Privacy Policy

Protecting your privacy is crucial for our business and we at commercetools are committed being a responsible, trustworthy custodian of our personal information. With this Privacy Policy we want you to better understand how we collect, use, protect, and share your personal data. It describes the manner in which we collect, use, maintain, and may disclose personal data, within the contexts of visiting our websites, using our offerings through our website, and managing our relationships with prospects, customers, partners, suppliers, and other business partners.

As used in this Privacy policy, "personal data" or "personal information" means information relating to an identified or identifiable individual. This includes, for example, name, address, email address, business contact information or information collected through interactions with us via our websites or through other channels. Personal information is also referred to as "information about you."

In the following, the terms "user," "customer," "you" and "your" refer to the individuals whose personal data we may process or use and may occasionally be used interchangeably.

I. Name and contact details of the Controller

commercetools GmbH
Adams-Lehmann-Str. 44
80797 Munich
Email: info@commercetools.com
Phone: +49 (89) 99 82 996-0

(hereinafter "commercetools", "we", "us").

However, the data controller may vary depending on the offer or the purpose of the processing and another of our commercetools Group companies may accordingly be the controller. You can find a list of our commercetools Group companies here.

We have concluded a joint controllership between commercetools GmbH and commercetools Inc. Please find the privacy notice regarding the joint controllership here.

We have also agreed a joint controllership with commercetools B.V., commercetools France SAS, commercetools Spain S.L. and commercetools Ltd. Please find the applicable privacy notice here.

II. Contact details of the Data Protection Officer

If you have general questions about data protection, please contact us:

privacy@commercetools.com

If you have any inquiries concerning the processing of personal data of individuals within Europe, you can also contact our Data Protection Officer directly:

Holzhofer Consulting GmbH
Martin Holzhofer
Lochhamer Str. 31
82152 Planegg

Email: info@commercetools.com

Phone: +49 (89) 99 82 996-0

III. Privacy policy for visitors to our website

The following information on data protection is to be provided pursuant to Art 13 et seq. GDPR where personal data are collected from the data subject on our website.

commercetools generally operates several websites, including but not limited to commercetools.com, modern-commerce-day.com and elevate.commercetools.com (hereinafter "the websites") and would like to inform you in the following sections of this Privacy Notice, among other things, about the extent to which information about you is processed through the websites and the purposes for which such information is used.

The websites also include various subdomains (e.g. docs.commercetools.com) or other domains, many of which are covered by this Privacy Notice. Websites not covered by this Privacy Notice are governed by their own privacy policies.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

1.1 Processing of access and analytics data

For technical reasons, we process a limited amount of data (so-called connection data) each time you access our website. This data is technically necessary to establish and execute a connection between your terminal device and our servers. This data is processed in the main memory of the web server for the duration of the connection:

The following data or data categories are collected:

IP address
Source port of the calling device or a gateway (e.g. firewall or proxy).
Timestamp (date and time) of the retrieval
Amount of data transferred
Message whether the retrieval was successful (using HTTP error code)
Message why a retrieval failed, if applicable (using HTTP error code).
Referer (web page from which calls were made to our main page or sub-pages)
User agent (type of browser you use to access our website and its version)
Display screen width and height
Language settings of your browser
Operating System used
Geographical point of view (only the country)
User UUID
Cloud vendor and region
Job title and company name
Usage patterns (e.g., clicks, scrolling, mouve movement)

The IP address, timestamp, HTTP error code, referer and user agent are automatically logged when our websites are accessed in order to ensure the functionality and protection of our websites. Furthermore, the logs serve to optimize the website. Your IP address is only processed in the logs in abbreviated form and is thus anonymized. A creation of user profiles with personal reference is not possible for us with this data.

The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the processings are necessary to safeguard our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data.

1.2 Cookies and related technologies

1.2.1 General

This website partly uses so-called cookies and related technologies (e.g. scripts). Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and saved by your browser, for example to "remember" information about you, such as your language settings or login information. These cookies are sometimes set by us and are referred to as first-party cookies. We also use third-party cookies, which come from a different domain than the one of the website you are visiting.

Basically, we distinguish between the following cookie categories:

Technically necessary cookies
Functional cookies
Performance cookies
Cookies for marketing purposes
Social media cookies

You can also find more information on the individual categories as well as the option to reject each cookie category (with the exception of the technically necessary cookies) and in addition a list of all cookies used in the "Cookie Settings" under the following link:

1.2.2 Technically necessary cookies

Most of the cookies we use are so-called "session cookies". They are automatically deleted after the end of your visit. Such cookies are mandatory and technically necessary for the operation of the website and to provide the service requested by the user and can therefore not be disabled.

The processing is based on the legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the processings are necessary to protect our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data.

1.2.3 Cookies requiring consent such as analysis and tracking cookies and related technologies (e.g. tracking scripts)

Additional advertising, marketing and analysis tools from third-party providers are integrated on our website. These are not technically necessary for the operation of the website, but serve, for example, to record the behavior of the user, to provide him advertising tailored to this or to enable an analysis of the use of our website (e.g. Google Analytics, Hubspot Analytics, Google Dynamic Remarketing, LinkedIn Analytics, Facebook Advertising).

These services become active only after you have explicitly given your consent using the Consent Banner.

An overview of all third-party services integrated on the Website, as well as detailed information on each of these services, can be found under section 6.

1.2.4 Data processing in connection with our contact form

When contacting commercetools via the contact form on the website, the information you provide will only be stored for the purpose of processing and answering the inquiry as well as for possible follow-up inquiries and, if necessary, for further support (unless you would like to subscribe to the newsletter at the same time by ticking the corresponding checkbox).

The following data or data categories are collected and processed in this process:

Name, first name
E-mail address
Name of your company
Position/Job Title
Phone number
Individual message

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subject do not outweigh our interests in processing. We have a legitimate interest in answering your inquiry, for which the processing of the data and data categories mentioned here is necessary.

1.2.5 Newsletter registration

If you would like to be informed regularly about new products or other interesting topics, commercetools offers to receive a newsletter.

To subscribe to the newsletter, you can register by ticking the appropriate checkbox under the various forms (e.g. contact form, demo registration, whitepaper download). Subsequently, you will receive an activation link to the specified e-mail address, which you must activate to complete the registration (so-called double opt-in procedure).

The legal basis for the processing is Art. 6 (1) lit. a GDPR, i.e. your explicit and voluntary consent in combination with the double opt-in procedure.

You can withdraw your consent at any time and without giving reasons. You have two options to choose from:

You can unsubscribe from future receipt of the newsletter by clicking on the "unsubscribe" button, which can be found in every newsletter.

You can also send an informal email with your unsubscribe request to privacy@commercetools.com.

1.2.6 Download of white papers and other publications

Our websites offer you the opportunity to learn more about our company and download content. In doing so, we ask you to provide us with your contact information and other demographic information about you.

In order to provide you with the download, the following data or categories of data must be provided:

First and last name
Business email address
Name of your company

If you do not wish to subscribe to the newsletter at the same time by ticking the corresponding checkbox, the information you give will only be used to provide the requested whitepaper. The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in processing. We have a legitimate interest in providing users with special content by means of whitepapers, for which the processing of the data and data categories mentioned here is necessary.

1.2.7 Registering for a trial version

You can register for a free 60-day trial on our website.

