Privacy Policy

Thank you for visiting our website. Below you will find information about the handling of your personal data in accordance with Article 13 of the General Data Protection Regulation (GDPR).

1. Who is responsible for data processing and whom can I contact?

The Grover Group GmbH operates the website www.grover.com ("website"). If you conclude contracts via the website, your contractual partner is - depending on the rented goods - the:

• Grover Group GmbH (Holzmarktstr. 11, 10179 Berlin Commercial Register: Berlin-Charlottenburg Local Court Commercial Register Number: 166467B Sales Tax Identification Number: DE300852104), hereinafter referred to as "Grover Group" or

• Grover Finance I GmbH (Holzmarktstr. 11, 10179 Berlin, Commercial Register: Local Court Berlin-Charlottenburg Commercial Register Number: 181384B, Sales Tax Identification Number DE300852104), hereinafter "Grover Finance I" or

• Grover Finance II GmbH (Holzmarktstr. 11, 10179 Berlin, Commercial Register: Local Court Berlin-Charlottenburg Commercial Register Number: 202381B, Sales Tax Identification Number DE300852104), hereinafter "Grover Finance II".

Grover Finance I and Grover Finance II are subsidiaries of Grover Group. Grover Group is the sole shareholder of Grover Finance I and Grover Finance II (affiliated companies). Grover Group, Grover Finance I and Grover Finance II are hereinafter referred to as "Grover".

The contracting party (Grover Group, Grover Finance I or Grover Finance II), will be communicated to the client in text form. In the event that the client's contractual partner is Grover Finance I or Grover Finance II, Grover Group, in the name of Grover Finance I and Grover Finance II, will take care of the rights and obligations of the provider under the contract and will process these for the respective provider, Grover Finance I or Grover Finance II.

This results in the following responsibilities:

Responsible for the operation of the website:

Grover Group GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

e-mail: [email protected]

Responsible for the conclusion of contracts via the website and for the execution of these contracts:

Grover Group GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

e-mail: [email protected]

Grover Finance I GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

e-mail: [email protected]

Grover Finance II GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

e-mail: [email protected]

In the following, all companies are referred to as "Grover" or "we".

You can reach the external data protection officer of the company at

data protection nord GmbH

Branch office Berlin

Kurfürstendamm 212

10719 Berlin

e-mail: [email protected]

2. For what purpose do we process your data and on which legal basis?

2.1 Data processing when using Grover Services

We process personal data in accordance with the provisions of the GDPR and the Federal Data Protection Act (BDSG) for the following purposes:

a) For the performance of contractual and pre-contractual obligations (Article 6 (1) sentence 1 (b) GDPR)

The processing of personal data (Article 4 No. 2 GDPR) is carried out for the purpose of providing this website and for the marketing of the products, in particular for the conclusion and processing of contracts, for invoicing, for the implementation of pre-contractual measures, for answering inquiries in connection with our business relationship and for all activities required for the operation and administration of the company.

The purposes of data processing are primarily based on the specific product. Further details regarding the purpose of data processing within the scope of contracts can be found in the respective contract documents and terms and conditions.

In particular, Grover processes the personal information that you provide as a user during registration, for contractual purposes or within the scope of an inquiry. In particular, this concerns the following data: Name, date of birth, e-mail address, address (invoice and possibly differing shipping address), order information, optional telephone number and bank details. In addition, Grover stores the password, which the user can freely choose. The password is not stored in plain text, but only a so-called hash value.

b) Based on legitimate interests (Article 6 (1) sentence 1 (f) GDPR)

In addition, we process your data beyond the provision of the website and the actual fulfilment of the contract to protect legitimate interests of us or third parties, as in the following cases in particular:

-response to your inquiries outside of a contract or pre-contractual measures;

-Advertising or market and opinion research, unless you have objected to the use of your data, this includes existing customer advertising;

- Evaluation of our advertising measures, e.g. tracking of click and opening behavior in e-mail campaigns

-Enforcement of legal claims and defense in legal disputes;

- Ensuring IT security and IT operation;

-Creditworthiness check;

-prevention and investigation of criminal offences;

-measures for business management and further development of products.

