Privacy statement

Germany

1. Introduction

In the following, we provide information about the processing of personal data when using

our website www.baobab.io
our social media profiles
as part of the insurance purchase and management process

Personal data is all data that can be related to a specific natural person, such as their name or IP address.

1.1. contact details

The controller in accordance with Article 4 (7) of the EU General Data Protection Regulation (GDPR) is Baobab Insurance GmbH, Jägerstraße 27, 10117 Berlin, Germany, e-mail: contact@baobab.io. We are legally represented by Vincenz Klemm, Anton Foth.
‍
Our data protection officer is HeyData GmbH, Kantstr. 99, 10627 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

1.2. Scope of data processing, processing purposes and legal bases

The scope of data processing, processing purposes and legal bases is set out in detail below. In principle, the following can be considered as the legal basis for data processing:

Article 6 (1) (1) (a) GDPR serves us as the legal basis for processing operations for which we obtain consent.
Art. 6 (1) (b) GDPR is the legal basis insofar as the processing of personal data is necessary to fulfill a contract, e.g. when a site visitor purchases a product from us or we perform a service for him. This legal basis also applies to processing that is necessary for pre-contractual measures, such as inquiries about our products or services.
Art. 6 (1) (c) GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, in tax law.
Article 6 (1) (f) GDPR serves as the legal basis if we can rely on legitimate interests to process personal data, e.g. for cookies that are necessary for the technical operation of our website.

1.3. Data processing outside the EEA

Insofar as we transfer data to service providers or other third parties outside the EEA, the security of the data when transferred, where available (e.g. for Great Britain, Canada and Israel), guarantees the security of the data (Art. 45 (3) GDPR).
‍
If there is no adequacy decision (e.g. for the USA), the legal basis for the transfer of data is usually standard contractual clauses, i.e. unless we provide otherwise. These are rules adopted by the EU Commission and are part of the contract with the respective third party. In accordance with Article 46 (2) (b) GDPR, they guarantee the security of data transfer. Many of the providers have provided contractual guarantees that go beyond the standard contractual clauses, which protect the data beyond the standard contractual clauses. These include, for example, guarantees with regard to the encryption of data or with regard to an obligation on the part of a third party to notify data subjects when law enforcement agencies want to access data.

1.4. Storage period

Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its purpose and the deletion does not conflict with any legal storage requirements. If the data is not deleted because it is necessary for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that we must store for commercial or tax reasons.

1.5. Rights of those affected

Data subjects have the following rights vis-à-vis us with regard to personal data concerning them:

right to information,
right to correction or deletion,
right to restrict processing,
right to object to processing,
right to data portability,
Right to withdraw consent at any time.

Data subjects also have the right to complain to a data protection supervisory authority about the processing of their personal data. Contact details of data protection supervisory authorities are available at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.

1.6. Obligation to provide data

As part of a business relationship or other relationship, customers, interested parties or third parties must only provide us with the personal data that is necessary to establish, carry out and end the business relationship or for the other relationship or which we are legally obliged to collect. Without this data, we will usually have to refuse to conclude a contract or provide a service or will no longer be able to carry out an existing contract or other relationship.
‍
Mandatory information is marked as such.

1.7. No automatic decision-making in individual cases

In principle, we do not use fully automated decision-making in accordance with Article 22 GDPR to establish and carry out a business relationship or other relationship. Should we use these procedures in individual cases, we will inform you of this separately, provided this is required by law.

1.8. contacting

When you contact us, e.g. by e-mail or telephone, the data provided to us (e.g. names and e-mail addresses) is stored by us in order to answer questions. The legal basis for processing is our legitimate interest (Art. 6 (1) (f) GDPR) to answer inquiries addressed to us. We delete the data arising in this context after storage is no longer necessary, or restrict processing if there are legal storage obligations.

1.9. customer surveys

From time to time, we conduct customer surveys to get to know our customers and their needs better. In doing so, we collect the data requested in each case. It is our legitimate interest to get to know our customers and their wishes better, so that the legal basis for the associated data processing is Art. 6 (1) (f) GDPR. We delete the data when the results of the surveys have been evaluated.

