Privacy Policy

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is any data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

I. Note on the responsible body

The controller responsible for data processing on this website is

vostel volunteering UG (haftungsbeschränkt)
Elsenstraße 82
12059 Berlin

Phone:
E-mail:

If you have any questions about data protection, you can contact us at any time using the contact details provided.

II. Data collection on our website

1. How do we collect your data?

On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter in a contact form.

Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter our website.

2. Legal basis

2.1 Consent

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent.

Any consent given can be revoked at any time with effect for the future.

Please note that the cancellation is only effective for the future. Processing that took place before the cancellation is not affected.

For a cancellation, please use the contact details given in Section I.

2.2 Performance of the contract, Art. 6 para. 1 sentence 1 lit. b GDPR

We also process your data for the fulfilment of our contractual obligations towards you or insofar as this is necessary for the implementation of pre-contractual measures that are carried out at your request.

2.3 Balancing of interests, Art. 6 para. 1 sentence 1 lit. f GDPR

Where necessary and permissible, we also process your data to protect our legitimate interests or those of third parties. Examples of this are

  • Assertion of legal claims and defence in legal disputes;
  • Guarantee of IT security;
  • Prevention and investigation of criminal offences;
  • Measures for business management and the further development of services and products.

2.4 Legal requirements, Art. 6 para. 1 sentence 1 lit. c GDPR or public interest, Art. 6 para. 1 sentence 1 lit. e GDPR

If we are legally obliged to process your data, processing will also take place on this basis. This may, for example, involve obligations to provide evidence to the tax office or other authorities.

3. Who receives my data?

Your personal data will not be transferred to third parties for purposes other than those listed in this privacy policy.

For the provision of this website and to fulfil other processing purposes mentioned in this privacy policy, your data will be passed on to technical service providers (e.g. hosting service providers, support, quality assurance or mail services), which we have of course carefully selected and commissioned in accordance with the law. These service providers are bound by our instructions, act on our behalf and are regularly monitored by us.

Unless otherwise stipulated in this privacy policy or unless we are legally obliged to do so, we will only transfer your personal data to third parties if you have given us your prior consent to do so.

4. Purpose of the processing

4.1 Visiting this website

If you use our website for information purposes only, we only collect and use the data that your Internet browser automatically transmits to us for the purpose of system security of temporary connection data by means of so-called log files. This data includes

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This information may also include details about your use of this website, including:

  • Clicks
  • Internal links
  • Visited pages
  • Scroll
  • Search processes
  • Timestamp

We do not use the above data to draw conclusions about your user behaviour or for other personal evaluations.

This data is not merged with other data sources.

On the basis of Art. 6 para. 1 sentence 1 lit. f. GDPR, we use the above data solely for the purpose of enabling you to access our websites and their content and to improve our website offering.

4.2 Registration on this website

You can register on our website in order to use additional functions on the site. We will only use the data you enter for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise we will refuse your registration.

In the event of important changes, for example to the scope of the offer or technically necessary changes, we will use the e-mail address provided during registration to inform you in this way.

The processing of the data entered during registration is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time. All you need to do is send us an informal email. The legality of the data processing that has already taken place remains unaffected by the cancellation.

The data collected during registration will be stored by us for as long as you are registered on our website and will then be deleted. Statutory retention periods remain unaffected.

4.3 Processing of data (customer and contract data)

We collect, process and use personal data voluntarily provided by you when you contact us (e.g. name and your email address) only insofar as it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data about the use of our website (usage data) only insofar as this is necessary to enable the user to utilise the service or to bill the user.

The customer data collected will be deleted after completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

4.4 Cookies

We use so-called cookies on our website. Cookies are small text files that are sent from our web server to your browser when you visit our website and are stored on your end device for later retrieval. When you return to our websites, the information stored on your device is sent back to us. This exchange of information serves to make our website more user-friendly and effective for you.

