Privacy Policy
Careloop GmbH
Privacy Policy
Please note that the following texts are translated from German to English. In case of inconsistencies the German original version has priority.
The protection of your privacy is of particular importance to us.
Careloop GmbH (limited liabilty), Invalidenstr. 161, 10115 Berlin, Germany, e-mail: info@careloop.io (see also imprint), hereinafter referred to as “Careloop ” or “we”, as operator of the website www.careloop.io, is responsible for the use of the personal data of the users of the website in accordance with Art. 4 para. 7 EU Data Protection Basic Regulation (DS-GVO). Our data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, which can be contacted by email at datenschutz@heydata.eu.
It is important to us that you know at all times when we store your personal data and how we use it. We collect, process and use your personal data in accordance with the applicable European and German data protection regulations.
1. General
In the following, we provide information about the processing of personal data when using our social media profiles and our services:
- careloop.io
- klett-talentakademie.de
- app.careloop.de
- careloopacademy.de
Personal data is all data that can be related to a specific natural person, e.g. their name or IP address.
1.1. Contact information
The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Careloop GmbH, Invalidenstraße 161, 10115 Berlin, Germany, e-mail: info@careloop.io. We are legally represented by Alexander Lundberg and Matti Fischer.
Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany, e-mail: datenschutz@heydata.eu.
1.2 Scope of data processing, processing purposes and legal bases
The scope of data processing, processing purposes and legal bases are explained in detail below. The following legal bases for data processing can generally be considered:
- Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.
- Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. if a site visitor purchases a product from us or we perform a service for them. This legal basis also applies to processing that is necessary for pre-contractual measures, for example in the case of inquiries about our products or services.
- Art. 6 para. 1 sentence 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case in tax law, for example.
- Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis if we can rely on legitimate interests to process personal data, e.g. for cookies that are required for the technical operation of our website.
1.3 Data processing outside the EEA
Insofar as we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the EU Commission pursuant to Art. 45 para. 3 GDPR guarantee the security of the data during transfer, insofar as these are available, as is the case, for example, for the UK, Canada and Israel.
In the case of data transfer to service providers in the USA, the legal basis for data transfer is an adequacy decision by the EU Commission if the service provider is also certified under the EU-US Data Privacy Framework.
In other cases (e.g. if there is no adequacy decision), the legal basis for data transfer is usually standard contractual clauses, i.e. unless we indicate otherwise. These are a set of rules adopted by the EU Commission and form part of the contract with the respective third party. According to Art. 46 para. 2 lit. b GDPR, they guarantee the security of data transfer. Many of the providers have provided contractual guarantees that go beyond the standard contractual clauses and protect the data beyond the standard contractual clauses. These are, for example, guarantees regarding the encryption of the data or regarding the obligation of the third party to inform the data subject if law enforcement agencies wish to access data.
1.4. Storation period
Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that we must retain for commercial or tax law reasons.
1.5 Rights of the data subjects
Data subjects have the following rights regarding their personal data held by us:
- Right of access,
- Right to rectification or erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability,
- Right to revoke consent at any time.
Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. Contact details of the data protection supervisory authorities can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
1.6 Obligation to provide data
In the context of a business relationship or other relationship, customers, interested parties or third parties must only provide us with the personal data that is necessary for the establishment, execution and termination of the business relationship or for the other relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or provide a service or will no longer be able to perform an existing contract or other relationship.
Mandatory information is marked as such.
1.7 No automated decision-making in individual cases
As a rule, we do not use fully automated decision-making in accordance with Article 22 of the GDPR for the establishment and execution of a business relationship or other types of relationships. Should we use such procedures in individual cases, we will provide separate information about this, provided it is legally required.
1.8. Contacting us
When contacting us, e.g., via email or phone, the data provided to us (e.g., names and email addresses) will be stored by us to answer inquiries. The legal basis for processing is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in responding to inquiries addressed to us. We delete the data collected in this context once storage is no longer necessary or restrict processing if legal retention obligations exist.
1.9. Customer Surveys
From time to time, we conduct customer surveys to better understand our customers and their preferences. In this process, we collect the requested data. It is in our legitimate interest to better understand our customers and their needs, making the legal basis for the associated data processing Art. 6 para. 1 sentence 1 lit. f GDPR. We delete the data once the survey results have been evaluated.
1.10. Cookie Notice
Our services store information on the end devices of website visitors (e.g., cookies) or access information already stored on the end devices (e.g., IP addresses). Details about the specific information can be found in the following sections.
