Privacy Policy

With this privacy policy we inform you about our processing of your personal data. We know that the protection of this data is important to you and appreciate the trust placed in us. We process personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).


1. Who is controlling data processing and whom can I contact?

Grover Group GmbH operates the website www.grover.com ("Website"). If you conclude contracts via the Website, your contracting partner is, subject to the rented goods:


  • Grover Group GmbH (Holzmarktstr. 11, 10179 Berlin, Commercial Register: Amtsgericht Berlin-Charlottenburg, Commercial Register Number: 166467B, VAT Identification Number: DE300852104), hereafter "Grover Group" or

  • Grover Finance I GmbH (Holzmarktstrasse 11, 10179 Berlin, Commercial Register: Amtsgericht Berlin-Charlottenburg Commercial Register Number: 181384B, VAT Identification Number DE300852104), hereinafter referred to as "Grover Finance I" or

  • Grover Finance II GmbH (Holzmarktstrasse 11, 10179 Berlin, Commercial Register: Amtsgericht Berlin-Charlottenburg Commercial Register Number: 202381B, VAT Identification No. DE300852104), hereinafter referred to as "Grover Finance II".

Grover Finance I and Grover Finance II are subsidiaries of Grover Group and Grover Group is the sole shareholder of Grover Finance I and Grover Finance II (affiliated companies). Grover Group, Grover Finance I and Grover Finance II are hereinafter referred to as “Grover Company Group”.


The customer will be informed of the contracting party (Grover Group or Grover Finance I or Grover Finance II) via e-mail in text form. The Grover Group or the Grover Finance I or the Grover Finance II, hereinafter referred to as "Grover," will be the "provider" within the meaning of these terms and conditions.


In case the contracting party is Grover Finance I or Grover Finance II, it is represented by its parent company, Grover Group, which exercises the rights and obligations arising from the contracts on behalf of Grover and handles these for Grover Finance I or Grover Finance II.


This results in the following responsibilities:


Controller regarding the operation of the website is:

Grover Group GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

E-mail: [email protected]


Controller regarding the conclusion of contracts through the Website and the execution of these contracts is:


Grover Group GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

E-mail: [email protected]


Grover Finance I GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

E-mail: [email protected]


Grover Finance II GmbH

Holzmarktstraße 11, 10179 Berlin

represented by the managing director Michael Cassau

E-mail: [email protected]


In the following, all companies will be referred to as "Grover" or "we".


Our Data Protection Officer is available to answer any questions regarding data privacy:

datenschutz nord GmbH

Niederlassung Berlin

Kurfürstendamm 212

10719 Berlin

E-mail: [email protected]


2. For what purpose do we process your data and on which legal basis?

We process personal data in accordance with the provisions of the GDPR and the Federal Data Protection Act (BDSG) for the following purposes:


2.1 For the performance of contractual and pre-contractual obligations (Article 6 (1) sentence 1 (b) GDPR)

The processing of personal data (Article 4 No. 2 GDPR) occurs to provide this Website and to market the products, in particular to conclude and process contracts, to settle accounts, to carry out pre-contractual actions, to respond to inquiries related to our business relationship and for all activities necessary for the operation and administration of the company.


The purposes of data processing depend primarily on the specific product. Further details on the purpose of data processing in the context of contract performance can be found in the respective contract documents, and terms and conditions.


In particular, Grover processes the personal information that you provide as a user when registering, for contractual purposes or as part of a request. In particular, the following data are processed: name, date of birth, e-mail address, address (invoice and, if applicable, different shipping address), order information, optional telephone number and bank details. In addition, Grover saves the password, which the user can choose freely. The password is not stored in plain text; only a so-called hash value is stored.


2.2 Based on legitimate interests (Article 6 (1) sentence 1 (f) GDPR)

In addition, we process your data beyond the provision of the website and the actual performance of the contract for pursuing legitimate interests of third parties, or us, in particular in the following cases:


  • Answering your inquiries which are unrelated to a contract or pre-contractual actions;

  • advertising or market and opinion research, as long as you have not objected to the use of your data;

  • asserting legal claims and defense in legal disputes;

  • ensuring IT security and IT operations;

  • examining creditworthiness;

  • preventing and investigating criminal offenses;

  • business management and product development.

