DATA PROTECTION
We are delighted by your interest in our company!
Data protection is of paramount importance to the management of PANDA GmbH. Use of the PANDA GmbH website is generally possible without providing any personal data. However, if a data subject wishes to use special services offered by our company via our website, processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the data subject's consent.
The processing of personal data, such as the name, address, email address, or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to PANDA GmbH. This privacy policy aims to inform the public about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, this privacy policy informs data subjects about their rights.
PANDA GmbH, as the data controller, has implemented numerous technical and organizational measures to ensure the most complete possible protection of personal data processed via this website. However, internet-based data transmissions can fundamentally have security vulnerabilities, meaning absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us via alternative means, such as by telephone.
1. Introduction
Below we provide information about the processing of personal data when using [this service/service].
our social media profiles.
Personal data is any data that relates to a specific natural person, e.g. their name or IP address.
1.1. Contact details
The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is:
PANDA GmbH, Augsburger Straße 5, 86415 Mering, Germany
Email: datenschutz@we-are-panda.com
Legally represented by Isabelle Hoyer and Stuart B. Cameron
Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.
1.2. Scope of data processing, processing purposes and legal bases
The scope of data processing, processing purposes, and legal bases are explained in detail below. The following are generally possible legal bases for data processing:
Article 6 paragraph 1 sentence 1 letter a GDPR serves as our legal basis for processing operations for which we obtain consent.
Article 6(1)(b) GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g., when a website visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing necessary for pre-contractual measures, such as inquiries about our products or services.
Article 6(1)(c) GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.
Article 6(1)(f) GDPR serves as the legal basis when we can rely on legitimate interests for the processing of personal data, e.g. for cookies that are necessary for the technical operation of our website.
1.3. Data processing outside the EEA
Insofar as we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the EU Commission pursuant to Art. 45 para. 3 GDPR guarantee the security of the data during the transfer, insofar as these exist, as is the case, for example, for Great Britain, Canada and Israel.
When data is transferred to service providers in the USA, the legal basis for the data transfer is an adequacy decision by the EU Commission if the service provider has additionally certified itself under the EU-US Data Privacy Framework.
In other cases (e.g., when no adequacy decision exists), the legal basis for data transfer is generally, unless we provide a different indication, standard contractual clauses. These are a set of rules adopted by the EU Commission and form part of the contract with the respective third party. According to Article 46(2)(b) GDPR, they guarantee the security of data transfer. Many providers have issued additional contractual guarantees beyond the standard contractual clauses, which protect the data beyond the scope of the standard contractual clauses. These include, for example, guarantees regarding data encryption or the third party's obligation to inform data subjects if law enforcement agencies wish to access their data.
1.4. Storage duration
Unless expressly stated otherwise in this privacy policy, the data we store will be deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted, meaning the data will be blocked and not processed for other purposes. This applies, for example, to data that we are required to retain for commercial or tax law reasons.
1.5. Rights of data subjects
Data subjects have the following rights with regard to their personal data:
Right to information,
Right to rectification or erasure,
Right to restriction of processing,
Right to object to processing,
Right to data portability,
Right to withdraw consent at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. Contact details for the data protection supervisory authorities can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html .
1.6. Obligation to provide data
Customers, prospective customers, or third parties are only required to provide us with the personal data necessary for establishing, executing, and terminating a business or other relationship, or which we are legally obligated to collect. Without this data, we will generally have to refuse to enter into a contract or provide a service, or we may no longer be able to perform an existing contract or other relationship.
Mandatory fields are marked as such.
1.7. No automated decision-making in individual cases
We generally do not use fully automated decision-making pursuant to Article 22 GDPR for establishing and maintaining a business relationship or other relationship. Should we use these procedures in individual cases, we will inform you separately, provided this is required by law.
1.8. Making contact
When you contact us, for example by email or telephone, we store the data you provide (e.g., names and email addresses) in order to answer your questions. The legal basis for this processing is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in responding to inquiries addressed to us. We delete the data collected in this context once storage is no longer necessary, or restrict processing if there are statutory retention obligations.
