Privacy Policy
1. Introduction
The following sets out how we process personal data in connection with the use of our website https://lkw.app and our profiles on social media.
Personal data is any data that can be related to an identifiable natural person, e.g. their name or IP address.
1.1. Contact details
The controller within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Aparkado UG (haftungsbeschränkt), Pilgrimstraße 6, 50674 Köln, Germany, email: info@aparkado.de. The company is represented by Roland Moussavi (Managing Director) and Sven Thiermann (holder of general power of attorney).
Our external Data Protection Officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.
1.2. Scope of processing, purposes, and legal bases
The scope of data processing, the purposes of the processing, and the corresponding legal bases are described in detail below. Generally, the following legal bases apply:
Art. 6 (1) sentence 1 lit. a GDPR is our legal basis for processing operations for which we obtain consent.
Art. 6 (1) sentence 1 lit. b GDPR is our legal basis where the processing of personal data is necessary for the performance of a contract — for example when a visitor buys a product or we provide a service. It also covers processing operations that are required for pre-contractual measures, such as enquiries about our products or services.
Art. 6 (1) sentence 1 lit. c GDPR applies where we process personal data in order to comply with a legal obligation, e.g. under tax law.
Art. 6 (1) sentence 1 lit. f GDPR is the legal basis where we can rely on legitimate interests, e.g. for cookies required for the technical operation of our website.
1.3. Data processing outside the EEA
Where we transfer data to service providers or other third parties outside the European Economic Area (EEA), the security of those transfers is ensured by adequacy decisions of the EU Commission pursuant to Art. 45 (3) GDPR, where available (e.g. for the United Kingdom, Canada or Israel).
For transfers to service providers in the United States, the legal basis is an adequacy decision of the EU Commission where the provider is additionally certified under the EU-US Data Privacy Framework.
In other cases, the legal basis is usually Standard Contractual Clauses pursuant to Art. 46 (2) lit. b GDPR. Many providers have also given additional contractual guarantees regarding encryption or obligations to notify data subjects in the event of government access requests.
1.4. Retention period
Unless expressly stated otherwise in this privacy policy, the data we store will be deleted as soon as it is no longer required for its purpose and no statutory retention periods apply. Where data is not deleted because it is required for other lawful purposes, its processing is restricted. This applies, for example, to data which we must retain under commercial or tax law.
1.5. Rights of data subjects
Data subjects have the following rights regarding their personal data:
- right of access,
- right to rectification or erasure,
- right to restriction of processing,
- right to object to processing,
- right to data portability,
- right to withdraw consent at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority. Contact details of German supervisory authorities are available at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
1.6. Obligation to provide data
Within the scope of a business relationship or other relationship, customers, interested parties or third parties only need to provide us with the personal data that is required to establish, perform and terminate the relationship, or which we are legally required to collect. Mandatory fields in our forms are marked as such.
1.7. No automated decision-making
We do not use fully automated decision-making within the meaning of Art. 22 GDPR.
1.8. Contacting us
If you contact us, e.g. by email or via one of our forms, the data you provide (e.g. name and email address) is stored in order to respond to your enquiry. The legal basis is our legitimate interest under Art. 6 (1) sentence 1 lit. f GDPR. We delete the data once storage is no longer required, or restrict the processing if statutory retention periods apply.
2. Newsletter
Interested parties can subscribe to a free newsletter. We process the data provided at registration solely for sending the newsletter. Registration takes place via the newsletter form on our website. The legal basis is the subscriber's consent (Art. 6 (1) sentence 1 lit. a GDPR). Consent may be withdrawn at any time, e.g. via the unsubscribe link at the end of each newsletter or via a message to the contact details above. Processing prior to withdrawal remains lawful.
For dispatch and management of the newsletter, including the associated contact data, we use Pipedrive (see section 3.7).
3. Data processing on our website
3.1. Notice for website visitors from Germany
Our website stores information on visitors' terminal equipment (e.g. cookies) and accesses information already stored on such equipment (e.g. IP addresses). The following sections describe in detail which information this involves.
Such storage and access are based on the following provisions:
Where storage or access is strictly necessary in order to provide a service expressly requested by the visitor, or to ensure the IT security of our website, it is based on § 25 (2) no. 2 of the German Telecommunications Digital Services Data Protection Act (TDDDG).
In all other cases, storage and access are based on the visitor's consent (§ 25 (1) TDDDG). Consent is obtained via our cookie banner and may be withdrawn at any time via the "Cookie settings" link in the footer.
Subsequent processing is governed by the GDPR provisions described in the following sections.
