Residents of the State of California can find our CCPA Privacy Policy here
سياسة الخصوصية للبيانات
Name and Contact Information of the Controller and Group Data Privacy Officer
The joint controllers for the data processed on this website are:
-
Chrono24 GmbH
Haid-und-Neu-Strasse 18, 76131 Karlsruhe, Germany
and
-
MPN Marketplace Networks GmbH
Haid-und-Neu-Strasse 18, 76131 Karlsruhe, Germany
The companies (hereinafter "Chrono24") can be contacted at:
Chrono24's company data privacy officer can be contacted at the address provided above (Attn.: Data Privacy Department) or at .
Information About Processors and Third-Country Transfers
Chrono24 may use service providers to process personal data on our behalf (processors) for a number of processes.
Chrono24 has concluded data processing contracts in accordance with Article 28 of the General Data Protection Regulation of the European Union (hereinafter GDPR) with all processors specified in this Data Privacy Policy. These contracts ensure that the processors process the data on our behalf in accordance with the GDPR and that the rights of the data subject are protected.
When personal data are transferred to a third country (e.g., the USA) in connection with these data processing contracts, Chrono24 takes appropriate measures to ensure that a substantially equivalent level of data protection is provided.
Chrono24 has signed standard data protection clauses with all processors that are based in a third country. These clauses have been adopted by the European Commission and, in accordance with Article 46(2)(c) GDPR, constitute an appropriate safeguard to ensure the required level of data protection. In addition, we only commission service providers based in a third country that can demonstrate they can ensure a substantially equivalent level of protection for the personal data transferred by taking appropriate additional measures.
Collection and Storage of Personal Data and the Nature and Purpose of the Use Thereof
Visiting the Website
When you visit our website, the browser you are using on your device automatically sends information to our website server. This information is temporarily stored in a log file. The following information is automatically collected and automatically deleted after 20 weeks:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the accessed file
- Website from which the site was accessed (referrer URL)
- Session ID
- User agent
- Cookies / flash cookies
- Browser used, and if applicable, your operating system and access provider
We process the data listed above for the following purposes:
- To ensure that the connection to the website is established smoothly;
- To ensure that our website can be used with ease and to optimize our platform;
- To ensure and evaluate system security and stability;
- To detect and prevent attacks on our website;
- For other internal statistical and administrative purposes.
In general, we do not use the collected data to identify you as an individual. However, in the event of an attack on our network infrastructure, your IP address will be analyzed in order to assert or defend against legal claims.
The data processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. Our legitimate interests result from the aforementioned purposes for data collection.
We also use cookies and analytics services when you visit our website. For further details, see Sections 6. und 7. of this Data Privacy Policy.
Registering as a User on Our Platform
Buyers, private sellers, and professional dealers can create a Chrono24 account on our platform. In order to set up the account, the data specified under Sections 3.2.1., 3.2.2., 3.2.3., and 3.2.4. must be provided. These data are processed for the following purposes:
- To identify you as our contract partner;
- To establish, formulate, execute, and amend contractual relationships concerning the use of our platform and the services it offers;
- To assess the plausibility of the data provided;
- To contact you with any questions that arise;
- To assert any claims against you, as necessary.
The processing of the data specified under Sections 3.2.1., 3.2.2., 3.2.3., and 3.2.4. is carried out upon your request and is necessary for the purposes outlined above, i.e., for the use of the platform and thus for the performance of the contract as well as in order to take steps prior to entering into a contract, in accordance with Article 6(1)(b) GDPR.
In addition, you must provide your taxpayer ID number if you use our platform to sell items. The legal basis for collecting your taxpayer ID number is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is reporting obligations under tax law stipulated in the German Platform Transparency Act and thus the prevention of administrative offenses. If you are not a reportable seller within the meaning of the German Platform Transparency Act, your taxpayer ID number will be deleted upon expiry of the reporting period, unless you have consented to storage beyond this point in accordance with Article 6(1)(a) GDPR. For more information on the processing of your taxpayer ID number, see Section 4.1..
You may have the option of providing voluntary information, depending on the type of account you have. We process voluntarily provided information on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. This information is used to facilitate contact with you and ensure any questions that arise are answered quickly.
If you delete your account, your data are automatically deleted to prevent further use unless, in accordance with Article 6(1)(c) GDPR, these data must be stored for a longer period in line with retention and documentation obligations under tax and commercial law (stipulated by the German Commercial Code, German Criminal Code, or the Fiscal Code of Germany), or if you have consented to storage for a longer period in accordance with Article 6(1)(a) GDPR.
Chrono24 Account
The following data are required to register as a user (buyer) and set up an account:
- Valid email address
- Password of your choice
These data are used as your login information.
You also have the option of uploading a profile picture and voluntarily providing the following data:
- Your first and last name
- Your address (street, post code, city/town, country)
- Your phone number
- Your date of birth
- Your gender
- Your profession
- The languages you speak
Registering and Logging in With Apple/Google (Third Parties)
You can register for Chrono24 or log in to your Chrono24 account using a third-party provider. This means that you use your Apple or Google account as an authentication method to register for or log in to Chrono24.
If you decide to register or log in using a third-party provider, you will be taken to the respective interface from Apple or Google to enter your login information. Apple or Google will then indicate which data are transferred to us for authentication purposes as part of the registration or login process. These are:
- Your first and last name;
- Your profile picture, if available;
- Your email address (unless you have selected "Hide My Email" in your Apple account)
If we do not recognize your email address, you will be asked if you already have a Chrono24 account. If you already have a Chrono24 account, you have the option of linking it to your third-party login. If you do not have a Chrono24 account, you can create one using your third-party login.
The data processing is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in enabling you to use an additional, more convenient service.
The purpose and scope of the data collection as well as the further processing and use of your data by Apple or Google, including your rights and setting options in order to protect your privacy, can be found in Apple's privacy policy and Google's privacy policy.
Private Sellers
In order to create listings as a private seller, you will need a Chrono24 account (see Section 3.2.1.). To publish a listing on the platform, you must provide the following data:
- Your first and last name
- Your address (street, city/town, ZIP/post code, state, country)
- Your date of birth
- Your nationality
- Your taxpayer ID number
In order to sell items using the Escrow Service, you must first register for the Escrow Service as a private seller.
