- Responsibility for Data Protection
Responsibility for data protection lies with Prolinx GmbH (referred to in the following as “we”), based in Brehmstr. 56, 40239 in Germany. We act with regard to data protection according to the General Data Protection Regulation of the EU. Supervisory authority is the NRW State Office for Data Protection:
- Purpose of Data Processing
We offer a variety of services and marketing services. When offering our services, it is likely that we will perform data processing to fulfil the contract with you or to fulfil our legal obligations. It may also happen that we carry out data processing in order to improve our services – in the case that your consent is given to us – otherwise data processing with this purpose will not be carried out.
- Basic Principles of Data Processing
We carry out data processing only when we:
4.1. have contracted with you and the data processing is partly or fully necessary for us to fulfil the obligations arising from the contract with you;
4.2. are required by law to perform data processing in whole or in part;
4.3. obtain consent from you that we recognize and which authorizes or obliges us to perform data processing in whole or in part.
When you visit our website, your data will be recorded during the ongoing connection for communication between your internet browser and our web server:
- Date and time of request
- Name of requested file
- Page from which file was requested
- Access status (file transfer, file not found, etc)
- Web browser and operating system
- Full IP address of requesting computer
- Transferred amount of data
For technical and security reasons, we temporarily store data. An identification of one individual person is not possible using this data.
Collection of Additional Data
If you do not use the contact form on our website, there will be no further data collection. If you use the contact form on our website or contact us by e-mail, we will collect, process and use the personal information you provide in your request for the purpose of processing your request.
Web Tracking Method (Range Measurement)
When you visit our website, we do not use any analysis programs or other techniques for evaluating user behaviour on our website.
Security of Data Transfer
We realize transport encryption with HTTPS with Perfect Forward Secrecy and the current encryption protocol TLS 1.2. The transmission of data you send us using the contact form on our website is also encrypted in terms of content and the decryption of this data can only be carried out by us.
- Data collected by Us
Data we collect from you is divided into the following categories:
6.1. Data that you submit to us.
When creating an Customer Account, we ask you to provide personal information, including e-mail address, telephone number, full name, passport number, date of birth, and a photo of the first page of your passport – some of this data can be specified later, at latest before disbursement of your tax refund. Some of this data is not needed for creating an STF Travel Agent Account. If you use your WeChat (also known conventionally as “Weixin”) account to create an STF Customer Account, we will also collect your WeChat-ID (the identification number of your WeChat account).
For disbursement of your tax refund, we need some payment data in addition to your personal data, including:
- a UnionPay card account number, if you actively instruct us to receive your tax refund to the UnionPay card account number you have provided to us;
- a WeChat Pay account number, if you actively instruct us to receive your tax refund to the WeChat Pay account number you have provided to us;
- a bank account number (the number of a bank account of the Single Euro Payments Area, also known as SEPA) including the full name of the account holder, if you actively instruct us to receive your tax refund to the bank account you have provided to us.
6.2. Data that we collect when you use our services
When using our services, such as our mobile application, we collect the information of the model and identification number of your device and information of the operating system installed on the device.
- Device Information and Log Information
When you use our services via WeChat or our mobile application, we automatically collect the device information and log information, including information about your IP address, information about the hardware and software you use, device event data, unique device identification, crash data, your user behaviour (namely, how you use our services), access data and times, cookie data, and the web pages you accessed or interacted with. Such information is needed to secure the full functionality of our services.
- Local Storage
If you use our services via our mobile application, we will need information about your local storage, such as information about the remaining local storage to secure that the mobile application can be successfully installed or to notify you if local storage is insufficient.
- Location Information
When using our services, such as searching for retailers or navigating to retailers, we automatically collect your location information. If you disagree with this, you can turn off the feature when setting up your mobile device and we cannot offer you the related features in this case.
- Storage of collected Data
We store collected data on a server provided by an external service provider which is located in the territory of the EU and offers high-level security. The service provider has no right to access the stored data.
- Use of collected Data
We use the collected data to achieve the purposes outlined in section 3 above.
- Transfer of collected Data
We will only pass on your data in the following cases:
9.1. We will pass on collected data if you give us your consent. In this case we will carry out the transfer under instructions of your consent;
9.2. We will pass on the collected data in a reasonable scope to courts, law enforcement agencies and other government agencies or authorized third parties if the disclosure is required from an objective point of view for the following purposes:
- to fulfil the legal obligations;
- in response to the claims made against us.
- verification or authentication of your identification documents;
- comparison of data with public databases;
- assistance with background or police checks, fraud prevention and risk assessments;
- product development, maintenance and troubleshooting;
- providing our services through third-party platforms and software tools (for example through integration with our technical interfaces, conventionally referred to as APIs);
- providing customer service and consulting, such as external call center service providers who offer telephone assistance to you;
- providing technical support and methods on making settlement of redeemed purchase coupons, such as external technical development service providers to develop relevant technical functions;
- providing payment services, such as external payment service providers to help us transfer your VAT refund to the UnionPay card account, WeChat-Pay account or SEPA bank account specified by you.
- Your Rights
You may e-mail your request to us to exercise the rights described in this section. Please note that we may ask you to confirm your identity for processing your request. The method described in subsections in the section on exercising your rights remains unaffected.
10.1 Access to your personal data
You can log in to your STF customer account and access your personal data. Please pay additional attention to the following notes on data storage:
- In the case that you haven’t used your STF Customer Account to activate the Tax Free Form which was issued to you within 36 months after its creation, or you haven’t physically sent us the Tax Free Form which was issued to you and signed by you within 36 months after its creation, we will delete the data collected for issuing the Tax Free Form from our databases and servers.
- In the case that we have successfully reimbursed the VAT refund resulting from a Tax Free Form to your STF Customer Account, we will further encrypt the data on your Tax Free Form 12 months after reimbursement. The data will be stored to comply with legal requirements for the necessary period of time.
10.2 Update and correction of your personal data
You have the right to update or correct your personal data. After you have logged in to your STF Customer Account, you can update and correct your personal data. In some cases, the update or the correction will take effect after our confirmation. Please be aware that it is your responsibility to keep your personal data up to date.
10.3 Export of your personal data
You have the right to export the personal data stored by us. In order to export personal data stored by us, you can contact us by e-mail or post. In this case, we will contact you to request a personal identification. Within 30 days of receiving your e-mail or letter and your personal identification, we will provide you with the requested data and confirm your inquiry in written form.
10.4 Deletion of your personal data
You have the right to delete the personal data stored by us. You can delete your personal data by deleting your STF customer account, except for the data which is legally or contractually required to be stored for a certain period of time (e.g. legally required personal data for VAT refund).
10.5. Revocation of consent and restriction of processing
In cases that you have given us your consent to the processing of your personal data, you always have the right to revoke your consent at any time with the effect for the future. In these cases, you can send an e-mail to us.
You also have the right to restrict our use of your personal information if: (i) the validity of your personal information is disputed; (ii) the processing is unlawful; (iii) the personal data is no longer necessary for our processing and you need the personal data for the establishment, exercise or defence of legal claims; or (iv) you object to our processing and it is not yet determined if the legitimate interests of us outweigh your own.
- Data Security
We strive to protect your personal information from unauthorized access, unauthorized alteration, disclosure or destruction. We use the following measures to do this:
- we encrypt the necessary data transaction paths of our services using SSL;
- we always carry out the exporting and deleting of your personal data requested by you only after a successful verification of your personal identity;
- we restrict access to personal information only to employees and contractors who need access to perform the tasks assigned to them, who are subject to strict confidentiality obligations and who may be disciplined or dismissed if they fail to comply with these obligations.