PENG Privacy Policy according to GDPR

The following privacy policy is intended to inform you in particular about the type, scope and purpose for the processing of personal data (hereinafter referred to in short as “data”) on our website.

I. NAME AND ADDRESS OF THE PERSON RESPONSIBLE

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
‍
PENG Communications GmbH
Am Zirkus 4
10117 Berlin10117 Berlin
Managing Director: Max Mühlbach
Commercial register: Charlottenburg District Court, HRB 134670 B
email: enter@exit-game.de

II. GENERAL INFORMATION ON DATA PROCESSING

1. Scope of processing of personal data
In principle, we only process the personal data of our users to the extent necessary to provide a functional website and our content and services. The processing of our users' personal data is regularly carried out only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations. We process inventory data (e.g., name, address and email address), contract data (e.g., services used, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit b. GDPR. The entries marked as mandatory in online forms are required for the conclusion of the contract.

2. Legal basis for processing personal data
Insofar as we obtain consent from the data subject for processing personal data, Article 6 (1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary to fulfill a contract to which the data subject is a party, Article 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c DSGVO serves as the legal basis. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis. If the legitimate interest of our company or a third party is necessary and if the interests, fundamental rights and freedoms of the person concerned do not outweigh the former interest, Article 6 (1) (f) GDPR serves as the legal basis for processing.

3. Data deletion and storage period
The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by European or national legislators in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the above standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

4. Cooperation with contract processors and third parties
If, as part of our processing, we transfer data to other persons and companies (processors or third parties) or otherwise grant them access to the data, this is only done on the basis of legal permission that you have consented, a legal obligation provides for this, for the processing of contractual relationships (e.g. Belbo, Stripe) with you or we have a legitimate interest in the transfer of data (e.g. when using agents, web hosts, etc.). If we commission third parties to process data on the basis of a so-called “order processing contract”, this is done on the basis of Article 28 GDPR.

5. Data security
When you visit our website, we use the common SSL (Secure Socket Layer) process in conjunction with the highest level of encryption supported by your browser. This is usually 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser. We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

6. Company profiles on social media
We operate company profiles within social networks and platforms in order to communicate with the customers, prospects and users active there and to inform them about our services. When you access the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply. Unless otherwise stated in our privacy policy, we process users' data if they communicate with us within social networks and platforms, e.g. write posts on our online presence or send us messages.

III. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

When you visit our website https://exit-game.de The browser used on your device automatically sends information to the server on our website. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:

(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's Internet service provider
(4) The user's IP address
(5) Date and time of access
(6) Websites from which the user's system accesses our website
(7) Websites that are accessed by the user's system via our website
(8) Protocol (GET or POST)
(9) Status code (including 200 or 500)

The above data is processed by us for the following purposes:
• ensuring a smooth connection to the website,
• ensuring a comfortable use of our website,
• Evaluation of system security and stability, and
• for further administrative purposes.

The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about you. In addition, we use cookies and analysis services when you visit our website. For more information, see Sections V and VIII of this Privacy Policy.

IV. USE OF COOKIES

We use cookies on our site. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, Trojans or other malware. The cookie stores information that is generated in connection with the specific device used. However, this does not mean that we are immediately aware of your identity.

On the one hand, the use of cookies serves to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after you leave our site. In addition, we also use temporary cookies to optimize usability, which are stored on your device for a specific fixed period of time. If you visit our site again to use our services, it will automatically recognize that you have already been with us and what inputs and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you (see Section VII). These cookies enable us to automatically recognize that you have already been with us when you visit our site again. These cookies are automatically deleted after a defined period of time. When you visit our website, users are informed by an information banner about the use of cookies for analysis purposes and referred to this privacy policy. In this context, there is also a reference to how the storage of cookies can be prevented in the browser settings.

The data processed by cookies is required for the stated purposes to protect our legitimate interests and those of third parties in accordance with Article 6 (1) (1) (f) GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or that a message always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all functions of our website.

V. E-MAIL CONTACT

You can contact us via the email address enter@exit-game.de provided. In this case, the user's personal data transmitted by e-mail will be stored. In this context, there is no transfer of data to third parties. The data is used exclusively to process the conversation.

The legal basis for processing data transmitted in the course of sending an e-mail is Article 6 (1) (f) GDPR. If the email contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.

We only process the personal data from the e-mail to process the contact. This is also the necessary legitimate interest in processing the data.

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been finally clarified.

The user has the option to withdraw his consent to the processing of personal data at any time. If the user contacts us by e-mail (enter@exit-game.de), he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data that was saved in the course of contacting us will be deleted.

VI. CONTACT FORM

If you have any questions, we offer you the opportunity to contact us via a form provided on the website. It is necessary to provide the following personal data

— email address

so that we know who the request came from and to be able to answer it. Data processing for the purpose of contacting us is carried out in accordance with Art. 6 (1) (f) GDPR. The personal data collected by us for using the contact form will be automatically deleted after the request you have submitted has been completed.

