitimate interests in accordance with Article 6 Paragraph (1) lit. f GDPR (e.g. optimization of the online offering) and to ensure the security of processing in accordance with Article 5 Paragraph (1) lit Investigation of cyber attacks).
3. The information will be automatically deleted no later than 30 days after the end of the connection - ie use of the online offer - unless there are other retention periods to the contrary.
4. The collection of data and the storage of the data in log files is absolutely necessary for the provision of the online offer. The user therefore has no possibility of deletion, objection or correction.

2.2 Contact form and contact via email

1. If you contact us, your data (name, contact details, if provided by you) and your message will be processed exclusively for the purpose of processing and handling your request. We process this data on the basis of Article 6 Paragraph 1 Letter a GDPR (consent) to process your request.
2. Any other use of the data will only take place based on the user’s consent.

2.3 Links to other websites

1. While using some of our Services, you may also be automatically directed to other websites; This happens, for example, with links in blog posts.
2. Please note that this data protection declaration is not valid there. The data protection declaration of the linked website may differ significantly from this one.

2.4 Information about Google services

1. On our website we use various services from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. You can find further information about the specific Google services that we use on this website in the additional data protection declaration.
2. By integrating Google services, Google may collect information (including personal data) and process it. It cannot be ruled out that Google will also transmit the information to a server in a third country. The transfer to the USA depends on the function in which personal data is transferred. As the person responsible, we can transmit data to Google in the USA for further use. There is currently no adequacy decision in accordance with Article 45 of the GDPR. However, the transfer can be based on standard contractual clauses. Google is committed to complying with the Standard Contractual Clauses (SCC) for the transfer of personal data to third countries. Further information on the standard contractual clauses can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractuals-clauses-scc_de as well as under https://policies.google.com/privacy/frameworks?hl=de
3. We ourselves cannot influence which data Google actually collects and processes. However, Google states that, in principle, the following information (including personal data) can be processed:
   • Log data (especially the IP address)
   • Location-related information
   • Unique application numbers
   • Cookies and similar technologies
   Information about the types of cookies used by Google can be found at https://policies.google.com/technologies/types.
4. If you are logged into your Google Account, depending on your account settings, Google may add the processed information to your account and treat it as personal data.
5. Google states, among other things, the following:
   “If you are not signed in to a Google Account, we store the data we collect with unique identifiers associated with the browser, app or device you use. This allows us, for example, to ensure that your language settings are retained across all browser sessions. If you are signed in to a Google Account, we also collect information that we store in your Google Account and consider to be personal information." (https://privacy.google.com/take-control.html)
6. You can prevent this data from being added directly by logging out of your Google account or by making the appropriate account settings in your Google account. You can also change your cookie settings (e.g. delete cookies, block them, etc.).
7. Further information can be found in Google's data protection information, which you can access here: https://www.google.com/policies/privacy/
8. Information about Google's privacy settings can be found at https://privacy.google.com/take-control.html

2.5 MyFonts

1. This website uses web fonts from myfonts.com based on Art. 6 Para. 1 f GDPR. The web fonts are hosted locally on our server.
2. Due to the license terms, page view tracking is carried out by counting the number of visits to our website for statistical purposes and transmitting it to MyFonts. MyFonts Counter is a service of MyFonts Inc., 500 Unicorn Park Drive, Woburn, MA 01801, USA.
3. Further information about data protection at MyFonts can be found under the following link: https://www.myfonts.com/legal/website-use-privacy-policy.
4. To prevent MyFonts from executing Java Script code altogether, you can install a Java Script blocker (e.g. www.noscript.net).

