Back

Privacy Notice for Talents and Freelancers

Index

1. Introduction and Scope2. Data Controller and Contact Details3. Data Protection Officer – Contact4. Purposes and Legal Bases of Processing5. Categories of Personal Data Processed6. Recipients of the Data (e.g., Accounting, Cooperation Partners)7. Data Transfers to Third Countries8. Storage Periods and Erasure Deadlines9. Your Rights as a Data Subject10. Automated Individual Decision-Making11. Detailed information on data processing activities- Mediation and Quality Assurance Services- Security measures in the context of client projects- Use of anonymised usage data- Use of artificial intelligence (AI) and AI-based systems- Communication (e.g. marketing emails, chat)- Project management and organisation- Surveys and questionnaires- Payment processing12. Changes and updates to this privacy notice

1. Introduction and Scope

This privacy notice informs you about the processing of your personal data in the context of a freelance collaboration with our company. This includes, in particular, data processed in connection with engagement, communication, the use of project and communication platforms, as well as invoicing.
These notices apply to talents and freelancers with whom we have a contractual or project-based relationship—including the use of a user account within our digital platform. They are based on the provisions of the General Data Protection Regulation (GDPR), in particular Articles 13 and 14.
If you have any questions about data protection, we are available at any time.
The terms used are not gender-specific.
Status: December 2025

2. Data Controller and Contact Details

Yoummday GmbH
Infanteriestraße 11a
Haus E2
80797 München

Managing directors

Dr. Klaus Harisch
Pablo Harisch
Claas van Delden
Benjamin Tüzen

Phone: +49 89 231 6600 00
E-Mail: [email protected]

Imprint - yoummday

3. Data Protection Officer – Contact

[email protected]

4. Purposes and Legal Bases of Processing

Regular processing purposes and legal bases

  • Pre-contractual inquiries, contract execution, and payment processing (Art. 6(1)(b) GDPR).
  • Contact requests, communication, and support (Art. 6(1)(b) GDPR).
  • Account provision and access management (Art. 6(1)(b) GDPR).
  • Direct marketing, e.g., via newsletter (Art. 6(1)(a) GDPR or Sec. 7(3) UWG).
  • Quality assurance services and/or quality management (Art. 6(1)(a) GDPR).
  • Security measures and fraud prevention (Art. 6(1)(f) GDPR).
  • Detailed information on selected processing activities can be found in Section 11 of this privacy notice.

General Explanations of the Relevant Legal Bases

Below you will find additional explanations of the GDPR legal bases on which we rely for the processing of personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements in your and/or our country of residence or establishment may apply. Where more specific legal bases are relevant in individual cases, we will inform you of these in this privacy notice.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

In addition to the data protection rules of the General Data Protection Regulation, national data protection laws in Germany also apply. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transfers, as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual German federal states (Landesdatenschutzgesetze) may also apply.

5. Categories of Personal Data Processed

  • Master data (e.g., name, address, nationality)
  • Payment data (e.g., bank account details)
  • Location data (e.g., geolocation data)
  • Contact data (e.g., telephone number, email address)
  • Content data (e.g., text, image, or voice recordings)
  • Contract data (e.g., information on remuneration terms, project conditions)
  • System, usage, and connection data (e.g., IP address, operating system, call history, call duration, IP address)

6. Recipients of the Data

In the course of processing personal data, it may occur that data are transferred to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients may include, for example, service providers tasked with IT functions or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to safeguard your information.

Data transfers within the corporate group / organization: We may transfer personal data to other companies within our corporate group or organization, or grant them access to such data. Where this disclosure is for administrative purposes, it is based on our legitimate business and economic interests, or it takes place where necessary to fulfill our contractual obligations, or where the data subject has given consent or a statutory permission applies.

7. Data Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing occurs in the context of using third-party services, or by disclosing/transferring data to other persons, bodies, or companies, this is done only in accordance with legal requirements.

Subject to an explicit consent or a transfer required by contract or by law, we process data—or have data processed—only in third countries with a recognized level of data protection, on the basis of contractual safeguards such as the EU Commission’s standard contractual clauses, where certifications are in place, or under binding corporate rules (Articles 44–49 GDPR; see the European Commission’s information page).

8. Storage Periods and Erasure Deadlines

We delete the data we process in accordance with legal requirements once the consent permitting processing is withdrawn or any other legal permission ceases to apply (e.g., where the purpose for processing no longer exists or the data are no longer necessary for that purpose).

