Privacy Policy of CoStore Holding GmbH

Note: This is an English translation for informational purposes only. The legally binding version is the original German document.

CoStore is pleased about your interest in our company and our services. We want you to feel comfortable when contacting us. Therefore, the security of your personal data that arises when contacting CoStore – such as name, address, telephone number or email address – is an important concern for us.

This privacy information is directed at all persons with whom CoStore ("we" or "us") interacts, including customers, potential customers, interested parties and visitors to our websites, users of our apps/applications, other users of our products or services, and visitors to our locations ("you" or "your"). It contains the information according to Art. 13 and 14 GDPR.

Terms

The processing of personal data takes place within the framework of legal regulations.

Personal data is all information that relates to an identified or identifiable natural person. Processing includes any operation related to personal data – such as collecting, recording, storing, adapting, using, transmitting or deleting. Further terms correspond to the definitions in Art. 4 GDPR.

Name and Address of the Responsible Parties

CoStore Holding GmbH
Große Rheinstrasse 22
76661 Philippsburg

1. General Processing Purposes and Legal Bases

We collect and process your personal data particularly in the following cases:

When you contact us directly – for example via our website, our customer service or during on-site visits.
When you participate in surveys, campaigns or competitions.
When you are interested in our storage solutions or other services.
When you or your company rent storage space or use additional services.
When you or your company request information about our offers.
When you or your company use or apply for our services.

Please keep your information up to date and inform us of changes – especially your contact details.

We process in particular the following data: Name, address, telephone number, email address, if applicable company name, function, business contact details as well as contract and transaction data, as far as they are necessary for the business relationship.

Processing for Contract Purposes and Website Use

We process personal data for the reservation, rental and management of storage space as well as for the processing of rental contracts and additional services, in particular:

Booking requests and creation of offers
Creation and management of rental contracts
Access control and use of rented spaces
Customer service and support
Invoicing, payment processing, dunning procedures
Processing of complaints and damage cases
Technical provision of the website

Data Categories

Contact data: Name, address, telephone, email
Business information: Company name, function, VAT ID
Booking data: Rented space, rental start
Payment data: Payment status, references, transaction data
Access data: Digital codes, key management
Communication data: Support histories

Email Delivery by Kinnovis

Booking, management and termination are handled through our partner Kinnovis. You will receive transaction-related emails (e.g., contract documents, collection information, invoices) according to Art. 6 para. 1 lit. b GDPR. These are necessary for contract fulfillment and cannot be unsubscribed from.

Further information: https://kinnovis.com/privacy-policy/

Data Transfer to Service Providers

Kinnovis – Booking and contract platform
Stripe – Payment service provider
Privacy policy: stripe.com/de/privacy
Collection agencies or lawyers – in case of outstanding receivables

Central Registration Service

User registration takes place via Kinnovis (www.kinnovis.com). Name, email address, telephone number and if applicable company name are processed. More information: kinnovis.com/privacy-policy

Receivables Management

In case of payment arrears, data (name, address, contract and invoice data) may be transmitted to collection agencies or lawyers. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Storage and Deletion

Personal data is stored as long as it is necessary for contract processing. After that, statutory retention periods apply. We delete requests at the latest 12 months after completion, unless legal obligations prevent this.

Order Processing

We have order processing contracts according to Art. 28 GDPR with all service providers, ensuring data protection and data security.

2. Participation in Events and On-Site Visits

We process personal data for the organization, implementation and follow-up of visits and events.

Purposes of Data Processing

Planning and implementation of site visits and events
Provision of information and materials
Admission control and visitor management
Creation of image and video recordings for documentation and public relations

Processed Data Categories

Contact data: Name, address, telephone number, email
Company data: Company name, position
Visit information: Date, time, purpose
Image and video recordings (if created)

Coordination and Planning

For appointment planning and coordination we use Microsoft services. Legal basis: Art. 6 para. 1 lit. b GDPR. Privacy information: microsoft.com/de-de/privacy/privacystatement

Participation Without Registration

For freely accessible events, image and video recordings may be created for documentation and public relations purposes.

Signs on site inform about photo and video recordings.
If you do not wish to be recorded, please speak to the event team. We will anonymize or pixelate recordings if possible.

