PRIVACY POLICY (Website)

In this privacy policy we inform you about the processing of personal data and about the access and storage of information on your end device when using our website onefootball.com.

Content of this privacy policy:

  1. Responsible and contact person

  2. Data processing on our website

  3. OneFootball Credit token $OFC

  4. Use of tools

  5. Online presence in social networks

  6. Data Sharing

  7. Data transfer to third countries

  8. Storage duration

  9. Token Airdrop / Airdrop Claim

  10. 1F Predict

  11. Your rights

  12. Changes to the privacy policy

1. Responsible and contact person

The contact person and so-called controller for the processing of your personal data when you visit this website within the meaning of the General Data Protection Regulation (GDPR) is:

OneFootball GmbH
Donaustraße 44
12043 Berlin
Germany

For the processing of your personal data in connection with the data processes relating to the issuance, sale, transfer and any further transactions of and with respect to the OneFootball Credit tokens (“$OFC Tokens”) as well as all associated actions, the controller, in addition to OneFootball GmbH, will also be:

OneFootball Capital GmbH
Donaustraße 44
12043 Berlin
Germany

OneFootball GmbH and OneFootball Capital GmbH together will be referred to as “OneFootball”.

If you have any questions about data protection in connection with the use of our website, OneFootball support and the OneFootball TV app (hereinafter referred to as OneFootball services) or in connection with the $OFC Token, you can also contact our external data protection officer at any time. This can be contacted at the above postal address and by email at privacy@onefootball.com (keyword: "Attn. data protection officer"). We expressly point out that if you use this email address, the content will not be viewed exclusively by our data protection officer. If you wish to exchange confidential information, we therefore ask that you first contact us directly via this e-mail address.

2. Data processing on our website

2.1 Accessing our website / connection data

Each time you use our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular

  • IP address of the requesting device;

  • Method (e.g. GET, POST), date and time of the request;

  • Address of the requested website and path of the requested file;

  • if applicable, the previously accessed website/file (HTTP referrer);

  • Information about the browser and operating system used;

  • Version of the HTTP protocol, HTTP status code, size of the delivered file;

  • Request information such as language, type of content, encoding of content, character sets;

  • Cookies stored on the end device of the domain called up.

The data processing of this connection data is absolutely necessary to enable the visit to the website, to ensure the permanent functionality and security of our systems and to maintain our website in general for administrative purposes. The connection data is also stored in internal log files for the purposes described above, temporarily and limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal calls that jeopardise the stability and security of our website.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, provided that the page visit is made in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in enabling website access and the permanent functionality and security of our systems.

2.2 Contact us

You have various options for getting in touch with us. These include the contact form and the e-mail address feedback@onefootball.com. In this context, we process your data exclusively for the purpose of communicating with you.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, insofar as your details are required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest in you contacting us and us being able to answer your enquiry.

The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need your enquiry to fulfil contractual or legal obligations (see section 7 "Storage duration").

2.3 Registration

You have the option of registering with an account for our login area in order to be able to use the full range of functions on our website. We have highlighted the data that you are required to enter as mandatory fields. Registration is not possible without this data.

You will need to enter your e-mail address and password.

The following data may be processed as part of the registration process:

  • Salutation, gender (optional);

  • First and last name (optional);

  • Date of birth (optional);

  • Profile picture (optional)

The legal basis for processing the data required for registration (mandatory fields) is Art. 6 para. 1 lit. b GDPR. For all other data, the legal basis is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to enable the individualisation, adaptation and modification of your account, or your consent in accordance with Art. 6 para. 1 lit. a GDPR, insofar as you have given us this.

Our website offers you the option of logging in with an existing account on the social networks listed below:

  • Facebook Login: Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland (for persons outside the USA and Canada) or Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA (for persons from the USA and Canada) - Privacy Policy: https://www.facebook.com/privacy/policy/;

  • Google Sign-In for Websites: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for persons from the European Economic Area and Switzerland) or Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (for all other persons) - Privacy Policy: https://policies.google.com/privacy;

  • Register with Apple: Apple Distribution International ltd, Hollyhill Industrial Estate, Hollyhill Cork, Republic of Ireland (for persons from the European Economic Area and Switzerland) or Apple Inc, One Apple Park Way, Cupertino, CA 95014, USA (for all other persons).

Once you have logged in with one of your existing accounts, additional registration is no longer required. If you want to use the function, you will first be redirected to the relevant social network. There you will be asked to log in with your login name and password. Of course, we do not take any notice of this login data. The server to which a connection is established may be located in the USA or in other third countries.

By confirming the corresponding login button on our website, the relevant social network will be informed that you have logged in to your account on our site and will link your social network account to your account on our website. The following data is also transmitted to us:

  • Facebook login: e-mail address, public profile information (in particular Facebook ID, name, profile picture), possibly other profile information such as age, date of birth, Facebook friends, gender, place of residence, like information, profile URL, locations, posts, photos, videos; cookies used in particular: "fbsr";

  • Google Sign-In for Websites: Email address, Google ID, name, profile picture URL, gender and date of birth;

  • Sign in with Apple: E-mail address (you can also choose the e-mail address of an Apple Relay service), Apple ID

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

Your personal data may also be transferred by Meta, Google and Apple to the USA and processed there. Meta Platforms Inc. and Google LLC have joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the USA in accordance with Art. 45 GDPR. Apple is obliged by standard contractual clauses to comply with the level of data protection in the EU.