3.2. Informational use of the website
When visitors use our website for information purposes only — i.e. without submitting any data — we collect the personal data that the browser transmits to our server in order to ensure the stability and security of the website. This is our legitimate interest, so the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.
The data collected includes:
- IP address
- date and time of the request
- time zone difference to Greenwich Mean Time (GMT)
- content of the request (specific page)
- access status / HTTP status code
- amount of data transferred
- website from which the request originates
- browser
- operating system and its user interface
- language and version of the browser software
This data is also stored in log files. It is deleted once storage is no longer required, at the latest after 14 days.
3.3. Web hosting and provision of the website
Our website is hosted by Vercel. The provider is Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. The provider processes the personal data transmitted via the website (e.g. content, usage, meta/communication or contact data) in the United States. Content is served via Vercel's global edge network; we operate our region in Frankfurt am Main (eu-central-1).
The transfer of personal data to the United States is based on an adequacy decision of the EU Commission. Vercel Inc. is certified under the EU-US Data Privacy Framework. In addition, we have entered into a data processing agreement with Vercel pursuant to Art. 28 GDPR.
Providing a website is in our legitimate interest, so the legal basis for the processing described is Art. 6 (1) sentence 1 lit. f GDPR. Further information is available in the provider's privacy policy at https://vercel.com/legal/privacy-policy.
3.4. Contact and lead forms
We offer forms for truck-stop ("Autohof") enquiries and a newsletter form on our website. When you submit a form, we store the data provided (e.g. name, email address, phone number, company data, location details).
The legal basis for processing data submitted via the truck-stop lead form is Art. 6 (1) sentence 1 lit. b GDPR (pre-contractual measures). The legal basis for processing data submitted via the newsletter form is consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
The data is stored in Pipedrive (see 3.7) and forwarded to the responsible staff. If Pipedrive is temporarily unavailable, the lead data is delivered as a fallback email to an internal address. Dispatch is handled via our mailbox support@aparkado.de using Microsoft 365 (see 3.7).
To protect against spam and automated submissions we use a hidden honeypot field (no third-party captcha) and an IP-based rate limit (see "Upstash" in 3.7).
3.5. Job postings
We publish job postings on our website. Applications are submitted through the applicant management system of our provider Personio, to which our job postings link. No applicant data is processed on our own website; privacy notices for the application process are available on the linked career portal.
3.6. Technically necessary cookies and storage
Our website uses cookies and similar browser storage (e.g. localStorage). Cookies are small text files stored in the visitor's web browser. Where these cookies are required for the operation or functions of our website, the legal basis is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in providing a functioning website to our customers and visitors.
Specifically, we use technically necessary storage for the following purposes:
- storing the selected language and the light/dark colour mode
- storing the cookie consent (banner state, selected categories)
- protecting our forms against abusive use (rate limit)
3.7. Third-party services
3.7.1. Google Analytics 4
We use Google Analytics 4 to statistically analyse the use of our website. The provider for users in the EEA is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The provider processes usage data (e.g. pages visited, content interactions, access times) and meta/communication data (e.g. anonymised IP address, device information) in the United States.
The legal basis is the visitor's consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG. Processing only takes place once the visitor has agreed to the "Statistics" category in the cookie banner. Consent may be withdrawn at any time.
The transfer of personal data to the United States is based on an adequacy decision (EU-US Data Privacy Framework). Data is deleted once the purpose of its collection no longer applies. Further information is available at https://business.safety.google/privacy/.
3.7.2. Amplitude
We use Amplitude for statistical product and usage analytics. The provider is Amplitude Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103, USA. The provider processes usage data (e.g. pages visited, interactions, access times) and meta/communication data (e.g. anonymised IP address, device information) in the United States.
The legal basis is the visitor's consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG. Processing only takes place once the visitor has agreed to the "Marketing" category in the cookie banner. Consent may be withdrawn at any time.
The transfer of personal data to the United States is based on an adequacy decision (EU-US Data Privacy Framework). Amplitude Inc. is certified under the Data Privacy Framework. Data is deleted once the purpose of its collection no longer applies. Further information is available at https://amplitude.com/privacy.
3.7.3. YouTube (no-cookie mode)
We embed videos from YouTube on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube's "no-cookie" format (domain youtube-nocookie.com) and a "2-click" approach: before the visitor activates a video, only a static preview image is loaded; the YouTube iframe is only loaded after an active click on the play button. Before this click, no personal data is transmitted to YouTube.
By clicking on the video, the visitor consents to data processing by YouTube. The legal basis is Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG. The transfer to the United States is based on an adequacy decision (EU-US Data Privacy Framework). Further information is available at https://policies.google.com/privacy.