Our legitimate interest is to market our products optimally, further develop these products and our company, or to protect our company against adverse effects and threats and to enforce its claims.


2.3 On the basis of your consent (Article 6 (1) sentence 1 (a) GDPR)

Insofar as you have given us consent to the processing of personal data for specific purposes (e.g. evaluation or use of data for marketing purposes), the legality of this processing is based on your consent. A given consent can be withdrawn at any time. This also applies to the withdrawal of consents, which you have given us prior to the validity of the GDPR (before 25 May 2018). Please note that the withdrawal takes effect only for the future. Processing that occurred before the withdrawal is not affected by a revocation.


2.4 For compliance with a legal obligation (Article 6 (1) sentence 1 (c) GDPR)

In addition, we are subject to various legal obligations (e.g. Money Laundering Act, tax laws), which require the processing of data.


2.5 Identity verification upon opening a Grover Business Account:

In the course of the ordering process through a Grover Business Account, we may verify the identity of the Company's legal representative to prevent fraud and identity theft. For this purpose, we use the following service provider to help us verify the identity of the legal representative using a photo of his/her ID and person:


  • Onfido Limited, 3 Finsbury Avenue, London EC2M 2PA, United Kingdom

As part of the identity verification, a photo of the identity card and, if necessary, of the person ("selfie") is sent to the service provider. The service provider will only keep the ID document and photo or the associated data for as long as it is necessary for the processing of the registration and the completion of lease agreements of the company. The service provider has also concluded a data processing agreement with Grover and demonstrates high safety standards (including an ISO 27001 certification). For more information, please refer to the Privacy Policy of Onfido https://onfido.com/privacy/.


The legal basis for this verification process and data processing is Article 6 (1) sentence 1 (f) GDPR. The legitimate interest results from our interest in reducing the contract risk, protecting against bad debts as well as misuse of our services by third parties. Your interests will be considered in accordance with the statutory provisions.


3. Who gets my data?

Within the respective controlling company, the departments which need your personal data to perform our contractual and legal obligations, obtain access to your data.

Also, we pass on your data to the recipients expressly named in this privacy policy.

Furthermore, we pass them on to the following categories of recipients if this is necessary to fulfill a contractual relationship with you or to carry out pre-contractual measures (Article 6 (1) sentence 1 GDPR), or to pursue legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR):


  • IT service providers, especially software as a service, hosting, storage and cloud computing providers,

  • logistics service providers,

  • email marketing service providers and customer service providers,

  • marketing service providers, especially Google Adwords and WhatsApp consulting service providers,

  • payment service providers and credit institutions for the collection of fees,

  • and collection agencies to enforce claims

To the extent that processing is required to pursue legitimate interests, such as the use of IT services, our legitimate interest is to outsource functions.


In case your contracting partner is Grover Finance I or Grover Finance II, Grover Finance I and Grover Finance II make your data accessible to Grover Group GmbH for the conclusion and settlement of the contractual relationship as well as for the promotion of its own offers, to the extent that a legal ground exists.


In addition, your personal data is forwarded or transmitted if required by law (Article 6 (1) sentence 1 (c) GDPR), or if you have consented (Article 6 (1) sentence 1 (a) GDPR).


4. How long will my data be stored?

To the extent necessary, we process and store your personal data for the duration of our contractual relationship, which includes, for example, the initiation and performance of a contract. Note that our contractual relationship is usually a continuing obligation.


When there is a contractual relationship, or another civil law claim, the storage period is also governed by the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code are usually three years, but in certain cases also can be thirty years.


In addition, we are subject to various storage and documentation obligations, which result inter alia from the German Commercial Code (HGB) and the Tax Code (AO). The deadlines for storage or documentation specified therein are 6 years for correspondence in connection with the conclusion of a contract and 10 years for accounting documents and business letters (§§ 238, 257 (1) and (4) HGB, § 147 (1) and (3) AO).


Log files are always deleted after the end of the respective browser session, at the latest after seven days, unless their further storage is exceptionally necessary and lawful. The storage period of cookies depends on the individual case and is usually between 12 and 24 months.


5. Are data transmitted to a third country or to an international organization?

Grover itself does not transmit data to third countries (countries outside the European Economic Area - EEA). However, some of the above mentioned recipients will transfer personal data to third countries, but this will only be done on the basis of an adequacy decision by the EU Commission or, as indicated below, on the basis of standard data protection clauses of the EU Commission (available at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF) or binding corporate rules.