2.3.1 Use without registration

You can also use essential functions of our platform without registering. However, the use of these basic functionalities, such as specifying a favourite team and tracking clubs, leagues, associations and players, as well as displaying football results and content, requires the processing of personal data.

In order to be able to use the basic functionalities, we generate a device-specific identification number (pseudonym) when the website is opened for the first time. Information such as the operating system, IP address and server request time is also processed for the technical display of content. The IP addresses are deleted or anonymised after processing, whereby the location is only determined up to the geographical level of the country.

The data in the technical logs is analysed anonymously in order to improve our platform and correct possible errors. The data processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to display your content based on your interests (namely clubs, leagues, associations and players).

2.4 Orders

During an order process (e.g. pay-per-view), we collect the mandatory data required for contract processing:

  • Salutation;

  • First name and surname;

  • Date of birth;

  • E-mail address;

  • Invoice address;

  • Payment information (e.g. IBAN, credit card, etc.);

  • Telephone number

  • GPS data, if applicable

The legal basis for processing is Art. 6 para. 1 lit. b GDPR.

2.5 Newsletter

You have the option of subscribing to our newsletter, in which we regularly inform you about new products and promotions.

2.5.1 Subscribe to the newsletter

We use the so-called double opt-in procedure to subscribe to our newsletter, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you are the owner of the e-mail address provided. If you confirm your e-mail address, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to be able to prove your registration. In addition, we measure whether our newsletter can be delivered at all.

The legal basis for processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by unsubscribing from the newsletter. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient.

2.5.2 Newsletter tracking

We want to share content that is as relevant as possible for our users via our newsletter and better understand what you are actually interested in. We therefore use standard market technologies in our newsletters to measure interactions with the newsletters (e.g. opening of the email, links clicked on). We use this data in pseudonymous form for general statistical evaluations and to optimise and further develop our content and customer communication. On the one hand, this is done with the help of small graphics embedded in the newsletter (so-called pixels), which establish a connection to the server of the images when the e-mail is opened. On the other hand, we use links where we first register a click on this link and only then forward it to the desired target page.

The legal basis for this is your consent in accordance with Art. 6 para. 1 lit. a GDPR. The information in the end device is then accessed on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to the analysis of user behaviour at any time with effect for the future by unsubscribing from the newsletter. You can also prevent the measurement of the opening of an email by deactivating graphics or the output of HTML content in your email programme by default.

The data on the interaction with our newsletters is stored pseudonymously for 90 days and then completely anonymised.

2.6 Existing customer acquisition by e-mail

If you register with us or make a purchase from us, we will also use your contact details to send you further information about our products and services that is relevant to you by email ("existing customer advertising"). This may include, in particular, news, promotions and offers as well as feedback and other surveys.

The legal basis for this data processing is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG, according to which data processing is permitted to safeguard legitimate interests, insofar as this concerns the storage and further use of data for advertising purposes. You can object to the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the contact details given above (e.g. by email or letter) without incurring any costs other than the transmission costs according to the basic rates.

2.7 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.

The legal basis for data processing when participating in the survey is your consent in accordance with Art. 6 para. 1 lit. a GDPR. We base the sending of the surveys on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided that you have given us this consent.

You can object to the sending of a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the e-mails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter) or revoke your consent with effect for the future without incurring any costs other than the transmission costs according to the basic rates.

2.8 Competitions

You have the opportunity to take part in our competitions.

In the context of competitions, we use your data for the purpose of organising the competition and notifying you of the prize. Detailed information can be found in the conditions of participation for the respective competition. The legal basis for processing is the competition contract in accordance with Art. 6 para. 1 lit. b GDPR. Data processing for other or further purposes, in particular for advertising, is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

We base the sending of the offer to participate in the competition on your consent in accordance with Art. 6 para. 1 lit. a GDPR, provided you have given us this consent.

You can object to the sending of an offer to participate in competitions and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the above-mentioned contact details (e.g. by email or letter) or revoke your consent with effect for the future without incurring any costs other than the transmission costs according to the basic rates.

2.9 Job Applications

You can find the privacy policy for applications here:

Privacy Policy (Recruiting)

3. OneFootball Credit token $OFC

Within the OneFootball Community, users can obtain $OFC Tokens. The issuer of $OFC Tokens is the OneFootball Capital GmbH as described in Section 1 of this Privacy Policy. To acquire $OFC Tokens, users must be part of the OneFootball Community and create a self-custodial OneFootball smart wallet. OneFootball processes the personal data collected from the registration process for the OneFootball Community or, in case of public sale events, from third parties to identify the user of the OneFootball Community accordingly. Such data can typically be name, email address, login credentials, etc. OneFootball links the wallet address of the specific user to the user’s OneFootball Community account. The legal basis for this data processing is OneFootball’s contractual obligations to provide services to the user (Art. 6 (1) (b) GDPR).

