Privacy Policy

INTRODUCTION AND DEFINITIONS

1. INTRODUCTION

In connection with the operation of our website www.myticket.de (hereinafter referred to as the "Website"), we process personal data. We treat such data confidentially and process it in accordance with applicable laws — in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Austrian Data Protection Act (DSG). This Privacy Policy is intended to inform you about which personal data we collect from you, for what purposes and on what legal basis we use such data, and, where applicable, to whom we disclose it. In addition, we will explain the rights available to you to safeguard and enforce your data protection interests.

2. DEFINITIONS

This Privacy Policy contains technical terms used in the GDPR. For your convenience, we provide the following plain-language explanations:

2.1 Personal Data
"Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). Information about an identified person includes, for example, a name or email address. Data is also considered personal where the identity of the individual is not immediately apparent but can be determined by combining one's own or third-party information. A person may become identifiable, for example, through their postal address, bank account details, date of birth, username, IP address, and/or location data. Any information that may in any way allow conclusions to be drawn about a specific individual is relevant in this context.

2.2 Processing
"Processing" within the meaning of Art. 4(2) GDPR means any operation or set of operations performed on personal data. This includes, in particular, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

DATA CONTROLLER AND DATA PROTECTION OFFICER

3. Data Controller

The controller responsible for data processing is:

Company: mytic myticket AG ("we")
Legal Representatives: Moritz Schwenkow (Chairman of the Board and CEO), Lukas Goy (Member of the Board and COO)
Address: Johannisbollwerk 20, 20459 Hamburg, Germany
Email: help@myticket.de

4. Data Protection Officer

We have appointed an external Data Protection Officer for our company. You may reach them at:

Name: Reinher Karl
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg, Germany
Email: datenschutz@habewi.de

SCOPE OF PROCESSING

5. Scope of Processing: Website

In connection with the Website, we process the personal data set forth in detail in Sections 6 through 17 below. We only process data that you actively provide on our Website (e.g., by completing forms) or that is automatically made available when you use our services.

Your data is processed exclusively by us and is, as a general rule, neither sold, lent, nor disclosed to third parties. Where we engage the assistance of external service providers to process your personal data, this is done under a data processing agreement (DPA), whereby we, as the data controller, retain the right to issue instructions to the processor. For the hosting, maintenance, support, and further development of our Website, we engage external service providers. Where additional external service providers are involved in any of the processing activities described in Sections 6 through 17, they are identified accordingly.

We host our Website with the external provider Bradler & Krantz GmbH & Co. KG, Kurt-Schumacher-Platz 8, 44787 Bochum, Germany. As a general rule, no transfer of data to third countries takes place, nor is any such transfer planned. Any exceptions to this principle will be disclosed in the relevant processing activities described below.

PROCESSING ACTIVITIES IN DETAIL

6. Provision of the Website and Server Log Files

6.1 Description of Processing
Each time the Website is accessed, we automatically collect information that your browser transmits to our server. This information is also stored in our system's so-called log files. The following data is collected:

Your IP address; the browser software you use, including its version and language; the operating system you use, if actively transmitted by your browser; the website from which you navigated to our Website (so-called referrer); the sub-pages you accessed on our Website; the date and time of your visit to our Website; and the volume of data transferred.

The temporary storage of your IP address by our system is necessary to deliver our Website to your device. For this purpose, your IP address must remain stored for the duration of the session. However, your IP address is not retained in our log files.

6.2 Purpose
Processing is carried out to enable access to the Website and to ensure its stability and security. In addition, processing serves the statistical analysis and improvement of our online offerings.

6.3 Legal Basis
Processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 6.2. To the extent that your consent is required, the legal basis is Art. 6(1)(a) GDPR, which we obtain through a cookie consent tool.

6.4 Retention Period
Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected for the provision of the Website, this is the case when the respective session has ended. Log files are deleted after 14 months, unless statutory retention obligations — particularly in connection with a contractual relationship — require longer retention periods.