Objection

You can object to the processing of image and video data for personal reasons. Please inform us or the photographers on site so that we can take appropriate measures.

3. Use of Service Offerings (Consultation)

In addition to our products, we offer service and consultation services by telephone, email, contact form, WhatsApp Business, chatbot (JaneGPT by Kinnovis) or on site. Bookings or contract conclusions are exclusively handled via Kinnovis.

Purposes of Data Processing

Processing of inquiries about our services
Technical consultation and customer service
Support with booking and management (without contract conclusion)
Documentation of customer inquiries for service quality

Processed Data Categories

Contact data: Name, address, telephone number, email
Company data: Company name, position
Communication data: Contents of customer inquiries

Data Transfer to Service Providers

Kinnovis (JaneGPT chatbot) – Automated processing of customer inquiries
WhatsApp Business – Communication with our support
Privacy policy: whatsapp.com/legal/privacy-policy
We have an order processing contract according to Art. 28 GDPR with WhatsApp Business. Please note that data may be processed outside the EU.

Storage and Deletion

Service inquiries are stored for up to 12 months after processing and then deleted, unless statutory retention periods exist.

4. Newsletter

We offer newsletter services to regularly inform about products, services and offers.

Purposes of Data Processing

Sending email newsletters with current offers
Personalization of content based on your interests (with consent)
Statistical analysis (opening and click rates, if consented)

Processed Data Categories

Contact data: Email address, optional name
Interaction data: Opening rates, clicks (with consent)

Registration and Double-Opt-In Procedure

For registration to our newsletter, we use the double-opt-in procedure. This means:

After registration, you will receive a confirmation email with a link that you must click to complete your registration.
Only after this confirmation will your email address be added to our mailing list.
If this confirmation does not occur, the registration will be automatically deleted after 30 days.

Unsubscribing from the Newsletter

You can unsubscribe from the newsletter at any time via an unsubscribe link in every email or by making a direct request to us. After unsubscribing, your email address will be removed from the mailing list, unless legal retention obligations exist.

Data Transfer and Shipping Service Provider

For sending our newsletters, we use the email marketing service provider Klaviyo. Your data is processed exclusively on our behalf and is subject to Klaviyo's privacy policies. Further information can be found here: https://www.klaviyo.com/legal.

We ensure that Klaviyo acts as a processor according to Art. 28 GDPR and a GDPR-compliant data processing agreement (DPA) has been concluded with us.

Storage and Deletion of Data

We store your email address and preferences for the newsletter as long as you are subscribed. After unsubscribing, the data will be deleted within 30 days, unless other legal obligations exist.

Access to Business Premises and Video Surveillance

In the context of using our storage facilities and accessing our locations, we process personal data, particularly for access control, security and monitoring of the sites. This includes:

Recording of access data when using our digital access systems
Monitoring of sites through video surveillance to ensure operational safety and protection against theft or vandalism
Identification of vehicles, associated storage numbers and relevant image recordings in case of security issues
Sharing of relevant data with law enforcement authorities or security services for investigation of security-related incidents
Use of video recordings for evidence preservation in case of violations of the T&Cs, particularly regarding illegal waste disposal on the premises

Video Surveillance

Our locations are equipped with overt video surveillance to ensure the protection of facilities, employees and customers. Video surveillance is conducted particularly:

For burglary prevention and investigation of thefts or vandalism
To ensure compliance with the terms of use of our storage facilities
For evidence preservation in security-related incidents
For control and assurance of orderly operational procedures
For documentation and sanctioning of T&C violations, particularly in cases of property damage or unauthorized waste disposal on the premises

Video recordings are generally stored for a maximum of 14 days and then automatically deleted, unless security-related incidents require longer storage (e.g., official investigations).

Monitoring by Third Parties

For enhanced security of our locations, we work with external security service providers who monitor the video surveillance in real-time outside our business hours (between 10:00 PM and 8:00 AM). If security-related events occur, the security service can take appropriate measures or notify law enforcement authorities.

Information about Video Surveillance

Video surveillance is indicated by appropriate signage at the locations. Customers and visitors have the right at any time to request information about stored recordings or to object to the processing, unless overriding security interests oppose this.

