Privacy Policy

Part 1: Information on data protection regarding our processing under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)

The protection of your privacy and personal data is important to us, and this is a key factor in how we design and implement our activities on the internet.

1. Office responsible for data processing and contact data

Responsible office within the meaning of data-protection law

This privacy policy applies to the website(s) operated by Agraya GmbH (formerly FoodPLUS GmbH), Spichernstr. 55, 50672 Cologne, Germany; email: info@agraya.com; tel.: +49 (0) 221 57776 0 (hereinafter referred to as “AGRAYA” or “we”) as the data controller. This includes www.agraya.org (hereinafter referred to as “Website”). This privacy policy can be accessed from this Website.

For questions relating to data protection and the processing of your personal data, please contact our data-protection officer:

HEC Harald Eul Consulting GmbH

Auf der Höhe 34

50321 Brühl

Email: dataprivacy@agraya.com

In this privacy policy, we inform you about the type, scope, and purposes of the collection, processing, and use of your personal data when visiting or using our Website. This is performed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable (federal) data protection legislation (hereinafter referred to jointly as “Applicable Data Protection Law”).

No automated decision-making/profiling is performed.

2. Purposes and legal foundations upon which we process your data

We process personal data in accordance with the stipulations of the General Data-Protection Regulation (GDPR), the German Federal Data-Protection Act (Bundesdatenschutzgesetz - BDSG) and other applicable data-protection provisions (details are provided in the following). The details of which data are processed and how they are used, possibly also using artificial intelligence (AI), depend largely on the services requested or agreed in each case. Further details or additions for the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time, as you may find out from our website www.agraya.com.

2.1 Purposes pursuant to fulfilment of an agreement or pre-contractual measures (Art. 6, section 1 b of the GDPR)

The processing of personal data is carried out in order to carry out our contracts with you and the execution of your orders as well as to carry out measures and activities within the framework of pre-contractual relations, e.g. with interested parties. In particular, the processing thus serves to provide services according to your orders and wishes and includes the necessary services, measures and activities. This essentially includes contract-related communication with you, the corresponding billing and associated payment transactions, credit checks, the verifiability of transactions, orders and other agreements as well as quality control by means of appropriate documentation, goodwill procedures, measures to control and optimize business processes as well as the fulfilment of general duties of care, control and supervision by affiliated companies (e.g. parent company); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security (inter alia system and plausibility tests) and general security, including building and plant security, securing and exercising domestic authority (e.g. by means of access controls); guaranteeing the integrity, authenticity and availability of data, preventing and investigating criminal offences; control by supervisory bodies or supervisory authorities (e.g. auditing).

2.2 Purposes within the framework of a legitimate interest on our part or of third parties (Art. 6, section 1 f of the GDPR)

Above and beyond the actual fulfilment of the (pre-) agreement, we process your data whenever this is necessary to protect legitimate interests of our own or of third parties, in particular for the following purposes:

2.3 Purposes within the framework of your consent (Art. 6, section 1 a of the GDPR)

Your personal data can also be processed for certain purposes (e.g. use of company communication systems for private purposes; photographs/videos of you for publication in the Intranet/Internet) including as a result of your consent. As a rule, you can revoke this consent at any time. You shall be separately informed about the consequences of revocation or refusal to provide consent in the respective text of the consent.

Generally speaking, revocation of consent only applies to the future. Processing that takes place prior to consent being issued is not affected by such and remains lawful.

2.4 Purposes relating to adherence to statutory requirements (Art. 6, section 1 c of the GDPR) or in the public interest (Art. 6, section 1 e of the GDPR)

Just like any actor which takes part in business life, we are also subject to a large number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws), but also if applicable supervisory law or other requirements set out by government authorities (e.g. generally accepted industry standards or guidelines).

The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g. comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law as well as the archiving of data for the purposes of data protection and data security as well as for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the framework of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution or the satisfaction of civil law claims.

3. The categories of data that we process as long as we do not receive data directly from you, and its origin

If necessary for the contractual relationship with you and the activities performed by you, we may process data which we lawfully receive from other offices or other third parties (e.g. audit reports, inspections findings or complaints by retailers, suppliers, traders or consumers).

In addition, we process personal data that we have lawfully collected, received or acquired from publicly accessible sources (such as, for example, commercial registers and association registers, civil registers, the press, Internet and other media) if such is necessary and we are allowed to process this data in accordance with statutory provisions.

