Data Privacy Policy

Name and contact details of the controller responsible for processing and the company data protection officer

This Data Protection Policy applies to data processing by:

Controller: Chrono24 GmbH (hereinafter "Chrono24")
Haid-und-Neu-Strasse 18, 76131 Karlsruhe, Germany

E-mail:
Phone: 49 (0) 721 96693-0
Fax: 49 (0) 721 96693-990

The data protection officer of Chrono24 is contactable at the above address, Attn: Data Protection Department and via .

Collection and storage of personal data and the nature and purpose of its use

a) When visiting the website

When you visit the Chrono24 website, the browser you are using on your device automatically sends information to the server for our website. This information is temporarily stored in a log file. The following information is automatically collected and subsequently automatically deleted after a period of 20 weeks:

• the IP address of the querying computer
• the date and time of access
• the name and URL of the retrieved file
• the website from which access is occurring (referrer URL),
• the session ID
• the user agent
• the browser used and in some cases the operating system of your computer and the name of your access provider.

We process the aforementioned data for the following purposes:

• to ensure a trouble-free connection with the website
• to ensure convenient use of our website and optimise our platform
• to monitor and ensure system security and stability.
• to detect and prevent attacks on our website, and
• for other internal statistical and administrative purposes.

We never use collected data to reference you as a person. In the event of an attack on our network infrastructure however, your IP address will be identified in order to assert or defend against legal claims.

We process data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f of the General Data Protection Regulation (GDPR). Our legitimate interests proceed from the data collection purposes specified above.

We also use cookies and analytics services when you visit our website. For further details see points 5. and 6. of this Data Protection Policy.

b) Registering as a user on our platform

Buyers, private sellers and commercial merchants can create a user account on our platform. The mandatory data required to set up a user account must be entered under i), ii) and iii). This data is processed

• to identify you as our contract partner
• to enter into, structure, execute and amend contracts with you governing the use of our platform and services offered thereupon
• to assess the plausibility of the data entered
• to contact you as necessary for with any questions, and
• to assert any claims against you as necessary.

The data specified under points i), ii) and iii) are processed upon your placement of an inquiry for the purposes outlined above and are required for use of the platform in accordance with Article 6 para. 1 sentence 1 item b of the GDPR, and thus required for fulfilment of the contract and of pre-contractual actions.

Furthermore, if you use our platform as a seller, you must provide your taxpayer ID number (TIN). The processing of your taxpayer ID number is lawful under the terms of Art. 6(1)(c) GDPR, as we are required by law to report marketplace transactions to the relevant tax authorities.

You may have the option of providing voluntary information/data depending on the type of user account. We process voluntarily provided information/data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f GDPR. This information/data is used to facilitate contact with you and ensure rapid clarification of any questions.

After deletion of your user account your data are automatically deleted to prevent further use unless, in accordance with Article 6 para. 1 sentence 1 item c GDPR, it must be stored for a longer period of time pursuant to retention and documentation requirements under tax or commercial code (HGB, StGB, AO), or if you have consented to storage for a longer period of time in line with Article 6 para. 1 sentence 1 item a GDPR.

i) myChrono24 user accounts

The following mandatory data must be entered to register as a user (buyer) and set up a user account:

• a valid email address
• a password of your choice.

These constitute the login data for your user account.

You can also provide this voluntary user data:

• Your first and last name
• A profile picture
• Your address (street, post code, city/town, country)
• Your phone number.

ii) Registering and Logging in With Apple/Google (Third-Parties)

You can register for Chrono24 or log in to your Chrono24 account using a third-party provider. This means that you use your Apple or Google account as an authentication method to register for or log in to Chrono24.

If you decide to register or log in using a third-party provider, you will be taken to the respective interface from Apple or Google to enter your login information. Apple or Google will then indicate which data are transmitted to us for authentication purposes as part of the registration or login process. These are:

• Your first and last name
• Your profile picture, if available
• Your email address (unless you have selected "Hide My Email" in your Apple account)

If we do not recognize your email address, you will be asked if you already have a Chrono24 account. If you already have a Chrono24 account, you have the option of linking it to your third-party login. If you do not have a Chrono24 account, you can create one using your third-party login.

Data processing is carried out in accordance with Article 6, Paragraph 1, Sentence 1, Point f of the GDPR on the basis of our legitimate interest in enabling you to use an additional, more convenient service.

The purpose and scope of the data collection as well as the further processing and use of your data by Apple or Google, including your rights and setting options in order to protect your privacy, can be found in Apple's Privacy Policy and Google's Privacy Policy.

iii) Private sellers

To place sale offers as a private seller you must first have a user account (see i)). To place a sale offer on the platform you must enter the following data:

• Your first and last name
• Your address (street, post code, city/town, country)
• Your phone number
• Your date of birth, as well as
• Your taxpayer ID number

To sell your goods with the Escrow Service, you must first register for the Escrow Service as a private seller.

By registering for the Escrow Service, you are applying for an escrow account with the payment service provider Mangopay (https://www.mangopay.com/ ) of Leetchi SA (company seat at 59 Boulevard Royal, L-2449 Luxembourg). This account is then used to process your payouts within the framework of the Escrow Service.

In accordance with anti-money laundering and counter-terrorism finance laws, Leetchi Corp. is obligated to identify every seller on the basis of specified documents and other information.

When registering for the trustee service, the following data and documents are thus collected from you and forwarded onto Leetchi Corp. S.A.:

• Family name, first name, email address, date of birth as well as nationality and the country of residence.
• Information about which bank account should be used for the payments.
• A copy of a valid official ID document:
  • German identity card (front and reverse) for Germans, passport for foreigners resident in Germany or abroad.
  • Within the EEA: Passport or national ID card or driving licence. A residence permit for people from third-party countries.
  • Outside of the EEA: Passport or driving licence for the USA and Canada.

iv) Merchants

The following data must be entered to register as a commercial merchant:

• Your company name
• A contact person (first and last name)
• Your address (street, post code, city/town, country)
• A phone number
• A valid email address
• A username of your choice
• A password of your choice
• Your taxpayer ID number(s)
• Your commercial registration number

The following information is optional:

• A fax number
• A cell phone number
• A website

To activate two-factor authentication for your dealer account, you will receive a text message upon creating your account. This involves sharing your phone number with the cloud communications platform Twilio Inc. (645 Harrison St., Third Floor, San Francisco, CA, 94107, USA). Twilio Inc. conducts two-factor authentication using the phone number provided.

The legal basis for the processing of personal data is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR. Chrono24 GmbH's legitimate interests required by this clause are the general improvement of the marketplace's security and the associated optimization of the transaction process.

We use Twilio Inc.'s services for conducting this form of two-factor authentication. We have signed a data processing agreement with Twilio Inc. as laid out in Article 28 of the GDPR. With this agreement, Twilio Inc. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Twilio Inc. is located in the United States of America. For EU citizens, this means the transfer of their phone numbers to a third country. Data transfer to the USA is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Twilio Inc. has implemented additional measures to ensure adherence to an appropriate level of data protection.

By registering as a professional dealer on Chrono24, it is possible that we will send you print mail to keep you up to date on the latest watch trends. This involves forwarding the following personal data to the corresponding service provider:

• Your first and last names
• Your address

The legal basis for the processing of personal data is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR. Chrono24 GmbH's legitimate interest required by this clause is the implementation of direct mail. This is a legally recognized legitimate interest under Recital 47 of the GDPR.

It is also possible to register as a professional dealer via the contact form displayed as an advertisement on LinkedIn. We use the data you provide us to contact you about the registration as a professional dealer on Chrono24. If you use the contact form, the following personal data will be processed:

• Your first and last name
• Your email address
• Your business phone number

The legal basis for the processing of personal data is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR. Chrono24 GmbH's legitimate interest required by this clause is the communication stated above.

When contacting you, the data you provide us will be stored in Salesforce, the CRM solution from Salesforce.com, Inc. (415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA). We have signed a data processing agreement with Salesforce.com, Inc. as laid out in Article 28 of the GDPR. With this agreement, Salesforce.com, Inc. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Salesforce.com, Inc. is located in the United States of America. For non-US residents, this means the transfer of personal data to a third country. Data transfer to the USA is permitted since we have signed standard data protection clauses as laid out in Article 46, Paragraph 2, Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46, Paragraph 1 of the GDPR. Furthermore, Salesforce.com, Inc. has implemented additional measures to ensure adherence to this level of data protection.

c) Using the internal messenger on our platform

As a registered user, you are able to use the internal messenger provided on the website to communicate with us or with a dealer/buyer/private seller on the platform. Registration is required to use the internal messenger on the platform (see 2. b).

When you use our internal messenger on the platform, messages that you send will be scanned and analyzed by us, both automatically and manually. The purpose of doing so is to

• prevent fraud,
• detect any illegal activities and violations of our general terms and conditions,
• and improve our communication and customer services.

The basis for this data processing is our legitimate interests pursuant to Art. 6(1) sentence 1 (f) GDPR. The GDPR recognizes data processing for the aforementioned purposes as a legitimate interest.

You can manage messages you have sent and received on your own or submit a request to have them deleted by us. In the event of a fraud attempt, an illegal activity or a violation of our general terms and conditions, we may continue to store any relevant messages based on our legitimate interests pursuant to Art 6(1) sentence 1 (f) GDPR for use as evidence and for establishing, exercising or defending our legal rights, even after you have submitted a deletion request.

d) Automated customer profile creation

We create a customer profile for your user account in order for you to use our platform as a registered user/merchant. We categorise your customer profile and supplement it with additional data so that you only receive information likely to be of interest to you. To do so we utilise this data:

• Your personal information (e.g., your basic profile information);
• The length of your membership;
• Statistical information (e.g., the type, frequency, and intensity of your website's usage); and
• A history of the listings, brands, and sellers you've visited.