Corporate Communication and Public Representation

In the context of our corporate communication and public relations, we process personal data, particularly for documentation of events, press work and digital media appearances. This includes in particular:

Creation and publication of image and video recordings during events, corporate activities or marketing measures
Provision of company information on our website and in social media
Communication with customers, business partners and the public about relevant topics related to CoStore
Use of testimonials or experience reports for marketing purposes

Photo and Video Recordings at Events

During our corporate events, image and video recordings may be made that are used for internal and external communication, reporting or advertising purposes. The recordings may be published on:

The CoStore website
Social media (e.g., LinkedIn, Facebook, Instagram)
Print or online publications for corporate purposes

If you do not wish recordings of you to be published, you can object to the use at any time. We will then take appropriate measures to ensure your right to data protection.

Compliance, Legal Enforcement and Crime Prevention

We process personal data to the extent necessary for the assertion, exercise or defense of legal claims or to fulfill legal obligations. This includes:

Investigation, prevention and clarification of fraud, abuse or other legal violations
Enforcement of our T&Cs, particularly in case of contract breaches or unauthorized use of our storage facilities
Fulfillment of legal requirements, particularly tax and commercial retention obligations
Cooperation with law enforcement authorities and courts when a legal obligation exists or a legitimate interest is present

Advertising Communication and Market Research

To the extent legally permissible based on Art. 6 para. 1 lit. f GDPR or if you give us your consent (Art. 6 para. 1 lit. a GDPR), we process your data particularly for advertising communication, customer satisfaction surveys, promotional campaigns and for conducting competitions. This enables us to specifically improve our products and services and respond more individually to customer needs.

Fulfillment of Legal Obligations (Art. 6 I c GDPR)

We are subject to a variety of legal obligations for the processing and retention of personal data. These concern, for example, commercial and tax retention requirements according to the German Commercial Code and Fiscal Code.

Further Processing Purposes

Data processing also takes place in the context of quality management, for determining and improving customer satisfaction, for further development of products and services, for conducting research and development, and for improving IT security and IT operations. The latter point also includes processing for detecting and preventing unauthorized access to personal data.

Sharing Data with Third Parties

For the aforementioned purposes, data may be shared with third parties who support the responsible party in pursuing the stated purposes.

Storage Duration

We store your personal data only as long as necessary for the purposes for which they were collected or as long as storage is required by law or within the framework of official requirements.

Data Protection Contact

For all questions regarding the processing of personal data, our Data Protection Officer Marcel Philipp Lang is available to you. You can reach him at the following email address: datenschutz@costore.de.

Data Security

We implement technical and organizational measures to protect personal data from unauthorized access, loss or manipulation.

Technologies on Our Website

Necessary Technologies

For the technical provision and security of our website as well as the booking and payment processes, we use the following service providers:

Amazon Web Services (AWS)

Hosting and cloud services for providing our website and applications. AWS processes data in data centers worldwide. Further information: https://aws.amazon.com/privacy/

Webflow

Web design and hosting platform for designing and managing our website. Further information: https://webflow.com/legal/privacy

Stripe

Payment service provider for processing online payments. Stripe processes, among other things, payment information, IP addresses and metadata for fraud prevention. Further information: https://stripe.com/de/privacy

Kinnovis

Booking and contract management platform through which rental contracts are processed and managed. Further information: https://kinnovis.com/privacy-policy/

Consentmanager

Tool for managing cookie consents according to GDPR requirements. This allows users to individually adjust their privacy settings. Further information: https://www.consentmanager.de/datenschutz

Cloudflare

Security and performance service for securing our website against attacks and for faster delivery of content. Further information: https://www.cloudflare.com/de-de/privacypolicy

Amazon Cloudfront

Content Delivery Network (CDN) for fast delivery of our web content via distributed servers worldwide. Further information: https://aws.amazon.com/cloudfront/

Google Maps

Provision of map services for locations and navigation. Google may process user data such as IP addresses or location data. Further information: https://policies.google.com/privacy?hl=de

Google Fonts

Provision of fonts for uniform display of the website. IP addresses may be processed by Google. Further information: https://fonts.google.com/about

jsDelivr

Provision of icons and other libraries for website design. Further information: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net

Unpkg

Provision of icons and other static files for website optimization. Further information: https://unpkg.com/

Satellite by Sipgate

Online telephony for receiving calls. Data is stored for processing telephone connections. Further information: https://www.sipgate.de/datenschutz

