Privacy Policy

We are very pleased about your interest. Data protection has a particularly high priority for us.

The person responsible for data protection in our company is Peter Esser, UHS Computer.

In principle, using our company's websites is possible without providing any personal data (PD). If you would like to use special services of our company via our website or decide to use the "YourShelf" app, processing of PD may become necessary. If processing of PD is required and there is no legal basis for such processing, we generally obtain your consent.

For the meaning of PD in this declaration, see the definitions of terms below.

The processing of PD, for example the name, address, email address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and in compliance with the country-specific data protection regulations applicable to our company. By means of this privacy policy, we would like to inform you about the type, scope and purpose of the PD we collect, use and process. Furthermore, data subjects are informed about their rights by means of this privacy policy.

As those responsible for processing PD, we have implemented numerous technical and organizational measures to ensure the most comprehensive protection possible of the data collected. Nevertheless, internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit PD to us by alternative means (e.g. by post).

1. Definitions

Our company's privacy policy is based on the definitions used by the European Directive and Regulation Authority when issuing the General Data Protection Regulation (GDPR). To ensure easy readability, we would like to explain the terms used in advance.

We use the following terms in this privacy policy, among others:

    1. Personal Data (PD)

       PD is any information relating to an identified or identifiable living person. A natural person is considered identifiable who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. Various pieces of information that together can lead to the identification of a specific person also constitute PD.

    2. Data Subject

       Data subject is any identified or identifiable natural person whose PD is processed by the controller responsible for processing.

    3. Processing

       Processing is any operation or set of operations performed with or without the aid of automated procedures in connection with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

    4. Restriction of Processing

       Restriction of processing is the marking of stored PD with the aim of limiting their future processing.

    5. Profiling

       Profiling is any form of automated processing of PD that consists of using this data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of this natural person.

    6. Pseudonymization

       Pseudonymization is the processing of PD in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.

    7. Controller or Data Controller

       Controller or data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of PD. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

    8. Processor

       Processor is a natural or legal person, public authority, agency or other body which processes PD on behalf of the controller.

    9. Recipient

       Recipient is a natural or legal person, public authority, agency or another body, to which PD are disclosed, whether a third party or not. However, public authorities which may receive PD in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

    10. Third Party

        Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process PD.

    11. Consent

        Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her PD.

2. Name and Address of the Controller

Controller within the meaning of the GDPR, as well as the applicable data protection laws that develop their legal standard in the country of the controller is:



Website:

https://www.your-shelf.app/

3. Cookies

These websites may use cookies. Cookies are text files that are stored and saved via an internet browser on a computer system. These contain a so-called cookie ID. This ID is a unique identifier of the cookie. It consists of a string of characters through which websites and servers can be assigned to the specific internet browser. This enables the visited websites and servers to distinguish the individual browser of the data subject from other internet browsers that contain other cookies.

Through the use of cookies, UHS Computer can provide users of this website with more user-friendly services. Furthermore, we use cookies that enable an analysis of the surfing behavior of the respective user.

In this way, the following data can be transmitted:

  • Frequency of page views
  • Use of website functions

This user data is pseudonymized through technical precautions. The data is not stored together with other PD of the users.

When our website is accessed, the user is informed about the possible use of cookies for analysis purposes and their consent to the processing of PD used in this context is obtained. In this context, reference is also made to this privacy policy.

The legal basis for processing PD using cookies for analysis purposes is Article 6 Para. 1 lit. a GDPR if the user has given their consent in this regard.

The data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting of the internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in the internet browser used, not all functions of our website may be fully usable.

4. Collection of General Data and Information

The website and the app of the company UHS Computer collect a series of general data and information with each call of the website and during the use of the app. This general data and information is stored in the logfiles of the server.

The following may be collected:

  1. browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system reaches our website (so-called referrer),
  4. the sub-websites that are accessed via an accessing system on our website,
  5. the date and time of access to the website,
  6. the Internet Protocol address (IP address),
  7. the Internet Service Provider of the accessing system and
  8. other similar data and information that serve to prevent dangers in case of attacks on our information technology systems.

When using this data and information, UHS Computer does not draw any conclusions about the data subject.

Rather, this information is needed to

  1. correctly deliver the content of our website and app,
  2. optimize the content of our website and app as well as advertising for them,
  3. ensure the permanent functionality of our information technology systems and the technology of our website and app as well as
  4. provide law enforcement authorities with the information necessary for prosecution in case of a cyber attack.

This anonymously collected data and information is therefore evaluated by the company UHS Computer on the one hand statistically and furthermore with the aim of increasing data protection and data security in our company, in order to also ensure an optimal level of protection for the PD processed by us. The anonymous data of the server logfiles are stored separately from all PD provided by a data subject.