6. Website – log files

When visiting our Website, the browser used on your device automatically sends information to the server hosting our Website. This information is temporarily stored in a so-called log file. The following information is collected without your intervention and stored until automated deletion: IP address of the requesting computer, date and time of access, name and URL of the retrieved file, web page from which the access follows ("Referrer-URL"), if applicable, the search engine you are using, the browser used and, if applicable, the operating system of your computer and the name of your access provider.


The legal basis for this type of data processing is Article 6 (1) sentence 1 lit. f GDPR. The legitimate interests pursued by us are in particular:


  • Ensuring a smooth connection of the website,

  • ensuring comfortable use of our website,

  • billing,

  • statistical evaluation using a pseudonym to optimize our website and offer quality and range,

  • evaluation of system security and stability, as well as

  • further administrative purposes.


7. Marketing

7.1 Newsletter

To the extent that you have expressly consented in accordance with Art. 6 para. 1 sentence 1 (a) GDPR we use your e-mail address to inform you with our newsletter by e-mail about us, our offers and special promotions. Your consent will be logged.


For the receipt of the newsletter the indication of an e-mail address is sufficient.


The withdrawal of the consent is possible at any time, for example via the link at the end of each e-mail. Alternatively, you can also send your withdrawal notice at any time by e-mail at [email protected]. In this case, your e-mail address will be deleted from our e-mail distribution list and added to our blacklist. The withdrawal of your consent takes effect only for the future. Processing that occurred before is not affected.


Newsletter tracking

Note that we evaluate the behavior of the recipients of our emails using pseudonymous usage statistics. For this purpose, the emails contain so-called web beacons or tracking pixels and links, which are each linked with an individual ID. Thus, we record the time of opening and forwarding the e-mail as well as the clicking of the links contained therein, the IP address (to determine the country of retrieval) and the email program used. This data is not linked to your email address or other personal data, so that a direct personal relationship is excluded for us. The evaluation is based on aggregated usage statistics (delivery rate, opening rate, click rate, number of redirects, number of clicks on the links contained in the email, email programs used, openings and clicks by time of day and date, country of retrieval). Only in the event of cancellations or failed deliveries will we additionally receive information about the name and email address. This is (also) in your interest, so that we can immediately delete you from our email distribution list or correct the delivery problem. The pseudonymous evaluation of usage behavior serves to check the success of our email marketing and to constantly improve it. For these purposes, we have a legitimate interest in data processing. The legal basis is Art. 6 (1) sentence 1 (f) GDPR.


Shipping and evaluation by MailChimp

We use MailChimp, a service of The Rocket Science Group LLC, 675 Ponce De Leon Ave. NE, Suite 5000, Atlanta, GA 30308, USA ("MailChimp") for the purposes of sending and analyzing the e-mails.


The data processed during the dispatch and the evaluation of the e-mails are stored on the servers of MailChimp in the USA. The submission of your information to a third country outside the EU is covered by an adequacy decision of the Commission within the meaning of Art. 45 GDPR, as MailChimp has committed to comply with the Privacy Shield Principles (https://www.privacyshield.gov/EU-US-Framework). MailChimp will work for us as a processor within the meaning of Art. 28 GDPR.

For more information, please refer to the Privacy Policy of MailChimp (https://mailchimp.com/legal/privacy/).


Braze


We also use Braze in the USA to control, design content and transmit communications. For this purpose, personal data such as the name and email address are also processed in order to personalize the communication. The data is passed on to Braze via direct interfaces with our products (SDKs and APIs). The transmission of your information to a third country outside the EU, in this case the USA, is protected by data protection law, because Braze has submitted to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). Braze works for us as a processor in the sense of Art. 28 GDPR.


For more information, see Braze's privacy policy (https://www.braze.com/privacy?utm_medium=Paid-Search&utm_source=Google&utm_campaign=Brand_L_Brand_EMEA&utm_content=Braze_EM_KW&utm_term=braze|e|g|c|1t1|379494868996&gclid=EAIaIQobChMI1v7thMaZ5wIVSuJ3Ch2WjANYEAAYASAAEgKb2vD_BwE).


7.2 Existing customer advertising

To the extent that you have already ordered our products for a fee, we will inform you from time to time by e-mail or letter about similar goods and services from us, if you have not objected.