2nd newsletter

We reserve the right to inform customers who have already used our services or bought goods about our offers from time to time by e-mail or other means electronically, if they have not objected to this. The legal basis for this data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in direct marketing (recital 47 GDPR). Customers can object to the use of their email address for advertising purposes at any time at no additional cost, for example via the link at the end of each email or by sending an email to our email address mentioned above.

Interested parties have the option of subscribing to a free newsletter. We process the data provided when registering exclusively for sending the newsletter. Registration is made by selecting the appropriate field on our website, by ticking the corresponding field in a paper document or by taking another clear action, by which interested parties give their consent to the processing of their data, so that the legal basis is Art. 6 (1) (a) GDPR. The consent can be withdrawn at any time, e.g. by clicking on the corresponding link in the newsletter or sending a message to our e-mail address provided above. The processing of data until revocation remains lawful even in the event of a revocation.

Based on the consent of recipients (Art. 6 (1) (a) GDPR), we also measure the opening and click rate of our newsletters in order to understand which content is relevant to our recipients.

We send newsletters using the Mailchimp tool from Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (privacy policy: https://mailchimp.com/legal/privacy/). The provider processes content, usage, meta/communication data and contact data in the USA.

3. Data processing on our website

3.1. Informational use of the website

When using the website for informational purposes, i.e. when site visitors do not provide us with separate information, we collect the personal data that the browser transmits to our server to ensure the stability and security of our website. This is our legitimate interest, so that the legal basis is Art. 6 (1) (f) GDPR.
‍
This data is:

IP address
Date and time of request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Each amount of data transferred
Website from which the request comes
browsers
Operating system and its interface
language and version of the browser software.

This data is also stored in log files. They are deleted when they are no longer required to be stored, at the latest after 14 days.

3.2. Web hosting and website delivery

Our website hosts Webflow. The provider is Webflow, Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact data, in the USA. Further information can be found in the provider's privacy policy at https://webflow.com/legal/eu-privacy-policy.
‍
It is our legitimate interest to provide a website, so that the legal basis for the described data processing is Art. 6 (1) (f) GDPR.
‍
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.
‍
We use a content delivery network to help make our website available. The provider is Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA, (privacy policy: https://aws.amazon.com/de/privacy/?nc1=f_pr). In doing so, the provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact data. It is our legitimate interest to provide a website, so the legal basis for data processing is Art. 6 (1) (f) GDPR.

3.3. job advertisements

We publish jobs that are vacant in our company on our website, on pages connected to the website, or on third-party websites.
‍
The data provided as part of the application process is processed to carry out the application process. Insofar as these are necessary for our decision to establish an employment relationship, the legal basis is Article 88 (1) GDPR in conjunction with Section 26 (1) BDSG. We have marked the data required to carry out the application process accordingly or refer to them. If applicants do not provide this information, we will not be able to process the application.
‍
Further data is voluntary and not required for an application. If applicants provide further information, the basis is their consent (Art. 6 (1) (a) GDPR).
‍
We ask applicants to refrain from including political opinions, religious beliefs and similarly sensitive data in their curriculum vitae and cover letter. They are not required to apply. If applicants nevertheless provide appropriate information, we cannot prevent their processing as part of processing the resume or cover letter. Your processing is then also based on the consent of the applicants (Art. 9 para. 2 lit. a GDPR).
‍
Finally, we process applicants' data for further application processes if they have given us their consent to do so. In this case, the legal basis is Art. 6 (1) (a) GDPR.
We pass on the applicants' data to the responsible personnel department, to our contract processors in the area of recruiting and to the other employees involved in the application process.
‍
If we enter into an employment relationship with the applicant following the application process, we will only delete the data after the employment relationship has ended. Otherwise, we will delete the data no later than six months after an applicant has been rejected.
If applicants have given us their consent to also use their data for further application processes, we will only delete their data one year after receipt of the application.

3.4. Interest in our services/registration

Interested parties can open a customer account on our website or, as long as our offer is still being prepared, make a preliminary request for a customer account.
‍
In doing so, we process the email address of end customers as users. With regard to brokers as users, we also process the following data:

undertakings
name
Business email address
phone number
address
town
ZIP

The data is processed to fulfill the respective user contract concluded via the account, so that the legal basis for processing is Art. 6 (1) (b) GDPR. Insofar as our offer is still in preparation, processing is carried out to prepare a corresponding contract with the user.
‍
In this context, we contact customers to discuss the conclusion or execution of a contract. We have a legitimate interest in responding to user inquiries. The legal basis is Art. 6 (1) (f) GDPR. Based on our legitimate interest in improving our email communication, we process the opening and click rates of emails.