If data are not deleted because they are required for other purposes that are lawful, their processing is restricted to those purposes. This means the data are blocked and not processed for any other purposes. This applies, for example, to data that must be retained for commercial or tax-law reasons, or whose storage is necessary for the establishment, exercise or defense of legal claims, or to protect the rights of another natural or legal person.

Within this privacy notice, we may provide users with additional information on deletion and retention of data that apply specifically to the respective processing activities.

9. Your Rights as a Data Subject

As a data subject, you have various rights under the GDPR, in particular those arising from Articles 15 to 21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data which is based on Article 6(1)(f) GDPR; this also applies to profiling based on those provisions. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent you have given at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to such data as well as further information and a copy of the data, in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to have incomplete personal data completed and inaccurate personal data concerning you rectified.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to obtain the erasure of personal data concerning you without undue delay, or, alternatively, to obtain restriction of processing in accordance with legal requirements.
  • Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller, in accordance with legal requirements.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy and in accordance with legal requirements, you also have the right to lodge a complaint with a data protection supervisory authority—particularly the authority in the Member State of your habitual residence, place of work, or place of the alleged infringement—if you consider that the processing of personal data relating to you infringes the GDPR.

Supervisory authority responsible for us:
Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision)
Promenade 18
91522 Ansbach
Germany
Email: [email protected]

10. Automated Individual Decision-Making

In the following cases, we use—or apply—methods of automated decision-making when processing personal data:

  • When obtaining creditworthiness/credit checks.
  • When participating in language proficiency assessments.

Detailed information on the above processing activities can be found in Section 11 of this privacy notice.

11. Detailed information on data processing activities

Mediation and Quality Assurance Services

We process the information provided by Talents and clients in the context of initiating contracts or engagements for the purpose of establishing, performing and, where applicable, terminating a contract, as well as for the placement of Talents within the framework of client projects.

We use the contact details of Talents to handle their enquiries via the agreed or otherwise permitted communication channels (e.g. telephone or email), to specify the individual scope of engagement, and to propose suitable client projects or offers to them.

We use the contact details of clients to handle their enquiries via the agreed or otherwise permitted communication channels (e.g. telephone or email), to specify individual project requirements, and to propose suitable Talents to them. In addition, we may, at a later point in time and in accordance with legal requirements, contact clients with follow-up questions regarding the success of our placement service and/or their project.

We process the data of both Talents and clients in order to fulfil our contractual obligations, in particular to match the placement requests submitted to us by Talents with suitable project requests from our clients and to forward them to the respective clients or propose client projects to them.

We may log the information entered in the enquiries submitted to us in order to be able to demonstrate the existence of the contractual relationship and the consent of the respective contractual partners in accordance with the statutory accountability obligations (Art. 5(2) GDPR). This information is stored for a period of three to four years in case we need to prove the original enquiry (e.g. to demonstrate that we were entitled to contact our contractual partners).

We collect qualification data from Talents in order to propose suitable client projects to the respective Talent (i.e. projects that correspond to their respective level of experience and competence) and to ensure that the Talent, in the event of applying for a client project, meets the relevant project requirements (e.g. industry-specific prior knowledge, call centre experience, language skills). The skills and qualifications indicated by the Talents are verified after registration on our platform as part of document checks, training and competence assessments. Language skills are verified when a Talent applies for a project with specific language skill requirements.

Quality Assurance

1. Processing of usage data for service optimisation

We use the data provided in the course of using the platform to improve our service offering and to train various types of AI models. These include so-called reactive machines, which can only respond to the current situation without retaining previous information, as well as AI systems with limited memory, which can remember certain information for a short period of time (e.g. during an ongoing customer conversation) in order to make better decisions. (Further information on this can be found in the section “Intermediation and Quality Assurance Services”, subsection “AI Processing” of this privacy notice).

Data categories processed: master data (e.g. names); contact data (e.g. email addresses, telephone numbers, place of residence); content data (e.g. entries in online forms); usage data (e.g. service times); voice recordings (e.g. audio recordings and their transcriptions).

Data subjects: platform users (here, however, exclusively Talents/freelancers).

Purposes of processing: improvement of the service offering; quality assurance in the context of service provision.

Legal bases: performance of a contract (Art. 6(1) sentence 1 point b GDPR); consent (Art. 6(1) sentence 1 point a GDPR).

