The protection of your privacy and your personal data is an important concern to which we pay special attention. Personal data collected during visits to our website is processed according to the legal provisions valid for the countries in which the website is maintained. In the following paragraphs, we provide you with information on how we are following these rules, which data we collect, and how we use it. Thereby, we fulfil our obligation of information under Art. 13 GDPR (General Data Protection Regulation).
Collecting and Processing Personal Data
a) Website Visitors
When visiting our website, our web servers store details of your operating system and browser used, the webpage from which you came to our website, the pages that you visit on our site, the current date and time, and, for security reasons, the IP address assigned to you by your Internet service provider (ISP). Legal basis for processing is Art. 6 para. 1 f) GDPR.
With the exception of your IP address, personal data is only stored if you choose to submit it to us, e.g. when contacting us via our contact form, during registration, in a survey, in a competition or in order to enable performance of an agreement.
Your personal data remains only with our company, our affiliates, and our provider and will not be made available to third parties. The technical information collected will be used to guarantee smooth functionality of our website. To analyze user behavior, we are making us of Google Analytics. For more information about that – including how to disable data transfer – see below (section ‘Google Analytics’).
For any other purpose than the one specifically intended by you, your personal data will only be processed when you have given us specific consent in accordance with Art. 6 para. 1 a) GDPR. You can adjust your consent for the use of your personal data at any time with an email to the email address listed at the end of this policy to the effect that you revoke your consent in the future.
b) Job Applicants
When applying for a job posting at VMRay via our career-website you will be required to provide us with information on your personal, professional and academic background, including (but not limited to) personal details, contact information, certificates and references. The application data provided by you will only be processed and used by us in connection with your interest in a current or future employment. Legal Basis for this kind of processing is Art. 6 para. 1 f) GDPR and § 26 BDSG (Bundesdatenschutzgesetz / (German) Federal Data Protection Act).
Internally, your application data will only be processed by the relevant contact persons of the Human Resources Department and the department to which your application is directed. In case you are applying for a position at VMRay Inc., your application will be forwarded to the responsible US-employee only. All our employees are obliged to treat personal data strictly confidential.
In case your application has been successful, your data may be used for administrative purposes within the framework of your future employment and the applicable legal requirements. In that case, your data will be deleted after the ground for storage ceases to exist. The legal basis for storage is Art. 6 para. 1 lit. f) GDPR and § 24 para. 1 no. 2 BDSG. Our legitimate interest lies in legal defense and enforcement
In case your application has not been successful, we will keep your application for a maximum of 6 months to answer any questions you may have in connection with your application. For longer periods of time, your data will only be stored in case of a legal requirement to do so or for the purpose of providing legal evidence. In that case, your data will be deleted after the ground for storage ceases to exist. The legal basis for storage is Art. 6 para. 1 lit. f) GDPR and § 24 para. 1 no. 2 BDSG. Our legitimate interest lies in legal defense and enforcement. At any time you may exercise your data protection rights as described in this policy (see below).
We will use the data you provide only to process your request. The legal basis for this is our legitimate interest in answering your request in accordance with Art. 6 para. 1 f) GDPR. If your request serves the conclusion of a contract with us, further legal basis for the processing is Art. 6 para. 1 b) GDPR. The data will be deleted after your request has been processed. If we are legally obliged to store data for a longer period of time, the data will be deleted after expiry of the corresponding period.
For more information on how to register and deregister from our Newsletter, see section “Newsletters” below.
We store your personal data for as long as it is necessary to perform a service that you have requested or for which you have granted your permission, providing that no legal requirements exist to the contrary such as in case of retention periods required by trade or tax regulations.
At any time you may exercise your right to have your personal data erased, provided that no legal requirement opposes deletion or the data is necessary for the fulfilment of a contractual obligation of VMRay, in which case we will inform you and provide alternative solutions to your request (e.g. blockage of your data).
Data Protection Rights
In accordance with Art. 15 ff. GDPR, VMRay guarantees the following data protection rights:
Right to Access: You may demand access to the personal data processed by VMRAy. We will provide the required data to you via e-mail.
Right to Rectification (Art. 16 GDPR): You may demand from VMRay the rectification of inaccurate personal data concerning you.
Right to Erasure (Art. 17 GDPR): You may demand from VMRay erasure of your personal data. VMRay is going to comply with your request unless legal requirements oppose deletion or we have to process the data in order to fulfill our contractual obligations. In that case, we will contact you and provide alternative solutions to your request (e.g. blockage of your data).
Right to Data Portability (Art. 20 GDPR): At your request, VMRay will provide you with your data in a suitable format and (if technically possible) we will transmit your data to another responsible controller upon your request.
Right to Object and to Restrict (Art. 18, 21 GDPR): Furthermore, you may demand from us to end the processing of your personal data at any given time or to restrict your consent to the processing activities.
Right to Complain: In case of a complaint, you may contact the competent data protection supervisory authority.
In order to exercise your rights, you may send an e-mail to the address indicated at the end of this policy.