7. Registration and Profile

7.1 Description of Processing
Certain features and offerings of our Website are available only to registered users. By registering, you enter into a free-of-charge user agreement with us. Through registration, you receive a personal user account on our Website. Registration is completed by filling out and electronically submitting the registration form at www.myticket.de. To register, you must provide your salutation/gender, first name, last name, address (street, house number, postal code, city, country), email address, and a freely chosen password. By clicking the "Register" button, you submit the form to us. You will then receive an automated welcome email containing a link to confirm your email address. Your account on our Website will only be activated after successful verification of your email address by clicking the confirmation link. As a registered user, you can shop more quickly and conveniently on our Website by storing your billing and shipping addresses in your user profile, eliminating the need to re-enter your personal data for future purchases.

In addition to the information you provide during registration, we process the following personal data for the setup and maintenance of your user account, to the extent you provide it: company name, address supplement, telephone number, date of birth, VAT ID, and shipping address.

7.2 Purpose
Processing is carried out to provide you with the features of our Website available to registered users.

7.3 Legal Basis
Processing is necessary for the performance of the user agreement (Art. 6(1)(b) GDPR). Without the provision of your personal data during registration, we are unable to perform our contractual obligations.

7.4 Retention Period
Your data will be automatically deleted upon termination of your user agreement. You may terminate the user agreement at any time by notifying us via email at help@myticket.de or by mail to mytic myticket AG, Johannisbollwerk 20, 20459 Hamburg, Germany, that you no longer wish to be a registered user of our Website. We will then promptly delete your user account. In addition, as a logged-in user, you may edit and remove your own posts, information, and data at any time.

8. Purchases

8.1 Description of Processing
You may purchase tickets and other products related to our events on our Website, either as a guest or as a registered user. During the order process, we process personal data from you and, where applicable, from third parties with whom you plan to attend an event. If you provide the data of a third party when purchasing tickets, you must ensure that the third party has been sufficiently informed by you about the processing of their data and that you are authorized to provide such data. Mandatory fields marked with an asterisk ("*") in our online shop must be completed.

Otherwise, we will be unable to enter into a purchase agreement with you, inform you of short-notice changes, or ship the desired goods to you. For certain events, tickets are personalized. In such cases, we use your name and the names of additional attendees to personalize the tickets. All other information is provided on a voluntary basis. When making a purchase on our Website, you may also select one of the available payment methods to pay the purchase price. Upon completion of your order, the data required for payment will be transmitted to the respective payment service provider. If you make a purchase as a registered user, you may store your billing and shipping addresses, as well as your preferred payment method, in your user profile for a faster and more convenient ordering process. In addition, your first name, last name, and address will be transmitted to our shipping service provider for order fulfillment.

If you have given your consent during the order process by checking the corresponding box, we will also share your email address with our shipping service provider so that you may receive direct email notifications from the shipping service provider regarding the current status of your shipment.

8.2 Purpose
Processing is necessary to fulfill our contractual obligations. The provision of your telephone number is necessary to enable us to contact you on short notice, particularly in the event of material changes, postponements, or cancellations in connection with an event. Personalization is required to enable you and additional attendees to attend the event and to allow the event organizer to receive personalized data for infection chain tracing purposes. Otherwise, the contract cannot be performed.

8.3 Legal Basis
Processing is necessary for the conclusion and performance of purchase agreements (Art. 6(1)(b) GDPR). This also applies to the transmission of payment-related data to the respective payment service provider and the transmission of shipping-related data to the shipping service provider. The transmission of your email address for shipment notification emails is based on your consent (Art. 6(1)(a) GDPR).

8.4 Retention Period
We are required by commercial and tax law to retain your address, payment, and order data for a period of ten years. However, after two years, we restrict the processing of such data. This means your data will then be stored solely for the purpose of complying with statutory retention obligations and will be promptly deleted upon expiration of those periods. Consent to the transmission of your email address for the purpose of sending shipment notification emails is voluntary and may be revoked at any time with future effect by means of a simple declaration (by email to: datenschutz@habewi.de, or by mail to: HABEWI Datenschutz, Palmaille 96, 22767 Hamburg, Germany).