Data security and protective measures: processing of voice recordings takes place exclusively on EU servers and in compliance with high security standards in order to prevent unauthorised access and data loss.
Data minimisation: only the data necessary for the analysis is collected and processed. In particular, personal data is filtered or masked in the course of transcription.

2. Data analysis for contract performance and internal quality assurance (YouScore)

We collect and analyse data provided by Talents in the context of surveys (including information on availability, motivation, language skills) to support contract performance (e.g. to fulfil our duties of care when providing Talent profiles within our platform) and to ensure the reliability of the services provided by us (e.g. compliance with service times, adherence to compliance and quality requirements). The evaluation of the data collected is carried out exclusively by internal employees of yoummday. No automated decision-making takes place.

In addition, we use the data collected for internal benchmarking purposes. Internal benchmarking means that data from different Talents or Talent groups is compared with each other in order to develop internal standards, measure the quality of our services and identify opportunities for improvement. These comparisons are used solely to optimise our internal processes and have no direct or indirect negative effects on individual Talents. Evaluations are carried out exclusively for the purposes mentioned here.

Data categories processed: master data (e.g. names); content data (e.g. entries in online forms or questionnaires); usage data (e.g. service times).

Data subjects: platform users (here, however, exclusively Talents/freelancers).

Purposes of processing: improvement of the service offering; quality measurement and quality assurance to ensure the reliability of the services provided.

Legal bases: performance of a contract (Art. 6(1) sentence 1 point b GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR); consent (Art. 6(1) sentence 1 point a GDPR).

Data security and protective measures: processing of voice recordings takes place exclusively on EU servers and in compliance with high security standards in order to prevent unauthorised access and data loss. Exclusion of automated decision-making. Exclusion of individual performance evaluation and sanctions.

AI Processing

1. Language skills

To assess language skills, we use proprietary AI-based technology in order to determine the project-specific relevant language level of Talents. This process involves the automated analysis of voice recordings collected during the onboarding process and/or in the course of applying for relevant client projects within our platform.

Processing of the data for internal training purposes only takes place insofar as we have received separate consent from the Talents in individual cases.

The data processed is only shared with third parties insofar as the determined language level (after release by the respective Talent) is displayed to clients who are likewise registered on the yoummday platform when they access the Talent profile.

Description of automated decision-making:

  • Data collection: depending on the project, Talents have the option of submitting voice recordings in order to have their language skills assessed.
  • Data processing: the voice recordings are analysed using AI algorithms in order to determine the language level of the Talents objectively.
  • Decision-making: based on the analysis results, an automated decision is made regarding the appropriate language skill level for the respective position.

Legal basis:

As part of the assessment, we use an AI-based analysis of voice recordings to determine the language level of Talents. This process is carried out in an automated manner in accordance with the provisions of the GDPR and the EU AI Act.

The legal basis is Art. 6(1) sentence 1 lit. a GDPR.

Rights of data subjects in accordance with Art. 22(2)(c) and Art. 22(3) GDPR:

  • Right to contest the decision: as a rule, Talents have the right to have the automated assessment of their language level reviewed. For this purpose, a manual review by a competent specialist employee can be requested.
  • Right to withdraw consent: consent to the processing of voice data can be withdrawn at any time without stating reasons. The withdrawal does not affect the lawfulness of the processing carried out up to the time of withdrawal.
  • Right to re-assessment: Talents have the option of having their language skill assessment repeated at reasonable intervals in order to take into account changes in their language abilities.

Transparency and information:

  • Information obligation: all affected Talents are comprehensively informed about the automated decision-making, the data used and their rights.
  • Contact information: the company’s data protection team is available for questions or to exercise the aforementioned rights.

Data security and protective measures

  • Security standards: processing of voice recordings is carried out in compliance with high security standards in order to prevent unauthorised access and data loss.
  • Data minimisation: only the data necessary for the assessment is collected and processed.

Repeated assessment:

To ensure continuous and up-to-date evaluation of language skills, the language level assessment may be repeated regularly, at intervals of at least 3 months.

Retention periods:

  • Voice recordings: the voice recordings collected are stored for as long as required for the purpose, taking into account legal or business reasons for longer retention and the consent of the respective Talent to further (internal) use (e.g. for training or improving the model).
  • Analysis results: the results of the assessment are deleted once the purpose ceases to exist or stored until consent is withdrawn.

These provisions form an integral part of our privacy notice and ensure that the processing of your data complies with the requirements of the GDPR.

