We take data protection at Blacksquared GmbH (hereinafter referred to as Blacksquared) very seriously and would like to inform you in the following about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) when using our climate partner offer.
1. Scope of application
With regard to the terms used, such as “personal data” or their “processing”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (DSGVO).
2. Providers and contact persons
Responsible for the collection, processing and use of personal data in the context of the provision of the Climate Partner Platform:
Local Court Charlottenburg HRB 185884 B
Ust-IdNr. DE 282 11 63 39
3. Collection, processing and use of personal data for the operation of the Climate Partner Platform
3.1 Use of the Climate Partner Platform and Services
The apps developed and published by Blacksquared (hereinafter apps) each have an app-internal marketplace that provides various offers (such as discounts on purchases, vouchers or free items) in exchange for collected climate thalers.
Climate partners can provide their own offers for display in the apps developed by Blacksquared via the Climate Partner Portal. There, they can provide all the details about their products and services, add images and videos to them and formulate offers to users that will be displayed in the marketplace in the app.
With this entry, all climate partners also receive their own wallet, a unique IP address that connects them to the app. This wallet appears as a QR code on advertising materials, such as a poster, which is downloaded by the climate partner, printed out and hung in the shop window or on the door, for example. The retailer or restaurant is already part of the Climate Partner network.
The app user can now browse through the various offers in the marketplace and view offers in detail and on a map. The app automatically detects the means of transport used and the distance travelled. For avoiding CO2 emissions, i.e. for using low-emission mobility such as walking, cycling or using public transport, the user automatically collects climate tokens.
All information provided in the Climate-Taler-Partner-Portal is voluntary and the processing of this data is only carried out with the express consent of the user.
3.2 General explanations
In order to use the Climate Partner Portal, the user must create an account and register with a name and e-mail address.
We use the data you provide for the provision of the services we offer in accordance with our General Terms and Conditions [link to AGBs for the operation and improvement of our Kima Partner Portal, for answering your questions.
As a matter of principle, your personal data will not be passed on to third parties. The only exceptions to this are our service and contractual partners who are used in the course of processing the contractual relationship and companies who serve Blacksquared GmbH as cooperation partners. As the anonymisation of your data constitutes the processing of your personal data, we would like to obtain your permission to do so with this declaration.
Data processing for other purposes or transfer to third parties, unless expressly stipulated in these data protection regulations, will not take place without your express consent. Something else only applies if we are legally obligated to release data (information to law enforcement agencies and courts; information to public bodies that receive data due to legal regulations, e.g. tax authorities).
3.3 Registration information and other personal data of the users
If you register as a Climate Partner in the Climate Partner Portal, it will be necessary for you to provide us with an e-mail address, which will henceforth serve as your login ID, your name and surname and to choose a secret password, which will be stored in our system (“Registration Information”).
In order to post offers in the Climate Partner Portal, they must also provide the following information:
- Company name and address
- type of business
- Company form
- Tax number (alternatively international tax number, if available)
- Contact information
With your registration in the app, we store your account data as well as the date and time of your registration on the servers of our service provider AWS, based in Frankfurt am Main, Germany.
3.4 Data storage
The data is stored in the data center of our service provider, AWS Frankfurt in Frankfurt am Main, Germany.
The operator wants to ensure the user full control over his personal data. The legal right of the user to information, correction and deletion of data remains unaffected.
3.4.1 Data storage with third party manufacturers
The operator wants to ensure the user full control over his personal data. The User’s legal right to information, correction and deletion of data remains unaffected. The deletion of the user’s personal data does not include the data aggregated and anonymised from this data, which is collected by the operator in order to compile statistics on the exchange of offers and the use of the Climate Partner Portal.
3.5 What data do the participating companies receive?
Via the company challenge website and the administrators’ area, customers who use the apps developed by Blacksquared can view the offers provided by the climate partners and publish them in their respective company areas or in their own white label app. Blacksquared’s customers decide in their respective areas or their white label app which offers are visible to users and which are not.
