Data protection

Protecting your privacy and your identity is extremely important to us at F&P GmbH, Karl-Liebknecht-Strasse 12, 04107 Leipzig, Germany. In this document, we explain how your data is processed in accordance with data protection legislation on the basis of the applicable regulations (GDPR). This Data Protection Policy relates to the online services we offer, referred to generally in this Policy as “online offerings” and specifically as the “platform” on websites and the “app” on mobile applications.

In principle, we process personal data only as necessary in order to provide functional online offerings and our content and services. As a rule, personal data is processed only after you have granted your consent. An exception is made in those cases in which it is not possible for practical reasons to obtain your prior consent and the processing of data is permitted by law.

1. Name and contact details of the Controller and Data Protection Officer

1.1 Controller

This Data Protection Policy covers data processing by:

F&P GmbH
Karl-Liebknecht-Strasse 12
04107 Leipzig, Germany
Email: dsb@fp.de

1.2 Data Protection Officer

Our Data Protection Officer can be contacted as follows:

F&P GmbH
Data Protection Officer
Karl-Liebknecht-Strasse 12
04107 Leipzig, Germany
Email: dsb@fp.de

2. General information on the processing of personal data

The operation of our online offering is subject to the natural dynamics of the Internet, and for this reason it is not possible to go into all the details of its functioning. Our goal in this Policy is to cover the most important elements of our data processing.

Personal data is all information relating to an identified or identifiable natural person. Data is processed in order to enable us to present the offerings you want, to fulfil our contractual obligations, and to enable us to take the required pre-contractual measures in response to your enquiry. Further purposes of the processing are primarily:

  • to optimise your user experience and the associated technical and content development
  • to provide basic functions and algorithms that are in line with the core concept of a community and the associated expectations regarding networking
  • to address IT security issues

As a rule, personal data is deleted as soon as it is no longer needed in order to fulfil the purpose for which it was collected and no statutory retention periods would oppose its deletion. If not explicitly stated, the retention periods for third-party tools can be found in the data protection policy of the respective third-party provider.

3. Processing of data when using our offerings

You can access our offerings through various channels (e.g., website, app). Access to our offerings is partly free-of-charge, whereas other parts can only be accessed for a fee. Some offerings can be used for purely informative purposes; other offerings require you to register and enter into a free or fee-based user agreement. If you use our offerings, personal data is processed either by us or by service providers. The purposes, procedures and legal bases of processing are described in more detail below.

3.1 Applied technology without user recognition

Information is automatically sent to our servers each time our online offerings are accessed. This information is stored temporarily in a so-called “log file”.

During this process, the following information is collected and saved until it is deleted automatically:

  • IP address of the querying device
  • Date and time of access
  • Name and URL of the accessed file or interface
  • Website from which the access originated (referrer URL)
  • Browser/browser ID (“user agent”) installed on the device, the operating system and name of the device, and the name of your Internet service provider
  • If apps are used, the app version
  • User account if registered, user ID and session ID
  • Any errors which may occur (anonymised)

We process the above data for the following purposes:

  • To deliver online content correctly to various devices and browsers
  • To protect our IT systems and technology against misuse
  • To ensure the continuing functionality of our IT systems and technology
  • To provide necessary information to law-enforcement authorities for prosecution
  • To evaluate system security and stability
  • To optimise online content

Art. 6(1.1f) GDPR provides the legal basis for data processing. Our legitimate interest lies in the purposes of the data collection listed above. We will never use the collected data for the purpose of identifying you as an individual. The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected.

3.2 User-recognition technologies

Our app uses various device-identification methods in order to be able to provide certain features, evaluate errors and publish user-specific content and information. We use device-identification characteristics in order to be able to allocate chargeable services to devices and offer push notifications as part of the app’s functionality. To identify devices, we use the “Ad ID” for iOS devices and the “Google advertising ID” for Android devices. We do not use these IDs to target ads.

3.3 When subscribing to newsletters

Provided you have granted your express consent under Art. 6(1.1a) GDPR, we use your email address to send you newsletters at regular intervals. To receive the newsletter, you only need to provide your email address. The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected. You can unsubscribe at any time using the link which appears at the end of each newsletter, for example. Alternatively you can email us at dsb@fp.de to unsubscribe at any time.

3.4 When using contact forms and support functions

If you have any questions, we give you the option of contacting us. To do so, you must provide a valid email address or an active login so that we know from whom the enquiry originated and can reply to it. You can provide further information voluntarily.