This storage and access are based on the following provisions:
- To the extent that this storage or access is strictly necessary for us to provide the service expressly requested by website visitors (e.g., for the operation of a chatbot used by the website visitor or to ensure the IT security of our website), it is carried out based on Section 25 para. 2 no. 2 of the Telecommunications-Telemedia Data Protection Act (TTDSG).
- Otherwise, this storage or access is based on the consent of the website visitors (§ 25 para. 1 TTDSG).
- The subsequent data processing is carried out in accordance with the following sections and based on the provisions of the GDPR.
1.11. Informational Use of the Services
When using the services for informational purposes, i.e., when site visitors do not transmit specific information to us, we collect the personal data that the browser sends to our server to ensure the stability and security of our services. This constitutes our legitimate interest, making the legal basis Art. 6 para. 1 sentence 1 lit. f GDPR.
These data are:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request originates
- Browser
- Operating system and its interface
- Language and version of the browser software.
These data are also stored in log files. They are deleted when their storage is no longer necessary, at the latest after 14 days.
1.12. Job Advertisements
We publish job advertisements on our website, on pages linked to the website, or on third-party websites.
The processing of the data provided as part of the application is carried out for the purpose of conducting the application process. To the extent that this data is necessary for our decision to establish an employment relationship, the legal basis is Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 BDSG. The data required for conducting the application process is marked accordingly or pointed out by us. If applicants do not provide this data, we cannot process the application.
Additional data is voluntary and not required for an application. If applicants provide further information, the basis is their consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
We ask applicants to refrain from including information on political opinions, religious beliefs, and similarly sensitive data in their CV and cover letter, as these are not required for an application. If applicants nonetheless provide such information, we cannot prevent its processing as part of the CV or cover letter. Its processing will then also be based on the consent of the applicants (Art. 9 para. 2 lit. a GDPR).
Finally, we process the data of applicants for further application processes if they have given us their consent to do so. In this case, the legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.
We share the data of applicants with the responsible employees in the HR department, our processors in the recruiting area, and other employees involved in the application process.
If, following the application process, we enter into an employment relationship with the applicant, we will only delete the data after the employment relationship has ended. Otherwise, we delete the data no later than six months after rejecting an applicant.
If applicants have given us their consent to use their data for further application processes, we will only delete their data one year after receiving the application.
2. Updates
We reserve the right to inform customers who have already used our services or purchased goods from us about updates from time to time via email or other means, provided they have not objected to this. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in direct advertising (Recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time without additional costs, for example, via the link at the end of each email or by sending an email to our aforementioned email address.
Interested parties have the option to subscribe to a free newsletter. We process the data provided during registration exclusively for the purpose of sending the newsletter. Registration is carried out by selecting the corresponding field on our website, checking the appropriate box on a paper document, or through another clear action by which interested parties express their consent to the processing of their data, making the legal basis Art. 6 para. 1 sentence 1 lit. a GDPR. Consent can be revoked at any time, e.g., by clicking the corresponding link in the newsletter or notifying us via our email address mentioned above. The processing of data up to the point of revocation remains lawful even in the event of a revocation.
Based on the consent of the recipients (Art. 6 para. 1 sentence 1 lit. a GDPR), we also measure the open and click rates of our newsletters to understand which content is relevant to our recipients.
We send newsletters using the HubSpot tool provided by HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes content, usage, meta/communication data, and contact data within the EU. Further information can be found in the provider’s privacy policy at https://legal.hubspot.com/de/privacy-policy.
3. careloop.io & klett-talentakademie.de
3.1. Web Hosting and Provision of the Websites
The websites are hosted by webgo. The provider is webgo GmbH, Heidenkampsweg 81, 20097 Hamburg. The provider processes the personal data transmitted via the website, such as content, usage, meta/communication data, or contact data, within the EU. Further information can be found in the provider’s privacy policy at https://www.webgo.de/datenschutz/.
It is in our legitimate interest to provide the websites, making the legal basis for the described data processing Art. 6 para. 1 sentence 1 lit. f GDPR.
We use a Content Delivery Network (CDN) to help provide our website. The provider for careloop.io is Elementor LTD., Tuval St 40, Ramat Gan, Israel, and the provider for careloop.academy is Webflow, Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA. The provider processes the personal data transmitted via the website, such as content, usage, meta/communication data, or contact data. It is in our legitimate interest to provide the websites, making the legal basis for the data processing Art. 6 para. 1 sentence 1 lit. f GDPR.
3.2. Contact Form
When contacting us via the contact form on our website, we store the data requested there and the content of the message.
