Privacy statement of Zebrabox

1. Responsible party and content of this privacy statement

We, FRAZE MANAGEMENT, a simplified joint-stock company with a share capital of EUR 1,000, whose registered office is located at 55 Rue Joseph Cugnot, 11100 Narbonne, registered with the Trade and Companies Register of Narbonne under number 951 388 693, operate the website https://www.zebrabox.fr/en.

(the website) and, unless otherwise stated in this privacy statement, are responsible for the data processing described in this privacy statement.

In order for you to know which personal data we collect from you and for what purposes we use it, please read the information below. With regard to data protection, we primarily rely on the legal provisions of the French Data Protection Act of 6 January 1978, as amended, and on the General Data Protection Regulation (GDPR).

Please note that the information below is regularly reviewed and amended. We therefore recommend that you consult this privacy statement regularly. In addition, for certain data processing operations described below, other companies are responsible for data protection or jointly responsible with us, so that in such cases the information provided by those providers is also relevant.

DISCLAIMER: In the event of any dispute relating to data and this privacy statement, the French version of this privacy statement shall be the only legally valid document.

Status: March 2026

2. Contact person for data protection

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact by sending an e-mail to: contact-rgpd@zebrabox.fr

You can reach our EU data protection representative at:

MLL EU-GDPR GmbH
Ganghoferstrasse 37
DE-80339 Munich
zebrabox@mll-gdpr.com

3. Data processing when contacting us

When you contact us via our contact addresses and channels, for example by e-mail, telephone or contact form, your personal data is processed. The data processed is the data you have provided to us, such as your title, name, e-mail address, postal address and telephone number, as well as your request, in particular the site concerned, the category of the request and the communication. In addition, the time at which the request is received is documented. Mandatory information is marked with an asterisk (*) in the contact forms. Depending on the request, we may also ask you for additional information if you have not already provided it to us, such as:

• Vehicle rental: in particular rental period, pick-up location, number of drivers, copies of driving licences, payment method and payment details;

• Packaging material: requested product, quantity, collection location, payment method and payment details;

• Moves: moving date, old and new address, information for planning the move and transport, for example furniture, living area, floor, etc., payment method and payment details;

• Receipt of goods: number of parcels, site concerned, drop-off or pick-up, payment method and payment details;

• Document destruction: quantity of documents, location concerned, requested date, payment method and payment details;

• Archive systems: type and quantity of shelving units, information for the creation of customised shelving systems, rental or purchase, payment method and payment details.

We process this data in order to respond to your request, for example to provide you with information about our products and services, assist you with the performance of a contract, take your feedback into account in order to improve our products and services, and so on.

The legal bases for this data processing are as follows:

• Your consent for requests for information;

• Our legitimate interest within the meaning of Article 6(1)(f) GDPR in handling your request;

• If your request relates to the conclusion or performance of a contract, the necessity to carry out pre-contractual or contractual measures within the meaning of Article 6(1)(b) GDPR.

4. Data processing when reserving a Zebrabox and registering on a waiting list

On our website, you have the possibility to rent a Zebrabox or to be registered on a waiting list for the rental of a Zebrabox. For this purpose, we collect the following data, whereby mandatory data in the booking process are marked with an asterisk (*):

• Personal data:

  • Salutation

  • Name and first name

  • Residential address

  • Date of birth

  • Company name for corporate clients

  • E-mail address

  • Telephone number

• Product data:

  • Details of the desired Zebrabox (type, size, duration, reason for storage)

  • Value of goods

  • Stored goods

We use your personal data to verify your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication necessary for contract processing. The telephone number is used - after successful verification by means of the validation code sent - to deliver the access code. We store your data together with the peripheral data of the booking (e.g. timestamp, booking number, etc.), details of the product (e.g. size, exact facility, identification number of the Zebrabox), the payment data (e.g. selected payment method, confirmation of payment and timestamp; see also section 6) as well as the information on the processing and fulfilment of the contract (e.g. rectification of problems, use of customer service, etc.) in our CRM database (see also section 7) so that we can guarantee correct booking processing and fulfilment of the contract.

The legal basis for this data processing is the fulfilment of a contract with you according to Art. 6 Para. 1 lit. b GDPR.