By registering, you are applying to open an escrow account with the payment service Mangopay from Mangopay S.A. (2 Avenue Amélie, L-1125 Luxembourg; hereinafter "Mangopay"). This account is then used to process your payouts from the Escrow Service.
In accordance with anti-money laundering and counter-terrorism financing laws, Mangopay is obligated to identify every seller on the basis of specified documents and other information.
For this reason, the following data and documents are required for registering for the Escrow Service and will be transferred to Mangopay:
- Last name, first name, email address, date of birth, nationality, and your country of residence.
- Information about the bank account to be used for payouts.
- A copy of a valid, government-issued ID:
- German identity card (front and reverse) for German nationals or passport for foreign residents in Germany and abroad.
- Within the EEA: Passport, national identity card, or driving license; residence permit for citizens of third-party countries.
- Outside the EEA: Passport; passport or driving license for US and Canadian citizens.
Dealers
The following data are required to register as a professional dealer:
- Your company name
- A contact person (first and last name)
- Your address (street, city/town, ZIP/post code, state, country)
- A phone number
- A valid email address
- A username of your choice
- A password of your choice
- Your taxpayer ID number(s)
- Your commercial registration number
The following information is optional:
- Fax number
- Cell phone number
- Website
To activate two-factor authentication for your dealer account, you will receive a text message after your account has been created. This involves transferring your phone number to the service provider Twilio Inc. (101 Spear Street, Ste 500, San Francisco, CA 94105, USA). Twilio Inc. conducts two-factor authentication using the phone number provided.
The legal basis for the processing of personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is the general improvement of the marketplace's security and thus optimization of the transaction process.
After registering as a professional dealer on Chrono24, it is possible that we will send you print mail to keep you up to date on the latest watch trends.
This involves transferring the following personal data to the corresponding service provider:
- Your first and last name
- Your address
The legal basis for the processing of personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is the implementation of direct marketing. This is a legally recognized legitimate interest under Recital 47 GDPR.
It is also possible to register as a professional dealer via the contact form displayed as an advertisement on LinkedIn. We receive dealer address data for acquiring new customers by purchasing data and carrying out relevant research online. We use the data we receive to contact you about registering as a professional dealer on Chrono24. The contact form and customer acquisition processes require the following personal data to be processed:
- Your first and last name
- Your email address
- Your business phone number
The legal basis for the processing of personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is the purpose of the communication mentioned above.
When in contact, the data you provide us will be stored in Salesforce, the CRM solution from Salesforce.com, Inc. (415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA).
Complying With US Statutory Tax Requirements (Sales Tax)
In order to comply with US statutory tax requirements, we use AvaTax, a cloud-based solution from our processor Avalara, Inc. (255 South King Street Suite 1800 Seattle, WA 98104, USA). AvaTax automates the determination of sales tax rates and the complex calculation of US sales tax. For this purpose, the following personal data belonging to dealers (see Section 3.2.4.) based in the USA will be processed:
- Delivery and billing address
The purpose of data collection is to determine the regional tax regulations we are subject to. In the US, these differ not only at state level but, to some extent, also from county to county. It is therefore essential for us to know exactly where a dealer is located in the USA in order to determine the correct sales tax rate using AvaTax.
The legal basis for the processing of your personal data is Article 6(1)(c) and (f) GDPR, as the processing is necessary for the fulfillment of our legal obligation under US tax laws. In addition, as an international marketplace, we have a legitimate interest in observing the legislation in the markets in which we operate. Only the personal data of dealers in the USA who are subject to US tax laws are processed.
Using Our Platform-Internal Messenger
Registered users are able to use the platform-internal messenger to communicate with us and with dealers, buyers, and private sellers. Registration is required to use the platform-internal messenger (see Section 3.2.).
Communication via the platform-internal messenger always takes place between you, the person you are contacting, and Chrono24. Chrono24 is an active participant in the communication and a moderator thereof. When using the platform-internal messenger, we will automatically and manually scan the messages you send. The purposes of doing so are to:
- Prevent fraud;
- Detect any illegal activities and violations of our general terms and conditions;
- Improve communication and customer support.
The data processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. The processing of data for the purposes specified above is considered a recognized legitimate interest under the GDPR.
You can manage the messages you have sent and received independently, or submit a request for us to delete them. In the event of attempted fraud, illegal activity, or a violation of our general terms and conditions, we may continue to store any relevant messages on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR for use as evidence and for establishing, exercising, and defending our legal claims, even if you have submitted a deletion request.
Automatically Creating a Customer Profile
We create a customer profile for your Chrono24 account in order for you to use our platform as a registered user/dealer. We categorize your customer profile and supplement it with additional data so that you only receive information likely to be of interest to you. To do so, we use the following data:
- Your personal information (e.g., your basic profile information);
- The length of your membership;
- Statistical information (e.g., the type, frequency, and intensity of your use of the website);
- The history of the listings, brands, and sellers you've visited.
We process the data listed above for the following purposes:
- For statistical evaluation;
- For market research;
- To ensure that the platform functions properly and that it is user-oriented;
- To personalize our services;
- To show advertising to you which is exclusively targeted to your actual or assumed needs and thus eliminate irrelevant advertising.
The data processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. The processing of data for the purposes specified above is considered a recognized legitimate interest under the GDPR.
We may only create a full profile for you if you have given us your consent for the use of Chrono24's personalization cookies in accordance with Article 6(1)(a) GDPR (further information about cookies is provided under Section 6.). You can manage your cookies .
If you object to the creation of a customer profile and the evaluation and personalization of our services and advertising, processing will be stopped, and your customer profile will be immediately deleted. You can file this objection at any time via this link.
You may also file your objection at any time by sending an email to .
