This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offering and its associated websites, features, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering"). In terms of the terminology used, such as "personal data" or their "processing," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Name/Company: Legal Hero GmbH Netherlands B.V.
Street No.: Weteringschans 109
Postal Code, City, Country: 1017 SB Amsterdam
Commercial Register: Chamber of Commerce Nr. 96936495
Managing Director: Robin Friedlein
Phone Number: +49 (30) 30 808 100
Email Address: service@legalhero.de
- Inventory data (e.g., names, addresses).
- Contact data (e.g., email, phone numbers).
- Content data (e.g., text entries, photographs, videos).
- Contract data (e.g., subject matter, duration, customer category).
- Payment data (e.g., bank account details, payment history).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/Communication data (e.g., device information, IP addresses).
Processing special categories of data (Art. 9(1) GDPR):
No special categories of data are processed.
Categories of data subjects affected by processing:
- Customers / interested parties.
- Visitors and users of the online offering.
Hereinafter, we also refer to the data subjects collectively as "users."
- Provision of the online offering, its content, and functions.
- Provision of contractual services, service, and customer care.
- Response to contact requests and communication with users.
- Marketing, advertising, and market research.
- Security measures.
Effective Date: May 1, 2025
The legal bases for our data processing are provided herein. Unless the legal basis is specifically mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures as well as respond to inquiries is Article 6(1)(b) GDPR, the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR. In cases where vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
We ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as changes in our data processing activities make it necessary. We will inform you when changes require your participation (e.g., consent) or other individual notifications.
In accordance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The measures include, in particular, securing the confidentiality, integrity, and availability of data through controlling physical access to the data, as well as their access, input, transfer, securing availability, and separation. We also have procedures in place to ensure the exercise of data subject rights, deletion of data, and response to data threats. Additionally, we consider the protection of personal data when developing or selecting hardware, software, and procedures, corresponding to the privacy-by-design and by-default principles (Article 25 GDPR).
A key security measure is the encrypted transmission of data between your browser and our server.
We occasionally engage processors, which are companies we legally instruct to process data, Article 28 GDPR (service providers, auxiliary agents). These may be natural or legal persons who process personal data on our behalf and provide it to us as a service. We have concluded contracts with our processors ("processing contracts"). This means that processors are only permitted to process your personal data in ways we have explicitly instructed. They will only transfer your personal data to us and not any other parties or organizations. They also ensure that necessary technical-organizational measures are implemented to safely process your data and only store your personal data as long as instructed by us. Data transfer or other access is only based on legal permission (e.g., when transferring data to third parties, such as payment service providers, is required according to Article 6(1)(b) GDPR for contract fulfillment), if you have consented or based on our legitimate interests (e.g., when using agents, web hosts, etc.). We contract companies primarily in areas such as IT, sales, marketing, finance, consulting, customer service, and human resources.
Under certain circumstances, we are legally obliged to transfer and share personal data with third parties, Article 6(1)(c) GDPR.
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this only happens if it serves to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process data, or allow it to be processed, in a third country only under the special conditions of Articles 44 ff. GDPR. That is, the processing is carried out, for example, on the basis of special guarantees such as the officially acknowledged determination of a level of data protection corresponding to that of the EU or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
6.1. You have the right to request confirmation as to whether data concerning you is being processed and to information about this data as well as further information and a copy of the data according to Article 15 GDPR.
6.2. You have the right to request completion of the data concerning you or correction of inaccurate data according to Article 16 GDPR.
6.3. You have the right to demand immediate deletion of data concerning you according to Article 17 GDPR, or alternatively, to demand a restriction of processing according to Article 18 GDPR.
6.4. You have the right to request data concerning you that you have provided to us according to Article 20 GDPR and to demand their transmission to other responsible parties.
6.5. You also have the right to lodge a complaint with the competent supervisory authority in accordance with Article 77 GDPR.
You have the right to withdraw granted consent in accordance with Article 7(3) GDPR with effect for the future.