We process the aforementioned data for the following purposes:

• For statistical evaluation
• For market research
• To ensure smooth functioning of the platform and to design the platform around user needs
• To personalise our services, and
• To deliver advertising to you which is exclusively targeted to your actual or predicted needs so as to eliminate irrelevant advertising.

We process data in accordance with our legitimate interests in line with Article 6 para. 1 sentence 1 item f GDPR. Data processing for the aforementioned purposes is a recognised legitimate interest in accordance with the GDPR.

You may file objection to the creation of a user profile and/or the evaluation and personalisation of our services or advertising at any time by clicking on this link, in which case processing will be stopped and your user profile will be immediately deleted unless you have consented to longer data retention per Article 6 para. 1 sentence 1 item a GDPR.

You may alternatively file objection at any time via e-mail to .

e) Using the Escrow Service

A user account is required to initiate and complete purchases from dealers/private sellers with our Escrow Service (see point 2.b)i)). Furthermore, you must provide the following information:

• Your first and last name,
• your address (street, postcode, city/town, country) and
• your phone number.

The listed information is processed by us for the following purposes:

• to check and identify who the dealer/private seller’s contract partner is;
• to support the justification, content design and execution of the purchase contracts; and
• where required to make the necessary contact with you in case of further queries.

In case you request a purchase offer with a dealer/private seller or conclude a purchase contract with the dealer/private seller, we also transfer your personal data to the dealer/private seller for the purposes stated above.

The processing of your aforementioned data takes place on your request and is required in accordance with Art. 6 (1) (1) (b) GDPR for the aforementioned purposes for the use of the platform and thus for the fulfilment of the contract and pre-contractual measures.

f) Paying on Chrono24 via credit card or bank transfer

Upon entering a sales agreement for a watch, you can pay the amount due via credit card or wire transfer. To ensure the general processing of these payment methods and prevent attempted fraud, payments are processed by the service provider Mangopay SA (10 Boulevard Royal, L-2449, Luxembourg). This involves forwarding the following personal data to Mangopay:

• Your first and last names
• Your address
• Your bank account or credit card information

This data is processed based on Article 6 Paragraph 1 Sentence 1 Point (b) of the General Data Protection Regulation (GDPR) since it is necessary for the performance of a contract to which the data subject is party.

You can find more information in Mangopay's data privacy policy (https://www.mangopay.com/de/privacy/ ).

If you pay via credit card, you can also have the payment processed by the service provider Checkout Ltd. (54 Portland Place, London, W1B 1DY, United Kingdom). This involves forwarding the following personal data to Checkout:

• Your first and last names
• Your email address
• Your billing address
• Your shipping address (if different from the billing address)

This data is also processed based on Article 6 Paragraph 1 Sentence 1 Point (b) of the General Data Protection Regulation (GDPR) since it is necessary for the performance of a contract to which the data subject is party.

Checkout Ltd. is located in the United Kingdom. For EU citizens, this means the transfer of their personal data to a third country. Data transfer to the United Kingdom is permitted since the European Commission has made an adequacy decision for the United Kingdom as described in Article 45 Paragraph 3 of the GDPR. Thus, the United Kingdom offers an adequate level of protection for transferred personal data. You can find more information in the European Commission's statement .

Furthermore, you can read Checkout's data privacy policy here .

g) Registering for our newsletter

We use your e-mail address to send you our personalised regular newsletter if you have expressly consented thereto in accordance with Article 6 para. 1 sentence 1 item a GDPR. To receive the newsletter it suffices to provide your e-mail address.

To receive more personalised newsletter content you can create a customer profile about you based on your collected personal data. This data relates to personal preferences such as product affinities observed on the basis of orders, interests, purchase decisions, preferred shopping time, etc. and is automatically processed and analysed so that relevant offers are predicted for you. Profiling may also be performed without consent on the basis of Article 6 para. 1 item f GDPR given a legitimate interest (see item 2.c) ).

We may also use your e-mail address without your express consent to send you information about similar products of our company if you are an existing customer and have not objected to the use of your e-mail address. Processing for purposes of marketing to existing customers is done on the basis of our legitimate interests in accordance with Article 6 para. 1 sentence 1 item f GDPR. Processing of your e-mail address for the purpose of direct marketing is a statutorily recognised interest under the GDPR.

In either case you can unsubscribe at any time, such as via link at the end of each newsletter. Alternatively, you can unsubscribe at any time by e-mail to .

For the purpose of mailing our newsletter, we use the Mailchimp tool developed by The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how service providers handle data here: https://mailchimp.com/legal/privacy/.

If you have given us your consent on the basis of Article 6, Paragraph 1, Sentence 1, Point (a) of the General Data Protection Regulation (GDPR), we will transmit your email address to our partners, Chrono24 Direct GmbH, Mendelejewstr. 2, 09117 Chemnitz, Germany and Fratello Watches B.V., Het Kleine Loo 284, 2592CK, The Hague, The Netherlands. Our partners will use your email address to send you personalized newsletters with offers, deals, and the latest releases. Once we have your email address, you will receive these newsletters; no other action is needed.

Cancellation is possible at any time, e.g. by clicking on the link at the end of every newsletter. Alternatively, you are welcome to send your cancellation request by email to .

h) Using our contact form

You can use a form provided on the website to contact us with questions or contact a merchant or private seller. If you wish ask your question to a merchant or private seller, we forward your contact inquiry to them. For the use of the contact form, the following data is required, without exception:

• a valid e-mail address and
• Your specific question or message.

We process the aforementioned data for the following purposes:

• to identify you
• to answer your question, and
• for forwarding to the relevant merchant or private seller as necessary.

Additionally, you can voluntarily provide your name and telephone number to enable quicker contact.

When you use our contact form, we may scan and analyse your message. This is done for fraud prevention purposes and to generally improve communication and customer service.

Data is processed upon placement of your inquiry, and such processing is required for the above purposes to fulfil the contract and pre-contractual actions in accordance with Article 6 para. 1 p. 1 item b GDPR. Data from contact inquiries is also processed on the basis of our legitimate interests per Article 6 para. 1 sentence 1 item f GDPR. These interests proceed from the aforementioned purposes.

Personal data we collect when you use the contact form is automatically deleted upon completion of your inquiry.

i) When contacting us via WhatsApp

We also offer you the option of contacting us via WhatsApp using a widget, which is visible when you use Chrono24.de under “You have questions”. To use this service, you must provide the following information:

• Your cellphone number
• Your specific question or message

We process the data listed above for the following purposes:

• to identify you
• to reply to your message

We may also be able to view your WhatsApp profile image due to your privacy settings.

When you contact us via WhatsApp, we may also scan and analyze your message. We do so to prevent fraud and generally improve communication and customer service.

When you contact us via WhatsApp, your data is processed on the legal basis of Art. 6(1)(1)(f) GDPR. Our legitimate interest required to do so is based on facilitating contact, enhancing the effectiveness of our response to your questions and the above-mentioned purposes.

Your messages will be received by a smartphone dedicated to contact with you. Your contact with us will not be saved and any personal data we collect will be deleted manually once your concerns have been addressed.

We use the services of WhatsApp, Inc. for this form of contact. We have concluded an order processing agreement with WhatsApp, Inc. in accordance with Art. 28 GDPR. This contract guarantees that WhatsApp, Inc. processes the data on our behalf in accordance with the General Data Protection Regulation and protects the rights of the data subject.

j) HubSpot

We use HubSpot (2nd Floor 30 North Wall Quay, Dublin 1, Ireland) to improve our online marketing activities. This is a software solution with which we cover various aspects of our online marketing.

In particular, this includes:

• Email marketing
• Reporting
• Contact management
• Contact forms

This information is stored on the servers of our software partner HubSpot. It can be used by us to get in touch with visitors to our website and to determine which of our company’s services are of interest to you. The following personal data is collected:

• Email addresses
• First and last names
• Customer data

The processing of your data is based on our legitimate interest in accordance with Art. 6(1)(f) GDPR. This results from the optimization of our activities in online marketing.

All data that we collect is subject to the privacy policy and will be used exclusively for the aforementioned purpose.

You can find more information about the HubSpot privacy policy here.

k) Using the chatbot

We offer a chatbot, giving you the opportunity to ask questions around the clock, which will be answered immediately. You can also contact us using the digital form.

If you use any input fields, the data you enter – such as your email address and your name – will be recorded by us to answer your questions. The legal basis is Art. 6 para. 1 sentence 1 item b and Art. 6 para. 1 sentence 1 item a of the General Data Protection Regulation (GDPR).

When the chatbot is used for the first time, a Universally Unique Identifier (UUID) is assigned to the user once. This allows an interrupted conversation, search or input with the chatbot to be continued at any time (similar to cookies on websites). It is also stored in events. The UUID remains stored in the browser and assigned to the user until local data is deleted. In order to continuously improve the quality of the chatbot, we record events such as “Bot was displayed” and click events such as “User clicked on answer X”.

The data entered into the chatbot is collected by our order processor (Solvemate, Tempelhofer Ufer 1, 10961 Berlin) and is made available to us for the purpose of evaluation.

l) When submitting a comment in our magazine

You can post a comment on articles in the magazine at https://www.chrono24.co.id/magazine/. The following data must be provided, without exception in order to post a comment:

• Your name
• a valid e-mail address
• the comment.

Posting comments on articles is voluntary. We utilise your personal data to publish your comments and allow other users to respond to them. We require your e-mail address to contact you and pursue any legal violations.

Your data are processed for the above purposes on the basis of our legitimate interests per Article 6 para. 1 sentence 1 item f GDPR.