The legal basis for data processing is Art. 6 (1) sentence 1 (f) GDPR. We have a legitimate interest in direct marketing (Recital 47 GDPR).


You may object to the use of your e-mail address and postal address for promotional purposes at any time at no additional charge, for example via the link at the end of each e-mail or by e-mail to [email protected].


8. Credit check and scoring

In the course of ordering processes, we may review your credit rating. For this purpose, we provide the following data to so-called credit bureaus cooperating with us: name, address, date of birth. For this purpose, we will submit your personal data for the credit rating to the following companies:


  • CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 München

  • Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss and

  • Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden

  • Creditsafe Deutschland GmbH, Schreiberhauer Straße 30, 10317 Berlin

For the decision on the conclusion, performance or termination of a contractual relationship, we use not only an address check, but also information about your previous payment behavior as well as probability values for your future behavior, which include, among other things, address data. We obtain this information from the following providers:


  • CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 München

  • Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss and

  • Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden

  • Creditsafe Deutschland GmbH, Schreiberhauer Straße 30, 10317 Berlin

SEPA Direct Debit (see Section 10.3) also enables us to obtain information from the payment service provider we use about the account balance and processed chargebacks of the account you specify. 


The creditworthiness information and our own analyses can contain probability values (score values), which are calculated on the basis of scientifically recognized mathematical-statistical procedures and whose calculation includes, among other things, address data. The legal basis for this is Article 6 (1) sentence 1 (f) GDPR. The legitimate interest results from our interest in reducing the contract risk, protecting against bad debts as well as misuse of our services by third parties. Your interests will be considered in accordance with the statutory provisions.


We also provide information about payment delays or any default on loans to credit agencies cooperating with us, such as Schufa Holding AG, Wiesbaden, in compliance with any legal requirements. The legal basis for this is Article 6 (1) sentence 1 (f) GDPR. Our legitimate interest results from our and the interest of third parties in reducing contract risks for future contracts.


9. Cookies and similar technologies

9.1 Essential Cookies


We use cookies on our websites, which are essential for the use of our websites.

Cookies are small text files that can be stored and read on your end device. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

We do not use these required cookies for coverage analysis, tracking or advertising purposes. We use them to display our websites, to provide our services and for the technical functions and content of third party providers listed below.


When you access our pages, content from the third-party providers, who provide these functions and contents, will be reloaded. The third party provider is thereby informed that you have accessed our site and receives the usage data that is technically required for this purpose.


In some cases, these cookies only contain information on certain settings and cannot be linked to personal data. They may also be necessary to enable user guidance, security and implementation of the site.


We use these cookies on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR in the interest of making our site as appealing and informative as possible and to be able to provide our services without restriction.


You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time using the appropriate browser setting and prevent the setting of new cookies. Please note that our web pages may not be able to be displayed and some functions may no longer be available for technical reasons.

i) Provider = Snowplow

Purpose: Risk assessment and fraud prevention

Storage Period: 2 Years

Adequate level of data protection: USA – Standard Contractual Clauses


ii) Provider = New Relic 

Purpose: Measuring the performance of the website

Storage Period: 1 Year

Adequate level of data protection: USA – Standard Contractual Clauses

iii) Provider = Nethone 

Purpose: Fraud prevention

Storage Period: 1 Year

iv) Provider = Intercom 

Purpose: Enable customer support via chat

Storage Period: 1 Year

Adequate level of data protection: USA – Standard Contractual Clauses

v) Provider = AWS

Purpose: Operation of the website

Storage Period: 7 Days

Adequate level of data protection: USA – Standard Contractual Clauses

vi) Provider = GTM

Purpose: Storing cookie-consent

Storage Period: 1 Year

vii) Provider = Braze

Purpose: Customer Relationship Management

Storage Period: 1 Year

viii) Provider = Grover

Purpose: Country of origin recognition to customize the website

Storage Period: 1 Year

ix) Provider = Grover

Purpose: Language preference recognition to customize the website

Storage Period: 1 Year

x) Provider = Grover

Purpose: Recognition of logged in users

Storage Period: 1 Year

xi) Provider = Grover

Purpose: Enabling orders

Storage Period: 1 Year


9.2 Tracking technologies by third party providers to measure traffic statistics


We use web analysis tools to design our websites according to your needs. These create usage profiles based on pseudonyms. For this purpose, permanent cookies are stored on your end device and read out by us. In addition, it is possible that we access recognition features for your browser or terminal device (e.g. a so-called browser fingerprint or your unabridged IP address). In this way we are able to recognize returning visitors and count them as such.