You can object to future processing of data concerning you in accordance with Article 21 GDPR at any time. The objection may particularly concern processing for purposes of direct marketing.
9.1. Cookies are information transferred from our web server or third-party web servers to users' web browsers, stored there for later retrieval. Cookies can be small files or other types of information storage. Whether and which cookies may be used during your visit to our website depends on the areas and features of our websites you use and whether you consent to non-technically necessary cookies in our consent management system. Additionally, the use of cookies depends on the settings of your web browser (e.g., Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox). Most web browsers are preset to automatically accept certain types of cookies; however, you can mostly change this setting. Existing cookies can be deleted at any time. Web/DOM storage and local shared objects can be deleted separately. Refer to the manufacturer's instructions for details on how this works in your browser or device.
9.2. When accessing our website www.legalhero.de or our app, your browser automatically sends information to the server of our website. The web servers are operated by AWS Germany and Raidboxes GmbH and are located in Germany. This information is temporarily stored in a so-called logfile, captured without your intervention, and stored until automated deletion:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the accessed file
- Website from which access occurs (Referrer URL)
- Browser used and possibly the operating system of your computer, as well as the name of your access provider
The mentioned data is processed by us for the following purposes:
- Ensuring a smooth connection to the website
- Ensuring comfortable usage of our website
- Evaluation of system security and stability
- Administrative purposes
The legal basis for data processing is Article 6(1)(f) GDPR. Our legitimate interest is derived from the purposes listed above for data collection. Under no circumstances will we use the collected data for the purpose of drawing conclusions about your person.
Furthermore, we use cookies and analysis services when you visit our website. More explanations can be found under sections 12 and following of this privacy policy.
9.3. When contacting us by phone or fax, the user's information, especially their name, request, and phone number, is processed for handling the contact request and its execution in accordance with Article 6(1)(b) GDPR.
User details may be stored in our Customer-Relationship-Management System ("CRM System") or a similar filing system for the purpose of passing them to a partner law firm. Based on our legitimate interests (rapid and efficient handling of user requests), we use the software of Aircall SAS, 11 Rue Saint-Georges 75009 Paris, France, for receiving and processing phone inquiries and fax messages. We have concluded a data processing agreement with Aircall SAS under Article 28 GDPR with EU standard contractual clauses to comply with the GDPR.
User information is deleted once the requested inquiry is resolved unless needed for further processing of an existing or concluded contract or another contractual matter according to Article 6(1)(b) GDPR.
9.4. When users initiate a legal review through one of our partner law firms on the website ("Check Your Right"), we collect the following personal data and information on the services you have commissioned and store them in order databases:
- First and last name
- Phone number
- Email address
- Availability of legal protection insurance
- Insurance and policy number
- Possibly differing name of the policyholder
- Contract data (e.g., gross salary, limitation) / Date of incident or case description (e.g., dismissal or traffic violation date), driver's license data, number of points in Flensburg
- Uploaded documents
We transmit the data for the purpose of mediating legal services to law firms, which due to their qualification for service provision and other details may be considered as providers of legal services. Upon assignment and acceptance by the law firm, a mandate relationship is established with the respective law firm, not with us. The responding lawyer is subject to attorney-client privilege. The legal bases for the processing of data entered during case registration are Article 6(1)(a) GDPR (consent) and Article 6(1)(f) GDPR (legitimate interests of the responsible party). Another legal basis for this data processing is Article 6(1)(e) GDPR (public interests).
We delete inquiries when no longer needed. We check the necessity every two years. In case of statutory archiving obligations, deletion occurs once these expire.
9.5. We use a suite of software tools (G-Suite) from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) based on our legitimate interests (efficient and quick handling of user requests). We have concluded a contract with Google Ireland Limited involving standard contractual clauses, in which the provider commits to processing user data only as directed by us and to adhere to the EU data protection standards. The standard contractual clauses are available from the respective providers. The essential content is also available at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF.
