The protection of your privacy and your personal data is an important concern to which we pay special attention. Personal data collected during visits to our website is processed according to the legal provisions valid for the countries in which the website is maintained. In the following paragraphs, we provide you with information on how we are following these rules, which data we collect, and how we use it. Thereby, we fulfill our obligation of information under Art. 13 GDPR (General Data Protection Regulation).

The provider (and data controller within the meaning of GDPR) of this website is indicated in the imprint of our website. If you have any questions, do not hesitate to contact us via the e-mail address you will find at the end of this Privacy Policy.

Collecting and Processing Personal Data

a) Website Visitors

When visiting our website, our web servers store details of your operating system and browser used, the webpage from which you came to our website, the pages that you visit on our site, the current date and time, and, for security reasons, the IP address assigned to you by your Internet service provider (ISP). Legal basis for processing is Art. 6 para. 1 f) GDPR.

With the exception of your IP address, personal data is only stored if you choose to submit it to us, e.g. when contacting us via our contact form, during registration, in a survey, in a competition or in order to enable performance of an agreement.

Your personal data remains only with our company, our affiliates, and our provider and will not be made available to third parties. The technical information collected will be used to guarantee smooth functionality of our website. To analyze user behavior, we are making use of Google Analytics. For more information about that – including how to disable data transfer – see below (section ‘Google Analytics’).

For any other purpose than the one specifically intended by you, your personal data will only be processed when you have given us specific consent in accordance with Art. 6 para. 1 a) GDPR. You can adjust your consent for the use of your personal data at any time with an email to the email address listed at the end of this policy to the effect that you revoke your consent in the future.

b) Job Applicants

When applying for a job posting at VMRay via our career-website you will be required to provide us with information on your personal, professional and academic background, including (but not limited to) personal details, contact information, certificates and references. The application data provided by you will only be processed and used by us in connection with your interest in a current or future employment. Legal Basis for this kind of processing is Art. 6 para. 1 f) GDPR and § 26 BDSG (Bundesdatenschutzgesetz / (German) Federal Data Protection Act).

Internally, your application data will only be processed by the relevant contact persons of the Human Resources Department and the department to which your application is directed. In case you are applying for a position at VMRay Inc., your application will be forwarded to the responsible US-employee only. All our employees are obliged to treat personal data as strictly confidential.

In case your application has been successful, your data may be used for administrative purposes within the framework of your future employment and the applicable legal requirements. In that case, your data will be deleted after the ground for storage ceases to exist. The legal basis for storage is Art. 6 para. 1 lit. f) GDPR and § 24 para. 1 no. 2 BDSG. Our legitimate interest lies in legal defense and enforcement.

In case your application has not been successful, we will keep your application for a maximum of 6 months to answer any questions you may have in connection with your application. For longer periods of time, your data will only be stored in case of a legal requirement to do so or for the purpose of providing legal evidence. In that case, your data will be deleted after the ground for storage ceases to exist. The legal basis for storage is Art. 6 para. 1 lit. f) GDPR and § 24 para. 1 no. 2 BDSG. Our legitimate interest lies in legal defense and enforcement. At any time you may exercise your data protection rights as described in this policy (see below).

Contact Form

We provide a contact form on our website which can be used for electronic contact. If a user takes advantage of this possibility, the data entered will be transmitted to us and stored. Your consent is obtained for the processing of the data within the scope of the sending process and reference is made to this privacy policy.

We will use the data you provide only to process your request. The legal basis for this is our legitimate interest in answering your request in accordance with Art. 6 para. 1 f) GDPR. If your request serves the conclusion of a contract with us, further legal basis for the processing is Art. 6 para. 1 b) GDPR. The data will be deleted after your request has been processed. If we are legally obliged to store data for a longer period of time, the data will be deleted after expiry of the corresponding period.

For more information on how to register and deregister from our Newsletter, see section “Newsletters” below.

Data Retention

We store your personal data for as long as it is necessary to perform a service that you have requested or for which you have granted your permission, providing that no legal requirements exist to the contrary such as in case of retention periods required by trade or tax regulations.

At any time you may exercise your right to have your personal data erased, provided that no legal requirement opposes deletion or the data is necessary for the fulfilment of a contractual obligation of VMRay, in which case we will inform you and provide alternative solutions to your request (e.g. blockage of your data).

Data Protection Rights

In accordance with Art. 15 ff. GDPR, VMRay guarantees the following data protection rights:

Right to Information (Art. 15 GDPR): You have the right to request information on your personal data processed by VMRay. This Privacy Policy shall serve this purpose. In case you have any remaining questions, you may send an e-mail to the contact indicated at the end of this Policy.

Right to Access: You may demand access to the personal data processed by VMRay. We will provide the required data to you via e-mail.