In order to complete the registration, the following data or categories of data must be provided:

Name, first name
E-mail address
Name of your company
Position/Job Title
Demand (planned project)
Region

The data collected during registration will be processed exclusively for the purpose of providing the offer, i.e. for the implementation of pre-contractual measures with interested parties, unless you wish to subscribe to the newsletter at the same time by ticking the corresponding checkbox. The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in processing. We have a legitimate interest in carrying out pre-contractual measures with interested parties by providing a test access to demonstrate the functionality of our products, for which the processing of the data and data categories mentioned here is necessary.

1.2.8 Event registration and online events

On our websites, modern-commerce-day.com and elevate.commercetools.com, we use the third-party service of Bizzabo Inc. located at 31 W 27th St 10th Floor, New York, NY 10001.

In regard to the event registration, we may process the following personal data of you:

Name, first name
E-mail address
Name of your company
Position/Job Title
Demand (planned project)
Region
Descriptions / text messages
IP address
Source port of the calling device or a gateway (e.g. firewall or proxy).
Timestamp (date and time) of the retrieval
Amount of data transferred
Message whether the retrieval was successful (using HTTP error code)
Message why a retrieval failed, if applicable (using HTTP error code).
Referer (web page from which calls were made to our main page or sub-pages)
User agent (type of browser you use to access our website and its version)
Display screen width and height
Language settings of your browser
payment details

Our legitimate interest in using this online platform for online events and event registrations is to improve the quality and availability of our service and event experience. Bizzabo only processes personal data on our behalf to the extent necessary for the provision of the service. The platform may use cookies. For more information about Bizzabo's privacy policy, please visit https://www.bizzabo.com/privacy and https://www.bizzabo.com/cookie-policy.

1.2.9 Usage and registration for the Training Center

On our website we offer you the opportunity to be provided with training regarding our products and services that we provide you with. This training is available under https://learn.commercetools.com. In regard to the training, we may process the following personal data of you:

Name, first name
E-mail address
Name of your company
Position/Job Title
Demand (planned project)
Region
Descriptions / text messages
IP address
Source port of the calling device or a gateway (e.g. firewall or proxy).
Timestamp (date and time) of the retrieval
Amount of data transferred
Message whether the retrieval was successful (using HTTP error code)
Message why a retrieval failed, if applicable (using HTTP error code).
Referer (web page from which calls were made to our main page or sub-pages)
User agent (type of browser you use to access our website and its version)
Display screen width and height
Language settings of your browser

If you are not registered for the training services yet you need to register for this training and to create a new account accordingly. In this context the following personal data may be processed:

Name, first name
E-mail address
Name of your company
Position/Job Title
Demand (planned project)
Region
Descriptions / text messages
IP address
Source port of the calling device or a gateway (e.g. firewall or proxy).
Timestamp (date and time) of the retrieval
Amount of data transferred
Message whether the retrieval was successful (using HTTP error code)
Message why a retrieval failed, if applicable (using HTTP error code).
Referer (web page from which calls were made to our main page or sub-pages)
User agent (type of browser you use to access our website and its version)
Display screen width and height
Language settings of your browser

The data collected during the usage and registration will be processed exclusively for the purpose of providing the training services. The legal basis for processing your data is our contractual relationship pursuant to Art. 6 (1) lit. b GDPR.

Your account, user profile and credentials that are being created will be transferred to and processed for the log-in process by our service provider Okta, Inc., 100 First Street, San Francisco, California 94105, USA, which also provides the service of a so-called "Single Sign On", which means that, in case you have registered several accounts with us, you can log-in with one account that is also valid for the other registered accounts of commercetools. Consequently, there is no need to log-in for each covered account separately when using Okta. In case you have already registered more than one covered account with us, these covered accounts will be merged by Okta. The following, but may be not limited to, personal data will be transferred to and processed by Okta:

User profile information
Contact information
Authentication information

2. Automated decision making including profiling

Automated individual decision-making including profiling according to Art. 22 (1) and (4) GDPR do take place on the part of commercetools GmbH.

3. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise, for example, in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

of an adequacy decision of the European Commission according to Art. 45 GDPR. (in case of the USA based on the Data Privacy Framework, if applicable).
of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.
of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, when using our website, a transfer of personal data to third countries (in particular to the USA) takes place through the use of third-party services in the following cases:

Transfer of personal data to Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.
Transfer of personal data to LinkedIn Corp., 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.
Transfer of personal data to Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.
Transfer of personal data to Hootsuite, 111 East 5th Avenue, Vancouver, BC, Canada, V5 t 4LI.
Transfer of personal data to Hubspot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA.
Transfer of personal data to Drift Inc., 222 Berkeley Street Suite 600 Boston, MA 02116 USA.
Transfer of personal data YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.s.

Transfer of personal data to Fullstory, Inc., 1745 Peachtree St NW, Suite G, Atlanta, Georgia 30309, USA.
Transfer of personal data to Bizzabo Inc., 31 W 27th Street, 10th Floor, New York, New York 10001, USA.
Transfer of personal data to AppNexus Inc, 28 W. 23rd Street New York, New York, 10010, USA.
Transfer of personal data to Okta, Inc., 100 First Street, San Francisco, California 94105
Transfer of personal data to Salesforce Inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA (CRM system)

4. Categories of recipients of the personal data

For the processing of personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

Provider of servers for the purpose of hosting our websites
IT service provider to maintain our IT infrastructure
External service providers for additional services
Marketing and analytics service providers
Further processors within the meaning of Art. 28 GDPR in the course of the order processing

These service providers process information about you on our behalf and based on our instructions and are contractually bound to comply with applicable data protection laws.

Other recipients are affiliated companies of the commercetools Group. As a global company, we also share your information with affiliates within the Group. You can find a list of commercetools Group companies here.

Your data will also be passed on if we are legally obliged to do so.

5. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored for as long as necessary to fulfill the purposes stated here or as required by the retention periods specified by law. After the respective purpose ceases to apply or after the retention periods have expired, the data will be deleted in accordance with the statutory provisions.

We store your data for advertising purposes until you object to its use, withdraw your consent, or until it is no longer legally permissible to use it. We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it when the purpose no longer applies.

All connection data (access logs) are automatically deleted from the web server's memory shortly after the end of the connection. The anonymized access logs are stored for 31 days. In the event that parts of the access logs are required for the purpose of preserving evidence, these are excluded from deletion until the respective incident has been finally clarified.

6. Privacy notices for all third-party services implemented on our websites

6.1 Privacy notice on the use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website, such as

Browser type/version,
Operating system used,
Referrer URL (the previously visited page),
Host name of the accessing computer (IP address),
Time of the server request,

are usually transferred to a Google server in the USA and stored there. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google. We have also extended Google Analytics on this website with the code "anonymizeIP".

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

For more information on how Google Analytics handles user data, please see Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

6.2 Privacy notice on the use of Google Tag Manager

This website uses the Google Tag Manager of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Through this service, website tags can be managed via an interface. JavaScript tags and HTML tags are managed with this application, which are used to implement tracking and analysis tools in particular. The data processing serves the purpose of demand-oriented design and optimization of our website. The Google Tag Manager only implements tags. This means that no cookies are used and no personal data is collected. The Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.

For more information about Google Tag Manager, please visit: http://www.google.de/tagmanager/use-policy.html.

6.3 Privacy notice on the use of Google Fonts API/ gStatic API

External fonts such as Google Fonts and gStatic are used on this website for better visual presentation. These are services of Google Inc, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. ("Google"). The integration of these web fonts is done by a server call, usually a Google server in the USA. This establishes a connection with your end device and, among other things, transmits to the server which of our web pages you have visited. The IP address of the browser of your end device is also collected by Google.