Our legitimate interest is to market our products in the best possible way and to further develop them and our company, or to protect our company against impairments and dangers and to enforce our claims.

c) Based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR)

If you have given us your consent to process personal data for specific purposes (e.g. evaluation or use of data for marketing purposes, receipt of advertising by e-mail), the legality of this processing is based on your consent. You consent can be revoked at any time. Please note that the revocation is only effective for the future.

d) Due to legal requirements (Art. 6 para. 1 sentence 1 lit. c GDPR)

We are also subject to various legal obligations, e.g. money laundering law, tax laws, which require the processing of data.

2.2 Credit assessment, risk analysis and fraud prevention

In the course of the ordering process, we may check your creditworthiness. For this purpose we transmit the following data to so-called credit bureaus cooperating with us:

● Customers (including Freelancer): full name, billing and shipping address, date of birth, phone number, email.

●Business customers: Company, company address.

We transfer your personal data to the following companies, among others, for credit assessment:

-CRIF Bürgel GmbH, Radlkoferstrasse 2, 81373 Munich

- Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss

Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden

• Experian Nederland B.V., Grote Marktstraat 49, (2511 BH) The Hague

• Creditsafe Germany GmbH, Schreiberhauer Straße 30, 10317 Berlin

For the decision on the conclusion, performance or termination of a contractual relationship, we use not only an address check, but also information about your previous payment behavior as well as probability values for your future behavior, which include, among other things, address data. We obtain this information from the following providers, among others:

-CRIF Bürgel GmbH, Radlkoferstrasse 2, 81373 Munich -Creditreform Boniversum

GmbH, Hellersbergstraße 11, 41460 Neuss and

-Schufa

Holding AG, Kormoranweg 5, 65201 Wiesbaden

-Experian Nederland B.V.,, Grote Marktstraat 49, (2511 BH) The Hague

-Creditsafe Germany GmbH, Schreiberhauer road 30, 10317 Berlin

For the decision on the establishment of a contractual relationship, we also carry out our own analyses to detect abuse and fraud. In particular, we use the following categories of data:

-Customer characteristics (e.g. data from credit reports, age, mobile phone provider, e-mail provider).

-shopping cart data like device categories -behavioral data (e.g. number of orders and their status, behavior on the website)

-Payment data like payment methods

-reconciliation of account data with other user accounts with regard to matching data

-customer characteristics such as data from credit reports and mobile phone providers.

The credit information and the own analyses for fraud detection can contain probability values (score values), which are calculated on the basis of scientifically recognized mathematical-statistical procedures and their calculation includes among other things (but not exclusively) address data. The legal basis for this is Article 6 paragraph 1 letter f) GDPR. The legitimate interest results from our interest in reducing the contractual risk, in protection against bad debts and against the danger of misuse of our services by third parties. Your interests worthy of protection are taken into account in accordance with the statutory provisions.

In individual cases we check the calculation or the calculation result manually.

In order to prevent abuse and fraud and to avoid debts in current and future rental contracts of the customer, the longer-term storage (see 3.) of creditworthiness data and data from our own analyses is necessary for the detection of abuse and fraud. The legal basis is Art. 6 Paragraph 1 Letter f) GDPR. Our legitimate interest arises from our interest in detecting fraudulent behaviour or patterns of behaviour, recognising and taking into account developments in the creditworthiness of our customers, evaluating the rental agreements (the risk portfolio and the probability of default are relevant for investors, among others) and reviewing and improving our risk management (by analysing the data records - only in anonymised form).

If the other legal requirements are met, we will also forward information about delays in payment or a possible loss of receivables to credit agencies cooperating with us, such as Schufa Holding AG, Wiesbaden. The legal basis for this is article 6 paragraph 1 letter f) GDPR. Our legitimate interest results from our and third parties' interest in reducing contractual risks for future contracts.