2.6 Google Tag Manager

1. We use Google Tag Manager on our website. Google Tag Manager is a service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
2. Using Google Tag Manager we can integrate various codes and services on our website in an organized and simplified manner. The Google Tag Manager implements the tags or “triggers” the integrated tags. When a tag is triggered, Google may process and process information (including personal data). It cannot be ruled out that Google will also transmit the information to a server in a third country.
3. In particular, the following personal data is processed by Google Tag Manager:
   • Online identifiers (including cookie identifiers)
   • IP address
4. You can also find further detailed information about the Google Tag Manager on the websites https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/ as well as under https://www.google.com/intl/de/policies/privacy/index.html (Section “Information We Obtain from Your Use of Our Services”).
5. Furthermore, we have concluded an order processing contract with Google for the use of the Google Tag Manager (Article 28 GDPR). Google processes the data on our behalf to trigger the stored tags and display the services on our website. Google may, if necessary, transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google.
6. If you have deactivated individual tracking services (e.g. by setting an opt-out cookie), the deactivation remains in effect for all affected tracking tags that are integrated by the Google Tag Manager.
7. By integrating the Google Tag Manager, our aim is to be able to integrate various services in a simplified and clear manner. In addition, the integration of the Google Tag Manager optimizes the loading times of the various services.
8. The legal basis for the processing of personal data described here as part of the measurement procedure is your express consent in accordance with Article 6 Paragraph 1 Letter a of the GDPR.
9. The legal basis for processing the data that is processed in the context of obtaining consent is our legitimate interest in accordance with Article 6 (1) (f) GDPR. We have a legitimate interest in being able to prove that you have given your consent to the measurement procedure (Art. 7 Para. 1 GDPR)

2.7 Google Analytics

1. Based on your consent, we rely on the analysis, optimization and economic operation of our online offering in accordance with Art. 6 Para. 1 lit. a. GDPR Google Analytics, a web analysis service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) – hereinafter “Google”. Google uses cookies and other technologies. The information generated by the service about users' use of the online offering is transferred to a Google server in the USA and processed there.
2. Google acts for us as part of order processing in accordance with Article 28 GDPR. We have concluded a data protection agreement with Google that contains the EU standard data protection clauses.
3. We use Google Analytics with activated IP anonymization.
4. Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID that can be used to recognize you on future website visits. Users can prevent the storage of cookies by setting their browser software accordingly.
5. The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 26 months. Other data remains stored in aggregated form indefinitely.
6. Further information on data usage by Google, settings and revocation options can be found on the Google websites: https://policies.google.com/technologies/partner-sites?hl=de (“Use of data by Google when you use our partners’ websites or apps”) https://policies.google.com/technologies/ads (“Use of data for advertising purposes”) https://adssettings.google.com/authenticated (“Manage information Google uses to show you advertising”).

3 Processing for the purpose of carrying out our business processes

3.1 Direct marketing

1. If you have given us your consent, we will regularly inform you by email about new offers and construction projects. We use your name and email address for this purpose. The legal basis for data processing is Article 6 Paragraph 1 Subparagraph 1 Letter a GDPR. You can revoke your consent at any time with future effect, for example via the link at the end of every email.
2. Our newsletter will only be sent by email with your prior express consent according to the double opt-in principle: After registering for the newsletter on our website, you will receive an email asking you to cancel your newsletter registration to confirm. This ensures that no third party has misused your data.
3. When you register for the newsletter, we also obtain your consent to newsletter tracking for the purposes of personalized advertising and market research. Using so-called tracking pixels or web beacons and links, each of which is linked to an individual ID, we collect the following personal tracking information in connection with the use of our newsletter:
   • Opening the newsletter, clicking on the links contained therein, sending a form on our website after clicking on a link contained in the newsletter (including the timing of these actions)
   • Type of device used when you access images in the newsletter or click on links
   • Behavior on our website if you access it via a link from our newsletter (including the timing of these actions)
   • Location of access when you access images in the newsletter or click on links (by assigning your IP address, which we do not store)
   We store this data for your user profile, which is assigned to the data entered when you registered for the newsletter. We use this data to evaluate and optimize our email marketing as well as for personalized advertising and market research purposes. As part of our newsletter, we can send you personal product, service and offer information that is of particular interest to you. You can revoke your consent to this data processing at any time with future effect by unsubscribing from the newsletter. An isolated deactivation of newsletter tracking is (currently) not technically possible. We delete the tracking data if you unsubscribe from our newsletter. Data stored by us for other purposes remains unaffected.

3.2 Advertising to existing customers

1. If you have already used paid services from us, we may from time to time inform you by email or letter about similar services from us (in particular new construction projects) if you have not objected to this.
2. The legal basis for data processing is Article 6 Paragraph 1 Subparagraph 1 Letter f GDPR. Our legitimate interest lies in direct advertising (Recital 47 GDPR). You can object to the use of your email address and postal address for advertising purposes at any time without additional costs with future effect.

