Version 1.0 - 31.05.2025
In the following privacy policy, visiting the website mybuypal.com, as well as the use of services on the website mybuypal.com, including web application, browser extensions, and mobile iOS and Android applications (once you download them to your mobile device), and services accessible through the above-mentioned applications, are described as the "buyPal" service. This privacy policy refers to "buyPal". It informs you about the reason and scope of the collection and processing of your personal data when you use "buyPal".
Personal data is any data that can personally identify you. If you have questions, wishes, or problems regarding your personal data, please contact our data protection officer at datenschutz@mybuypal.com.
The controller for the collection and processing of your personal data in accordance with the EU General Data Protection Regulation ("GDPR") is:
Lumiflow UG (limited liability)
Hauptstraße 10/1
74232 Abstatt
HRB 798642 (AG Stuttgart)
If you have given us consent to process your personal data for one or more specific purposes, this data will be processed in accordance with Art. 6 (1) lit. a GDPR. You can revoke your consent at any time, for example by clearing your browser cache. However, please note that processing that took place before the revocation of consent remains effective.
For more information, please see our Cookie Policy.
Use of AI/LLM (ChatGPT) for Data Extraction and Customer Communication: We use AI-based models (Large Language Models - LLM) from OpenAI (ChatGPT) for various purposes:
We have configured the LLM so that transmitted data is not used for training the algorithm. The use of ChatGPT is based on our legitimate interest according to Art. 6 (1) lit. f GDPR (for efficient data processing and customer communication) and, if appropriate consent has been requested (e.g., for chat usage), on the basis of Art. 6 (1) lit. a GDPR. The provider is OpenAI, 3180 18th St, San Francisco, CA 94110, USA, https://openai.com. For more information about data processing by OpenAI, please visit: https://openai.com/policies/privacy-policy. We have concluded a data processing agreement (DPA) for the use of the service. This is a contract required by data protection law that ensures that this party processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.
Website Visit: When you visit our website, we may automatically collect some personal data from your device. This information may include: your IP address, date and time of the request, browser language and version, operating system version or manufacturer, information about your device, and some data about how you interact with our website (e.g., which website you came from, pages visited, links clicked). We do this to ensure the security of our website and to understand who visits it and which pages are found interesting, so we can improve the website and provide relevant content. Some of this data is collected using cookies. For more information, please see our Cookie Policy.
Analytics: We process the personal data you provide to us, as well as data created due to your use of our application, for analysis purposes. For example, we analyze how you interact with the app to make it more intuitive and easier for you to use, or to understand whether our products and services are tailored to your needs, so we can make changes and develop new products and services. In this case, the data is stripped of direct identifiers to provide an additional layer of protection.
Newsletter: From time to time, we will contact you to inform you about improvements and extensions of "buyPal" that we believe may be of interest to you. This type of activity is considered direct marketing, and in this case, we rely on your consent or our legitimate interest to process your personal data for this purpose. If you wish to revoke your consent or object to this processing, you can disable notifications in your app preferences or click the "Unsubscribe" link at the end of the email you receive from us.
To provide you with certain features and services, we must share your personal data with partners and external third-party providers. They process your personal data only on the basis of data processing agreements and in accordance with strict instructions that do not allow them to use your data for other purposes without notifying you or asking for your consent. Here are the parties with whom we may share your data:
Hostinger
Provider is HOSTINGER operations, UAB Švitrigailos str. 34, Vilnius 03230 Lithuania. When you visit our website, Hostinger collects various log files including your IP addresses. For more information, please see Hostinger's privacy policy: https://www.hostinger.com/de/legal/datenschutz-bestimmungen. The use of Hostinger is based on Art. 6 (1) lit. f GDPR. We have a legitimate interest in the most reliable presentation of our website. If appropriate consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.
Data Processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law that ensures that this party processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.
Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, duration of stay, operating systems used, and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the website visitor. Furthermore, we can record your mouse and scroll movements and clicks with Google Analytics. Google Analytics also uses various modeling approaches to supplement the collected data sets and employs machine learning technologies in data analysis. Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is usually transmitted to a Google server in the USA and stored there. The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/. The company has certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that ensures compliance with European data protection standards for data processing in the USA. Each company certified under the DPF commits to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
Google Ads
The website operator uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads allows us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Google (e.g., location data and interests) (target group targeting). As a website operator, we can evaluate this data quantitatively, for example by analyzing which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks. The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/. The company has certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that ensures compliance with European data protection standards for data processing in the USA. Each company certified under the DPF commits to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
Google Ads Remarketing
This website uses the functions of Google Ads Remarketing. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. With Google Ads Remarketing, we can assign people who interact with our online offering to specific target groups, to subsequently show them interest-based advertising in the Google advertising network (remarketing or retargeting). Furthermore, the advertising target groups created with Google Ads Remarketing can be linked with Google's cross-device functions. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g., mobile phone) can also be displayed on another of your devices (e.g., tablet or PC). If you have a Google account, you can object to personalized advertising at the following link: https://adssettings.google.com/anonymous?hl=de. The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time. Further information and the privacy policy can be found in Google's privacy policy at: https://policies.google.com/technologies/ads?hl=de. The company has certification under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that ensures compliance with European data protection standards for data processing in the USA. Each company certified under the DPF commits to comply with these data protection standards. For more information, please contact the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
Target Group Formation with Customer Matching
For target group formation, we use, among other things, the customer matching of Google Ads Remarketing. Here, we transmit certain customer data (e.g., email addresses) from our customer lists to Google. If the relevant customers are Google users and logged into their Google account, they will be shown matching advertising messages within the Google network (e.g., on YouTube, Gmail, or in the search engine).
"buyPal" stores and processes your data in the European Union (EU), specifically in Germany. However, we cannot offer all our services alone. Some of the above-mentioned partners, service providers, or other parties may process the data in countries outside the EU or EEA. This also includes the processing of data by LLM providers such as OpenAI based in the USA, if their services are used for data processing. To ensure that your personal data receives a comparable level of protection, we implement appropriate safeguards in such cases, such as adequacy decisions and frameworks or standard contractual clauses approved by the European Commission. In the case of transfer to the USA, we additionally rely on the certification of providers under the "EU-US Data Privacy Framework" (DPF), if available.
We retain your personal data for as long as necessary to achieve the purpose for which it was collected. Typically, the period ends at the latest 5 years after the end of the use of "buyPal". After this period, the data is anonymized.
If you make a legitimate deletion request or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial retention periods); in the latter case, deletion will occur after these reasons no longer apply.
To ensure the protection of personal data that you provide through the use of our website or mobile app, we maintain physical, technical, and administrative security measures to protect your data from unauthorized access. This includes, among other things, encryption of data transmission (e.g., via SSL/TLS) and storage of passwords only as hashed values. Please note that data transmission on the Internet (e.g., when communicating via email) can have security gaps. Complete protection of data against access by third parties is not possible.
As "buyPal" develops, this privacy policy may also change over time. We reserve the right not to send you a notification every time we update this privacy policy. We may send you periodic email reminders about our notices and terms and conditions and inform you about significant changes to this information. However, we invite you to regularly check our website or the app to view the current privacy policies and any updates that may have been made to them.
Cookie | Purpose | Duration |
---|---|---|
buypal_cookie_consent | Used to store the user's cookie settings. | 1 year 1 month 1 day |
buypal_session, XSRF-TOKEN | Required for the secure operation of the website. | 0 seconds |
Cookie | Purpose | Duration |
---|---|---|
buypal_id | Required for processing and storing a user's orders. | 1 year 1 month 1 day |
buypal_remember_me | Required for storing the user session. | 1 year 1 month 1 day |
Cookie | Purpose | Duration |
---|---|---|
buypal_marketing | Required for marketing purposes and personalized offers / advertising. | 1 year 1 month 1 day |