Data is processed for the purpose of answering contact queries either on the basis of Art. 6(1.1b) GDPR in order to take steps prior to entering into a contract or to fulfil contractual obligations, or in accordance with Art. 6(1.1a) GDPR on the basis of your freely granted consent.

The personal data that we collect for making contact or communicating is automatically deleted once your enquiry has been dealt with.

Registered users also have the option to report content and request support services.

In such cases we store the name of the person who sent the enquiry, the content of the enquiry and the content, if any, that is reported. The conversation with the user is stored in our support system. Calls via support hotlines are handled without data being stored unless it was essential to establish the caller’s identity in order to clarify the situation and the caller provided this information. In such cases, a support ticket is created. This records the information provided during the conversation or any unresolved issues.

Data used to provide support services is processed in accordance with Art. 6(1.1a) GDPR on the basis of your freely granted consent, in accordance with Art. 6(1.1b) GDPR in order to fulfil contractual or pre-contractual matters with us or with an affiliated payment-service provider, and in accordance with Art. 6(1.1c and f) GDPR to secure the handling of content notifications, such as notifications that must be documented in accordance with the German Network Enforcement Act (NetzDG).

Personal data that we collect for the use of support functions is automatically deleted as soon as your enquiry has been dealt with, provided there is no legal obligation for further retention of this data.

3.5 Ordering a product 

We accept various forms of payment. Payment data may be shared with payment service providers for this purpose. We cooperate with our payment service provider, approved by the BaFin (German Federal Financial Supervisory Authority), for the processing of payments. When you select a payment method during the ordering process, the relevant data is automatically transmitted to the payment service provider. By selecting a payment option, you thereby consent to the transmission of any personal data necessary to process the payment. 

The personal data transmitted to the payment service provider usually consists of the first name, last name, address, date of birth, gender, email address, IP address, phone number, mobile number and other data required to process payments. Personal data relating to the particular order is also necessary for the execution of the contract. In particular, payment information such as account details, card number, expiration date and CVC code, as well as data about goods, services and prices, may be mutually exchanged.

The data is transmitted for the particular purpose of verifying identity, managing payments and preventing fraud. The legal basis is the fulfilment of contractual obligations in accordance with Art. 6(1b) GDPR. In particular, the person responsible for processing the data (the “Controller”) will disclose personal data to the payment service provider where there is a legitimate interest in doing so. The personal data disclosed to the payment service provider will be forwarded by the payment service provider to credit-rating agencies, where necessary, for the purpose of identity verification and credit screening. The legal basis for this is Art. 6(1f) GDPR.

The payment service provider will also share the personal data with service providers or subcontractors where such action is necessary to fulfil contractual obligations. You can withdraw your consent to the handling of personal data by the payment service provider at any time. The withdrawal of consent does not apply to personal data where the processing, usage or disclosure of such is absolutely essential for the (contractual) processing of payments.

3.6 User accounts and profiles

As a user of our online offerings, you have the option of using the offering as a guest without a registered account or registering in order to be able to use further functions. The scope of functions available without registration may be strictly limited.

When you visit our online offering, a contractual relationship is established. The data collected is processed in accordance with Art. 6(1.1b) GDPR in order to fulfil a contract or to implement precontractual measures. No further fees arise unless you intentionally purchase membership and expressly consent to this after registering.

You are not legally obliged to provide personal information. However, some mandatory information is required before we can enter into a user agreement with you. It is a good idea to provide additional information. If you do not provide certain information or object to its use, certain features or services may be unavailable to you.

3.6.1 Guest

Guests can access our online offering without obligation and use the basic functions and content provided. During the visit user data and technical data are collected to provide and optimise the content as described in this Data Protection Policy. No further personal data is collected. Since guests cannot enter any further personal data, no data is processed or stored. For special types of use such as subscribing to a newsletter that do not require separate registration, the relevant passages of this Data Protection Policy apply.

Guests can access a registration form for the purpose of registering a user account. Once the registration process has begun, you have to enter the required data as shown on the input form. This data is stored for a short time so that you can verify your email address (opt-in). If you do not opt in, the data is deleted immediately.

3.6.2 Registered user

You have the option of registering by providing additional personal data. The additional personal data that is transmitted to us depends on which input form you use to register. We require this data in order to provide you with the service offering that you have requested within the framework of the existing user relationship.