For more information, please visit https://developers.google.com/fonts/faq?tid=331597391040.

6.4 Privacy notice on the use of Doubleclick.net by Google

This website uses the online marketing tool DoubleClick by Google. DoubleClick uses cookies to serve ads that are relevant to users, to improve campaign performance reports, or to prevent a user from seeing the same ads more than once. Via a cookie ID, Google records which ads are displayed in which browser and can thus prevent them from being displayed more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later views the advertiser's website with the same browser and buys something there. According to Google, DoubleClick cookies do not contain any personal information.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have viewed up the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is the possibility that the provider learns your IP address and stores it.

In addition, the DoubleClick Floodlight cookies used allow us to understand whether you take certain actions on our website after you have accessed or clicked on one of our display/video ads on Google or on another platform via DoubleClick (conversion tracking). DoubleClick uses this cookie to understand the content you have interacted with on our websites in order to later send you targeted advertising.

For more information about DoubleClick by Google, please visit www.google.de/doubleclick.

6.5 Privacy notice on the use of Google Audiences

We also use Google Audiences ("GA Audiences") of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"), another web analytics service of Google. Through this service, data is collected and stored, from which pseudonymized usage profiles are created. Through this technology, users who have visited our website can be shown targeted advertising from us on other external pages of the Google Partner Network.

GA Audiences uses, among other things, cookies that are stored on your computer and other mobile devices (e.g. smartphones, tablets, etc.) and that enable an analysis of the use of the respective devices. In some cases, the data is analyzed across devices. GA Audiences receives access to the cookies created in the context of the use of Google Analytics. In the course of use, data, such as the IP address and activities of the users, may be transmitted to a server of the company Google LLC and stored there. Google LLC may transfer this information to third parties where required to do so by law, or where such data is processed by third parties.

For more information on the privacy of your use of GA Audiences, please visit: http://support.google.com/analytics/answer/2700409?hl=en&ref_topic=2611283/.

6.6 Privacy notice on the use of Google Dynamic Remarketing

We use the remarketing or "similar audiences" function of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") on our website. The application serves the purpose of analyzing visitor behavior and visitor interests. Google uses cookies to perform the analysis of website usage, which forms the basis for the creation of interest-based advertisements. The cookies are used to record visits to the website and anonymized data on website usage. No personal data of the website visitors is stored. If you subsequently visit another website in the Google Display Network, you will be shown advertisements that are highly likely to take into account previously accessed product and information areas.

You can find more information about Google Remarketing and the associated privacy policy at: http://www.google.com/privacy/ads/.

6.7 Privacy notice on the use of LinkedIn Analytics and LinkedIn Ads

We use on this website "LinkedIn Analytics" as well as "LinkedIn Ads", services of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. ("LinkedIn"). Both services store and process information about your user behavior on our website. Among other things, cookies are used for this purpose, which are stored locally in the cache of your web browser on your end device and which enable an analysis of your use of our website.

We use LinkedIn Analytics for marketing and optimization purposes, in particular to analyze the use of our website and to continuously improve individual functions and offers as well as the user experience. Through the statistical evaluation of user behavior, we can improve our offer and make it more interesting for you as a user.

We use LinkedIn Ads to serve personalized ads on LinkedIn to visitors of this website. Furthermore, the possibility arises to create anonymous reports on the performance of the ads as well as information on website interaction. For this purpose, the LinkedIn Insight tag is embedded on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time.

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We would like to point out that in this case you may not be able to use all functions on our website to their full extent. LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight tag on our website ("opt-out") click here.

6.8 Privacy notice on the use of Youtube

We have integrated YouTube videos into our online offer, which are stored on http://www.YouTube.com and can be played directly from our website. The operator of the pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

With this integration, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only called up by clicking on them separately. This technique is also called "framing". When you view a (sub-) page of our website on which YouTube videos are embedded in this form, a connection is established to the YouTube servers and the content is displayed on the website by informing your browser.

YouTube content is only integrated in "expanded data protection mode". YouTube itself provides this mode and thus ensures that YouTube does not initially save any cookies on your device. However, when the relevant pages are viewed up, the IP address and other data (e.g. browser used, operating system and its interface, language and version of the browser software, date and time of the query) are transmitted and thus in particular communicated which of our Internet pages you have visited. However, this information cannot be assigned to you unless you have logged in to YouTube or another Google service (e.g. Google+) before accessing the page or are permanently logged in.

As soon as you start the playback of an embedded video by clicking on it, YouTube only stores cookies on your device through the expanded data protection mode, which do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by appropriate browser settings and extensions.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

For more information on the handling of user data, please see YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

6.9 Privacy notice on the use of Facebook Custom Audience

We use a "Facebook pixel" on our website from the social network Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook"). The Facebook pixel can be used to track the behavior of users after they click on a Facebook ad. With the help of the Facebook pixel, we can understand how our marketing measures are received on Facebook and, if necessary, take optimization measures. For this purpose, interest-related advertisements ("Facebook ads") are displayed to users of our website when they visit the Facebook social network or other websites that also use the procedure. Accordingly, we also use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called Facebook "Custom Audiences" or "Look Alike Audiences").

Through the Facebook pixel, your browser automatically establishes a direct connection with the Facebook server. We have no influence on the scope and further use of the data collected by Facebook through the use of this tool and therefore inform you according to our state of knowledge:

By integrating the Facebook pixel, Facebook receives the information that you have clicked on an ad from us or viewed the corresponding web page of our website. If you are registered with a Facebook service, Facebook can assign the visit to your account. Even if you are not registered with Facebook or have not logged in, it is possible that the provider will learn and store your IP address and other identifiers.

The processing of data by Facebook takes place within the framework of Facebook's data usage policy. Specific information and details about the Facebook Pixel and how it works can also be found in Facebook's help section.

6.10 Privacy notice on the use of Facebook Connect

If a so-called "Facebook Connect Button" is placed on this website, you have the option of logging in to our website with your Facebook user data. In addition, information about your activities on our website can automatically flow into your Facebook profile via Facebook Connect. In this respect, when activating the button, you are given both the opportunity to explicitly consent to accessing your Facebook user data and to consent to the publication of information and activities in your Facebook profile. The use of further data (e.g. contacting you via your email address) only takes place with prior explicit consent. Please note that Facebook receives information about the application or website, including what actions you take, through Facebook Connect. In order to personalize the process of making connections, there is a possibility that in some cases Facebook may receive a limited amount of information prior to authorizing the application or website.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, can be found in Facebook's privacy policy:

Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA.; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo.

For more information about Facebook Connect and privacy settings, please see the privacy notices and terms of use of Facebook Inc.

6.11 Privacy notice on the use of Hotjar

Our website uses Hotjar, an analytics software provided by Hotjar Ltd. ("Hotjar"), 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe. Hotjar makes it possible to measure and analyze usage behavior on our website in the form of clicks, mouse movements, scroll heights, etc. The information generated by the tracking code and the cookie is transmitted to the Hotjar servers in Ireland and stored there.

