Privacy Policy

1) Introduction and contact details of the controller

1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you how we process your personal data when you use our website and our platform. Personal data means any information relating to an identified or identifiable natural person.

1.2 The controller for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

PortfolioReach UG (haftungsbeschränkt)
Kolonnenstraße 8
10827 Berlin
Germany
Phone: +49 155 10182722
E-mail: contact@portfolioreach.com

2) Data collection when visiting our website

2.1 When you use our website for informational purposes only, that is, if you do not register or otherwise submit information to us, we collect the data that your browser transmits to the server of our website. This includes in particular:

  • visited page
  • date and time of access
  • amount of data transferred
  • referrer URL
  • browser used
  • operating system used
  • IP address

2.2 This data is processed in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in the stability, security and functionality of our website.

2.3 This website uses SSL or TLS encryption to ensure the secure transmission of personal data.

3) Hosting, infrastructure and content delivery

3.1 For the technical provision of our website, our platform functions and our APIs, we use external infrastructure and hosting providers.

3.2 In the course of providing our services, personal data may be processed on the servers of hosting, infrastructure, security and content-delivery providers where this is necessary for the operation, delivery of content, error analysis, security and performance of our services.

3.3 This may include in particular connection data, IP addresses, metadata and log data, technical request data, browser information, as well as content and account data processed in the course of using our service.

3.4 The processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in the secure, stable and high-performance operation of our website and platform.

4) Consent management with Cookiebot

4.1 This website uses a consent management tool to obtain, manage and document consent for cookies, similar technologies and services that require consent.

4.2 Your selection decisions are stored so that only those services for which you have given consent are loaded. The tool also serves to enable withdrawals of consent and later changes to your settings.

4.3 Where personal data is processed within the scope of consent management, this is done on the basis of Art. 6(1)(c) GDPR to fulfil our legal obligations and in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in lawful and user-friendly consent management.

5) Cookies and local storage in the browser

5.1 We use cookies and similar technologies as well as local storage mechanisms in the browser where this is technically necessary or where you have consented to this.

5.2 Such storage mechanisms may in particular serve to:

  • store your language settings and user interface preferences,
  • support login and security functions,
  • document consent decisions,
  • maintain sessions and certain platform states,
  • prevent abuse and improve the stability of the platform.

5.3 The legal basis is Art. 6(1)(f) GDPR where the processing is technically necessary or serves our legitimate interests in the secure and functional provision of our services. Where legally required, the processing is carried out on the basis of your consent in accordance with Art. 6(1)(a) GDPR.

6) Contact by e-mail

6.1 If you contact us by e-mail, we process the data you provide solely for the purpose of handling your request and the associated technical and organisational communication.

6.2 The legal basis is Art. 6(1)(b) GDPR if your request is aimed at the conclusion or performance of a contract, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interests in the proper handling of enquiries.

6.3 If you submit requests to us via forms on our platform, we process the data you provide and the technically required submission data in order to handle, document and, where applicable, respond to your request, troubleshoot issues, prevent abuse and improve our services. This may include in particular your message, the selected category, any e-mail address you provide voluntarily, the assignment to your user account, the current page or URL, the time of submission, browser/device information, IP address and comparable request metadata. The legal basis is Art. 6(1)(b) GDPR where the request relates to your account or the use of our services, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interests in request handling, product improvement, abuse prevention and platform security. If you provide an e-mail address, we use it only to contact you regarding the relevant request.

7) Registration, user account and authentication

7.1 You can create a user account on our platform. In the course of registration, we process the mandatory data you provide as well as any additional information that you voluntarily provide.

7.2 We use your registration data to set up and manage your user account, provide access to protected areas and carry out security-relevant processes.

7.3 In the course of account use, we may also process data that is necessary for authentication, account security, the prevention of abuse and technical administration.

7.4 The legal basis is Art. 6(1)(b) GDPR where the processing is necessary for the performance of the contractual relationship with the user, and Art. 6(1)(f) GDPR on the basis of our legitimate interests in abuse prevention, IT security and platform stability.

8) Sending system e-mails and account-related communication

8.1 In connection with registration, login, e-mail confirmation, password reset, security notifications and account-related communication, we may use e-mail service providers.

8.2 In particular, e-mail address, technical sending data and content are processed where this is necessary for the delivery and documentation of the relevant communication.

8.3 The legal basis is Art. 6(1)(b) GDPR where the communication is necessary for the performance of the contractual relationship with the user, and Art. 6(1)(f) GDPR for security-related and administrative communication.

9) Public profiles, portfolios and published content

9.1 Our platform is designed to enable users to publish public profiles, portfolios, media content and other platform-related information.

9.2 If you use the relevant functions, the profile details, portfolios, media, comments, interactions or other content that you release may be publicly visible or shared with other users.

9.3 Which content is visible depends on the respective function, the type of content, the releases granted and the platform settings.