To post comments to our magazine, we use the Discourse tool from service provider Civilized Discourse Construction Kit, Inc. (410 Clayton Ave. El Cerrito, CA, 94530-3729, USA) – hereinafter "CDCK". A so-called data processing agreement according to Article 28 of the GDPR was signed with CDCK. With this agreement, CDCK ensures that they process data in accordance with the GDPR and guarantees the protection of the data subject's rights.

CDCK is located in the United States of America. For users located outside of the US, this means the transfer of personal data to a third country. Data transfer to the USA is permitted since we have signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, CDCK has implemented additional measures to ensure adherence to this level of data protection.

You can find more information about how service providers handle data here: https://www.discourse.org/privacy.

m) Customer ratings via Trustpilot

Your opinion about our products and our service is important to us. We therefore offer you the option of submitting a rating about our platform via Trustpilot A/S's rating service at www.trustpilot.com (Pilestræde 58, 3rd floor, 1112 Copenhagen K, Denmark, hereinafter "Trustpilot"). If you submit a rating, it will be published on our website and on the Trustpilot website. We however reserve the right to delete or not publish the rating.

Upon successful completion of a purchase, you will receive an email from us requesting you to rate our platform and our service. The email will contain a "Business Generated Link" from Trustpilot that will allow you to access Trustpilot and submit a rating regarding your transaction. The "Business Generated Link" will include your first and last name, your country of origin (for example, Germany), your email address and the transaction ID. After you click on the link, your personal information will be transmitted to Trustpilot, so that we can assign your rating to your purchase and ensure the rating's authenticity.

We have signed a data processing agreement with Trustpilot for the use of the rating service. With this agreement, Trustpilot ensures that they process data in accordance with the General Data Protection Regulation and ensure the protection of the data subject's rights.

Ratings submitted directly to Trustpilot can also be published on our website, provided that we were able to ensure the rating's authenticity.

Data processing as part of customer rating via Trustpilot takes place on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. By doing so, we want to ensure the needs-based design and optimisation of our website.

For more details on the purpose and scope of data processing by Trustpilot, please refer to Trustpilot's Privacy Policy.

n) Customer reviews on Sitejabber

If you have a billing address in the United States, we invite you to leave us a review on www.sitejabber.com (GGL Projects, Inc. 1528 South El Camino Real, Suite 110, San Mateo, CA 94402, USA). Any review you leave will be published on Sitejabber.

Upon completing your purchase, we will send you an email asking you to review our platform and services. The email will include a "Review request" from Sitejabber. This will take you to Sitejabber's website, where you can leave a review of your transaction. The "Review request" will contain your first and last names, email address, transaction ID, and transaction date. Once you click on the link, your personal information will be forwarded to Sitejabber so that we can match your review to your purchase and guarantee the review's authenticity.

The legal basis for data processing as part of customer reviews on Sitejabber is our legitimate interest per Article 6 Paragraph 1 Point (f) of the GDPR. Data processing enables us to develop needs-based designs and optimize our website based on the information and feedback in customer reviews.

We have signed a data processing agreement, as laid out in Article 28 of the GDPR, with Sitejabber for the use of their review service. With this agreement, Sitejabber ensures that they process data in accordance with the General Data Protection Regulation and guarantees the protection of the data subject's rights.

Sitejabber is located in the United States of America. For EU citizens, this means the transfer of personal data to a third country. Data transfer to the USA is permitted since we have signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Sitejabber has implemented additional measures to ensure adherence to this level of data protection.

o) When using Watch Collection

You have the option of maintaining and managing your watch collection online in your personal Watch Collection by adding watches, storing data and uploading your own pictures of your watches. You can view and manage the Watch Collection from home or on the road. You can also use the Watch Collection to keep an eye on watches that you do not yet own. And you can likewise use the Watch Collection to quickly and easily estimate the value of your watch.

We automatically collect the following data in the process:

• Reference number, brand, model, condition of the watch
• Watch ownership status

You can also specify the purchase price, time and place of purchase and upload a picture of your watch. This information is nevertheless provided only voluntarily.

We process the data listed above for the following purposes:

• to document and assess the value of the user’s personal collection
• to register the user’s interest in individual watches they do not yet own
• to perform a statistical evaluation of everything related to our users’ watches
• to expand our product catalog to include watches previously unknown to us

The data we collect is person-related rather than personal. Person-related data is data with no direct reference to a person from which a person’s identity can be derived. We thus also require a legal basis for processing person-related data.

The processing of such person-related data is based on our legitimate interest in accordance with Art. 6(1)(1)(f) GDPR.

Our legitimate interest in this case is to use the Watch Collection as a source of information on the watch market by statistically evaluating the data in order to enhance our know-how about the current market situation and to optimize our services to better meet the demand in the future.

If you have given your express consent in accordance with Art. 6(1)(1)(a) GDPR, the listed data will also be used for the purchase and sale of the watches in your Watch Collection.

p) Purchase and Sale of Watches in Cooperation with Our Partner Companies

If you've decided to sell your watch directly to Chrono24 and have given your express consent to do so in accordance with Art. 6(1)(1)(a) of the General Data Protection Regulation (GDPR), we will contact you by email and submit a purchase offer in cooperation with Zeitauktion GmbH. For this purpose, the following personal data will be transmitted to Zeitauktion GmbH:

• Your first and last name
• Your email address
• Any message you have left
• Information about the watch for sale (brand, model, reference number)
• Your phone number

The processing of your information for the purpose of transmitting it to Zeitauktion GmbH will occur only after you have given your express consent in accordance with Art. 6(1)(1)(a) GDPR.

We offer the watch purchasing service in cooperation with our subsidiaries, Chrono24 Direct GmbH and Xupes Watches Ltd., and our partner company Zeitauktion GmbH. In doing so, the following personal information is transmitted to Chrono24 Direct GmbH, Xupes Watches Ltd., and Zeitauktion GmbH:

• First and last name
• Address
• Message from the customer to the dealer’s account

The data listed above is collected in order to sell the watch to customers and ship the sold watch.

In cooperation with Zeitauktion GmbH, we also offer advice in all matters relating to direct sales. In order to provide you with professional support and process your request as quickly as possible, the following personal information will be transmitted to Zeitauktion GmbH:

• First and last name
• Telephone number
• The customer’s concerns

The data listed above is processed upon your request and, according to Art. 6(1)(1)(b) GDPR, is necessary for the smooth processing of the purchase transaction and thus for fulfilling the contract and pre-contractual measures.

q) Collection of personal data from third parties

On rare occasions, users may communicate to us personal data from third parties (e.g. authorised representatives, contact persons, different account holders). In such instances where we collect personal data – not from the third party data subjects themselves, but rather through our users – our contractual partners are required to provide information only with the knowledge of the third party data subject. In particular, this includes information about us as the data controller, as well as the disclosed data and the purpose of said disclosure. In all other respects, this data protection information applies to third party data subjects, to the extent that said information is not only relevant for contractual partners. This includes, in particular, information about us as the data controller and our data protection officer, as well as information about the rights of data subjects. Should we, as an exception, receive contact data for a third party data subject, we will inform the data subject directly. However, we do not typically request contact data from third parties. We will only use the third party information for the intended purpose (e.g. necessary contact, payment processing using the account details provided). The data of third party data subjects will be deleted at the latest upon the deletion of the data pertaining to the stated person, or if this person amends or deletes the data concerned. The legal basis for the processing of the data of third party data subjects is Article 6 (1) 1 f GDPR, where said processing is necessary for the pursuit of our legitimate interest in granting our contractual partners the opportunity to involve third parties.

r) Participation in user studies

You are offered the opportunity to participate in user studies on the platform. The purpose of these voluntary user studies is to gather targeted insights into users' behavior, needs, and motivations. This helps optimize Chrono24's platform, apps, products, and processes.

Depending on which user study you participate in, we will use either SurveyMonkey or Hotjar as the survey provider.

When you participate in a user study using SurveyMonkey from the service provider Momentive, Inc., the following personal data is transmitted to them:

• Date and time of participation and submission of the form
• Groups of personal data, e.g., age group (19-29)
• Your IP address

These data are processed in accordance with Article 6(1)(a) GDPR provided you have given your consent.

We have signed a data processing agreement with Momentive, Inc. (One Curiosity Way, San Mateo, CA 94403, USA) as laid out in Article 28 GDPR. With this agreement, Momentive, Inc. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Momentive, Inc. is located in the United States of America. For those outside of the USA, this means data are transferred to a third country. This data transfer is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46(2)(c) GDPR, thus guaranteeing a sufficient level of data protection in accordance with Article 46(1) GDPR. Furthermore, Momentive, Inc. has implemented additional measures to ensure adherence to an appropriate level of data protection.

If you decide to participate in a user study, you may be forwarded to a screening questionnaire created with a tool called Hotjar. This questionnaire checks whether you are a good match for the study. This involves the processing of the following data:

• Your name
• Your email address
• Your phone number

With your consent, this data is processed based on Article 6 Paragraph 1 Sentence 1 Point (a) of the General Data Protection Regulation (GDPR).

For the questionnaires, we work with the service provider Hotjar Ltd. (Level 2, St. Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta). Chrono24 GmbH has signed a data processing agreement with Hotjar Ltd. as laid out in Article 28 of the GDPR. With this agreement, Hotjar Ltd. guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Furthermore, in the questionnaire, you will be asked which additional processing of your personal data you consent to as part of the user study. With your consent, the following processing occurs according to Article 6 Paragraph 1 Point (a) of the GDPR:

• Recording the conversation
• Sharing and recording your screen

The recording facilitates the internal evaluation of the study and is deleted upon the study's completion. It takes place using the video and telecommunication software called Zoom. Zoom is a service provided by Zoom Video Communications Inc. (55 Almaden Blvd., 6th Floor, San Jose, CA 95113) in the United States of America. For those outside the USA, this means personal data is processed in a third country. We have signed a data processing agreement with Zoom Video Communications as laid out in Article 28 GDPR.

