PRIVACY POLICY

1. PRIVACY STATEMENT

With this privacy statement, we aim to inform our customers, suppliers, applicants, website visitors (myty.com), and other business partners about how we process personal data. Protecting your privacy is of the utmost importance to us, and compliance with legal data protection regulations is a matter of course for our organization.

Name and contact details of the controller:

MYTY Group AG

Dufourstrasse 49

8008 Zurich

MYTY Group Germany GmbH

Alte Jakobstraße 85-86

10179 Berlin

Represented by David Rost, Fabian Moritz, Nico Gärtner

2. DATA PROTECTION OFFICER

Should you have any questions regarding our data protection measures, the processing of your data, or the exercise of your data subject rights, you can reach us and our Data Protection Officer as follows:

External Data Protection Officer:

ePrivacy GmbH

Represented by Prof. Dr. Christoph Bauer

Burchardstraße 14

20095 Hamburg

For all questions and concerns regarding your data, please feel free to contact us at compliance@myty.com.

If you wish to communicate directly with our Data Protection Officer (for example, if you have a particularly sensitive matter), please contact them by postal mail, as email communication may always have security vulnerabilities. When making your inquiry, please specify that your concern relates to MYTY Group AG or MYTY Group Germany GmbH.

Representative for controllers or processors not established in the Union (Art. 27 GDPR):

ePrivacy GmbH

Burchardstraße 14

20095 Hamburg

Germany

www.eprivacy.eu/en/legal

3. PERSONAL DATA

Personal data refers to all information relating to an identified or identifiable natural person. The following categories of personal data may be processed by us:

  • Contact details (e.g., first and last name, address, email address, phone number, other contact information, details about the communication channel, date, purpose, and outcome of the contact, (electronic) copies of correspondence, and information about participation in direct marketing activities),
  • Correspondence with us,
  • Log files containing information about your visit to our website,
  • Identification numbers (e.g., social security number, tax identification number, tax ID, passport or identity card number, insurance numbers),
  • Payment data (e.g., bank account number, credit card number, financial institution, direct debit details, tax-related information),
  • Online identifiers (e.g., cookie IDs, IP addresses, advertising IDs),
  • Customer data (e.g., billing information, address, payment details),
  • Authentication data (e.g., signature samples),
  • Contractual master data (order data, data related to the fulfillment of our contractual obligations, information about any third-party beneficiaries),
  • Documentation data (e.g., logs),
  • Product data (e.g., requested or booked services and products),
  • Business credit information (profit and loss statements, balance sheets, financial analyses, type and duration of self-employment),
  • Application data (e.g., cover letter, CV, awards (e.g., certificates and diplomas), optionally a photo, and any other personal data voluntarily provided).

4. USE OF COOKIES

General information about cookies

Cookies are small text files stored in your browser’s database. They contain data such as user identification numbers, which are transmitted to your device when you visit our website and are managed there. These files are retained for future access. Typical uses of cookies include language selection, documentation of consent, and user authentication.

Session cookies

Session cookies are stored temporarily and deleted automatically when you close your browser. They ensure, for example, that video and audio files can be played, your user inputs are temporarily saved during entry, and overall user experience is improved.

Persistent cookies

Persistent cookies remain on your device even after you close your browser. These cookies may store your user preferences, such as language settings, and analyze your behavior on our website. The storage duration of persistent cookies is determined individually for each cookie. Once the specified period expires, they are automatically deleted.

You can find information about the specific cookies used, including their functions and durations, in our cookie banner. You can also adjust your consent or withdraw it entirely via the cookie banner.

5. PURPOSES OF PROCESSING

We process your data for the following purposes:

  • To communicate with you,
  • To fulfill contractual obligations with you,
  • For marketing purposes, such as sending our newsletter,
  • For quality assurance and statistical analysis,
  • To provide our services,
  • For your participation in potential competitions or giveaways,
  • For your participation in our events,
  • For your participation in our surveys,
  • To consider your job application,
  • To improve our services.

6. LEGAL BASIS

We process your personal data based on the following legal grounds under the GDPR:

  • Your consent, where you have given it to us (Art. 6(1)(a) GDPR),
  • The performance of a contract with you or to take steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR),
  • Compliance with a legal obligation to which we are subject (Art. 6(1)(c) GDPR),
  • The pursuit of our legitimate interests, provided that your interests or fundamental rights and freedoms do not override these (Art. 6(1)(f) GDPR).

