Privacy Policy


1 PRIVACY STATEMENT FOR LENGALIA
We treat personal data under the Germany Data Protection Act (incorporating the EU General Data Protection Regulation - GDPR) to our global operations unless the local equivalent laws are stronger. Also, we apply the personal data under the provisions of the California Consumer Privacy Act (CCPA) in our operations in California.
We operate the website www.lengalia.com along with our learning portal learning.lengalia.com and subdomains blog.lengalia.com/spanisch-lernen-online/, support.lengalia.com/hc/en-gb and collect certain data from our visitors and customers as necessary. With this privacy policy, Lengalia would like to explain how your personal data is processed and in what form some of this data may be accessible to other users.
In the following privacy policy, you will learn what we do with your personal data and why. We will also tell you how we protect your data, when the data will be deleted and what rights you have under data protection law.

2 SCOPE OF THIS PRIVACY POLICY

The German version of this privacy policy is deemed to be the basis for using the Lengalia’s online-service. Its translation into English, Spanish, French, Italian and Portuguese is provided for information purposes only. In case of contradictions, the only legally binding version of the document (which can be viewed here) is the German version.

3 DECLARATION OF CONSENT
By using the service offered on the Lengalia website you automatically agree to the following privacy policy. Your declaration of consent will be recorded by us. 
You can withdraw your declaration of consent at any time via email, however not in retrospect. Withdrawing your consent means that you may no longer use any of the services provided by Lengalia. In addition to the data processing on our website, we explain in this privacy policy the data processing in the services we offer for which our customers can register.
This privacy policy will explain:
- What data Lengalia collects and what we do with it.
- What technologies we use for provision and personalization.
- What data protection rights you have and how you can exercise them.

4 CONTACT
The trust of our users is important to us. Lengalia therefore wishes to provide its users with full information on the processing of their personal data at all times. If any queries remain unanswered by this privacy statement or if more detailed information is required on any point, please contact the following address at any time.
Author of this page:
Lengalia, José Delgado
Schmarjestr. 42 22767
Hamburg
email: mail (@) lengalia.com
You can also reach our Data Protection Supervisor and other data protection-related contacts via these contact details. In this context, we process data exclusively for the purpose of communicating with you. The legal basis for the data processing is the performance of the contract pursuant to Article 6(1)(b) GDPR.

5 WHAT RIGHTS DO YOU HAVE?
- Withdrawal of consent in accordance with Article 7(3) GDPR (e.g. you can contact us to withdraw consent and stop receiving the newsletter)
- Right of Access in accordance with Article 15 GDPR (e.g. you can contact us to find out which data of yours we have saved)
- Rectification in accordance with Article 16 GDPR (e.g. you can contact us if your email address has changed and you want us to update it)
- Erasure in accordance with Article 17 GDPR (e.g. you can contact us if you want us to delete any of your data that we have saved)
- Restriction of processing in accordance with Article 18 GDPR (e.g. you can contact us if you do not want us to delete your email address but only want to receive emails that are strictly necessary)
- Data portability in accordance with Article 20 GDPR (e.g. you can contact us to obtain the data we have saved on you in a compressed format as you may want to provide the data to another website)
- Objection in accordance with Article 21 GDPR (e.g. you can contact us if you do not consent to one of the advertising or analytical procedures listed in this document)
- Right to lodge a complaint with the relevant supervisory authority in accordance with Article 77(1) GDPR (e.g. in the event of a complaint you could contact the data protection supervisory authority in your state directly)

Supervisory authority in Hamburg
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg

Your rights concerning the processing of your personal data
To exercise your rights, you must send us a request in writing, either by post or email. If you would also like to speak to someone in person, you can contact us by telephone. You will need to provide:
. proof of identity
. proof of address
. any additional details we need to locate the information you have requested (for example, details regarding Lengalia or staff that you have had contact with and when).
We will not start looking for your information until we confirm your identity.

6 DELETION OF DATA AND STORAGE PERIOD
If not otherwise noted, we delete personal data as soon as it is no longer needed. Your data will also be locked or deleted if a storage period set out by law expires, unless the data must be kept in order to complete or fulfil a contract. Some data may have to be stored for a longer time period if the law requires it. You can, of course, request information regarding the personal data we have saved on you at any time.