Both parties have also agreed to standard data protection clauses that guarantee an adequate level of protection. Furthermore, we have implemented additional security measures by changing our Zoom configurations so that all "online meetings" are only processed by data centers in the European Union, European Economic Area, or secure third countries like Canada or Japan.

s) After-sales activities through an external call center

To improve the lead time of after-sales calls, we make use of a call center. If you potentially initiated a purchase on the platform, you will be forwarded to a call center so that you can be called to confirm whether or not a sale took place. This involves forwarding the following personal data to the call center:

• Your first and last names
• Your phone number

Personal data is processed according to Article 6 Paragraph 1 Sentence 1 Point (f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH's legitimate interests required by this clause are the improvement of the lead time of after-sales calls and the associated improved customer experience.

We use the services of Termitel GmbH (Zehntwiesenstr. 37, 76275 Ettlingen, Germany) to conduct after-sales calls. Chrono24 GmbH has signed a data processing agreement with Termitel GmbH as laid out in Article 28 of the GDPR. With this agreement, Termitel GmbH, as the call center operator, guarantees that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

t) Using the Private Client Advisor Service

If you make use of our Private Client Advisor Service, we will process your data to provide the following services:

• Personal data from your contact request or Chrono24 account so we can contact you.
• Information about your use of the Chrono24 marketplace and its features (e.g., the Notepad, saved searches, the Watch Collection) to help search for watches and provide you with suitable watch offers.
• Information about ongoing requests and orders to offer you proactive support on our platform.
• Your previous communication with Chrono24 to have an overview of what's already been discussed.

The legal basis for data processing is your permission according to Article 6 Paragraph 1 Point (a) of the GDPR. You can revoke this permission at any time in your user account or by sending an email to support@chrono24.com.

u) Translation of User-Generated Content

In order to translate dealer reviews, messages sent via the Chrono24 Messenger, and listing descriptions, we use the Google Translate API from Google, Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). We also use the DeepL Translate API from DeepL SE (Maarweg 165, 50825 Cologne, Germany).

Personal data may be transmitted depending on the content that is translated.

The legal basis for the processing of personal data is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR. Chrono24 GmbH's legitimate interest lies in the purposes outlined above and the associated user-based design of the website, in particular the removal of language barriers for communicating user-generated content.

We have signed data processing agreements with Google, Inc. and DeepL SE pursuant to Article 28 of the GDPR. With this agreement, the service providers guarantee that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Google, Inc. is located in the United States of America. For those outside of the USA, this means the transfer of the translated content to a third country. This data transfer is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46, Paragraph 2, Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection in accordance with Article 46, Paragraph 1 of the GDPR. Furthermore, Google, Inc. has implemented additional measures to ensure adherence to an appropriate level of data protection.

v) Recording of Calls

For quality assurance and training purposes, and with your consent, we record incoming calls. The following personal data are processed for this purpose:

• Audio data
• Content of the conversation

Data are only processed by the employees involved in the call and their supervisor. Third parties do not have access to your personal data.

These data are processed in accordance with Article 6(1)(a) GDPR provided you have given us your express consent.

Call recordings are only stored for 90 days and deleted thereafter.

Disclosure of data

We only disclose your personal data to third parties if:

• you have expressly consented thereto in accordance with Article 6 para. 1 p. 1 item a GDPR
• there is a legal disclosure obligation pursuant to Article 6 para. 1 sentence 1 item c GDPR
• disclosure is required pursuant to Article 6 para. 1 sentence 1 item f GDPR in order to assert or defend against claims or exercise legal rights and there are no grounds to assume that you have a prevailing legitimate interest in non-disclosure of your data.

a) Disclosure Within the Context of Tax Reporting Obligations

In the course of implementing EU Directive 2021/514 pertaining to administrative cooperation in the field of taxation and the modernization of procedural tax law (hereinafter “DAC7”), we, as the platform operator, are obligated to process information about persons and companies that perform certain paid activities with the assistance of our platform. For the purposes of taxation, these details must be reported annually to the German Federal Central Tax Office, together with information about the nature and scope of these activities. The German Federal Central Tax Office subsequently forwards the data reported by us to the responsible tax authorities in Germany or their counterparts in other EU member states.

Accordingly, the following personal information will be transmitted to the German Federal Central Tax Office on an annual basis, provided that you are subject to mandatory reporting:

• Your first and last name
• Your address
• Your taxpayer ID number(s)
• Your date of birth, as well as
• Your VAT ID number (if applicable)

If you are registered as a commercial dealer, we as a platform operator are also obligated by the DAC7 to transmit the following information to the German Federal Central Tax Office on an annual basis, provided that you are subject to mandatory reporting:

• Your company name
• Your address
• Your taxpayer ID number(s)
• Your VAT ID number, as well as
• Your commercial registration number

As soon as you sell a watch on Chrono24, you are deemed a vendor and subject to mandatory reporting.

The transmission of your personal data to the German Federal Central Tax Office is lawful pursuant to Art. 6(1)(1)(c) GDPR, as we, as a platform operator, are obligated to do so pursuant to Section 13 DAC7.

We are further obligated to transmit the following data to the German Federal Central Tax Office:

• Your bank account number
• Any additional information that serves to identify the account holder
• Every EU member state in which you are considered a resident, broken down quarterly
• Any fees, commission, or taxes charged or withheld by us during the reporting period
• The total remuneration paid or credited during the reporting period, as well as
• the number of relevant activities for which remuneration was paid or credited during the reporting period

In the course of transmitting the information described above to the German Federal Central Tax Office, you may continue to assert your rights as a data subject pursuant to Section 12 of our Data Privacy Policy.

b) Information pursuant to Art. 26(2)(2) GDPR on joint responsibility for the processing of personal data
about joint responsibility for the processing of personal data

i) Chrono24 GmbH and Subsidiaries

Chrono24 and our subsidiaries (hereinafter jointly referred to as “parties” or “we”) work closely together in many areas due to our organisational structure. We use uniform EDP systems across all our businesses and operate joint databases in which, in particular, customer data from both parties is processed.

In doing so, we process the personal data of dealers and users of the online platforms of Chrono24 as joint controllers in accordance with Article 26 GDPR. Due to this joint responsibility, we have concluded an agreement with regard to the personal data concerned.

Chrono24 is responsible for the processing of personal data as far as this relates to the provision of EDP systems and internal databases to customers.

Both parties are responsible for entering data into the internal databases and maintaining the records of personal data of both registered and unregistered platform users, as well as personal data of registered dealers.

As part of our joint responsibility, we have in particular also agreed the specific obligations under the GDPR that each party shall fulfil. This concerns, in particular, the exercise of the rights of data subjects and compliance with the information obligations under Articles 13 and 14 GDPR.

Both parties have agreed that Chrono24 shall publish on its platforms the information required in accordance with Articles 13 and 14 GDPR relating to joint data processing and the essential content of the processing conditions.

Both parties shall also inform each other of data protection rights asserted by affected users. They shall provide each other with all the information necessary to respond to requests for information.

Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 undertakes to comply with the rights of data subjects to information about, correction, erasure or blocking of their personal data upon request.

ii) With Dealers on Chrono24 GmbH

We and our contractual partner (hereinafter “dealer”) work together contractually in connection with the online marketplace for watches. Chrono24 operates the online platform on which the respective dealer can sell and buy watches.

In this context, Chrono24 and the respective dealer process the personal data of users of the platform as jointly responsible parties, under Article 26 GDPR. Chrono24 and the respective dealer have concluded an agreement based on this joint responsibility with regard to the personal data concerned.

Under this agreement, Chrono24 is responsible for the processing of personal data, as far as it concerns the techniques for analyzing the behavior of users on the website, the statistical evaluation and provision of statistical data for the dealer, and the transmission of customer contact data for the purpose of order processing/shipping. The respective dealer, on the other hand, is responsible for the processing of personal data, insofar as this concerns the parameterization of statistical data via the drop-down function and the receipt and use of contact data for shipping the object of purchase.

Chrono24 and the respective dealer have in particular also agreed, in the context of the joint responsibility, which of them will fulfil which obligation under GDPR. This concerns in particular the exercise of the rights of the data subjects and the fulfilment of the information obligations under Articles 13 and 14 GDPR.

Both parties have stipulated that Chrono24 shall publish on its platform the information required under Articles 13 and 14 GDPR with regard to the data processing regulated within the scope of joint responsibility as well as the essential content of the processing conditions.

Both sides shall also inform each other of any data protection rights asserted by affected users. They shall provide each other with all information necessary to respond to requests for information.

Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 shall comply with the obligation to provide information, as set out in Art. 15 GDPR, and to provide the persons concerned with the information they are entitled to, as set out in Art. 15 GDPR, on request.

iii) Agreement Between Mangopay and Chrono24 for 1099-K Reporting to the IRS

We have a concluded a contract with Mangopay S.A. (2 Avenue Amélie, L-1125 Luxembourg; hereinafter: Mangopay) to carry out reporting related to Form 1099-K as required by the IRS. Accordingly, sellers in the USA who generated transactions of 600 USD or more in the 2022 calendar year must file a Form 1099-K with the IRS. Mangopay, as a payment service provider, is obligated to report to the IRS sellers in the USA who are required to file such forms. To this end, as a platform operator, we ask sellers in the USA to provide the required taxpayer identification numbers as part of the registration process. We then transmit these taxpayer identification numbers to Mangopay in order to ensure that both Mangopay and Chrono24 can fully comply with their legal obligations to the IRS.

If you are a seller located in the USA, we will process your taxpayer identification number with Mangopay as joint controllers on the basis of Article 26 of the GDPR. We have entered into a corresponding agreement for this joint responsibility with regard to the personal data concerned.