7. LEGITIMATE INTERESTS

The processing of your data serves the following legitimate interests:

  • Improving our services and offerings,
  • Protecting our systems from abuse and misuse,
  • Compiling statistics,
  • Retaining our correspondence with you,
  • Reviewing and optimizing procedures for needs analysis and direct customer communication,
  • Advertising, market research, and opinion polling,
  • Asserting legal claims, defending against legal disputes, and mitigating liability risks,
  • Consulting credit agencies and exchanging data with them,
  • Preventing and investigating criminal offenses,
  • Video surveillance to enforce house rules and gather evidence in the event of criminal offenses,
  • Implementing measures for building and office security,
  • Ensuring compliance with house rules,
  • Managing business operations and further developing services and products,
  • Risk management within the corporate group,
  • Conducting internal statistical analyses using anonymized data,
  • Ensuring IT security and IT operations.

8. OBLIGATION TO PROVIDE PERSONAL DATA

Unless explicitly stated otherwise, the provision of your data is neither required nor mandatory.

9. SOURCES OF DATA

If we do not receive the data directly from you or from the devices you use, we may obtain it from the following sources:

  • Company and self-employed master data from publicly accessible official sources,
  • B2B contact data from specialized service providers, and
  • Social media profiles.

10. RETENTION PERIOD

We store your data:

  • If you have consented to the processing, only until you withdraw your consent;
  • If we require the data to fulfill a contract, for no longer than the duration of the contractual relationship with you;
  • If we process the data based on a legitimate interest, only until your interest in deletion or anonymization outweighs our legitimate interest;
  • If statutory retention obligations apply, until the end of the respective retention period.

11. THIRD-PARTY RECIPIENTS

When processing your data, we collaborate with the following service providers who have access to your data:

Candis

We use the service Candis provided by Candis GmbH (Karl-Liebknecht-Str. 5, 10178 Berlin, Germany) to automate our accounts payable management. The service processes invoice data (creditors, amounts, line items) extracted via AI from documents, as well as master data and data from the digital approval process. This ensures efficient and GoBD-compliant processing and archiving of incoming invoices. For more information on the provider’s data protection practices, visit: Candis Privacy Policy.

ChatGPT

We use ChatGPT, a service provided by OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, USA), to generate, edit, and summarize texts using artificial intelligence. This primarily involves processing user input (prompts) and the generated responses. Additionally, account information for user management and technical usage data for service improvement are collected. Users can disable the use of their conversations for model training via the settings. For more information on the provider’s data protection practices, visit: OpenAI Privacy Policy.

DocuSign

We use DocuSign, provided by DocuSign Germany GmbH (c/o Bird & Bird LLP, Maximiliansplatz 22, 80333 Munich, Germany), to centrally manage documents, conduct digital signature processes, and verify identities. The data processed includes information captured in documents, such as contract and ID data, as well as signatures. For more information on the provider’s data protection practices, visit: DocuSign Privacy Policy.

Figma

We use Figma, provided by Figma, Inc. (760 Market St, Floor 4, San Francisco, CA 94102, USA), as a collaborative platform for creating and editing designs, graphics, and prototypes. This involves processing user-created or uploaded content (e.g., design files, components, comments), as well as profile data for team management and usage data for platform analysis. For more information on the provider’s data protection practices, visit: Figma Privacy Policy.

Google Workspace

We use Google Workspace, provided by Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, Ireland), as a business tool for collaboration, including Gmail, Google Calendar, Google Meet, Chat, Drive, Docs, and more. This involves processing contact information, communication content, project data, and other relevant data. For more information on the provider’s data protection practices, visit: Google Privacy Policy.

Hintbox

We use Hintbox, provided by lawcode GmbH (Universitätsstraße 3, 56070 Koblenz, Germany), to operate our digital whistleblowing system in compliance with legal requirements. The system processes the content of submitted reports and subsequent communications, ensuring the highest level of confidentiality and anonymity for whistleblowers through end-to-end encryption. For more information on the provider’s data protection practices, visit: Hintbox Privacy Policy.

Hubspot – CRM

We use the HubSpot CRM platform, provided by HubSpot Germany GmbH (Am Postbahnhof 17, 10243 Berlin, Germany), to integrate and manage marketing, sales, content management, and customer service in one place. This may include processing contact information (name, email address, phone number, and similar details). For more information on the provider’s data protection practices, visit: HubSpot Privacy Policy.

Lucanet

We use Lucanet, provided by Lucanet AG (Karl-Liebknecht-Str. 14, 10178 Berlin, Germany), for consulting services, including planning, technical consulting, training, data collection and validation, data migration, implementation, troubleshooting, and software development/provision of financial performance management software. This includes processing data such as names, contact details (email address, phone number, address), and communication data. For more information on the provider’s data protection practices, visit: Lucanet Data Protection.

Mailchimp

We use Mailchimp, provided by The Rocket Science Group, LLC (675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA), to send newsletters and measure open and click rates. Mailchimp is a U.S.-based service, and we have implemented Standard Contractual Clauses as part of the Data Processing Agreement with Mailchimp to ensure an adequate level of data protection. If you subscribe to our newsletter, we will share your email address with Mailchimp. For more information on the provider’s data protection practices, visit: Mailchimp Data Processing Addendum.