Using the Escrow Service
A Chrono24 account is required to initiate and conclude sales contracts with dealers / private sellers using our Escrow Service (see Section 3.2.1.). The following data are also required:
- Your first and last name
- Your address (street, city/town, ZIP/post code, state, country)
- Your phone number
We process the data listed above for the following purposes:
- To check and identify who the dealer / private seller's contract partner is;
- To support the establishment, formulation, and execution of sales contracts;
- To contact you if any questions arise.
If you request a purchase offer from a dealer / private seller or conclude a purchase contract with the dealer / private seller, we also transfer your personal data to the dealer / private seller for the purposes stated above.
The processing of the data specified is carried out upon your request and is necessary for the purposes outlined above, i.e., for the use of the platform and thus for the performance of the contract as well as in order to take steps prior to entering into a contract, in accordance with Article 6(1)(b) GDPR.
Paying Through Chrono24 Via Credit Card or Wire Transfer
Upon concluding a sales contract, you can pay for the item via credit card or wire transfer. In order to facilitate the general processing of these payment methods and prevent fraud, payments are processed by the service provider Mangopay (10 Boulevard Royal, L-2449, Luxembourg). This involves transferring the following personal data to Mangopay:
- Your first and last name
- Your address
- Your bank account details or credit card information
The data processing is carried out on the basis of Article 6(1)(b) GDPR since the data are necessary for the performance of the sales contract.
You can find more information in Mangopay's data privacy policy .
If you choose to pay by credit card, you can also have this payment processed by the service provider Checkout SAS (37-39 Rue de Surène, 75008 Paris, France). The following personal data will be transmitted to Checkout SAS:
- Your first and last name
- Your email address
- Your billing address
- Your shipping address (if different from billing address)
The data processing is also carried out on the basis of Article 6(1)(b) GDPR since the data are necessary for the performance of the sales contract.
You can review Checkout SAS's privacy policy here .
If you want to pay by credit card, you can also use the "Apple Pay" service from Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA; hereinafter "Apple"), provided you've already saved your credit card information with Apple Pay.
Credit card payments will continue to be processed by the payment service provider Checkout SAS (see above). In these cases, Apple Pay serves as an additional authentication method for Checkout SAS, thus helping to prevent fraud.
There is no further processing of personal data by Chrono24 when paying with Apple Pay.
You can find more information on Apple Pay's security and privacy overview page.
Registering for Our Newsletter
We use your email address to regularly send you our personalized newsletter, provided you have expressly consented thereto in accordance with Article 6(1)(a) GDPR. You only need to provide us with your email address to receive the newsletter.
In order to personalize the newsletter content, a customer profile for you may be created using the following personal data:
- Your first and last name
- Your gender
- Your home country
In addition, personal aspects from previous orders such as product affinities, interests, purchasing decisions, preferred shopping time, etc., are processed automatically and analyzed so that we can show you relevant listings. Profiling can also take place without your consent on the basis of our legitimate interests (see Section 3.5.) by virtue of Article 6(1)(f) GDPR.
Under certain circumstances, we also use your email address without your express consent to send you information about similar products from our company, provided you are a return customer and have not objected to the use of your email address. For the purposes of advertising to return customers, the processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. The processing of your email address for the purpose of direct marketing is thereby considered a legally recognized legitimate interest under the GDPR.
You can unsubscribe from both of these services at any time. To do so, you can click the unsubscribe link at the bottom of any newsletter or send your intention to unsubscribe via email to .
We use the Mailchimp tool from The Rocket Science Group LLC d/b/a Mailchimp (675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308, USA) to send our newsletter.
You can find more information about data processing by this processor at https://mailchimp.com/legal/privacy/.
If you have given us your consent under Article 6(1)(a) GDPR, we will transfer your email address to our partners, Chrono24 Direct GmbH (Sachsenallee 24, 01723 Kesselsdorf, Germany) and Fratello Watches B.V. (Het Kleine Loo 284, 2592CK The Hague, The Netherlands). Our partners will use your email address to regularly send you personalized newsletters with offers, deals, and the latest releases. You only need to provide us with your email address to receive the newsletter.
You can unsubscribe at any time. To do so, you can click the unsubscribe link at the bottom of any newsletter or send your intention to unsubscribe via email to .
Using Our Contact Form
You can use a form on our website to contact us with questions or contact a dealer / private seller. If you wish to address your question to a dealer / private seller, we will forward your contact request to them. The following data are required to use the contact form:
- Valid email address
- Your question/message
We process the data listed above for the following purposes:
- To identify you;
- To answer your question;
- To forward your question to the relevant dealer / private seller, as needed.
In addition, you can voluntarily provide your name and phone number for a quicker response time.
When you use our contact form, we may scan and analyze your message. This is carried out for the purposes of preventing fraud, detecting illegal activity, detecting violations against our general platform terms and conditions, and improving communication and customer support in general.
The data processing is carried out upon your request and is necessary for the purposes outlined above, i.e., for the performance of the contract as well as in order to take steps prior to entering into a contract, in accordance with Article 6(1)(b) GDPR. In addition, data processing with regard to the contact request is based on our legitimate interests in accordance with Article 6(1)(f) GDPR. These also result from the aforementioned purposes.
The personal data required to use the contact form are automatically deleted once your request has been processed.
Contact With a Private Client Advisor
Listings for watches that exceed a certain value offer a form for establishing contact with a private client advisor.
The following data are required to contact a private client advisor:
- Your name
- Your title
- Subject of your message
- Your message
Depending on how you would like the private client advisor to contact you, you will have to provide your email address and/or phone number.
When you use our contact form, we may scan and analyze your message. This is carried out for the purposes of preventing fraud, detecting illegal activity, detecting violations against our general platform terms and conditions, and improving communication and customer support in general.
The data processing is carried out upon your request and is necessary for the purposes outlined above, i.e., for the performance of the contract as well as in order to take steps prior to entering into a contract, in accordance with Article 6(1)(b) GDPR. In addition, data processing with regard to the contact request is based on our legitimate interests in accordance with Article 6(1)(f) GDPR. These also result from the aforementioned purposes.
The data you provide are transferred to an interface within the HubSpot software from our processor, HubSpot Ireland Ltd. (1 Sir John Rogerson's Quay, Dublin 2, Ireland).