Chrono24 is responsible for collecting the taxpayer identification numbers required for 1099-K reporting to the IRS. Mangopay is responsible for carrying out the reporting.

Within the scope of the joint responsibility established and as part of our agreement with Mangopay, we have also determined which party fulfills the specific obligations laid down in the GDPR. This relates in particular to the rights of the data subjects and the fulfillment of the information obligations in accordance with Article 13 and Article 14 of the GDPR.

Mangopay and Chrono24 shall communicate to each other any data protection rights asserted by affected users. Both parties shall provide each other with all data necessary to respond to requests for information.

You may assert your rights as a data subject under Section 12 of this Data Privacy Policy both with Chrono24 and with Mangopay. We undertake to comply with the rights of data subjects to request information, rectification, erasure, and blocking of personal data, provided that there are no other precluding legal provisions.

Visibility of your data to third parties

a) As user and private seller

Personal data stored in connection with your user account (myChrono24, see items 2.b) i) and ii) ) cannot be viewed by third parties unless you have published offers on the platform. When you publish an offer on the platform as a private seller, registered and unregistered users will only be able to see your provider data on the platform if have expressly consented to their publishing in accordance with Article 6 para. 1 sentence 1 item a GDPR.

b) As merchant

If you are registered as a merchant and publish offers on the platform, registered and unregistered users can view your provider data on the platform (as per item 2.b) iii)). You can restrict the visibility of your data during registration so that your address is not displayed, and thereafter in your profile settings.

The publication of the merchant data is required to fulfil and execute the contract between Chrono24 and the merchant as part of use of the platform in accordance with Article 6 para. 1 sentence 1 item b GDPR.

Cookies and pixels

We use cookies and pixels on our website (hereinafter collectively referred to as “scripts”) to statistically record the use of our website and to evaluate this for the purpose of optimizing our offer for you (see Section 6). These scripts allow us to recognize automatically that you have previously visited us when you revisit our website. The scripts used on our website are divided into those that are technically necessary and those that are not.

Where in the case of technically necessary cookies personal data is also processed, this processing is based on our legitimate interests in accordance with Art. 6(1)(f) GDPR. Our ability to operate our website without interference is considered a legitimate interest within the meaning of the aforementioned provision. Scripts that are not technically necessary will only be activated following your prior express consent. For information on the specific scripts used, see Section 6.

a) Cookies

Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not harm your device and do not contain any viruses, Trojans or other malicious software.

The cookie stores information that arises in connection with the specific device used. This does not mean, however, that we obtain direct knowledge of your identity.

On the one hand, cookies are used to make using our offer more pleasant for you. For example, we use what are known as session cookies to recognize that you have already visited individual pages of our website or have already logged into your user account. These will be automatically deleted after you leave our site.

In addition, we also use temporary cookies, which are stored on your device for a specified time, to optimize the user experience. If you revisit our site to use our services, we will automatically recognize that you have already visited us and which entries and settings you have made, to save you from having to re-enter them.

Most browsers accept cookies automatically. However, you can configure your browser to reject cookies or to notify you before a new cookie is saved. Complete deactivation of cookies can, however, mean you are unable to use all of the functions of our website.

b) Pixels

Pixels, also known as tracking pixels, are small 1x1 pixel GIF files that can be stored in graphics or emails, e.g. when you visit a website. Pixels also do not harm your device and do not contain any viruses, Trojans or other malicious software.

The pixels send to a web server your IP address, the referrer URL of the visited website, the time at which the pixel was viewed, the browser used and previously saved cookie information. This makes it possible for us to carry out reach measurements and other statistical evaluations to optimize our platform and our offer.

Most browsers accept pixels automatically. You can prevent the use of pixels on our pages by using appropriate tools or browser add-ons (e.g. via the “AdBlock” add-on for Firefox).

Analysis tools

a) Tracking tools

The following tracking measures are used on the basis of Art. 6(1)(a) GDPR, i.e. your consent. You can withdraw your consent separately for each individual tool with effect for the future at any time with the help of the Consent Manager, which you will find at the end of the Privacy Policy. The lawfulness of processing until the time of your withdrawal is not affected by this. By using the tracking measures, we want to ensure a needs-based design and the continuous optimization of our website. At the same time, we use the tracking measures to statistically record the use of our website and evaluate this for the purpose of optimizing our offer for you.

The respective data processing purposes and data categories can be found in the following list.

i) Google Analytics

We utilise Google Analytics, a web analytics service provided by Google LLC. (1600 Amphitheater Parkway, Mountain View, CA 94043, hereinafter "Google") for the purpose of customising and continuously optimising our webpages. This service involves the creation of pseudonymised usage profiles and use of cookies (see item 5). The information generated by the cookie about your use of this website, such as

• Browser type/version
• Operating system used
• Referrer URL (page last visited)
• Host name of accessing computer (IP address)
• Server query time

is transferred to a Google server in the USA and stored there. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

The information is used to evaluate use of the website, to compile reports on website activity, and to provide further services associated with website and Internet use for the purposes of market research and needs-based design of these web pages. This information may also be forwarded to third parties as appropriate, insofar as this is prescribed by law or insofar as these parties process the data on behalf of the commissioning party. Under no circumstances will your IP address be merged with other data from Google. IP addresses are anonymized to exclude all possibility of such association (IP masking).

The user can prevent the installation of cookies by adjusting his/her browser accordingly from the outset; however, we must point out that in this case not all functions of the website may be available to the user to their full extent.

Further information on data protection in connection with Google Analytics can be found in Google Analytics Help .

ii) Google Adwords Conversion Tracking

We also use Google conversion tracking in order to statistically record the use of our website and for the purpose of optimizing our offer for you. Google AdWords saves a cookie (see Section 5) on your computer if you have accessed our website via a Google ad. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

These cookies will expire after 30 days and will not be used for personal identification. If the user visits certain pages of the AdWords customer’s website and the cookie has not yet expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this page.

Each AdWords customer receives a different cookie. Cookies cannot be tracked via the websites of AdWords customers. The information collected via the conversion cookie is used to generate conversion statistics for AdWords customers who have chosen conversion tracking. AdWords customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.

If you wish to opt out of tracking you can reject cookie placement, for example by configuring your browser to disable the automatic placement of any cookies. You can also disable conversion tracking cookies by configuring your browser to block cookies at "www.googleadservices.com". The Google conversion tracking privacy policy can be found here .

iii) Hotjar

We use the Hotjar analytics service (3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe) on our website. Hotjar is a tool for studying user behaviour that enables us to measure and evaluate the behaviour of visitors to our website (such as mouse movement, clicks and scroll height).

Hotjar places cookies for this purpose (see item 5) on the devices of site visitors which can store their browser information, operating system, data on time spent on the site, etc. in anonymised form.

iv) Bing Ads

We utilise Bing Universal Event Tracking (UET) from Microsoft Bing Ads. This is a service of the Microsoft Corporation ("Microsoft") that allows us to track user activity on our website when the user navigates to our website via Bing Ads advertisements.

A cookie is placed on your computer when you visit our website via a Bing Ads ad, (see item 5). A Bing UET tag is integrated into our website. This tag is a code which in combination with the cookie stores certain non-personally data about your use of the site. This includes the time spent visiting the website, the areas of the website that were visited and the ads via which the user navigated to the website. Information about your identity is not collected.

This information is transmitted to Microsoft servers in the USA and stored there for a maximum of 180 days. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

For more information on Bing analytics services, visit the Bing website.

See the Microsoft Data Privacy Policies for further information about data protection at Microsoft .

v) MaxMind

For the purpose of fraud prevention, we transmit your IP address and information about the device you are using to the service provider MaxMind, Inc. (14 Spring Street, 3rd Floor Waltham, MA 02451, USA, hereinafter referred to as “MaxMind”). Your data will be transmitted to a MaxMind server in the USA and stored there. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection. This gives us statistical analyses of IP addresses, devices used, and locations in order to detect and prevent fraud attempts.

Your data is processed exclusively for this purpose. This data is deleted when you end usage. Further information on data protection in connection with MaxMind can be found here.

You can prevent geolocalisation by blocking the placement of cookies by changing the settings on your browser accordingly; in such case however you may not be able to fully utilise the entire range of the features of this website.

vi) Crashlytics

Our mobile app uses crashlytics analysis software of Google Ireland Limited with registered office at Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Crashlytics"). Crashlytics collects app usage data specifically relevant to system crashes and errors. Data is gathered about the device and app version installed as well as other information which facilitates troubleshooting, such as data relating to the user's software and hardware. For further information see the Crashlytics Data Protection Policy: https://try.crashlytics.com/terms/privacy-policy.pdf.

You can opt out of the use of Crashlytics in the privacy settings of our Mobile App.

b) Targeting tools

The following targeting measures used by us are used on the basis of Art. 6(1)(a) GDPR, i.e. your consent. You can withdraw your consent separately for each individual tool with effect for the future at any time with the help of the Consent Manager, which you will find at the end of the Privacy Policy. The lawfulness of processing until the time of your withdrawal is not affected by this. By using the targeting measures, we want to ensure that only advertisements based on your actual or supposed interests are displayed on your devices.

The respective data processing purposes and data categories can be found in the following list.

i) Google Adwords remarketing

We use Google remarketing tags. These are services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as “Google”). Google uses cookies (see Section 5), which are stored on your computer and which enable your use of the website to be analyzed. The information generated by the cookie regarding your use of this website (including your IP address) is transmitted to a Google server in the USA and stored there. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

Google then removes the last three digits of the IP address, rendering definite cross-referencing of the IP address impossible. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and provide other website and internet usage-related services.

