Privacy Policy

Our registered office is located outside the European Union. Pursuant to Article 27 GDPR, we have appointed a member (Data Protection Officer) of our firm who is based in the EU as the contact person and point of contact for supervisory authorities and data subjects for all issues related to processing to ensure compliance with the GDPR Regulation. The designation does not affect the data protection responsibilities of our company or our processors.

Our representative within the European Union can be contacted under dpo@synergy.page

4. Scope and purpose of the processing of personal data

4.1 When visiting this website

4.1.1 Server log files

When you visit our website, data is automatically sent to the server of our website by the Internet browser you are using and stored in a log file for a limited period of time. Until automatic deletion, the following data is stored without further input by the visitor:

• IP address of the visitor's terminal device,
• Date and time of access by the visitor,
• Name and URL of the page accessed by the visitor,
• Website from which the visitor arrives at the website ("referrer URL"),
• Browser and operating system of the visitor's terminal device as well as the name of the access provider used by the visitor.

The processing of this personal data is justified according to Article 6 (1) lit. f GDPR. Our company has a legitimate interest in processing data for the purpose,

• quickly establish the connection to the company's website,
• to enable a user-friendly application of this website,
• To detect and ensure the security and stability of the systems and to facilitate and improve the administration of this website.

The processing is expressly not carried out for the purpose of gaining knowledge about the person of the visitor to this website.

4.1.2 Cookies

So-called cookies are used on our website. These are data packages that are exchanged between the server of a website and the visitor's browser. These are stored by the respective devices used (PC, notebook, tablet, smartphone, etc.) when visiting a website. In this respect, cookies cannot cause any damage to the devices used. They do not contain viruses or other forms of malware. In the cookies, information is stored that arises in each case in connection with the specific end device used. Our company can therefore in no way obtain direct knowledge of the identity of a visitor to our website

Cookies are mostly accepted according to the basic settings of the browsers. The browser settings can be configured in such a way that cookies are either not accepted on the devices used, or that a special notice is given in each case before a new cookie is created.

However, it should be noted that deactivating cookies may mean that not all functions of this website can be used in the best possible way.

The use of cookies serves to make the use of the company's web offer more comfortable. For example, session cookies can be used to track whether the visitor has already visited individual pages of this website. After leaving the website, these session cookies are automatically deleted.

Temporary cookies are used to improve the user experience. They are stored on the visitor's device for a temporary period. When this website is visited again, it is automatically recognized that the visitor has already called up the page at an earlier time and which entries and settings were made at that time, so that these do not have to be repeated.

Cookies are also used to analyze the visits to our website for statistical purposes and for the purpose of improving our offering. These cookies make it possible to automatically recognize new visits to a website or certain contents that may have previously been called up by the visitor. In this case, the cookies are automatically deleted after a specified period of time.

The data processed by cookies is justified for the above-mentioned purposes to protect the legitimate interests of the company pursuant to Article 6 (1) sentence 1 lit. f GDPR.

4.1.3 Contact form on the website

You can send messages to our company via an online contact form on our website. For the processing of your request we need from you

• Your first and last name (to be able to address you),
• an e-mail address (so that we can reply to you by mail) and

Optionally, you may voluntarily provide us with additional information to facilitate the processing of your request. This includes:

• Your phone number to give us the opportunity to call you back
• The name of your company, to be able to assign if you are an employee of an already existing customer
• Your position in the company/your job title, in order to be able to classify which area of the customer company it probably concerns
• An initial description of your request

By sending the message via the contact form, you consent to the processing of the transmitted personal data in accordance with Article 6 (1) a GDPR.

If the contact aims at the conclusion of a contract, the legal basis for the processing is Article 6 (1) lit. b GDPR.

The data processing is carried out exclusively for the purpose of handling and answering inquiries. The collected personal data will be automatically deleted as soon as the request is completed and there is no further legal basis for storage.

4.1.4 Third-party analytics and tools:

4.1.4.1 Use of tracking tools

The first time you visit our website with a new terminal device (and again after clearing the browser cache of this terminal device), you will first be asked in our Consent Manager whether we may only use our own functional cookies (see above), or whether we may additionally use third-party tracking technologies in order to

a) to be able to create statistical evaluations of your user behavior and/or

b) Your user behavior for targeted advertising measures may be tracked by the provider beyond the boundaries of our homepage (for example, via cookies of known social networks).

As a user, you can actively select the appropriate settings for the use of tracking tools. If you agree to the use of tracking tools, further data processing will be based on your consent and thus in accordance with Article 6 (1) a GDPR.

You can revoke your consent at any time with effect for the future by deleting the browser cache of your terminal device and leaving the use of tracking tools inactivated when you request it again.

A more detailed description of the tracking tools used on our website and the associated data processing can be found in the following sections.