You can also use the input options to optimise your image within the community and thus increase your chances of making contact. This data includes information such as your user name, age, region and personal preferences. Additional privacy settings are also available for some functions and types of input. These can be used to activate or block display.

Sensitive data such as your exact date of birth or email address is generally not publicly visible and is collected and stored for internal use only. We can forward the data to one or more contracted external processors, which also use it exclusively for internal purposes on our behalf. You can deactivate the annual display of your birthday on your date of birth yourself at any time using the privacy settings. Registered users have the option at any time to correct the data entered during registration.

Data that is accessible only to you is stored to ensure various functions. This includes the internal email communication system, the visitors to your profile and other data that does not generally appear in your public profile or that can be excluded from being displayed using the privacy settings.

For statistical purposes and to optimise our offering, we collect key data on the use of the online offering by individual registered users at regular intervals and in the event of relevant incidents.

You can also provide various data voluntarily. In this case, too, the purpose of the storage and processing is the general provision of the online offering with community functions (Art. 6 [1.1a] GDPR). We also have a legitimate interest in accordance with Art. 6(1.1f) GDPR in making specific data accessible in the form of profiles within the online offering and in connecting functions used for the operation of the online offerings in keeping with the expectations of all users regarding basic functionality.

We will provide information on request at any time on which personal data is stored. We will also correct or delete personal data on request or on receipt of instructions provided that this does not conflict with any statutory retention periods or breach the purpose limitation. Data not subject to retention periods will be deleted as soon as no longer required to fulfil the purpose for which it was collected, and at the latest on deletion of the user account. Our Data Protection Officer is your contact person for questions relating to this.

3.7 Confirmation of authenticity and verification of legal age

With its combined authenticity check and age verification, JOYclub is committed to taking resolute action against fake profiles and ensuring the protection of minors. All JOYclub members can be verified as genuine for free in just a few minutes. At the same time, we verify that you are of legal age.

During the authenticity check and age verification, we check the authenticity of your profile data, particularly with regard to gender and legal age, by means of a video recording. In case of doubt, we can ask you to present an ID document. The data is stored on servers within Germany and only for the short period of time necessary to carry out the check. After the check has been completed, the submitted video material, which can be viewed only by the members of the JOY team carrying out the checks, is irreversibly deleted. The data is not disclosed to third parties.

For stand-alone authenticity checks we only obtain a photo of you.

Participation in the combined authenticity check and age verification is voluntary. The legal basis for processing the aforementioned data is therefore consent in accordance with Article 6(1a) GDPR, as well as Article 6(1c) GDPR in conjunction with Section (2) of the German Treaty on the Protection of Minors (JMStV) for legal-age verification. Data will be deleted in full immediately after the check has been completed.

The video verification process is not the only way to complete the authenticity check / age verification. There are also opportunities for in-person checks at select events, for example.

3.8 Competitions and surveys

If you participate in surveys or competitions, you have the chance to win virtual and physical prizes. In the latter case, the prize must be shipped to the winner, and for this reason we collect your postal address and real name. This data is processed on the basis of your express consent in accordance with Art. 6(1.1a) GDPR for the purpose of shipping the prize.

Address data will be deleted following the shipment.

4. Disclosure of data

Your personal data will only be disclosed to others for the purposes listed below.

We will only disclose your personal data to third parties if:

  • you have granted your express consent to this under Art. 6(1.1a) GDPR
  • disclosure is required under Art. 6(1.1f) GDPR in order to assert, exercise or defend legal claims and there is no reason to believe that you have an overriding legitimate interest in your data not being disclosed
  • we are legally obliged to disclose it under Art. 6(1.1c) GDPR
  • disclosure is permitted by law and necessary under Art. 6(1.1b) GDPR in order to process contractual relationships or orders with you
  • a legitimate interest in optimising our offering exists under Art. 6(1.1f) GDPR

5. Web analytics

5.1 Adobe Analytics

We use the analytics tool Adobe Analytics from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland (Adobe). When you use our website, Adobe collects and processes various information to provide us with insights into how the website is used. This enables us to optimise our website and improve the user experience, as well as to detect fraud attempts and artificial traffic from bots or crawlers. We use it to measure the reach, usage and performance data of our website in order to improve the design, functioning, security and offering of our website.