Right to Rectification (Art. 16 GDPR): You may demand from VMRay the rectification of inaccurate personal data concerning you.

Right to Erasure (Art. 17 GDPR): You may demand from VMRay erasure of your personal data. VMRay is going to comply with your request unless legal requirements oppose deletion or we have to process the data in order to fulfill our contractual obligations. In that case, we will contact you and provide alternative solutions to your request (e.g. blockage of your data).

Right to Data Portability (Art. 20 GDPR): At your request, VMRay will provide you with your data in a suitable format and (if technically possible) we will transmit your data to another responsible controller upon your request.

Right to Object and to Restrict (Art. 18, 21 GDPR): Furthermore, you may demand from us to end the processing of your personal data at any given time or to restrict your consent to the processing activities.

Right to Complain: In case of a complaint, you may contact the competent data protection supervisory authority.

In order to exercise your rights, you may send an e-mail to the address indicated at the end of this policy.

Cookies

Cookies are small text files containing information which makes it possible to identify repeated visitors exclusively for the duration of their visit to our web pages.

Cookies are stored on the hard disk of your computer and do not cause any damage there. They can be used to determine whether there has been any contact between us and your end device in the past. Only the cookie on your end device is identified. Personal data can only be saved in cookies if you have given your consent or if it is essential for technical reasons, e.g., to enable a secure login. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

On our website, we only use cookies if they are required for an application or service which we provide. If you would like to opt out of the advantages of these cookies, you can read in the Help function on your browser how to adjust your browser to prevent these cookies, accept new cookies, or delete existing cookies. You can also learn there how to block all cookies or set up notifications for new cookies. If you choose not to accept cookies it may result in a reduced availability of the services provided on our website.

The Cookies which we currently use on the website are listed in the following table:

Cookie: _ga
Type: Persistent
Description: We use Google Analytics to measure performance and improve your user experience. This cookie is used to uniquely identify you as a visitor to this site. This is achieved by generating two random 32-bit numbers and setting them in a cookie, no personal information or data is tracked.

Cookie: _cat
Type: Session
Description: We use Google Analytics to measure performance and improve your user experience. This cookie is used to throttle the request rate back to Google.

Cookie: Youtube
Type: Persistent
Description: We embed Youtube-videos via the so-called “Advanced Privacy Mode”, where cookies are only stored on your computer when playing the video. According to Youtube, in privacy mode no personal data is stored in the cookies for playbacks of embedded videos. For more information please visit this page.

Google Analytics

We use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online offer by users is generally transferred to a Google server in the USA and stored there.

Google is certified under the EU-US Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.

Google will use this information on our behalf to evaluate the use of our website by users, to compile reports on the activities on our website and to provide us with further services associated with the use of our website. From the processed data, pseudonymous user profiles can be created.

We use Google Analytics only with IP anonymization enabled (‘anonymize_IP’). This means that Google will reduce the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will not associate your IP address with any other data held by Google.

We use the remarketing function of Google Analytics. This function enables you to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-related, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC). To do this, Google stores a cookie in the browsers of users who visit certain Google services or websites on the Google Display Network. To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to our Google Analytics data.

You can permanently opt out of cross-device remarketing/targeting by opting out of personalized advertising in your Google Account by following this link: https://www.google.com/settings/ads/onweb/. For more information about Google Remarketing, please visit: http://www.google.com/privacy/ads/.

You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=en-GB. You must perform this opt out on all systems that you use, for example in another browser or on your mobile device.

The data collected in your Google Account is collected solely on the basis of your consent, which you may give or revoke to Google (Art. 6 para. 1 lit. a GDPR). In case of data collection processes that are not consolidated in your Google Account (e.g. because you do not have a Google Account or have objected to the consolidation), the data collection is based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR. For more information on terms of use and privacy, please visit http://www.google.com/analytics/terms/de.html or https://www.google.de/intl/de/policies/.

Google Maps
We use on our site the component “Google Maps” from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043 USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

Each time you access the Google Maps component, Google will set a cookie to process user preferences and data when you view the page that includes the Google Maps component. As a rule, this cookie is not deleted by closing the browser, but expires after a certain period of time, unless you delete it manually beforehand. If you do not agree with this processing of your data, it is possible to deactivate the “Google Maps” service and in this way prevent the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case you cannot use “Google Maps” or only to a limited extent.

The use of “Google Maps” and the information obtained via “Google Maps” is subject to the Google Terms of Use.

Google+

The plug-in “google+” (Google Plus) is integrated on our website. It is provided and operated by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

When you visit a website that contains such a plug-in, your browser establishes a direct connection to Google’s servers, which in turn transmits the plug-in’s content to your browser and integrates it into the website displayed. This forwards the information that you have visited our website to Google.