In addition, provided the express permission of the relevant users exists and in compliance with applicable data protection regulations, the following personal data is also collected:

  • IP address of users
  • Email address of users
  • User passwords
  • Username
  • Books read
  • Book reviews
  • Images of books
  • "Follows", which user follows which other user

The processing of PD is carried out based on our legitimate interest to fulfill our contractually agreed services and to optimize our online offering.

The website can also be used without providing information about your person. However, to improve our online offering, we store (without personal reference) your access data to this website. However, to use the app, it is necessary to create a user profile, so that the personal data (see above) can be assigned to a user and the functions of the app can be enabled.

5. SSL Encryption

To protect the security of data during transmission, we use encryption methods (e.g. SSL) via HTTPS that correspond to the current state of technology. Furthermore, the password set by the user is not transmitted to the server and therefore cannot be "read out". Instead, a so-called challenge (a complex mathematical task) is solved by the password on the user's device and only the result of this challenge is transmitted to the server and stored there.

6. Registration in our App

The data subject has the possibility to register via the app of the data controller by providing PD. Which PD is transmitted to the data controller results from the respective input mask used for registration. The PD entered by the data subject is collected and stored exclusively for internal use by the data controller and for its own purposes. The data controller may arrange for the transfer to one or more processors, for example a parcel service provider, who also uses the PD exclusively for internal use attributable to the data controller.

Through registration via the app of the data controller, the IP address assigned by the Internet Service Provider (ISP) of the data subject, the date and the time of registration are also stored. The storage of this data takes place against the background that this is the only way to prevent misuse of our services, and this data enables the investigation of crimes committed if necessary. In this respect, the storage of this data is necessary to secure the data controller. This data is generally not passed on to third parties, unless there is a legal obligation to pass it on or the transfer serves law enforcement purposes.

The registration of the data subject with voluntary provision of PD serves the data controller to offer the data subject content or services that can only be offered to registered users due to the nature of the matter. Registered persons are free to change the PD provided during registration at any time or to have it completely deleted from the data stock of the data controller.

The data controller provides each data subject at any time upon request with information about which PD is stored about the data subject. Furthermore, the data controller corrects or deletes PD at the request or indication of the data subject, insofar as no statutory retention obligations conflict with this. All employees of the data controller are available to the data subject as contact persons in this context.

7. Contact Possibility

Both the website and the app contain information required by law that enables quick electronic contact with our company as well as direct communication with us, including an email address.

8. Cover Upload, Comment Functions and Writing Book Reviews

The YourShelf app offers users the opportunity to leave individual comments on individual user-generated posts. This includes writing reviews of books. Furthermore, app users can upload images of books to improve the "User Experience" (user experience during app usage).

If a data subject leaves a comment, an image or a review via the app, in addition to the texts or images left by the data subject, information about the time of entry as well as the username (pseudonym) chosen by the data subject is stored and published. The publication can be restricted to certain user groups in the app settings. Furthermore, the IP address assigned by the Internet Service Provider (ISP) of the data subject is also logged. This storage of the IP address takes place for security reasons and in case the data subject violates the rights of third parties or posts illegal content through a post. The storage of this PD therefore takes place in the own interest of the controller responsible for processing, so that the controller can defend itself in case of a legal violation if necessary. There is no transfer of this collected data to third parties, unless such transfer is legally required or serves the legal defense of the controller responsible for processing.

9. Subscription to Updates in the App

In principle, the app offers the possibility to be notified about new comments, posts or other user-related events (such as a new following user). The functions of the corresponding mobile device providers are used for this purpose and their applicable privacy policies and terms of use apply.

10. Routine Deletion and Blocking of PD

The controller responsible for processing processes and stores PD of the data subject only for the period required to achieve the storage purpose or as provided by the European Directive and Regulation Authority or another legislator in laws or regulations to which the controller responsible for processing is subject.

If the storage purpose ceases to apply or if a storage period prescribed by the European Directive and Regulation Authority or another competent legislator expires, the personal data is routinely blocked or deleted in accordance with legal provisions.

11. Rights of the Data Subject

1) Right to Confirmation

Every data subject has the right granted by the European Directive and Regulation Authority to request confirmation from the controller responsible for processing whether PD concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they can contact an employee of the controller responsible for processing at any time (see contact options mentioned above).

