Privacy Policy

The BVB Fans Int. App ("App") is operated by Borussia Dortmund GmbH & Co. KGaA, Rheinlanddamm 207-209, 4137 Dortmund, Germany (hereinafter "BVB"), [service@bvb.de]. For further details please see our imprint [https://www.bvb.de/eng/Imprint].

With this Privacy Policy we inform you about how we process your personal data when you use the App or access our website under [https://www.bvb.de/eng] ("Website") or otherwise interact with us and your rights in this respect.

1. PURPOSES OF THE DATA PROCESSING

1.1 Account registration

We process your data in order to create an account in the App or on our Website. This includes, in particular, your e-mail address, phone number, a username, a password and the FanID ("Account Data"). The "FanID" is a unique identifier which we receive, together with the other Account Data, from the FanID platform me.fan, where you initially created your account. me.fan is operated by Liquiditeam GmbH, Willy-Brandt-Platz 16-20, 38102 Braunschweig, Germany ("liquiditeam"). The privacy policy of liquiditeam is available under [https://www.liquidi.team/privacy/].

Legal basis: Art. 6 (1) lit. b) GDPR.

1.2 Using the App and the Website

We process your data to provide you with the services in the App (legal basis: Art. 6 (1) lit. b) GDPR).

This includes, but is not limited to:

● We use your Account Data as well as data you provide within the App (e.g., comments, boosts and votings) to provide you with the features of the App.

● We send messages to your e-mail address or phone number, for example in the course of account creation or as otherwise selected in the App.

● Club Token: You might receive club tokens ("Club Token") when using and actively engaging in the App. Those Club Tokens are based on a so-called blockchain, a distributed ledger technology which is characterized by storing data on distributed node computers ("Nodes"). All Nodes are operated by liquiditeam. The Club Tokens are linked to a public identifier on the blockchain which we connect to your account. The blockchain contains the entire transaction chain of all Club Tokens. The information on the blockchain including this public identifier and transaction data cannot be deleted or modified, but we can delete the link to this public identifier in your account, making the public identifier stored on the blockchain anonymous.

● Activity points: You will receive activity points based on the intensity of your App usage. Those activity points are measured by the number of pages you visit or activities you take part in. None of these activities is used for profiling or tracking purposes, neither do we analyze what and how long you use certain functionalities within the App, unless you have granted us an express consent.

1.3 Accessing the Website or our servers through the App

Each time you access our Website or the App establishes an internet connection with our servers, your device transfers certain data to us, which we store in our logfiles. This data may include:

● browser type and browser version

● operating system used

● internet service provider

● the IP address

● hostname of the accessing computer

● time of the server inquiry

● websites from which you reach our solution (so-called referrer)

● websites accessed

● bytes transferred

● access status

We process such data temporarily to provide you with the requested content (Art. 6 (1) lit. b) GDPR). We also store and process such data for a period of ten days (unless an unusual incident requires a longer storage period, e.g. after a hacker attack) for security reasons, in order to identify potential attacks on our systems and to optimize our systems (Art. 6 (1) lit. f) GDPR). Thereafter, this data is anonymized.

1.4 Contacting us

When you send us an e-mail or otherwise contact us, for example through our ticket system in the App or the Website, we process the personal data you provided us with, for example to answer your e-mail. We also process your data when you participate in campaigns on our social media channels (Facebook etc.) or send us inquiries or comments.

Legal basis: Art. 6 (1) lit. b) GDPR.

1.5 Use of cookies and related data processing (website optimization, analysis, advertising)

We use cookies (small text files placed on your browser) and similar technologies such as pixel tags (hereinafter referred to as “Cookies”).

1.5.1. Essential Cookies

Essential Cookies are necessary for the website to function properly by providing basic features such as page navigation, access to secure areas of the website or language settings. Legal basis is Article 6 (1) lit. b) GDPR. We store these essential Cookies for up to one year.

1.5.2. Website optimization and analysis

Based on your consent, we set Cookies and analyze how you're using our websites. This way, we collect information about how well certain services are received, and we can adjust and improve them as well as our websites. Your IP address will be truncated and thus anonymized before being used for analysis purposes.

Legal basis: Article 6 (1) lit. a) GDPR.

You may withdraw your consent with effect for the future at any time here [service@bvb.de].

1.6 Other

Where you give us your consent for processing your personal data, Article 6 (1) lit. a) GDPR serves as the legal basis. You can withdraw your consent at any time with effect for the future.