Relevant personal data categories may in particular be:

4. Recipients or categories of recipients of your data

At our company, your data is received by those internal offices or organisational units that need such to fulfil our contractual and statutory obligations or that require such data within the framework of processing and implementing our legitimate interests.

Your data is disclosed/passed on to external offices and persons solely

We shall moreover refrain from transmitting your data to third parties if we have not informed you of such separately. If we commission service providers within the framework of processing an order, your data will be subject there to the security standards stipulated by us in order to adequately protect your data. In all other cases, recipients may only use the data for purposes for which the data has been sent to them.

5. Length of time your data is stored

We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.

Above and beyond this, we are subject to various retention and documentation obligations that emanate inter alia from the German Commercial Code (HGB) and the German Tax Code (AO), as well as other statutory retention and documentation obligations. The periods and deadlines for retention and/or documentation stipulated therein are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship.

Furthermore, special statutory provisions may require longer retention such as for example the preservation of evidence in connection with statutory time-barring provisions (statute of limitations). Under §§ 195 ff. of the German Civil Code (BGB), the regular time-barred period is three years, but time-barred periods of up to 30 years may also be applicable.

If the data is no longer required to meet contractual or statutory obligations and rights, it is regularly deleted unless its further processing - for a limited period - is necessary to fulfil the purposes listed under number 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest is deemed to be the case, for example, if it is not possible to delete the data as a result of the special type of storage or such is only possible at an unreasonably great expense and processing for other purposes is excluded by appropriate technical and organisational measures.

6. Processing of your data in a third country or through an international organisation

Data is transmitted to offices in countries outside the European Economic Area EU/EEA (so-called third states) whenever such is necessary to meet a contractual obligation towards you (e.g. if you are despatched to another country), such is required by law (e.g. notification obligations under tax law), such is in the legitimate interest of us or a third party or you have issued us your consent to such.

At the same time, your data may be processed in a third country including in connection with the involvement of service providers within the framework of the processing of the order. If no decision has been issued by the EU Commission regarding the assurance of an adequate level of data protection for the respective country or for one or more specific sectors within a third country, appropriate contracts (such as EU standard contracts) and additional measures may be used as a basis for the transfer. Information on the appropriate or adequate safeguards and on the possibility of obtaining a copy from you can be requested from the company data protection officer.

7. Your data-protection rights

If certain conditions are met, you can assert your data-protection rights against us

Whenever possible, your applications for the exercise of your rights should be sent in writing to the address stated above or addressed directly to our data-protection officer.

8. Scope of your obligations to provide us your data

You only need to provide data that is necessary for the commencement and performance of the business relationship or for a pre-contractual relationship with us or the collection of which we are required by law. Without this data, we are generally not able to conclude the agreement or continue to perform such. This may also relate to data that is required later within the framework of the contractual relationship. If we request data from you above and beyond this, you shall be informed about the voluntary nature of the information separately.

9. Presence of an automated decision made in individual cases (including profiling)

We do not use any purely automated decision-making procedure as set out in Article 22 of the GDPR. If we do institute such a procedure in individual cases in the future, we shall inform you pursuant hereto separately if this is required by law.

Information on your right of objection under Art. 21 of the GDPR

1. You have the right to file an objection at any time against processing of your data which is performed on the basis of Art. 6, section 1 f of the GDPR (data-processing on the basis of a weighing out of interests) or Art. 6, section 1 e of the GDPR (data-processing in the public interest). The precondition for this, however, is that there are grounds for your objection emanating from your special personal situation. This also applies to profiling that is based on this purpose in the meaning of Art. 4, no. 4 of the GDPR.

If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling reasons warranting protection for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

2. We will also use your personal data in order to perform direct advertising. If you do not want to receive any advertising, you have the right to file an objection to such at any time. This also applies to the profiling to the extent that it is connected with such direct advertising. We shall respect this objection with effect into the future.

We shall no longer process your data for the purpose of direct advertising if you object to processing for this purpose.

The objection can be filed without adhering to any form requirements and should if possible be sent to

Agraya GmbH
Spichernstr. 55
50672 Cologne
Germany

Our privacy policy and the information on data protection about our data processing according to Articles 13, 14 and 21 GDPR may change from time to time.