2. Quality management

We process conversation data of Talents from customer calls in order to ensure the contractually agreed quality standards, to identify and manage training needs, and to ensure compliance with contractual and legal requirements. For this purpose, we analyse the course of conversations based on the Talent’s audio track using proprietary technology based on artificial intelligence. This processing is based on real-time transcription of the conversation data and its analysis for the presence of essential conversation elements in the form of keywords and key sentences (e.g. greeting, performance of identification checks, etc.) as well as for irregularities in the conversation (e.g. omission of necessary conversation elements, other deviations). No automated decision-making takes place. Evaluation of results takes place in particular in cases of irregularities in the course of the conversation or in escalations, and is carried out by authorised employees.

Legal basis

The legal basis is Art. 6(1) sentence 1 point a GDPR. Consent granted may be withdrawn at any time without affecting the lawfulness of processing carried out up to the time of withdrawal.

Rights of data subjects

See the section “Rights of data subjects” at the end of this privacy notice.

Data processed

  • Audio recordings and their transcriptions
  • Contact data (in particular telephone number)
  • Date and time of calls

Data security and protective measures

  • Security standards: processing of voice recordings is carried out exclusively on EU servers and in compliance with high security standards in order to prevent unauthorised access and data loss.
  • Data minimisation: only the data necessary for the analysis is collected and processed. In particular, personal data is filtered or masked in the course of transcription.

Recipients of the data

The analyses are used internally only by authorised team leads. Data is only passed on to third parties in escalated cases and then only to internal legal or data protection contacts.

Retention periods: data is stored only for as long as necessary to fulfil the purposes mentioned above.

  • Audio recordings / call recordings: immediately after evaluation.
  • Transcriptions: immediately after evaluation.
  • Analyses: after 120 days.

In cases of escalations or legal requirements, the data may be retained in accordance with the statutory limitation periods.

Security measures in the context of client projects (including use of hardened security tokens)

In the context of client projects, we implement appropriate technical and organisational measures, in accordance with statutory requirements and the respective contractual provisions, taking into account the state of the art, implementation costs, as well as the nature, scope, circumstances and purposes of processing and the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

Such measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to data, input, transmission, safeguarding of availability and segregation of data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the erasure of data and the response to threats to data. In addition, we take the protection of personal data into account when developing or selecting hardware, software and procedures in line with the principle of data protection by design and by default.

In client projects with heightened security requirements, we employ specific hardware- and software-based security solutions in order to meet our clients’ compliance requirements regarding the use of “private end devices” in the course of project work by Talents and freelancers. This includes the use of a hardened security token in the form of an IGEL stick, which provides a secure operating environment (including automatic establishment of VPN connections and centrally managed configuration of security-relevant components) on the respective end device. The necessity of this use arises from the operational fact that Talents employ a wide variety of work platforms (notebooks, PCs, MacBooks), operating systems and system configurations, while a uniform security standard must be ensured with regard to the personal data processed and confidential information of third parties.

On the IGEL-based security token, there is no user login. No password data and no end customer data is logged. Monitoring tools used (such as the open-source tool “Conky”) collect only local system information (e.g. CPU utilisation, memory usage, network statistics, disk activity) required to ensure technical operation and do not access user data or online services, nor are they used for monitoring user activities. Data processed via this security token is processed exclusively in pseudonymised form and used for statistical analysis and to ensure the error-free operation of the platform and the proper functioning of the security components. Secondary use of the data is not intended and does not take place.

Depending on the project context, security measures include in particular: automatic establishment of VPN connections, centrally managed configuration processes, and the monitoring of technical system information such as CPU utilisation, memory usage, network statistics and disk activity.

Data categories processed:

  • Device data: specific unit ID of the security token (IGEL stick), including associated licence, inter alia to enable device-related error diagnostics where necessary and to track issuance and use by Talents. A mapping of the unit ID to the respective Talent is only possible for yoummday and is carried out solely in conjunction with the validation of geolocation data.
  • Geolocation data: collection and matching with the Talent ID to ensure that the respective end device is used, when connecting via VPN (connection to our network via OpenVPN), only at contractually agreed work locations. This is necessary because access to project-specific systems and services of the client may, for compliance reasons, only take place from defined and previously agreed locations.
  • Start and end times of activities: derived from the establishment and termination of the respective VPN connection, required to enable shift planning within the respective project where our platform is used. When client telephony systems are used, these parameters are not routinely evaluated, but may be used, where necessary, to support the investigation of information security or fraud incidents.
  • Technical system information: such as CPU utilisation, memory usage, network statistics and disk activity, in pseudonymised form.