Google may also forward this information to third parties as appropriate, insofar as this is prescribed by law or insofar as these parties process the data on behalf of Google. Third-party providers, including Google, place ads on websites on the Internet. Third-party providers, including Google, use stored cookies to place ads based on a user’s previous visits to this website. Under no circumstances will Google combine your IP address with other Google data.

More information about Google's terms can be found here .

ii) Google Double Click

Cookies are used on our website to collect and evaluate data for the purpose of optimising advertising (see item 5). For this we use targeting technologies of Google Inc. (Double Click, Double Click Exchange Buyer, Double Click Bid Manager). These technologies enable us to serve advertising to you in targeted fashion based around your interests. The cookies are used, for example, to record information about which of our products you are interested in. Using this information we can market offers to you on our website or third-party websites which are oriented around your specific interests as predicted based on your historical user behaviour. Data collected and evaluated pertaining to your user behaviour exclusively on a pseudonymous basis so that it is not possible for us to identify you. In particular, this data is not merged with personal data about you.

Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

The cookie is automatically deleted after 30 days.

You can also configure setting for the display of interest-based advertising via the Google Ads Settings Manager.

See the Google Data Protection Policy and Terms of Use for further information on data protection respecting advertising and Google.

iii) Facebook Custom Audiences

We utilise Facebook Website Custom Audiences, a service of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). This Facebook marketing service allows us to display personalised and interest-based advertising on Facebook for particular groups of pseudonymised visitors to our website who use Facebook.

A Facebook Custom Audience pixel is integrated into our website. This is a JavaScript code that stores non-personal data about the use of the website. This includes your IP address, the browser used, and the source and destination pages. This information is transmitted to Facebook servers in the USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.

In an automated process there it is checked whether you have a Facebook cookie stored. The Facebook cookie automatically determines whether you belong to the target group relevant for us. If you belong to the target group, we then show you relevant ads of ours on Facebook. In this process, you are not personally identified, either by us or by Facebook.

You can also object to the use of the Custom Audiences service on the Facebook website. After logging into your Facebook account, you will be taken to your Facebook ad settings.

See the Facebook privacy policy for more information on data protection at Facebook .

iv) Criteo

This website uses technologies from Criteo SA (32 Rue Blanche, 75009 Paris, France) to collect and store data for marketing and optimization purposes. Together with Criteo, we determine the purposes and means of processing and are therefore jointly responsible for processing. Chrono24 is responsible for the processing of data subjects’ rights.

Criteo technologies enable us to evaluate our advertising campaigns and content. This data can be utilised to create a usage profile under a pseudonym. Cookies are employed for this purpose. Data collected using the Criteo technology are not used to personally identify visitors to this website and are not merged with personal data about the pseudonym bearer without the specific consent of the data subject. Criteo analyses browsing behaviour using an algorithm to then display targeted product recommendations via personalised advertising banners on other websites (‘publishers’). The data is not otherwise used or forwarded to third parties. See the Criteo Privacy Policy for further information about Criteo technology.

When Criteo is used, additional pixels of partners of Criteo are loaded as well. An overview of all publishers and networks that load pixels is provided here .

Please note that if you disable the displaying of personalized ads by Criteo and other advertising partners, you will continue to receive advertisements but they will be less tailored to your interests/browsing behavior.

v) CrossEngage

Information about user behavior on our website is collected using Cookies (see point 5) and evaluated by service provider CrossEngage GmbH (Bertha-Benz-Strasse 5, 10557 Berlin, Germany). This enables us to optimize our marketing measures according to users' actual or supposed interests and display content to them on other websites or via other advertising channels.

Further information on data protection in connection with CrossEngage can be found here .

Social Media

We use social plugins for the social networks Facebook, Twitter, and Instagram on our website. The legal basis is Art. 6(1)(a) GDPR, i.e. your consent. You can withdraw your consent separately for each individual tool with effect for the future at any time with the help of the Consent Manager, which you will find at the end of the Privacy Policy. The lawfulness of processing until the time of your withdrawal is not affected by this. Responsibility for data protection-compliant operation is to be guaranteed by their respective providers.

Social media buttons are integrated using a specially developed solution that prevents a connection to a social network being established just because you call up a page with a social media button without activating it. This means that information is not transmitted to the social network until you activate the button.

a) Facebook

Our platform uses social media plug-ins of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland) to personalise the experience through usage of "LIKE" and "SHARE" buttons. These are a Facebook offering.

When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, your browser establishes a direct connection to Facebook servers. The plug-in content is sent by Facebook directly to your browser and integrated into the page.

When a plug-in is integrated, Facebook receives the data the browser you used to access the page of our website in question even if you do not have a Facebook account or are currently not logged in to Facebook. This data (including your IP address) is transmitted by your browser directly to a Facebook server in the US and stored there.

If you are logged into Facebook, Facebook can directly reference your visit to our website your Facebook account. If you interact with a plug-in such as by pressing a "LIKE" or "SHARE" button, the corresponding information data is also transmitted directly to a Facebook server and stored. This data is posted on Facebook and displayed to your Facebook friends.

Facebook can use this data for the purposes of advertising, market research and structuring Facebook pages in line with user needs. This involves Facebook creating user, interest and relationship profiles, for example to evaluate your use of our website in relation to advertisements displayed on Facebook, to inform other Facebook users of your activities on our website and to provide other services related to use of Facebook.

If you do not want Facebook to reference information about you from our website to your Facebook account, you must log out of Facebook before visiting our website.

Please see the Facebook data privacy notices for information regarding the purpose and scope of data collection, further processing and use of data by Facebook, your data privacy rights and data privacy configuration settings.

b) Twitter

Plug-ins of the news and social networking firm Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland, hereinafter "Twitter") are integrated into our web pages. Twitter plug-ins (Tweet button) bear the Twitter logo, making them identifiable on our website. An overview of Tweet buttons can be found here .

When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, a direct connection is established between your browser and a Twitter server. Twitter then receives the information that you have visited our page, and your IP address. You can link content from our webpages with your Twitter account by clicking on the Twitter "Tweet" button while logged into your Twitter account. This enables Twitter to cross-reference your visit to our webpages to your user account. Please note that as website provider we have no knowledge of the content of the data transmitted or regarding its use by Twitter.

You should log out of your Twitter account first if you do not want Twitter to be able to cross-reference your visit to our webpages to your Twitter user account.

For further information see the Twitter data privacy policy .

c) Instagram

Our website utilises Instagram social plug-ins ("plug-ins") operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram").

The plug-ins bear an Instagram logo, such as the "Instagram camera".

When you visit a page of our website featuring such a plug-in and you activate that plug-in yourself, your browser establishes a direct connection to Instagram servers. The plug-in content is sent by Instagram directly to your browser and integrated into the page. When a plug-in is integrated, Instagram receives the data the browser you used to access the page of our website in question even if you do not have an Instagram profile or are currently not logged in to Instagram.

This data (including your IP address) is transmitted by your browser directly to an Instagram server in the US and stored there. If you are logged into Instagram, Instagram can directly reference your visit to our website your Instagram account. If you interact with a plug-in such as by pressing an Instagram button, the corresponding information data is also transmitted directly to an Instagram server and stored.

This data is also published on your Instagram account and displayed to your contacts there.

If you do not want Instagram to directly reference information about you from our website to your Instagram account, you must log out of Instagram before visiting our website.

For further information see the Instagram data privacy policy .

d) YouTube

On our website, you have the option of being redirected straight to our YouTube page. This is not a link requiring consent pursuant to Art. 6(1)(a) GDPR. In addition, we use YouTube’s privacy-enhanced mode to prevent these links from saving cookies that analyze usage behavior.

The controller for this external link is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Further information can be found in the privacy policy at: https://policies.google.com/privacy and https://www.youtube.com/t/terms

e) LinkedIn

We use technologies from LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2, Ireland) on our website to collect and store data for marketing and optimization purposes. The technologies from LinkedIn enable us to create reports on advertising campaigns and to gather information about user behavior on our website in order to optimize marketing strategies and our platform, as needed. For this, we use a marketing pixel from LinkedIn to create pseudonymized user profiles. This involves transmitting your IP address to LinkedIn in shortened or hashed form. We pseudonymize the IP address within seven days and delete it after 90 days at the latest.

The legal basis for the processing of personal data is Article 6 Paragraph 1 Sentence 1 Point (a) of the General Data Protection Regulation (GDPR). Data processing will only occur if you have expressly consented to the use of LinkedIn cookies in Chrono24's data privacy settings. You may revoke your consent with future effect at any time by adjusting your choices in the data privacy settings at the bottom of the page under "Manage Cookies."

In the course of data processing, personal data is transmitted to LinkedIn Inc. (1000 West Maude Avenue Sunnyvale, CA 94085, USA). The legal basis for the processing of personal data is Article 49 Paragraph 1 Point (a) of the GDPR. Consenting to data transmission to the USA is done analogously to consenting to data processing. The intragroup transmission of data to the USA by LinkedIn takes place on the basis of standard clauses in line with Article 46 Paragraph 2 Point (c) of the GDPR.