4.1.4.2 Google Analytics

We create pseudonymous usage profiles with the help of Google Analytics in order to tailor our website to your needs. Google Analytics uses so-called "cookies" (i.e. text files that are stored on your computer and enable an analysis of your use of this website) and related technologies such as web beacons to identify them properly.

If you agree to the storage and use of your data, you can activate the storage and use with the help of our Consent Manager. The processing of your personal data within the scope of Google Analytics cookies is based on your consent in accordance with Article 6 (1) a GDPR when the function is activated in the Consent Manager.

The information generated by the cookie about your use of our website is usually transmitted to a Google server in the USA and stored there. However, since we have activated IP anonymization on our website, your IP address will be truncated by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area.

Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and only shortened there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage. We use Google Analytics, for example, to evaluate clicks from Google AdWords for purely statistical purposes. Information about the use of data by Google can be found at:

https://support.google.com/analytics/answer/6004245and athttps://www.google.com/policies/privacy/partners/.

You can also prevent the storage of cookies by selecting the appropriate settings on your browser software.

In this case, an opt-out cookie is stored in your browser that prevents Google Analytics from storing usage data. If you delete your cookies, this will have the effect that the Google Analytics opt-out cookie will also be deleted. The opt-out must be reactivated when you visit our site again.

Before giving your consent, please note that your data may be transferred by the provider to third countries and processed there, which do not offer sufficient data protection according to the regulations of the GDPR. You can find more information on this in section 9.3.

4.1.4.3 Google Tag Manager

Our website also contains the Google Tag Manager, another online marketing tool of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: "Google")

The Tag Manager also uses, among other things, cookies that are stored locally in the cache of your web browser on your terminal device.

We have no influence on the scope and further use of the data collected by Google through the use of Google Tag Manager. According to our knowledge, Google receives the information that you have called up the relevant part of our website or clicked on an ad from us.

If you have a user account with Google and are registered, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, there is a possibility that Google learns your IP address, compares it with its own data and stores your user behavior.

You can give your consent to the use of Google Tag Manager by activating the function in our Consent Manager. The legal basis for the processing of your personal data is thus your consent in accordance with Article 6 (1) a GDPR.

We would like to point out that you may not be able to use all the functions of our website to their full extent without your consent.

Preventing cookies from being stored is also possible by setting your web browser to block cookies from the domain "www.googleadservices.com" (https://www.google.com/settings/ads).

We would like to point out that in this case you may not be able to use all functions of our website to their full extent.

You can prevent the installation of cookies by deleting existing cookies and disabling cookie storage in your web browser settings.

We would like to point out that this setting will be deleted when you delete your cookies. In addition, you can deactivate interest-based ads via the link www.aboutads.info/choices. Please note that this setting will also be deleted when you delete your cookies.

Before giving your consent, please note that your data may be transferred by the provider to third countries and processed there, which do not offer sufficient data protection according to the regulations of the GDPR. You can find more information on this in section 9.3.

4.2 When using the Synergy platform

4.2.1 - Registration for the Synergy platform

The use of the Synergy Platform requires the conclusion of a paid SaaS (Software as a Service) contract between you and us, in which we simultaneously enter into an order processing contract with you, which contains appropriate safeguards using the EU standard contractual clauses (as of June 2021), with the help of which personal data of your users can be transferred to the USA. As part of the contractual registration process, Customer will establish an administrative username and password for Customer's corporate account.

The subsequent possible registration of each individual user on the Synergy platform requires the provision of personal data. With the initial registration, a personal customer account is set up.

For this purpose, it is necessary to provide the following personal data:

• Name (first and last),
• Email,
• Other information provided and required by the employer such as employee role, etc.

We temporarily store the transmitted data until you confirm the registration. We use the so-called double opt-in procedure for registration, i.e. your registration is only complete when you have previously registered via an e-mail sent to you for this purpose by confirming the link contained therein.

We process the data collected during registration in order to provide access to and enable you to use the website.

Your data is processed on the basis of Article 6 para. lit. b GDPR for the fulfillment of the contract or (for time-limited test purposes) in the context of pre-contractual measures.

The deletion of your customer account is possible at any time and can be done either by sending an e-mail to us or via a function provided for this purpose. After deletion of your customer account, your data will be restricted for further processing and deleted after expiry of the retention obligations applicable to us.

The legal basis for this further data processing is then our legal obligation within the scope of statutory retention obligations pursuant to Article 6 (1) lit. c GDPR.

4.2.2 Server log files

Server log files are also generated during the operation of the Synergy platform. Until automatic deletion, the following data is stored without further input from the visitor:

• IP address of the visitor's terminal device,
• Date and time of access by the visitor,
• Name and URL of the page accessed by the visitor,
• Website from which the visitor arrives at the website (so-called referrer URL),
• Browser and operating system of the visitor's terminal device as well as the name of the access provider used by the visitor.