Where a link to an identifiable person is possible within the scope of the processing purposes described, this constitutes personal data within the meaning of Art. 4(1) GDPR, in respect of which data subjects have the rights under Art. 15 et seq. GDPR.

Data subjects
Platform users (here, however, exclusively Talents/freelancers).

Purposes of processing

  • Establishment of a hardened, standardised operational working environment on individual end devices in order to ensure a uniform security standard for the processing of personal data and confidential information of end customers.
  • Ensuring the confidentiality, availability and integrity of data processing in client projects.
  • Contractually compliant safeguarding of platform operation, project execution and operational support.
  • Proper business organisation and internal investigation/clarification of information security and fraud incidents.

Legal bases
Processing in connection with these security measures, including the use of the IGEL-based security token, is carried out on the basis of:

  • Art. 6(1) sentence 1 point b GDPR (performance of a contract), in particular for the provision, operation, maintenance and support of services, hardware and software, including agreed security measures and evidentiary obligations;
  • Art. 6(1) sentence 1 point f GDPR (legitimate interests), namely our legitimate interest in efficient and secure business and project organisation, the security of our systems and the internal investigation of information security and fraud incidents; and
  • Art. 6(1) sentence 1 point a GDPR (consent), where specific processing operations are based on your prior consent.

In particular, we would like to point out that the following consents have been provided by you:

  • consent to call recordings, silent monitoring, webcam use, feedback and coaching; and
  • consent to authentication and quality measures, which also include the processing of location data.

All consents are available for you to review at any time in your Talent profile under “Downloads”.

Recipients / categories of recipients

  • Internal departments, in particular IT (technical operation, error diagnostics, security analysis) and Legal (e.g. handling access requests or incidents).
  • Clients, depending on the project and only insofar as necessary to confirm the use of the hardened environment or to fulfil contractual obligations.

No transfer of personal data to third countries takes place in connection with the use of the IGEL-based security token and the associated security measures.

Retention period and automated decision-making
As a rule, no data is permanently stored on the security token; technical data may be stored temporarily and is deleted upon restart. Otherwise, the general retention periods described in this privacy notice apply; data is stored only for as long as necessary for the purposes mentioned or where statutory retention obligations exist.

No automated decision-making within the meaning of Art. 22 GDPR takes place on the basis of the data processed for these security measures. Any profiling occurs only on a session-based/temporary basis in anonymised or pseudonymised form for statistical and operational purposes, without resulting in decisions with legal or similarly significant effects for Talents or freelancers.

Use of anonymised usage data

We reserve the contractually agreed right to use the data provided in the course of platform use for our own legitimate interests, while strictly safeguarding the privacy of our users. For this purpose, the relevant data is first anonymised and pre-labelled. Anonymised means that all references to data subjects are removed beforehand so that no conclusions can be drawn about their identity. Pre-labelled means that the data is assigned to certain categories or tagged with keywords (for example “tariff upgrade” or “complaint” for different types of customer requests) so that it can be used more effectively for training AI systems. (Further information on this can be found in the section “Intermediation and Quality Assurance Services”, subsection “AI Processing” of this privacy notice).

Data categories processed: content data (e.g. entries in online forms); usage data (e.g. service times); voice recordings (e.g. audio recordings and their transcriptions).

Data subjects: platform users (here, however, exclusively Talents/freelancers).

Purposes of processing: further use or secondary use of anonymised data for development and optimisation purposes, in particular for the training and improvement of AI systems; controller’s economic interests.

Legal bases: performance of a contract (Art. 6(1) sentence 1 point b GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR).

Data security and protective measures: anonymisation and data minimisation.

Use of artificial intelligence (AI) and AI-based systems

In the context of our business cooperation, we use AI-based systems to support individual processes. By this we mean software-based applications that are based on machine-learning algorithms or automated processing and can be used for the analysis, structuring or assistance in work processes.

These systems are used primarily for supportive purposes – for example for call preparation or automated quality assurance. There is no full replacement of human decision-making. The systems serve instead to increase efficiency, prepare information or ensure quality in the project context and support Talents, for example, in customer service tasks such as drafting text, classifying content, researching information or performing structural analyses. (With the exception of the optional service for assessing language skills – see the section “Collection and verification of qualification information” – no automated decisions producing legal effects or similarly significant effects are made.)