The following information is collected:

The IP address of your device (collected and stored in an anonymized format)
Screen size of your device
Device type and browser information
Geographical point of view (only the country)
The preferred language to display our website

In addition, the following data is logged on our server when Hotjar is used:

Referring domain
Visited pages
Geographical point of view (only the country)
The preferred language to display our website
Date and time of access to the website

Hotjar will use this information to evaluate your use of our website, generate reports, and provide other services related to website usage and internet evaluation of the website. Hotjar also uses third-party services, such as Google Analytics, to provide services. This third-party company may store information that your browser sends as part of your website visit, such as cookies or IP requests. For more information about how Google Analytics stores and uses data, please see its privacy policy.

You can find more information about privacy when using Hotjar at: http://www.hotjar.com/privacy/ and at http://www.hotjar.com/legal/policies/privacy/.

6.12 Privacy notice on the use of the live chat "Drift”

We use for live chat and as a chatbot the service of Drift.com Inc, 222 Berkeley Street, Suite 600, Boston, MA 02116, USA ("Drift") in order to process user requests faster and more efficiently.

Drift enables us and our visitors to conduct a live chat via a chat widget. Drift uses, among other things, cookies and IP address to provide the service and to collect information about our users' behavior on the website and about their end devices. Your data transmitted in the live chat is stored on servers of Drift, Inc. in the USA.

Only after explicit separate consent to the storage and processing in the chat window, you can send us additional data such as your name or email address. We store and process this data so that we can respond to inquiries and answer aborted chats by e-mail.

The privacy policy of Drift, Inc. (in English) can be found here: https://www.drift.com/privacy-policy/.

6.13 Privacy notice for the use of AppNexus

In some areas of our website, we use AppNexus, a service for displaying usage-based advertising from AppNexus Inc, 28 W. 23rd Street New York, New York, 10010, USA. AppNexus uses, among other things, cookies that allow an analysis of the use of the website in order to display targeted interest-based advertising. In the course of use, your data, such as in particular the IP address and user activities, may be transmitted to a server of AppNexus in the USA and stored there.

For more information about privacy, please see the AppNexus privacy policy here at https://www.appnexus.com/en/company/platform-privacy-policy-de.

6.14 Privacy notice for the use of HubSpot

Our websites use various services of the company HubSpot for different purposes of our online marketing activities, for example for analysis and communication purposes. HubSpot Inc. is a software company located at 25 First Street, 2nd Floor, Cambridge, MA 02141, USA. Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include in particular:
Email marketing (newsletters and automated mailings, e.g. for providing event notices), social media publishing & reporting (e.g. traffic sources, hits, etc. ), reporting, contact management (e.g. user segmentation & CRM), landing pages, website analytics, web hosting and contact forms.

Hubspot uses web beacons and cookies to help us analyze your use of this website. Specifically, when you contact us, download a whitepaper, register for a trial, register for an event, or submit another form integrated from Hubspot, your activities on this website are associated with your cookie, allowing us to analyze your website usage in more detail (e.g. pages visited, date and time of views, forms completed, documents downloaded). In addition, for some forms, we deliver requested digital resources (e.g. eBooks/whitepapers) to you by e-mail. In this way, we can tailor the user experience on the website as well as external communication even better to the needs of visitors.

An overview of all cookies that are set by HubSpot can be found at: https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser.

As part of the optimization of our marketing measures, the following data may be collected and processed via Hubspot:

Geographic location, browser type, navigation information, referral URL, performance data, information about how often the application is used, mobile apps data, HubSpot subscription service credentials, files viewed on site, domain names pages viewed, aggregated usage, operating system version, internet service provider, IP address, device identifier, duration of visit, where the application was downloaded from, operating system, events that occur within the application, access times, clickstream data, device model and version.
This information as well as the content of our website is stored on servers of our software partner HubSpot in the USA.

The storage of and access to information in the end user's terminal equipment is carried out in accordance with Section 25 (1) TTDPA. The legal basis for the further processing of your personal data is your voluntary and informed consent pursuant to i) Art. 6 (1) lit. a GDPR, where you give your corresponding consent via the Consent Banner or ii) Art. 6 (1) lit. f GDPR, if applicable. Our legitimate interest in using this online platform is to improve the quality and availability of our marketing campaigns, service and events experience. Hubspot only processes personal data on our behalf to the extent necessary for the provision of the service. For this purpose, we have entered into a Data Processing Agreement (DPA) with HubSpot. Therefore, the information about you will be processed according to our instructions. We have also entered into the European Commission's Standard Contractual Clauses with HubSpot in connection with this. For more information about HubSpot's data security and privacy policies, click here.

6.15 Privacy notice on the use of Hootsuite

Hootsuite collects information for us about whether any of our posts have been shared, liked, commented on or mentioned on social media and whether you are a user who has interacted with our posts on social media. Hootsuite will analyze this data for us to create anonymous reports about the reach and usage of our posts. The data is stored pseudonymously and later anonymized. You can object to the collection of your data by Hootsuite by configuring your browser to block the storage of cookies.

The information generated by cookies and Goal Tracking technologies is transferred to and stored on an Hootsuite server in Canada and it may be transferred to the USA.

For more information on data processing by Hootsuite, please visit Hootsuite 's website ( /legal/privacy ).

6.16 Privacy notice on the use of Fullstory

This website uses Fullstory, a SaaS analytics software provided by Fullstory, Inc., (1745 Peachtree St NW, Suite G, Atlanta, Georgia 30309, USA; “Fullstory”). FullStory’s session replay and analytics help us understanding the usability of our websites and build better experiences. The information generated by your use of the website, such as

Usage patterns (e.g., clicks, scrolling, mouse movement, IP address),
Tech specifications (e.g., Browser, device type, operating system),
Navigation (e.g., referrers, URL parameters, pages visited, session duration),
Personal Information (e.g., user UUID, preferred language, Cloud vendor and region, job title and company name),

may be transferred to, and stored at, a location outside of your outside the European Economic Area (EEA) and the United Kingdom. We have entered into a Data Processing Agreement (DPA) with Fullstory and, therefore, information about you will be processed in accordance with our instructions. In addition, we have also agreed to the European Commission’s Standard Contractual Clauses with Fullstory in connection with this.

On behalf of the operator of this website, Fullstory will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. You can deactivate the use of Fullstory analytics by opting out here. You can also prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We would like to point out that in this case you may not be able to use all functions on our website to their full extent.

The storage of and access to Information In the end user's terminal equipment is carried out in accordance with Section 25 (1) TTDPA. The legal basis for the further processing of your personal data is your voluntary and informed consent pursuant to Art. 6 (1) lit. a GDPR. You give your corresponding consent via the Consent Banner.

For more information on how Fullstory handles user data, please see Fullstory’s privacy policy here.

6.17 Privacy notice on the use of Salesforce

We use the CRM system of salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany, a subsidiary of salesforce.com, Inc., the Landmark at One Market, Suite 300, San Francisco, CA 94105, USA ("Salesforce"), in connection to the use of Hubspot, to process personal data related to website visitors, prospects, customers and partners (name, contact information, company, job title, and other information) to collect information for sales and marketing purposes, to make communications with website visitors, prospects, customers and partners relevant and to understand the performance of our marketing campaigns.The legal basis for the further processing of your personal data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.Our legitimate interest in using this online platform is to improve the quality and availability of our marketing campaigns, service and events experience. For this purpose, we have concluded a Data Processing Agreement (DPA) with Salesforce. Therefore, the information about you will be processed according to our instructions. We have agreed the European Commission's Standard Contractual Clauses with Salesforce in connection with this.