8.5 Recipients
For the processing of your payment, personal data is transmitted to one of the following external payment service providers, as selected by you during your purchase:

• Adyen N.V., Simon Carmiggeltstraat 6, 1011 DJ Amsterdam, The Netherlands
• PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

9. Contact Form and Contact via Email

9.1 Description of Processing
We provide a contact form on our Website for the purpose of contacting us. In this form, you are asked to enter your email address, your name, the subject of your inquiry, the event, the event date, and, if applicable, your order number, as well as a message to us. When you click the "Send" button, the data is transmitted to us using SSL encryption. The contact form can only be submitted if you accept our Privacy Policy by checking the corresponding checkbox. You may also contact us via the email addresses provided on the Website and write and publish reviews of artists. In such cases, the personal data transmitted with the email or the review will be processed by us.

9.2 Purpose
By providing a contact form on our Website, we aim to offer you a convenient way to reach us. The data transmitted with and in the contact form or your email is used exclusively for the purpose of processing and responding to your inquiry.

9.3 Legal Basis
Processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 9.2. Where the email contact is aimed at the conclusion or performance of a contract, the legal basis for processing is Art. 6(1)(b) GDPR.

9.4 Retention Period
Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. This is generally the case when the respective communication with you has ended. The communication is deemed ended when the circumstances indicate that your matter has been conclusively resolved. Where statutory retention periods preclude deletion, the data will be deleted promptly upon expiration of the applicable statutory retention period.

10. Cookies and Tracking Technologies

10.1 Description of Processing
Our Website uses cookies. Cookies are small text files that are stored on a user's device when visiting a website. Cookies contain information that enables the recognition of a device and, where applicable, certain functions of a website. We distinguish between our own cookies, which are set, for example, when the Website is accessed, and third-party cookies, such as those from advertising services and social networks. Our Website uses both "session cookies" and "persistent cookies." Session cookies are automatically deleted when you end your internet session and close your browser. Persistent cookies remain stored on your device for an extended period. Where cookies are technically necessary for the operation of our Website, your consent is not required. All other cookies are only set after you have actively consented to the use of cookies through our cookie banner or cookie consent tool. Details on which cookies are used on our Website, for which purpose, and how long they are stored on your device, can be found in the settings of our cookie banner or cookie consent tool.

We use the following third-party services, provided you have given your prior consent in each case:

Impact, eKomi, Freshdesk, Personio, Google Ads Conversion Tracking, YouTube Cookies (ytimg), Google Analytics, Google Tag Manager, Clarity, Twitter, DoubleClick Floodlight, Google Ads Retargeting, Meta Conversions API, Meta Pixel, Meta Custom Audiences, Microsoft Bing Ads, Spotify, Cloudflare, DataDome, AWS S3 (Amazon), TikTok (Analytics), Taggrs.io

When visiting our Website, a cookie icon is displayed in the lower left corner. Clicking on the icon opens the settings page of our cookie consent tool, where you can access detailed information pursuant to Art. 12(1) GDPR regarding the purpose, duration, location, and legal basis of the processing of personal data, and where you can revoke your consent at any time.

10.2 Purpose
We use cookies to make our Website more user-friendly and to provide the functions described in Section 10.1. A detailed description of the purpose of each individual cookie can be found in the settings of our cookie banner or cookie consent tool.

10.3 Legal Basis
With regard to technically necessary cookies, processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 10.2. With regard to all other — i.e., non-technically necessary — cookies, the legal basis is consent (Art. 6(1)(a) GDPR). Such consent is voluntary.

10.4 Retention Period and Revocation of Consent
Cookies are automatically deleted at the end of a session or upon expiration of the specified retention period. Since cookies are stored on your device, you as the user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be deleted, including on an automated basis. If cookies for our Website are deactivated, deleted, or restricted, certain features of our Website may not be available or may only function in a limited manner. Any consent you have granted for the use of cookies may be revoked at any time with future effect through the settings of the cookie banner or cookie consent tool. You can access the settings of the cookie consent tool by clicking on the blue cookie icon in the lower left corner when visiting our Website.