3.7.4. TikTok embed
We embed individual videos from TikTok on our website. The provider in the EEA is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
We also use a "2-click" approach here: before the visitor activates a video, only a static preview image is loaded; the TikTok embed script and the actual video are only loaded after an active click on the play button. Before this click, no personal data is transmitted to TikTok.
By clicking on the video, the visitor consents to data processing by TikTok. The legal basis is Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG. During playback TikTok may process personal data outside the EEA (in particular in the United States, the United Kingdom and Singapore); the legal basis for these transfers is Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. Further information is available at https://www.tiktok.com/legal/page/eea/privacy-policy/en.
3.7.5. Pipedrive (CRM and newsletter)
We use Pipedrive to manage interested-party and customer data and to send our newsletter. The provider is Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia. The provider processes content, usage, meta/communication and contact data within the EU.
Data submitted to us via our forms (e.g. name, email address, phone number, company name, address, content of the enquiry) is stored in Pipedrive as a person, an organisation (where applicable) and a lead, and processed by our staff.
The legal basis is, depending on purpose, Art. 6 (1) sentence 1 lit. b GDPR (pre-contractual measures / contract performance), Art. 6 (1) sentence 1 lit. a GDPR (consent to the newsletter) or Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in efficient handling of enquiries). We have entered into a data processing agreement with Pipedrive pursuant to Art. 28 GDPR. Further information is available at https://www.pipedrive.com/en/privacy.
3.7.6. Microsoft 365 (email service and lead fallback)
We use Microsoft 365 for sending and receiving our business emails and as a fallback in case of a technical outage of Pipedrive. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Content, meta/communication and contact data are mainly processed in the EU; a transfer to the United States cannot be ruled out.
The legal basis is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in reliable email communication. The transfer to the United States is based on an adequacy decision (EU-US Data Privacy Framework). Further information is available at https://privacy.microsoft.com/en-us/privacystatement.
3.7.7. Upstash (form rate limit)
We use Upstash Redis to protect our form endpoints against abusive bulk submissions (rate limit, 5 requests per 10 minutes per IP). The provider is Upstash Inc., 1390 Market Street, San Francisco, CA 94102, USA. The IP address of the requester is briefly processed in an EU region (eu-west-1, Ireland).
The legal basis is Art. 6 (1) sentence 1 lit. f GDPR. We have a legitimate interest in protecting our systems against automated attacks. Further information is available at https://upstash.com/trust/privacy.pdf.
3.7.8. Pipedrive Web Visitors (Leadfeeder)
We use Pipedrive Web Visitors (brand name "Leadfeeder", operated by Dealfront Group Oy) to identify companies that visit our website. The provider for the DACH region is Dealfront Germany GmbH, Erkrather Straße 401, 40231 Düsseldorf, Germany. The provider processes usage data (e.g. pages visited, time on page) and meta/communication data (in particular the IP address used to resolve the visiting organisation) within the EU.
The legal basis is the visitor's consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) TDDDG. Processing only takes place once the visitor has agreed to the "Marketing" category in the cookie banner. Consent may be withdrawn at any time.
Only companies are identified, not natural persons. The resulting company visits feed into our Pipedrive CRM (see 3.7.5) so we can make tailored offers to relevant B2B prospects. Further information is available at https://www.dealfront.com/legal/privacy-policy/.
4. Data processing on social media platforms
We maintain profiles on social networks to present our organisation and our services. The operators of these networks regularly process their users' data for advertising purposes. They may, for example, create user profiles from online behaviour in order to display advertising that matches users' interests. Further information, including how users can object to such processing, is available in the privacy policies of the respective providers linked below.
When users contact us through our profiles, we process the data provided in order to respond to the enquiry. This is our legitimate interest, so the legal basis is Art. 6 (1) sentence 1 lit. f GDPR.
4.1. Facebook
We maintain a profile on Facebook. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available at https://www.facebook.com/policy.php. Together with Facebook we are joint controllers within the meaning of Art. 26 GDPR for the processing of data of visitors to our profile; details of which data are processed are explained by Facebook at https://www.facebook.com/legal/terms/information_about_page_insights_data.
4.2. Instagram
We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available at https://help.instagram.com/519522125107875.
4.3. TikTok
We maintain a profile on TikTok. The operator in the EEA is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. The privacy policy is available at https://www.tiktok.com/legal/page/eea/privacy-policy/en.
4.4. YouTube
We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The privacy policy is available at https://policies.google.com/privacy.
4.5. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available at https://www.linkedin.com/legal/privacy-policy.
5. Changes to this privacy policy
We reserve the right to amend this privacy policy with effect for the future. The current version is always available here.
6. Questions and comments
For questions or comments regarding this privacy policy, please feel free to contact us using the contact details above.