The provision of data (e.g. reason for storage, knowledge of Zebrabox) that is not marked as mandatory is voluntary. We process this data in order to tailor our products and services to your personal needs in the best possible way, to facilitate contracts processing, to contact you by an alternative means of communication if necessary, with a view to fulfilling the contract or for statistical recording and evaluation in order to optimise our products and services.

The legal basis for this data processing is your consent within the meaning of Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by notifying us.

You have the option of adding your access code to the wallet on your (iOS or Android) smartphone using the "PassKit" app, so that you can easily find the code and have it to hand faster. In this case, with your consent, we will transmit the following data to PassKit, Inc. (6/F Golden Sun Centre Sheung Wan Hong Kong): Customer number, first name, last name and location of the booked Zebrabox. The legal basis for this data processing is your consent within the meaning of Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by notifying us. For any other processing of your data by PassKit, Inc., please refer to their data protection information.

We use the software application Mailchimp of Intuit Inc. (2700 Coast Avenue, Mountain View, CA 94043, USA) to send contract-relevant customer information by e-mail. Consequently, your data may be stored in a database of Intuit Inc., which may allow Intuit Inc. to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection declaration. The legal basis for the disclosure of data is our legitimate interest in the use of third-party services within the meaning of Art. 6 Para. 1 lit. f GDPR.

Intuit Inc. may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Intuit Inc. is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Intuit Inc. can be found at: https://www.intuit.com/privacy/statement.

5. Data processing during identity verification

To prevent, detect and prosecute unlawful and abusive behaviour on the part of customers, we require identification by means of an official identity document in order to book a Zebrabox. In this respect, biometric data, i.e. data requiring special protection, may be processed.

You have the option to complete the identification online or visit one of our facilities and have the check carried out by one of our employees. During the check at our facility, we verify whether you are the person in the photo on the ID document and whether the data on the ID document matches the data entered in the booking process (see point 4). We then save a copy of the ID document.

For online identification, we use the "PXL Ident" solution from PXL Vision AG (Rautistrasse 33, 8047 Zurich, Switzerland (PXL)). In this context, we redirect you to the web or mobile app and PXL receives the information that you intend to make a booking for a Zebrabox, as well as other technical data associated with accessing the website or app (see in particular section 8.1 regarding log file data). From PXL we receive information whether the identification was successful or not, as well as a copy of the ID card used. The legal basis for the data processing carried out by us as the data protection controller is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in protecting our property and the property of our customers and in safeguarding our legal claims and the legal claims of our customers.

PXL is the data controller for further data processing within the scope of online identification. PXL only processes your data for online identification with your express consent as the legal basis within the meaning of Art. 6 Para. 1 lit. a and Art. 9 Para. 2 lit. a GDPR. You can revoke your consent at any time with effect for the future by notifying PXL. You can find detailed information on this here: https://www.pxl-vision.com/en/privacy-policy-daego.

6. Data processing during payment processing

When you make bookings on our website, depending on the service and the desired payment method, it may be necessary, in addition to the information mentioned in section 4, to provide further data, such as your credit card information or the login details for your payment service provider. This information, as well as the fact that you have made a booking with us for the relevant amount and date, will be forwarded to the respective payment service providers, such as providers of payment solutions, credit card issuers and credit card acquirers. Please always take note of the information provided by the relevant company, in particular its privacy policy and general terms and conditions. The legal basis for this data processing is the performance of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

To avoid payment defaults, the necessary data, in particular your personal details, may also be transmitted to a credit agency for the automated assessment of your creditworthiness. In this context, the credit agency may assign you a so-called score value. This is an estimate of the future risk of a payment default, for example based on a percentage. The value is determined using mathematical and statistical procedures and by including data from other sources of the credit agency. We reserve the right, based on the information received, not to offer you the payment method “invoice”. In this context, automated decision-making, and possibly profiling, may also take place, which may result in the payment method “invoice” not being made available to you. Where the legal requirements are met, you have the right to express your point of view and request a review of the decision by a natural person. The legal basis for this data processing is our legitimate interest in avoiding payment defaults in accordance with Art. 6 para. 1 lit. f GDPR.