You can find more information on data privacy in regards to processing by LinkedIn here .

f) Pinterest

We collect and store data for marketing and optimization purposes using technology from Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; hereinafter: Pinterest). The technologies from Pinterest enable us to create reports on advertising campaigns and to gather information about user behavior on our website in order to optimize marketing strategies and our platform, as needed. For this, we use the Pinterest Pixel to create pseudonymized user profiles. To this end, Pinterest processes log data. These data include information about your browser, your device, your IP address, our website address, your activity on our website, and the time and date of said activity. Pinterest generally stores the collected data until it is no longer needed for the company's purposes.
The legal basis for the processing of personal data is Article 6 Paragraph 1 Sentence 1 Point (a) of the General Data Protection Regulation (GDPR). Data processing will only occur if you have expressly consented to the use of the Pinterest Pixel in Chrono24's data privacy settings. You may revoke your consent with future effect at any time by adjusting your choices in the data privacy settings at the bottom of the page under "Manage Cookies."
In the course of data processing, personal data is transmitted to Pinterest, Inc. (505 Brannan St., San Francisco, CA 94107, USA). The legal basis for the processing of personal data in the USA is Article 49 Paragraph 1 Point (a) of the GDPR. Consenting to data transmission to the USA is done analogously to consenting to data processing. The intragroup transmission of data to the USA by Pinterest takes place on the basis of standard clauses in line with Article 46 Paragraph 2 Point (c) of the GDPR.
You can find more information on data privacy in regard to the processing by Pinterest here .

g) Social Media Profiles

We operate public profiles on the following social media:

• Facebook: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter: Facebook)
• Twitter: Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland (hereinafter: Twitter)
• Instagram: Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, United States of America (hereinafter: Instagram)
• YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: YouTube)
• LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter: LinkedIn)
• Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (hereinafter: Pinterest)
• TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter: TikTok)

We operate our social media profiles under joint responsibility with the respective network operators on the basis of joint responsibility agreements under Article 26 GDPR.

When visiting our social media profiles, your personal data are processed by the responsible parties as follows:

We use the analysis functions provided to obtain statistical evaluations of visitors to our social media profiles.

To this end, the network operators use profile cookies and similar technologies when you visit our platform, and a unique user ID is created. This ID may be linked to your user data if you are registered with the respective network operator.

The information stored in the user ID is processed by the network operators, especially when you as a user visit these services. Other entities, such as partners or third parties, may also use cookies within these services to provide services to companies that advertise on the networks.

You can find more detailed information on data processing by the network operators in the respective privacy policies:

• Facebook: Privacy Policy, Information About Page Insights Data, Cookie Policy
• Twitter: Privacy Policy, Cookies Policy
• Instagram: Privacy Policy, also see Facebook's Cookies Policy
• YouTube: Privacy Policy from Google
• LinkedIn: Privacy Policy, Cookie Policy
• Pinterest: Privacy Policy, Cookie Policy
• TikTok: Privacy Policy, Cookie Policy

Data processing serves two purposes: enabling network operators to improve their advertising and allowing us to optimize our marketing activities based on the statistics obtained.

We receive the visitor statistics generated in an anonymous form. We do not have access to the underlying data.

We also use our social media profiles to communicate with our customers, users, and other parties and to provide them with information about our services. Thus, we may receive further information, e.g., information in user comments or private messages. The processing thereof takes place for the sole purpose of communicating and interacting with these parties.

The legal basis for the processing is our legitimate interest in accordance with Article 6(1)(f) GDPR to optimize the presentation of our company and services.

In the case of Facebook, Twitter, Instagram, YouTube, LinkedIn, Pinterest, and TikTok, it is possible that some information collected may also be processed in the United States of America. For those outside the USA, the data transfer takes place on the basis of standard clauses approved by the European Commission that ensure an appropriate level of data protection. We have no influence on these processing operations. We do not transmit any personal data that we receive via our social media profiles.

Tool for sending emails

In order to send transaction and service emails, we pass on your email address to an email service provider. We use the following service providers:

a) Mailgun

We use the Mailgun tool developed by Mailgun Technologies, Inc., 535 Mission St., San Francisco, CA 94105, USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how service providers handle data here: https://www.mailgun.com/privacy-policy.

b) Sparkpost

We use the Sparkpost tool developed by Message Systems Inc., 301 Howard St. Suite 1330 San Francisco, CA 94105, USA. Data is transferred in accordance with the EU Commission’s so-called standard contractual clauses to ensure an adequate level of data protection.
You can find more information about how service providers handle data here: https://www.sparkpost.com/policies/privacy/.

Data processing as part of sending transaction and service emails takes place on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. By doing so, we wish to ensure that communication processes are automated in a needs-based manner, in particular with regard to those actions undertaken by you, or in order to be able to inform you about security-relevant matters as quickly as possible.

c) Pitchbox

We conduct and manage outreach campaigns using the Pitchbox tool from Pitchbox, LLC (626 Jacksonville Rd., Suite 105, Warminster, PA 18974, USA). Pitchbox is a web-based solution that enables us to send and receive emails and measure the success of our associated outreach campaigns. In the process, the following personal data are transferred to Pitchbox:

• Email address

You may be contacted via Pitchbox during an outreach campaign. This is allowed according to Article 6 Paragraph 1 Sentence 1(f) of the GDPR. Chrono24 GmbH's legitimate interest required by this clause is the legitimate interest in direct advertising as laid out in Recital 47 of the GDPR and the fact that only bloggers and editors who may have an interest in working with Chrono24 are contacted.

We have signed a data processing agreement, as laid out in Article 28 of the GDPR, with Pitchbox LLC. With this agreement, Pitchbox LLC ensures that they process data in accordance with the General Data Protection Regulation and guarantees the protection of the data subject's rights and freedoms.

Pitchbox LLC is located in the United States of America. For non-US residents, this means the transfer of personal data to a third country. Data transfer to the USA is permitted since we have signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Pitchbox LLC has implemented additional measures to ensure adherence to this level of data protection.

Solutions for fraud prevention

We want to make the sales process on Chrono24 as secure as possible for you. We therefore use solutions from specialized service providers in order to prevent fraud and obtain information from these service providers about transactions on Chrono24. The IP address of the device that accesses our website, other data related to the use of Chrono24, etc. are processed. It is not possible for us to assign such data to a specific user. We will only do this in cases where fraudulent behavior is suspected based on the information. The specialized service providers may be companies based in the USA. Only service providers working in accordance with the EU Commission’s so-called standard contractual clauses will be selected accordingly. This ensures that we only work with service providers who meet the level of data protection required within the EU. The legal basis is Art. 6 (1)(1)(f) GDPR. Preventing fraudulent acts that are detrimental to our clients as well as to us is expressly recognized by GDPR as a legitimate interest.

a) IDnow

To identify users on our platform, we use AutoIdent technology from IDnow (Auenstrasse 100, 80469 Munich, Germany). This is a verification app that captures the end user's ID using a smartphone camera and completes online verification. The following personal data is collected:

• First name
• Last name
• Date of birth
• ID number
• Video recordings of the user’s face

We also collect personal data on the ID document that confirm the identity of the user beyond a doubt.

The AutoIdent solution is not a fully automated process. As soon as the verification app detects any discrepancies, IDnow employees manually double-check the data.

We have concluded an order processing contract with IDnow that entitles us to use the AutoIdent solution. This contract guarantees that IDnow processes the data accordance with the General Data Protection Regulation and protects the rights of the data subject.

Personal data is collected in accordance with Article 6(1)(1)(b) of the GDPR as a pre-contractual measure.

Data is also collected on the basis of Article 6(1)(1)(f) of the GDPR. The general increase in the security of the marketplace constitutes the legitimate interest in this case.

All the information we collect is subject to the data protection regulation. We use all the information exclusively to verify and identify our users.

b) Reporting a listing

If you suspect that a listing is an attempt to commit fraud, you can report the listing to Chrono24 using the appropriate form. This involves forwarding the following personal data to the email delivery services Sparkpost and Mailgun:

• Your name
• Your email address
• Your phone number

Personal data is processed according to Article 6 Paragraph 1 Sentence 1 Point (f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH's legitimate interests required by this clause are preventing fraud and, thus, improving the marketplace's security.

To offer the service and guarantee that the service effectively meets the aforementioned purpose, we make use of the services provided by Message Systems, Inc. (dba SparkPost) (301 Howard St., Suite 1330, San Francisco, CA 94105) and Mailgun Technologies, Inc. (548 Market St. #43099, San Francisco, CA 94104). We have signed data processing agreements with Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. as laid out in Article 28 of the GDPR. With these agreements, Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. guarantee that they process data on our behalf in accordance with the General Data Protection Regulation and, thus, protect the rights of the data subject.

Both Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. are located in the United States of America. While your personal data is stored on European servers, the potential for personal data to be transferred to the United States remains due to the CLOUD Act. For EU citizens, this means the transfer of their personal data to a third country. Data transfer to the USA is permitted since Chrono24 GmbH has signed standard data protection clauses as laid out in Article 46 Paragraph 2 Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection per Article 46 Paragraph 1 of the GDPR. Furthermore, Message Systems, Inc. (dba SparkPost) and Mailgun Technologies Inc. have implemented additional measures to ensure adherence to an adequate level of data protection.

c) Intragroup Exchange of Personal Data for Fraud Prevention

As part of our fraud prevention measures, customers suspected of fraudulent activity are forwarded to Chrono24 Direct GmbH, an intragroup affiliate of Chrono24 that lists watches on our platform. The user's personal data is transmitted to Chrono24 Direct GmbH in order to prevent the latter from entering into potentially fraudulent transactions. In such cases, the following personal data is exchanged between Chrono24 GmbH and Chrono24 Direct GmbH:

• Email address
• First and last name

The legal basis for the transfer of personal data is Article 6(1)(1)(f) of the General Data Protection Regulation (GDPR). Chrono24 GmbH and Chrono24 Direct GmbH's legitimate interests required by Article 26 GDPR are preventing fraud and, thus, ensuring the platform's overall security.

Chrono24 and Chrono24 Direct GmbH have agreed on joint responsibility in line with Article 26 GDPR, meaning the rights and freedoms of the data subjects are guaranteed by both parties. Moreover, both parties undertake to process the data in accordance with the GDPR.

d) Spam Protection

We use Turnstile, a tool developed by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA), to determine whether interactions on our website are performed by humans or automated machines. This way, we can protect our website from automated spam, spying, and misuse.