10.5 Recipients and Transfers to Third Countries
When third-party cookies are used, data may be transmitted to the respective providers of such third-party services. In some cases, this may involve transfers to third countries outside the European Union or the European Economic Area. Information about data recipients and any third-country transfers is provided in the settings of the cookie banner/cookie consent tool or in the relevant section pertaining to the third-party service in this Privacy Policy.

11. PIA Media

11.1 Description of Processing
PIA Media GmbH, Gorch-Fock-Wall 1a, 20354 Hamburg, Germany, receives and processes all data collected by the service providers listed in the preceding section through cookies, web storage, pixels, and similar technologies. The collected data is processed and prepared for profiling, analytics, tracking, and advertising purposes.

11.2 Purpose
We have PIA Media process the data for the purposes of advertising, marketing, personalization, retargeting, optimization of our services, conversion tracking, and profiling. A detailed description of the purpose of each individual cookie can be found in the settings of our cookie consent tool.

11.3 Legal Basis
The legal basis is consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG [German Telecommunications Digital Services Data Protection Act]). Such consent is voluntary.

11.4 Retention Period and Revocation of Consent
You may revoke your consent to the storage and processing of data at any time with future effect through the settings of the cookie consent tool.

11.5 Recipients and Transfers to Third Countries
When third-party cookies are used, data may be transmitted to the respective providers of such third-party services. In some cases, this may involve transfers to third countries outside the European Union or the European Economic Area. Information about data recipients and any third-country transfers is provided in the settings of the cookie consent tool or in the relevant section pertaining to the respective third-party service in this Privacy Policy. PIA Media's privacy information can be found here: https://piamedia.com/en/privacy-policy/

12. Newsletter

12.1 Description of Processing
We send newsletters at irregular intervals. Through our newsletter, we inform you about pre-sale launches for concerts, shows, and events of all kinds, as well as current event recommendations, sweepstakes and marketing campaigns, and automated marketing emails (e.g., surveys, birthday greetings). You will only receive our newsletter if you actively subscribe to our mailing list. You can subscribe by completing and submitting a newsletter sign-up form on our Website or during the checkout process in our online shop. Newsletter registration requires only the provision of your email address. All other information (such as your first and last name) is voluntary and serves solely to personalize the emails. To carry out and verify newsletter registrations, we use the so-called double opt-in procedure. Registration takes place in multiple steps. First, you sign up for the newsletter on our Website. You will then receive an email from us at the email address you provided. In this email, we ask you to confirm that you did indeed sign up for the newsletter and wish to receive it. Confirmation is effected by clicking a confirmation link contained in the email. Only after successful confirmation will we add you to our newsletter mailing list and send you emails going forward. As part of the double opt-in procedure, we store the date, time, and your IP address both at the time of sign-up and at the time of confirmation.

Where we have received your email address in connection with the sale of goods or services and you have not objected, we reserve the right to send you regular offers for products similar to those already purchased from our catalog by email, on the basis of Section 7(3) of the German Unfair Competition Act (UWG) and Section 174(4) of the Austrian Telecommunications Act (TKG), without your prior consent, in the form of a so-called existing customer newsletter. This serves the protection of our legitimate interests, which prevail in the context of a balancing-of-interests assessment, in the advertising outreach to our customers. You may object to this use of your email address at any time by sending a message to the contact information set forth below or by using the designated link in the promotional email, without incurring any costs other than the transmission costs at the basic rates.

12.2 Purpose
Processing is carried out to provide the newsletter function and to send newsletter emails to subscribers and existing customers. The collection and storage of the date, time, and IP addresses during newsletter registration serves to document consents granted and to protect against the unauthorized registration of email addresses.