7. Central data storage and analysis in the CRM system

Provided is possible to clearly identify you, we will store and link the data described in this data protection declaration, i.e. in particular your personal details, your contact details, your contract details and your browsing behaviour on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables the efficient provision of the services requested by you and the processing of the associated contracts. The legal basis for this data processing is our legitimate interest in the efficient administration of user data within the meaning of Art. 6 Para. 1 lit. f GDPR.

We also analyse this data to further develop our products and services in a needs-oriented manner and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future bookings based on your use of our website. Part of these analyses could be judged as profiling (with or without high risk). The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in carrying out marketing activities.

For central data storage and analysis in the CRM system, we use a software application from Uniserv B.V. (Korte Hogendijk 14, 1506 MA Zaandam, The Netherlands). Therefore, your data may be stored in a database of Uniserv, which may allow Uniserv to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection declaration. Further information on data processing in connection with Uniserv can be found here. The legal basis for the transfer of data is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the use of third-party services.

Uniserv may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Uniserv is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Uniserv can be found here.

8. Background data processing on our website

This section covers the following data processing operations:

8.1 Data processing when visiting our website (log file data)
8.2 Cookies
8.3 Tracking and web analysis tools
8.4 Online advertising and targeting
8.5 Social media
8.6 How long is personal data collected through cookies retained?

8.1 Data processing when visiting our website (log file data)

When you visit our website, the web servers temporarily store each access in a log file. The following data is collected without your intervention and stored until it is automatically deleted by us:

• IP address of the requesting computer;

• date and time of access;

• name and URL of the file accessed;

• website from which the access was made, if applicable with the search word used;

• operating system of your computer and the browser you are using (including type, version and language setting);

• device type in the case of access by mobile phones;

• city or region from which the access was made; and

• name of your internet access provider. 

The collection and processing of this data is carried out for the purpose of enabling the use of our website (connection establishment), to permanently guarantee system security and stability, to enable error and performance analysis and optimisation of our website (see also section 8.3 for the last points). In the event of an attack on the network infrastructure of the website or if there is a suspicion of other unauthorised or improper use of the website, the IP address and the other data will be evaluated for the purpose of clarification and defence and, if necessary, used in the context of civil or criminal proceedings to identify the user concerned. The purposes described above are our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing.

For the operation of our website, we use the services of our hosting provider iquer.net GmbH & Co. KG, Klingenderstraße 5, 33100 Paderborn, Germany. Therefore, at most, your data will be stored in a database of iquer, which may allow iquer to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this privacy policy. Further information on data processing in connection with iquer can be found at https://www.iquer.net/datacenter/. The legal basis for the transfer of data is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the use of third-party services. It is possible that iquer would like to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). For these data processing activities, iquer is the data controller and must ensure compliance with the data protection laws in connection with these data processing activities. Information about data processing by iquer can be found at https://www.iquer.net/datacenter/. 

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. In this context, the data described here may also be processed. You will find more details on this in the following sections of this data protection declaration, in particular section 8.2 below.

8.2 Cookies

Cookies are information files that your web browser stores on your computer’s hard drive or memory when you visit our website. Identification numbers are assigned to cookies, which allow your browser to be identified and the information contained in the cookie to be read. Cookies are small files containing various text-based information, generally consisting of letters and numbers. They are placed on your device, such as a computer, tablet or smartphone, via your browser by the website you visit. This makes it possible to recognise your device whenever a connection is established between the website server and your browser. The main purpose of a cookie is therefore to enable the website server to adapt the content of webpages to your personal preferences and thereby personalise your visit.

There are several types of cookies:

• Session cookies: these cookies are temporary and are stored in your browser’s cookie file until your browser is closed. These cookies are necessary for certain applications or functions of the website to operate properly.

• Persistent cookies: the website may use persistent cookies to improve your user experience, for example by providing optimised navigation. These cookies remain in your browser’s cookie file for a longer period. The storage period depends on the configuration choices of your internet browser. Persistent cookies make it possible to transmit information to a web server each time a person visits the website and may in particular be used to remember your preferences and choices for a website or to target advertising. Persistent cookies are also referred to as tracking cookies.