3.5. Payment service provider

To process payments, we use payment processors who are themselves responsible for data protection within the meaning of Art. 4 No. 7 GDPR. Insofar as they receive data and payment data entered by us during the ordering process, we thus fulfill the contract concluded with our customers (Art. 6 (1) (b) GDPR).
‍
These payment service providers are:

Klarna Bank AB (publ), Sweden (“Klarna Sofort”)
Mastercard Europe SA, Belgium
Visa Europe Services Inc., Great Britain

3.6. third party

3.6.1. Weglot

We use Weglot for translations. The provider is Weglot, 138, rue Pierre Joigneaux in BOIS-COLOMBES (92270), France. The provider processes meta/communication data (e.g. device information, IP addresses) in the EU.
‍
The legal basis for processing is Art. 6 (1) (f) GDPR. We have a legitimate interest in automatically translating information on our website.
‍
The data will be deleted when the purpose of its collection no longer applies and there is no obligation to store it. Further information is available in the provider's privacy policy at https://weglot.com/de/privacy/ retrievable.

3.6.2. Google reCAPTCHA

We use Google reCAPTCHA to manage authentications. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍
The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.
‍
The legal basis for transfer to a country outside the EEA is consent.
‍
Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de retrievable.

3.6.3. MailChimp

We use Mailchimp for email marketing and email management. The provider is Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. The provider processes usage data (e.g. websites visited, interest in content, access times), contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) in the USA.
‍
The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.
‍
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.
‍
The data will be deleted when the purpose of its collection no longer applies and there are no storage obligations. Further information is available in the provider's privacy policy at https://mailchimp.com/legal/privacy/ retrievable.

3.6.4. Google Analytics

We use Google Analytics for analysis. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍
The legal basis for processing is Art. 6 (1) (a) GDPR. Processing is based on consent. Data subjects can withdraw their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of processing up to the revocation.
‍
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the audit procedure in accordance with Article 93 (2) GDPR (Article 46 (2) lit. c GDPR), which we have agreed with the provider.
‍
The data will be deleted when the purpose of its collection no longer applies and there is no obligation to store it. Further information is available in the provider's privacy policy at https://policies.google.com/privacy?hl=de retrievable.

4. Data processing on social media platforms

We are represented on social media networks to present our company and our services. The operators of these networks regularly process their users' data for advertising purposes. Among other things, they create user profiles from their online behavior, which are used, for example, to show advertising on network sites and elsewhere on the Internet that meets the interests of users. For this purpose, network operators store information on usage behavior in cookies on the user's computer. In addition, it cannot be ruled out that operators may combine this information with other data. Users can obtain further information and advice on how users can object to processing by the site operators in the data protection declarations of the respective operators listed below. It may also be that the operators or their servers are located in non-EU countries so that they process data there. This can result in risks for users, for example because it is difficult to enforce their rights or because government agencies gain access to the data.
‍
When users of the networks contact us via our profiles, we process the data provided to us in order to answer the inquiries. This is our legitimate interest, so that the legal basis is Article 6 (1) (f) GDPR.

4.1. Linkedin

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://https://www.linkedin.com/legal/privacy-policy?_l=de_DE.

One way to object to data processing is through the settings for advertisements: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

5. Data processing in connection with insurance

As a German MGA, Baobab sells and manages insurance products and related services for one or more insurance companies with permission in accordance with §34 d GewO (also known as “underwriter”). Within the framework of the agreements and powers of attorney concluded with insurance companies, Baobab's tasks include, in particular, issuing the insurance policy and collecting premiums. However, the insurance company named in the insurance policy always remains the risk carrier and service provider in the event of a claim.
‍
For this purpose, information, including personal data, is shared between the various parties involved during the term of the insurance contract.
‍
To explain the terms used in this privacy policy, the following is a description of the functions and tasks of the most important Parties to the execution of the insurance contract:

Policyholders apply for insurance coverage against risks that may affect them. To take out insurance, they can contact an intermediary or contact an insurer directly or via a price comparison website.
Intermediaries help policyholders and insurers arrange insurance coverage. They can offer advice and handle claims. Many insurance and reinsurance contracts are concluded through intermediaries.
Insurers offer insurance coverage to policyholders against payment of a contribution (insurance premium).
Reinsurers provide insurance coverage for another insurer or reinsurer. This insurance is known as reinsurance.