The processing of this personal data is justified pursuant to Article 6 (1) sentence 1 lit. f GDPR. Our company has a legitimate interest in processing data for the purpose,

• quickly establish the connection to the company's learning platform,
• enable a user-friendly application of this learning platform,
• Identify and ensure the security and stability of the systems and facilitate and improve the administration of this learning platform,
• The processing is expressly not carried out for the purpose of gaining knowledge about the person of the user of the learning platform.

4.2.3 Cookies

Cookies (see section "Visiting our website" for definition) may also be used on the learning platform:

• We only use session cookies in the Synergy platform, e.g. to track whether the user has visited individual pages of the learning platform. After leaving the platform or after logging out, session cookies are automatically deleted.

The data processed by cookies is justified for the above-mentioned purposes to protect the legitimate interests of the company pursuant to Article 6 (1) sentence 1 lit. f GDPR.

4.3 Data processing in our company

4.3.1 Employee data

This data is processed for the fulfillment of contracts within the scope of employment contracts and for the fulfillment of legal obligations. Data is regularly transferred to social security institutions, tax authorities and other bodies for the purpose of fulfilling legal obligations. The data is deleted after expiry of the statutory retention periods. There is no automated decision-making including profiling for this purpose.

The processing of this personal data is justified pursuant to Article 88 GDPR in conjunction with. §26 para. 1 BDSG-neu justified and is based on Article 6 para. 1 lit. b and Article 6 para. 1 lit. c GDPR (performance of contract and legal obligation.)

4.3.2 Customer data

This data is processed as part of the execution of our contracts with customers and for the implementation of pre-contractual measures. The purposes of the data processing are based on the needs of the customer and may also include sales/consulting meetings and the like. Furthermore, we process personal data for the initiation and fulfillment of contracts with suppliers and service providers on the basis of Article 6 (1) lit. b GDPR.

4.3.3 Contact by mail

You can contact our company by mail. For the processing of your request we need your last name, an e-mail address and a phone number.

The legal basis for the processing of personal data is through the sending of the mail by you of your consent in accordance with Article 6 para 1 lit. a GDPR. If the contact aims at the conclusion of a contract, the legal basis for the processing is Article 6 para 1 lit. b GDPR.

The data processing takes place exclusively for the purpose of handling and answering inquiries. The personal data collected is automatically deleted as soon as the request is completed and there is no legal basis for further storage.

5. Legal bases of data processing

Unless the legal bases have already been specifically stated in Section 5, the following applies to data processing:

• Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) a GDPR serves as the legal basis.
• If the processing of personal data is necessary for the performance of a contract for consideration or free of charge, Article 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
• If the processing is necessary for the fulfillment of a legal obligation to which we are subject, Article 6 (1) c GDPR serves as the legal basis.
• If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interests, Article 6 (1) f GDPR serves as the legal basis for the processing.

6. Storage period

Unless otherwise stated in section 5 of this declaration in individual cases, we store personal data only for as long as is necessary to fulfill the purposes pursued.

Your personal data will be deleted as soon as the purpose of the data processing ceases to apply.

If legitimate reasons within the meaning of Article 17 (3) GDPR oppose the deletion, such as a legal obligation to retain data, the processing of the data will be restricted during this period. A legal obligation to retain data exists, for example, due to documentation obligations under tax and commercial law. In these cases, the data will be deleted when the reason for further storage no longer applies, e.g. the legally required storage period expires.

7. Recipients or categories of recipients of the data

Within our company, only those departments receive your data that need it to fulfill their tasks.

As a matter of principle, your personal data will not be transferred to third parties. Exceptions to this only apply insofar as this is necessary for the processing of contractual relationships with you, your consent has been given, legal provisions require this, or we are entitled to pass on the data.

This includes in particular the transfer to service providers commissioned by us (e.g. order processors) or other third parties whose activities are necessary for the execution of the contract (e.g. shipping companies, banks, collection agencies, lawyers, tax consultants, authorities, courts, experts, etc.). The transmitted data may be used by the third parties exclusively for the stated purposes. We have concluded contracts with all processors for the handling of personal data, which are subject to our instructions.

Our company works with the following service providers, who are legally bound to our instructions by means of order processing contracts and have committed themselves to us to comply with the EU standard contractual clauses.

Synergy Platform Subprocessors:

8. Data transfer to third countries

8.1 Data transmission to Synergy

In the following cases

1) Use of our Synergy platform

2) Use of our website

3) Communication with us via contact form or mail as well as

your personal data may be transferred to the United States of America because both our website and the Synergy Platform (unless operated and administered "on premise" on servers owned by our customers) are partly hosted, operated and maintained in the United States.