The legal basis for the processing is our legitimate interest in responding to inquiries addressed to us. Therefore, the legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
We delete the data collected in this context once storage is no longer necessary or restrict processing if legal retention obligations exist.
3.3. Careloop Account
Employers, partners, and candidates can open an account with us.
Information on the processing of candidate data can be found here. Further information for partners and employers is available under section 4.3.
3.4. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files that are stored in the web browser on the device of a website visitor. Cookies help make the service more user-friendly, efficient, and secure. To the extent that these cookies are necessary for the operation of our website or its functions (hereinafter referred to as “Technically Necessary Cookies”), the legal basis for the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing a functional website to customers and other website visitors.
Specifically, we use technically necessary cookies for the following purpose:
- Cookies that store login data
3.5. Third Parties
3.5.1. HubSpot
We use HubSpot for communication management and storage. The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes usage data (e.g., visited websites, interest in content, access times), content data (e.g., entries in online forms), and meta/communication data (e.g., device information, IP addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in managing data in an easy and cost-effective way.
The data will be deleted once the purpose of their collection no longer applies and no retention obligations are in place. Further information can be found in the provider’s privacy policy at https://legal.hubspot.com/privacy-policy.
3.5.2. Google Ads
We use Google Ads for advertising purposes. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g., visited websites, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing is based on consent. Affected individuals can withdraw their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the point of withdrawal.
The transfer of personal data to a country outside the EEA is carried out on the legal basis of an adequacy decision. The security of the data transferred to the third country (i.e., a country outside the EEA) is ensured because the European Commission has decided, in an adequacy decision under Art. 45 para. 3 GDPR, that the third country provides an adequate level of protection.
We delete the data once the purpose of their collection no longer applies. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
3.5.3. Google Analytics
We use Google Analytics for analysis purposes. The provider is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The provider processes usage data (e.g., visited websites, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing is based on consent. Affected individuals can withdraw their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the point of withdrawal.
The transfer of personal data to a country outside the EEA is carried out on the legal basis of an adequacy decision. The security of the data transferred to the third country (i.e., a country outside the EEA) is ensured because the European Commission has decided, in an adequacy decision under Art. 45 para. 3 GDPR, that the third country provides an adequate level of protection.
The data will be deleted once the purpose of their collection no longer applies and no retention obligation exists. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
3.5.4. Facebook Conversion API
We use Facebook Conversion API for analysis purposes. The provider is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g., visited websites, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) in the USA.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a GDPR. The processing is based on consent. Affected individuals can withdraw their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The withdrawal does not affect the lawfulness of the processing up to the point of withdrawal.
The transfer of personal data to a country outside the EEA is carried out on the legal basis of an adequacy decision. The security of the data transferred to the third country (i.e., a country outside the EEA) is ensured because the European Commission has decided, in an adequacy decision under Art. 45 para. 3 GDPR, that the third country provides an adequate level of protection.
The data will be deleted once the purpose of their collection no longer applies and no retention obligation exists. Further information can be found in the provider’s privacy policy at https://www.facebook.com/policy.php.
3.5.5. heyData
We have embedded a privacy seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g., IP addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seal, which is why a mere image copy of the certificate is not a viable alternative to confirmation.
The data is anonymized after collection so that no personal reference remains. Further information can be found in the provider’s privacy policy at https://heydata.eu/datenschutzerklaerung.
4. app.careloop.de & klett-talentakademie.de
4.1. Web Hosting and Provision of the Websites
The app.careloop.de is hosted by:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland
- Vercel Inc., 340 S Lemon Ave Unit 4133 Walnut, CA, USA
- Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, Singapore
- HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA.
The klett-talentakademie.de is hosted by MOOCit. The provider is MOOCit SAS, 97 allée Maurice Ravel 45160 Olivet, France. The providers process the personal data transmitted via the website, such as content, usage, meta/communication data, or contact data. It is in our legitimate interest to provide our services, making the legal basis for the data processing Art. 6 para. 1 sentence 1 lit. f GDPR.
The legal basis for the transfer to a country outside the EEA is an adequacy decision and standard contractual clauses. With an adequacy decision, the European Commission decides that the security of the data transferred to a third country (i.e., a country outside the EEA) is ensured.
4.2. Booking of Appointments
Website visitors can book appointments with us on our website. In addition to the data entered, we process meta or communication data. We have a legitimate interest in offering potential clients a user-friendly option for scheduling appointments. Therefore, the legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If we use a third-party tool for scheduling, the information regarding this can be found under “Third Parties.”
4.3. Careloop Account
Employers, partners, and candidates can open an account with us. Website visitors can create an account on our website. Detailed information for candidates can be found here.