To comply with legal regulations, in particular to prevent money laundering and terrorist financing, OneFootball is obliged to verify the identity of the user and match certain data with third-party providers for KYC (“know your customer”) and AML (“anti-money laundry”) purposes. Third-party service providers may conduct KYC processes. The personal data involved in these processes includes, for example, identification documents, proof of residence and risk-based checks. OneFootball may be required to submit regulatory reports to the financial supervisory authority or other authorities. This data processing is based on OneFootball’s legal obligation pursuant to Art. 6 (1) (c) GDPR.

To enable OneFootball’s token-related services, the token and trading data (e.g. transfers, allocations, purchases, sales, timestamps) is processed. The legal basis for this type of data processing is the fulfillment of OneFootball’s contractual obligations towards the user pursuant to Art. 6 (1) lit. b) GDPR. Due to the nature of blockchain technology certain transaction-related data such as wallet addresses and technical metadata may be stored on a public and decentralized blockchain. While no directly identifying information such as names or email addresses is stored on the blockchain, wallet addresses may potentially be linked to the identity of users by third parties. Entries recorded on the blockchain are permanent and cannot be altered or deleted retroactively. Therefore, the rights of erasure or rectification regarding such data may be limited due to the inherent technology of the blockchain.

To ensure the security, stability and availability of the services, OneFootball processes certain technical information such as IP addresses, log files and device information. This also serves to detect and defend against unlawful access or attempted fraud. The legal basis for this type of data processing is OneFootball’s legitimate interest in the secure operation of its services and the avoidance of risks in accordance with Art. 6 (1) (f) GDPR.

4. Use of tools

4.1 Technologies used

This website uses various services and applications (collectively "tools") that are offered either by us or by third parties. These include, in particular, tools that use technologies to store or access information in the end device:

  • Cookies: Information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.

  • Web storage (local storage / session storage): Information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be deleted manually.

  • JavaScript: programming codes (scripts) embedded or called up in the website that, for example, set cookies and web storage or actively collect information from the end device or about the user behaviour of visitors. JavaScript may be used for "active fingerprinting" and the creation of user profiles. JavaScript can be blocked by a setting in the browser, although most services will then no longer work.

  • Pixel: A tiny graphic automatically loaded by a service that can make it possible to recognise visitors by automatically transmitting the usual connection data (in particular IP address, information about the browser, operating system, language, address called up and time of the call) and, for example, to determine whether an email has been opened or a website visited. With the help of pixels, "passive fingerprinting" and the creation of user profiles can be carried out. The use of pixels can be prevented, for example, by blocking images, such as in emails, although the display is then severely restricted.

  • TC-String: For providers participating in the Transparency and Consent Framework ("TCF") of the Interactive Advertising Bureau ("IAB"), user preferences recorded in a content management platform are coded and stored in a sequence of letters and numbers, the so-called Transparency and Consent String ("TC-String"). Providers can use this TC string to display targeted advertising to users.

With the help of these technologies and also by simply establishing a connection on a page, it may be possible to create so-called "fingerprints", i.e. user profiles that do not require the use of cookies or web storage but can still recognise visitors. Fingerprints based on the connection setup cannot be completely prevented manually.

Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings so that all or certain cookies are rejected or scripts and graphics are blocked. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services may not work or may not work properly.

In the following, the tools we use are listed according to category, whereby we inform you in particular about the providers of the tools, the storage duration of cookies or information in local storage and session storage as well as the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can withdraw this consent.

4.2 Legal basis and cancellation

4.2.1 Legal basis

We use tools necessary for website operation on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in order to provide the basic functions of our website. In certain cases, these tools may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

We use all other non-essential (optional) tools that provide additional functions on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. These include, for example, tools that are used to recognise users and to statistically record and analyse general user behaviour on this and other websites. With the help of these tools, we can understand usage habits and adapt and optimise this website. They also include, for example, tools that are used to create user profiles about user behaviour and the advertisements and content viewed or clicked on by users. This enables classification into advertising categories, the display of personalised advertising and content on this and other websites and retargeting with advertising on other websites. The access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. Data processing using these tools only takes place if we have received your consent for this in advance.

If personal data is transferred to third countries, we refer, also with regard to any associated risks, to Section 6 ("Data transfer to third countries"). We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools and the associated transfer of your personal data to third countries, we will (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 lit. a GDPR.

4.2.2 Obtaining your consent

To obtain and manage your consent, we use the consent management platform ("CMP") tool OneTrust from OneTrust, LLC, 1200 Abernathy Rd, Suite 700, Atlanta, Georgia 30328 ("OneTrust"). This generates a banner that informs you about the data processing on our website and gives you the opportunity to consent to all, individual or no data processing using optional tools. This banner appears when you visit our website and when you call up the selection of your settings again in order to change them or revoke your consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookies or information in the local storage have been deleted or have expired.

As part of your website visit, your consent or revocation, your IP address, information about your browser, your device and the time of your visit are transmitted to OneTrust. In addition, necessary information is stored on your device to document your consents and revocations ("Cookielaw by OneTrust (formerly Optanaon)").