Access data and server log files

AGRAYA (or the webspace provider commissioned by AGRAYA) collects data about every visit to the Website. This data is saved in so-called server log files and includes the name of the accessed web page or webservice, file, date and time of the access, data volume transferred, any data input, report of successful access, browser type including version, your operating system, referrer URL (the page previously visited), Internet Protocol (IP) address, and where relevant username and the requesting provider. AGRAYA uses this data exclusively for statistical analyses and the purpose of operating, securing, and optimizing the Website. This data is not merged with other data sources or other personal data about you. The system needs to store the IP address temporarily to enable the Website to be delivered to you. The IP address is stored for the duration of the session for this purpose. Data is saved in server log files to safeguard the functionality of the Website. The data also helps AGRAYA to optimize the Website and safeguard the security of the IT systems. AGRAYA further reserves the right to review the data in the server log files retrospectively if there are specific indications that justify a suspicion of unlawful use. These purposes represent an example of AGRAYA’s legitimate interest in data processing. The legal basis for this data processing is Art. 6 (1) f) GDPR.

Registration

You can register on our Website for a variety of purposes. Registration is used to sign up for specific events, to receive informational emails/newsletters, or to receive informational material (e.g., brochures or posters). During registration we collect data about you that we need for the specific registration (hereinafter referred to as “Registration Data”). This generally includes your first name, email address and further information about your company (where relevant). The specific data is set out in further detail in the registration form in each case. The legal basis for this data processing is Art. 6 (1) b) GDPR.

When you register, we store your IP address in addition to the Registration Data. This falls within our legitimate interests relating to log purposes and the prevention of abuse. The legal basis for this data processing is Art. 6 (1) f) GDPR.

https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

You can object to the further processing, storage, and use of your Registration Data at any time. However, this may result in a complete deregistration. You may submit your objection either directly via the Website or by contacting us at dataprivacy@agraya.com.

Committees/Specialist groups

In certain cases, if you become active in committees/specialist groups we also process personal data, e.g., in the form of participation lists. This is necessary for the performance and documentation of the committees/specialist groups. The legal basis for this data processing is Art. 6 (1) b) and f) GDPR.

As part of their participation in the committees/specialist groups or collaboration on other projects, we may email certain users, in particular customers or other third parties we work with, a link for sharing content via SharePoint which is offered by Microsoft Ireland Operations, Ltd. (hereinafter referred to as “Microsoft”). Further information about Microsoft SharePoint can be found at https://products.office.com/en-us/sharepoint/collaboration. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below. This processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR when data is processed for the purpose of the performance of a contract.

Contact initiation

When you contact AGRAYA (e.g., via contact form, calendars, telephone, email, or as a follow-up to a contact made during a trade fair), your information is stored for the purpose of processing the request as well as for any follow-up queries. The legal basis for this data processing is Art. 6 (1) b) GDPR.

We process such information via Microsoft Dynamics. For further information about this service provider and the processing of your personal data in countries outside the EEA/EU, please see the section “Registration” above, and the section “Transferring data to countries outside the EEA/EU” below.

Comments and posts

If you leave a comment on our blog or make other posts, your IP address will be stored. This is done to protect AGRAYA if a user includes unlawful content in comments and/or posts (insults, forbidden political propaganda, etc.). AGRAYA may face legal action regarding the comment or post and thus has an interest in the identity of the author for the purposes of defending the claim or asserting recourse claims and may even be obliged to disclose such information to third parties, courts, or public authorities. These purposes represent an example of AGRAYA’s legitimate interest in data processing. The legal basis for this data processing is Art. 6 (1) c) and f) GDPR.

Informational emails, newsletters

We send informational emails to large mailing lists (hereinafter referred to as “Informational Emails”), in particular our newsletters on a range of subjects, to inform our consenting users about our products and services, invitations to certain events, as well as news about us or our Website. If you want to receive Informational Emails, we need you to provide a valid email address. We use a procedure to verify that you are the holder of the email address that was provided, or that the holder consents to receiving the Informational Emails (“double opt-in procedure”). This involves us sending an email to the email address that was provided with a request to reconfirm the registration to receive the Informational Emails (e.g., by clicking a link). Additionally, on request, you can indicate the specific topics we may inform you about. No further data is collected. This data is not used for any purpose other than sending Informational Emails and is not passed on to third parties. The legal basis for this data processing is your consent (Art. 6 (1) a) GDPR; section 7 (2) German Act on Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG)).