Right to erasure - 'right to be forgotten'
After your access period to our Learning portal has finished, your data will be completely deleted after 30 days (both your personal data and data concerning your learning progress connected to your account). You also have the option of deleting your data yourself at any time during your period of access under ‘Profile‘. This is because the personal data are no longer necessary in relation to the purposes for which they were collected.
The legal basis is your consent in accordance with the European data protection requirements from Article 17(1) GDPR.

7 SERVER LOG FILES
If you visit our website, we do not collect any personal data, with the exception of the data that your browser transmits to enable you to visit the website. The website provider -Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (Germany)- automatically collects and stores information that your browser automatically transmits to us in "server log files". These are:
- File names of the pages and files called up
- Date and time of the visit - Amount of data transferred
- Status messages (i.e. whether the data transfer was successful)
- Information about your device (e.g. browser version, app version, operating system, language settings, device identifiers)
- The previously visited page (if you accessed our website via a link)
- Online identifiers (e.g. IP address, session IDs, cookies, device identifiers)
- Geo data (e.g. city, postal code) transmitted via the IP address
As a protective measure in favour of your privacy, we delete or anonymize the IP address after specified periods. Therefore, other related data can no longer be traced back to you and may only serve anonymous, statistical purposes for the optimization of our website. The purpose of the temporary storage of the data is a technical necessity for establishing the connection, and the correct and error-free display of our website. The IP address and the technical data already mentioned are needed to display the website, to prevent display problems for visitors and to correct error messages.
The legal basis is the so-called legitimate interest which has been examined in the context of the aforementioned protective measures and in accordance with the European data protection requirements from Article 6(1)(f) GDPR.

8 CLOUDFLARE SSL, CDN & WAF
Our website uses the services of Cloudflare Inc. (USA) for secure encrypted data transmission on the Internet (SSL), to improve worldwide website performance through the Cloudlflare Content Delivery Network (CDN) and to improve security and protection against hacker attacks through the Cloudflare Web Application Firewall (WAF). It is possible that Cloudflare uses its own cookies to provide these services. With Cloudflare a corresponding GDPR-compliant contract for commissioned data processing exists. More detailed information about GDPR and Cloudflare can be found on the GDPR pages of Cloudflare.
What is Cloudflare?
A Content Delivery Network (CDN), as provided by Cloudflare, is nothing more than a network of servers connected via the Internet. Cloudflare has distributed such servers all over the world to bring websites faster to your screen. Simply put, Cloudflare makes copies of our website and places them on their own servers. When you visit our website now, a load balancing system ensures that the majority of our website is delivered from the server that can display our website the fastest. The distance of the data transfer to your browser is considerably shortened by a CDN. Thus the content of our website is delivered to you by Cloudflare not only from our hosting server, but from servers all over the world. The use of Cloudflare is especially helpful for users from abroad, because here the page can be delivered from a server nearby. Besides the fast delivery of websites Cloudflare also offers various security services like DDoS protection or the Web Application Firewall.
Why we use Cloudflare on our website?
Of course we want to offer you the best possible service with our website. Cloudflare helps us to make our website faster and more secure. Cloudflare offers us web optimizations as well as security services such as DDoS protection and web firewall. This includes a reverse proxy and the content distribution network (CDN). Cloudflare blocks threats and limits abusive bots and crawlers that waste our bandwidth and server resources. By storing our website in local data centers and blocking spam software, Cloudflare allows us to reduce our bandwidth usage by about 60%. Delivering content from a data center near you and some web optimizations performed there reduces the average loading time of a website by about half. According to Cloudflare, the setting "I'm Under Attack Mode" can be used to mitigate further attacks by displaying a JavaScript calculation task that must be solved before a user can access a web page. Overall, this makes our website much more powerful and less susceptible to spam or other attacks.
Which data is stored by Cloudflare?
Cloudflare generally only forwards those data that are controlled by website operators. The contents are therefore not determined by Cloudflare, but always by the website operator himself. In addition, Cloudflare may collect certain information about the use of our website and process data that is sent by us or for which Cloudflare has received appropriate instructions. In most cases, cloudflare receives data such as contact information, IP addresses, security fingerprints, DNS protocol data and performance data for web pages derived from browser activity. For example, log data helps cloudflare to detect new threats. So Cloudflare can guarantee a high security protection for our website. Cloudflare processes these data within the framework of the services in compliance with the applicable laws. This naturally includes the General Data Protection Regulation (GDPR).
For security reasons Cloudflare also uses a cookie. The cookie (__cfduid) is used to identify individual users behind a shared IP address and to apply security settings for each individual user. This cookie is very useful, for example, if you use our website from a location where there are a number of infected computers. However, if your computer is trustworthy, we can recognize this by the cookie. So you can surf through our website unhindered, despite infected PCs in the area. It is also important to know that this cookie does not store any personal data. This cookie is essential for the cloudflare security features and cannot be disabled.
Cookies from Cloudflare
Cloudflare also works together with third party providers. They may only process personal data under instructions from Cloudflare and in accordance with the privacy policy and other confidentiality and security measures. Cloudflare will not pass on any personal data without our explicit consent.
How long and where is the data stored?
Cloudflare stores your information mainly in the USA and the European Economic Area. Cloudflare can transmit and access the above described information from all over the world. In general, Cloudflare stores user-level data for domains in the Free, Pro and Business versions for less than 24 hours.
How can I delete my data or prevent data storage?
Cloudflare keeps data logs only as long as necessary and in most cases these data are deleted within 24 hours. Cloudflare also does not store any personal data, such as your IP address. However, there is information that Cloudflare stores indefinitely as part of its permanent logs to improve the overall performance of Cloudflare Resolver and to identify any security risks. You can find out exactly which permanent logs are saved here. All data that Cloudflare collects (temporary or permanent) will be cleaned from all personal data. All permanent logs are also anonymized by Cloudflare.
Cloudflare will mention in your privacy policy that they are not responsible for the content they receive. For example, if you ask Cloudflare whether they can update or delete your content, Cloudflare always refers to us as the website operator. You can also completely prevent the entire collection and processing of your data by Cloudflare by deactivating the execution of script code in your browser or by including a script blocker in your browser. Cloudflare is an active participant in the EU-U.S. Privacy Shield Framework which regulates the correct and secure transfer of personal data. You can find more information here.
The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(f) GDPR