1.9. Customer surveys
From time to time, we conduct customer surveys to better understand our customers and their needs. We collect the data requested in each survey. It is in our legitimate interest to better understand our customers and their needs, so the legal basis for the associated data processing is Article 6(1)(f) GDPR. We delete the data once the survey results have been evaluated.
2. Newsletter
We reserve the right to inform customers who have already used our services or purchased goods about our offers from time to time via email or other means, unless they have objected to this. The legal basis for this data processing is Article 6(1)(f) GDPR. Our legitimate interest lies in direct marketing (Recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without additional costs, for example, via the link at the end of each email or by sending an email to our email address provided above.
Based on the consent of the recipients (Art. 6 para. 1 sentence 1 lit. a GDPR), we also measure the open and click rates of our newsletters to understand which content is relevant to our recipients.
We send newsletters using the Mailchimp tool from the provider Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. This provider processes content, usage, meta/communication data, and contact data in the USA. Further information can be found in the provider's privacy policy at https://mailchimp.com/legal/privacy/ .
3. Data processing on our website
3.1. Note for website visitors from Germany
Our website stores information on the end device of website visitors (e.g., cookies) or accesses information that is already stored on the end device (e.g., IP addresses). The specific information collected is detailed in the following sections.
This storage and access is based on the following provisions:
Insofar as this storage or access is absolutely necessary for us to provide the service on our website expressly requested by website visitors (e.g., to operate a chatbot used by the website visitor or to ensure the IT security of our website), it is carried out on the basis of Section 25 Paragraph 2 No. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG).
Furthermore, this storage or access is based on the consent of the website visitors (§ 25 para. 1 TDDDG).
Subsequent data processing takes place in accordance with the following sections and on the basis of the provisions of the GDPR.
3.2. Informational use of the website
When you use our website for informational purposes only, i.e., when visitors do not separately provide us with information, we collect the personal data that your browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, and the legal basis for this processing is Article 6(1)(f) GDPR.
This data is:
IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Data volume transferred in each case
Website from which the request originates
Browser
Operating system and its interface
Language and version of the browser software.
This data is also stored in log files. It is deleted when its storage is no longer necessary, at the latest after 14 days.
3.3. Web hosting and provision of the website
Our website is hosted by IONOS. The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. The provider processes personal data transmitted via the website, such as content, usage, meta/communication data, or contact data, within the EU. Further information can be found in the provider's privacy policy at https://www.ionos.de/terms-gtc/datenschutzerklaerung/ .
It is in our legitimate interest to provide a website, so the legal basis for the described data processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
3.4. Contact form
When you contact us via the contact form on our website, we store the data requested there and the content of the message. The legal basis for this processing is our legitimate interest in responding to inquiries addressed to us. Therefore, the legal basis for this processing is Article 6(1)(f) GDPR.
We delete the data collected in this context once storage is no longer necessary, or restrict processing if there are legal retention obligations.
3.5. Job advertisements
We publish job advertisements on our website, on pages linked to the website, or on third-party websites.
The data provided during the application process is processed for the purpose of carrying out the application procedure. Insofar as this data is necessary for our decision to establish an employment relationship, the legal basis is Article 88 Paragraph 1 GDPR in conjunction with Section 26 Paragraph 1 BDSG (German Federal Data Protection Act). We have marked or indicated the data required for the application procedure accordingly. If applicants do not provide this data, we cannot process their application.
Providing further information is voluntary and not required for an application. If applicants provide additional information, this is based on their consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
We ask applicants to refrain from including information about political opinions, religious beliefs, and similarly sensitive data in their CV and cover letter. This information is not required for an application. If applicants nevertheless include such information, we cannot prevent its processing within the context of processing the CV or cover letter. In this case, such processing is based on the applicant's consent (Art. 9 para. 2 lit. a GDPR).
Finally, we process applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Article 6(1)(a) GDPR.
We pass on the applicants' data to the responsible employees in the human resources department, to our data processors in the field of recruiting and to other employees involved in the application process.
If we enter into an employment relationship with the applicant following the application process, we will only delete the data after the employment relationship has ended. Otherwise, we will delete the data no later than six months after an applicant has been rejected.
If applicants have given us their consent to use their data for further application processes, we will only delete their data one year after receiving the application.