In addition, we use the following function in the context of visitor traffic measurement:

  • We enrich the pseudonymous data with additional data provided by third parties. In this way, we are able to record demographic characteristics of our visitors, e.g. statements on age, gender and place of residence.


The data processing takes place on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or § 15 para. 3 sentence 1 TMG, if you have given your consent via our banner.


Which third-party providers do we use in this context?


In the following, we will name the third-party providers with whom we work in connection with visitor measurement. If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR. 

i) Provider = Google LLC (USA)

Maximum storage period: 2 years


Adequate level of data protection: No adequate level of data protection. The transfer is based on Art. 49 para. 1 lit. a GDPR.

Withdraw consent: If you want to withdraw your consent, please go to the footer of our website, click on the button ‘Data Preferences’ and make the appropriate setting via our banner. 


9.3 Third party tracking technologies for marketing purposes


We use cross-device tracking technologies to help us display targeted advertising on other websites based on your visit to our websites and to help us determine how effective our advertising efforts have been.


The data processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or § 15 para. 3 sentence 1 TMG, if you have given your consent via our banner. Your consent is voluntary and can be revoked at any time.


How does the tracking work?


When you visit our websites, it is possible that the third party providers listed below may call up recognition features for your browser or terminal device (e.g. a so-called browser fingerprint), evaluate your IP address, store or read recognition features on your terminal device (e.g. cookies) or gain access to individual tracking pixels.


The individual features can be used by third parties to recognize your terminal device on other Internet sites. We may commission the relevant third-party providers to display advertisements based on the pages visited on our website.


What does cross-device tracking mean?


If you log on to the third-party provider with your own user data, the respective recognition features of different browsers and end devices can be linked with each other. For example, if the third-party provider has created a separate recognition feature for the laptop, desktop PC, smartphone or tablet you use, these individual features can be assigned to each other as soon as you use a third-party service with your login data. This allows the third party to target our advertising campaigns across multiple devices.


Which third party providers do we use in this context?

In the following, we list the third party providers with whom we work for advertising purposes. If the data is processed outside the EU or EEA in this context, please note that there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR.



Withdraw consent 

If you want to withdraw your consent, please go to the footer of our website, click on the button ‘Data Preferences’ and make the appropriate setting via our banner. 

i) Provider = Facebook (USA and/or Ireland)

Maximum Storage period: 3 Months

Adequate level of data protection: No adequate level of data protection. The transfer is based on Art. 49 para. 1 lit. a GDPR.


ii) Provider = Google LLC (USA)

Maximum Storage period: 2 Years

Adequate level of data protection: No adequate level of data protection. The transfer is based on Art. 49 para. 1 lit. a GDPR.


iii) Provider = Criteo

Maximum Storage period: 1 Year

iv) Provider = Rakuten (LinkSynergy)

Maximum Storage period: 1 Year

v) Provider = Daisycon

Maximum Storage period: 1 Year


vi) Provider = TikTok (USA)

Maximum Storage period: 1 Year

Adequate level of data protection: No adequate level of data protection. The transfer is based on Art. 49 para. 1 lit. a GDPR.


10. Payment service provider

10.1 PayPal as payment method

We have integrated PayPal components on this website. PayPal is an online payment service provider. Payments are made through so-called PayPal accounts, which are virtual private or business accounts. In addition, PayPal has the ability to process virtual payments through credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also takes on trustee functions and offers buyer protection services.


The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.


If the data subject selects "PayPal" as a payment option during the order process in our online shop, data of the data subject will be automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transfer of personal data required for payment processing.


The personal data sent to PayPal are usually first name, last name, address, email address, IP address, telephone number, mobile phone number or other data required for payment processing. Personal data connected with the respective order are also necessary for the execution of the purchase contract.


The purpose of the transmission of the data is payment processing and fraud prevention. The controller will provide PayPal with personally identifiable information, in particular if there is a legitimate interest in the transfer. The personal data exchanged between PayPal and the controller may be transferred by PayPal to credit reporting agencies. This transmission is for the purposes of the identity and credit check.