9.4 The legal basis is Art. 6(1)(b) GDPR where publication is part of the service you use, and Art. 6(1)(f) GDPR on the basis of our legitimate interests in operating a portfolio and community platform.

10) Comments, interactions and reporting system

10.1 If you use comment functions or comparable interaction functions, we process your comment, the time of creation, the assignment to your user account or username and, where applicable, other technically required contextual data.

10.2 We use this data to provide the respective function, display content, enable communication between users and prevent abuse or legal infringements.

10.3 Users may under certain circumstances report content. In this context, we process the data necessary for review, moderation, documentation and, where applicable, enforcement of our rules.

10.4 The legal basis is Art. 6(1)(b) GDPR where the processing is necessary to provide the respective function, and Art. 6(1)(f) GDPR on the basis of our legitimate interests in the security, integrity and lawful use of our platform.

11) Own web analytics and event tracking

11.1 We may use our own analytics and event-tracking functions to evaluate the use of our website and platform, improve technical stability, detect abuse, analyse the reach of content and support the ongoing development of our services.

11.2 In particular, information about pages accessed, referrers, technical request data, timestamps, campaign parameters, interactions, share-related events and usage-related contextual data may be processed.

11.3 Where the analysis is technically necessary or serves the security and operation of our services, the processing is carried out on the basis of Art. 6(1)(f) GDPR. Where legally required, the processing is carried out only on the basis of your consent in accordance with Art. 6(1)(a) GDPR.

12) Map and location functions

12.1 We may use map and geolocation functions in order to provide locations, regional assignments, search results or location-related information visually or functionally.

12.2 When using the relevant functions, in particular IP address, technical request data, location references, search details or map-related usage data may be transmitted to the map services used in each case or to supporting geodata providers.

12.3 The legal basis is Art. 6(1)(f) GDPR on the basis of our legitimate interests in the user-friendly and needs-based provision of map and location functions. Where legally required, the processing is carried out on the basis of your consent in accordance with Art. 6(1)(a) GDPR.

13) Bot protection and abuse prevention with Cloudflare Turnstile

13.1 To prevent automated entries, abusive requests, spam activities and other automated harmful access, we may use the Cloudflare Turnstile service.

13.2 In the course of using Turnstile, in particular IP address, browser and device information, operating system information, time and duration of a visit, and further technical signals may be processed where this is necessary to distinguish human use from automated or abusive use.

13.3 The processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests in protecting our website and platform against abuse, spam, DDoS attacks and other automated disruptions. Where legally required, we obtain consent for this in accordance with Art. 6(1)(a) GDPR.

14) Age verification and youth-protection related checks with Ondato

14.1 Where we use age-verification, age-assurance, identification or youth-protection related procedures on our platform, we may use Ondato as a service provider for this purpose.

14.2 Such processing may take place in particular in order to restrict access to certain areas, content, functions or user groups to adults, to implement youth-protection requirements, to prevent abuse, and to enforce access-control rules or comparable protective mechanisms. Where relevant for our youth-protection setup, the triggering of such checks may depend on the jurisdiction determined by us on a server-side basis from request-related data, including country information derived from the request, and not solely on information self-declared by the user.

14.3 Depending on the verification flow used in the individual case, the following categories of personal data may in particular be processed by us and/or by Ondato on our behalf:

  • first and last name
  • date of birth
  • information from identity documents
  • photo, selfie or other facial capture of the person
  • photo of the identity document
  • IP address
  • technical request, device, session and consent-related data
  • biometric facial data or biometric facial features used for biometric age-assurance or identity-related checks
  • result, status and reference data of the age or identity check
  • where applicable, video recordings or other verification data, where required for the specific procedure or fallback flow

14.4 Where special categories of personal data are processed, in particular biometric data, this is done only where and to the extent necessary for the respective procedure. The processing is based on an applicable legal basis under data protection law. Depending on the context, this may include in particular Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and, where required for the processing of special categories of personal data, your explicit consent pursuant to Art. 9(2)(a) GDPR.

14.5 We process the outcome of such checks only to the extent necessary for age assurance, access control, youth-protection enforcement, abuse prevention, evidentiary purposes, dispute handling and compliance with legal obligations. We generally aim to store on our side only the minimum result and reference data necessary for these purposes. Additional verification materials may be processed and stored within Ondato’s systems for up to 60 days after the relevant verification, subject to the configured retention settings and unless a different retention period is required by law or is necessary in an individual case. After deletion or redaction, limited status, timestamp, reference and audit-related information may remain where necessary for documentation, security, compliance or evidentiary purposes.

14.6 Ondato acts for these purposes generally as our processor on the basis of the applicable contractual arrangements. According to the contractual framework currently in place, processing is intended to take place within the EEA and is not intended to be transferred outside the EEA without the prior written consent of the controller.