Data processing is necessary to provide you with the legally required consent management and to fulfil our documentation obligations. The legal basis is Art. 6 para. 1 lit. f GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

4.2.3 Revoking your consent or changing your selection

You can revoke your consent for certain tools, i.e. for the storage and access to information in the end device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. To do this, click on the following link/button: Einstellungen | OneFootball please click on "Privacy settings" on the bottom of the side. There you can also change the selection of tools you wish to consent to the use of and obtain additional information on the tools used. Alternatively, you can assert your cancellation directly with the provider for certain tools.

4.3 IAB Transparency and Consent Framework

When using OneTrust, the current version of the IAB Transparency and Consent Framework ("TCF") standard is observed, which specifies conclusive categories of processing purposes and the associated legal bases. TCF also enables your decisions made in the CMP, such as consents, revocations and objections, to be forwarded directly to the providers of the technologies in the CMP. The so-called TC string is used for this purpose. This ensures that your current request is always honoured and complied with by the providers.

The following user data is transmitted to OneTrust as part of the website visit: Consents, revocations and objections, IP address, information about the browser, end device and the time of the visit.

4.4 Necessary tools

We use certain tools to enable the basic functions of our website ("necessary tools"). These include, for example, tools to prepare and display website content, to manage and integrate tools, to provide payment processing services, to detect and prevent fraud and to ensure the security of our website. Without these tools, we would not be able to provide our service. Therefore, necessary tools are used without consent.

The legal basis for necessary tools is the necessity to fulfil our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the provision of the respective basic functions and the operation of our website. In cases where the provision of the respective website functions is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, the legal basis for data processing is Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

4.4.1 Own tools

We use our own necessary tools that access information in the end device or store information on the end device, in particular

  • for login authentication,

  • for load distribution,

  • to save your language settings,

  • to note that information placed on our website has been displayed to you - so that it will not be displayed again the next time you visit the website.

4.5 Functional tools

We also use optional tools to improve the user experience on our website and to offer you more functions ("functional tools"). Although these are not absolutely necessary for the basic functions of the website, they can bring considerable benefits to visitors, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels. This can include, in particular, the integration of external content such as maps and videos as well as logging in via an existing social network account or, for example, a comment function.

The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To revoke your consent, see 3.2.3: "Revoking your consent or changing your selection".

In the event that personal data is transferred to third countries, in addition to the information provided below, we refer to Section 6 ("Data transfer to third countries").

4.6 Analysis tools

In order to improve our website, we use optional tools to recognise visitors and to statistically record and analyse general user behaviour based on access data ("analysis tools"). We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is analysed and enables us to understand the usage habits of our visitors. This helps us to adapt and optimise the design of our website and make the user experience more pleasant.

The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To revoke your consent, see 3.2.3: "Revoking your consent or changing your selection".

In the event that personal data is transferred to third countries, in addition to the information provided below, we refer to Section 6 ("Data transfer to third countries").

4.7 Marketing tools

We also use optional tools for advertising purposes ("marketing tools"). Some of the access data collected when you use our website is used to create usage profiles, which in particular store your usage behaviour, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences. By analysing and evaluating this access data, we are able to show you personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites and services of other providers. We also analyse your usage behaviour in order to recognise you on other sites and to address you in a personalised manner based on your use of our site (so-called "retargeting"). In addition, we analyse the effectiveness and success of our advertising campaigns (in particular so-called "conversions" and leads).

Marketing tools also include optional social network tools that are used to share posts and content via these networks ("social media plugins").

The legal basis for the marketing tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. To revoke your consent, see 3.2.3: "Revoking your consent or changing your selection".

In the event that personal data is transferred to third countries, in addition to the information provided below, we refer to Section 6 ("Data transfer to third countries").

In the following section, we would like to explain the tools and the providers used for this in more detail. The data collected may include in particular

  • the IP address of the device;

  • the information of a cookie and in local or session storage;

  • the device identifier of mobile devices (e.g. device ID, advertising ID);

  • Referrer URL (previously visited page);

  • Pages accessed (date, time, URL, title, duration of visit);

  • Downloaded files;

  • Clicked links to other websites;

  • If applicable, achievement of certain goals (conversions);

  • Technical information: Operating system; browser type, version and language;

    device type, make, model and resolution;

  • Approximate location (country and city if applicable).

However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about individuals.

4.8 Processing purposes, functions and service providers

Processing purposes and functions, as well as the individual providers ("suppliers") can be viewed in the CMP under the following link under "Data protection settings" home | OneFootball.

5. Online presence in social networks

We maintain an online presence on social networks in order to communicate with customers and interested parties and to provide information about our products and services. User data is generally processed by the relevant social networks for market research and advertising purposes. This allows user profiles to be created based on the interests of users. Cookies and other identifiers are stored on the computers of the data subjects for this purpose. These user profiles are then used, for example, to display adverts within the social networks as well as on third-party websites.

As part of the operation of our online presences, we may have access to information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may contain, in particular, demographic information (e.g. age, gender, region, country) and data on interaction with our online presence (e.g. likes, subscriptions, sharing, viewing images and videos) and the posts and content distributedvia it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can also be used by us to adapt the design and our activities and content on the online presence and to optimise it for our audience. Please refer to the list below for details and links to the social network data that we can access as the operator of the online presence. The collection and use of these statistics are generally subject to joint responsibility. Where this applies, the relevant contract is listed below.