VII. TRACKING TOOLS

The tracking measures listed below and used by us are carried out on the basis of Article 6 (1) (f) GDPR. With the tracking measures used, we want to ensure a needs-based design and continuous optimization of our website. On the other hand, we use tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimising our offering for you. These interests are to be regarded as legitimate within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the corresponding tracking tools.

1. Google Analytics

For the purpose of designing and continuously optimizing our pages, we use Google Analytics, a web analysis service provided by Google Inc. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). In this context, pseudonymized user profiles are created and cookies (see section IV) are used. The information generated by the cookie about your use of this website, such as

• browser type/version,
• operating system used,
• referrer URL (the previously visited page),
• host name of the accessing computer (IP address),
• time of the server request,

are transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and Internet usage for the purposes of market research and the needs-based design of these websites. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf. Under no circumstances will your IP address be combined with other data from Google. The IP addresses are anonymized so that allocation is not possible (IP masking). You can prevent the installation of cookies by setting your browser software accordingly; however, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de). As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on this link. An opt-out cookie is set to prevent your data from being collected in the future when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. For more information on data protection in connection with Google Analytics, see the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=de).

VIII. SOCIAL MEDIA PLUG-INS

On the basis of Article 6 (1) (f) GDPR, we use social plug-ins from the social networks Facebook, Twitter and Instagram on our website to make EXIT better known about this. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for data protection-compliant operation is guaranteed by their respective providers. We integrate these plug-ins using the so-called two-click method in order to protect visitors to our website in the best possible way.

1st Facebook
Social media plugins from Facebook are used on our website to make their use more personal. To do this, we use the “LIKE” or “SHARE” button. This is an offer from Facebook. When you visit a page on our website that contains such a plugin, your browser creates a direct connection with Facebook's servers. The content of the plugin is transmitted directly from Facebook to your browser and integrated into the website by it. By integrating the plugins, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Facebook account or are not currently logged into Facebook. This information (including your IP address) is transmitted directly from your browser to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can directly associate your visit to our website with your Facebook account. If you interact with the plugins, for example by pressing the “LIKE” or “SHARE” button, the corresponding information is also transmitted directly to a Facebook server and stored there. The information is also published on Facebook and displayed to your Facebook friends. Facebook can use this information for the purposes of advertising, market research and the needs-based design of Facebook pages. For this purpose, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services related to the use of Facebook. If you do not want Facebook to associate the data collected via our website with your Facebook account, you must log out of Facebook before visiting our website. The purpose and scope of data collection and the further processing and use of data by Facebook as well as your related rights and settings options to protect your privacy can be found in the privacy policy (https://www.facebook.com/about/privacy) from Facebook.

2. X (formerly Twitter)
Plug-ins from the X Corp. (X) short message network are integrated into our websites. You can recognize the X plugins (tweet button) by the X logo on our site. An overview of tweet buttons can be found here (https://about.twitter.com/resources/buttons) .When you visit a page on our website that contains such a plugin, a direct connection is established between your browser and the X server. X thus receives the information that you have visited our site with your IP address. If you click on the X “tweet button” while logged into your X account, you can link the content of our pages to your X profile. This allows X to associate your visit to our pages with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data and how it is used by X. If you do not want X to be able to associate your visit to our pages, please log out of your X user account. For more information, please see X's privacy policy (https://twitter.com/privacy).

3rd Instagram
Our website also uses so-called social plugins (“plugins”) from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). The plugins are marked with an Instagram logo, for example in the form of an “Instagram camera”. When you visit a page on our website that contains such a plugin, your browser creates a direct connection to Instagram's servers. The content of the plugin is transmitted directly from Instagram to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has accessed the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged into Instagram. This information (including your IP address) is transmitted directly from your browser to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can immediately associate your visit to our website with your Instagram account. If you interact with the plugins, for example by pressing the “Instagram” button, this information is also transmitted directly to an Instagram server and stored there. The information is also published on your Instagram account and displayed there to your contacts. If you do not want Instagram to associate the data collected via our website directly with your Instagram account, you must log out of Instagram before visiting our website. For more information, see the privacy policy (https://help.instagram.com/155833707900388) from Instagram.

4. TikTokWe use the TikTok Pixel on our website. The TikTok Pixel is a TikTok advertiser tool from the two providers TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (both are referred to collectively as “TikTok”) .The TikTok Pixel is a JavaScript code snippet that allows us to track the activities of visitors to our website understand and track. For this purpose, the Tiktok Pixel collects and processes information about the users of our website or the devices they use (so-called event data). The event data collected via the TikTok Pixel is used to target our advertisements and to improve ad delivery and for personalized advertising. For this purpose, the event data collected on our website using the TikTok Pixel is transmitted to Facebook TikTok. In part, this event data is information that is stored in the device you are using. In addition, the TikTok Pixel also uses cookies, which store information on the device you are using. Such storage of information through the TikTok Pixel or access to information that is already stored in your device is only possible with your consent. The legal basis for the collection and transfer of personal data by us to TikTok is therefore Article 6 (1) (a) GDPR. You can revoke your consent at any time using our Consent Management Tool. This collection and transmission of event data is carried out by us and TikTok as joint controllers. We have reached an agreement with TikTok on processing as a joint controller, which stipulates the distribution of data protection obligations between us and TikTok. In this agreement, we and TikTok have agreed, among other things, that we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR on the joint processing of personal data; that TikTok is responsible for enabling the rights of data subjects under Articles 15 to 20 GDPR with regard to the personal data stored by Facebook Ireland following the joint processing. You can read the agreement concluded between us and TikTok at https://ads.tiktok.com/i18n/official/article?aid=300871706948451871 retrieving. Retrieve.TikTok is solely responsible for processing the transmitted event data following the transmission. For more information about how TikTok processes personal data, including the legal basis TikTok relies on and ways to exercise your rights against TikTok, please see TikTok's data policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.