If you already have a Chrono24 account at the time contact is established, the data in HubSpot will be supplemented with further data from our database.
The private client advisor will have access to the following information in order to provide you with the best possible service:
- Information about your use of the Chrono24 marketplace and the features it offers (e.g., the Notepad, saved searches, and the Watch Collection) to help you find watches and provide you with suitable offers;
- Information about pending requests and ongoing purchasing processes to proactively help you use our platform;
- Previous communication with Chrono24 in order to give due consideration to topics already discussed.
The processing of personal data in the context of the private client advisor service is carried out in accordance with Article 6(1)(f) GDPR. Our legitimate interest is the purposes specified above.
Shipping Packages
In order for you to track your order electronically from the time it is shipped, private sellers are asked to provide us with the relevant delivery service and tracking number. Dealers are required to provide the relevant tracking number. Using this information, our service provider, AfterShip Ltd. (One Midtown 38/f Hoi Shing Road Tsuen Wan Unit 2 No. 11, Hong Kong), provides a method to track the delivery status. This involves the processing of the following data:
- Your shipping or delivery address
- Other shipping information
- Order data
- Data about the shipment status
These data are processed on the basis of Article 6(1)(b) GDPR since they are necessary for the performance of the contract for the use of the platform or for the performance of the sales contract.
Leaving a Comment in Our Magazine
You may leave comments on articles published in our magazine. In order to publish your comment, your IP address is processed. You must also provide the following data in addition to your comment:
- Your name
- a valid e-mail address
- the comment.
Commenting on articles is voluntary. We use your personal data to publish your comment and to give other users the opportunity to respond to it. We require your email address in order to be able to contact you and to pursue any legal violations. Your IP address is also required to pursue any legal violations.
The data processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR to offer you the opportunity to comment on articles in our magazine and to interact with us and other users.
To post comments on articles in our magazine, we use the Wordpress plug-in wpDiscuz from the service provider gVectors Team.
You can find more information about wpDiscuz at https://wpdiscuz.com/docs/wpdiscuz-7/privacy-and-gdpr/.
Submitting Customer Reviews on Trustpilot and sitejabber
Your opinion about our products and our service is important to us. We therefore offer you the possibility to review our platform using www.trustpilot.com from our processor Trustpilot A/S (Pilestræde 58, 3rd floor, 1112 Copenhagen K, Denmark; hereinafter "Trustpilot"). If you submit a review, it will be published on our website and on the Trustpilot website. We reserve the right to delete or decide not to publish the review.
Once your purchase is complete, you will receive an email from us asking you to review our platform and our services. The email will contain a "Business Generated Link" from Trustpilot, which you can use to access Trustpilot and review your order. The "Business Generated Link" contains the following personal data:
- Your first and last name
- Your home country
- Your email address
- The transaction number
When you click the link, your personal information will be transferred to Trustpilot, so we can match your review to your purchase and confirm that the review is legitimate.
Reviews submitted directly to Trustpilot can also be published on our website, provided that we are able to confirm the review's legitimacy.
The data processing involved in facilitating customer reviews via Trustpilot takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. By doing so, we want to ensure the user-oriented design and optimization of our website.
For more details on the purpose and scope of data processing by Trustpilot, please refer to Trustpilot's privacy policy.
If you have a billing address in the United States, you will be invited to review our platform on www.sitejabber.com , a service provided by our processor GGL Projects, Inc. (1528 South El Camino Real, Suite 110, San Mateo, CA 94402, USA; hereinafter "sitejabber"). Any review you leave will be published on sitejabber's website.
Once your purchase is complete, you will receive an email from us asking you to review our platform and our services. The email will contain a review request from sitejabber, which you can use to access sitejabber and review your transaction. The review request contains the following personal data:
- Your first and last name
- Your email address
- The transaction number and transaction date
When you click the link, your personal information will be transferred to sitejabber, so we can match your review to your purchase and confirm that the review is legitimate.
For more details on the purpose and scope of data processing by sitejabber, please refer to sitejabber's privacy policy .
Using the Watch Collection
You have the option of maintaining and managing your watch collection online in your personal Watch Collection by adding watches, entering details, and uploading pictures of your own watches. You can view and manage your Watch Collection from home or on the go, keep an eye on watches you're interested in, and quickly and easily get an estimation of a watch's value.
This involves the collection of the following data:
- The watch's reference number, brand, model, condition
- Whether you own the watch
You can also specify the purchase price, time and place of purchase, and upload a picture of your watch. This information is provided voluntarily.
We process the data listed above for the following purposes:
- To document and assess the value of your personal collection;
- To register your interest in individual watches you do not yet own;
- To perform a statistical evaluation about your watches;
- To expand our product catalog to include watches previously unknown to us.
The data we collect is person-related rather than personal. Person-related data are data with no direct reference to a person, but from which a person's identity can still be derived. We thus also require a legal basis for processing person-related data.
The data processing takes place on the basis of Article 6(1)(b) GDPR and our legitimate interest under Article 6(1)(f) GDPR.
Our legitimate interest lies in using the Watch Collection as a source of information to deepen our understanding of the current market situation through statistical data evaluation and to optimize our services in a user-oriented manner.
If you have provided us with your express consent in accordance with Article 6(1)(a) GDPR, the data listed above will also be used to purchase and sell the watches in your Watch Collection.
Purchase and Sale of Watches and Consignment in Cooperation With Our Partner Companies
If you've decided to sell your watch directly to Chrono24 or in consignment, and have given your express consent in accordance with Article 6(1)(a) GDPR, we will contact you via email and issue a purchase offer in cooperation with Chrono24 Direct GmbH and Xupes Watches Ltd. For this purpose, the following personal information must be transferred to Chrono24 Direct GmbH and Xupes Watches Ltd.:
- Your first and last name
- Your email address
- Any message you have left
- Information about the watch for sale (brand, model, reference number)
- Your phone number
The processing of your data for the purpose of transferring them to Chrono24 Direct GmbH and Xupes Watches Ltd. only takes place after you have given your express consent in accordance with Article 6(1)(a) GDPR.