During your visit to our website, the following data is processed, among others:

  • information about the browser you are using and your operating system, mobile device dimension and screen resolution
  • your IP address (in abbreviated form)
  • date and time of your visit
  • visit time per page
  • the website from which you came to our site (referrer)
  • the pages you have visited within our website
  • the length of time you spent on each page
  • interactions with content (e.g. clicks, scrolling behaviour)

In addition, we collect account-related data, such as

  • account type
  • type of membership
  • stated age
  • membership duration
  • app status

We do not use cookies in connection with the use of Adobe Analytics.

We process the data on the basis of Art. 6(1f) GDPR. Our legitimate interest is to improve the security of our website and optimise our online offering.

The data collected as part of Adobe Analytics is transferred to Adobe servers and stored there. Adobe may pass this information on to third parties if this is required by law or if third parties process data on behalf of Adobe. We have entered into an order processing agreement with Adobe, which ensures that Adobe processes the data on our behalf in accordance with the applicable data protection regulations.

Personal data is only stored by Adobe for as long as is necessary for the purposes described.

6. Google reCAPTCHA

We protect our community by using the reCAPTCHA service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin. The purpose of the reCAPTCHA challenge is to detect if responses are from humans or if the system is being misused by automated processing (“bots”).

Only authentication data is transmitted by us to Google in the process. This contains no personal data and serves only to authenticate our software at Google.

The embedded reCAPTCHA sends standard client information (e.g., browser, IP address) and any other data required by Google for the reCAPTCHA service to a Google server in the USA, where it is stored and used for further purposes. This information may also be transferred to third parties if required by law or if the data is processed by contracted third parties. Under no circumstances is your IP address combined with other data by Google. The IP addresses are anonymised to prevent them from being linked to a particular individual (IP masking). Only in exceptional cases will the full IP address be sent to a Google server in the USA and anonymised there.

The data is processed on the basis of Art. 6(1f) GDPR. We have a legitimate interest in protecting our website against unauthorised automatic spying and spam.

You can prevent Google from collecting and processing the data relating to your use of the website by disabling JavaScript and cookies in your browser settings. Please note that this may limit the functionality of our website.

Further information on data protection can be found here: https://policies.google.com/privacy?hl=en

7. Cloudflare

We use a content delivery network (CDN) of the service provider Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA). A CDN is a network of servers connected to the Internet worldwide. On the one hand, this makes it possible to increase the delivery speed of our website. On the other hand, Cloudflare provides important security services, such as DDoS protection and the web application firewall. Cloudflare blocks threats and limits abusive bots and crawlers that waste our server resources.

DDoS attacks in particular have become a complex security challenge, because the methods and resources for conducting and concealing such attacks have evolved dramatically. Cloudflare’s network automatically expands the interface by distributing traffic during the attack to a variety of Cloudflare data centres and a diverse set of high-bandwidth cross-connections to other networks. For example, all Internet assets on Cloudflare’s network can withstand massive modern DDoS attacks. The service leads the industry in this respect.

Under certain circumstances, Cloudflare may collect certain information about the use of the website and process data that is sent or for which Cloudflare has received appropriate approvals from us. Generally, these are IP addresses, DNS log data and performance data for websites derived from browser activity. The processing is carried out in accordance with Art. 6(1f) GDPR on the basis of our legitimate interest in secure and efficient service provision, as well as in improving the stability and functionality of our website.

Cloudflare also uses a cookie (__cfduid) to identify individual users behind a shared IP address and to apply security settings to each individual user. Personal data is not stored by this cookie. The cookie is indispensable in order to be able to use the Cloudflare security architecture. It is therefore technically necessary and the use does not require consent.

Personal data will only be stored by Cloudflare for as long as is necessary for the purposes described. As a rule, this data is deleted after 24 hours.

Cloudflare also stores data in the USA. The transmission of data from the EU is based on the European Commission’s so-called “standard contractual clauses” for data protection, which ensure compliance with the European level of data protection in the USA.

For more information, please see Cloudflare’s Privacy Policy at: https://www.cloudflare.com/privacypolicy/

8. Other providers

8.1 Videos and GIFs

8.1.1 YouTube Player and Vimeo

We use the providers YouTube and Vimeo to embed videos. YouTube is operated by YouTube LLC, headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA. Google is represented by Google Ireland Ltd., with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Videos from YouTube are embedded into our online content with the enhanced data protection setting activated. This means that no information about visitors to our online presence is collected and stored by YouTube unless the visitor plays the video. Further information regarding data processing and tips on data protection by YouTube (Google) can be found at https://policies.google.com/privacy and https://www.youtube.com/static?template=privacy_guidelines.