3.6. Registration on our website
Website visitors can open a customer account on our website. We process the data requested in this context on the basis of our contract. The legal basis for the processing is therefore Art. 6 Para. 1 Sentence 1 lit. b GDPR.
Which personal data is processed in this context is apparent from the respective input mask used for registration. Data is only transferred to one or more processors, such as Collaborative Partner companies, after explicit prior consent from the data subject.
Furthermore, registration on the controller's website stores the IP address assigned by the data subject's Internet Service Provider (ISP), the date, and the time of registration. This data is stored because it is the only way to prevent misuse of our services, and this data makes it possible to investigate committed criminal offenses if necessary. In this respect, the storage of this data is necessary to safeguard the controller. This data is generally not passed on to third parties, unless there is a legal obligation to pass it on or the transfer serves the purpose of criminal prosecution.
Our platform is hosted by Hivebrite. The provider is Kit United, 5 rue des italiens, 75009 Paris, France. The provider processes the personal data transmitted via the website, e.g., content, usage, meta/communication data, or contact details, within the EU. Further information can be found in the provider's privacy policy at https://hivebrite.io/privacy-policy.
It is our legitimate interest to provide our platform, so the legal basis for the described data processing is Art. 6 Para. 1 Sentence 1 lit. f GDPR.
Registration for Events
We offer the opportunity to apply for various events organized by us via forms on our site. The data entered during this application process can be seen in the input mask of the application form. They are collected and stored exclusively for the use of our service.
The data involved are:
- First name, last name, email, phone number, postal code, place of residence
- Current job title, current type of employment, current company
- Academic background, industry
- Who should definitely be at the event? Name 3 other people you would like to recommend (first name, last name, email) > voluntary information
- How did you find out about PANDA?
- Upload CV (as a PDF)
In this context, the IP address, date, and time of registration are also stored. This serves as a safeguard on our part in the event that a third party misuses your data and registers on our site without your knowledge.
The data is generally not passed on to third parties. An exception to this is the forwarding of the CV to corporate partners of the event for which you applied to us as a participant. This forwarding only takes place upon an explicit request and after explicit release by you. This is obtained during your application as follows:
PANDA CV-Book*
Before the event, we offer you the opportunity to appear with your CV in the 'PANDA CV-Book'. The CV-Book is forwarded to our partner companies. Companies interested in your profile can contact you and invite you to a personal introductory meeting at the PANDA Event. If you would like to be included, we will use the CV we have on file for this purpose (unless you would like to provide us with a different version).
IMPORTANT: Your CV is accessible to the partner companies for a period of four weeks – after which your contact information will be deleted. Participation in the CV-Book is voluntary, of course, and is intended to offer additional added value. Your profile will not be forwarded without your consent.
- Yes, I would like to appear in the CV-Book.
- No, I would not like to appear in the CV-Book.
3.7. Payment service providers
We use payment processors to process payments; these processors are themselves data controllers within the meaning of Article 4 No. 7 GDPR. Insofar as they receive data and payment information entered by us during the ordering process, we thereby fulfill the contract concluded with our customers (Article 6 Paragraph 1 Sentence 1 Letter b GDPR).
These payment service providers are:
Stripe Payments Europe, Ltd., Ireland
3.8. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files that are stored in the web browser on the device of a website visitor. Cookies help to make our website more user-friendly, effective, and secure. Insofar as these cookies are necessary for the operation of our website or its functions (hereinafter referred to as "technically necessary cookies"), the legal basis for the associated data processing is Article 6(1)(f) GDPR. We have a legitimate interest in providing customers and other website visitors with a functional website.
Specifically, we use technically necessary cookies for the following purpose(s):
Cookies that apply language settings,
Cookies that remember search terms,
Flash cookies, which are set to play media content and
Cookies that store login data
3.9. Third-party providers
3.9.1. LinkedIn Share button
We use the LinkedIn Share button to share interests on social media. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The provider processes usage data (e.g., pages visited, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects may revoke their consent at any time by contacting us using the details provided in our privacy policy. The revocation does not affect the legality of the processing carried out until the revocation.