3 Which data do we process when you visit our website?

3.1 Usage data

When you visit our website, our web server temporarily evaluates so-called usage data for statistical purposes as a protocol in order to improve the quality of our website. This data record consists of         • the name and address of the requested content,

            • the date and time of the query,

       • of the transferred data volume,

• the access status (content transferred, content not found),

• the description of the used web browser and operating system,    • the referral link, which indicates from which page you reached ours,

• the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established.

The mentioned log data will only be evaluated anonymously.

3.2 Cookies and similar technologies

3.2.1 Essential Cookies

We use cookies on our websites, which are necessary for the use of our websites.

Cookies are small text files that can be stored and read on your end device. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

We do not use these required cookies for range analysis, tracking or advertising purposes. We use them to display our web pages, to provide our services and for the technical functions and content of third parties listed below.

A call of our pages leads to the fact that contents of the third party providers are reloaded, who provide these functions and contents. The third party provider is thus informed that you have called up our site and receives the usage data that is technically required for this purpose.

Some of these cookies only contain information on certain settings and cannot be linked to a person. They may also be necessary to enable user guidance, security and implementation of the site.

We use these cookies on the basis of Art. 6 Para. 1 S. 1 lit. f GDPR in the interest of making our site as attractive and informative as possible and to be able to provide our services without restriction.

You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time using the appropriate browser setting and prevent the setting of new cookies. Please note that our web pages may not be able to be displayed and some functions may no longer be available for technical reasons.

i) Provider = Snowplow

Purpose: Risk assessment and fraud prevention

Storage period: 2 years

Adequate level of data protection: USA - standard contractual clauses

ii) Provider = New Relic

Purpose: To measure the performance of the website

Storage period: 1 year

Adequate level of data protection: USA - standard contractual clauses

iii) Supplier = Nethone

Purpose: Fraud prevention

Storage period: 1 year

iv) Provider = Intercom

Purpose: To enable customer support via the chat

Storage period: 1 year

Adequate level of data protection: USA - standard contractual clauses

(v) Supplier = AWS

Purpose: Operation of the website

Storage period: 7 days

Adequate level of data protection: USA - standard contractual clauses

vi) Supplier = GTM

Purpose: Storage of the cookie consent

Storage period: 1 year

vii) Provider = Cloudflare

Purpose: To protect bandwidth and server resources

Storage period: 1 month

Adequate level of data protection: USA - standard contractual clauses

viii) Supplier = Grover

Purpose: recognition of the country of origin for the adaptation of the website

Storage period: 1 year

ix) Supplier = Grover

Purpose: Recognition of the language preference to customize the website

Storage period: 1 year

x) Supplier = Grover

Purpose: Recognition of logged-in users

Storage period: 1 year

xi) Supplier = Grover

Purpose: Enabling orders

Storage period: 1 year

3.2.2 Third-party tracking technologies for evaluating visitor statistics

We use web analysis tools to design our websites according to your needs. These create usage profiles based on pseudonyms. For this purpose, permanent cookies are stored on your end device and read out by us. In addition, it is possible that we call up recognition features for your browser or terminal device (e.g. a so-called browser fingerprint or your unabridged IP address). In this way we are able to recognize returning visitors and count them as such.

In addition, we use the following functions in the context of visitor measurement:

         • We enrich the pseudonymous data with additional data provided by third parties. In this way, we are able to record demographic characteristics of our visitors, e.g. statements on age, gender and place of residence.

We use a recognition method that allows us to capture and subsequently evaluate the mouse pointer movement of our visitors.

The data processing is based on your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR or § 15 para. 3 p. 1 TMG, if you have given your consent via our banners.

Which third-party providers do we use in this context?

In the following, we will name the third-party providers with whom we work in connection with visitor measurement. If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR.

i) Provider = Google LLC (USA)

Maximum storage period: 2 years

Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.

Revocation of consent: If you wish to revoke your consent, please scroll to the bottom of our website, click on "Cookie settings" and make the appropriate setting via our banner.


3.2.3 Third party tracking technologies for marketing purposes

We use cross-device tracking technologies to help us display targeted advertising on other websites based on your visit to our websites and to help us determine how effective our advertising efforts have been.