Cookies are small text files containing information which makes it possible to identify repeated visitors exclusively for the duration of their visit to our web pages.
Cookies are stored on the hard disk of your computer and do not cause any damage there. They can be used to determine whether there has been any contact between us and your end device in the past. Only the cookie on your end device is identified. Personal data can only be saved in cookies if you have given your consent or if it is essential for technical reasons, e.g., to enable a secure login. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
The Cookies which we currently use on the website are listed in the following table:
Description: We use Google Analytics to measure performance and improve your user experience. This cookie is used to uniquely identify you as a visitor to this site. This is achieved by generating two random 32-bit numbers and setting them in a cookie, no personal information or data is tracked.
Description: We use Google Analytics to measure performance and improve your user experience. This cookie is used to throttle the request rate back to Google.
Description: We embed Youtube-videos via the so-called “Advanced Privacy Mode”, where cookies are only stored on your computer when playing the video. According to Youtube, in privacy mode no personal data is stored in the cookies for playbacks of embedded videos. For more information please visit this page.
Google is certified under the EU-US Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
Google will use this information on our behalf to evaluate the use of our website by users, to compile reports on the activities on our website and to provide us with further services associated with the use of our website. From the processed data, pseudonymous user profiles can be created.
We use Google Analytics only with IP anonymization enabled (‘anonymize_IP’). This means that Google will reduce the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will not associate your IP address with any other data held by Google.
We use the remarketing function of Google Analytics. This function enables you to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-related, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC). To do this, Google stores a cookie in the browsers of users who visit certain Google services or websites on the Google Display Network. To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to our Google Analytics data.
You can permanently opt out of cross-device remarketing/targeting by opting out of personalized advertising in your Google Account by following this link: https://www.google.com/settings/ads/onweb/. For more information about Google Remarketing, please visit: http://www.google.com/privacy/ads/.
We use on our site the component “Google Maps” from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043 USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
Each time you access the Google Maps component, Google will set a cookie to process user preferences and data when you view the page that includes the Google Maps component. As a rule, this cookie is not deleted by closing the browser, but expires after a certain period of time, unless you delete it manually beforehand. If you do not agree with this processing of your data, it is possible to deactivate the “Google Maps” service and in this way prevent the transfer of data to Google. To do this, you must deactivate the Java Script function in your browser. However, we would like to point out that in this case you cannot use “Google Maps” or only to a limited extent.
The plug-in “google+” (Google Plus) is integrated on our website. It is provided and operated by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
When you visit a website that contains such a plug-in, your browser establishes a direct connection to Google’s servers, which in turn transmits the plug-in’s content to your browser and integrates it into the website displayed. This forwards the information that you have visited our website to Google.
If you are logged in to Google Plus or Google through your personal account while you are visiting our site, Google may associate your web page visit with that account. By interacting with plug-ins, e.g. by clicking the button or leaving a comment, this information is transmitted directly to Google and stored there. If you wish to prevent such data transmission, you must log out of your Google Plus or Google account before visiting our website.
If you are a Google Plus member or have logged in to Google and do not want Google to collect information about you when you visit our website and link it to your membership information stored by Google, you must log out of Google Plus or Google before visiting our website.
This data protection declaration is provided by the law firm Hoesmann (https://hoesmann.eu).
Plugins of the social network Facebook (1601 South California Avenue, Palo Alto, CA 94304, USA) are integrated on our page. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
Facebook is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.
You can recognize the Facebook plugins by the Facebook logo or the “Like” button on our site. An overview of the Facebook plugins can be found here: http://developers.facebook.com/docs/plugins/.
When you visit our page, the plugin establishes a direct connection between your browser and the server of Facebook. Facebook receives the information that you have visited our site with your IP address. If you click the Facebook “Like button” while logged in to your Facebook account, you can link the contents of our pages to your Facebook profile. This allows Facebook to associate your visit of our page with your user account. We would like to point out that we, as the provider of these pages, do not receive any knowledge of the content of the transmitted data and their use by Facebook. For more information, please have a look at the privacy statement of Facebook at http://de-de.facebook.com/policy.php. If you do not want Facebook to associate visiting our pages with your Facebook account, please log out of your Facebook account.
Our website includes functions of the services of LinkedIn. The provider is LinkedIn Corporation (2029 Stierlin Court, Mountain View, CA 94043, USA). On our site we provide information and offer LinkedIn users the possibility of communication. The company presence is used for applications, information/PR and active sourcing. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
Our pages include functions of the services of Twitter. These functions are provided by Twitter Inc. (1355 Market St, Suite 900, San Francisco, CA 94103, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
Twitter is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.
If the plug-in is stored on one of the pages you visit on our website, your Internet browser will download a representation of the plug-in from the Twitter servers in the USA. For technical reasons it is necessary for Twitter to process your IP address. In addition, the date and time of your visit to our website are also recorded.
If you are logged in to Twitter while visiting our website, the information collected by the plug-in from your specific visit will be recognized by Twitter. Twitter may assign the information collected in this way to your personal user account there. If you use the “Share” button of Twitter, for example, this information will be stored in your Twitter account and published on the Twitter platform if necessary. If you wish to prevent this, you must either log out of Twitter before visiting our website or make the appropriate settings in your Twitter user account.