When you register for one of our Informational Emails, we store your IP address and the date of the registration. This data is stored solely for evidential purposes in the event that a third party misuses an email address and registers to receive Informational Emails without the knowledge of the authorized party. This falls within the legitimate interests of both us and our users (Art. 6 (1) f) GDPR).

You can withdraw your consent to the saving of your data, your email address, and its use for the sending of Informational Emails at any time with effect for the future. Your withdrawal can be performed via a link in the Informational Emails themselves or by notifying us, as described in further detail in the section “Rights of data subjects”.

We process your data in connection with Informational Emails via Microsoft Dynamics. For further information about this service provider or the processing of your personal data in countries outside the EEA/EU, please see the section “Registration” above, and the section “Transferring data to countries outside the EEA/EU” below.

Inxmail

This website uses Inxmail for sending newsletters. The provider is the Inxmail GmbH, Wetzinger Straße 17, 79106 Freiburg (hereinafter referred to as “Inxmail”).

Inxmail is a service that, among other things, organizes the mailing of newsletters and allows the analysis of such services. The data you enter for the purpose of subscribing to the newsletter is processed on Inxmail servers.

Inxmail Data Analysis

With the assistance of Inxmail, we are in a position to analyze our newsletter campaigns. For instance, this allows us to see whether a newsletter message has actually been opened and which links were clicked. This enables us to find out which links are clicked with great frequency.

We can also see whether any predefined activities took place after opening / clicking (conversion rate). This allows us to recognize whether a purchase was made after the newsletter was clicked.

Inxmail also allows us to divide newsletter recipients into different categories (clusters). It is, for example, possible to divide the newsletter recipients based on age, gender, or place of residence. This allows us to adapt our newsletters more effectively for the respective target groups. If you do not want to participate in the Inxmail analysis, you will have to unsubscribe from the newsletter. We provide a link to opt out in every newsletter message.

To review the Data Privacy Policy of Inxmail please click here: https://www.inxmail.de/datenschutz.

Anonymized Tracking

We use Inxmail’s anonymous tracking, which only allows us to identify you if you have explicitly consented to this in advance.

Legal Basis

The data is processed on the basis of your consent (Art. 6(1)(a) GDPR). You may revoke your consent at any time with future impact.

Archiving Period

The data you provide for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after unsubscribing from the newsletter or after the purpose for its use has ceased to exist. We reserve the right to delete email addresses from our newsletter distribution at our own discretion in conjunction with our legitimate interest pursuant to Art. 6(1)(f) GDPR or to block them. This will not affect data we store for other purposes.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist, if such action is necessary to prevent future mailings. Data from the blacklist will be used exclusively for this purpose and will not be merged with other data. This is in your and our best interest and also in the interest of compliance with the statutory mandates for the sending of newsletters (legitimate interest as defined in Art. 6 (1)(f) GDPR). There is no time limit for archiving in the blacklist. You may object to the storage if your interests outweigh our legitimate interests.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Surveys/Microsoft forms

We may also conduct online surveys on the basis of your respective consent with the aid of Microsoft Forms, a service offered by Microsoft, with whom we have entered into a data processing agreement. The surveys may be disseminated in a number of ways (via hyperlink, QR code, embedding in a website or Sway, or sent by email). Processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR when data is processed for the purpose of the performance of a contract.

Further information about Microsoft Forms can be found at https://support.office.com/en-us/forms. It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

Jotform

We have integrated Jotform into this website. The provider is Jotform Inc., 111 Pine St. Suite 1815, San Francisco, California 94111, USA (hereinafter referred to as “Jotform”).

Jotform enables us to generate online forms to record messages, inquiries and other entries entered by visitors to our website. All entries you make will be processed on Jotform’s servers.

We use Jotform on the basis of our legitimate interest in determining your needs as effectively as possible (Art. 6(1)(f) GDPR). If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

The data you enter into the form will remain in our possession until you ask us to delete them, revoke your consent to the archiving of your data or until the purpose of archiving the data no longer exists (e.g., upon completion of the processing of your inquiry). This does not affect mandatory statutory provisions – in particular those governing retention periods.