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 lit. b GDPR, in order to stay in contact with our customers and inform them and to carry out pre- contractual measures with interested parties.

If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This can be done, for example, via direct messages or posts. The content of communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. As soon as we transfer personal data from you to our own systems or process it further, we are independently responsible for this and this is done to carry out pre-contractual measures and to fulfil a contract in accordance with Art. 6 para. 1 lit. b GDPR.

The legal basis for the data processing carried out by the social networks on their own responsibility can be found in the data protection information of the respective social network. The links below will also provide you with further information on the respective data processing and the options to object.

We would like to point out that data protection requests can be made most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. You can also contact us with your request. In this case, we will process your enquiry and forward it to the provider of the social network.

Below is a list with information on the social networks on which we have an online presence:

6. Data sharing

The data collected by us will only be passed on if there is a legal basis for this under data protection law in the specific case, in particular if:

  • you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR,

  • the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

  • we are legally obliged to disclose data in accordance with Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to official enquiries, court orders and legal proceedings, or

  • this is legally permissible and required in accordance with Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that are carried out at your request.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular, data centres that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.

7. Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. If this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the fulfilment of the contract or for the implementation of pre-contractual measures.

If a transfer to a third country is planned and there is no adequacy decision or suitable guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. If you obtain your consent via the consent banner, you will also be informed of this.

8. Storage duration

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need the data until the statutory limitation period expires for evidence purposes for civil law claims, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of your data in the specific individual case.

For evidence purposes, we must retain contract data in particular for three years from the end of the year in which the business relationship with you ends. Any claims expire at the earliest at this time in accordance with the statutory limitation period.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years.

9. Token Airdrop / Airdrop Claim

If you use the Airdrop Claim feature in FanPass, we process your personal data in order to verify your eligibility for the airdrop and, if you are eligible, to enable you to claim your tokens, select a vesting option (3, 6, or 9 months), and enter into and perform the related agreement with OneFootball. We also process your data to properly administer the airdrop and to reallocate any unclaimed tokens, or tokens not contractually secured within the applicable deadline, to the treasury wallet in accordance with the applicable airdrop terms and conditions.

9.1 Categories of Personal Data Processed

In this context, we process in particular your wallet address, transaction and claim data, your email address, and your username or handle. We obtain this data either directly from you or from our internal systems. To the extent that we also consult publicly accessible blockchain data (for example, to verify on-chain eligibility criteria or transaction history), such data may not have been collected directly from you. Where required under Article 14 GDPR, we will inform you of the source and categories of such data here.

9.2 Purposes and Legal Bases

To the extent that processing is necessary to carry out the claim process, enable the selection of a vesting option, and to enter into or perform the related agreement, the legal basis is Article 6(1)(b) GDPR (performance of a contract to which you are party).

To the extent that processing is necessary to verify airdrop eligibility, prevent abusive or multiple claims, ensure the technical and organisational integrity of the airdrop, or reallocate unclaimed or forfeited allocations to the treasury wallet in compliance with the applicable rules, the legal basis is Article 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in the secure, fair, and proper administration of the airdrop. We have balanced this interest against your rights and interests and consider that this processing does not override your fundamental rights, given that the processing is limited to what is necessary to administer the airdrop securely and fairly, and that the processing is reasonably foreseeable from your participation in the airdrop.

Where processing is based on Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation. Please see Section 11 "Your Rights" for further details.

9.3 Recipients

Recipients of your data include the relevant internal teams as well as cloud service providers, blockchain node and RPC providers, and other blockchain infrastructure service providers engaged by us.

9.4 International transfers and blockchain

Where personal data is transferred outside the EEA in connection with off-chain processing, we use an appropriate transfer mechanism in accordance with applicable law, such as an adequacy decision or the Standard Contractual Clauses adopted by the European Commission.

Where personal data is recorded on a public blockchain, that data, in particular wallet addresses and transaction data, is accessible globally by the nature of the blockchain infrastructure. We take this into account when assessing international transfer risks and minimise the personal data written on-chain accordingly.

9.5 Automated processing, including automated reallocation

As part of the airdrop process, we use automated processing to:

  • verify your airdrop eligibility based on your wallet and participation data;

  • assess whether the required agreement has been signed within the applicable two-week deadline; and

  • automatically reallocate tokens to the treasury wallet if the required agreement is not signed within two weeks, or if allocated tokens are not claimed within one year.

The logic applied in these automated processes is as follows: 

(1) Whitelist eligibility check. At the point of first access to the 1F Predict Game, the system checks whether the wallet address connected by the User is recorded as a Whitelist Wallet in OneFootball's eligibility database. This check is binary: the wallet address either matches a verified entry in the whitelist or it does not. No further personal characteristics are assessed at this stage. A wallet that does not match is automatically denied access to the Airdrop claim flow. A wallet that matches is permitted to proceed to Contract Duration selection.