The data processing is based on your consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR or § 15 para. 3 p. 1 TMG, if you have given your consent via our banner. Your consent is voluntary and can be revoked at any time.

How does the tracking work?

When you visit our websites, it is possible that the third party providers listed below call up recognition features for your browser or terminal device (e.g. a so-called browser fingerprint), evaluate your IP address, store or read recognition features on your terminal device (e.g. cookies) or gain access to individual tracking pixels.

The individual features can be used by the third-party providers to recognize your end device on other Internet sites. We may commission the relevant third-party providers to place advertisements based on the pages visited on our site.

What does cross-device tracking mean?

If you log on to the third-party provider with your own user data, the respective recognition features of different browsers and end devices can be linked with each other. For example, if the third-party provider has created a separate recognition feature for the laptop, desktop PC, smartphone or tablet you are using, these individual features can be assigned to each other as soon as you use a third-party service with your login data. This allows the third party to target our advertising campaigns across multiple devices.

Which third-party providers do we use in this context?

In the following, we will name the third party providers with whom we work for advertising purposes. If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR.

Revocation of consent:

If you wish to withdraw your consent, please scroll to the bottom of our website, click on "Cookie settings" and make the appropriate setting via our banner.

i) Provider = Facebook (USA and/or Ireland)

Maximum storage period: 3 months

Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.

ii) Provider = Google LLC (USA)

Maximum storage period: 2 years

Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.

iii) Supplier = Criteo

Maximum storage period: 1 year

iv) Provider = Rakuten (LinkSynergy)

Maximum storage period: 1 year

v) Supplier = Daisycon

Maximum storage period: 1 year

vi) Provider = TikTok (USA)

Maximum storage period: 1 year

Adequate level of data protection: No adequate level of data protection. The data is transmitted on the basis of Art. 49 para. 1 lit. a GDPR.

vii) Supplier = Braze

Purpose: Customer Relationship Management

Storage period: 1 year

3.3 Access Protected Area

If you wish to use our access-protected area, prior registration is necessary.

We only collect the data required for registration. The processing is based on Art. 6 para. 1 sentence 1 letter b GDPR or on Art. 6 para. 1 letter f GDPR in the interest of providing you with the services and information of the access-protected area.

If we collect additional data, these are marked as voluntary and are based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

4. Who is the recipient of my data?

Within the respective responsible company, those departments that need access to your data to fulfill our contractual and legal obligations are granted access to your data.

We will pass on your data to the recipients named in this privacy policy. We also pass on your data to the following categories of recipients if this is necessary to fulfill a contractual relationship with you or to carry out pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR) or to safeguard legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

         • IT service providers, especially software as a service, hosting, storage and cloud computing providers

        • Logistics service provider

          • E-mail marketing service providers and customer service providers who, among other things, create offers and invoices for us

        • Marketing service providers, especially Google Adwords and WhatsApp consulting service providers

           • Payment service providers and credit institutions for the collection of a charge or the provision of a payment service

        • Collection agency for the enforcement of claims

     • Service providers who support us in risk analysis and fraud prevention

          • Insurance companies and legal service providers

Insofar as processing is necessary to protect legitimate interests, for example when using IT services, our legitimate interest is to outsource functions.

If your contractual partner is Grover Finance I or Grover Finance II, Grover Finance I or Grover Finance II will make your data available to the Grover Group for the purpose of concluding and processing the contractual relationship and for advertising its own offers, provided that there is a legal basis for this.

In addition, your personal data will be passed on or transmitted if required by law (Art. 6 para. 1 sentence 1 lit. c GDPR) or if you have given your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

5. Is my personal data processed outside the European Union?

For the processing of your data we also use service providers located in third countries outside the European Union. These countries may have a different level of data protection than within the European Union. Unless there is a decision by the EU Commission that these third countries generally offer an adequate level of data protection, we have taken special measures to ensure that your data is processed in the third countries as securely as within the European Union. With service providers in third countries we conclude the standard data protection clauses of the European Commission. These provide appropriate guarantees for the protection of your data with service providers in the third country. You can request a copy of these data protection clauses by contacting us at the contact details given above. In addition, we encrypt or pseudonymize personal data before transferring it to a service provider in a third country, provided that this is technically possible and appropriate.