In addition, we offer you the possibility to buy watches in cooperation with our partner companies Chrono24 Direct GmbH and Xupes Watches Ltd. This involves the following data being transferred to the two companies:
- Your first and last name
- Your address
- Your message to the dealer
The data specified above are collected in order to sell you a watch and ship it to your address.
In cooperation with Chrono24 Direct GmbH, we also offer advice in all matters relating to direct sales. In order to provide you with professional support and process your request as quickly as possible, the following personal information are transferred to Chrono24 Direct GmbH:
- Your first and last name
- Your phone number
- Your request
The processing of the data listed above is carried out upon your request and is necessary to ensure that the sales process runs smoothly, and thus necessary for the performance of the contract and in order to take steps prior to entering into a contract in accordance with Article 6(1)(b) GDPR.
Collection of Personal Data From Third Parties
On rare occasions, users may communicate to us personal data from third parties (e.g., authorized representatives, contact persons, other account holders). In such instances, users are required to provide information only to the extent that the third-party data subject is aware of. In particular, this awareness on the part of the third-party data subject includes information about us as the data controller, as well as the disclosed data and the purpose of said disclosure.
In all other respects, this data privacy information applies to third-party data subjects, to the extent that said information is not only relevant for contractual partners. This includes, in particular, information about us as the data controller and our data privacy officer, as well as information about the rights of data subjects. If we, as an exception, receive contact data for a third-party data subject, we will inform the data subject directly. However, we do not typically request contact data from third parties. We will only use the third-party information for the intended purpose (e.g., necessary contact and payment processing using the account details provided).
Data belonging to third-party data subjects will be deleted at the latest upon the deletion of the data pertaining to the stated person, or if this person amends or deletes the data concerned.
The processing of the data of third-party data subjects takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR in providing our contractual partners the opportunity to justifiably involve third parties.
Participation in User Studies
You will be offered the opportunity to participate in user studies on the platform. The purpose of these voluntary user studies is to gather targeted insights into user behavior, needs, and motivations. This helps optimize Chrono24's platform, apps, products, and processes.
Depending on which user study you participate in, we will use either SurveyMonkey or Hotjar as the survey provider.
When you participate in a user study using SurveyMonkey from our processor Momentive, Inc. (One Curiosity Way, San Mateo, CA 94403, USA), the following personal data are transferred to it:
- Date and time of participation and submission of the form
- Groupings of personal data, such as your age group (e.g., 19-29)
- Your IP address
These data are processed in accordance with Article 6(1)(a) GDPR provided you have given your consent.
If you decide to participate in a user study, you may be forwarded to a screening questionnaire created with Hotjar, a tool from our processor Hotjar Ltd. (Level 2, St. Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta). This questionnaire checks whether you are a good match for the study. This involves the processing of the following data:
- Your name
- Your email address
- Your phone number
These data are processed in accordance with Article 6(1)(a) GDPR provided you have given your consent.
Furthermore, in the questionnaire, you will be asked which additional processing of your personal data you consent to as part of the user study. With your consent, the following processing occurs on the basis of Article 6(1)(a) GDPR:
- Recording of the conversation
- Sharing and recording of your screen
The recording facilitates the internal evaluation of the study and is deleted upon the study's completion. It takes place using the video and telecommunication software Zoom. Zoom is a service provided by Zoom Video Communications, Inc. (55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA).
We have implemented additional security measures by changing our Zoom configurations so that all online meetings are only processed by data centers in the European Union, European Economic Area, or secure third countries like Canada or Japan.
After-Sales Calls
To improve the lead time of after-sales calls, we commission a call center. If you potentially initiated a purchase on the platform, your data will be forwarded to a call center so that you can be called to confirm whether a sale took place. This involves forwarding the following personal data to the call center:
- Your first and last name
- Your phone number
The legal basis for the processing of the personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is improving the lead time of after-sales calls and thus improving the customer experience.
We use the services of our processor Termitel GmbH (Zehntwiesenstr. 37, 76275 Ettlingen, Germany) to conduct after-sales calls.
Translation of User-Generated Content
In order to translate dealer reviews, messages sent via the Chrono24 Messenger, listings, and listing descriptions, we use the Google Translate API from our processor Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). We also use the DeepL Translate API from our processor DeepL SE (Maarweg 165, 50825 Cologne, Germany) to translate listing descriptions.
Personal data may be transferred depending on the content that is translated.
The legal basis for the processing of personal data is Article 6(1)(f) GDPR. Our legitimate interest lies in the purposes outlined above and the associated user-oriented design of the website, in particular the removal of language barriers for communicating user-generated content.
Recording of Calls
For quality assurance and training purposes, and with your consent, we record incoming calls. The following personal data are processed for this purpose:
- Audio data
- Content of the conversation
Data are only processed by the employees involved in the call and their supervisor. Third parties do not have access to your personal data.
These data are processed in accordance with Article 6(1)(a) GDPR provided you have given us your express consent.
Call recordings are only stored for 90 days and deleted thereafter.
Contact With Our Support Team
If you reach out to our support team by phone or email, they will use the omnichannel tool Sprinklr, provided by our partner Sprinklr, Inc. (29 West 35th Street, New York, NY 10001, USA; hereinafter "Sprinklr"), to manage your contact information.
The following personal data will be processed:
- Your first and last name
- Your address
- Your request
Depending on whether you contact us by phone or email, your email address or phone number will also be processed using our omnichannel tool.
Your personal data is processed at your request and is necessary according to Article 6(1)(b) GDPR. Our use of the omnichannel tool Sprinklr to improve customer management is our legitimate interest under Article 6(1)(f) GDPR.
If you give your effective consent pursuant to Article 6(1)(a) at the beginning of a telephone call, the call will also be recorded. The recording will be used exclusively for training purposes and transcribed to ensure that your request can be fully processed. The recording will be deleted after three months.