We use the following cookies that do not require consent:

Name Duration Purpose
_vostel_session Until the end of the browser session Session cookie, stores your login status and other data required for the vostel application to function.
remember_user_token 1 year after creation Cookie that enables the "Stay logged in" function, i.e. login beyond browser sessions.
website_tracking until 31 Dec 9999 23:59:59 GMT Saves the information as to whether the user has consented to the setting of cookies requiring consent.
load_maps until 31 Dec 9999 23:59:59 GMT Saves the information whether the user has consented to the use of Google Maps.
hide_maintenance_message 24 hours after creation If a maintenance message is set on vostel.de, the user has the option of closing the message. This cookie is set so that the message is not displayed again the next time the page is reloaded.
_GRECAPTCHA 6 months after creation Risk analysis to avoid automated form entries.

These cookies are essential for the website to function and therefore do not require consent.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested are stored on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the storage of cookies for the technically error-free and optimised provision of our services. Insofar as other cookies (e.g. cookies for analysing your surfing behaviour) are stored, these are treated separately in this privacy policy.

4.5 Third-party services

With the third-party services listed below and used by us, we want to ensure a user-friendly and secure use of our website. The respective purposes of processing and categories of personal data are described below in connection with the corresponding third-party services:

a) Google reCAPTCHA

We integrate the function for recognising bots, e.g. for entries in online forms ("reCAPTCHA") of Google Ireland Ltd (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and other affiliated companies of Google.

The purpose of reCAPTCHA is to check whether data is entered on our websites (e.g. in a contact form) by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to Google and may also be shared with other third parties.

Website visitors are informed in the appropriate places when a reCAPTCHA analysis takes place.

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. If a corresponding consent has been requested, is processed exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR; the consent can be revoked at any time.

Here you can find more information about Google reCAPTCHA and Google's privacy policy.

b) Google Maps

We integrate the maps of the "Google Maps" service of Google Ireland Ltd (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and other affiliated companies of Google LLC. We use Google Maps to show you the locations of our volunteering offers. A transfer of data to a third country cannot be ruled out. To use the Google Maps function, a connection to Google's servers is established. This gives Google knowledge that our service has been accessed via the user's IP address. This information is usually transferred from your browser to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer.

Further information on the handling of user data can be found in Google's privacy policy.

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in an appealing presentation of our online offers and in making it easy to find the places we have indicated on the website. If a corresponding consent has been requested, the use of Google Maps is based on Art. 6 para. 1 sentence 1 lit. a GDPR.

You have not yet given your consent to the use of Google Maps. You can do this at any time via the consent mask of any Google Maps map on vostel.de.

c) Google Places API Web Service

We use the Google Places API web service and the automatic address completion of Google Ireland Ltd (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA as well as other affiliated companies of Google LLC.

In order for us to receive this information from Google, the IP address and the content entered by the user is transmitted to Google. A connection to Google's servers is established for this purpose. As a result, Google becomes aware that our service has been accessed via the user's IP address. Google is used in the interest of simplifying the completion of input fields when entering addresses in our online offering. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR; the consent can be revoked at any time.

Further information on Google Places Api Web Services can be found in Google's privacy policy.

d) Mailjet

We use the provider Mailjet for sending emails, such as for the registration process, sign up and appointment confirmations, password recovery, but also for appointment reminders and feedback requests. The provider is Mailjet SAS, 13-13 bis, Rue de l'Aubrac - 75012 Paris, France or Mailgun Technologies Inc, 112 E Pecan Sr #1135, San Antonio, Texas 78205, USA. Mailjet is a service that can be used to organise and analyse the sending of e-mails. The data you enter for the purpose of receiving e-mails is stored on Mailjet's servers.

Our emails sent with Mailjet enable us to analyse the behaviour of email recipients. Among other things, we can analyse how many recipients have opened the message and how often which link in the message was clicked on. With the help of conversion tracking, we can also analyse whether a predefined action has taken place after clicking on the link in the emails.

Mailjet also allows us to divide email recipients into different categories ("segmentation") based on the data provided during registration. In this way, the emails can be better customised to the respective target groups.