6. To what extent does automated decision making take place in individual cases?

When establishing contractual relationships, we use fully automated decision-making processes in the sense of Art. 22 Para. 1 GDPR, taking into account the creditworthiness data provided by credit agencies and the score value determined by our own analyses for abuse and fraud detection (see above under 2.) This is necessary for the conclusion of the contract in the sense of Art. 22 para. 2 lit. a GDPR: automated decision making allows for greater coherence and fairness, the risk of non-payment due to lack of solvency, abuse or fraud is minimized and we can make decisions within shorter deadlines and increase our efficiency. All this is essential in our mass and time-critical online business. It is therefore possible that we may automatically reject your order based on the determined creditworthiness or the determined probability of abuse or fraud. If you do not agree with our decision, you can inform us in writing or by e-mail to [email protected] A member of staff will then review the decision, taking your point of view into account, and correct it if necessary.

7. How long will my data be stored?

Your data will be processed according to the legal regulations and deleted in accordance with the intended deletion periods.

As far as necessary, we process and store your personal data for the duration of our contractual relationship, which also includes, for example, the initiation and execution of a contract. Please note that our contractual relationship is usually a continuing obligation.

In the case of contractual relationships, but also in the case of other civil law claims, the storage period is also governed by the statutory limitation periods, which, for example, according to §§ 195 ff. of the German Civil Code (BGB), are usually three years, but in certain cases can be up to thirty years.

In addition, we are subject to various storage and documentation regulations, which result from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods of retention or documentation specified there are six years for correspondence in connection with the conclusion of a contract and 10 years for accounting records and business letters (§§ 238, 257 para. 1 and 4 HGB, § 147 para. 1 and 3 AO).

Logfiles are deleted in principle after the end of the respective browser session, at the latest after seven days, unless their further storage is exceptionally necessary and lawful. The storage period of cookies depends on the individual case and is usually between twelve and 24 months.

Customer data and your customer account will be deleted five years after the end of your last rental contract or after your last login, whichever comes later.

We usually delete the following customer data within the following shorter periods:

Data on telephone conversations with customers (for example telephone number) will be deleted one year after the last telephone conversation with the customer. If we record a telephone conversation in individual cases, which is only done with the customer's voluntary consent, the recording is automatically deleted after 30 days.

Credit scoring data (see above under 2.) of customers whose order was rejected for reasons of creditworthiness, we delete or anonymize after six months. Otherwise, we delete or anonymize creditworthiness data five years after the end of your last rental agreement or after your last login, whichever comes later.

Data from our own analyses for abuse and fraud detection (see above under 2.) we will delete or anonymize your data five years after the end of your last rental agreement or after your last login, whichever comes later.

8. What are my privacy rights? You have the right of information (Art. 15 GDPR), the right of correction (Art. 16 GDPR), the right of deletion (Art. 17 GDPR), the right to limit processing (Art. 18 GDPR) and the right of data transferability (Art. 20 GDPR). In the case of the right of information and the right of deletion, the restrictions pursuant to Sections 29 (1) sentence 2, 34 and 35 BDSG apply.

You also have the right to object to data processing by us (Art. 21 GDPR). Insofar as our processing of your personal data is based on consent (Art. 6 para. 1 sentence 1 lit. a GDPR), you may revoke this consent at any time; the legality of the data processing carried out on the basis of the consent until revocation remains unaffected.

In order to assert all these rights as well as for further questions regarding personal data, you can contact our data protection officer or our contact details mentioned above at any time.

Notwithstanding the above, you have the right to lodge a complaint with a supervisory authority - in particular in the EU member state of your residence, place of work or place of the alleged violation - if you believe that the processing of the personal data you provided violates the GDPR or other applicable data protection laws (Art. 77 GDPR, § 19 BDSG).

11.12.2020


Do you have a question or just need support?


4.13 / 5

Apple StoreGoogle Play Store

Grover Group GmbH © 2021