14.7 A successful age-verification result does not necessarily expire automatically after a fixed period. However, we may revoke, review or require a renewed verification where this is necessary for legal, regulatory, security, abuse-prevention or operational reasons, including where there are indications of misuse, changes in the applicable rules, or justified doubts regarding the continued validity of the previous result.

15) Storage of media and uploaded content

15.1 If you upload images, avatars, portfolios, files or other content to our platform, we process this content for storage, provision, delivery, protection and, depending on the permissions granted, publication.

15.2 Technical metadata and access data may also be processed where this is necessary for upload, storage, access protection, display and delivery.

15.3 The legal basis is Art. 6(1)(b) GDPR where the processing is necessary for the provision of upload and platform functions, and Art. 6(1)(f) GDPR on the basis of our legitimate interests in the secure, high-performance and user-friendly provision of media.

16) Payment processing with Stripe

16.1 Where we offer paid services, subscriptions or other paid functions, payments may be processed through the payment service provider Stripe.

16.2 In particular, master data, contact data, transaction data, payment information, billing data and security-related information may be processed where this is necessary for payment processing, fraud prevention, invoicing and performance of the contractual relationship.

16.3 The legal basis is Art. 6(1)(b) GDPR.

17) Login or linking via third-party platforms, in particular Meta/Instagram

17.1 Where we offer functions that allow you to link your user account with third-party services or log in via third-party services, we process the data required for this.

17.2 Depending on the function, this may include in particular your external user identifier, profile information, technical authentication data and account information made available by you.

17.3 The processing is carried out on the basis of Art. 6(1)(b) GDPR where the respective function is necessary for the provision of the service and, where required, on the basis of your consent in accordance with Art. 6(1)(a) GDPR.

18) Advertising monetisation with ExoClick

18.1 Where we use advertising services or advertising-based monetisation, we may use external advertising service providers such as ExoClick for this purpose.

18.2 In the course of such services, cookies, similar technologies, device identifiers, IP addresses, browser information, interaction data and usage-related information may be processed in order to deliver advertising, measure reach, prevent abuse or implement frequency limitations.

18.3 Such services are used only where this is legally permissible and, where required, on the basis of your consent in accordance with Art. 6(1)(a) GDPR.

19) Exercise of your data subject rights

19.1 Applicable data protection law grants you the statutory data subject rights, in particular:

  • access pursuant to Art. 15 GDPR
  • rectification pursuant to Art. 16 GDPR
  • erasure pursuant to Art. 17 GDPR
  • restriction of processing pursuant to Art. 18 GDPR
  • right to be informed of rectification, erasure or restriction pursuant to Art. 19 GDPR
  • data portability pursuant to Art. 20 GDPR
  • withdrawal of consents granted pursuant to Art. 7(3) GDPR
  • complaint to a supervisory authority pursuant to Art. 77 GDPR

19.2 To exercise your rights, you may contact us at contact@portfolioreach.com.

19.3 We reserve the right to require suitable proof of your identity before processing a request where this is necessary for the protection of personal data.

20) Data export and DSAR process

20.1 Where we provide corresponding functions, users may also submit data protection-related requests, in particular access and export requests, via platform functions or through support.

20.2 We process the identification data, contact data and request-related information required for this in order to review, assign, process and document your request.

20.3 The legal basis is Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR on the basis of our legitimate interests in the proper, timely and secure handling of data protection-related requests.

21) Account deletion and deletion requests

21.1 You may delete your user account by using the "Delete account" function in your profile settings or by contacting us at contact@portfolioreach.com.

21.2 In the event of account deletion, we generally delete or anonymise personal data unless statutory retention obligations, security interests, evidentiary interests or other legitimate reasons prevent immediate complete deletion.

21.3 Public or community-related content may in certain cases be technically or organisationally adjusted, anonymised or removed where this is envisaged by the nature of the function and the specific content.

22) Data retention period

22.1 We store personal data only for as long as this is necessary for the respective purposes of processing.

22.2 Beyond this, we store data only where statutory retention periods exist or where we have legitimate interests in the establishment, exercise or defence of legal claims.

23) Transfers of data to third countries

23.1 In the course of using external service providers, personal data may be transferred to or processed in states outside the European Union or the European Economic Area.

23.2 In such cases, we ensure that appropriate safeguards within the meaning of Art. 44 et seq. GDPR are in place, such as adequacy decisions, standard contractual clauses or comparable protective mechanisms.

23.3 Where a service provider processes data within the European Economic Area or processing outside the EEA takes place only under additional conditions, we take this into account when selecting and contractually engaging the respective provider.

24) Right to object

24.1 If we process your personal data on the basis of our legitimate interests, you have the right to object to this processing at any time with effect for the future on grounds relating to your particular situation.

24.2 If you exercise your right to object, we will stop processing the data concerned unless we can demonstrate compelling legitimate grounds for the processing or the processing serves the establishment, exercise or defence of legal claims.

This translation is provided for user convenience. In the event of discrepancies, the German version shall be used as the reference version.