Further Technologies

Additionally, we use the following services to improve our website functionality, for analysis purposes and for marketing and communication measures:

Google Analytics

Web analytics service for collecting and analyzing usage behavior on our website. IP anonymization is activated, meaning IP addresses are anonymized within the EU or EEA before storage. Further information: https://policies.google.com/?hl=de

Google Tag Manager

Management of marketing and tracking tags without direct collection of personal data. Further information: https://policies.google.com/?hl=de

Google Ads Remarketing

Advertising based on user behavior with cookies for interest-based advertisements. Further information: https://policies.google.com/technologies/ads?hl=de

Facebook Plugin

Integration of Facebook functions for social interactions and advertising measures. Further information: https://de-de.facebook.com/about/privacy/

Facebook Remarketing (Custom Audiences)

Enables display of personalized advertisements based on your visit to our website. Further information: https://de-de.facebook.com/about/privacy/

Facebook Lead Ads

Use of Facebook advertising forms for collecting user inquiries. Further information: https://de-de.facebook.com/about/privacy/

Klaviyo

Email marketing service for sending newsletters and personalized customer communication. Further information: https://www.klaviyo.com/legal/privacy-policy

Microsoft Booking Tool

Enables online booking of appointments. Further information: https://privacy.microsoft.com/de-de/privacystatement

Microsoft Forms

Online forms for collecting customer inquiries and feedback. Further information: https://privacy.microsoft.com/de-de/privacystatement

WhatsApp Business

For customer communication via a GDPR-compliant business account. Users can contact us via WhatsApp, whereby metadata (e.g., phone number, timestamp) is processed. Further information: https://www.whatsapp.com/legal/business-data-processing-terms

Legal Bases for Processing

The processing of personal data is based on the following legal bases according to GDPR:

Art. 6 para. 1 lit. b GDPR (Contract Performance): If the processing is necessary for providing our services or processing your inquiries.
Art. 6 para. 1 lit. c GDPR (Legal Obligation): If legal regulations require processing (e.g., tax or accounting obligations).
Art. 6 para. 1 lit. f GDPR (Legitimate Interest): If we process personal data for optimizing our offers, for security measures or for direct marketing.
Art. 6 para. 1 lit. a GDPR (Consent): If you have given us your consent for specific purposes (e.g., for using cookies, marketing measures or participating in surveys).

Data Transfer to Third Parties: If transfer to service providers or partner companies is necessary, we ensure that they comply with data protection requirements (e.g., through data processing agreements or standard contractual clauses).

Storage Period and Deletion of Data

We store personal data only as long as necessary for the respective purpose. After the purpose ceases to exist or statutory retention periods expire, the data will be deleted.

The following general periods apply:

Communication data (emails, inquiries): Until final processing of the inquiry, maximum 12 months thereafter.
Contract-related data: According to statutory retention periods (e.g., 6 years for commercial documents, 10 years for tax documents).
Marketing and analysis tools: Storage according to individual consent, maximum 24 months.
Cookies: Depending on type and purpose up to 12 months.

If deletion is not possible (e.g., due to statutory retention obligations), processing will be restricted.

Data Protection Contact

Processing of Personal Data

Data Categories and Purposes of Processing

We process personal data for various purposes, including:

Communication and Inquiries: If you contact us (e.g., by email, telephone, social media or contact form), we process the data you provide to handle your inquiry.
Provision of Our Services: This includes in particular the use of our website, our platforms and any associated digital services.
User Interactions and Analyses: We record how our website or other digital channels are used to improve our content and offers.
Marketing and Advertising Purposes: If you have given us consent, your data may be used for targeted communication or display of personalized content.

The exact processing depends on the services and platforms used in each case. A detailed breakdown can be found in the respective sections of this privacy policy.

Data Security

We implement technical and organizational measures to protect personal data from unauthorized access, loss or manipulation. These include among others:

Encrypted data transmission (e.g., SSL/TLS on our website)
Access and authorization concepts to minimize data processing
Regular security updates for our systems
Data minimization (collection of only necessary information)

We point out that when using third-party services (e.g., social media, cloud services) additional security risks may exist over which we have no influence. We recommend informing yourself about the respective privacy policies of the providers.