(2) Two-week TGE claim window monitoring. From the moment the Airdrop claim goes live, the system records a fixed deadline timestamp of exactly 14 days (expiring at 12:00 noon UTC on the 14th day). At that timestamp, the system automatically checks, for each Whitelist Wallet that has not yet executed an initial TGE claim, whether a confirmed Contract Duration selection and an executed initial claim transaction are recorded against that wallet address. If both are recorded, no action is taken. If either is absent, meaning the User has not selected a Contract Duration or has not executed the initial TGE claim transaction within the 14-day window, the system automatically marks the User's entire Airdrop allocation as forfeited and transfers it to the Reward Pool. No further action or human review is required before this transfer is executed.

(3) Soft Staking Requirement balance checks. At each prediction submission deadline during an Epoch, the system automatically queries the $OFC Token balance of each participating User's Wallet. If the balance recorded at a single balance check falls below the current Soft Staking Requirement (currently 1,000 $OFC), the system flags the User's account and triggers a notification to the User via the FanPass site; the User's Matchday Ratings for that occurrence are not invalidated. If the balance falls below the Soft Staking Requirement at two or more consecutive balance checks within the same Epoch, the system automatically invalidates the User's Matchday Ratings for the entire Epoch, rendering the User ineligible for 1F Predict Rewards and vesting acceleration for that Epoch.

(4) One-year unclaimed vesting token expiry. The system records the exact timestamp of the TGE. Exactly one year after that timestamp (at 12:00 noon UTC), the system automatically checks, for each User with an active vesting contract, whether any portion of their Total Eligible Airdrop Allocation has become claimable but remains unclaimed. Any such unclaimed vesting tokens are automatically transferred to the Reward Pool at that moment. This is a single fixed expiry event applied simultaneously to all unclaimed vesting amounts, regardless of when during the vesting period each individual amount became claimable.

(5) Reward Pool migration upon contract expiry. The system continuously monitors the status of each User's vesting contract. When the system determines that all vesting allocations under a User's contract have either been claimed, unlocked but not yet claimed, or forfeited through expiry or early termination, the User is automatically migrated from Reward Pool 1 (active contract holders) to Reward Pool 2 (post-Airdrop participants) for all subsequent Epochs.

The personal data used as inputs in each of these automated checks are: your wallet address; records of your Contract Duration selection and initial TGE claim transaction; your $OFC Token wallet balance at each relevant balance check timestamp; records of each monthly unlock and claim event; and the TGE timestamp. These automated processes produce decisions that directly affect your rights under this Privacy Policy, including your entitlement to Airdrop allocations, 1F Predict Game Rewards, and vesting acceleration. You have the right to request human review of any automated decision that you consider to have been applied incorrectly to your account. To exercise this right, please contact us at the OneFootball Help Center available here. You also have the right to express your point of view and to contest any such decision.

The legal basis for automated eligibility and reallocation decisions under Article 22(2) GDPR is Article 22(2)(a) (necessity for the performance of the contract between you and OneFootball).

Where an automated decision produces legal effects concerning you or similarly significantly affects you, you have the right to:

  • obtain human review of the decision by a member of OneFootball's team;

  • express your point of view; and

  • contest the decision.

To exercise these rights, please contact us at the OneFootball Support Center available here.

9.6 Retention

Where personal data is processed on a public blockchain, this may result in such data remaining permanently or long-term technically irremovable due to the characteristics of the blockchain. This applies in particular to wallet addresses and blockchain-based transaction data. Where on-chain deletion is not technically possible, we minimise the personal data written on-chain and delete or irreversibly sever the cryptographic link between off-chain identity data and on-chain records to the extent feasible and legally permitted.

Data stored off-chain, in particular information relating to eligibility verification, claim administration, communications, and contract performance, is generally retained for the duration of the airdrop programme and any applicable vesting period. Thereafter, we delete or anonymise such data after a period of three years following the end of the calendar year in which the relevant claim process was completed, unless statutory retention obligations or legitimate interests require longer retention. Where data forms part of records relevant under commercial or tax law, we retain such data for the duration of the applicable statutory retention periods (in Germany: generally six years for commercial correspondence and ten years for accounting-relevant records).

10. 1F Predict Game

If you participate in 1F Predict in FanPass, we process your personal data in order to enable your participation in the game, verify whether you hold the minimum amount of OFC tokens required for certain game features, record your predictions, calculate your performance and Matchday Score, place you in the relevant leaderboard category, and distribute tokens from the applicable reward pools. Depending on your participation and performance, this may also affect your eligibility for gameplay-related benefits, including accelerated airdrop unlocks and qualification for monthly prize pools.

10.1 Categories of personal data processed

In this context, we process in particular your wallet address, your username or handle, your prediction entries, gameplay and scoring data, and blockchain-based transaction and reward distribution data. We obtain this data either directly from you or from our internal records. To the extent that we also consult publicly accessible blockchain data (for example, to verify OFC token holdings), such data may not have been collected directly from you. Where required under Article 14 GDPR, we will inform you of the source and categories of such data here.

10.2 Purposes and legal bases

To the extent that processing is necessary to provide 1F Predict and related functionalities requested by you, the legal basis is Article 6(1)(b) GDPR (performance of a contract to which you are party).