We also use Sprinklr AI, the artificial intelligence (hereinafter "AI") from Sprinklr, Inc., to summarize the content of emails and transcripts requiring consent and to help our team communicate with you and process your requests. Any and all personal data is anonymized before the content of emails and transcripts is transmitted to and processed by the AI. It is important to note that complete anonymization cannot be guaranteed; however, we have contractually agreed with Sprinklr that the transmitted content will not be used for AI training purposes. This means that processing can be carried out for the stated purposes, while transfer of personal data is kept to a minimum.
The processing of your personal data using AI is carried out according to Article 6(1)(f) GDPR. The legitimate interest required by this provision derives from the aforementioned purposes.
Data Processing for Our Certification Service
When you or your contract partner use our Certification Service, we transfer personal data to Chrono24 Direct GmbH (Sachsenallee 24, 01723 Kesselsdorf, Germany). Chrono24 Direct GmbH is our partner company that oversees the certification of watches, among other things. Regardless of whether you or your contract partner uses our Certification Service, the following personal data are transferred to Chrono24 Direct GmbH:
- Your first and last name
- Your email address
Chrono24 Direct GmbH needs this information for the certification process in order to identify you and send you information via email.
If you use our Certification Service, we also transmit your shipping address to Chrono24 Direct GmbH, so that they can ship the watch directly to you following successful certification. In such instances, the processing of your personal data takes place on your request and is required for the performance of the contract and in order to take steps prior to entering into a contract in accordance with Article 6(1)(b) GDPR.
If your contract partner makes use of our service, the processing of personal data is based on our legitimate interests in accordance with Article 6(1)(f) GDPR. Our legitimate interest results from legal requirements pertaining to fraud prevention and thus the general increase in the security of the marketplace.
We have signed a data processing contract with Chrono24 Direct GmbH in accordance with Article 28 GDPR. As part of the contract, Chrono24 Direct GmbH ensures that it processes data on our behalf in compliance with the GDPR, and guarantees that it protects the rights and freedoms of the data subject.
Creating Invoices and Trusted Checkout Certificates
When you buy a watch on our platform, we usually provide you with an invoice and a Trusted Checkout certificate in PDF format. These PDF files are created using a server provided by our processor, Amazon Web Services EMEA Sarl (38 Avenue John F. Kennedy, L-1855, Luxembourg; hereinafter "AWS"). To do this, we encrypt the required data and send it to AWS, which then generates the PDF files on the server. These PDF files are then encrypted and sent to us.
Depending on the PDF file created for you, the following personal information may be processed by AWS:
- Your first and last name,
- Your delivery address,
- Your billing address,
- Your telephone number, and
- Your e-mail address.
The processing of your personal data is necessary for the performance of the contract between you and your contractual partner (in this case, the buyer or seller of the watch involved in the transaction), in accordance with Article 6(1)(b) of the GDPR.
In order to comply with the formal requirements for document retention under German law (Section 147 of the German Fiscal Code), invoices are deleted 10 years after they are issued. Trusted Checkout certificates are deleted 6 months after they are issued.
Disclosure of Data
We only disclose your personal data to third parties when:
- You have provided your express consent in accordance with Article 6(1)(a) GDPR;
- Disclosure is necessary for compliance with a legal obligation in accordance with Article 6(1)(c) GDPR;
- Disclosure is necessary for the establishment, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest that precludes disclosure of your data in accordance with Article 6(1)(f) GDPR.
Disclosure Within the Context of Tax Reporting Obligations
Under the German Act Implementing EU Directive 2021/514 on Administrative Cooperation in the Field of Taxation and the Modernization of Procedural Tax Law (hereinafter "DAC7"), we, as a platform operator, are obligated to process information about persons and companies that perform certain paid activities using our platform. For the purposes of taxation, these details must be reported annually to the German Federal Central Tax Office, together with information about the nature and scope of these activities. The German Federal Central Tax Office subsequently forwards the data reported by us to the responsible tax authorities in Germany or their counterparts in other EU member states.
Accordingly, the following personal data will be transferred to the German Federal Central Tax Office on an annual basis, provided that you are a reportable seller:
- Your first and last name
- Your address
- Your taxpayer ID number(s)
- Your date of birth
- Your VAT ID number (if applicable)
If you are registered as a professional dealer, we, as a platform operator, are also obligated by the DAC7 to transfer the following information to the German Federal Central Tax Office on an annual basis, provided that you are a reportable seller:
- Your company name
- Your address
- Your taxpayer ID number(s)
- Your VAT ID number
- Your commercial registration number
Once you sell a watch on Chrono24, you are considered a reportable seller.
The legal basis for the transfer of your personal data to the German Federal Central Tax Office is Article 6(1)(c) GDPR, as we, as a platform operator, are obligated to do so under Section 13 DAC7.
We are also obligated to transfer the following data to the German Federal Central Tax Office:
- Your bank account number;
- Any additional information that serves to identify the account holder;
- Every EU member state in which you are considered a resident;
- Any fees, commission, or taxes charged or withheld by us during the reporting period, broken down quarterly;
- The total remuneration paid or credited during the reporting period;
- The number of relevant activities for which remuneration was paid or credited during the reporting period.
In the course of transferring the information described above to the German Federal Central Tax Office, you may continue to assert your rights as a data subject under Section 12. of our Data Privacy Policy.
Disclosure as Joint Controllers for Processing Personal Data
As a platform operator, we jointly determine the purposes and means of certain processing operations with other data controllers, such that we act as joint controllers within the meaning of Article 26 GDPR.
Chrono24 and Our Partner Companies as Joint Controllers
Chrono24 and our partner companies (hereinafter "parties" or "we") work closely together in many areas due to our organizational structure. We use uniform IT systems across our businesses and operate joint databases in which customer data from both parties are processed.
In doing so, we process the personal data of dealers and users of the online platforms of Chrono24 as joint controllers within the meaning of Article 26 GDPR. As we act as joint controllers, we have concluded corresponding agreements about this joint responsibility with regard to the personal data concerned.
Chrono24 is responsible for processing personal data as far as this relates to the provision of IT systems and internal databases in relation to customers.
Both parties are responsible for entering data into the internal databases and maintaining the records of personal data of both registered and unregistered platform users, as well as personal data of registered dealers.