3.3 Answering inquiries about projects

For inquiries about projects from property developers, we will pass on the data provided in your inquiry to the developer or broker of the respective project, to the extent that this is necessary or beneficial to answer your inquiry and/or to carry out contractual or pre-contractual measures.

4 Cookie Policy

4.1 General information

1. Cookies are information that is transmitted from our web server or third-party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the browser's system settings. The exclusion of cookies can lead to functional restrictions of this online offer. Cookie Consent Manager Clickskeks

Link to privacy policy
https://sbif.foundation

Local Storage:

Surname	lifespan	Description
ccm_consent	1 year	Used to store the cookie consent agreement, which specifies which cookies can be set.

Legal basis
Art. 6 Paragraph 1 Sentence 1 Letter c GDPR

Place of processing

Analysis/Statistics

Google Analytics

editor
Google Ireland Limited

Description
Google Analytics collects statistics about the use of the website. (distance measurement) Browser information (browser type, referring/exit pages, files viewed on our website, operating system, timestamp and/or clickstream data) Usage data (views, clicks) IP address (we have IP anonymization (hence - IP masking ) activated (your IP address, so that your IP address is shortened by Google in the EU and EEA before transmission so that no other conclusions can be drawn about the person. Only this anonymized IP address is transmitted to Google.) Further details can be found here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Link to privacy policy
https://policies.google.com/privacy?hl=en

What data is collected?
browser information; click path; date and time of visit; location information; IP address; interaction data; usage data; device operating system; device information; Referrer URL; browser type; browser language; screen resolution; JavaScript support; Pages visited; user behavior; hostname; URL visited; Downloads; app updates; purchasing activity; widget interactions; Flash version; IP address; location information; device information; device information; app updates; JavaScript support; purchasing activities; browser information;

Purpose of data collection
Advertising; Analysis; deliver content; provision of fonts; improving the service; Integration of Facebook functions; Personalization; tag management; Pay; cloud computing; bot protection; conversion tracking; online audio distribution; use of a chatbot; feedback; customer behavior analysis; web analytics; authentication; Purposes according to Art. 5b GDPR / consent / customer support; Safety measures; bookings; Statistics; Offer technical assistance; Providing a market for labeled data; trend analysis; transaction tracking; use of the site; Show ads; Store and/or access information on a device; Measure content performance; Maintenance;

Cookies:

Surname	lifespan	Description
_ga	24 Months	Collection of statistics about the use of the website. (range measurement)
_gid	24 hours	ID to identify the user within 24 hours of last activity
_gat_gtag_*	1 minute	This cookie is used to distinguish users.
_gac_*	90 days	This cookie contains information about the ad you clicked on.
_gat*	1 minute	This is used to limit the request rate.
_dc_gtm_*	1 minute	This is used to distinguish computer users.
IDE	1 year	This ID allows Google to identify users across different websites and domains and show them personalized advertising.
AMP_TOKEN	30 seconds to 1 year	Contains the token code used to read the client ID from the AMP Client ID service. Matching this ID with the Google Analytics ID allows users to match when switching between AMP and non-AMP content. Reference: https://support.google.com/analytics/answer/7486764?hl=fr
__utma	2 years after the last activity	This cookie is one of the 4 core Google Analytics cookies and tracks user actions on the website and measures website performance. Cookies distinguish between users and sessions. It is used to calculate statistics about returning visitors and is updated every time data is sent to Google Analytics.
__utmt*	10 mins	This cookie is used to limit the request rate of the service and thereby limit data collection on busy websites.
__utmb	30 minutes after the last activity	This cookie is one of the 4 core Google Analytics cookies and tracks user actions on the website and measures website performance. A cookie identifies new sessions and visits by a user. It is updated every time data is sent to Google Analytics. Any visitor activity during the life of the cookie is counted as a single visit, even if the visitor leaves and then returns to the website. Visits after the cookie lifespan has expired are counted as new visits.
__utmc	End of session (browser)	This cookie is one of the 4 core Google Analytics cookies and tracks user actions on the website and measures website performance. Most websites no longer use cookies, but are still configured to serve legacy scanning code, also known as Urchin. In older versions it was used with __utmb to identify the visitor.
__utmz	6 months after the last activity	This cookie is one of the top 4 cookies set by Google Analytics to track user behavior and measure website performance. The cookie identifies the location of the visitor's visit to the website to inform the owner of the location of the user's visit to the website and is updated each time the data is sent to Google Analytics.
__utmv	2 years after the last activity	Used to store variable data at the individual visitor level. This cookie is created when the developer uses the _setCustomVar method with visitor-level custom variables. This cookie is also used for the deprecated _setVar method. The cookie is updated each time data is sent to Google Analytics.
__utmx	18 months	This cookie is linked to the Google Website Optimizer. It is used to distinguish two variants of a website that can be presented to visitors as part of an A/B split test.
__utm*	18 months	Used to determine when an A/B or multivariate user engagement test ends
_swag_ga_ga*	n/a	The cookies used assign an identifier to the website visitor and determine statistical data about the website visitor's visit to the website. This is used to personalize advertising shown to users.
__utmd	n/a	This cookie name appears to be linked to the Google Analytics service, which allows website owners to track visitor behavior and measure website performance. However, Google does not currently document this.
__utmo	n/a	This cookie enables the functionality of Google Analytics.
__gads	13 months	Is set to enable ad placement or retargeting.
_gd*	session	Stores a timestamp of the user.
_ga_*	2 years	Used to get session status.
_gcl_gb	1 year	The _gcl cookie value contains a version number followed by a timestamp and campaign information in the format of the GCLID value.