IV. Privacy policy for our customers, prospective customers and partners

The following information is to be provided pursuant to Art. 13 et seq. GDPR where personal data are collected from our customers and prospective customers.

Our offer is addressed exclusively to entrepreneurs, tradesmen, freelancers and public institutions. Contracts with consumers according to Sec. 13 of the German Civil Code are not concluded.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

1.1 Handling of inquiries and preparation of offers (Art. 6 (1) lit. f GDPR)

If you are interested in our offered goods and services (e.g. our cloud-based e-commerce platform and related training, consulting, technical support, licenses, maintenance contracts, etc.), we process and store the following data for the purpose of processing your inquiry and preparing an offer when you contact us (e.g. by e-mail, telephone or contact form on our website):

Title
Name, first name
Company/organization and possibly department within the company
Position in the company
Business address
Business phone numbers
Business fax number
Business email address
Individual message
Product interest
Conversation notes from sales and customer support calls and live chat sessions, if applicable.

We reserve the right to inquire about your decision by telephone or e-mail within 3 months after you have submitted our offer, provided you have not objected to our inquiry.

The legal basis for the processing is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the processing of your data is necessary to answer your inquiry and if necessary, for further pre-contractual measures and that our interest outweighs your interests or fundamental rights and freedoms to protect your data.

1.2 Implementation and execution of contracts (Art. 6 (1) lit. f GDPR)

In order to implement and fulfill an existing contractual relationship, in particular to provide services owed (e.g. provision of our cloud-based e-commerce platform and associated execution of services such as maintenance and support, consulting and training) and to send you contractual documents, we and any third parties or processors commissioned by us process the following data from you, insofar as you have provided us with this when concluding the contract or in the course of the contractual relationship:

Contact details of contact persons and, if applicable, other employees in the company of the business customer
- Title
- Name, first name
- Company/organization and possibly department within the company
- Position in the company
- Business address
- Business phone numbers
- Business fax number
- Business email address
Signature of the person(s) signing contractual documents, if applicable
Further information that is required to process in the context of a project or the handling of a contractual relationship with commercetools or which is provided voluntarily by our contact persons
- Orders placed (especially products and services ordered)
- Transacted inquiries
- Project details
- Conversation notes from sales and customer support calls and live chat sessions, if applicable.
Information collected from publicly available sources, information databases, or credit reporting agencies

For invoicing, monitoring and collection of trade receivables, we process contact details of accounting contacts and other persons entrusted with these processing operations.

If you make use of the offer of our trainings and courses and register for them (e.g. online via our website or by e-mail), we process the following data for the planning and execution of the trainings and, if applicable, for the creation and sending of personalized certificates of participation:

Personal data of the training participants
- Name, first name
- Company/organization and possibly department within the company
- Email address
- Address
Personal details of the payer
- Name, first name
- Company/organization and possibly department within the company
- Field of activity
- Company address
- Phone number

Other information such as: Course date, duration, location, price, date of registration/time stamp.

The training participants are usually employees of our customers and prospective customers.

We also use online video conferencing systems of the respective customer or alternatively our own system for various services, e.g. for technical support or for conducting training/education for customers. The activation of video transmission is the responsibility of the respective participant and is not linked to any advantages or disadvantages in the provision of the service. A recording of the video conferences by us shall only be made upon request and in consultation with all participants. If, in exceptional cases, recording by us is necessary, consent will be obtained from the participants in accordance with Art. 6 (1) lit. a in conjunction with Art. 7 GDPR.

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation and fulfillment of contracts with our customers. We have a legitimate interest in the implementation and performance of contractual obligations with our customers, for which the processing of the data and data categories mentioned here is necessary.

1.3 Implementation of marketing activities

In the case of an advertising approach, we will only contact you via the communication channels to which you have consented, subject to mailing. For this purpose, we use your data for the following purposes:

Quality assurance: In order to continuously improve our performance, our products and our services for you, we conduct surveys on your satisfaction, as well as your experiences from your contractual relationship.
E-mail advertising using newsletter
Invitations to specific events
Communication regarding downloaded whitepapers

We receive your personal data for contacting you either directly from you and/or from third-party providers. In this context, third-party providers are social networks and/or other contact data generating networks that provide us with your personal data collected from public sources or directly from you.

The legal basis for the processing is generally Article 6 (1) lit. a GDPR. Pursuant to Article 7 (3) GDPR, you can always withdraw your consent with effect for the future by sending an e-mail to the e-mail address specified in Section VII Section 1.

Without separate consent, the legal basis may also be our legitimate interest for the purpose of direct advertising (in accordance with Article 6 (1) lit. f GDPR in conjunction with Article 95 GDPR, Section 7 (3) German Act against Unfair Competition) provided that your fundamental rights and freedoms do not conflict. In accordance with Art. 21 GDPR, you can always object to data processing on the basis of our legitimate interests with effect for the future by contacting the e-mail address stated in Chapter VII, Section 1.

2. Obligation to provide the data

The provision of the data specified in section 1.2 is mandatory. If you do not provide us with this information, a contract will not be concluded with us. All other data is provided voluntarily.

3. Automated decision making including profiling

Automated individual decision making including profiling according to Art. 22 (1) and (4) GDPR do take place on the part of commercetools GmbH.

4. Data transfer to a third country

of an adequacy decision of the European Commission according to Art. 45 GDPR. (in case of the USA based on the Data Privacy Framework, if applicable).
of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.
of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of pre-contractual measures and in connection with the conclusion and performance of a contract, data transfers to countries outside the EU and the European Economic Area ("Third Countries") take place in the following cases:

In the course of our global sales, marketing and support services, our customer relationship management or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.

By using third-party providers, personal data is transmitted to service providers in the USA and Australia in the context of:
- Service provider of CRM Software services
- Service provider of Marketing activities, such as sales engagement, leads generation, and customer review applications,
- Service provider to optimize our relationship with potential customers, such as ABM software, communication platforms,
- Service provider to manage our relationship with customers and partners relationship and communication,
- Service provider of contract management.

5. Recipients of data and data sources

5.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

Service provider for hosting and operation of the online video conferencing system and the software for remote maintenance for technical customer support
Service provider for hosting servers for the provision of web-based services
Service provider for operation of e-mail servers
Software service provider, e.g. for CRM systems, ABM software, lead generation and communication platforms, etc.

Other recipients who are not processors:

Financial institutions and providers of payment services for settlements as well as processing of payments
Lawyers for the defense and enforcement of claims
Tax consultant for financial accounting and preparation of balance sheets
Debt collection service providers and competent courts in order to collect receivables and enforce claims in court. If personal data (customer and contact data, payment data and data on the claim) is transferred to a debt collection service provider in the event of collection, we will inform you in advance of the intended transfer.
Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

In addition, we will only disclose your personal data to third parties if you have given your express prior consent. You have the right to withdraw your consent at any time with effect for the future.

Your data will also be passed on if we are legally obliged to do so.

5.2 Data sources

We process personal data that we have received from prospective customers and customers in the course of our business relationships.

Insofar as it is necessary for the provision of our service, we process personal data that we permissibly obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or that we are legitimately provided with by other third parties (a credit agency or an address service provider).

In addition, we may receive your personal data for contacting you either directly from you and/or from third-party providers. In this context, third-party providers are social networks and/or other contact data generating networks that provide us with your personal data collected from public sources or directly from you.

6. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law.

We delete data from inquiries about our products and services in accordance with the statutory retention obligations, which arise primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB).

