Data protection policy
www.wee.com
Issue date: June 2018

1. What is it about? Who is responsible for data processing?

Following separate registration via an app (the "weeApp") and/or a card (the "weeCard"; weeApp and weeCard are also referred to collectively as the "wee Cashback Tools"), weeMarketplace AG, Burgstrasse 8, CH-8280 Kreuzlingen (hereinafter also "weeMarketplace", "we", "us") offers its customers ("wee Customers") the opportunity to take advantage of certain cashback services ("wee Cashback") in connection with the purchase of goods and services from certain partner companies of weeMarketplace ("weePartners"; wee Customers and weePartners collectively or individually also "Users"). Further information on wee Cashback can be found in our general terms and conditions and on the website www.wee.com (the "Website", hereinafter the weeApp and Website are also referred to collectively as the "Services").

This data protection policy applies to the processing of personal data by us in connection with the weeApp, the weeCard and the Website, for both wee Customers as well as weePartners (insofar as the weePartners are natural persons) or for contact persons of weePartners.

We (weeMarketplace) are the legal data controller in the sense of the EU General Data Protection Regulation ("GDPR") in connection with the weeMarketplace.

2. What personal data is processed and for what purpose?

2.a Informational use of the Website

In the case of merely informative use of the Website, i.e. if users do not actively transmit information to us via the Website, we will not collect any personal data, except for the data provided by the user's browser to enable the visit to the Website, unless indicated otherwise in this data protection policy. This includes, for example:

We are not able to associate this data with specific persons. The aforementioned processing of data is solely for the purpose of enabling the use of the Website (establishing a connection).

Further information on data processing concerning the Website can be found below under sections 3.a and 3.b.

2.b Making contact, contact requests

If a user contacts us via the Services, the data provided in the course of contacting us will be used to answer their request. For example, a contact form is available on the Website which can be used for electronic contact. If a user sends us a request in this way, the data entered in the input form is transmitted to us and stored. At the time a contact request is sent via the contact form, the date and time of the corresponding request will also be saved. The aforementioned data will be used exclusively for the purpose of processing the corresponding contact requests. Further information on data processing concerning the Services can be found below under section 3.

2.c Registration as a wee Customer; registration as a weePartner

In order for wee Customers to use the weeMarketplace and wee Tools, they provide us with their name and e-mail address as part of the registration process. In order to take advantage of weeMarketplace's payout option (wee payment in the respective local currency), they also provide us with their date of birth, address and bank details. We use this data to provide wee Customers with the functions of wee Tools, e.g. to set up a corresponding wee customer account or (with regard to the bank account data) to make corresponding payments in connection with the weeMarketplace. During registration, we also create a non-transferable customer number (the "User ID") for each wee Customer. The User ID is a number used for identification purposes, in particular in connection with the use of the weeMarketplace and the wee Tools at weePartners (see also section 2.d below). Finally, the account access data generated by wee Customers during the registration process (e-mail address and password) is stored in our systems so that wee Customers can access their specific account.

In order to participate as an authorised weePartner in the weeMarketplace that we provide, appropriate applicants must register at www.b2b.wee.com. In this context, we process the following data of weePartner applicants in particular: Name, address, company name if applicable, e-mail address, telephone number, bank details, proof of independent business activity (without this information, registration as a weePartner cannot take place; we use this data, for example, to set up a corresponding weePartner account or for billing purposes). Finally, the account access data generated by weePartners during the registration process (e-mail address and password) is stored in our systems so that weePartners can access their specific account.

2.d Processing of data in connection with the use of wee Tools by weePartners

When wee Customers use the wee Tools in connection with the payment for goods or services to a weePartner at the checkout, the corresponding wee Tool transmits certain data to the checkout or the weePartner's POS terminal using various technical procedures. This data concerns the customer ID of the wee Customer (see section 2.c above) and the corresponding payment amount. The weePartner reports this data as well as the location, checkout or terminal ID, time and transaction ID, and the name of the weePartner to us for administration and wee payment or for accounting purposes with regard to the corresponding weePartner.

2.e Consent; newsletter

If a user consents to receive newsletters or similar promotional information, for example, we use the data to which the corresponding consent refers (e.g. the e-mail address for sending the newsletter) in order to be able to provide the user with the corresponding information.

The wee Customer also has the option of receiving newsletters from the weePartner from whom he has received his weeCard. The weePartner who sends out the newsletter will not receive the personal data of the wee Customer at any time.

Such a consent can be revoked for the future at any time.

If a user requests a newsletter on the Website, they receive a confirmation and authorisation email from us in which we ask them to click on the link included in this e-mail and confirm that they actually wish to receive the newsletter. Only after this confirmation will we send the user the corresponding newsletters. The user can cancel the subscription to the newsletter at any time by clicking on the (unsubscribe) link provided for this purpose in every newsletter. The newsletter is only sent to promote our own products and services.