PayPal may disclose personal information to affiliates and service providers or subcontractors, to the extent necessary to fulfill its contractual obligations or to process the data on behalf of the controller.


The data subject has the option to revoke the consent to the handling of personal data against PayPal at any time. A revocation has no effect on personal data which must be processed, used or transmitted for (contractual) payment processing.


PayPal's applicable privacy policy is available at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.


10.2 Visa and Mastercard as payment method

We use external payment service providers, through whose platforms the users and we can make payment transactions (e.g., each with a link to the privacy policy, Visa (https://www.visa.de/datenschutz) and Mastercard (https://www.mastercard.de/de-de/datenschutz.html)).


Payment transactions via the offered means of payment take place exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the address line of the browser changing from "http://" to "https://" and by the lock symbol in your browser line. In the case of encrypted communication, the payment details that you submit to us cannot be read by third parties.


Amongst the data processed by the payment service providers are inventory data, e.g. the name and the address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, summary and recipient-related information. The information is required to complete the transactions. However, the data entered will only be processed and stored by the payment service providers. We do not receive any account or credit card information, but only information with confirmation or negative disclosure of the payment. The data may be transmitted by the payment service providers to credit reporting agencies. This transmission is for the purpose of the identity and credit check. For this we refer to the terms and privacy policies of the payment service providers.


For the payment transactions, the terms and conditions and the privacy notices of the respective payment service providers, which are available within the respective websites or transaction applications, apply. We also refer to these for further information and for the assertion of rights of withdrawal, information and other data subject rights.


10.3 SEPA-Direct Mandate as payment method

We use external payment service providers through whose platforms you can issue a SEPA direct debit mandate (SEPA Express, B4Payment GmbH, Lilienthalstr. 8, 93049 Regensburg, Germany / UAB Finolita Unio, Lvovo str. 25, Vilnius, 09320 Lithuania / FinTecSystems GmbH, Gottfried-Keller-Str. 33, 81245 Munich).


The SEPA direct debit mandate is issued exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. With encrypted communication, your bank details that you transmit to SEPA Express cannot be read by third parties.


The data processed by the payment service providers include inventory data, such as the name and address, bank details, such as IBAN, account number, passwords, TANs and test number as well as the contract amount and recipient-related information. The information is required to complete the transactions. The data entered will be processed and saved by the payment service providers. In order to check the validity of the direct debit, we also have the option of obtaining information from the payment service providers regarding the name of the account holder, the account balance and processed chargebacks regarding the account specified. 


The terms and conditions and the data protection notices of the respective payment service providers apply to the payment transactions, which can be called up within the respective websites or transaction applications.


11. Which data protection rights do I have?

You have against us the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Article 20 GDPR). With regard to the right of access and the right to erasure, the restrictions stipulated in §§ 34 and 35 BDSG apply. You also have the right to object to data processing by us (Article 21 GDPR). Insofar as our processing of your personal data is based on consent (Art. 6 (1), sentence 1 (a) GDPR), you can withdraw it at any time; the lawfulness of the data processing carried out on the basis of the consent until the withdrawal remains unaffected.


To assert all these rights and for further questions on personal data related issues, you can always contact our data protection officer or our postal address (see paragraph 1).


In addition, you have the right to lodge a complaint with a supervisory authority - in particular in the EU Member State where your place of residence or your place of work or the place of alleged infringement is - if you believe that the processing of your personal data is contrary to the GDPR, or other applicable data protection laws (Art. 77 GDPR, § 19 BDSG).


12. To what extent is there automated decision-making in individual cases?

As part of the conclusion and performance of the contractual relationship, we use fully automated individual decision-making in the context of credit checks in accordance with Art. 22 GDPR. If you do not agree, you can notify us in writing or by e-mail to [email protected]. We will then re-examine the decision, taking your point of view into account.


13. Changes to our privacy policy

Our service may be changed from time to time, in particular to further enhance the functionality of our platform or our offers / services. Such changes may also affect the use of your personal information. For this reason, we reserve the right to change this privacy policy at any time. The current version is available on our website under the heading "Privacy Policy". Please inform yourself in this way regularly about the current status of the data protection information.


As of: 19.11.2020



Grover Group GmbH © 2020