During the insurance contract, Baobab receives personal data from:

representatives of buying companies, applicants and other third parties involved in an application. Therefore, references to “persons” in this privacy statement include all of the above living individuals from whom Baobab receives personal information in connection with the services it provides to its customers. This privacy statement explains how Baobab uses and shares this personal information with other insurance market participants and other third parties.

In certain cases and for the purpose of providing certain services, Baobab and the customer agree that Baobab acts as a data processor. When Baobab acts as a data processor, it fulfills the obligations contained in the respective agreement concluded with its customers.
‍
Baobab collects and processes the following personal data:

Personally
Information Name, other contact information (such as email address and telephone number), employer, job title, relationship with the policyholder or applicant
identification
Data Identification numbers issued by governments or agencies
Financial data
Card number and bank details, income and other financial information
Police
Data Information about insurance offers and policies created
Anti-fraud and sanctions data
Information about fraud convictions, criminal charges, and details of penalties or sanctions from various fraud prevention and sanctions databases or from regulatory or law enforcement agencies
History of claims
Information that may also include personal data
Current Claims
Information that may also include personal data
commercialization
Information about whether the individual has consented to receive marketing communications from Baobab and third parties

If Baobab collects such information directly from individuals, we will let them know whether it is necessary to provide this information and what the consequences are if they do not provide it on the appropriate form.
‍
Baobab collects personal information from a variety of sources, including but not limited to (depending on your country of residence):

Individuals (buyer company representatives or third parties) — online, by telephone or in written communications
For insurance claims from third parties, including the other party (claimant or plaintiff/
accused), experts, lawyers and claims adjusters
Other insurance participants, such as insurers, reinsurers and other intermediaries
Anti-fraud databases and other third-party databases, including sanctions lists
authorities
Application/application forms

This section describes the purposes for which personal data is used, how this data is shared and what legal bases we rely on to process the data.
‍
These legal bases are set out in the General Data Protection Regulation (GDPR), which states that companies may only process personal data if processing is permitted in accordance with the specific legal bases set out in the regulation. The full description of the individual legal bases can be found in the table below.
‍
Please note that Baobab shares personal information with service providers, contractors, subcontractors, and members for the purposes set out in this Privacy Policy, except as set out in the table below:

‍

Zweck der Verarbeitung	Rechtsgrundlage	Weitergabe
1. Verwaltung
Allgemeine Kundenbetreuung, einschließlich Kommunikation mit Kunden	- Erfüllung des Vertrags mit dem Kunden - Berechtigte Interessen von Baobab (Kommunikation mit Kunden, Begünstigten und Antragstellern zur Erleichterung der Vermittlung von Versicherungen und der Bearbeitung von Ansprüchen aus Versicherungsverträgen)	- Versicherungsvermittler
Einziehung oder Erstattung von Versicherungsprämien, Auszahlung von Versicherungsleistungen	- Erfüllung des Vertrags mit dem Kunden - Berechtigte Interessen von Baobab (zur Einziehung von Forderungen oder geschuldeten Beträgen)	- Versicherungsunternehmen - Banken - Inkassodienstleister - Versicherungsvermittler
2. Bearbeitung von Versicherungsansprüchen
Bearbeitung von Versicherungsansprüchen	- Erfüllung des Vertrags mit dem Kunden - Berechtigte Interessen von Baobab (Kommunikation mit Kunden, Begünstigten und Antragstellern zur Erleichterung der Vermittlung von Versicherungen und der Bearbeitung von Ansprüchen aus Versicherungsverträgen)	- Versicherer - Schadensregulierer - Rechtsanwälte - Sachverständige - Versicherungsvermittler - Dritte, die an der Bearbeitung oder sonstigen Erledigung des Versicherungsfalls beteiligt sind
Untersuchung und Verfolgung von Betrug oder jeder anderen Art von Rechtsverteidigung	- Erfüllung des Vertrags mit dem Kunden - Berechtigte Interessen von Baobab (zur Unterstützung bei der Betrugsverhütung und -aufdeckung)	- Versicherer - Anwälte - Polizei - Experte - Betrugsbekämpfungsdatenbanken - Dritte, die an den Ermittlungen oder der Strafverfolgung beteiligt sind, wie z. B.Privatdetektive/Ermittler
3. Verlängerung des Versicherungsvertrags (Erneuerung)
Kontaktaufnahme mit dem Kunden, um die Verlängerung des Versicherungsvertrags zu organisieren	- Erfüllung des Vertrags mit dem Kunden - Berechtigte Interessen von Baobab (Kommunikation mit Kunden, Begünstigten und Antragstellern zur Erleichterung der Vermittlung von Versicherungen und der Bearbeitung von Ansprüchen aus Versicherungsverträgen)	- Versicherer - Versicherungsvermittler
4. Während des gesamten Versicherungslebenszyklus
Marketing-Analytik und Direktmarketing, einschließlich Datenanonymisierung	- Berechtigte Interessen von Baobab (um den Kunden entsprechende Angebote zu machen) - Wenn eine Beziehung zu der Person besteht, Einwilligung der betroffenen Person	- Versicherer - Verbundene Unternehmen
Übertragung von Geschäftsbüchern, Verkauf und Umstrukturierung von Unternehmen	- Berechtigte Interessen von Baobab (zur angemessenen Strukturierung des Unternehmens) - Berechtigte Interessen von Baobab (zur Erstellung von Risikomodellen, um Risiken bei geeigneten Versicherern zu platzieren)	- Verbundene Unternehmen - Käufer (potenzieller und tatsächlicher Käufer)
Allgemeine Risikomodelle	- Berechtigte Interessen von Baobab (zur Erstellung von Risikomodellen, um Risiken bei geeigneten Versicherern zu platzieren)
Einhaltung rechtlicher oder regulatorischer Verpflichtungen	- Erfüllung einer rechtlichen Verpflichtung	- Versicherungs-, Datenschutz- und andere Aufsichtsbehörden - Polizei - Versicherer

‍

In order to facilitate the provision of insurance coverage and the processing of insurance claims, Baobab relies on the consent of the data subject to process special categories of personal data, including but not limited to contact details. This consent allows Baobab to transfer the data to insurers, other intermediaries and reinsurers who need the data to perform their duties under the insurance contract. The consent of the data subject to the processing of special categories of personal data is a necessary condition for Baobab to be able to provide the services requested by the customer. If Baobab receives information about someone else, you agree to inform that third party about our use of their personal information and obtain their consent for us.
‍
Individuals can withdraw their consent to this processing at any time. However, as a result, Baobab is no longer able to provide the services to the customer in question. If an individual withdraws their consent to the processing of special categories of personal data by an insurer or reinsurer, further coverage may no longer be possible.
‍
Baobab has appropriate physical, electronic, and procedural security measures to protect the data managed by Baobab. These security measures depend on factors such as confidentiality, format, location, volume, distribution, and storage of personal information and include measures to protect personal information from unauthorized access by third parties. Where applicable, these security measures include encrypting communications via SSL, encrypting data at rest, firewalls, access controls, segregation of duties, and similar security protocols. Baobab limits access to personal data to those employees and third parties who have a legitimate and relevant business reason for accessing that data.
‍
Baobab collects, uses, discloses, and processes personal information for the purposes set out in this Privacy Policy or as permitted by law. If Baobab requests personal information for a purpose that is incompatible with the purposes set out in this privacy policy, customers will be notified of the new purpose and, where appropriate, consent will be obtained from individuals to process personal data for the new purpose or for new purposes (or third parties will be asked to obtain consent on Baobab's behalf).
‍
Baobab's retention periods for personal data are based on business requirements and legal requirements. Baobab keeps personal data for as long as is necessary or required by law for the purpose (s) of the processing for which the data was collected and for other permitted, related purposes. For example, Baobab may retain certain transaction data and communications until a claim relating to those transactions expires or to comply with legal or regulatory requirements regarding the retention of that data. When personal data is no longer required.

6. Changes to this privacy statement

We reserve the right to change this privacy policy with effect for the future. A current version is always available here.

7. Questions and comments

If you have any questions or comments regarding this privacy policy, please use the contact details provided above.