Within the scope of the joint responsibility, we have also determined which party fulfills the specific obligations laid down in the GDPR. This relates in particular to the rights of the data subjects and the fulfillment of the information obligations in accordance with Articles 13 and 14 GDPR.
Both parties have agreed that Chrono24 shall publish on its platforms the information required in accordance with Articles 13 and 14 GDPR concerning data processing regulated as joint controllers and the essential content of the processing conditions.
Both parties shall also inform each other of data protection rights asserted by users as data subjects. They shall provide each other with all the information necessary to respond to requests for access.
Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 undertakes to comply with the rights of data subjects to access, rectify, erasure, and restrict their personal data upon request.
Chrono24 and Professional Dealers as Joint Controllers
We and our contractual partner (hereinafter the "dealer") work together contractually in connection with the online marketplace for watches. Chrono24 operates the online platform on which the respective dealer can sell and buy watches.
In doing so, Chrono24 and the respective dealer process the personal data of users of the platform as joint controllers within the meaning of Article 26 GDPR. As we act as joint controllers, we have concluded a corresponding agreement about this joint responsibility with regard to the personal data concerned.
Under this agreement, Chrono24 is responsible for processing personal data, as far as this concerns the techniques for analyzing user behavior on the website, the statistical evaluation and provision of statistical data to the dealer, and the transfer of customer contact data for the purpose of order processing/shipping. The respective dealer, on the other hand, is responsible for processing personal data, insofar as this concerns the parameterization of statistical data via the drop-down function and the receipt and use of contact data for shipping the item that was purchased.
Within the scope of the joint responsibility established between Chrono24 and the respective dealer, we have also determined which party fulfills the specific obligations laid down in the GDPR. This relates in particular to the rights of the data subjects and the fulfillment of the information obligations in accordance with Articles 13 and 14 GDPR.
Both parties have agreed that Chrono24 publishes on its platform the information required in accordance with Articles 13 and 14 GDPR concerning data processing regulated as joint controllers, as well as the essential content of the processing conditions.
Both parties shall also communicate to each other any data protection rights asserted by users as data subjects. They shall provide each other with all the information necessary to respond to requests for access.
Data protection rights can be asserted against Chrono24 as well as against the respective dealer. Chrono24 undertakes to comply with the obligation in accordance with Article 15 GDPR to guarantee the right of access by the data subject and to provide the data subject with access, as laid down in the same article, upon their request.
Mangopay and Chrono24 as Joint Controllers for 1099-K Reporting to the IRS
We have concluded a contract with Mangopay S.A. (2 Avenue Amélie, L-1125 Luxembourg; hereinafter "Mangopay") to carry out reporting related to Form 1099-K as required by the IRS. Accordingly, sellers in the USA who generate transactions of $600 or more in one calendar year must file a Form 1099-K with the IRS. Mangopay, as a payment service provider, is obligated to report to the IRS sellers in the USA who are required to file such forms. To this end, as a platform operator, we ask sellers in the USA to provide the required taxpayer identification numbers as part of the registration process. We then transfer these taxpayer identification numbers to Mangopay in order to ensure that both Mangopay and Chrono24 can fully comply with their legal obligations to the IRS.
If you are a seller located in the USA, we will process your taxpayer identification number with Mangopay as joint controllers on the basis of Article 26 GDPR. We have entered into a corresponding agreement for this joint responsibility with regard to the personal data concerned.
Chrono24 is responsible for collecting the taxpayer identification numbers required for 1099-K reporting to the IRS. Mangopay is responsible for carrying out the reporting.
Within the scope of the joint responsibility established and as part of our agreement with Mangopay, we have also determined which party fulfills the specific obligations laid down in the GDPR. This relates in particular to the rights of the data subjects and the fulfillment of the information obligations in accordance with Articles 13 and 14 GDPR.
Mangopay and Chrono24 shall communicate to each other any data protection rights asserted by users as data subjects. Both parties shall provide each other with all data necessary to respond to requests for access.
You may assert your rights as a data subject under Section 12. of this Data Privacy Policy with Chrono24 as well as with Mangopay. We undertake to comply with the rights of data subjects to access, rectify, erasure, and restrict their personal data upon request, provided that there are no other precluding legal provisions.
Visibility of Your Data for Third Parties
As a User and Private Seller
Personal data stored in your Chrono24 account (see Sections 3.2.1. and 3.2.3.) cannot be viewed by third parties unless you have published listings on the platform. When you publish a listing on the platform as a private seller, registered and unregistered users will only be able to see your seller information on the platform, provided you have expressly given your consent to the publishing thereof in accordance with Article 6(1)(a) GDPR.
As a Dealer
If you are registered as a dealer and publish listings on the platform, registered and unregistered users can view your seller information (see Section 3.2.4.). You can restrict the visibility of your data so that your address is not displayed when you register for an account and at any time thereafter in your profile settings.
The publication of seller information is required to fulfill and execute the contract between Chrono24 and the dealer for the use of the platform in accordance with Article 6(1)(b) GDPR.
Cookies and Pixels
We use cookies and pixels on our website (hereinafter also collectively referred to as "scripts") to statistically record the use of our website and to evaluate such use to optimize our offerings for your benefit (see Section 7.). These scripts allow us to automatically recognize that you are a returning visitor. The scripts used on our website are divided into two categories: those that are technically necessary and those that are not technically necessary.
Insofar as personal data are also processed for technically necessary cookies, this processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. Our legitimate interest required by this clause is to operate our website without disruptions. Scripts that are not technically necessary will only be activated after you provide your express consent. For more detailed information on the specific scrips in question, see Section 7..
Cookies
Cookies are small files that your browser automatically creates and saves on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not harm your device and do not contain any viruses, Trojans, or other malicious software.
The cookie stores information related to the specific device being used. This does not mean that we have direct knowledge of your identity.
Among other things, cookies make it easier for you to use our services. We use session cookies, for example, to recognize that you have already visited individual pages of our website or have already logged into your Chrono24 account. These are automatically deleted after you leave our site.
We also use temporary cookies, which are saved on your device for a specified time, to optimize user-friendliness. If you return to our site to use our services, we automatically recognize that you have visited the site before and which entries and settings you have made, so that you do not have to enter them again.
