Privacy Policy

Notice: This text is a machine translation. Only the German original version is legally binding.

This privacy policy informs you about the nature, scope, and purpose of the processing of your personal data. It applies to all services of grove.eco by Looking4Cache UG (haftungsbeschränkt) (hereinafter “we” or “our”). These include, among others:

• the website https://www.grove.eco, hereinafter “Website”.
• the web application https://app.grove.eco, hereinafter “WebApp”.
• our apps on mobile devices for optimized use of the WebApp, hereinafter “mobile app”

The collection and processing of your personal data is carried out in compliance with the applicable data protection regulations, in particular the General Data Protection Regulation (hereinafter “GDPR”).

The purpose of collecting and processing your personal data is to provide functional services, communicate with you, implement security measures, and conduct marketing including reach measurement.

1. Name and Address of the Controller

The controller within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection provisions is:

Looking4Cache UG (haftungsbeschränkt)
Oberer Wasen 12
74626 Bretzfeld
Germany
Email: [email protected]

2. Withdrawal

You may revoke consent already granted for the processing of your personal data at any time without stating reasons. To do so, send us an email at [email protected]. Please use as sender the email address with which you registered for our services.

3. Legal Basis for the Processing of Personal Data

Based on Art. 13 GDPR, we inform you of the legal basis of our data processing. Unless otherwise specified, the processing of your personal data is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. Your consent is obtained in accordance with Art. 7 GDPR.

4. Your Rights as a Data Subject

Under applicable law, you have various rights regarding your personal data. If you wish to exercise these rights, please send your request by email or by post, clearly identifying your person, to the address stated in section 1.

Below is an overview of your rights.

4.1. Right to Confirmation and Access

You have the right at any time to obtain confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to obtain from us, free of charge, information about the personal data stored about you, including a copy of this data. Furthermore, you have a right to the following information:

1. the purposes of processing;
2. the categories of personal data that are processed;
3. the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the planned period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of a right to rectification or erasure of personal data concerning you, or to restriction of processing by the controller, or a right to object to such processing;
6. the existence of a right to lodge a complaint with a supervisory authority;
7. where the personal data is not collected from you, any available information as to its source;
8. the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and para. 4 GDPR and—at least in those cases—meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Where personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

4.2. Right to Erasure (Right to be Forgotten)

Pursuant to Art. 17 para. 1 GDPR, you have the right to demand that we erase personal data concerning you without undue delay, and we are obliged to erase personal data without undue delay where one of the following grounds applies:

1. The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
2. You withdraw consent on which the processing is based according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
3. You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
4. The personal data has been unlawfully processed.
5. Erasure of the personal data is required for compliance with a legal obligation under Union or Member State law to which we are subject.
6. The personal data has been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.

Where we have made the personal data public and are obliged pursuant to Art. 17 para. 1 GDPR to erase it, we shall, taking account of available technology and implementation costs, take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested erasure by such controllers of any links to, or copy or replication of, that personal data.

4.3. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller without hindrance from us, where

1. the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and
2. the processing is carried out by automated means.

In exercising your right to data portability pursuant to Art. 20 para. 1 GDPR, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

4.4. Automated Decisions Including Profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you.

Automated decision-making based on the personal data collected does not take place.

4.5. Right to Withdraw Data Protection Consent

You have the right to withdraw consent to the processing of personal data at any time.

4.6. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you is unlawful.

5. Security Measures

In accordance with Art. 32 GDPR, we implement security measures such as truncating your IP address and SSL encryption.

5.1 IP Address

Your IP address is, wherever possible, always stored only in truncated form. This prevents or significantly complicates identification of your person. IP address truncation does not occur for security-relevant events. These include failed login attempts, password resets, and confirmation (consent) of email addresses.

5.2 SSL Encryption

Our services transmit your data only with active SSL encryption. You can recognize this by the “https://” protocol in the address bar. We automatically redirect you to “https://” if you attempt to open an unencrypted connection.

6. Transfer and Disclosure of Your Data

Your data may be transferred or disclosed to other companies or persons outside our company. This occurs, for example, to payment institutions during payment processing or to IT service providers for IT tasks that we may outsource.

In such cases, we conclude corresponding contracts or agreements to protect your data.

7. Cookies

We use cookies exclusively for technically necessary purposes.

On our website, technically necessary cookies may be set in connection with Cloudflare providing and protecting the site.

In our WebApp, we use cookies for login (e.g., user token) and for storing application-specific settings and states (e.g., currently edited year, selected language).

As these cookies are required for the technical operation and provision of our services, we do not use a cookie consent banner.

The legal basis for this processing is Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in a secure and functional operation of our services).

8. Storage Period

We delete your data in accordance with legal requirements. If this is not possible, processing is restricted.

Unless otherwise stated in the individual sections of this privacy policy, we delete the data as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent deletion.

If deletion is prevented by a statutory retention obligation (e.g., commercial and tax law reasons, logging of consent), processing of the data is restricted. This means the data is blocked and not used for other purposes.

9. Data Collected by Us

9.1. Web Server Log Files

Every access to our server is logged in log files. This always happens when you use our services, i.e., our Website, WebApp, mobile app, or open or use a notification.

The following information is stored:

1. URL accessed
2. Date and time
3. Anonymized IP address

The purpose of logging is to trace errors and analyze server stability. Data is not assigned to your person.

Different legal basis
The legal basis for logging is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Storage period
The logs are automatically deleted after 30 days.

9.2. Storage of Your Email Address

We store your email address together with the following information:

1. At what time and from which IP address your email address was submitted to us.
2. Whether the email address has already been confirmed by you (double opt-in).
3. At what time and from which IP address your email address was confirmed (double opt-in).
4. Which type of emails we may send you (e.g., notifications regarding your user profile, newsletter).
5. Copy of the email we sent you to confirm your email address (double opt-in).