2.f Legal bases

The legal basis for the processing (or transmission) of personal data is, with regard to

3. Are cookies and other tools used in connection with the Services?

3.a Cookies

We use cookies on the Website. Cookies are small text files that are stored in the memory of the browser and whose data are used for technical session control. When accessing individual pages of the Website, we use "session cookies" to facilitate navigation. These cookies expire after the end of the session.

You can configure your browser so that no cookies are stored or a message always appears before a new cookie is created. However, disabling cookies may mean that not all functions of our website are (fully) available.

The legal basis for the processing of personal data described in section 3.a (insofar as this is actually personal data) is point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest follows from the purposes stated above, in particular optimisation of website use and improvement of user experience).

3.b Use of further tools concerning the Website

3.b.i Facebook Connect

Facebook users can simplify registration on our Website by registering as a (potential) wee Customer with Facebook Connect. In this case, the wee Customer clicks the "Connect with Facebook" button and is automatically forwarded to the Facebook platform, where they log on with their user data. Their Facebook profile will be linked to our Services and we will have access to their data stored on Facebook. The following data is used for the purpose of providing and personalising the wee Customer account with us:

Registration with Facebook Connect is voluntary to make it easier for wee Customers to register.

3.b.ii Google Analytics

The Website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the Website analyse how users use the site. The information generated by the cookie about your use of the Website is usually transferred to and stored on a Google server in the USA. However, if IP anonymisation is activated on the Website, Google will shorten your IP address beforehand within Member States of the European Union or in other States party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this Website, Google will use this information to evaluate your use of the Website, to compile reports on Website activities and to provide the Website operator with other services in connection with Website and Internet use. The IP address transferred from your browser by Google Analytics will not be merged with other Google data.

This Website uses IP anonymisation in the aforementioned sense.

You may refuse the use of cookies by selecting the appropriate settings on your browser. However, we would like to point out that in this case you may not be able to use all functions of the Website to their full extent. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the Website (including your IP address) and from processing this data by downloading and installing the browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout?hl=en

As an alternative to the browser plug-in or within browsers on mobile devices, click the following link to set an opt-out cookie that will prevent future collection by Google Analytics within the Website (this opt-out cookie only works in this browser and only for the Website, if you delete your cookies in your browser, you must click on this link again): disable Google Analytics

Further information on Google Analytics is available here:

http://www.google.com/analytics/terms/gb.html

https://support.google.com/analytics/answer/6004245

https://policies.google.com/privacy?hl=en-GB

and from Google Inc, 1600 Amphitheater Parkway, Mountainview, California 94043, USA.

Google is committed (to the best of our knowledge) to the EU-US Privacy Shield Agreement published by the US Department of Commerce on the collection, use and retention of personal data from EU member states. Google has declared through certification that it will comply with the relevant Privacy Shield Principles. The European Commission expects the US to provide adequate protection for personal data transferred from the EU to US organisations self-certified under the Privacy Shield. Further information can be found at: https://www.privacyshield.gov/EU-US-Framework

3.b.iii Remarketing/retargeting

The Website uses the remarketing function "Custom Audiences" of Facebook Inc. ("Facebook"). This allows users of the Website to see interest-based advertisements ("Facebook ads") when visiting the social network Facebook or other websites that also use the process. We are interested in showing you advertisements that are of interest to you in order to make our Website more interesting to you.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Facebook server. We have no control over the extent and further use of the data collected through Facebook's use of this tool and therefore inform you of the following according to our knowledge. The integration of Facebook Custom Audiences means that Facebook receives information that you have visited the corresponding page on our Website, or that you have clicked on an advertisement from us. If you are registered with a Facebook service, Facebook can associate your visit with your account. Even if you are not registered with Facebook or have not logged in, it is possible that the provider may obtain and store your IP address and other identifying information.

It is possible to deactivate the "Facebook Custom Audiences" function for logged-in users at https://www.facebook.com

For more information about Facebook's data processing, please visit https://www.facebook.com/about/privacy

The legal basis for the processing of your data is point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest follows from the purpose stated in section 3.c)).

3.c Use of tools regarding the weeApp

3.c.i Crashlytics (Fabric)

The weeApp uses the tool "Crashlytics" as well as "Answers for Crashlytics" and "Beta by Crashlytics" from Fabric, a company of Google Inc. ("Google"; cf. Google above). The Crashlytics tool sends us error messages and detailed crash reports, for both Android and iOS, in the event that the weeApp crashes. The "Answers for Crashlytics" tool tracks user actions in the app. This allows us to investigate the error and improve the stability of the weeApp for future versions. As part of these error reports, weeApp may also send information to Google, including the type and version of the mobile device, the time the error occurred, the feature used and the status of the application when the error occurred. We receive an evaluation of the error messages from Google. The user has the option at any time to disable the logging of error reports.