Article 6 (1) lit. b) GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This shall also apply to processing operations necessary for the implementation of pre-contractual measures.

We might process your personal data insofar as it is necessary for the fulfilment of a legal obligation to which our company is subject (e.g. accounting, commercial and tax law), court orders or other binding decisions of public authorities (Article 6 (1) lit. c) GDPR).

If necessary, we process your personal data to satisfy our legitimate interests (Art. 6 (1) lit. f) GDPR), including the following:

● to protect, enforce and defend our rights, property and interests.

2. DATA TRANSFERS

We may share personal information with third parties.

2.1 Reporting obligations

In order to protect our rights or the rights of third parties, we may disclose data to rights holders, consultants, courts and authorities in accordance with legal provisions.

2.2 Service providers (processors)

We work with service providers who assist us in providing our services, in particular:

● liquiditeam for the technical operation of the Website and the App

● sms.at mobile internet services gmbh, Graz, Austria for sending text messages

● The Rocket Science Group LLC d/b/a Mailchimp, Georgia, USA for sending e-mails

● Google and Apple for push notifications you receive in your end device

These service providers process data solely on behalf of, according to our instructions and under the control of us and only for the purposes described in this Privacy Policy.

2.3 Transfer to third parties

We transfer data to contractual partners who process data under their own responsibility and for their own purposes, in particular:

● Club Token: The blockchain necessary for the Club Tokens is only operated by us. Since the blockchain is publicly accessible, third parties may also be able to view information on the Club Tokens, such as a unique identifier associated with your Club Tokens. However, only liquiditeam is currently able to link this identifier with your Account Data.

The data is transferred for the purposes described in this Privacy Policy.

2.4 Social plugins and other third-party content

We have not implemented any tools by which information is automatically transferred to the provider of social media services when you visit our website ("Social Plugins").

Any forwarding to social media providers such as YouTube, Facebook, etc. takes place exclusively once you have clicked on a link or a disabled Social Plugin, so that data about your visit to our services (e.g., IP address) or data available on your end device (e.g., information stored in Cookies) is only transmitted to the respective providers when this function is actively used.

2.5 Transfer to recipients outside the EEA

We might transfer personal data to recipients located outside the European Economic Area (EEA) into so-called third countries, for example service providers or authorities. In such cases, prior to the transfer, we ensure that the data recipient provides an appropriate level of data protection (e.g. due to a decision of adequacy by the European Commission for the respective country (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en), due to an agreement based on so-called EU standard contractual clauses with the recipient (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=en) or due to other appropriate safeguards).

3. RETENTION OF PERSONAL DATA

We will store your personal data as long as it is necessary for the respective purposes, which is usually to provide the services you have requested. For example, we store your Account Data until you delete your account. In some cases, we are obliged to store your data for longer in order to comply with statutory retention periods.

If we process data on the basis of legitimate interests (Art. 6 (1) lit. f) GDPR), these will be stored until you object to the processing or until your legitimate interests prevail.

We have specified retention periods for certain processing purposes.

4. YOUR RIGHTS

4.1 General Rights

You can request information about your stored personal data. If you have provided personal data based on a contract or consent, you have the right to receive this data in a commonly used and machine-readable format.

In addition, you can also request the deletion, rectification or restriction of the processing of your data in certain cases.

You can withdraw your consent at any time with future effect.

If your personal data are transferred to a country outside the EU that does not offer adequate protection, you can request a copy of the contract or other means that ensure adequate protection of personal data.

You also have a general right to complain to us or to a supervisory authority, in particular in the member state of your residence, place of work or place of suspected infringement of our data processing. The supervisory authority responsible for BVB is:

Landesbeauftragten für Informationsfreiheit und Datenschutz (LDI) (https://www.ldi.nrw.de/)

4.2 Right to object

To the extent we base the processing of your personal data on our legitimate interests (Art. 6 (1) lit. f) GDPR), you may object to such processing at any time. In this case, we will not process such personal data any longer, unless our interests prevail. You can object to the use of data for direct marketing purposes at any time without a weighing of interests.

4.3 Contacting us

In order to exercise the aforementioned rights, please contact us directly in writing or via e-mail under [service@bvb.de].

Note: We may change our Privacy Policy from time to time by publishing it here. Please check this Privacy Policy regularly.

***