The use of these systems is based on your explicit consent pursuant to Art. 6(1) sentence 1 point a GDPR or our legitimate interest pursuant to Art. 6(1) sentence 1 point f GDPR. Consent is voluntary and may be withdrawn at any time with effect for the future. In the event of withdrawal, your personal data will no longer be processed by these systems.

Data categories processed: Talent data (in particular name, internal ID); voice recordings (audio files); transcribed content derived from these recordings (where required); analysis results (e.g. degree of match with the Talent’s speech pattern or typing behaviour; degree of compliance with contractually agreed conversation requirements); timestamps, file names and technical metadata.

Recipients: the systems are used exclusively within the organisation. There is no disclosure to third parties and no automated further processing for other purposes.

Data subjects: platform users (here, however, exclusively Talents/freelancers).

Purposes of processing: quality management; ensuring contractually agreed quality standards in projects; contract-compliant safeguarding of platform operation and operational support.

Sources of data: the personal data concerned originates from ongoing project communication (e.g. call recordings and/or transcriptions, chats) and cooperation.

Retention period: data processed in the context of AI-supported processes is not stored permanently, but used only temporarily for assistance or evaluation and then deleted or anonymised.

Legal bases: consent (Art. 6(1) sentence 1 point a GDPR); performance of a contract (Art. 6(1) sentence 1 point f GDPR).

If you have any questions regarding how these systems work, the specific data processing operations involved, or if you wish to exercise your rights under Art. 15 et seq. GDPR (in particular access, withdrawal, rectification), you can contact our data protection team at [email protected].

Communication (e.g. marketing emails, chat)

Marketing emails and electronic notifications

If you, as a Talent or freelancer, are in business or business-initiating contact with us, we send marketing emails and other electronic notifications (hereinafter “marketing emails”) to you only with your consent or where permitted by law. If the content of the marketing emails is specifically described in the course of registration, that description is decisive for the users’ consent. Otherwise, our marketing emails contain information about our services (e.g. suitable project offers) and about us.

Erasure and restriction of processing:
We may store email addresses for which a marketing objection (opt-out) has been declared for up to three years on the basis of our legitimate interests before we delete them, in order to be able to prove a previously given consent. Processing of this data is restricted to the purpose of potential defence against claims. An individual request for erasure is possible at any time, provided that the previous existence of consent or another legal basis is confirmed at the same time. Where we are under an obligation to permanently observe objections, we reserve the right to store the email address for this purpose alone in a separate suppression list (so-called “blocklist”).

The logging of procedures that are relevant for the establishment or existence of the respective legal basis takes place on the basis of our legitimate interests for the purpose of proving that the process was carried out properly. Where we engage a service provider to send emails, this is based on our legitimate interests in an efficient and secure email delivery system.

Notes on legal bases:
The dispatch of newsletters is based on the consent of the recipients or, where consent is not required, on our legitimate interests in direct marketing, insofar as and to the extent that this is permitted by law, e.g. in the case of marketing to existing customers. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in efficient and secure dispatch. The registration process is recorded on the basis of our legitimate interests in order to demonstrate that it was carried out in accordance with the law. In the case of system emails, notifications are sent for the purpose of business initiation (e.g. confirmations of receipt of enquiries or orders, or information on changes to processing status) and/or for the purpose of fulfilling a contract.

Content:

Information about us, our services, campaigns and offers.
Information on order or placement status (system emails).

Data categories processed: master data (e.g. names, addresses); contact data (e.g. email addresses, telephone numbers); meta/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).

Data subjects: communication partners.

Purposes of processing: direct marketing and promotional communication (e.g. by email or post).

Legal bases: existing customer exception (§ 7(3) UWG – German Unfair Competition Act); consent (Art. 6(1) sentence 1 point a GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR).

Right to object (opt-out):
You may unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent and/or object to any further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter, or you can use one of the contact options provided above, preferably email.

Further information on processing operations, procedures and services

Measurement of open and click rates:
Our marketing emails may contain a so-called “web beacon”, i.e. a one-pixel file that is retrieved from our server when the newsletter is opened or, if we use an email service provider, from their server. As part of this retrieval, technical information is initially collected, such as information on the browser and your system, as well as your IP address and the time of retrieval. This information is used to technically improve our newsletter based on the technical data or the target groups and their reading behaviour, determined on the basis of their retrieval locations (which can be identified using the IP address) or access times.

This analysis also includes determining whether and when newsletters are opened and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until these are deleted. The evaluations help us recognise the reading habits of our users and adapt our content to them or send different content according to the interests of our users.