• First-party cookies: these cookies are placed by the website when you visit it in order to improve your experience.

• Third-party cookies: these cookies are placed by third parties, which may be our partners. A third-party cookie is a file integrated via a browser by a website other than the one you are visiting, in order to store information locally and track your journey across multiple websites. These cookies are therefore not hosted on the website itself.

Among other things, cookies help to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are necessary, that is to say technically necessary, for your intended use of the website. For example, we use cookies to provide booking functions or to temporarily store the information you enter when completing a form on the website, so that you do not have to repeat the entry when visiting another subpage. Cookies also perform other technical functions necessary for the operation of the website, such as load balancing, that is to say the distribution of the site’s performance load across different web servers in order to relieve the servers. Cookies are also used for security purposes, for example to prevent the unauthorised publication of content. Finally, we also use cookies as part of the design and programming of our website, for example to enable the uploading of scripts or code.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in providing a user-friendly and modern website.

Most internet browsers automatically accept cookies. However, when you access our website, we ask for your consent for cookies that are not technically necessary, in particular for the use of third-party cookies for marketing purposes. Details of the services and data processing associated with the individual cookies can be found in the following sections of this privacy statement.

You may also configure your browser so that no cookies are stored on your computer or so that a message always appears whenever you receive a new cookie. On the following pages, you will find explanations on how to configure the processing of cookies for selected browsers:

• Google Chrome für Desktop

• Google Chrome für Mobile

• Apple Safari

• Microsoft Windows Internet Explorer

• Microsoft Windows Internet Explorer Mobile

• Mozilla Firefox

Deactivating cookies may mean that you cannot use all the functions of our website.

8.3 Tracking- and web analysis tools

8.3.1 General information on tracking

We use the web analysis services listed below for the purpose of demand-oriented design and continuous optimisation of our website. In this context, pseudonymised user profiles may be created and cookies may be used. Please also refer to section 8.2. The information generated by the cookie about your use of this website is generally transmitted together with the log file data listed in section 8.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, for example in the USA.

By processing the data, we may obtain the following information in particular:

• the navigation path followed by a visitor on the website, including content viewed and products selected or purchased or services booked;

• the length of stay on the website or a subpage;

• the subpage on which the website is left;

• the country, region or city from which access is made;

• the device used, including type, version, colour depth, resolution and browser window width and height; and

• whether the visitor is a returning or new visitor.

On our behalf, the provider will use this information for the purpose of evaluating the use of the website, in particular to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and demand-oriented website design. For these processing activities, we and the providers may be considered jointly responsible to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You may withdraw your consent or refuse processing at any time by rejecting or deactivating the relevant cookies in your browser settings, as described in section 8.2, or by making use of the service-specific options described below.

For the further processing of the data by the respective provider as the sole controller, in particular any onward transfer of this information to third parties, such as public authorities due to national legal regulations, please refer to the respective provider’s privacy information.

8.3.2 Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland, or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Contrary to the description in section 8.3.1, Google Analytics, in the version Google Analytics 4 used here, does not log or store IP addresses. In the case of access originating from the EU, IP address data is only used to derive location data and is then deleted immediately. When collecting measurement data in Google Analytics, all IP lookups take place on servers located in the EU before the traffic is forwarded to Analytics servers for processing. Regional data centres are used in Google Analytics. If a connection is established to the nearest available Google data centre, the measurement data is sent to Analytics via an encrypted HTTPS connection. At these centres, the data is further encrypted before being forwarded to Analytics processing servers and made available on the platform. The most appropriate local data centre is determined on the basis of the IP addresses. This may also result in data being transferred to servers abroad, for example in the USA.

We also use the technical extension Google Signals, which enables cross-device tracking. This makes it possible to associate a single website visitor with different end devices. However, this only occurs if the visitor has logged into a Google service when visiting the website and has activated the personalised advertising option in their Google account settings. Even in this case, no personal data or user profiles are made available to us. They remain anonymous to us. If you do not wish to use Google Signals, you can deactivate the personalised advertising option in your Google account settings.

Users can prevent Google from collecting the data generated by the cookie and relating to their use of the website, including the IP address, and from processing this data by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en. An opt-out cookie is then stored on the user’s device. If cookies are deleted, the link must be clicked again.