If the e-mail is used to process and respond to a specific enquiry (e.g. confirmation of registration, sign up for a specific volunteering activity, password recovery), the data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR for the execution and/or preparation of the contractual or platform usage relationship that exists with you expressly or impliedly. In addition, the processing is based on Art. 6 para. 1 sentence 1 lit f GDPR: We have a legitimate interest in processing and responding to your enquiries. If you give us your consent, the data processing is otherwise based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

If data is transferred to the USA, this is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.mailjet.com/legal/dpa/.

The data you provide us with for the purpose of receiving emails will be stored by us until you unsubscribe and will be deleted from both our servers and Mailjet's servers after you unsubscribe. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.

For more information, please refer to Mailjet's information on "Security and privacy" and Mailjet's privacy policy.

e) Amazon Web Services

We use the Amazon Web Services ("AWS") service of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg or Amazon Web Services, Inc, P.O. Box 81226, Seattle, WA 98108-1226, USA (hereinafter "AWS").

The data is stored exclusively in a German data centre (Frankfurt/Main), which is certified in accordance with ISO 27001, 27017 and 2018 as well as PCI DSS Level 1. Of course, we have strictly limited access rights and the data is automatically encrypted. You can find more information about AWS and data protection at https://aws.amazon.com/compliance/eu-data-protection sowie unter https://aws.amazon.com/privacy/.

When you visit our website, your personal data is processed on the servers of AWS. Personal data may also be transferred to the parent company of AWS in the USA. Amazon.com, Inc. and certain US subsidiaries it controls, the Amazon Group Companies, as well as Amazon Web Services, Inc (together the Amazon Group Companies) participate in the EU-US Data Privacy Framework for the collection, use and storage of personal information from European Union member states. The Amazon Group Companies have certified to the U.S. Department of Commerce that they adhere to the Data Privacy Framework Principles.

For further information, please refer to the website of the Data Privacy Framework and the AWS privacy policy.

The use of AWS is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. In the event that personal data is transferred to the Amazon Group companies based in the USA, this is done in accordance with the adequacy decision issued by the EU Commission on the basis of Art. 45 GDPR, as Amazon.com, Inc. is certified under the Data Privacy Framework.

f) MailChimp

If this has been agreed with vostel volunteering UG, this website uses the services of MailChimp to send newsletters.

MailChimp is a service that can be used to organise and analyse the sending of newsletters, among other things. If you enter data for the purpose of subscribing to the newsletter (e.g. email address), this data is stored on MailChimp's servers in the USA.

With the help of MailChimp, we can analyse our newsletter campaigns. When you open an email sent with MailChimp, a file contained in the email (known as a web beacon) connects to MailChimp's servers in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g. time of access, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.

If you do not wish to be analysed by MailChimp, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

The data processing takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the cancellation.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the MailChimp servers after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.

You can find more details in MailChimp's privacy policy.

In the event that personal data is transferred to Rocket Science Group LLC, based in the USA, this is done in accordance with the adequacy decision issued by the EU Commission on the basis of Art. 45 GDPR, as Rocket Science Group LLC is certified under the Data Privacy Framework. In addition, we have concluded a so-called "Data Processing Agreement" with MailChimp, which corresponds to the standard contractual clauses, in which we oblige MailChimp to protect our customers' data and not to pass it on to third parties. This agreement can be viewed at the following link: https://mailchimp.com/legal/data-processing-addendum/.

g) HaveIBeenPwned.com

We use the API of HaveIBeenPwned.com (HIBP) to check your anonymised data for possible data leaks. HIBP is operated by Superlative Enterprises Pty Ltd, a public limited company incorporated in the State of Queensland, Australia (ABN 62 085 442 020). HIBP's services are hosted in the West US Microsoft Azure data centre. The service provides us with an overview of possible unauthorised processing of personal data by third parties. It is not possible for us to view the data stored there. The data is stored anonymised, in particular without names or identification. The data transmitted by us, on the other hand, is not stored. Only the result of our search (true/false) is transmitted to us, but using SSL encryption.

The data processing is carried out as a pre-contractual measure or for the fulfilment of the contract concluded with you on the basis of Art. 6 para. 1 lit. b GDPR.

Here you will find further information on data protection and the use of data by HIBP.