The transfer of the data to the United States is safeguarded by EU Standard Contract Clauses we have executed with Jotform. For details, please follow this link: https://www.jotform.com/gdpr-compliance/dpa/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/6788.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Online payments

If you register for an event, we make it possible for any payable fees to be paid online, depending on the specific offering. Similarly, all invoices issued by AGRAYA can be paid online using a credit card. The data required to initiate the online payment is strictly separated from your Registration Data. If you opt for online payment, the data you input, including the intended use and the sum to be transferred for the online payment, is not saved directly by us, but forwarded straight to BS Payone GmbH for payment verification and the initiation of the payment process. BS Payone GmbH transfers no more than minimal information about the payment procedures to us (e.g., allocation to invoice number and status of the payment transaction). BS Payone GmbH is therefore responsible for processing and storing personal data in connection with online payments. This serves the purpose of performing a contract between you and AGRAYA and thus falls within the legitimate interests of both parties (Art. 6 (1) b) and f) GDPR). The data protection regulations of BS Payone GmbH can be accessed at https://www.payone.com/DE-en/data-protection-regulations.

If you and/or your company are located in the United States, the payment service provider used is First Data Merchant Services, LLC. (hereinafter referred to as “Payeezy”). To pay, you will be redirected to Payeezy’s website, where you can enter the data required for payment processing (Art. 6 (1) b) and f) GDPR). We do not transfer any personal data to Payeezy. For more information on how Payeezy processes personal data, please refer to Payeezy’s privacy policy at https://merchants.fiserv.com/en-us/privacy/?utm_source=firstdataus.

Applications

On our Website we may publicize job advertisements for vacancies in our company, at our subsidiary in the USA (GLOBALG.A.P. North America Inc.), or our offices in South Africa. Responsibility for filling the vacancies and processing the respective applications lies with the company to which you make the specific application.

If you submit an application to us or our subsidiary or other offices, the respective company will process the information and documents you submit including the personal data included therein, such as your full name, address, email address, telephone number, information about your professional development/résumé, references, or other information that you communicate to that company in the course of your application. Prior to any appointment, the personal data (full name, date of birth, place of birth, nationality) of the applicants short-listed following the application process shall be checked against entries on blacklists, and especially the EU terrorist list pursuant to the EU anti-terror regulations. The purpose of this is to enter into a contract of employment with these applicants and to comply with a legal obligation to which we are subject (Article 6 (1) c) GDPR), because statutory provisions prohibit financial benefits, including the payment of a salary, being paid to persons who are included on such blacklists.

If we forward your application to our subsidiary in the USA, we do so to comply with your request to enter into/initiate an employment contract with the subsidiary pursuant to Art. 49 (1) 1b) GDPR. The submission of application documents including personal data is necessary for the performance of the application process.

You are not obliged, either under statute or contractually, to provide personal data for application purposes. However, if you supply no information about yourself, your application cannot be processed.

Transferring data to third parties

We will not disclose your personal data to third parties unless you have provided your consent or another permitted circumstance applies in accordance with the Applicable Data Protection Law. These third parties include in the first instance service providers commissioned by us to support our business operations (Art. 28 GDPR). This covers, e.g., webspace providers for the operation of our Website or the forwarding of invoicing or tax-relevant information to service providers for the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transmitted data will extend only to the minimum required to achieve the purposes pursued via the data processing. If you register on our Website for an event, we transmit the information you submit during registration to the organizations and companies we work with to run the respective event. The legal basis for this data processing is Art. 6 (1) b) GDPR.

For the purpose of pooling resources and optimizing our business processes, we operate a CRM system with our affiliated company, GLOBALG.A.P. North America Inc., under joint responsibility pursuant to Art. 26 GDPR. In this regard, we have concluded a so-called joint controller agreement (Art. 26 (1) GDPR). You can assert your data protection rights with each controller. The parties will inform each other without delay of claims asserted by data subjects in relation to the joint processing. They will provide each other with all the information necessary to respond to requests for information. Agraya GmbH will generally process and respond to requests from data subjects. GLOBALG.A.P. North America Inc. is located in the USA, outside the EU/EEA. To ensure an appropriate level of data protection, we have concluded so-called standard contractual clauses. You can find more information on data transfers to third countries in the following section.