8.4 Online advertising and targeting

8.4.1 In general

We use the services of various companies in order to provide you with interesting offers online. In this context, your user behaviour on our website and on the websites of other providers is analysed so that online advertising tailored to your individual needs can subsequently be displayed to you.

Most technologies used to track your user behaviour (tracking) and to display targeted advertising (targeting) work with cookies (see also section 8.2) or similar technologies and unique identifiers, for example advertising IDs, which make it possible to recognise your browser across different websites. Depending on the service provider, it may also be possible for you to be recognised online even when you use different devices, for example a laptop and a smartphone. This may be the case, for example, if you have registered for a service that you use on multiple devices.

For these purposes, the data generated when visiting web pages (log file data, see section 8.1) and when using cookies (section 8.2) may be transmitted to the companies participating in the advertising networks and processed by them. In this context, the data may also be disclosed to countries worldwide (see in particular section 9 regarding the lack of an adequate level of data protection and the safeguards provided). In addition, the following data in particular may be used in order to select the advertising that is potentially most relevant to you:

• Information about you that you provided when registering for or using a service from advertising partners (for example your gender or age group); and

• User behaviour (for example search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, and newsletters to which you are subscribed).

We and our service providers use this data to determine whether you belong to the target group we wish to address and take this into account when selecting advertising. For example, after visiting our website, advertisements for the products or services you viewed may be shown to you when you visit other websites (re-targeting). Depending on the scope of the data, a user profile may also be created and analysed automatically, that is to say by means of what is known as profiling, with advertisements being selected on the basis of the information stored in the profile, such as belonging to certain demographic segments or having potential interests or behaviours. These advertisements may be displayed to you on different channels, including our website or app as part of onsite and in-app marketing, as well as advertisements delivered through the online advertising networks we use, such as Google.

The data may then be analysed for billing purposes with the service provider and in order to evaluate the effectiveness of advertising measures, so as to better understand the needs of our users and customers and improve future campaigns. This may also include information showing that the performance of an action, for example visiting certain sections of our websites or sending information, is attributable to a specific advertisement. In addition, the service providers provide us with aggregated reports on advertising activity and information on how users interact with our website and our advertisements.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) GDPR. You may withdraw your consent at any time by rejecting or disabling the relevant cookies in your web browser settings (see section 8.2). You will also find further options for blocking advertising in the information provided by the relevant service provider.

8.4.2. Google Ads

For online advertising, as explained in section 8.4.1, this website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). For this purpose, Google uses cookies (see the list here) as well as similar technologies and unique identifiers, for example advertising IDs, which make it possible to recognise your browser when you visit other websites. The information generated about your visit to these web pages, including your IP address, is transmitted in particular to Google servers in the United States and stored there (see in particular section 9 regarding the lack of an adequate level of data protection and the safeguards provided). Google processes personal data in order to display personalised advertising on Google services, for example the search engine. Further information on data protection at Google is available here.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) GDPR. You may withdraw your consent at any time by rejecting or disabling the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.4.3. Microsoft Advertising/ Bing Ads

For online advertising, as explained in section 8.4.1, the website uses services provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA (Microsoft)). For this purpose, Microsoft uses cookies (see the list here) and unique identifiers, for example the advertising ID or the UET tag, which make it possible to recognise your browser when you visit other websites. The information generated about your visit to these web pages, including your IP address, is transmitted in particular to Microsoft servers in the United States and stored there (see in particular section 9 regarding the lack of an adequate level of data protection and the safeguards provided). Microsoft will process personal data in order to display personalised advertising on Microsoft services, for example the search engine. Further information on data protection at Microsoft can be found here.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) GDPR. You may withdraw your consent at any time by rejecting or disabling the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.4.4. Yieldlab