III. Is data transferred to a third country or to an international organisation?

Data will only be transferred to third countries (countries outside the European Economic Area - EEA), except in the cases expressly mentioned in this privacy policy, if you have given us your consent. If such data transfer to third countries that do not have an adequate level of data protection is carried out by our processors and if your consent has not been obtained for this, this is done exclusively on the basis of the EU standard contractual clauses concluded between us and our processors in accordance with Art. 46 para. 2 lit c. GDPR and, if necessary, supplemented by additionally required clauses. GDPR and, if necessary, supplemented by additional necessary security measures ("safeguards") to protect your personal data. The EU Commission's standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en at any time. In addition, data is transferred to third countries on the basis of Art. 45 GDPR, provided that the EU Commission has issued a corresponding adequacy decision and the data processor complies with its requirements.

IV. How long will my personal data be stored?

We will retain your personal data for as long as necessary to fulfil the processing purposes set out in this Privacy Policy.

Specific information in this privacy policy or legal requirements for the retention and deletion of personal data, in particular those that we must retain for tax reasons, remain unaffected.

V. What precautions do we take with regard to data security?

We have taken reasonable precautions to protect the personal data collected from loss, misuse, unauthorised access, disclosure, alteration or destruction, which includes contractual, administrative, physical and technical measures.

However, no data transmission over the Internet, particularly by e-mail, or any other network can be guaranteed to be 100% secure. Therefore, while we endeavour to protect information transmitted via this website, we cannot guarantee the security of such information. Data transmission is therefore at your own risk.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as login credentials. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

VI. What rights do you have with regard to your data?

1. Right to information

You have the right to request information from us at any time about the personal data concerning you that we process within the scope of Art. 15 GDPR. To do so, you can send a request by post or by email to the contact details given in Section I above.

2. Right to rectification of inaccurate data

You have the right to demand that we correct your personal data immediately if it is incorrect. To do so, please contact us using the contact details provided in section I above.

3. Right to cancellation

You have the right to demand that we erase the personal data concerning you under the conditions described in Art. 17 GDPR. In particular, these conditions provide for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject. To assert your right to erasure, please contact us using the contact details provided in Section I above.

4. Right to restriction of processing

You have the right to demand that we restrict processing in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the personal data is disputed between the user and us, for the period required to verify the accuracy and in the event that the user requests restricted processing instead of erasure in the event of an existing right to erasure; furthermore, in the event that the data is no longer required for the purposes pursued by us, but the user requires it for the assertion, exercise or defence of legal claims and if the successful exercise of an objection is still disputed between us and the user. To assert your right to restriction of processing, please contact us using the contact details provided in Section I above.

5. Right to data portability

You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR. To assert your right to data portability, please contact us using the contact details provided in Section I above.

6. Information about your right to object in accordance with Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1), including profiling based on those provisions.

Furthermore, you can object to the processing of your personal data for the purpose of direct marketing at any time - without giving reasons. This also applies to profiling insofar as it is associated with such direct marketing.

To exercise your right to object, please use the contact details listed in section 1.

7. Right of appeal

You also have the right to lodge a complaint with a supervisory authority.

VII. Do I have an obligation to provide data?

As part of our business relationship, you only need to provide the personal data that is required for the establishment, execution and termination of a business relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to fulfil an existing contract and may have to terminate it.

Furthermore, it is necessary for us to request additional data in order to provide chargeable services and, for example, to process your desired payment method.

However, subject to the above, you are generally free to provide personal data.

VIII. To what extent is there automated decision-making in individual cases?

Automated decision-making processes based on personal data do not take place.

IX. Links to other websites

Where links are provided to other websites, we have neither influence nor control over the linked content and the data protection provisions there. When accessing linked websites, we recommend checking the data protection declarations of these websites in order to determine whether and to what extent personal data is collected, processed, utilised or made accessible to third parties.

X. Up-to-dateness and amendment of this privacy policy

This privacy policy is currently valid and was last updated in February 2024.

Due to the further development of our website and offers on it or due to changed legal or official requirements, it may become necessary to change this data protection declaration. The current privacy policy can be viewed at any time on the website at https://www.zalando.vostel.de/en/data_privacy.