2) Right to Information

Every person affected by the processing of PD has the right granted by the European Directive and Regulation Authority to receive free information at any time from the controller responsible for processing about the personal data stored concerning their person and a copy of this information. Furthermore, the European Directive and Regulation Authority has granted the data subject information about the following:

  • the processing purposes
  • the types of PD being processed
  • the recipients or categories of recipients to whom the PD have been or will be disclosed, particularly recipients in third countries or international organizations
  • if possible, the planned duration for which the PD will be stored, or if this is not possible, the criteria for determining this duration
  • the existence of a Right of Correction or erasure of PD concerning them or to restriction of processing by the controller or a right to object to such processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • if the PD was not collected from the data subject: All available information about the origin of the data
  • the existence of automated decision-making including profiling according to Article 22 Para. 1 and 4 GDPR and — at least in these cases — meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject

Furthermore, the data subject has the right to information about whether PD has been transmitted to a third country or an international organization. If this is the case, the data subject also has the right to information about the appropriate safeguards in connection with the transmission. If a data subject wishes to exercise this right to information, they can contact an employee of the controller responsible for processing at any time.

3) Right of Correction

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to request immediate rectification of incorrect PD concerning them. Furthermore, the data subject has the right to request completion of incomplete PD - including by means of a supplementary statement - taking into account the purposes of the processing. If a data subject wishes to exercise this Right of Correction, they can contact an employee of the controller responsible for processing at any time.

4) Right to Erasure (Right to be Forgotten)

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to request that the controller delete the PD concerning them immediately, provided that one of the following reasons applies and the processing is not necessary:

  • The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
  • The data subject has died or been declared incapacitated and the estate administrators, heirs or guardians request the deletion of the data.
  • The data subject withdraws their consent on which the processing was based according to Art. 6 Para. 1 Letter a GDPR or Art. 9 Para. 2 Letter a GDPR, and there is no other legal basis for the processing.
  • The data subject objects to the processing according to Art. 21 Para. 1 GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing according to Art. 21 Para. 2 GDPR.
  • The personal data has been processed unlawfully.
  • The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • The personal data was collected in relation to information society services offered according to Art. 8 Para. 1 GDPR.

If one of the above reasons applies and a data subject wishes to arrange for the deletion of PD stored at UHS Computer, they can contact an employee of the controller responsible for processing at any time. The employee will ensure that the deletion request is complied with immediately.

5) Right to Restriction of Processing

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to request that the controller restrict the processing when one of the following conditions is met:

  • The accuracy of the PD is disputed by the data subject, for a period that enables the controller to verify the accuracy of the personal data.
  • The processing is unlawful, the data subject refuses the deletion of the PD and instead requests the restriction of the use of the personal data.
  • The controller no longer needs the PD for the purposes of processing, but the data subject needs them for the assertion, exercise or defense of legal claims.
  • The data subject has objected to the processing according to Art. 21 Para. 1 GDPR and it is not yet established whether the legitimate reasons of the controller outweigh those of the data subject.

If one of the above conditions is met and a data subject wishes to request the restriction of PD stored at UHS Computer, they can contact an employee of the controller responsible for processing at any time. The employee of UHS Computer will arrange for the restriction of processing.

6) Right to Data Portability

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to receive the PD concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the PD was provided, provided that the processing is based on consent according to Art. 6 Para. 1 Letter a GDPR or Art. 9 Para. 2 Letter a GDPR or on a contract according to Art. 6 Para. 1 Letter b GDPR and the processing is carried out using automated procedures, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, when exercising their right to data portability according to Art. 20 Para. 1 GDPR, the data subject has the right to have the PD transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others. To assert the right to data portability, the data subject can contact an employee of UHS Computer at any time.

7) Right to Object

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to object at any time, on grounds relating to their particular situation, to the processing of PD concerning them which is based on Art. 6 Para. 1 Letters e or f GDPR. This also applies to profiling based on these provisions. UHS Computer will no longer process the PD in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing serves the assertion, exercise or defense of legal claims. If UHS Computer processes PD for direct marketing purposes, the data subject has the right to object at any time to the processing of PD for the purpose of such marketing. This also applies to profiling insofar as it is connected with such direct marketing.

If the data subject objects to UHS Computer's processing for direct marketing purposes, UHS Computer will no longer process the PD for these purposes. In addition, the data subject has the right to object, on grounds relating to their particular situation, to the processing of PD concerning them that takes place at UHS Computer for scientific or historical research purposes or statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest. To exercise the right to object, the data subject may contact any employee of UHS Computer directly. The data subject is also free to exercise their right to object through automated means using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

8) Automated Decisions in Individual Cases, Including Profiling

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them, provided that the decision

  1. is not necessary for entering into, or performance of, a contract between the data subject and the data controller, or
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
  3. is based on the data subject's explicit consent.

If the decision

  1. is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or
  2. is based on the data subject's explicit consent,

UHS Computer implements suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision. If the data subject wishes to exercise rights regarding automated decisions, they may contact an employee of the data controller at any time.