9 PROVISION OF THE LENGALIA LEARNING PORTAL
We process your data to the extent necessary in each case for the performance of the contract and for the purposes of providing and carrying out other services requested by you, as described in this Privacy Policy. This includes:
- The provision, personalization and needs-based design of our website
- Ensuring the general security, operability and stability of our services, including defense against attacks
- Non-promotional communication with you on technical, security and contract-related topics (e.g. fraud alerts, account blocking or contract changes)
Insofar as the purpose is the performance of a contract agreed with you or the provision of a service requested by you, the legal basis is Article 6(1)(b) GDPR. Otherwise, the legal basis is Article 6(1)(f) GDPR, whereby our legitimate interests lie in the above-mentioned purposes.

10 YOUR LENGALIA ACCOUNT
The use of our learning portal Spanish language courses, requires registration on our website. When you register with us, we collect and store the basic data you enter, such as (user) name, email address, and your password, as required fields as part of the registration process. We may receive further information from you about the learning portal, e.g. in your personal profile.
As a protective measure, the transmission of the data you enter, as happens when you visit the rest of the learning portal, takes place via an encrypted connection. After successful confirmation, your data will be stored until you decide to delete either individual data or the entire user account. The purpose of the requested data is the creation of a user account for the use of extended functions on the website. Registration is voluntary and can be revoked or the user data deleted at any time.

11 USE OF THE LENGALIA LEARNING PORTAL
a) Profile
Using the information you provide when you pay for a course, we create a personal profile for you. This profile contains the following information: title, first name and surname, street, postcode, town/city, country and email address. Furthermore, the email addresses of course participants, or those employed by companies, schools and institutions who are using the learning platform, will be taken. You will need your email address to log in. We use your email address to communicate with you within the framework of our contract. We use your first and last names in order to directly address you when using the learning platform. We need your address in order to fulfil our contractual duties for you. When we send you your access details and your bill via email, we include your address at the top of these documents.
You can delete your profile information at any time. If you delete your profile you will only be able to use the service again after paying for a new course. Your learning progress (learning statistics) and all contents of the learning tools will all be reset.


b) Learning statistics
While you practise, Lengalia automatically creates statistics which record and analyze the progress of your learning. In your statistics, we save and make use of data that is needed by other learning tools (for example, ‘Vocabulary trainer‘, Verb conjugator‘, ‘correct mistakes‘). In your statistics, these tools would not be useable if the data were not available. Therefore, we save and use the results of the progress you made whilst practising. Your learning statistics are only visible to you and to the Lengalia teacher or Lengalia team responsible for you. If you use an online course in the context of your company, a school or any other institution the teacher (supervisor) may be appointed by Lengalia or by your company, school, or institution respectively. The legal basis for the data processing is the fulfillment of the contract according to Article 28 GDPR.