We have included YouTube videos in our website. YouTube is an offer of YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, USA). YouTube is a subsidiary of Google LLC. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
Google, and thereby also YouTube, is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.
YouTube videos are embedded in our portal exclusively on the basis of YouTube’s “Extended Data Protection Mode”. According to YouTube, the “Extended Data Protection Mode” function means that the data specified below will only be transmitted to the YouTube server if you actually start a video.
Without this “Extended Data Protection Mode”, a connection to the YouTube server in the USA will be established as soon as you access one of our Internet pages on which a YouTube video is embedded. This connection is required in order to be able to display the respective video on our website via your Internet browser. In the course of this, YouTube will at least record and process your IP address, the date and time as well as the website you visited. In addition, a connection to the Google advertising network “DoubleClick” is established.
If you are logged in to YouTube at the same time, YouTube will assign the connection information to your YouTube account. If you wish to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.
For the purpose of functionality and analysis of usage behavior, YouTube permanently stores cookies via your Internet browser on your terminal. If you do not agree to this processing, you have the option of preventing the storage of cookies by setting it in your Internet browser.
For more information, please visit https://support.google.com/youtube/answer/171780?hl=en in the “Enable Advanced Privacy Mode” section.
VMRay sends it newsletter for the purpose of advertising its product and informing about our company only with consent of the recipient. For the registration to our newsletter we use the double opt-in procedure. You may subscribe and consent to the receipt of our newsletter by providing us with your email address via our contact form, explicitly ticking the opt-in box underneath and by clicking the link in the confirmation mail. By clicking on the corresponding link, we process the public IP address of the computer from which the link is accessed, together with the date and time of the click. We process this data to be able to provide proof that you have confirmed receipt of our email newsletter.
The legal basis for this processing is your consent according to Art. 6 para. 1 a) GDPR.
To send our newsletter we are making use of the newsletter distribution platform “MailChimp”, a service of the Rocket Science Group, LLC (1526 DeKalb Ave NE, Atlanta, GA 30307, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.
The e-mail addresses of our newsletter recipients, as well as the data described below are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, MailChimp uses this data according to its own information to optimize its own services.
However, MailChimp does not pass the data of our newsletter recipients on to third parties.
The newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser, as well as your IP address and time of retrieval are initially collected. This information is used to technically improve the services based on the technical data, the individual reading behavior, the retrieval locations (determined by using the IP address) or access times.
The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. The evaluations serve to recognize the reading habits of our users and to adapt our contents individually according to the interests of our users.
Online Access and Data Management
Ocassionally, we direct the newsletter recipients to the web pages of MailChimp (e.g. in case of display problems, our newsletters contains a link through which recipients can assess the newsletter online). Furthermore, newsletter recipients can subsequently correct their data, e.g. their e-mail address via Mailchimp.
Our website can be used to subscribe to newsletters. The data provided during the newsletter registration will be used only for the purposes of sending out the newsletter, provided you have not consented to other use. You can cancel the subscription at any time by using the unsubscribe option provided in the newsletter.
You may cancel the receipt of our newsletter at any time. By doing that you also revoke your consent to the statistical analyses (as described above). You may cancel the subscription by using the unsubscribe option provided in the newsletter. The data which we require as proof that you have agreed to receive the newsletter will be deleted after expiration of any legal obligation to provide this evidence.
We conduct regular seminar via the Internet (webinar). For this purpose we use the GoToWebinar software solution from LogMeIn, Inc (320 Summer Street Boston, MA 02210, USA).
LogMeIn is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.
A connection will be established between you and the webinar organizer to conduct the webinar. We do not record the sound or image information transmitted during the webinar. With your participation you also confirm not to make any recordings or screen shots. You can end the session at any time by simply closing the browser window or closing the program or app.
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in accordance with Art. 32 GDPR. Such measures shall in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation.
External Data Processors and Third Parties
If we disclose data to other persons or companies (contract processors or third parties) within the scope of our processing, this only takes place on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, in accordance with Art. 6 para. 1 b) GDPR for contract fulfilment is necessary), if you have consented, if a legal obligation provides for it or on the basis of our legitimate interests. If we commission third parties with the processing of data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.
Transfer to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), this only takes place if it is necessary for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests.
Subject to legal or contractual permissions, we process the data in a third country only under the special requirements of Art. 44 ff. GDPR. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognized EU-US Privacy Shield or compliance with officially recognized contractual obligations (“EU Standard Contractual Clauses”).
The continuous development of the Internet makes it necessary for us to adjust our data protection rules from time to time. We reserve the right to implement appropriate changes at any time.
If you wish to exercise your data protection rights or if you have any comments, suggestions, questions or complaints, please do not hesitate to send an e-mail to firstname.lastname@example.org.
Alternatively, our Data Protection Officer (DPO) can be contacted via the website www.datenschutzexperte.de or directly via email@example.com.