If we are legally obliged to disclose specific personal data on the basis of a judicial decision or following a request for information from law enforcement or supervisory authorities or authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an unlawful act, or other acts that may give rise to legal liability for you or us, we will disclose the data required for the investigation, such as your full name, address, email address, or other relevant information (Art. 6 (1) c) GDPR). Similarly, we reserve the right to process and use users’ personal data to enforce or defend against claims.

Transferring data to countries outside the EEA/EU

Personal data may be transferred to third parties that are located in non-EEA or non-EU countries and where no so-called adequacy decision exists, i.e., the European Commission has not established a level of data protection comparable to that in the EU (e.g., the USA, South Africa). In this case, prior to transferring, we ensure in compliance with the requirements of Art. 44 et seq. GDPR that an adequate level of data protection is in place at the recipient, in particular by conducting what are known as transfer impact assessments, by obtaining your consent in advance, or through specific guarantees, in particular the self-certification of a recipient in the USA in accordance with the principles of the EU – US Privacy Framework as well as concluding what are referred to as the EU standard contractual clauses. A copy of suitable guarantees can be obtained on request via the email address set out at the beginning of this privacy policy. Basic information about the participants of the EU–US Privacy Framework can also be found here. Basic information about the EU standard contractual clauses can be found here, and information about the adequacy decisions here.

Furthermore, even when we have concluded standard contractual clauses, we seek to establish further measures that provide an equal level of data protection compared to the applicable standards in the EU when personal data is forwarded to third countries (e.g., the USA, South Africa). Such further measures shall be established to accommodate CJEU decision C-311/18 (Schrems II). For further information on this topic, please contact our Data Protection Officer via the email address set out at the beginning of this privacy policy.

Integration of third-party content and services

Third-party content, such as YouTube videos, RSS feeds, or graphics from other websites, may be integrated into our online offerings. This usually assumes that the providers of this content (hereinafter referred to as “Third-Party Providers”) will be aware of the user’s IP address. This is because they would not be able to transmit the content to the browser of the user in question without the IP address. The IP address is therefore necessary in order to display this content. We endeavor only to use such content in those cases in which the respective Third-Party Provider only uses the IP address to deliver the content. However, we have no influence over whether the Third-Party Providers use IP addresses, e.g., for statistical purposes. Where we are aware of this, we will notify the users accordingly. The use of enhanced presentation options for information purposes and to optimize your user experience is within our mutual legitimate interest (Art. 6 (1) f) GDPR).

Further information about the use of YouTube videos can be found below.

YouTube with expanded data protection integration

This website integrates videos from the YouTube website. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit one of these websites on which YouTube is integrated, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

We use YouTube in extended data protection mode. According to YouTube, videos that are played in extended data protection mode are not used to personalize browsing on YouTube. Ads that are played in extended data protection mode are also not personalized. No cookies are set in extended data protection mode. Instead, so-called local storage elements are stored in the user's browser, which contain personal data similar to cookies and can be used for recognition. Details on the extended data protection mode can be found here: https://support.google.com/youtube/answer/171780.

After activating a YouTube video, further data processing operations may be triggered over which we have no influence.

The use of YouTube is based on our interest in presenting our online content in an appealing manner. Pursuant to Art. 6(1)(f) GDPR, this is a legitimate interest. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

For more information on how YouTube handles user data, please consult the YouTube Data Privacy Policy under: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Cookies

Cookies are small files that permit specific information relating to a device to be stored on the user’s accessing device (PC, smartphone, etc.). Some enhance the user-friendliness of websites and aid the user (e.g., by storing login data), some enable the recording of statistical data about website use and the analysis to improve the Website or the placement of targeted ads. You can influence how cookies are used. Most browsers have an option that limits or completely prohibits the storage of cookies. However, it should be noted that use, and especially user comfort, may be restricted without cookies. Our users can manage many online advertising cookies from companies via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/uk/your-ad-choices/. For further information about the use of cookies and how you can deactivate them, see www.youronlinechoices.com.

We store cookies on our users’ hard drives unless they actively block them. The processing of personal data collected using cookies for analytical and marketing purposes is only done, and cookies are only dropped, subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR. You can withdraw your consent at any time with effect for the future. The legal basis for using cookies which are necessary for the technical operation of our website is Art. 6 (1) f) GDPR. Further information on which Third-Party Providers we use in this regard can be found in the following.

Piwik PRO

We have integrated Piwik PRO on this website. The provider of this service is Piwik PRO GmbH, Knesebeckstraße 62/63, 10719 Berlin.