Vimeo is operated by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. Further information regarding data processing and tips on data protection are available at https://vimeo.com/privacy.

8.1.2 Giphy, Tenor

We use the providers Tenor and Giphy to embed animations (GIFs). Tenor is operated by Tenor, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Further information regarding data processing and tips on data protection can be found at https://tenor.com/legal-privacy.

Giphy is operated by Giphy Inc., 416 West 13th Street, Suite 207, New York, New York 10014, USA. Further information regarding data processing and tips on data protection can be found at https://support.giphy.com/hc/en-us/articles/360020028332-GIPHY-Privacy-Policy.

8.1.3 Please note

The legal basis for the processing of users’ personal data is Article 6(1f) GDPR. Processing our users’ personal data enables us to display useful information visually.

When you access our online content, the technology used to embed files can transmit data such as your IP address back to the platforms. You can prevent tracking cookies from being set when playing videos by activating the corresponding setting in your browser to disable their storage. However, we advise you that should you choose to do so, you may not be able to use all of the functionalities of our online content to their full extent.

We have no influence over how the platforms use the data. You can find further information regarding the individual operators directly via the links above and adjust your privacy settings as you deem necessary.

9. Video chat

If you use our video chat feature provided by Nexmo Inc., 23 Main Street, Holmdel, NJ 07733, USA (hereinafter referred to as “Nexmo”), the actual streaming content data generated during the chat (video image and audio track) and the meta- and communication data required for client integration (time and duration of use, source and target identification, location, IP address) are transmitted to the provider’s servers. The data is stored only to the extent required to set up the chat and to enforce security measures.

This processing is carried out solely for the purpose of providing the video chat service and Art. 6(1b) GDPR provides the basis for its legitimacy.

Processing is carried out on our behalf and according to our instructions by the provider Nexmo. The data can be processed on servers in various countries. If the processing is carried out in third countries, it is ensured that the EU Standard Contractual Clauses for this processing apply and thus sufficient guarantees for an adequate level of data protection are provided.

Further information on data processing by Nexmo is available here: https://www.vonage.com/legal/privacy-policy/

10. Rights of data subjects

You have the right:

  • to obtain information about your personal data processed by us under Art. 15 GDPR. In particular, you can request information about the purposes of the processing, the categories of personal data, the categories of recipients to whom your data has been or is disclosed, the envisaged duration for which it will be stored, the existence of a right to rectification and erasure, and to restrict the processing or object to it, the existence of a right to complain, the source of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if appropriate, meaningful information concerning its details
  • to have incorrect personal data stored by us rectified or completed without undue delay under Article 16 GDPR
  • to have your personal data stored by us erased under Article 17 GDPR, provided processing is not necessary to exercise the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or to establish, exercise or defend legal claims
  • to request that the processing of your personal data be restricted under Art. 18 GDPR and to object to the processing under Art. 21 GDPR
  • to receive the personal data that you have provided to us in a structured, commonly used, machine-readable format or to have it transmitted to another controller under Art. 20 GDPR
  • to withdraw the consent that you have granted to us under Art. 7(3) GDPR at any time. This will prevent us from continuing to process data based on such consent.
  • to lodge a complaint with a supervisory authority under Art. 77 GDPR, in particular in the Member State in which you live or work or in which the alleged infringement took place, if you are of the opinion that the processing of personal data relating to you is in breach of the GDPR.

11. Right to object

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6(1.1f) GDPR, you have the right under Art. 21 GDPR to object to the processing of your personal data where there are grounds relating to your particular situation or the objection relates to direct marketing. In the latter case, you have a general right to object that we will implement without the need to specify a particular situation.

If you wish to exercise your right to withdraw consent or to object, simply email us at dsb@fp.de.

12. Data security

When our online offerings are accessed, we use the widely used SSL (Secure Sockets Layer) protocol in conjunction with the highest level of encryption that your device supports. Generally this is 256-bit encryption. If your device does not support 256-bit encryption, we use 128-bit v3 technology instead.

We make use of appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss or destruction and against unauthorised access by third parties. Our security measures are continually enhanced in line with technological advances.

13. Validity of and changes to this Data Protection Policy

This Data Protection Policy (correct as of 01 September 2021) is currently in force.

It may be necessary to make changes to this Data Protection Policy following further development of our online offerings or due to legislative or administrative changes. You can access and store the currently valid Data Protection Policy at any time.