12 PERSONAL VOCABULARY TRAINER
Lengalia offers a personal vocabulary trainer that allows users to transfer their own vocabulary in order to repeat and learn later. This data is not visible to other users.
The legal basis for the data processing is the fulfillment of the contract according to Article 6(1)(b) GDPR.

13 DEEPL
On our website we use the service of the company DeepL GmbH, Maarweg 165, 50825 Köln (Germany). Our legitimate interest in using this service is to translate user requests quickly. When using DeepL, the texts and/or documents you submit are not stored permanently and are only kept temporarily to the extent necessary for the creation and transmission of the translation. After the translation has been transmitted to you, both the submitted texts and/or documents and their translations will be deleted. This data cannot be viewed by other users. The use of DeepL is optional.
The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(b) GDPR.

14 VOICE RECORDER
In order for us to check your pronunciation, we use voice recognition systems. For this purpose, we store the audio recordings you make for a short period of time and delete them immediately after evaluation. To do this, we first need authorized access to the microphone of your terminal device. Your audio recordings are then processed via an interface and subsequently evaluated. Lengalia does not store these audio recordings after evaluation with regard to the accuracy of your pronunciation.
The legal basis for the aforementioned data processing is the fulfillment of the contract pursuant to Article 6(1)(b) GDPR.

15 SOCIAL SIGN-IN & SOCIAL LOGIN
In addition to manual registration, we offer you the option of registering with us directly via an exisiting social media account from selected providers. We use the ‘Facebook Sign In‘ platforms for this purpose. If you want to use one of these functions, you will be redirected to the page of the respective provider and taken through the registration process.
As a protective measure, the transmission of the data you enter takes place via an encrypted connection of the respective platform. We do not use the registration to access personal data such as friend lists or contacts or to store them for our own purposes. A permanent link between your user account and the user account with Facebook and Google does not take place. We do not know what data the social networks collect in the course of registration or how data is linked. Further details can be found in Facebook’s privacy policy. The purpose of the requested data is the registration via an existing user account for the use of extended functions on the website. Registration via the social networks is voluntary and can be revoked or the user account can be deregistered at any time.
The legal basis is your consent in accordance with the European data protection requirements from Article 6(1)(a) GDPR.

16 ZENDESK
On our website we use the service of the company Zendesk Inc., 989 Market Street #300, San Francisco, CA 94102, USA. The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(f) GDPR. Our legitimate interest in using this service is to be able to answer user inquiries quickly and efficiently. Zendesk uses their data only to forward your requests to us. It will not be passed on to third parties.
The service can also be used pseudonymously. In the course of processing service requests, it may be necessary to collect further data (e.g. first name, last name, address, etc.). The use of Zendesk is optional. If you do not agree to Zendesk collecting your data, we offer alternative ways for you to contact us to submit service requests by phone or email. For more information, please see Zendesk's privacy policy.

17 COOKIES
Our website uses cookies in some instances. Cookies are small text files that are usually saved in a folder in your browser. Cookies contain information on your current and previous website visits:
- Name of the website
- Cookie expiration date
- Cookie value
Provided that cookies do not contain a specific expiration date, they are only saved temporarily and automatically deleted as soon as you close your browser or turn off the device. Cookies with expiration data remain saved even after you have closed your browser or turned off your device. These cookies are only removed once they have reached their expiry date or if you manually delete them. Our website uses the following three types of cookies:
- Required cookies (these are needed, for example, in order to display the website correctly for you and to temporarily save certain settings)
- Functional and performance cookies (these cookies help us, for example, to evaluate technical data from your visit and therefore avoid error messages)
- Advertising and analytics cookies (these cookies ensure that, for example, you see ads for Spanish if you had previously searched for Spanish)
You can use your browser settings to configure, block, and delete cookies. If you delete all cookies from our website, you may find that some website features are not displayed properly. You can find helpful information and instructions for common browsers on the website of the German Federal Office for Information Security.
Cookies are only activated after you have granted express permission, with the exception of those cookies that are required for the technology to work. You can withdraw this permission at any time. You can find information on how to withdraw permission, as well as additional information, in the cookie configuration options.