9) Right to Withdraw Data Protection Consent

Every data subject affected by the processing of PD has the right granted by the European Directive and Regulation Authority to withdraw consent to the processing of PD at any time. If the data subject wishes to exercise their right to withdraw consent, they may contact an employee of the data controller at any time.

12. Legal Basis for Processing

Art. 6 I lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If processing of PD is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, then the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d GDPR. Finally, processing operations could be based on Article 6 I lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

13. Legitimate Interests Pursued by the Controller or a Third Party

Where the processing of PD is based on Article 6 I lit. f GDPR our legitimate interest is the carrying out of our business in favour of the well-being of all our employees and our shareholders.

14. Purpose of Data Processing

The "YourShelf" app and the associated website, operated by UHS Computer, collect and process PD for various purposes. The collected data serves to provide the functions of the app, generate personalized recommendations and ensure the legal protection of the company.

  1. Identification and networking of users: To use the app, registration is required. This involves capturing the username, email address and password of a data subject. This data serves to identify the user and enables networking with other users to facilitate the exchange of book recommendations and reviews.
  2. Personalized book recommendations: By capturing reviews consisting of a star rating and text, we can generate personalized book recommendations. These are based on the individual preferences of the user as well as the ratings of other users. The processing of this data enables us to suggest books to the user that might correspond to their reading interests.
  3. Book cover upload function: Users optionally have the possibility to upload book cover images to facilitate the identification of books read. These images can be viewed by all users. The processing of these images serves exclusively the purpose of displaying a visual book cover in the presentation and improving the user experience.
  4. Legal protection: For the legal protection of UHS Computer, the IP addresses of users who upload reviews, comments or images are stored. This serves to protect against possible legal violations through user uploads. The IP addresses are stored for a period required by applicable laws.
  5. Contact possibility with the data subject: So that important information and verification of the account is possible, automated emails are sent to the email address of the data subject.

The PD is stored as long as the user has an active account. After account deletion, the reviews are anonymized so that no conclusions about the user are possible anymore. The IP addresses are deleted according to legal requirements and to ensure legal protection and may possibly be deleted later.

15. Legal or contractual provisions for providing personal data; necessity for contract conclusion; obligation of the data subject to provide personal data; possible consequences of non-provision

We clarify that the provision of PD is partly legally required (e.g. tax regulations) or may also result from contractual arrangements (e.g. information about the contracting party). Sometimes it may be necessary for a contract conclusion that a data subject provides us with PD, which must subsequently be processed by us. The data subject is, for example, obligated to provide us with PD when our company concludes a contract with them. Failure to provide the PD would mean that the contract with the data subject could not be concluded. Before providing PD, the data subject must contact one of our employees. Our employee informs the data subject on a case-by-case basis about whether the provision of personal data is legally or contractually required or necessary for the contract conclusion, whether there is an obligation to provide the personal data, and what consequences the non-provision of personal data would have.

16. Transmission of Data to Third Parties

In the context of operating the "YourShelf" app and storing data in the Microsoft Azure Cloud, certain data may be transmitted to third parties. Please note that separate legal agreements or privacy policies may apply to these transmissions.

  • Microsoft Azure: The infrastructure of the app is operated in the Microsoft Azure Cloud, whereby the data is transmitted to Microsoft. However, no contract has been concluded that permits Microsoft to process this data. Azure does not pass on your data to advertising-financed services and does not conduct data mining for market research or advertising purposes. Your data is only processed with your consent and exclusively used to provide the services you have chosen. Azure may commission contractual partners or subprocessors who need access to your data. These partners are contractually obligated to only perform the functions commissioned by Microsoft and to be subject to the same contractual data protection provisions that Microsoft maintains towards you.

  • Transmission through mobile devices: Since the app is operated on mobile devices, log data and other information may be transmitted by device manufacturers. This is outside our sphere of influence, as the transmission of data through mobile devices is subject to the data protection policies of the respective manufacturers. However, PD is not logged in log outputs, so only UHS Computer, which has this data and access to internal databases, is able to associate log data with users.

  • Twilio Inc.: YourShelf sends automated emails to the data subject. This function is provided and executed through third parties (namely Twilio Inc. with the product SendGrid). For this purpose, the contents of the emails (including the username of the data subject) and the email address are transmitted to Twilio Inc.

It is important to note that we have no control over the data protection practices of third parties, including Microsoft, Twilio Inc. and mobile device manufacturers. However, we have taken appropriate measures to ensure that data transmission to third parties is carried out in accordance with applicable data protection laws.

17. Existence of Automated Decision-Making

As a responsible company, we refrain from automatic decision-making or profiling.