10.1. The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated within this privacy policy, stored data is deleted when it is no longer necessary for its intended purpose and no statutory retention obligations oppose this. If data is not deleted because it is necessary for other legally permissible purposes, its processing will be restricted. That is, the data will be locked and not processed for other purposes. This applies, e.g., to data that must be retained for commercial or tax reasons.
10.2. According to legal requirements, retention specifically occurs for 6 or 10 years per § 257(1) HGB (commercial books, inventories, opening balances, annual statements, commercial letters, booking receipts, etc.) and for 10 years per § 147(1) AO (books, records, situational reports, booking documents, commercial and business letters, documents relevant for taxation, etc.).
11.1. We maintain online presences within social networks and platforms based on our legitimate interests under Article 6(1)(f) GDPR to communicate with clients, interested parties, and users and inform them about our services there. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
11.2. Unless otherwise stated within our privacy policy, we process user data if they communicate with us within social networks and platforms, e.g., by posting on our online presence or sending us messages.
We use Mailchimp by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) to dispatch our newsletter. This allows us to contact subscribers directly and additionally analyze user behavior to optimize our offerings.
For this purpose, we share the following personal data with Mailchimp:
- Email address
- [First Name]
- [Last Name]
- [Phone Number]
[Our email dispatches include a link to update your personal data.]
Mailchimp is the recipient of your personal data and acts as a processor for us concerning the dispatch of our newsletter. Processing of data mentioned in this section is neither legally nor contractually required. Without consent and transfer of your personal data, we cannot send our newsletter to you.
Additionally, Mailchimp collects the following personal data using cookies and other tracking methods: information about your device (IP address, device information, operating system, browser ID, information about the application you use to read emails, and other hardware and internet connection information). Also collected are usage data such as date and time when you open the email/campaign and browser activities (e.g., which emails/websites are opened). Mailchimp needs this data to ensure system security and reliability, compliance with terms of use, and prevent abuse. This corresponds to Mailchimp's legitimate interest (in accordance with Article 6(1)(f) GDPR) and serves contractual fulfillment (according to Article 6(1)(b) GDPR). Additionally, Mailchimp evaluates performance data like email delivery statistics and other communication data. This information is used to create usage and performance statistics of services.
Mailchimp additionally collects information from other sources about you. Personal data from social media and other third-party providers are collected to an unspecified extent and period. We have no influence over this process.
Further information on objection and removal options against Mailchimp can be found at: https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts
The legal basis for these processing activities is your consent according to Article 6(1)(a) GDPR. You can withdraw consent for processing your personal data at any time. All transmissions contain a corresponding link. The withdrawal can also occur through the indicated contact options. The legality of the previously undertaken processing remains unaffected by the withdrawal of consent.
Your data is processed as long as the corresponding consent is present. Apart from that, it is deleted after the contract between us and Mailchimp ends unless legal requirements necessitate further storage.
Mailchimp has implemented compliance measures for international data transfers. These apply to all worldwide activities where Mailchimp processes personal data of individuals within the EU. These measures are based on EU standard contractual clauses (SCCs). More information can be found at: https://mailchimp.com/legal/data-processing-addendum/.
13.1. Within our online offering, we use content or service offers from third-party providers based on our legitimate interests (i.e., interest in analysis, optimization, and economic operation of our online offering under Article 6(1)(f) GDPR) to integrate their content and services, such as videos, fonts, or maps (hereinafter uniformly referred to as "content"). This always requires that the third-party providers of this content perceive the users' IP address since without the IP address they cannot send content to their browser. The IP address is therefore needed for displaying this content. We endeavor to only use content where respective providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, so-called "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on these website pages can be evaluated. Pseudonymous information may also be stored in cookies on users' devices, including technical information about the browser and operating system, referring websites, visit time, and further data on the use of our online offering, and may also be combined with such information from other sources.
13.2. The following presentation provides an overview of third-party providers as well as their content, along with links to their privacy policies, which contain further information on data processing and, partly already mentioned here, objection possibilities (so-called opt-out):
External fonts from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), https://www.google.com/fonts ("Google Fonts"). The integration of Google Fonts occurs through a call to Google servers (typically in the USA). Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.