18 YOUTUBE
We use the provider YouTube to integrate videos. YouTube is operated by YouTube LLC with headquarters at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc. with headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When playing the embedded videos, a connection to the YouTube servers is established and, for technical reasons, at least your IP address is transmitted. If you are also logged into your user account at YouTube, YouTube assigns, for example, information about the accessed videos to your personal user account.
You can prevent this assignment by logging out of your YouTube user account as well as other Google user accounts before using our website. The high security standards of the Google platform and Google’s associated privacy policy apply as protective measures. The purpose of the data transfer is the integration of the video offer of YouTube, which is popular among our users, in order to comfortably access the videos displayed without leaving our website.
The legal basis is your consent pursuant to Article 6(1)(f) GDPR.

19 GOOGLE FONTS
Google Fonts from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, a font collection from Google, are used to visually improve the typeface. These fonts are transferred to your browser's storage folder and activated when you access this website or other websites. If this is not supported, the text on the website will only be displayed in a standard font. To enable this, a request is sent to domains such as fonts.googleapis.com or fonts.gstatic.com, which contains your IP address for technical reasons. However, your data will not be merged with other data or traced back to you personally.
As a protective measure, we have ensured that the retrieval of the font collection from Google does not result in the data being merged with other Google offerings, e.g. if you have a Google user account. English information on data protection at Google Fonts confirms this. In addition, the high security standards of the Google platform and Google’s associated privacy policy apply. The purpose of the data transfer is the correct display of the fonts in the form we set. The IP address is required to establish a connection with Google's servers in order to download the font collection if it is not already stored on the end device.
The legal basis is the so-called legitimate interest, which has been examined in order to pursue the purpose and within the framework of the aforementioned protective measures, as well as in accordance with the European data protection requirements from Article 6(1)(f) GDPR.

20 GOOGLE ANALYTICS
If you have given your consent, this website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google‘).
Scope of processing
Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored.
We use the function User-ID. The User ID allows us to assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and to analyze user behaviour across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalized ads (interests and demographic data). Also, ads can be delivered to these users in cross-device remarketing campaigns.
We use the function 'anonymizeIP' (so-called IP-Masking): Due to the activation of IP-anonymization on this website, your IP-address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.
During your website visit the following data will be collected:
- The pages you visit, your ‘click behaviour‘
- Achievement of ‘website goals‘ (conversions, e.g. newsletter registrations, downloads, purchases)
- Your user behaviour (for example clicks, dwell time, bounce rates)
- Your approximate location (region)
- Your IP address (in abbreviated form)
- Technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
- Your internet provider
- The referrer URL (via which website/advertising medium you came to this website)
Purposes of processing
On behalf of the operator of this website, Google will use this information to evaluate your (pseudonymous [not user id]) use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyse the performance of our website and the success of our marketing campaigns.
Recipient
The data recipient is: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as data processor. For this purpose we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google.
Transfer to third countries
A transfer of data to the USA cannot be excluded. Duration of storage The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by:
a. not consenting to cookies or
b. downloading and installing the browser add-on to disable Google Analytics here.
By setting your browser software accordingly you can also prevent the storage of cookies. If your browser is set to refuse all cookies, the functionality of this and other websites may be limited.
Legal basis and right of withdrawal Your consent is the legal basis for this data processing, Article 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future by changing your selection in the cookie settings. More information here about Google Analytics terms of use and Google's privacy policy.