For online advertising, as explained in section 8.4.1, the website uses the services of Virtual Minds GmbH (Ellen-Gottlieb-Str. 16, 79106 Freiburg i. Breisgau, Germany (Yieldlab)). For this purpose, Yieldlab uses cookies and unique identifiers, for example the Mobile Advertisement ID (MAID), which make it possible to recognise your browser when you visit other websites. The information generated about your visit to these web pages, including your IP address, is transmitted in particular to Yieldlab servers in Germany and stored there, although transfer to other countries may also take place (see in particular section 9 regarding the lack of an adequate level of data protection and the safeguards provided). Yieldlab will process personal data in order to display personalised advertising on the websites and services of affiliated companies, in particular in the media sector. Further information on data protection at Yieldlab is available here.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) GDPR. You may withdraw your consent at any time by rejecting or disabling the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.4.5. Meta Pixel and Custom Audience

For online advertising, as stated in section 8.4.1, the website uses the services of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (Meta)). For this purpose, Meta uses technologies such as cookies and the Meta Pixel, which make it possible to recognise your browser when you visit other websites. The information generated about your visit to these websites, including your IP address, is transmitted in particular to Meta servers in the United States and stored there (see in particular section 9 regarding the lack of an adequate level of data protection and the safeguards provided). Meta will process personal data in order to display personalised advertising on Meta services, for example Facebook or Instagram. For this purpose, we use the targeting functions offered by Meta, namely Website Custom Audiences, which allows us to recognise you on Meta services after you have visited our website and to display targeted advertising to you. Further information on data protection at Meta can be found here and here.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) GDPR. You may withdraw your consent at any time by rejecting or disabling the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.5 Social Media

8.5.1 Social Media Profile

We have included links to our profiles on the social networks of the following providers on our website:

• Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Notice;

• LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Notice;

• Google Ireland Limited (Youtube) Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Notice.

When you click on the icons of the social networks, you are automatically redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives in particular the data described in the section on log files (section 8.1), i.e. namely the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an appropriate level of data protection and on the guarantees provided, section 9).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website may be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case when you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore note the data protection information on the website of the network.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use and promotion of our social media profiles.

8.5.2 Social Media Plugins

On our website you can use social media plugins from the providers listed below:

• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy;

We use social media plugins to make it easier for you to share content from our website. The social media plugins help us to increase the visibility of our content in social networks and thus contribute to better marketing.

By default, the plugins are deactivated on our websites, and they do not send any data to social networks when you simply visit our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the networks' servers. Only when you activate the plugins by clicking on them and thus give your consent to the transmission and processing of data by the providers of the social networks, does your browser establish a direct connection to the servers of the respective social network.

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website. This provides the respective provider with the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address and the other log file data (section 8.1)) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there (cf. on this, in particular on the lack of an appropriate level of data protection and on the guarantees provided, section 9). We have no influence on the scope of the data that the provider collects with the plugin, although from a data protection perspective we can be considered jointly responsible with the providers up to a certain extent.

If you are logged into the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g. that you like a product or service from us) may also be published on the social network and possibly displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisements and tailoring the respective offer to your needs. For this purpose, usage, interest and relationship profiles could be created, e.g. in order to automatically evaluate your use of our website with regard to the advertisements displayed to you on the social network (in particular by means of profiling), to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks as well as your rights in this regard and setting options for protecting your privacy can be found directly in the data protection information of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. Your consent within the meaning of Art. 6 (1) a GDPR forms the legal basis for the data processing described above. Some of the data processing could also be assessed as profiling (with or without high risk), to which your consent also extends. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information in their privacy policy.

8.6 How long is personal data collected through cookies retained?

Personal data collected through cookies on the website is retained for a maximum period of 12 months. Your choice to accept or refuse the use of cookies on the website will be retained for a maximum period of 6 months.

9. Transfer and transmission abroad

9.1 Disclosure to and access by third-party access

Without the support of other companies, we would not be able to provide our products and services in the desired manner. In order for us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. We share your personal data with selected third-party service providers only to the extent necessary to provide you with the best possible service.

Various third-party service providers are already explicitly mentioned in this data protection declaration. Your data will also be passed on if this is necessary to process the contractual relationship, i.e. e.g. to removal companies or providers of document shredding services. The legal basis for these disclosures is the necessity for the fulfilment of a contract within the meaning of Art. 6 Para. 1 lit. b GDPR. The third-party service providers are responsible for this data processing in the sense of the Data Protection Act and not we. It is the responsibility of these third-party service providers to inform you about their own data processing - which goes beyond the transfer of data for the provision of services - and to comply with data protection laws. In addition, we may transfer personal data to third-party providers of shipping, printing, security, IT support, data management, data backup, cloud and storage services if this is necessary for the use of the third-party services. Our legitimate interest within the meaning of Art. 6 (1) f GDPR in using third-party services forms the legal basis for this data processing.