If you are logged in to Google Plus or Google through your personal account while you are visiting our site, Google may associate your web page visit with that account. By interacting with plug-ins, e.g. by clicking the button or leaving a comment, this information is transmitted directly to Google and stored there. If you wish to prevent such data transmission, you must log out of your Google Plus or Google account before visiting our website.
We have no influence on the extent and content of the data that Google collects with the button. We assume that your IP address will also be recorded and transmitted. You can find out about the purpose, scope and use of data collection by Google Inc. on its privacy policy via http://www.google.com/intl/de/+/policy/+1button.html.

If you are a Google Plus member or have logged in to Google and do not want Google to collect information about you when you visit our website and link it to your membership information stored by Google, you must log out of Google Plus or Google before visiting our website.

This data protection declaration is provided by the law firm Hoesmann (https://hoesmann.eu).

Facebook

Plugins of the social network Facebook (1601 South California Avenue, Palo Alto, CA 94304, USA) are integrated on our page. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

Facebook is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.

You can recognize the Facebook plugins by the Facebook logo or the “Like” button on our site. An overview of the Facebook plugins can be found here: http://developers.facebook.com/docs/plugins/.

When you visit our page, the plugin establishes a direct connection between your browser and the server of Facebook. Facebook receives the information that you have visited our site with your IP address. If you click the Facebook “Like button” while logged in to your Facebook account, you can link the contents of our pages to your Facebook profile. This allows Facebook to associate your visit of our page with your user account. We would like to point out that we, as the provider of these pages, do not receive any knowledge of the content of the transmitted data and their use by Facebook. For more information, please have a look at the privacy statement of Facebook at http://de-de.facebook.com/policy.php. If you do not want Facebook to associate visiting our pages with your Facebook account, please log out of your Facebook account.

LinkedIn

Our website includes functions of the services of LinkedIn. The provider is LinkedIn Corporation (2029 Stierlin Court, Mountain View, CA 94043, USA). On our site we provide information and offer LinkedIn users the possibility of communication. The company presence is used for applications, information/PR and active sourcing. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

If you click the LinkedIn “Share-Button” (Plug-In), you will be redirected to your user account in a separate browser window – provided you are logged into your user account at LinkedIn – and can share the electronic publication stored on our website by adding a comment. The plug-in establishes a direct connection between your browser and the LinkedIn server. LinkedIn receives the information that you have visited our website with your IP address. LinkedIn will also be able to associate your visit to our website with you and your user account. We point out that we have no knowledge of the content of the transmitted (personal) data and their use by LinkedIn. For more information, please see LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy.

Twitter

Our pages include functions of the services of Twitter. These functions are provided by Twitter Inc. (1355 Market St, Suite 900, San Francisco, CA 94103, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

Twitter is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.

If the plug-in is stored on one of the pages you visit on our website, your Internet browser will download a representation of the plug-in from the Twitter servers in the USA. For technical reasons it is necessary for Twitter to process your IP address. In addition, the date and time of your visit to our website are also recorded.

If you are logged in to Twitter while visiting our website, the information collected by the plug-in from your specific visit will be recognized by Twitter. Twitter may assign the information collected in this way to your personal user account there. If you use the “Share” button of Twitter, for example, this information will be stored in your Twitter account and published on the Twitter platform if necessary. If you wish to prevent this, you must either log out of Twitter before visiting our website or make the appropriate settings in your Twitter user account.

We would like to point out that we are not aware of the content of the data transmitted or how it is used by Twitter. For more information, please see Twitter’s privacy policy at http://twitter.com/privacy. You can change your Twitter privacy settings in your account settings at http://twitter.com/account/settings.

YouTube

We have included YouTube videos in our website. YouTube is an offer of YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, USA). YouTube is a subsidiary of Google LLC. The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

Google, and thereby also YouTube, is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.

YouTube videos are embedded in our portal exclusively on the basis of YouTube’s “Extended Data Protection Mode”. According to YouTube, the “Extended Data Protection Mode” function means that the data specified below will only be transmitted to the YouTube server if you actually start a video.

Without this “Extended Data Protection Mode”, a connection to the YouTube server in the USA will be established as soon as you access one of our Internet pages on which a YouTube video is embedded. This connection is required in order to be able to display the respective video on our website via your Internet browser. In the course of this, YouTube will at least record and process your IP address, the date and time as well as the website you visited. In addition, a connection to the Google advertising network “DoubleClick” is established.

If you are logged in to YouTube at the same time, YouTube will assign the connection information to your YouTube account. If you wish to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.

For the purpose of functionality and analysis of usage behavior, YouTube permanently stores cookies via your Internet browser on your terminal. If you do not agree to this processing, you have the option of preventing the storage of cookies by setting it in your Internet browser.

For more information, please visit https://support.google.com/youtube/answer/171780?hl=en in the “Enable Advanced Privacy Mode” section.