Piwik PRO enables us to collect and analyze data about the behavior of website and app users. For this purpose, Piwik PRO processes surfing behavior, device information and the IP address. It also stores cookies in your browser.

The use of the above-mentioned service is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the continuous optimization of the website and its content to offer users an improved and personalized user experience and to increase website performance. If a corresponding consent has been requested, the processing is carried out exclusively based on Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

Further details can be found in the provider’s privacy policy at https://piwikpro.de/datenschutz/#product.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that the provider processes personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Google Ads

The website operator uses Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display ads in the Google search engine or on third-party websites, if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). As the website operator, we can analyze these data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to respective clicks.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Our social media appearances

This privacy policy applies to the following social media presence

Data processing through social networks

We maintain publicly available profiles in social networks. The individual social networks we use can be found below.

Social networks such as Facebook, etc. can generally analyze your user behavior comprehensively if you visit their website or a website with integrated social media content (e.g., like buttons or banner ads). When you visit our social media pages, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged in to your social media account and visit our social media page, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This allows interest-based advertising to be displayed to you inside and outside of the respective social media presence. If you have an account with the social network, interest-based advertising can be displayed on any device you are logged in to or have logged in to.

Please also note that we cannot retrace all processing operations on the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. Details can be found in the terms of use and privacy policy of the respective social media portals.

Legal basis

Our social media appearances should ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. The analysis processes initiated by the social networks may be based on divergent legal bases to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6 (1) (a) GDPR).

Responsibility and assertion of rights

If you visit one of our social media sites (e.g., Facebook), we, together with the operator of the social media platform, are responsible for the data processing operations triggered during this visit. You can in principle protect your rights (information, correction, deletion, limitation of processing, data portability and complaint) vis-à-vis us as well as vis-à-vis the operator of the respective social media portal (e.g., Facebook).

Please note that despite the shared responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are determined by the company policy of the respective provider.

Storage time

The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, you revoke your consent to the storage, or the purpose for the data storage lapses. Stored cookies remain on your device until you delete them. Mandatory statutory provisions - in particular, retention periods - remain unaffected.

We have no control over the storage duration of your data that are stored by the social network operators for their own purposes. For details, please contact the social network operators directly (e.g., in their privacy policy, see below).

Your rights

You have the right to receive information about the origin, recipient and purpose of your stored personal data at any time and free of charge. You also have the right to object, the right to data portability and the right to file a complaint with the responsible regulatory agency. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

Individual social networks

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland.

According to Facebook, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Facebook. Further details can be found in Meta’s privacy policy: https://www.facebook.com/about/privacy/.

Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

For details on how they handle your personal information, see the Instagram Privacy Policy: https://privacycenter.instagram.com/policy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/4452.

LinkedIn

We have a LinkedIn profile. The provider is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you want to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

For details on how they handle your personal information, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5448.

YouTube

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow St, Dublin, D04 E5W5, Ireland. Details on how they handle your personal data can be found in YouTube’s privacy policy: https://policies.google.com/privacy?hl=de&gl=de#infocollect.

Additional California privacy terms and rights

The state of California enacted the California Consumer Privacy Act in 2018 and amended it in 2020 under the California Privacy Rights Act (hereinafter referred to collectively as “CCPA”). Together, the acts afford certain rights to California residents (“consumers”). This section specifically addresses the rights of California residents under the CCPA.

A. Collection categories

As explained above in this privacy policy, we collect a variety of categories of information, including sensitive personal information, in connection with providing the services. In this section, we explain these categories again specifically in the context of the CCPA. In providing the services on the Websites, we collect the following categories of personal information: the person’s name, postal/mailing address, IP address, unique personal identifier or online identifier, email address or telephone number, and other Registration Data.

B. Information sources

As explained above, we collect personal information from consumers themselves directly via our Website, through interactions with our company’s personnel, and through social media, and, in some cases, from service providers.