Measurement of open and click rates, storage of the measurement results in user profiles and their further processing are carried out on the basis of the users’ consent. A separate withdrawal of consent solely for performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information is deleted.

Further information on processing operations, procedures and services:

HubSpot: CRM and collaboration platform including email marketing; service provider: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany; legal basis: legitimate interests (Art. 6(1) sentence 1 point f GDPR); website; privacy policy; data processing agreement; standard contractual clauses (ensuring an adequate level of data protection when processing in third countries).

Notes on legal bases (repeated overview):

The dispatch of newsletters is based on the consent of the recipients or, where consent is not required, on our legitimate interests in direct marketing, insofar as and to the extent this is permitted by law, e.g. in the case of marketing to existing customers. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in efficient and secure dispatch. The registration process is recorded on the basis of our legitimate interests in order to demonstrate that it was carried out in accordance with the law. In the case of system emails, notifications are sent for the purpose of business initiation (e.g. confirmations of receipt of enquiries or orders, or to inform you about changes to processing status) and/or for the purpose of fulfilling a contract.

Data categories processed: master data (e.g. names, addresses); contact data (e.g. email addresses, telephone numbers); meta/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).

Data subjects: communication partners.

Purposes of processing: direct marketing and promotional communication (e.g. by email or post).

Legal bases: existing customer exception (§ 7(3) UWG); consent (Art. 6(1) sentence 1 point a GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR).

Right to object (opt-out):
You may unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent and/or object to any further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter, or you can use one of the contact options provided above, preferably email.

Communication via chat, messenger & similar services

In the context of project- or order-related communication, we use selected chat and messenger services and therefore ask you to observe the following information on how these services work, on encryption, on the use of communication metadata and on your options to object.

You can also contact us via alternative channels, e.g. by telephone or email. Please use the contact options provided to you or those indicated in our online offering.

In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content (i.e. the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure that the content of messages is encrypted.

However, we additionally inform our communication partners that although the providers of messengers cannot view the content, they can determine that and when communication partners communicate with us and process technical information on the device used by the communication partners and, depending on the settings of their device, also location information (so-called metadata).

Notes on legal bases:
Where we ask communication partners for permission before communicating with them via messenger, the legal basis for our processing of their data is their consent. Otherwise, if we do not request consent and, for example, they contact us on their own initiative, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, on the basis of our legitimate interests in fast and efficient communication and in meeting our communication partners’ needs for communication via messenger.

We also point out that we do not transmit contact data provided to us to messenger providers for the first time without your consent.

Withdrawal, objection and erasure:
You may withdraw consent given and object to communication with us via messenger at any time. In the case of communication via messenger, we erase messages in accordance with our general erasure policies (i.e. for example, as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any enquiries from communication partners, provided no reference to a previous conversation is expected and there are no statutory retention obligations preventing erasure.

Reservation of reference to other communication channels:
Finally, we point out that, for your security, we reserve the right not to answer enquiries via messenger. This may be the case, for example, where contractual details require special confidentiality or a response via messenger does not meet formal requirements. In such cases, we refer you to more appropriate communication channels.

Data categories processed: contact data (e.g. email addresses, telephone numbers); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); content data (e.g. entries in online forms).

Data subjects: communication partners.

Purposes of processing: handling contact enquiries and communication; direct marketing (e.g. by email or post).

Legal bases: consent (Art. 6(1) sentence 1 point a GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 point b GDPR).

Further information on processing operations, procedures and services

HubSpot: CRM and collaboration platform; service provider: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany; legal basis: legitimate interests (Art. 6(1) sentence 1 point f GDPR); website; privacy policy; data processing agreement; standard contractual clauses (ensuring an adequate level of data protection when processing in third countries).

Microsoft Teams: Microsoft Teams messenger; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; website; privacy policy; security information; standard contractual clauses (ensuring an adequate level of data protection when processing in third countries).

RocketChat: maintenance and technical support for the platform-internal chat and collaboration service; service provider: Rocket.Chat Technologies Corp., 251 Little Falls Dr, Wilmington, DE 19808, USA; website; privacy policy; GDPR compliance (including ensuring an adequate level of data protection when processing in third countries).

Project management and organisation

In the course of providing our services, we use software services accessible via the internet and operated on the servers of their respective providers (“cloud services”, also referred to as “Software as a Service”) for the following purposes: document storage and management, customer relationship management, calendar management, email dispatch, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information, as well as chats and participation in audio and video conferences.