12.3 Legal Basis
For our subscriber newsletter, processing is based on consent pursuant to Art. 6(1)(a) GDPR. You may request a copy of your consent declaration from us at any time by email. Your consent is voluntary. The collection and storage of the date, time, and IP addresses during newsletter registration is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 12.2. For our existing customer newsletter, processing is based on Art. 6(1)(f) GDPR in pursuit of the controller's prevailing legitimate interests. Our legitimate interest lies in the direct marketing outreach to existing customers, which is permissible within the framework we observe under Section 7(3) UWG and Section 174(4) TKG, respectively.

12.4 Retention Period and Revocation of Consent
If you do not confirm your newsletter registration within 31 days of receiving the corresponding registration email, your data will be deleted. We otherwise process your personal data for the duration of your newsletter subscription. You may cancel receipt of our newsletter at any time by revoking your consent. A simple declaration is sufficient (by email to help@myticket.de, or by mail to mytic myticket AG, Johannisbollwerk 20, 20459 Hamburg, Germany) or via the designated link in the newsletter, without incurring any costs other than the transmission costs at the basic rates. Upon revocation of your consent, you will no longer receive newsletters and your personal data will be removed from our active mailing list. We will add your email address to our so-called suppression list on a restricted basis to enforce your revocation. This ensures that you will not receive newsletters from us in the future and that your email address is not misused by third parties.

12.5 Recipients and Transfers to Third Countries
For the management of our newsletter mailing list and the dispatch of emails, we use the services of the newsletter provider starmate solutions GmbH, Pfarrer-Weiß-Weg 16, 89077 Ulm, Germany. This is done under a data processing agreement. Further information on data protection at starmate solutions GmbH can be found at https://www.starmate.io/datenschutz.

13. Social Networks

13.1 Description of Processing
Our Website does not use so-called social media plugins. The logos of Facebook, Instagram, TikTok, and LinkedIn displayed on our Website are merely linked to the respective profiles of our company on the social networks. The integration of these logos does not result in any data transmission to the social networks. Clicking on one of the logos will simply redirect you to the external website of the respective social network.

However, our profiles within the social networks do constitute data processing. If you are logged into the respective social network when visiting such a profile, this information will be associated with your user account there. If you interact with our profile — e.g., by commenting on, "sharing," "liking," or "retweeting" a post — this information will also be stored in your user account. As a rule, your interactions with our profile are also visible to us.

On the social networks Facebook and Instagram, the so-called "Insights" feature provides us with the ability to obtain statistical data about the use of our Facebook page and our Instagram profile. These statistics are generated by Facebook and Instagram, respectively. The Insights feature is non-derogable; we cannot choose to enable or disable it. It is available to all operators of a Facebook fan page and all operators of an Instagram business account, regardless of whether the Insights feature is actively used.

Through Facebook Insights, we receive the following data for a selectable time period, in anonymized form with respect to fans, subscribers, reached individuals, and interacting individuals: total number of page views, "likes" including origin, page activities, post interactions, reach, post reach (subdivided into organic, viral, and paid interactions), comments, shared content, replies, and demographic analyses — i.e., country of origin, gender, and age. The Insights statistics do not allow us to identify subscribers and fans of our page or view their profiles.

Additionally, Instagram Insights provides us with anonymized data on the growth and reach of our Instagram profile, as well as the posts, stories, and videos we publish there. We also receive statistical information in Instagram Insights about the location, gender, and age of the subscribers of our Instagram profile.

The social networks with which you communicate store your data using pseudonyms as user profiles and use such data for advertising and market research purposes. This enables, for example, the display of advertising within the social network and on third-party websites that corresponds to your presumed interests. For this purpose, cookies are generally placed on your device by the social network. You have the right to object to the creation of these user profiles; to exercise this right, you must contact the social networks directly.

13.2 Purpose
We maintain profiles on the aforementioned social networks for the purpose of contemporary and supporting public relations and corporate communications with customers and interested parties.

We use the "Facebook Insights" feature to make our posts on our Facebook fan page more attractive to our visitors. This enables us, for example, to identify preferred visit times and use this information to schedule our posts accordingly.