Legal basis
Consent, Art. 6 Para. 1 lit. a GDPR, or Art. 49 Para. 1 lit. a GDPR

Place of processing
European Union

Google Tag Manager

editor
Google Ireland Limited

Description
It is a tag management system. Using Google Tag Manager, tags can be integrated centrally via the user interface. Tags are small pieces of code that can track activity. Script code for other tools is integrated via the Google Tag Manager. The Tag Manager can control when certain tags are activated.

Link to privacy policy
https://policies.google.com/privacy?hl=en

What data is collected?
Aggregated data about tag firing; Aggregated data to trigger tags; No data collected

Purpose of data collection
tag management; functionality; generating leads; website tag management; managing website tags; network analysis; Manage tags and scripts on this website; Ensuring comfortable use of our website

Cookies:

Surname	lifespan	Description
cookiePreferences	2 years	Cookie settings for registered users
mat_ep	n/a	Collect cross-site visitor data - this data is used to increase advertising relevance.
_dc_gtm_UA-.*	n/a	Used by Google Tag Manager to control loading of Google Analytics script code.
_gcl_au	4 months	Google Tag Manager uses cookies to track and store conversions.
_dc_gtm_UA-*	meeting	Used by Google Tag Manager to control loading of Google Analytics script code.

Legal basis
Consent, Art. 6 Para. 1 lit. a GDPR, Art. 49 Para. 1 lit. a GDPR

Place of processing
European Union

WPML

editor
OnTheGoSystems Ltd.

Description
Check whether cookies are activated. This cookie is activated for all website visitors when you use the browser language redirection feature.

What data is collected?
browser information; navigation information; information content; Plugins; Browser user agent string

Purpose of data collection
Advertising; findability in search engines; identify users; improving the service; Provision of Services

Cookies:

Surname	lifespan	Description
wp-wpml_current_language	meeting	Save current language. By default, this cookie is only set for logged in users.
wp-wpml_current_admin_language_{hash}	0	Stores the current language of the WordPress admin panel.
_icl_visitor_lang_js	n/a	Record the redirected speech. This cookie is set for all website visitors when they use the browser's language redirection feature.
wpml_browser_redirect_test	n/a	Check whether cookies are activated. This cookie is activated for all website visitors when you use the browser language redirection feature.
wpm domain test	n/a	No information from the manufacturer

Legal basis
Art. 6 Paragraph 1 Sentence 1 Letter f GDPR

Place of processing
Hong Kong

5 Changes to the privacy policy

1. We reserve the right to change this data protection declaration with regard to data processing in order to adapt it to changed legal situations, changes to the online offering or to data processing.
2. If consent from the users is required or components of the data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with the consent of the users.
3. Users are requested to regularly inform themselves about the content of this data protection declaration.

As of: October 2022

• Contact
• Legal Notice
• Privacy policy