We store your data for the period of the existing contract and after termination of the contract with you for a period until receipt of the tax assessment notice for the year in which the contract was terminated. In the event that the notice is not final, the data will be stored until the completion of the complete company audit. In addition, we store your data for the duration of the settlement of legal disputes and the assertion, exercise or defense of legal claims. If there are statutory retention periods, we are obliged to store the data until these periods expire. After expiry of the statutory retention periods, which result primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB), we delete this data again.

We store your data for advertising purposes until you object to its use, you withdraw your consent or the use is no longer permitted by law. We store your other data for as long as we need it to fulfill the specific purpose (e.g. to fulfill or process a contract) and delete it after the purpose no longer exists.

7. Security

commercetools takes appropriate technical and organizational measures (TOM) to protect personal data from loss, destruction, manipulation and unauthorized access.

Information about our security measures can be found here.

V. Privacy policy for our suppliers and business partners

The following information is to be provided pursuant to Art. 13 et seq. GDPR where personal data are collected from our suppliers and service providers commissioned by us.

1. Purposes for which the personal data are processed as well as the legal basis for the processing

Implementation and execution of our business relationship with suppliers and business partners (Art. 6 (1) lit. f GDPR)

In order to be able to carry out and maintain the business relationship with suppliers or business partners, in particular to carry out contract preparation and fulfillment, provide communication channels, deliver goods and carry out pre-contractual measures, we and any third parties or processors, process the following data from the supplier or business partner:

Contact information of the contact person and, if applicable, other employees at the supplier or business partner's company
- First name and surname
- Business address
- Business phone number
- Business mobile phone number
- Business fax number
- Business email address
Signature of the person(s) signing contractual documents, if applicable
Payment data, such as information required to process payment transactions or prevent fraud

Further information whose processing is required in the context of a project or the handling of a contractual relationship with commercetools, or which is provided voluntarily by our contacts
- Orders placed
- Transacted inquiries
- Project details

Information collected from publicly available sources, information databases, or credit reporting agencies

The legal basis for the processing of your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subjects do not outweigh our interests in the implementation of pre-contractual measures and the implementation and fulfillment of supplier and business partner contracts. We have a legitimate interest in the initiation, implementation and settlement of the business relationship with our suppliers and business partners, for which the processing of the above mentioned data is necessary.

2. Obligation to provide the data

The provision of the data specified in section 1 is mandatory. If you do not provide us with this information a business relationship or a contract with us would not be possible.

3. Automated decision making including profiling

Automated individual decision making including profiling according to Art. 22 (1) and (4) GDPR do not take place on the part of commercetools GmbH.

4. Data transfer to a third country

of an adequacy decision of the European Commission according to Art. 45 GDPR. (in case of the USA based on the Data Privacy Framework, if applicable).
of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.
of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of pre-contractual measures and in connection with the conclusion and performance of a contract with suppliers and business partners, data transfer to countries outside the EU and the European Economic Area ("Third Countries") takes place in the following cases:

In the course of our global sales, marketing and support services, our customer relationship management or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.
By using third-party providers, personal data is transmitted to service providers in the USA in the context of contract management.

5. Recipients of data and data sources

5.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

Service provider for hosting servers for the provision of web-based services
Service provider for operation of e-mail servers
Software service provider e.g. for sales, marketing, contract management and support services

Other recipients who are not processors:

Financial institutions and providers of payment services for billings as well as processing of payments
Lawyers for the defense and enforcement of claims
Tax consultants for financial accounting and preparation of balance sheets
Credit bureaus and scoring providers for credit reports, for assessing the risk of default
Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

Your data will also be passed on if we are legally obliged to do so.

5.2 Data sources

We process personal data that we have received from suppliers and business partners in the course of our business relationships. Insofar as it is necessary for the provision of our service, we process personal data that we permissibly obtain from publicly accessible sources (debtor directories, land registers, commercial and association registers, press, Internet) or that we are legitimately provided with by other third parties (a credit agency or an address service provider).

6. Period for which the personal data will be stored or criteria used to determine that period

Personal data will only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law.

We store your data for the period of the existing contract and after termination of the contract with you, for a period until the completion of the tax audit of the last calendar year in which you were our supplier or business partner. In addition, we store your data for the duration of the settlement of legal disputes and the assertion, exercise or defense of legal claims. If there are statutory retention periods, we are obliged to store the data until the expiry of these periods. After expiry of the statutory retention periods, which result primarily from commercial and tax law (in particular §§ 147 AO and 257 HGB), we delete this data again.

VI. Privacy policy for applicants

1. Privacy notice for processing in connection with an access of our career portal at https://boards.greenhouse.io/commercetools and in the context of processing personal data for the purpose of recruiting

The following information is to be provided pursuant to Art. 13 et seq. GDPR when collecting personal data on https://boards.greenhouse.io/commercetools (hereinafter "career portal").

Note: If you are interested in one of the job offers on our career site (https://commercetools.com/careers/jobs) and therefore click on it, you will automatically be redirected to a (sub-) domain of our service provider Greenhouse. Greenhouse provides our career portal, which you can use to apply for a job with us (for more information on the service provider Greenhouse, see section 1.3.).

1.1 Processing of access data

For technical reasons, a limited amount of data (so-called connection data) is processed each time you access the Greenhouse career portal. These data (so-called log files) are technically necessary to establish and execute a connection between your terminal device and the servers of our career portal. The data is processed in the main memory of the web server for the duration of the connection:

The following data or data categories are collected:

IP address
Source port of the calling device or a gateway (e.g. firewall or proxy).
Timestamp (date and time) of the retrieval
Amount of data transferred
Message whether the retrieval was successful (by means of HTTP error code)
Message why a retrieval failed, if applicable (using HTTP error code).
Referer (web page from which calls were made to our main page or sub-pages)
User agent (type of browser you use to access our website and its version)
Display screen width and height
Language settings of your browser

The IP address, timestamp, HTTP error code, referer and user agent are automatically logged when the career portal is called up in order to ensure the functionality and protection of the website. Furthermore, the logs serve to optimize the website. A creation of user profiles with personal reference is not possible with this data.

The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the processing operations are necessary to protect our legitimate interests in providing and optimizing the content and informational functions of the career portal accessed by you in a user-friendly manner and in ensuring the security of the IT infrastructure used to provide the career portal and that these interests outweigh your interests, fundamental rights and freedoms that require the protection of personal data.

1.2 Cookies and related technologies

Greenhouse sometimes uses so-called cookies and related technologies (e.g. scripts) on the career portal. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make the offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and saved by your browser, for example, to "remember" information about you, such as your language settings or login information.

Since these cookies are not set by us, they are so-called third-party cookies. These originate from a domain other than that of the commercetools website you originally visited. These cookies can be set either directly by the service provider Greenhouse or by another third-party provider.

1.3 Processing of personal data for the context of background checks as well as legal basis

In case of a successful hiring process, you may be required to verify identity and eligibility to work, which may also include a criminal background check under certain circumstances (e.g. depending on department and job position), in order to be validly employed by commercetools, and will include checks in global sanctions list (such as in the US and European sanctions lists) that can impact commercetools’ business. The result of criminal background checks will be stored for no longer than 45 days. The result of checks in global sanctions lists is an ongoing process that may be done regularly during your employement by commercetools, as such lists are changed on a regular basis.