13.3 Legal Basis
The legal basis for data processing in connection with our profiles on social networks is the pursuit of our prevailing legitimate interests (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 13.2. Where you are asked for your consent by the respective operator of a social network, the legal basis is Art. 6(1)(a) GDPR. With regard to our presence on Facebook and Instagram, data processing is additionally based on joint controllership pursuant to Art. 26 GDPR.

13.4 Recipients and Transfers to Third Countries
The respective social networks are operated by the companies listed below. Further information on data protection with respect to our profile on the social networks can be found in the linked privacy policies.

• Facebook: Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy Policy:
  www.facebook.com/policy.php; www.facebook.com/help/186325668085084,
  www.facebook.com/about/privacy/your-info-on-other#applications and
  www.facebook.com/about/privacy/your-info#everyoneinfo.
• Instagram: Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Privacy Policy: help.instagram.com/155833707900388/.
• TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/en

The social networks also process your personal data in the United States.

14. Google Web Fonts

14.1 Description of Processing
Our Website uses "Google Web Fonts," a font replacement service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google"). With Google Web Fonts, the default fonts on your device are replaced by typefaces from Google's catalog when our Website is displayed. If your browser prevents the integration of Google Web Fonts, the text on our Website will be displayed in the default fonts of your device. Google Fonts are loaded directly from a Google server. For this to occur, your browser sends a request to a Google server. As a result, your IP address may be transmitted to Google in connection with the address of our Website. However, Google Web Fonts does not place cookies on your device. According to Google, data processed in connection with the Google Web Fonts service is transmitted to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. This data is not linked to data that may be collected in connection with the use of other Google services, such as the search engine of the same name or Gmail. Further information on data protection with regard to Google Web Fonts can be found at https://developers.google.com/fonts/faq. General information on data protection at Google is available at https://policies.google.com/privacy.

14.2 Purpose
Processing is carried out to display the text on our Website in a more legible and aesthetically appealing manner.

14.3 Legal Basis
Processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the purpose described in Section 14.2.

14.4 Recipients and Transfers to Third Countries
Through the use of Google Web Fonts, personal data may be transmitted to Google. Google also processes your personal data in the United States.

15. Sign In with Google (Google Sign-In)

15.1 Description of Processing
We offer you the option to sign in and register on our Website using your existing Google account ("Google Sign-In"). This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). When you use the "Sign in with Google" function, you will be redirected to a Google sign-in page where you can authenticate using your Google credentials. Upon successful authentication, your Google account will be linked to our service. Depending on your chosen sharing settings, we receive the following information from Google: your first and last name, your email address, and, if applicable, your profile picture. We use this data exclusively for the creation and management of your user account on our Website and for authentication during future sign-ins. We do not link your account with other Google services.

15.2 Purpose
Processing is carried out to enable simplified registration and sign-in on our Website and to save you the need to repeatedly enter registration data.

15.3 Legal Basis
Processing is based on your consent pursuant to Art. 6(1)(a) GDPR, which you grant by actively clicking the "Sign in with Google" button. Your consent is voluntary. In addition, processing is carried out for the implementation of pre-contractual measures or the performance of the user agreement pursuant to Art. 6(1)(b) GDPR.

15.4 Retention Period and Revocation of Consent
We process your personal data received via Google Sign-In for the duration of your user agreement with us. You may revoke your consent to the use of Google Sign-In at any time with future effect by unlinking the connection in your user account settings on our Website or by sending us a corresponding notification by email to help@myticket.de. The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to its revocation. In the event of a revocation, you may continue to log in to your user account using the credentials you provided at the time of initial registration. Alternatively, you may delete your user account entirely.

15.5 Recipients and Transfers to Third Countries
Through the use of Google Sign-In, personal data is transmitted to Google Ireland Limited. Google also processes your personal data in the United States. This third-country data transfer is carried out on the basis of the so-called EU Standard Contractual Clauses. Further information on Google Sign-In and data protection at Google can be found at https://policies.google.com/privacy.