Participating companies receive daily updated information and evaluations about the activities in the app. The data is only passed on cumulatively. We exclude the transfer of data of individual employees to third parties.
The data is output and included for the entire company and for individual teams:
- Number of participants
- Climate Thaler earned
- Climate Thaler exchanged
- Winners of prizes in a raffle with name and e-mail address
- Number of offers sold in the rewards marketplace
3.6 Contact via the contact form or our helpdesk
If you wish to contact us via the contact form on our website, we will process your first and last name, your email address and the message text you send to us in accordance with Art. 6 (1) lit. b) DSGVO in order to process your request. This does not create a link to the data collected in the app. Your information may be stored in our customer relationship management system (“CRM system”) or comparable request organization.
We use the CRM system “Helpdesk”, of the provider Zendesk, Inc.- 1019 Market St, San Francisco, CA 94103, USA) based on our legitimate interests (efficient and fast processing of user requests). For this purpose, we have concluded a contract with Zendesk with so-called standard contractual clauses, in which Zendesk undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. All processors that previously operated under the now invalid Privacy Shields agreement have since added the relevant standard contractual clauses approved by the European Commission to their data processing terms and security provisions, which continue to be legally valid for the transfer of data outside the EU, Switzerland and the United Kingdom in accordance with the ruling.
We delete the requests if they are no longer necessary. We review the necessity every two years; inquiries from customers who have a customer account, we store permanently and refer to the information on the customer account for deletion. In the case of legal archiving obligations, the deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
If you subscribe to our newsletter, we will store your e-mail address and optionally your name for the personal address and use it to send the newsletter. Your e-mail address will not be published or passed on to third parties.
You can unsubscribe from our newsletter at any time via a link contained in each issue. We will then delete your e-mail address from our distribution list.
3.7.1 Shipping service provider
All processors that previously operated under the now invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside of the EU, Switzerland and the UK, according to the ruling.
4. Legal basis
4.1 Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) lit. b DSGVO), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 DSGVO.
4.2 Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only occur if it is done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 et seq. DSGVO are met. This means that the processing takes place, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
4.3 Cookies & Reach Measurement
Cookies are pieces of information that are transferred from our web server or third party web servers to users’ web browsers and stored there for later retrieval. Cookies may be small files or other types of information storage.
We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. in order to be able to save your login status or the shopping cart function and thus enable the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and log out or close the browser, for example.
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
4.4 Collection of access data and log files
We collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
4.5 Online presence in social media
We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and users active there and to be able to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operators apply.
4.6 Google Analytics
All processors that previously operated under the now invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside the EU, Switzerland and the UK, according to the ruling.
This website uses Google Analytics, a web analytics service provided by Google, Inc (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. In the event that IP anonymisation is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.
The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. We use Google Analytics to display the ads placed within Google’s advertising services and those of its partners only to users who have also shown an interest in our online offering or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Google (so-called “Remarketing Audiences” or “Google Analytics Audiences”). With the help of Remarketing Audiences, we also want to ensure that our advertisements correspond to the potential interest of the users and do not have a harassing effect.
This website anonymizes the IP of data sent to Google Analytics. IP addresses are processed in abbreviated form, which means that they cannot be traced back to a specific person. Insofar as the data collected about you is personally identifiable, this is immediately excluded and the personal data is deleted immediately.
We use Google Analytics to analyse and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 para. 1 lit f. DSGVO.
Information of the third party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: https://www.google.com/analytics/terms/, Overview of data protection: https://www.google.com/intl/de/analytics/learn/privacy.html , as well as the data protection notice: https://www.google.de/intl/de/policies/privacyDiese Website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under “My data”, “Personal data”.
4.7 Google Re/Marketing Services
We use the marketing and remarketing services (in short “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Park Park, Mountain View, CA 9.5. DSGVO) the marketing and remarketing services (in short “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
Google is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google’s marketing services allow us to display advertisements for and on our website in a more targeted manner in order to present users only with ads that potentially match their interests. For example, if a user is shown ads for products in which they have expressed interest on other websites, this is referred to as “remarketing”.