The following data or data categories may be collected and processed in this process, depending on the position and the location you have applied:

Personal identification data, such as name, nationality, date of birth/place, national identity card, parent’s name,
Current and previous addresses
Phone number
Criminal records

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interests assessment was carried out and came to the conclusion that the interests of the data subject do not outweigh our interests in processing. We have a legitimate interest in protecting our business and that of our customers, for which the processing of the data and data categories mentioned here is necessary.

1.4 Recipients of data and data sources

1.4.1 Categories of recipients of the personal data

In order to process personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

Service provider for hosting servers for the provision of web-based services, in this case, the recruiting tool Greenhouse
Service provider for operation of fraud detection service
Service service provider for contract management
Service provider for background checks.

Other recipients who are not processors:

Affiliated commercetools Group companies: As a global company, we also share your information with affiliated companies within the commercetools Group. You can find a list of commercetools Group companies here.

2. Privacy notice for processing in connection with the recruiting process by submitting an application

2.1 EU/EEA/German Applicants

2.1.1 Personal data we use regarding the recruiting process

Personal master data (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)
Job / application related data (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)
Communications data (e.g. e-mails, IP-address, login-data)
Special categories (e.g. health data)

2.1.2 Sources from where we collect personal data

We collect personal data from you during the application process. Insofar as it is necessary for the hiring process and employment by commercetools, we process personal data that we are legitimately provided with by other third parties for the purpose of conducting background and global sanction lists checks.

2.1.3 Purpose for processing personal data

We process personal data from you for the purpose to carry out the recruiting process. In this context, if located in Germany, personal data may be processed that is necessary for the decision to enter into an employment relationship with you, pursuant to § 26 sec. 1 Bundesdatenschutzgesetz (BDSG).

Moreover, we may process personal data from you in relation to the recruiting process that you are providing to us based on a voluntary consent, pursuant to Article 6 sec. 1 lit. a General Data Protection Regulation (GDPR), § 26 sec. 2 BDSG (§ 26 sec. 2 BDSG if located in Germany). This can be in particular the case regarding the integration of your personal data in respect of our talent pool. Furthermore, we may process special categories of personal data from you in relation to the recruiting process that you are providing to us based on a voluntary explicit consent, pursuant to Article 9 sec. 2 lit. a GDPR. You can revoke this declaration of consent at any time without giving reasons, with effect for the future. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right. From the receipt of your revocation declaration, we will process your personal data no longer than required by the provisions of law on retention of records.

2.1.4 To whom personal data will be passed on

Your personal data will be processed mainly within our human resources department. However, it can be the case that your personal data will be shared with the relevant departments, depending on the position you have applied to, within our company in order to carry out the recruiting process. Furthermore, your personal data may be passed on to certain service providers for the recruiting management, hosting and maintenance services.

2.1.5 Transfer of personal data outside the European Union and European Economic Area

We transfer personal data during the recruiting process outside the European Union (EU) and the European Economic Area (EEA). In this regard we particularly transfer personal data to the United States of America (US). There is currently no adequate decision from the EU Commission applicable for the US. Personal data that is processed outside the EU and EEA may not be covered by the same level of data protection as applicable in the EU and EEA. For this reason, we have entered into data processing agreements and the standard contractual clauses provided by the EU Commission with our service providers in countries outside the EU and EEA. In this regard, these measures provide an appropriate guarantee for the processing of your personal data outside the EU and EEA.

of an adequacy decision of the European Commission according to Art. 45 GDPR (in case of the USA based on the Data Privacy Framework, if applicable).
of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.
of standard data protection clauses adopted by the Commission in accordance with the examination procedure under Article 93 (2) GDPR.

Currently, in the context of recruiting and in connection with the conclusion of a contract, if applicable, data transfers to countries outside the EU and the European Economic Area ("Third Countries") take place in the following cases:

In the course of recruiting or in the course of using our central IT services, we transfer data to affiliated companies within the commercetools Group located outside the EU/EEA. You can find a list of commercetools Group companies here.
By using third-party providers, data is transmitted to the following service providers in the USA, as informed in Section 1.3 of this Privacy Policy for applicants.

2.1.6 Automated decision-making, profiling

In respect of our recruiting process, we do not exercise any automated decision-making nor profiling.

2.1.7 Storage of personal data

Your personal data will be stored as long as it is necessary for the completion of the recruiting process. In principle, where no employment relationship has been established, we will store your personal data for up to six months after completion of the recruiting process due to evidence purposes in order to protect us against possible legal claims.

In cases where you revoke your declaration of consent for the processing of personal data we will stop processing your personal data from the point of your revocation and we will delete your personal data in accordance with the provisions of the applicable laws on retention of records.

2.2 UK Applicants

2.2.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)
Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)
Communications data / information (e.g. e-mails, IP-address, login-data)
Special categories (e.g. health data)

2.2.2 Sources from where we collect personal data / information

2.2.3 Purpose and legal basis for processing personal data / information

We process personal data / information from you for the purpose to carry out the recruiting process. In this context, personal data / information may be processed that is necessary for the decision to enter into an employment relationship with you. Furthermore, we process personal data / information from you that you have provided us voluntarily including your consent for us to process it. In addition, your provided personal data / information may be of particular importance to us, and we have a specific legitimate interest under law to process it or we may have a legal obligation to process it or where necessary to protect the vital interests of you or any person.

If the collection or processing is based on your consent, you may withdraw your consent at any time to the extent permitted by applicable law. Please send your revocation by email to jobs@commercetools.de in order to exercise your revocation right.

2.2.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

Processing your application
Assessing your qualifications and capabilities
Conducting reference checks
Communicating with you regarding your application
Complying with or monitoring compliance with any applicable law or regulation
Enforcing our terms and conditions
Cooperating with law enforcements
Conducting background checks consistent with applicable law

If we are going to enter into an employment relationship with you, personal data / information we collect linked with your application may be incorporated into our human resources and contract management system and used to manage the onboarding process, including the execution of contractual documents, if applicable.

2.2.5 To whom personal data will be passed on

We may share personal data / information of you with our affiliates that are involved in the particular recruiting process. If your personal data / information will be shared the personal data / information will be shared on a need- to-know basis. We may also share personal data / information with approved third-party service providers to facilitate the services they provide to us, including hosting and operating our careers site and recruiting management.

2.2.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data to the EU as well as US.

2.2.7 Storage of personal data / information

2.2.8 Your rights

You have the right at any time to exercise your rights, which include:

Right to information of your personal data / information
Right to rectification of your personal data / information
Right to erasure of your personal data / information
Right to restriction of processing of your personal data / information
Right to data portability of your personal data / information
Right to object the processing of your personal data / information

In order to enforce your rights please contact us.

2.2.9 Complaints

You also have the right to complain to your local data protection authority. In the UK this is the Information Commissioner’s Office whose contact details are accessible here: https://ico.org.uk/ and for complaints please see here: https://ico.org.uk/make-a-complaint/.

2.2.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.3 US Applicants

2.3.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)
Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)
Communications data / information (e.g. e-mails, IP-address, login-data)
Special categories (e.g. health data)

As permitted with applicable law, we may ask questions about race/ethnic origin, gender, veteran status and disability of our applicants, for the monitoring of equal employment opportunity compliance. Furthermore, we may ask about criminal records following a conditional offer of employment, where permitted by applicable law.

If you provide us with personal information of a reference or any other individual as part of your application, it is your responsibility to obtain consent from that individual prior providing the information to us. By providing that personal information, you are affirming that you have obtained such consent from the individual.