16. Matomo

16.1 Description of Processing
Our Website uses "Matomo," a web analytics service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (hereinafter "Matomo"). Matomo is open-source software that we use as a cloud service, with servers operated by InnoCraft Ltd. Matomo analyzes user behavior on our Website. The statistics generated by Matomo capture, in particular, how many users visit our Website, from which country or location the access originates, which sub-pages are visited, and via which links or search terms visitors arrive at our Website. We use Matomo in two variants: a cookieless base variant and an extended variant with cookies (see Section 10). Your IP address is captured only in truncated form, so that it cannot be attributed to your person (so-called IP masking). The collected data is transferred to and stored on servers of InnoCraft Ltd. in New Zealand.

16.2 Purpose
Processing is carried out to analyze the use of our Website. The information obtained in this way serves to improve and tailor our online presence to user needs.

16.3 Legal Basis
In the cookieless base variant, processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR in conjunction with Section 25(2) TDDDG). Our legitimate interest lies in the purpose stated above. In the extended variant with cookies, processing is based on consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. This consent is obtained through our cookie consent tool. Such consent is voluntary.

16.4 Retention Period and Revocation of Consent
The retention period and your options for controlling and configuring cookies are described in Section 10. You may revoke the consent you have granted with respect to the extended variant of Matomo at any time with future effect through the settings of the cookie consent tool. You may also object to data processing by Matomo at any time. The analytics data processed and stored by Matomo is automatically deleted by us after 6 months.

16.5 Recipients and Transfers to Third Countries
InnoCraft Ltd. acts on our behalf under a data processing agreement pursuant to Art. 28 GDPR. Processing takes place on servers of InnoCraft Ltd. in New Zealand. New Zealand is subject to an adequacy decision of the European Commission pursuant to Art. 45 GDPR, and accordingly the data transfer to this third country is based on that decision. Further information on data protection at Matomo can be found at https://matomo.org/privacy-policy/.

17. Blog / myspotlight

17.1 Description of Processing
Our blog is operated on the basis of WordPress software and is technically provided and managed by MOLENO Consulting UG (haftungsbeschränkt), Schiefbahner Str. 10, 41564 Kaarst, Germany (hereinafter "myspotlight"). When you access our blog, personal data — in particular your IP address and technical access data such as the date and time of the request, browser type and version, operating system, and the URL accessed — is automatically processed and stored in server log files. For the operation of the blog infrastructure, myspotlight in turn uses the hosting services of WordPress.com (Aut O'Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland). Further information on data protection at myspotlight can be found at https://www.myticket.de/de/myspotlight/datenschutz/ .

17.2 Purpose
Processing is carried out to technically deliver the content of our blog and to ensure the security and stability of our Website operations.

17.3 Legal Basis
Processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) GDPR). Our legitimate interest lies in the aforementioned purpose, namely the technically sound delivery and secure operation of our blog.

17.4 Retention Period
Access data stored in server log files is deleted after no more than 30 days, unless extended retention is required for security analysis or law enforcement purposes.

17.5 Recipients and Transfers to Third Countries
myspotlight acts on our behalf under a data processing agreement pursuant to Art. 28 GDPR. As a sub-processor, myspotlight uses WordPress.com (Aut O'Mattic A8C Ireland Ltd.). In the course of operating WordPress.com, personal data may be transferred to the United States. Aut O'Mattic A8C Ireland Ltd. is certified under the EU-US Data Privacy Framework, and accordingly the transfer to the United States is based on the adequacy decision of the EU Commission of July 10, 2023, pursuant to Art. 45 GDPR. Further information on data protection at WordPress.com can be found at https://automattic.com/privacy/.

SECURITY MEASURES

18. Security Measures

To protect your personal data from unauthorized access, we have secured our Website with an SSL/TLS certificate. SSL stands for "Secure Sockets Layer" and TLS for "Transport Layer Security"; both encrypt the communication of data between a website and the user's device. You can recognize an active SSL/TLS encryption by a small lock icon displayed on the far left of your browser's address bar.