The purpose of storing your email address is to be able to contact you by email. Storage of your full IP address is necessary for the double opt-in process.

Different legal basis
The legal basis for storage is your consent pursuant to Art. 6 para. 1 lit. a GDPR as well as our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legal basis for storing the email address together with the full IP address is the legal obligation pursuant to Art. 6 para. 1 lit. c GDPR as well as Art. 7 GDPR.

Storage period
Due to the obligation to provide proof of consent pursuant to Art. 7 GDPR, we store this information for a further 3 years after withdrawal of this privacy policy. During this period, the data is blocked for further use and may only be used, if applicable, to defend against legal claims pursuant to Art. 8 para. 2 GDPR.

9.3. Name and Billing Address

Providing your name and billing address is optional if this is not required for the invoice. If legal requirements require your name and address on the invoice (e.g., due to invoice amount), we request them. If these are not necessary, you may still provide the data if you wish.

The following are stored:

1. First and last name
2. Billing address
3. VAT ID for companies

Different legal basis
The legal basis for storing your name and billing address is a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.

Storage period
We store this information until withdrawal of this privacy policy. A copy of the invoice, which also contains this data, is stored in accordance with statutory retention periods.

9.4. Comments

If you submit a comment, we store the specified name, the email address, and the time in addition to the comment itself.

Different legal basis
The legal basis for the comment function is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

10. Integrated Systems and Service Providers

10.1. Payment Service Providers

We use professional payment service providers for payment of our services. Depending on the service provider and the payment method selected by you, different data is processed by them. This data includes master data such as name, address, bank details, credit card numbers, and security features (passwords, TANs, check digits). This data is required to carry out the transaction. This data is processed and, if applicable, stored by the payment service provider. Where applicable, your data may be used or transferred by the payment service provider for a credit check.

Of the data we receive from the payment service provider, we store only the information absolutely necessary for us. This is the payment status (successful or not), a reference number (for possible refunds), the method (e.g., credit card or SEPA direct debit), and, if applicable, the type of credit card (e.g., VISA) and the country in which it was issued.

Please note the terms and conditions and privacy notices of the respective payment service provider. We refer to these for further information and for exercising rights of withdrawal, access, and other data subject rights.

Different legal basis
Legal basis is the fulfillment of contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR.

Storage period
We do not store payment information on our systems.

Stripe:
Stripe Technology Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Irland
Webseite: https://stripe.com/de
Datenschutzerklärung: https://stripe.com/de/privacy

10.2. AI Assistant (Mistral AI)

We use an AI-supported chat assistant on our platform, based on the technology of Mistral AI. This assistant helps you with questions about garden planning and using our services.

Processed data
Only the chat messages you enter during your conversation with the chat assistant are transmitted to Mistral AI. These messages are processed to generate responses. We recommend not entering personal or sensitive information into the chat.

Purpose of processing
Processing is carried out to provide a functional AI chat assistant that supports you in using our services and answers questions.

Legal basis
The legal basis for processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you grant before using the chat assistant.

Storage period
Chat histories are automatically deleted 30 days after the last interaction. If you delete a chat yourself, the chat history is deleted immediately. The purpose of this storage is that you can view your previous conversations later and continue them if needed. Your chat messages are transmitted to Mistral AI solely for processing and generation of responses. Your chat messages are not permanently stored by Mistral AI. Information on data processing by Mistral AI can be found in their privacy policy.

Mistral AI:
Mistral AI, 15 rue des Halles, 75001 Paris, Frankreich
Webseite: https://mistral.ai
Datenschutzerklärung: https://mistral.ai/terms/#privacy-policy

10.3. Content Delivery Network (CDN)

We use the CDN service provider Cloudflare to provide our services. A CDN stores static files (e.g., graphics) of a website on regional servers. As soon as you want to access these files, they may be loaded from the CDN provider’s server instead of our server. This gives you faster access to our services and reduces load on our own servers.

Third-country transfer
Cloudflare has submitted to and is certified under the EU-US Data Privacy Framework (DPF). The DPF ensures an adequate level of data protection when processing data in the USA. The certification can be viewed here: https://www.dataprivacyframework.gov/s/participant-search

Different legal basis
Legal basis is our legitimate interest in the secure and efficient provision of our services pursuant to Art. 6 para. 1 lit. f GDPR.

Cloudflare:
Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Webseite: https://www.cloudflare.com/de-de
Datenschutzerklärung: https://www.cloudflare.com/de-de/privacypolicy

10.4. Social Media Buttons

On our website, we provide links to our profiles on social media platforms. No scripts, plugins, or other content from the respective providers are embedded on our site. Therefore, when you visit our website, no data is automatically transmitted to social media providers. A connection to the respective platform is established only when you actively click one of these links, and their data protection provisions then apply.

Information about the collection and use of your data in social networks can be found in the respective terms of use and privacy notices of the corresponding providers.

We have integrated social media buttons on our website from the following companies:

• Instagram: https://privacycenter.instagram.com/policy
• Facebook: https://www.facebook.com/about/privacy
• YouTube: https://policies.google.com/privacy
• Pinterest: https://policy.pinterest.com/de/privacy-policy
• WhatsApp: https://www.whatsapp.com/legal/privacy-policy
• Telegram: https://telegram.org/privacy
• Reddit: https://www.reddit.com/policies/privacy-policy
• Pocket: https://getpocket.com/de/privacy

10.5. Affiliate Programs

On our website, we sometimes link to products that can be purchased from a partner such as Amazon. So that the respective partner can pay us a commission, the link transmits information that the link originates from us (so-called referrer URL).

We do not embed scripts or elements hosted by the respective partner. This means that unless you click the link, no data about you is transmitted to the partner.