C. Personal information use and sharing for business purposes

As explained in greater detail above, we use the personal information that is collected for a wide variety of business purposes:

To fulfill any contractual obligations with you related to the Website

To facilitate the establishment and use of accounts created on the Website

To verify your identity and manage access to your accounts on the Website

To facilitate your participation in our online forums

For analytics purposes and to operate, maintain, and improve the Website

To market the Websites and gather additional information regarding the Website

To create new products and services on the Website

To protect against, investigate, and deter fraudulent, unauthorized, and/or illegal activity on or relating to the Website

When necessary, to meet legal requirements, such as legally mandated reporting, subpoenas, court orders, or other legal process requirements

We only disclose and share your personal information for business purposes with the following categories of third parties:

Service providers, as explained above, and with our affiliated company GLOBALG.A.P. North America Inc.

D. Sale of personal information

We do not engage in any sale of a consumer’s personal information as that term is defined under the CCPA.

E. Sharing of personal information

The CCPA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal information. We share your personal information, as described above, with the companies that provide cookies and similar technologies used on our Website. Those companies have access to and might use the personal information gathered through these technologies, which might include an individual consumer’s IP address. Such uses might include targeted advertising information based on individual internet activity and interests. It is possible that some of the businesses providing marketing services to us might share personal information with their business partners. In addition, some companies that provide services to us might need to access and use customer information as part of providing services to us, and these same companies might use this information for the development of their own business capabilities, not solely for the provision of services to us.

To notify us of your desire to restrict the use of your personal information by third parties, contact us and submit your request by emailing us at dataprivacy@agraya.com:

DO NOT SHARE MY PERSONAL INFORMATION

If you have any questions about submitting your request, please contact us and submit your request by emailing us at dataprivacy@agraya.com or calling toll-free at +1 833 879 8855.

F. Your California rights and choices

The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

i. Access to specific information.

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will disclose to you:

The categories of personal information we collected about you

The categories of sources for the personal information we collected about you

Our business or commercial purpose for collecting or selling that personal information

The categories of third parties with whom we share that personal information

The specific pieces of personal information we collected about you

If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

Sales, identifying the personal information categories that each category of recipient purchased

Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

Under the CCPA, you may also request that we disclose certain information to you about our collection and use of your personal information beyond the past 12 months. We, however, may decline to provide that information to you if doing so would require a disproportionate effort on our part.

ii. Deletion and correction request rights

You have the right to request that we delete or correct any of your personal information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will delete (and direct our service providers to delete) or correct your personal information from our records, unless an exception applies.

In the absence of a verifiable consumer request from you, we will retain your personal information as described above, before automatically deleting (and directing our service providers to delete) it.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information, provide goods or services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities

Debug products to identify and repair errors that impair existing intended functionality

Exercise free speech, ensure the right of another consumer to exercise their right to free speech, or exercise another right provided for by law

Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.)

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent

Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us

Comply with a legal obligation

Make other internal and lawful uses of that information that are compatible with the context in which you provided it

iii. The right to opt out – the right to opt out of sharing of personal information

You have the right to opt out of the sharing of your information with a third party, i.e., to prevent a transfer of information to a third party that is not restricted in certain ways from making use of the information. As we explained above, some of the companies that provide cookies and similar technologies might use personal information for targeted advertising information based on individual internet activity and interests, potentially including the sharing of information with others. You can exercise your right to opt out of the sharing of your information by emailing us at dataprivacy@agraya.com:

DO NOT SHARE MY PERSONAL INFORMATION

iv. Exercising consumer rights

To exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods:

• Emailing us at dataprivacy@agraya.com

• Calling us toll-free at +1 833 879 8855

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a 12-month period.

To verify the identity of an individual making a request, a two-step process will need to be completed. A verifiable consumer request must do the following:

Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it

Separately provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

v. Response timing and format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Unless otherwise requested, any disclosures we provide will cover no more than the 12-month period preceding receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, where applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless the request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

G. Nondiscrimination

We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services

Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties

Provide you with a different level of quality of goods or services

Suggest that you may receive a different price or rate for goods or services or a different level of quality of goods or services

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives.

H. “Shine the Light” disclosure

We have not shared any personal information with other companies for their direct marketing use within the immediately preceding calendar year. Accordingly, California’s “Shine the Light” law, Cal. Civil Code § 1798.83 to § 1798.84, does not apply to us, and we have not established any mechanism for you to request information on our sharing of information for third parties’ marketing purposes.

Updates to the privacy policy

In the course of the ongoing development of our Website, we will also continually modify our privacy policy. Any changes will be communicated on this page in good time. For that reason, our users should regularly view this page to find out about the current status of the privacy policy.

Last updated: 26/06/2025