In addition, your data may be passed on, in particular to authorities, legal advisors or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the protection of our rights and compliance with our obligations or the sale of our company or parts thereof.

9.2 Transfer of personal data abroad

We are authorized to transfer your personal data to third parties abroad, if this is necessary to carry out the data processing mentioned in this data protection declaration. Individual data transfers have already been mentioned in the preceding sections (see in particular section 8). It goes without saying that we comply with the statutory provisions on the disclosure of personal data to third parties. The countries to which data is transferred include those that have an adequate level of data protection according to the decision of the Federal Council and the EU Commission (such as the member states of the EEA or, from the EU's perspective, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance (DPA) and the EU Commission's website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies by means of suitable guarantees, unless an exception is specified in the individual case for the data processing (cf. Art. 49 GDPR). Unless otherwise stated, these are the choice of companies certified under the Privacy Framework Agreement or standard contractual clauses within the meaning of Art. 46 (2) (c) of the GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact our contact person for data protection (see point 2).

9.3 Information on data transfers to the USA

Some of the third-party service providers mentioned in this data protection declaration are based in the USA. For the sake of completeness, we would like to point out for users residing or having registered office in Switzerland or the EU that there are monitoring measures in place in the USA by US authorities which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes that can justify the intrusion associated with both the access to and the use of these data. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies or effective legal protection against general access rights of US authorities that would allow them to obtain access to the data concerning them and to obtain their correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision to consent to or object to the use of your data.

We would also like to point out to users residing in Switzerland or a member state of the EU that, from the point of view of the European Union and Switzerland, the USA does not have an adequate level of data protection, partly because of the statements made in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected with our third-party service providers by choosing companies that are certified under the Privacy Framework Agreement or contractual arrangements with these companies, as well as any additional appropriate guarantees that may be required.

10. Retention periods

We retain personal data only for as long as necessary to carry out the processing operations described in this privacy statement within the scope of our legitimate interest. For contractual data, retention is required by statutory retention obligations. The requirements obliging us to retain data arise from accounting regulations and tax law provisions.

In accordance with these provisions, business communications and concluded contracts must be retained for up to 5 years from the end of the contractual relationship, except for distance contracts exceeding EUR 120, which must be retained for 10 years, and accounting records must be retained for 10 years.

If we no longer need this data in order to provide services to you, the data will be blocked. This means that the data may then only be used if this is necessary to comply with retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any retention obligation and no legitimate interest in retaining it.

Data collected for commercial prospecting purposes is retained for a maximum period of 3 years from the last contact with you.

11. Data security

We use appropriate technical and organisational security measures to protect your personal data stored with us against loss and unlawful processing, namely unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfil their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot therefore provide an absolute guarantee for the security of information transmitted in this way.

12. Your rights

Provided that the legal requirements are met, you have the following rights as a person affected by data processing:

• Right of access: you have the right to request access to your personal data stored by us at any time, free of charge, if we process it. This gives you the opportunity to check what personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

• Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

• Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

• Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.

• Right to data transfer: You have the right to receive from us, free of charge, the personal data you have provided to us in a readable format.

• Right to review: In the case of automated individual decisions, you have the right to express your point of view and request a review of the decision by a natural person.

• Right to object: You can object to data processing at any time, especially in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

• Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your withdrawal.

• Post-mortem right: You have the right to designate a person who may access your data in the event of your death. In the absence of such designation, your heirs will be entitled to access your data.

To exercise these rights, please send us an e-mail to the following address: contact-rgpd@zebrabox.fr

If you have any concerns or complaints regarding the protection of your personal data, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) via the following link: Plaintes en ligne | CNIL

The CNIL can also be contacted at the following address: 3 Place de Fontenoy, 75007 Paris, telephone: 01 53 73 22 22