Please be aware that, as a U.S. company, we may be legally required by U.S. law to share your information with third parties without informing you or providing you with a legal remedy.

For this reason, too, the USA is not currently considered a third country with adequate data protection under the GDPR.

You can inform yourself at any time at the following link of the EU Commission about countries for which an adequacy decision exists confirming sufficient data protection in the sense of the GDPR and allowing the transfer of personal data to these countries:

8.1.1 Use of the Synergy platform

Data transfer under appropriate safeguards

The contractual use of the Synergy Platform requires the conclusion of a contract for the provision of Software as a Service (SaaS) between a customer within the European Union (a data controller or data exporter) and Synergy as processor and data importer, which necessarily includes the EU Standard Contractual Clauses as amended in June 2021.

The agreement of unchanged EU standard contractual clauses constitutes appropriate safeguards for data transfers to third countries without sufficient data protection pursuant to Article 46 GDPR.

An unmodified copy of the EU Standard Contractual Clauses is available as a PDF file in English, German and French under the following link:

• https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

For this reason, the following regulation applies:

If any provision in this Privacy Policy or the Terms and Conditions of our company contradicts a provision in the underlying EU Standard Contractual Clauses, the provision in the EU Standard Contractual Clauses shall apply in full and without exception.

Cloud computing and encryption

Synergy does not own its own data centers, instead we leverage leading public cloud infrastructure providers as IaaS.

We currently use Microsoft's Azure cloud for hosting our Synergy Software as a Service (SaaS) platform and data storage of customer data (which may include personal data).

We keep network and access logs to manage the security of the data, and encryption both in-transit (TLS) and at rest (AES-256) for all data.

8.1.2 Use of our website

Our Synergy website is hosted, operated and maintained in the USA.

By using the website, your personal data will reach the USA and thus a third country for which there is no adequacy decision by the EU Commission.

8.2 Data transfer in case of consent to third-party tracking tools

In addition, a transfer of personal data to the USA and other third countries is possible if you give your consent to the use of third-party tracking tools on our website.

Synergy has no direct influence on the further processing of your personal data by the aforementioned third-party tracking tool providers.

In particular, we have no knowledge of

• Location,
• Uses,
• Storage period,
• The creation of user profiles or the combination of personal data from several different sources and with third-party providers (which, contrary to the provisions of the GDPR, may be legal under applicable national law),
• Or the enforceability of data subject rights under the GDPR

unless the aforementioned third-party providers provide detailed and legally compliant information about it.

If third-party providers process your data for their own purposes, these providers are responsible to you under the GDPR.

9. Data subject rights

Within the scope of the applicable legal provisions, you have the right to information, correction or amendment, deletion, data portability, restriction and objection to the processing of your personal data.

We take the protection of your data very seriously. To ensure that personal data is not disclosed to third parties, please send your request by e-mail or by post to the above address, clearly identifying yourself.

9.1 Right to information

You have the right to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details. (Article 15 GDPR)

9.2 Right of correction or completion

You have the right to request without undue delay the rectification of inaccurate or incomplete personal data stored by us (Article 16 GDPR.)

9.3 Right to deletion

You have the right to request the deletion of your personal data stored by us, unless further processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims. (Article 17 GDPR)

9.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Article 21 GDPR (Article 18 GDPR)

9.5 Obligation of the person responsible to notify

If you have asserted your right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom we have disclosed your personal data of this rectification or erasure of the data or restriction of processing - unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients (Article 19 GDPR)

9.6 Right to data portability

You have the right to data portability, i.e. the right to have data stored by us about you transferred in a common, machine-readable format. (Article 20 GDPR)

You also have the right to have your personal data, which we process on the basis of your consent or in fulfillment of a contract and in an automated manner, handed over to another controller in a common, machine-readable format.

If you request the direct transfer of the data to another controller, this will only be done insofar as this does not restrict the rights and freedoms of other persons.

10. Right to withdraw the consent to data processing

If we process your personal data on the basis of your consent, you have the right to revoke this consent at any time with effect for the future,

In the event of revocation, we will immediately delete the data concerned, unless further processing can be based on a legal basis for processing without consent (e.g. legal retention periods).

Your revocation of consent does not affect the lawfulness of the processing that took place until your revocation.

11. Right of appeal to the data protection supervisory authority

Without prejudice to other remedies, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform you of the status and outcome of the complaint, including the possibility of judicial remedy under Article 78 GDPR.

The supervisory authority responsible for us is the Spanish Data Protection Agency.

AEPD

C/ Jorge Juan, 6.

28001, Madrid

Spain

An overview of all supervisory authorities can be found at:

Status and update of this privacy policy

The status of this privacy policy is September 2022

We reserve the right to adapt the data protection declaration at regular intervals to the underlying data processing procedures or due to changes in the legal situation.