To the extent that processing is necessary to verify eligibility, ensure the integrity of the game, prevent abuse or manipulation, operate leaderboards, and securely administer token rewards, the legal basis is Article 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in ensuring a secure, fair, and properly functioning gameplay and rewards system. We have weighed this interest against your rights and consider that this processing does not override your fundamental rights, given that the data processed is limited to what is necessary to administer the game securely and equitably.

Where processing is based on Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation. Please see Section 9 "Your Rights" for further details.

10.3 Recipients

Recipients of your data include the relevant internal teams as well as cloud service providers, blockchain node or RPC providers, and other blockchain infrastructure service providers engaged by us. Off-chain processing generally takes place within Europe.

10.4 International transfers and blockchain

Where personal data is transferred outside the EEA in connection with off-chain processing, we use an appropriate transfer mechanism in accordance with applicable law, such as an adequacy decision or the Standard Contractual Clauses adopted by the European Commission.

Where personal data is recorded on a public blockchain - in particular wallet addresses and transaction and reward distribution data - that data is accessible globally by the nature of the blockchain infrastructure. We minimise the personal data written on-chain accordingly.

10.4 Automated processing

As part of 1F Predict, we use automated processing to: (i) verify whether you hold the required minimum amount of OFC tokens; (ii) record your predictions and calculate your Matchday Score; (iii) assign you to the relevant leaderboard category; and (iv) trigger reward distribution from the applicable reward pools.

(i) OFC token-holding check. To verify whether you hold the required minimum amount of $OFC Tokens, the system automatically queries the on-chain balance of the wallet address you have connected to 1F Predict at each prediction submission deadline during the Epoch. The check is performed by reading the balance recorded on the relevant blockchain at the moment of each submission deadline. The data used is your wallet address and the $OFC Token balance associated with it at that point in time. If your balance meets or exceeds the current minimum threshold, the check passes and your Matchday Score for the relevant matchday is counted towards your Epoch average for leaderboard and reward purposes. If your balance falls below the threshold at two or more consecutive checks within the same Epoch, your Matchday Scores for that Epoch are automatically invalidated, meaning you will not appear in the leaderboard rankings and will not receive a reward distribution for that Epoch.

(ii) Recording of predictions and calculation of your Matchday Score. When you submit predictions for a matchday, the system records your chosen outcome (home win, draw or away win) for each match alongside a timestamp confirming that submission occurred before the first match kick-off of the relevant matchday. Late submissions are automatically rejected. Once official match results are available, the system compares your submitted predictions against those results and generates a numerical Matchday Score between 0 and 10.0. The Score reflects the accuracy of your predictions across the matches included in that matchday's fixture list: the more of your predictions match the actual results, the higher your Matchday Score. The exact weighting applied to each match when deriving the Score is determined by a scoring methodology set by OneFootball. The data used in this process is: your wallet address, your submitted predictions for each match, the submission timestamp, and the official match results.

(iii) Assignment to leaderboard category and ranking. At the end of each Epoch, the system calculates your average Matchday Score by dividing the sum of your Matchday Scores across all matchdays within the Epoch by the number of matchdays in that Epoch. This average is used to rank you against other participants. Based on your Airdrop allocation status — specifically, whether you hold an active vesting contract — the system automatically assigns you to one of two leaderboard categories: Category 1 (participants with an active vesting contract) or Category 2 (participants without an active vesting contract or whose vesting contract has fully concluded). Within each category, participants are ranked in descending order of their Epoch average Matchday Score. If two or more participants share the same average score, a tiebreaker is applied automatically. The data used is: your wallet address, your individual Matchday Scores for the Epoch, your vesting contract status, and, where a tiebreaker is required, additional data points such as total number of predictions submitted, individual matchday highs or the timestamp of your final prediction submission for the Epoch.

(iv) Reward distribution trigger. Once leaderboard rankings for a given Epoch have been confirmed, the system automatically determines your reward entitlement based on your final rank within your leaderboard category and the applicable prize distribution percentages. If your rank falls within the top 100 of your category, the system calculates the $OFC Token amount corresponding to your rank's percentage share of the relevant Reward Pool and triggers distribution of that amount to your connected wallet address. If your rank falls outside the top 100, no reward is distributed for that Epoch. Reward distributions become claimable at 12:00 noon UTC on the first day of the month following the Epoch. Any Metagame Rewards that become claimable but are not claimed within one year of the Token Generation Event are automatically transferred to the Reward Pool. The data used is: your wallet address, your final leaderboard rank, your leaderboard category, and the Reward Pool size for the relevant Epoch.

(v) The personal data used as inputs across all four automated processes are: your connected wallet address; your $OFC Token balance at each balance check point; your submitted match predictions and their submission timestamps; official match results; your individual and average Matchday Scores; your vesting contract status; and your leaderboard rank and category. These automated processes produce outcomes that directly affect your entitlement to Metagame Rewards. You have the right to request human review of any automated outcome that you believe has been applied incorrectly to your account. To exercise this right, please contact us at the OneFootball Help Center available here. You also have the right to express your point of view and to contest any such outcome.

Where an automated decision produces legal effects concerning you or similarly significantly affects you — in particular automated decisions that determine your access to airdrop unlocks or prize pool qualification — you have the right to:

  • obtain human review of the decision by a member of OneFootball's team;

  • express your point of view; and

  • contest the decision.