Microsoft 365, Azure, PowerBI

We use services provided by Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) for office applications, cloud infrastructure, and data analytics. These platforms are used for creating and editing documents, internal and external communication, and managing our IT systems. Depending on the service, different data may be processed, including user-generated or uploaded content (e.g., emails, documents, Teams messages, analytics datasets), account information, and usage and diagnostic data. For more information on the provider’s data protection practices and the EU data boundary, visit: Microsoft Privacy Statement, Microsoft Trusted Cloud Privacy.

Mistral Le Chat

We use Le Chat, provided by Mistral AI (15 Rue des Halles, 75001 Paris, France), for tasks requiring AI-powered text generation. Processing is limited to user input and the technical data necessary to fulfill these requests. According to the provider, data submitted via enterprise solutions is not used for model training. For more information on the provider’s data protection practices, visit: Mistral AI Privacy Policy.

Notion

We use Notion, provided by Notion Labs, Inc. (685 Market Street, San Francisco, CA 94105, USA), as a platform to connect and manage marketing, sales, content management, and customer service. This may include processing contact information (name, email address, phone number, online username, and similar details). For more information on the provider’s data protection practices, visit: Notion Privacy Center.

Personio

We use Personio, provided by Personio SE & Co. KG (Seidlstraße 3, 80335 Munich, Germany), for HR administration, time tracking, leave management, payroll, and applicant management. This involves processing employee master data (e.g., name, address, date of birth, phone number), contract data (e.g., professional qualifications, employment contracts), payroll data, and performance-related information. For more information on the provider’s data protection practices, visit: Personio Privacy Policy.

Sage GmbH

We use software provided by Sage GmbH (Franklinstraße 61-63, 60486 Frankfurt am Main, Germany) for commercial processes such as financial accounting, inventory management, and payroll. This includes processing core business data, such as financial accounting data (bookings, accounts), inventory data (customers, items, orders), and sensitive payroll data. For more information on the provider’s data protection practices, visit: Sage Privacy Policy.

Salesviewer

We use SalesViewer, provided by SalesViewer GmbH (Universitätsstraße 60, 44789 Bochum, Germany), to analyze user behavior on our website and identify companies visiting our site. This involves collecting and storing company-related data (e.g., company name, industry, address) and website usage behavior (e.g., pages visited) for marketing, market research, and optimization purposes. According to the provider, this data is used solely to identify potential business customers and not to identify individual private visitors. For more information on the provider’s data protection practices, visit: SalesViewer Privacy Policy.

Slack

We use Slack, provided by SFDC Ireland Limited (Salesforce Tower, 60 R801, North Dock, Dublin, Ireland), as a central platform for internal and external corporate communication. This involves processing all user-shared content, such as messages and files, as well as account information (name, profile picture) and technical usage data. For more information on the provider’s data protection practices, visit: Slack Privacy Policy.

Travelperk

We use Travelperk, provided by TravelPerk, S.L.U. (Carrer dels Almogàvers 160, 08018 Barcelona, Spain), to centrally book and manage business travel. This involves processing personal data of travelers (e.g., name, contact details, ID information), travel details (flights, hotels), and payment information for billing purposes. For more information on the provider’s data protection practices, visit: Travelperk Privacy Policy.

Yokoy

We use Yokoy, provided by Yokoy Group AG (Förrlibuckstrasse 181, 8005 Zurich, Switzerland), for automated expense and spend management. This involves processing data from receipts and invoices (extracted via AI) as well as associated employee and travel data to simplify and accelerate the expense process from submission to booking. For more information on the provider’s data protection practices, visit: Yokoy Privacy Policy.

12. DATA TRANSFERS TO THIRD COUNTRIES

If we transfer personal data to countries outside the European Economic Area (EEA), we ensure that this only occurs if the European Commission has confirmed an adequate level of data protection for the respective country or we have implemented appropriate safeguards to protect the personal data. These safeguards may include contractual agreements (such as the Standard Contractual Clauses), certifications, or compliance with internationally recognized security standards.

  • Switzerland: Adequacy decision by the European Commission (as of 15 January 2024)
  • USA: Transfer based on Standard Contractual Clauses and additional protective measures in conjunction with the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission as of 28 February 2023)

13. YOUR RIGHTS

As a data subject, you have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to request information about the processing of your personal data and to receive a copy of your personal data. This includes information about the purposes of processing, the categories of personal data concerned, the recipients of the data (if disclosed), and the storage period or the criteria used to determine that period.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.
  • Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data concerning you. If your data is incomplete, you may request its completion, taking into account the purposes of processing.
  • Right to erasure or restriction (Art. 17, 18 GDPR): You have the right to request the erasure ("right to be forgotten") or restriction of processing of your personal data.
  • Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data.
  • Right to withdraw consent (Art. 7 GDPR): If processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future.
  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable data protection law.