For these purposes, when our website and other websites on which Google marketing services are active are called up, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies can also be used instead of cookies). Cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites the user has visited, which content he is interested in and which offers he has clicked on, as well as technical information on the browser and operating system, referring websites, time of visit and other information on the use of the online offer.
The IP address of the user is also recorded, whereby we inform you within the scope of Google Analytics that the IP address is shortened within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases is transferred in full to a Google server in the USA and shortened there. The IP address will not be merged with data of the user within other offers of Google. The aforementioned information may also be combined by Google with such information from other sources. If the user subsequently visits other websites, he can be shown ads tailored to his interests.
User data is processed pseudonymously within the scope of Google marketing services. I.e. Google does not store and process e.g. the name or email address of the users, but processes the relevant data cookie-related within pseudonymous user profiles. I.e. from Google’s perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymisation. The information collected by Google marketing services about users is transmitted to Google and stored on Google’s servers in the USA.
The Google marketing services we use include the online advertising program “Google AdWords”. In the case of Google AdWords, each AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked through the websites of AdWords customers. The information obtained with the help of the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. The AdWords customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that personally identifies users.
We can also use the “Google Optimizer” service. Google Optimizer allows us to track the effects of various changes to a website (e.g. changes to the input fields, the design, etc.) as part of so-called “A/B testing”. For these testing purposes, cookies are placed on users’ devices. Only pseudonymous user data is processed in the process.
Furthermore, we may use the “Google Tag Manager” to integrate and manage Google analytics and marketing services on our website.
If you wish to object to interest-based advertising by Google marketing services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/authenticated.
4.8 Data permissions in the apps
4.8.1 Firebase Crashlytics / Firebase Crash Reporting
We use Firebase Crashlytics / Firebase Crash Reporting (hereinafter Google Firebase) to analyse user behaviour and to report on the stability and improvement of the website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Firebase Crashlytics / Firebase Crash Reporting is used for the stability and improvement of the app. Information about the device used and the use of our app is collected (e.g. the timestamp, when the app was started and when the crash occurred), which enables us to diagnose and solve problems. The data is stored anonymously.
Google Firebase Crashlytics / Firebase Crash Reporting is used to optimize this app and to improve our offers. This represents a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO.
For more information on Google Firebase, please visit
We also use Mixpanel, a service provided by Mixpanel Inc., 589 Howard Street, #4 San Francisco, CA 94105, USA (“Mixpanel”), to collect user data on the website to better understand how users interact with the Climate Partner Portal. Mixpanel is used to track and improve website activity, frequency of use, or web logouts.
4.9 Integration of third-party services and content
Within our online offer, we use content or service offers of third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the presentation of this content. We strive to use only such content whose respective providers use the IP address only for the delivery of the content.
Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their content, together with links to their data protection declarations, which contain further information on the processing of data and, in part already mentioned here, options for objection (so-called opt-out):
4.10 Relevant legal bases
4.11 Revocation, amendments, corrections and updates
As a user, you have the right to request information free of charge about the personal data that has been stored about you. In addition, you have the right to correct inaccurate data, blocking and deletion of your personal data, provided that this does not conflict with any legal obligation to retain data. You can find our contact details here (https://changers.com/de/impressum).
4.12 Security measures
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons; the measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access concerning them, input, disclosure, ensuring availability and their separation.
Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data and reaction to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Article 25 of the GDPR).
Security measures include, in particular, the encrypted transmission of data between your browser and our servers, and between the mobile apps and our servers.
4.13 Data Protection Officer
The data protection officer of Blacksquared GmbH is:
You can reach our company data protection officer by mail at:
10623 Berlin, Germany
We ask you to regularly inform yourself about the content of our data protection declaration. We adapt the data protection declaration as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.