Data will be deleted when the purpose of its collection no longer applies and no retention obligations prevent deletion. Further information can be found in the provider’s privacy policy at https://www.linkedin.com/legal/privacy-policy
3.9.2. Instapage
We use Instapage. The provider is Instapage, Inc., 303 2nd Street, San Francisco, CA, USA. The provider processes usage data (e.g., websites visited, interest in content, access times), contact data (e.g., email addresses, telephone numbers), and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for the processing is Article 6(1)(f) GDPR. We have a legitimate interest in managing our customer and marketing data in a simple manner.
The transfer of personal data to a country outside the EEA is based on standard contractual clauses. The security of the data transferred to the third country (i.e., a country outside the EEA) is ensured by standard data protection clauses adopted in accordance with the review procedure pursuant to Article 93(2) GDPR (Article 46(2)(c) GDPR), which we have agreed upon with the provider.
The data will be deleted when the purpose for its collection no longer applies and there is no legal obligation to retain it. Further information can be found in the provider's privacy policy at https://instapage.com/privacy-policy/ .
3.9.3. YouTube Videos
We use YouTube videos on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., websites visited, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for processing is Article 6(1)(a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
The transfer of personal data to a country outside the EEA is based on consent. Further information can be found in the provider's privacy policy at https://policies.google.com/privacy .
3.9.4. heyData
We have integrated a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g., IP addresses) within the EU.
The legal basis for this processing is Article 6(1)(f) GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seals, which is why a mere image copy of the certificate is not a viable alternative for confirmation.
The data is masked after collection to prevent any personal identification. Further information can be found in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung .
4. Data processing on social media platforms
We are present on social media networks to showcase our organization and services. The operators of these networks regularly process their users' data for advertising purposes. Among other things, they create user profiles based on online behavior, which are used, for example, to display advertising on the networks' pages and elsewhere on the internet that matches the users' interests. To do this, the network operators store information about usage behavior in cookies on users' computers. It is also possible that the operators combine this information with other data. Further information and instructions on how users can object to data processing by the network operators can be found in the respective operators' privacy policies listed below. It is also possible that the operators or their servers are located in non-EU countries, meaning they process data there. This may pose risks for users, for example, because enforcing their rights may be more difficult or government agencies may gain access to the data.
When users of these networks contact us via our profiles, we process the data they provide in order to answer their inquiries. This constitutes our legitimate interest, and the legal basis for this processing is Article 6(1)(f) GDPR.
4.1. Instagram
We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy can be found here: https://help.instagram.com/519522125107875
4.2. YouTube
We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The privacy policy can be found here: https://policies.google.com/privacy?hl=de .
4.3. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. You can object to data processing via the ad settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out .
5. Compliance with child safety laws and reporting requirements
Our app complies with applicable laws and regulations regarding child safety.
Our app ensures that all content shared within the app is suitable for a diverse audience, including children. User-generated content is moderated to prevent inappropriate material from being accessed.
All CSAM (Child Sexual Abuse Material) content will be automatically removed if it is flagged or reported via our moderation functions, or if we are contacted directly for this purpose.
We will systematically take steps to report confirmed CSAM content to the National Center for Missing and Exploited Children.
CSAM encompasses any visual representation, including but not limited to photographs, videos and computer-generated images, that involves the use of a minor in sexually explicit behavior.
Contact person for child safety
You can contact go@we-are-panda.com if CSAM content is detected.
Privacy and data protection
Our app is committed to protecting user data, especially that of children under 13 years of age, in accordance with applicable regulations.
The privacy policy is clearly displayed and accessible via the app settings and our website.
All data is encrypted during transmission and stored securely.
Advertising and monetization
Our app contains no advertising or monetized content.
Transparency and disclosure
Data security: Detailed information can be found in the Google Play data security form.
Content ratings: IARC 3+, L, E, 3, 3, USK 0
Validation and updates
Regular internal tests are conducted to ensure compliance with Google Play's child safety standards, including functionality tests and content audits.
The guidelines are reviewed quarterly or as needed to adapt them to updated child safety standards.
6. Changes to this Privacy Policy
We reserve the right to amend this privacy policy with effect for the future. The current version is always available here.
7. Questions and Comments
For questions or comments regarding this privacy policy, please feel free to contact us using the contact details provided above.