In order to do this, Turnstile automatically selects from a set of browser challenges based on telemetry and user behavior during a session on our website. This data includes but is not limited to the following:

• Your IP address
• Information about your system configurations
• Information about your operating system
• Your device settings (e.g., language and browser settings, header, user agent)

Furthermore, Turnstile uses private access tokens for the same purpose. These tokens are provided by device manufacturers and help Turnstile confirm whether visitors to our website are indeed human. This means that data can be verified without being captured again by Turnstile.

If Turnstile's purely data-driven analysis does not produce clear results, the website visitor is prompted to perform another action (e.g., click a button). This interaction serves as a final check in determining whether a website visitor is human.

Cloudflare, Inc. does not process the data for its own purposes. Furthermore, cookies, which are used to collect or store information, are neither set nor searched for in the course of the analysis.

The processing of personal data within the context of our spam protection procedure through the use of Turnstile is lawful pursuant to Art. 6(1)(f) GDPR. The legitimate interest required thereunder ensues from the abovementioned purpose(s) and the general increase in the security of the marketplace associated with this procedure.

For more information, please read Cloudflare, Inc.'s data privacy policy.

Collection of personal data to comply with US sales tax

Avalara

We rely on the cloud-based solution AvaTax from the service provider Avalara to comply with US tax laws and regulations. This solution automates both the determination of the applicable sales tax rate and the complex calculation of US sales tax. The following personal data are processed with respect to dealers based in the US:

• Address

The purpose of data collection is to determine the regional tax regulations we are subject to. In the US, these differ not only at state level but, to some extent, also from county to county. This is why we need to know the exact dealer location in the US in order to use AvaTax to determine the correct sales tax rate.

We have concluded a data processing agreement with Avalara for the use of the cloud-based tax compliance solution. Under this agreement, Avalara guarantees that the data processing will meet the requirements of the General Data Protection Regulation (GDPR) and ensure the protection of the rights of the data subjects.

The legal basis for data collection is Article 6(1)(c) GDPR, as the processing is necessary to fulfill our legal obligation to comply with US tax laws.

Virtual Meeting Platforms

a) Zoom

To conduct interviews for our user studies, we use the Zoom software from Zoom Video Communications, Inc. (55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA). We use Zoom to communicate with Chrono24 users who have agreed to participate in our research. When you use Zoom, different types of data are processed, and the scope of the data depends on the information you provide before and during your participation in the Zoom meeting. Ultimately, the following personal data may be subject to processing:

• Display name
• Email address
• Profile picture
• Meeting metadata (date, time, meeting ID, and device and hardware information)
• Participant's IP address
• Text, audio, and video data

For the duration of the Zoom meeting, data from the microphone and video camera on your device is processed to enable video display and audio playback. However, you can turn off the camera or mute the microphone yourself at any time in the Zoom application.

You can also dial into Zoom meetings using a phone. In this case, the following personal data will also be processed:

• Phone number
• Country
• Other connection data, e.g., IP address of the device used, if applicable

The legal basis for the processing of personal data is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR. Our legitimate interest required by this clause lies in efficiently conducting virtual meetings as part of our user studies.

If you have provided your consent on the basis of Article 6, Paragraph 1, Point (a) of the GDPR, we will record the Zoom meeting. In this case, an MP4 file of all video, audio, and presentation recordings; an M4A file of all audio recordings; and a text file of the Zoom meeting chat will be stored internally on our servers in order to evaluate the user study.

We have signed a data processing agreement with Zoom Video Communications, Inc. as laid out in Article 28 of the GDPR. With this agreement, Zoom Video Communications, Inc. guarantee that they process data in accordance with the General Data Protection Regulation and protect the rights of the data subject.

Zoom Video Communications, Inc. is located in the United States of America. For those outside of the USA, this means the transfer of personal data to a third country. This data transfer is permitted since Chrono24 GmbH and Zoom Video Communications, Inc. have signed standard data protection clauses as laid out in Article 46, Paragraph 2, Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection. Furthermore, Zoom Video Communications, Inc. has implemented additional measures to ensure adherence to an appropriate level of data protection. As an additional security measure on our end, we have configured our Zoom settings so that all data from virtual meetings are stored in data centers in the European Economic Area or in secure third countries such as Canada and Japan.

b) Teams

In order to conduct virtual meetings and webinars and to communicate via chat, we use the Microsoft Teams communication platform (hereinafter: Teams) from Microsoft Ireland Operations Limited (70 Sir John Rogerson's Quay, Dublin 2, Ireland). We communicate via Teams with external parties and Chrono24 users who have agreed to participate in our studies. When using Teams, various types of data are processed, and the scope of the data depends on the information you provide before and during your participation in the Teams meeting. Ultimately, the following personal data may be processed:

• Display name
• Email address
• Profile picture
• Meeting metadata (date, time, meeting ID, and device and hardware information)
• Participant's IP address
• Text, audio, and video data

For the duration of the Teams meeting, data from the microphone and video camera on your device is processed to enable video display and audio playback. However, you can turn off the camera or mute the microphone yourself at any time in the Teams application.

You can also dial into Teams meetings using a phone. In this case, the following additional personal data will be processed:

• Phone number
• Country
• Other connection data, e.g., IP address of the device used, if applicable

The legal basis for conducting Teams meetings is Article 6, Paragraph 1, Sentence 1, Point (f) of the GDPR, insofar as the meetings take place within the context of a contractual relationship.

If we have not concluded a contractual relationship with you, the legal basis for processing your personal data is Article 6, Paragraph 1, Point (f) GDPR. In this case, our legitimate interest lies in the effective facilitation of Teams meetings and conducting our user studies in a user-based manner.

If we intend to record a Teams meeting, we will communicate this intention transparently in advance. The meeting will only be recorded if you have given us your consent in accordance with Article 6, Paragraph 1, Point (a) of the GDPR.

We have signed a data processing agreement with Microsoft Ireland Operations Limited as laid out in Article 28 of the GDPR. With this agreement, Microsoft Ireland Operations Limited guarantee that they process data in accordance with the General Data Protection Regulation and protect the rights of the data subject.

Microsoft Ireland Operations Limited is the European subsidiary of the Microsoft Corporation located in the United States of America (One Microsoft Way, Redmond, WA 98052-6399, USA). For those outside of the USA, this means the transfer of personal data to a third country. This data transfer is permitted since Chrono24 GmbH and Microsoft Ireland Operations Limited have signed standard data protection clauses as laid out in Article 46, Paragraph 2, Point (c) of the GDPR, thus guaranteeing a sufficient level of data protection. Furthermore, Microsoft Ireland Operations Limited has implemented additional measures to ensure adherence to an appropriate level of data protection. As an additional security measure on our end, we have also configured our Teams settings so that all data from virtual meetings are stored in data centers in the European Union.

Rights as data subject:

You have the right:

• to revoke consent you have granted us at any time in accordance with Article 7 para. 3 GDPR. This applies non-retrospectively, so that without your consent we are no longer allowed to process data thereafter
• to request information about the personal data of yours which we are processing in accordance with Article 15 GDPR. In particular, you are entitled to receive information about the processing purposes, the types of personal data, the types of recipients to whom your data has been disclosed, the intended storage retention period, about your rights to demand correction, deletion, processing restriction and to file objection, about your complaint rights, the source of your data if not collected by us, and whether automated decision-making is utilised, including profiling, along with relevant details as appropriate
• to demand the correction of incorrect personal data and the addition of incomplete personal data we have stored, in line with Article 16 GDPR
• to demand the deletion of your personal data stored by us, except if processing is necessary to exercise freedom of expression speech and information rights, to fulfil a legal obligation, for reasons of public interest or to assert or defend against legal claims or exercise rights, in line with Article 17 GDPR
• to demand the restriction of your personal data from processing in accordance with Article 18 GDPR if you dispute the correctness of the data or processing is unlawful but you reject its deletion and we no longer need the data yet you require the data in order to assert or defend against legal claims or exercise rights, or if you have filed objection to processing in accordance with Article 21 GDPR
• to receive your personal data from us in a commonly used, structured, machine-readable format, and to request such to be sent to a different data controller in line with Article 20 GDPR
• to lodge complaint with a supervisory authority in line with Article 77 GDPR. Generally you should contact the supervisory authority for your primary place of residence, your place of work or our company headquarters.

Right to file objection

If your personal data are processed on the basis of on legitimate interests in accordance with Article 6 para. 1 sentence 1 item f GDPR, you have the right to file an objection against the processing of your personal data pursuant to Article 21 GDPR given reasons for doing so which pertain to your special circumstances or the objection pertains to direct advertising. In the latter case you enjoy a general right to file objection which we will act upon without your having to outline any special circumstances.

To exercise your right to file objection it suffices to send a corresponding e-mail to .

Data security

We utilise the widely used TLS (Transport Layer Security) method for our website in combination with the highest level of encryption supported by your browser. TLS is a secure and proven standard utilised in online banking, for example. A secure TLS connection is indicated among other things by the letter ‘s’ appended on the ‘http’ (i.e. https://..) in the address bar of your browser, and by a lock icon appearing at the bottom of your browser.

We furthermore implement appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction and unauthorised access by third parties. The security measures we implement are continuously upgraded to remain in line with technological progress.

If you register with us as a user, you can only access your user account after entering your personal password. You should always keep your access data confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.

We take company-internal data protection very seriously as well. We bind our staff and commissioned service provider firms to uphold confidentiality and comply with data protection regulations.

Version of and changes to this Data Protection Policy

This Data Protection Policy is the latest, valid version, last updated in April 2023.

Changes to our website and offers marketed via the website and changes in legal or regulatory requirements may necessitate updating of this Data Protection Policy. You can view and print out the latest updated version of this Data Protection Policy at any time on the website
https://www.chrono24.co.id/info/datenschutz.htm .