The following information applies to employer and partner users. We process the data requested in this context based on the contract concluded with the user in order to provide our services or due to our legitimate interest in fulfilling the contract with the employer. Therefore, the legal basis for processing is Art. 6 para. 1 sentence 1 lit. b or f GDPR.
The following describes the categories of data processed.
Partner Data:
- Company Data: Information about the partner company, role, and recruitment successes
- Recruitment Results: Data on the number of candidates placed and their status
- Financial Data
- Communication
Employer Data:
- Company Data: Information about the employer and its contacts
- Recruitment Process: Data on placed candidates, contracts, and terminations
- Financial Information: Revenue and booked services
- Immigration Services: Booked immigration and integration measures
- Communication
To the extent necessary for our services, personal data may be shared with third parties (candidates, authorities, etc.).
4.4. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files that are stored in the web browser on a website visitor’s device. Cookies help make the service more user-friendly, effective, and secure. To the extent that these cookies are necessary for the operation of our website or its functions (hereinafter “Technically Necessary Cookies”), the legal basis for the associated data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing customers and other website visitors with a functional website.
Specifically, we use technically necessary cookies for the following purpose(s):
- Cookies that store login data
4.5. Third Parties
4.5.1. Auth0
We use Auth0 for managing authentications. The provider is Okta, Inc., 100 First Street, San Francisco, California 94105, USA. The provider processes contact data (e.g., email addresses, phone numbers), meta/communication data (e.g., device information, IP addresses), and master data (e.g., names, addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in properly authenticating users of our applications.
We delete the data once the purpose of their collection no longer applies. Further information can be found in the provider’s privacy policy at https://auth0.com/privacy.
4.5.2. HubSpot
We use HubSpot for lead generation, marketing automation, and analysis. The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes usage data (e.g., visited websites, interest in content, access times), content data (e.g., entries in online forms), and meta/communication data (e.g., device information, IP addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in managing data in a simple and cost-effective manner.
The data will be deleted once the purpose of their collection no longer applies and no retention obligations exist. Further information can be found in the provider’s privacy policy at https://legal.hubspot.com/privacy-policy.
4.5.3. heyData
We have embedded a privacy seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g., IP addresses) within the EU.
The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use its seal, which is why a mere image copy of the certificate is not a viable alternative to confirmation.
The data will be anonymized after collection so that no personal reference remains. Further information can be found in the provider’s privacy policy at https://heydata.eu/datenschutzerklaerung.
5. Data Processing on Social Media Platforms
We are represented on social media networks to present our organization and our services. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles based on online behavior, which are then used to display advertisements on the network pages and elsewhere on the internet that align with the interests of the users. To do this, the network operators store information about user behavior in cookies on the users’ devices. It is also possible that the operators combine this information with additional data. Further information, as well as instructions on how users can object to the processing by the operators, can be found in the privacy policies of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries, which means that data is processed there. This may pose risks for users, such as making it more difficult to enforce their rights or allowing government authorities to access their data.
If users of the networks contact us via our profiles, we process the data provided to respond to the inquiries. This constitutes our legitimate interest, making the legal basis for processing Art. 6 para. 1 sentence 1 lit. f GDPR.
5.1. Facebook
We maintain a profile on Facebook. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. An option to object to the data processing can be found through the ad settings: https://www.facebook.com/settings?tab=ads.
Based on an agreement, we are jointly responsible for the processing of the data of the visitors to our profile with Facebook according to Art. 26 GDPR. The exact data processed is explained by Facebook at https://www.facebook.com/legal/terms/information_about_page_insights_data. Affected individuals can exercise their rights both with us and with Facebook. However, according to our agreement with Facebook, we are obligated to forward requests to Facebook. Affected individuals will therefore receive a faster response if they contact Facebook directly.
5.2. Instagram
We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: help.instagram.com/.
5.3. YouTube
We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The privacy policy is available here: https://policies.google.com/privacy?hl=en.
5.4. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=en_US. An option to object to the data processing can be found through the ad settings: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
5.5. Xing
We maintain a profile on Xing. The operator is New Work SE, Dammtorstraße 29-32, 20354 Hamburg. The privacy policy is available here: https://privacy.xing.com/en/privacy-policy.
6. Changes to this Privacy Policy
We reserve the right to amend this privacy policy with future effect. The current version is always available here.
7. Questions and Comments
For questions or comments regarding this privacy policy, we are happy to assist you using the contact details provided above.
Adjust Cookie Settings
You can change your cookie settings here.