21 GOOGLE ADS AND GOOGLE CONVERSION TRACKING
This website uses Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
In conjunction with Google Ads, we use a tool called Conversion Tracking. If you click on an ad posted by Google, a cookie for Conversion Tracking purposes will be placed. Cookies are small text files the web browser places on the user’s computer. These cookies expire after 30 days and are not used to personally identify users. If the user visits certain pages of this website and the cookie has not yet expired, Google and we will be able to recognise that the user has clicked on an ad and has been linked to this page.
A different cookie is allocated to every Google Ads customer. These cookies cannot be tracked via websites of Google Ads customers. The information obtained with the assistance of the Conversion cookie is used to generate Conversion statistics for Google Ads customers who have opted to use Conversion Tracking. The users receive the total number of users that have clicked on their ads and have been linked to a page equipped with a Conversion Tracking tag. However, they do not receive any information that would allow them to personally identify these users. If you do not want to participate in tracking, you have the option to object to this use by easily deactivating the Google Conversion Tracking cookie via your web browser under user settings. If you do this, you will not be included in the Conversion Tracking statistics.
The storage of “Conversion” cookies and the use of this tracking tool are based on Art. 6 Sect. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator’s web offerings and advertising. If a corresponding agreement has been requested (e.g. an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the agreement can be revoked at any time.
To review more detailed information about Google Ads and Google Conversion Tracking, please consult the Data Privacy Policies of Google. You can set up your browser in such a manner that you will be notified anytime cookies are placed and you can permit cookies only in certain cases or exclude the acceptance of cookies in certain instances or in general and you can also activate the automatic deletion of cookies upon closing of the browser. If you deactivate cookies, the functions of this website may be limited.

22 GOOGLE TAG MANAGER
We use Google Tag Manager, a service from Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (Google). Google Tag Manager allows website tags to be managed via an interface. According to Google, Google Tag Manager is a cookie-less domain that does not record any personal data. Google Tag Manager ensures that other tags are triggered that may in turn record data. Google Tag Manager does not access this data. If deactivation takes place on the domain or cookie level, this remains unchanged for all tracking tags implemented with Google Tag Manager. You can find more information on data protection in Google‘s data protection policy.
The legal basis for use of this service is your consent as laid out in Article 6(1)(a) GDPR, and consent is granted via our cookie banner. Consent can be withdrawn at any time via cookie management.

23 WHEN IS DATA PASSED ON?
Data collected by us will only be passed on if:
- You have given your express consent in accordance with Article 6(1)(a) GDPR
- The disclosure is necessary for the assertion, exercise or defense of legal claims pursuant to Article 6(1)(f) GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed
- We are legally obligated to disclose your data pursuant to Art. 6 Par. 1 Sentence 1 lit. c GDPR or
- This is legally permissible and necessary according to Article 6(1)(b) GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request In addition, disclosure may take place in connection with official inquiries, court decisions and legal proceedings if it is necessary for legal prosecution or enforcement.

24 PAYMENT SERVICE PROVIDER
We use external payment service providers. Depending on which payment method you select in the order process (Paypal or Stripe), the payment service providers commissioned by Lengalia collect the data for payment processing themselves on your own responsibility. This might include your bank account or credit card details, your IP address, your internet browser and device type, and in some cases your first and last name, your address and information about the product you purchased from us. The payment service provider does not transmit any of your payment data to us.
The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(b) GDPR. Therefore, the privacy policy of the respective payment service provider applies. You can find more information on data processing when using the payment service provider here: PayPal and Stripe.

25 LINKS
Lengalia might contain links to other internet sites. We are not responsible for the private practices on other internet sites. We encourage our users to read through every privacy setting on every internet site individually before giving away any personal data.

26 AGE LIMIT FOR THE USE OF LENGALIA
The Lengalia offer is not aimed at children under 16 years of age. The Lengalia offer is also not offered to children whose age makes the processing of their personal data illegal or requires the consent of their parents to the processing of their personal data in accordance with the general data protection regulation (GDPR) or other local laws.
It is also pointed out that persons under 18 years of age always require the permission of parents or legal guardians in order to use the service. If you are under 16 years of age, do not provide us with any personal data. If you are a parent of a child under the age limit and you notice that your child has submitted personal data to Lengalia, please contact us using the contact form.

27 DATA SECURITY
Lengalia takes adequate security measures to protect the user's data. When you enter confidential data (e.g. passwords) we encode them by using secure SSL technology. Lengalia employs safety precautions to guarantee that your data are protected against loss, modification or misuse. To this end, Lengalia works with constantly updated firewalls meeting the industry standard as well as other security systems. At the same time, the user should be aware of the fact that one hundred per cent protection against attacks cannot be guaranteed because of the continual appearance of new viruses and other means of attacking the protected data systems of internet services. Lengalia will instigate civil and criminal proceedings against any attack by hackers and the like and will inform the users of any cases in which their data have been compromised.