Newsletters

VMRay sends its newsletter for the purpose of advertising its product and informing about our company only with consent of the recipient. For the registration to our newsletter we use the double opt-in procedure. You may subscribe and consent to the receipt of our newsletter by providing us with your email address via our contact form, explicitly ticking the opt-in box underneath and by clicking the link in the confirmation mail. By clicking on the corresponding link, we process the public IP address of the computer from which the link is accessed, together with the date and time of the click. We process this data to be able to provide proof that you have confirmed receipt of our email newsletter.

The legal basis for this processing is your consent according to Art. 6 para. 1 a) GDPR.

MailChimp
To send our newsletter we are making use of the newsletter distribution platform “MailChimp”, a service of the Rocket Science Group, LLC (1526 DeKalb Ave NE, Atlanta, GA 30307, USA). The legal basis for this type of processing is Art. 6 para. 1 f) GDPR.

The e-mail addresses of our newsletter recipients, as well as the data described below are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, MailChimp uses this data according to its own information to optimize its own services.
However, MailChimp does not pass the data of our newsletter recipients on to third parties.

MailChimp is certified under the US-EU Privacy Shield and thus commits itself to comply with EU data protection principles. Furthermore, VMRay has concluded a Data Processing Agreement with MailChimp in which MailChimp undertakes to protect the data of our users, to process them on our behalf in accordance with their data protection regulations and in particular not to pass them on to third parties. The Privacy Policy of MailChimp can be accessed via https://mailchimp.com/legal/privacy/.

Statistical Evaluations
The newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser, as well as your IP address and time of retrieval are initially collected. This information is used to technically improve the services based on the technical data, the individual reading behavior, the retrieval locations (determined by using the IP address) or access times.

The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. The evaluations serve to recognize the reading habits of our users and to adapt our contents individually according to the interests of our users.

Online Access and Data Management
Occasionally, we direct the newsletter recipients to the web pages of MailChimp (e.g. in case of display problems, our newsletters contain a link through which recipients can access the newsletter online). Furthermore, newsletter recipients can subsequently correct their data, e.g. their e-mail address, via MailChimp.

In this context we would like to point out that cookies are used on the websites of MailChimp and thus personal data are processed by MailChimp, its partners and service providers (e.g. Google Analytics). We have no influence on this data collection. Further information can be found in the privacy policy of MailChimp.

Our website can be used to subscribe to newsletters. The data provided during the newsletter registration will be used only for the purposes of sending out the newsletter, provided you have not consented to other use. You can cancel the subscription at any time by using the unsubscribe option provided in the newsletter.

Unsubscribe
You may cancel the receipt of our newsletter at any time. By doing that you also revoke your consent to the statistical analyses (as described above). You may cancel the subscription by using the unsubscribe option provided in the newsletter. The data which we require as proof that you have agreed to receive the newsletter will be deleted after expiration of any legal obligation to provide this evidence.

Webinars
We conduct regular seminars via the Internet (webinars). For this purpose we use the GoToWebinar software solution from LogMeIn, Inc (320 Summer Street Boston, MA 02210, USA).

LogMeIn is certified under the EU-US Privacy Shield, thereby guaranteeing adherence to general EU data protection principles.

A connection will be established between you and the webinar organizer to conduct the webinar. We do not record the sound or image information transmitted during the webinar. With your participation you also confirm not to make any recordings or screen shots. You can end the session at any time by simply closing the browser window or closing the program or app.

LogMeIn’s privacy policy is available at: https://www.logmeininc.com/de/legal/privacy.

Security

We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in accordance with Art. 32 GDPR. Such measures shall in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation.

External Data Processors and Third Parties
If we disclose data to other persons or companies (contract processors or third parties) within the scope of our processing, this only takes place on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, in accordance with Art. 6 para. 1 b) GDPR for contract fulfilment is necessary), if you have consented, if a legal obligation provides for it or on the basis of our legitimate interests. If we commission third parties with the processing of data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.

Transfer to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), this only takes place if it is necessary for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests.
Subject to legal or contractual permissions, we process the data in a third country only under the special requirements of Art. 44 ff. GDPR. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognized EU-US Privacy Shield or compliance with officially recognized contractual obligations (“EU Standard Contractual Clauses”).

Contact

The continuous development of the Internet makes it necessary for us to adjust our data protection rules from time to time. We reserve the right to implement appropriate changes at any time.

If you wish to exercise your data protection rights or if you have any comments, suggestions, questions or complaints, please do not hesitate to send an e-mail to dataprotection@vmray.com.

Alternatively, our Data Protection Officer (DPO) can be contacted via the website www.datenschutzexperte.de or directly via datenschutzbeauftragter@datenschutzexperte.de.