To exercise these rights, please contact us at the OneFootball Help Center available here.

The legal basis for automated eligibility decisions under Article 22(2) GDPR is Article 22(2)(a) necessity for the performance of the contract between you and OneFootball. 

10.5 Retention

On-chain data. Where personal data is processed on a public blockchain — in particular wallet addresses and blockchain-based gameplay, transaction, and reward distribution data — that data may remain permanently or long-term technically irremovable due to the inherent characteristics of blockchain technology. Where on-chain deletion is not technically possible, we minimise the personal data written on-chain at the point of collection and, to the extent technically feasible and legally permitted, delete or irreversibly sever the cryptographic link between any off-chain identity data held by us and the corresponding on-chain records, so that the on-chain data can no longer be attributed to an identified or identifiable natural person by us. Once that link is severed, the remaining on-chain data no longer constitutes personal data within the meaning of Art. 4(1) GDPR as far as we are concerned, in accordance with Recital 26 GDPR.

Off-chain data, active participation period. Off-chain data relating to your participation in 1F Predict, including your username or handle, internal gameplay records, prediction history, Matchday Scores, leaderboard rankings, and reward distribution records — is retained for as long as your account remains active and for as long as necessary for the operation of 1F Predict, the administration and verification of rewards, the resolution of disputes, and compliance with our legal obligations. During the active participation period, your data is retained on the basis of contract performance (Art. 6(1)(b) GDPR) and, where applicable, our legitimate interests in maintaining accurate records and preventing fraud (Art. 6(1)(f) GDPR).

Off-chain data, post-participation retention. Following the end of your active participation, meaning the later of: (i) the date on which your Metagame vesting contract concludes or expires; (ii) the date on which your OneFootball account is deleted or deactivated; or (iii) the date on which your last reward or transaction becomes final, we retain your off-chain personal data for a further period of three years, calculated from the end of the calendar year in which the relevant event occurs. This three-year period reflects the standard civil limitation period under §§ 195, 199 BGB applicable to contractual claims arising from your participation in 1F Predict, during which data may be required to establish, exercise, or defend legal claims. At the end of this three-year period, your off-chain personal data is deleted or anonymised unless one of the following statutory retention obligations requires longer storage.

Statutory retention obligations. The following statutory retention periods override the three-year period above and may require us to retain certain categories of data for longer:

  • Commercial and accounting records (including records of Admin-Fee payments and reward distributions that constitute commercial transactions): up to 10 years from the end of the calendar year in which the transaction occurred, pursuant to § 147(1) AO and § 257(1) HGB

  • Anti-money laundering records (including wallet address verification records and transaction records where AML/KYC checks were performed): up to 5 years from the end of the calendar year in which the business relationship ended, with an absolute maximum of 10 years, pursuant to § 8(4) GwG.

  • Any other retention period required by applicable law, regulatory authority, or court order.

During any statutory retention period, access to your data is restricted to the extent technically and organisationally feasible, so that it is used only to fulfil the statutory retention obligation and not for any other purpose. This approach of restricting rather than immediately deleting data where statutory obligations apply is consistent with the requirements of § 35 BDSG and Art. 18 GDPR.

Deletion and anonymisation. At the expiry of the applicable retention period, your off-chain personal data is either permanently deleted or anonymised in a manner that renders re-identification impossible, so that the anonymised data is no longer subject to GDPR. Automated account deletion or anonymisation is triggered at the end of the applicable retention period. You may also request early deletion of your data pursuant to Art. 17 GDPR at any time, subject to our statutory retention obligations and our right to retain data to establish, exercise, or defend legal claims under Art. 17(3)(e) GDPR.

Your right to information on retention. You may request confirmation of the specific retention period applicable to your data at any time by contacting us at the OneFootball Help Center available here.

11. Your rights , in particular cancellation and objection

You are entitled to the data subject rights formulated in Art. 7 para. 3, Art. 15 - 21 at any time if the respective legal requirements are met:

  • Right to withdraw your consent (Art. 7 (3) GDPR);

  • Right to object to the processing of your personal data (Art. 21 GDPR);

  • Right to information about the personal data processed by us (Art. 15 GDPR);

  • Right to rectification of your incorrect personal data stored by us (Art. 16 GDPR);

  • Right to erasure of your personal data (Art. 17 GDPR);

  • Right to restriction of processing of your personal data (Art. 18 GDPR);

  • Right to data portability of your personal data (Art. 20 GDPR).

To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the relevant legal requirements are met, we will comply with your data protection request.

Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, beyond this period if there are grounds for the assertion, exercise or defence of legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in the defence against any civil law claims pursuant to Art. 82 GDPR, the avoidance of fines pursuant to Art. 83 GDPR and the fulfilment of our accountability obligation pursuant to Art. 5 para. 2 GDPR.

You have the right to withdraw your consent at any time. As a result, we will no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right to object, which we will also implement without you having to give reasons.

If you wish to exercise your right of cancellation or objection, simply send an informal message to the contact details above.

Finally, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR at. You can assert this right, for example, with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

12. Changes to the privacy policy

We occasionally update this privacy policy, for example when we customise our website or when legal or regulatory requirements change.

Version 1/2026

Status: March 2026