28 PUBLICATION AND AMENDMENTS
We reserve the right to change our privacy policy. Amendments which are not fundamental become effective right away. Fundamental amendments become effective within 30 days of being published on the Lengalia website. If we make any changes we will make them public and mark the date when the change becomes effective at the top of the website. If we make fundamental changes to these guidelines, we will alert you here, via email, or via an announcement on your homepage. We recommend that you regularly come back to these guidelines and re-read them so that you are always completely informed about our privacy policy.

29 INDIVIDUALS IN THE EEA
In addition to the foregoing rights, you have the right to lodge a complaint with a supervisory authority if you believe we have processed your information in a manner inconsistent with your privacy rights. We kindly request that you contact us first by email so that we may address your concern.

30 CALIFORNIA AND NEVADA RESIDENTS (CCPA)
If you reside in California or Nevada, we are required to provide additional information to you about how we use and disclose your information, and you may have additional rights with regard to how we use your information. We have included this California-specific information below.
We may share your personal information in ways that could be considered a ‘sale‘ of personal information under certain state laws. Residents of California and Nevada have the right to opt-out of the sale of their personal information. If you are a qualifying resident of California or Nevada you can submit a request to opt out of any potential future sales under California and Nevada law by emailing us. We will respond to your verified request as soon as reasonably practicable, but no later than 30 days after receipt. If, due to unforeseen circumstances, there is a delay in our response, we will promptly notify you.
CA Personal Information
We collect certain categories and specific pieces of information about individuals that are considered "Personal Information" in California ("CA Personal Information"), specifically:
. Personal and Other Identifiers or Characteristics: such as first name and last name, personal or professional contact information, mailing address, telephone number, e-mail address, unique personal identifier, IP, device, and online activity information, gender, demographics, username and password to our Websites or services;
. Commercial Information: such as purchase or transaction history.
. Sources. We may collect certain categories of CA Personal Information from you and other third parties as described in our Privacy Policy.
Use of CA Personal Information
We may use CA Personal Information for business or commercial purposes. Please see our Privacy Policy for more details.
Use of CA Personal Information Sold or Disclosed For Business Purposes
In the preceding twelve months, we may have shared CA Personal Information for business purposes, or we may have “sold” (as defined under CCPA) some categories of CA Personal Information.
California Consumer Rights
Subject to certain exceptions, as a California resident, you may have the following rights to your CA Personal Information:
(i) Access. Request access to your CA Personal Information that we collect, use, disclose, or sell;
(ii) Deletion. Request deletion of your CA Personal Information; and
(iii) CA Personal Information Sold or Disclosed For Business Purposes.
Request information about the CA Personal Information we have "sold" (as defined under CCPA) or disclosed for business purposes within the preceding 12 months. To the extent permitted by applicable law, we may be required to retain some of your CA Personal Information and certain CA Personal Information is strictly necessary in order for us to fulfil the purposes described in this Privacy Policy.
Exercising California consumer rights
If you are a California resident and wish to exercise any of these rights, please:
(a) submit your request using our contact form;
(b) log into your account to make any updates or submit a request;
(c) contact us as described in the Website Privacy Policy.
When submitting your request, you may be asked to provide certain information, which may include additional proof of identification, so that we can verify your identity and validate the request. We are not responsible for requests that are not sent or submitted properly, or that do not have complete information. Please note that you are limited by law in the number of requests you may submit per year. We will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of products, based solely upon you exercising your rights to your CA Personal Information.
Do Not Sell My Personal Information
If we “sell” (as defined by CCPA) your CA Personal Information to a third party, as a California Resident, you have the right to opt-out of the sale of your CA Personal Information. If you wish to exercise this right, please contact us as described in the Website Privacy Policy section above. To the extent that you elect to designate an authorized agent to make a request on your behalf, they must identify that they are contacting us as agent and will be required to provide appropriate documentation including written signed authorization by you, proof of your identity, and verification of their identity; or a valid, designated power of attorney as required under the California Probate Code. We may require additional proof of authority or may need to contact you directly to validate the request. If you are under the age of 16, we will never "sell" your CA Personal Information without proper consent.

Last updated and effective as of: January 1, 2021
get help