IX. THIRD PARTY SERVICES

1. Google Maps
To optimize our website, we use the “Google Maps” map service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Our legitimate interest in improving our website with regard to the display of maps and the preparation of route plans is also our legitimate interest in accordance with Article 6 (1) (f) GDPR. When using Google Maps, Google collects, processes and uses data about the use of the Maps functions by users of our website. In particular, the user's IP address is required to display Google Maps content to display maps. The data collected by Google is transferred by Google to the USA and stored there. Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

For more information about Google's data processing, please see Google's privacy policy.

2nd Belbo
To sell our offers (EXIT missions and vouchers), we use the booking system of Belbo Business Software GmbH (formerly zeitfest GmbH), Pappelallee 78/79, 10437 Berlin (“Belbo”). By making a booking on our site, you consent to Belbo storing and processing your personal data. Your personal data will be transferred to Belbo and processed. This storage and processing of data is carried out for the purpose of supporting and processing your orders, authentication, processing payment transactions and improving Belbo's services. For more information on terms of use and data protection and the possible appointment of third parties to process data by Belbo, please visit https://belbo.com/datenschutzerklaerung/

3rd stripe
Payment services via [bank transfer, credit and debit cards, SEPA direct debit, Sofortüberweisung, Giropay, iDEAL and Przelewy24] are provided by Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street, Lower Grand Canal Dock, Dublin D02 H210, Ireland. For the use of these services, Stripe collects, stores and processes personal data in accordance with the Stripe Terms of Use and is responsible for the lawful handling of them. For more information, please see Stripe's privacy policy at https://stripe.com/at/privacy

3. PayPal
The PayPal service is provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When paying with PayPal, you will be redirected to the PayPal website via a link. To use this service, PayPal collects, stores and processes your personal data, such as your name, address, telephone number and email address, as well as your credit card or bank account details. PayPal is solely responsible for protecting and handling the data collected by PayPal. In this respect, the PayPal terms of use apply, which you can find at www.PayPal.com be able to call up. Further information on the handling of your data and the possible appointment of third parties can be found in PayPal's privacy policy, which is available at the following link: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

X. RIGHTS OF THE PERSON CONCERNED

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

1. Right to information
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by us. If such processing is available, you can request information from the person responsible about the following information:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom the personal data relating to you has been or is still being disclosed;
(4) the planned duration of storage of personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to correct or delete personal data concerning you, a right to restrict processing by the person responsible or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information about the origin of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and — at least in these cases — meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether your personal data is being transferred to a third country or to an international organization. In this context, you can request to be informed of the appropriate guarantees in accordance with Article 46 GDPR in connection with the transfer.

2. Right to rectification
You have the right to have the person responsible corrected and/or completed if the processed personal data relating to you is incorrect or incomplete. The person responsible must make the correction immediately.

3. Right to restrict processing
Under the following conditions, you can request the restriction of the processing of personal data concerning you:
(1) if you dispute the accuracy of the personal data concerning you for a period of time that enables the person responsible to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to delete the personal data and instead request the restriction of the use of the personal data;
(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
(4) if you have lodged an objection to processing in accordance with Article 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of your personal data has been restricted, this data — apart from storage — may only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.

4. Right to delete
a) Obligation to delete
You can demand from the person responsible that the personal data concerning you be deleted immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent, on which processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DSGVO, and there is no other legal basis for processing.
(3) You object to processing in accordance with Article 21 Paragraph 1 GDPR and there are no overriding legitimate reasons for processing, or you object to processing in accordance with Article 21 Paragraph 2 GDPR.
(4) The personal data concerning you was processed unlawfully.
(5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
(6) The personal data concerning you was collected in relation to information society services offered in accordance with Article 8 (1) GDPR.
b) ExceptionsThe right to deletion does not exist insofar as processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation which requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the right referred to in section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or
(5) to assert, exercise or defend legal claims.

5. Right to be informed
If you have asserted the right to correct, delete or restrict processing against the person responsible, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the person responsible about these recipients.

6. Right of objection
For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

The person responsible will no longer process your personal data unless he can demonstrate compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

In connection with the use of information society services — notwithstanding Directive 2002/58/EC — you have the option to exercise your right of objection by means of automated procedures using technical specifications.

7. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your data protection consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the time of withdrawal.

8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.
The supervisory authority with which the complaint was filed shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.