In this context, personal data may be processed and stored on the providers’ servers, insofar as such data forms part of communication processes with us or is otherwise processed by us as set out in this privacy notice. Such data may include, in particular, master data and contact details of users, data relating to transactions, contracts and other processes and their content. The providers of the cloud services also process usage data and metadata, which they use for security purposes and to optimise their services.

Where we provide forms or other documents and content for other users or publicly accessible websites with the help of cloud services, the providers may store cookies on the users’ devices for the purposes of web analytics or to remember user settings (e.g. in the case of media controls).

Notes on legal bases:
Where we request consent for the use of cloud services, the legal basis for processing is consent. Furthermore, their use may form part of our (pre-)contractual services where the use of cloud services has been agreed in that context. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. our interest in efficient and secure administration and collaboration processes).

Data categories processed: master data (e.g. names, addresses); contact data (e.g. email addresses, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

Data subjects: business partners (here primarily Talents/freelancers); employees (e.g. staff, applicants, former employees); prospective clients; communication partners.

Purposes of processing: project management; office and organisational procedures.

Legal bases: consent (Art. 6(1) sentence 1 point a GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 point b GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR).

Further information on processing operations, procedures and services:

  • Microsoft cloud services: cloud storage, cloud infrastructure services and cloud-based application software; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; website; privacy policy; security information; data processing agreement; standard contractual clauses (ensuring an adequate level of data protection when processing in third countries).
  • HubSpot: CRM and collaboration platform; service provider: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany; legal basis: legitimate interests (Art. 6(1) sentence 1 point f GDPR); website; privacy policy; data processing agreement; standard contractual clauses (ensuring an adequate level of data protection when processing in third countries).

Surveys and questionnaires

We conduct surveys and questionnaires in order to collect information for the survey purpose communicated in each case. The surveys and questionnaires carried out by us (hereinafter “surveys”) are evaluated in anonymised form. Personal data is only processed to the extent necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user’s browser or the use of a cookie to enable the survey to be resumed).

Data categories processed: contact data (e.g. email addresses, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, consent status).

Data subjects: communication partners; participants.

Purposes of processing: feedback (e.g. collecting feedback via online form).

Legal bases: legitimate interests (Art. 6(1) sentence 1 point f GDPR).

Further information on processing operations, procedures and services:

Survicate: execution of online surveys; service provider: Survicate S.A., Zamiany 8 LU2 Street, 02-786 Warsaw, Poland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://survicate.com/; privacy policy: https://help.survicate.com/en/articles/3943207-terms-of-service-privacy-policy-gdpr-and-dpa#h_0c335b370a; data processing agreement: https://assets.survicate.com/docs/Terms-Of-Service-Survicate-3.0.pdf.

Payment processing

In the context of contractual and other legal relationships, on the basis of statutory obligations or otherwise on the basis of our legitimate interests, we offer our business partners (here: Talents/freelancers) efficient and secure payment methods and, in addition to banks and credit institutions, use other service providers for this purpose (collectively referred to as “payment service providers”).

The data processed by the payment service providers includes master data such as name and address, contact data such as email address, banking details such as account numbers or credit card numbers, passwords, TANs and check sums, as well as information relating to the contract, amounts and recipients. We process this information only to the extent that it is required in connection with the respective agreed payment method in order to execute transactions. The data entered is processed and stored exclusively by the payment service providers. This means that we do not receive any account or credit card details, but only information confirming payment or indicating a refusal. In some cases, the payment service providers may transmit data to credit reference agencies. Such transmission serves the purpose of identity and credit checks. For this, we refer to the general terms and conditions and privacy notices of the respective payment service providers.

For payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply, which can be accessed on their respective websites and within their transaction applications. We also refer you to these for further information and for asserting rights of withdrawal, access and other data subject rights.

Data categories processed: master data (e.g. names, addresses); contact data (e.g. email address); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

Data subjects: business partners (here, however, exclusively Talents/freelancers).

Purposes of processing: provision of contractual services and customer service.

Legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 point b GDPR); legitimate interests (Art. 6(1) sentence 1 point f GDPR).

12. Changes and updates to this privacy notice

We kindly ask you to review the content of this privacy notice on a regular basis. We will amend it as soon as changes in our data processing activities make this necessary. We will inform you if such changes require any act of cooperation on your part (e.g. consent) or any other individual notification.

Where we provide addresses and contact details of companies and organisations in this privacy notice, please note that such details may change over time. We therefore ask you to verify the information before making contact.