2.3.2 Sources from where we collect personal data / information

2.3.3 Purpose and legal basis for processing personal data / information

2.3.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

Processing your application
Assessing your qualifications and capabilities
Conducting reference checks
Communicating with you regarding your application
Complying with or monitoring compliance with any applicable law or regulation
Enforcing our terms and conditions
Cooperating with law enforcements
Conducting background checks consistent with applicable law

2.3.5 To whom personal data will be passed on

2.3.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.3.7 Storage of personal data / information

2.3.8 Your rights

You have the right at any time to exercise your rights, which include:

Right to information of your personal data / informationRight to rectification of your personal data / information
Right to erasure of your personal data / information
Right to restriction of processing of your personal data / information
Right to data portability of your personal data / information
Right to object the processing of your personal data / information

In order to enforce your rights please contact us.

2.3.9 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.4 Australian Applicants

2.4.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)
Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)
Communications data / information (e.g. e-mails, IP-address, login-data)
Special categories (e.g. health data)

2.4.2 Sources from where we collect personal data / information

We collect personal data from you during the recruiting process. Insofar as it is necessary for the hiring process and employment by commercetools, we process personal data that we are legitimately provided with by other third parties for the purpose of conducting background and global sanction lists checks.

2.4.3 Purpose and legal basis for processing personal data / information

2.4.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

Processing your application
Assessing your qualifications and capabilities
Conducting reference checks
Communicating with you regarding your application
Complying with or monitoring compliance with any applicable law or regulation
Enforcing our terms and conditions
Cooperating with law enforcements
Conducting background checks consistent with applicable law

2.4.5 To whom personal data will be passed on

2.4.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.4.7 Storage of personal data / information

2.4.8 Your rights

You have the right at any time to exercise your rights, which include:

Right to access your personal data / information
Right to have your personal data / information being corrected
Right to withdraw your consent for processing your personal data / information

In order to enforce your rights please contact us.

2.4.9 Complaints

If you think your personal data / information has been mishandled you can contact us at any time and we will review your complain and, if appropriate, we will act accordingly in order to stop / correct the mishandling.

2.4.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

2.5 Singapore Applicants

2.5.1 Personal data / information we use regarding the recruiting process

In order to carry out the recruiting process we process personal data / information that is necessary for this purpose. In this regard, the personal data / information may consist of the following:

Personal master data / information (e.g. first name, surname, title, address, birthday, phone number, e-mail, location, social security number, tax code, signature in contractual documents, if applicable)
Job / application related data / information (e.g. position applied to, cover letter, qualifications, certifications, former activities, certificates of employment, interview protocols)
Communications data / information (e.g. e-mails, IP-address, login-data)
Special categories (e.g. health data)

2.5.2 Sources from where we collect personal data / information

2.5.3 Purpose and legal basis for processing personal data / information

2.5.4 Use of your personal data / information

We process your personal data / information in accordance with the following:

Processing your application
Assessing your qualifications and capabilitiesConducting reference checks
Communicating with you regarding your application
Complying with or monitoring compliance with any applicable law or regulation
Enforcing our terms and conditions
Cooperating with law enforcements
Conducting background checks consistent with applicable law

2.5.5 To whom personal data will be passed on

2.5.6 Transfer of personal data / information outside your jurisdiction

We may transfer personal data / information outside your jurisdiction regarding the recruiting process. In this regard we may transfer personal data / information to the EU.

2.5.7 Storage of personal data / information

2.5.8 Your rights

You have the right at any time to exercise your rights, which include:

Right to access your personal data / information
Right to have your personal data / information being corrected
Right to withdraw your consent for processing your personal data / information

In order to enforce your rights please contact us.

2.5.9 Complaints

2.5.10 Information related to children

Our career site is not intended for minors in any jurisdiction. It is required that you prove you are over the age of majority in your jurisdiction regarding our recruiting process.

VII. Information on your data subject rights

1. Data subject rights according to Chapter III of the GDPR

You have the right to request from us access to personal data (Art. 15 GDPR) and the rectification of inaccurate personal data (Art. 16 GDPR). Furthermore, you have the right to obtain the erasure of personal data (Art. 17 GDPR) concerning your person, the right to restriction of processing (Art. 18 GDPR) and the right to receive (Art. 20 GDPR) the personal data provided to us by you, in a structured, commonly used and machine-readable format.

In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).

Where the processing is based on your given consent you can withdraw the consent (Art. 7 Sec. 3 GDPR) at any time. Upon receipt of your withdrawal of consent, we will no longer use or process the data concerned for purposes mentioned in your consent.

If you wish to exercise your data subject rights, please send your request by e-mail to privacy@commercetools.com or by mail to the address mentioned in chapter I (Name and contact details of the controller).

2. Rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

If you live in California and have a business, employment, independent contractor, or application for employment relationship with us, in addition to any other rights provided herein (including those in Section VI.2.3 “US Applicants”), you may request a list of the third parties to whom we have disclosed information about you for their marketing purposes. You may make such a request no more than twice per year. To exercise your rights or if you have questions or concerns about our privacy policies or practices, you may email us at privacy@commercetools.com or write to us at the address provided here. We will respond to you within 30 days.

You may also request that we provide you with an accounting of your personal data held by commercetools. You may also request that commercetools delete your personal data or correct any inaccurate personal data. You may also make such requests to privacy@commercetools.com.

Upon verification of your identity and within 45 days, we will provide you with a paper copy of your personal information via the United States Postal Service.

commercetools will not discriminate against any end user who exercises his or her rights under the California Consumer Privacy Act and California Privacy Rights Act. commercetools does not sell or share your personal information as those terms are defined in the California Consumer Privacy Act.

3. Right to lodge a complaint with a supervisory authority

Furthermore you have the right to lodge a complaint with a supervisory authority. The Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach, P.O. Box 1349, 91504 Ansbach, e-mail: poststelle@lda.bayern.de, telephone: +49 (0) 981 180093-0, is generally responsible for us.

Alternatively, you can approach the supervisory authority that is locally responsible for you.

Effective Date: April 2024

This Privacy Policy is subject to ongoing review and commercetools reserves the right to make changes at any time. Such changes will be published accordingly on this website.

Privacy Policy

Table of Contents

1. Purposes for which the personal data are processed as well as the legal basis for the processing

2. Automated decision making including profiling

3. Data transfer to a third country

4. Categories of recipients of the personal data

5. Period for which the personal data will be stored or criteria used to determine that period

6. Privacy notices for all third-party services implemented on our websites

1. Purposes for which the personal data are processed as well as the legal basis for the processing

2. Obligation to provide the data

3. Automated decision making including profiling

4. Data transfer to a third country

5. Recipients of data and data sources

6. Period for which the personal data will be stored or criteria used to determine that period

7. Security

1. Purposes for which the personal data are processed as well as the legal basis for the processing

2. Obligation to provide the data

3. Automated decision making including profiling

4. Data transfer to a third country

5. Recipients of data and data sources

6. Period for which the personal data will be stored or criteria used to determine that period

1. Privacy notice for processing in connection with an access of our career portal at https://boards.greenhouse.io/commercetools and in the context of processing personal data for the purpose of recruiting

2. Privacy notice for processing in connection with the recruiting process by submitting an application

1. Data subject rights according to Chapter III of the GDPR

2. Rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

3. Right to lodge a complaint with a supervisory authority