The data is processed by the recipient Google on our behalf within 90 days. Google is also entitled to store the collected data on Google Inc. servers in the USA. Google Inc. is certified under the EU-US Privacy Shield Agreement on the collection, use and storage of personal data from EU member states: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI More information on Crashlytics is available here: https://try.crashlytics.com/terms/privacy-policy.pdf

The legal basis for the processing of personal data described in section 3.c (insofar as this is actually personal data) is point (f) of Article 6(1) GDPR (legitimate interests; the legitimate interest follows from the fact that we have an interest in offering the app with as few errors as possible and therefore rely on appropriate tools).

3.c.ii Apple iTunes TestFlight

We provide beta versions of our app for iOS through Apple's TestFlight service. Apple subjects the app to a short test and, if appropriate, releases it to defined test users for download. When wee Customers sign up for the iOS beta, they expressly agree that we may communicate their email address and, if provided voluntarily, their name, to Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA for the purpose of enabling and referencing the iOS beta version via Apple TestFlight. When TestFlight is installed and/or used, additional personal information may be collected, for example cookie, e-mail and usage data. You can find the TestFlight data protection policy here: https://www.apple.com/legal/internet-services/itunes/testflight/sren/terms.html

To find out more about TestFlight and to install the TestFlight app, please see: https://itunes.apple.com/us/app/testflight/id899247664?mt=8

4. Is users' personal data shared with third parties?

In principle, we do not pass on the user's personal data to third parties, unless otherwise stated in this data protection policy.

We may transfer users' data (to a limited extent) to affiliated companies within the wee Group so that we can assist those companies in processing and managing the respective user accounts or contracts with users. The legal basis for the processing of personal data is point (f) of Article 6(1) GDPR (legitimate interest; the legitimate interest follows from the aforementioned purposes) and point (b) of Article 6(1) GDPR (performance of the contract or pre-contractual measures).

We also use (technical) service providers who process personal data on our behalf (e.g. IT service providers). These service providers process the corresponding personal data exclusively according to our instructions (processors). The legal basis of this data processing is Article 28 GDPR (processing) and usually point (b) of Article 6(1) GDPR (contract performance or pre-contractual measures).

We may disclose the user's personal data to third parties if we are required to do so by law (e.g. at the request of a court or law enforcement agency). The legal basis of this data processing is point (c) of Article 6(1) GDPR (legal obligation).

5. How long is a user's personal data stored?

Insofar as no other storage period results from the other information in this data protection policy, we store the personal data of the users that we receive in connection with the wee Cashback programme for the duration of the contractual relationship with the respective user, thereafter only in the scope and to the extent that we are obliged to do so due to mandatory statutory storage obligations. Insofar as we no longer need the data of the respective user for the purposes described above, it will only be stored for the respective legal retention period and not processed for other purposes.

6. What rights do users have?

Users have the right to request information from us at any time about their personal data that we have stored. If the legal requirements are met, users also have the right to ask us to correct, delete or restrict the processing of the corresponding personal data, the right to object to the processing of their personal data by us and the right to obtain from us the personal data concerning them that they have provided to us in a structured, current and machine-readable format (users can transmit this data to other places or have it transmitted).

If users have consented to the use of their personal data, they can revoke this for the future at any time.

If users believe that the processing of personal data concerning them by us violates the applicable data protection law, they can complain to the competent data protection supervisory authority.

Information about your right to object under Article 21 GDPR

6.a Right to object in individual cases

You have the right to object to the processing of your personal data for reasons arising from your particular situation, unless this data processing is in the public interest or is based on a balance of interests. This also applies to profiling. In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing of this data that outweigh your interests, rights and freedoms. Or where your personal data is used to assert, exercise or defend legal claims.

6.b Objection to the processing of your data for direct marketing purposes

If your personal data is processed for our direct marketing, you have the right to object at any time; this also applies to profiling if it is related to direct marketing. In the event of an objection, we will no longer process your personal data for these purposes. The objection is not subject to any condition regarding form and should be addressed to our data protection officer at the bellow-mentioned contact details, if possible.

7. How can I contact you? Who can I contact?

Users can contact us at the address given in section 1. and via info@wee.com, telephone: +49 (0)71 688 86 63, as well as via the contact form on the homepage www.wee.com.

For all questions regarding data protection (including the assertion of rights pursuant to section 6.), users can also contact our data protection officer directly. The contact details of the data protection officer are: Dipl.-Inform. Udo Wenzel weedatenschutz@agentia.de Tel: +49 (0)30 21964398.

8. What do we do to protect users' personal data (from access by third parties)?

We maintain current technical measures to guarantee data security, in particular to protect the personal data of users from the risks of data transmission and from third parties gaining knowledge of it. These are adapted to the current state of the art in each case.