Most browsers accept cookies automatically. However, you can configure your browser to reject cookies or to notify you before a new cookie is saved. However, if you completely disable all cookies, you may not be able to use all the features of our site.
List of Cookies
Pixels
Pixels, also known as tracking pixels, are small 1×1 pixel GIF files that can be stored in graphics or emails, e.g., when you visit a website. Pixels do not harm your device and do not contain any viruses, Trojans, or other malicious software.
The pixels send your IP address, the referrer URL of the website you visited, the time at which the pixel was viewed, the browser used, and previously saved cookie information to a web server. This allows us to measure reach and other statistical analyses to optimize our platform and offerings.
Most browsers accept pixels automatically. You can prevent the use of pixels on our sites by using appropriate tools or browser add-ons (e.g., the "AdBlock" add-on for Firefox).
Essential Technologies
To ensure the operation of our platform and the performance of our website and app, and thus our ability to provide you with the services described in our General Terms and Conditions, it is necessary for us to use certain technologies in accordance with Art. 25(2)(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG). Insofar as personal data is processed in this context, this processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. The following essential cookies are used when you visit the website and the app:
Chrono24
When you visit our website or use our app, we use cookies that are necessary to provide you with all the features of our online platform. The data collected by these cookies are used for various purposes, including the following:
- To ensure that you stay logged in while using the website or app and after closing your browser or the app (provided that you opted to do so in the login window)
- To identify which app version you're using and correctly display the corresponding features
- To remind you to confirm your email address when using certain features involving email notifications
- To display the website or app to you in the right language
- To recognize what country you're in so that we can display the correct shipping rates, currency, and time zone
- To recognize you during two-factor authentication and third-party logins
- To recognize you when you reset your password
- To ensure your security and prevent others from misusing your information
- To determine if and how you've previously interacted with the Cookie Consent Manager
Cookies on our site regularly collect the following information:
- Your IP address,
- information about your browser and the device used,
- as well as relevant information about your activity.
Each cookie is stored for a specific period of time (see section 6.1.).
The legal basis for the processing of your data for the aforementioned purposes is our legitimate interest according to Art. 6(1)(f) GDPR.
Riskified
For the purpose of preventing credit card fraud, we use the services of Riskified, Inc. (220 Fifth Avenue, Floor 2, New York, NY 10001, USA; hereinafter referred to as "Riskified"). Riskified is an independent controller as described in Art. 4(7) GDPR. Riskified determines whether your credit card payments to Chrono24, which are not secured by the 3D Secure procedure, are insured against fraudulent chargebacks. For this, the following data is collected via cookies and processed by Riskified so that they can analyze your behavior on the website and app:
- Your IP address,
- information about your browser and the device used,
- as well as information about your general activity on our website.
The processed data is stored by Riskified for 48 months and then deleted in their entirety.
The legal basis for the processing of your data is our legitimate interest according to Art. 6(1)(f) GDPR in increasing the general security of our platform and preventing fraud. As attempted fraud is detrimental to Chrono24 and its users, fraud prevention is expressly recognized as a legitimate interest pursuant to Recital 47 GDPR.
Firebase Crashlytics
Our app uses Firebase Crashlytics, an analysis program provided by our processor, Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter "Crashlytics"). Crashlytics collects data on app usage relating to system crashes and errors. Information about the device used and app version installed are collected, along with other information which facilitates troubleshooting, such as the user's software and hardware. Your IP address is also transmitted to Firebase in this context. More information can be found in Crashlytic's privacy policy.
The processed data are stored by Crashlytics for 90 days and then deleted in their entirety.
The legal basis for the processing of your data is our legitimate interest according to Art. 6(1)(f) GDPR in the analysis and troubleshooting of technical problems with our app. To analyze crashes and other errors that occur upon launching the app, Crashlytics is initialized as soon as the app is opened.
accessiBe
When you visit the internet domain "chrono24.com," we use the services of accessiBe Ltd (David Ben Gurion Rd 1, Bene Beraq, Tel Aviv, 5120149, Israel; hereinafter referred to as "accessiBe") to comply with the requirements of the ADA (Americans with Disabilities Act) and provide you with an accessible online platform. For this, accessiBe uses a script that stores information on your device in order to offer you a button in the footer of the website that you can use to create your own accessibility settings. Information about your browser and your behavior on our website, as well as your IP address, are also collected by accessiBe to ensure that the accessibility settings are implemented in accordance with US law.
The legal basis for the processing of your personal data is pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is in providing you with an accessible online platform in compliance with the legal requirements of the ADA.
Cloudflare
To protect our online platform against DDoS (Distributed Denial-of-Service) attacks, which can restrict or impair the functionality of our website, and to increase the associated general security of our marketplace, we rely on a tool provided by our data processor Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA; hereinafter "Cloudflare"). When you use the website and app, Cloudflare automatically selects from a set of browser challenges based on telemetry and user behavior during a session on our website to check for potential DDoS attacks. Cloudflare processes the following data for this purpose:
- Your IP address,
- information about your system configurations,
- information about your operating system,
- your device settings (e.g., language and browser settings, header, user agent), and
- your activity on our platform.
The legal basis for the processing of your personal data within the context of DDoS protection is pursuant to Art. 6(1)(f) GDPR. Our legitimate interest arises from the abovementioned purposes and the associated general increase in the security of our marketplace.
Disclosure of Data in Connection With Fixed-Term Cooperations With Marketing Agencies
In order to run marketing campaigns, we work closely with various marketing agencies. We transfer personal data to our marketing agencies, where necessary, to measure the success of the campaigns, optimize our activities in online marketing, and optimize our platform in a user-oriented manner. The personal data are collected as part of the use of marketing pixels (see Section 6.2.) and, where necessary, transferred to the relevant marketing agencies for the purposes described above. The relevant data categories include, but are not limited to, the following:
- Information about your browser and device;
- Our website address and the actions you took on our website;
- Date and time of the request;
- Your IP address.
These personal data can only be collected if you have given us your consent to use the corresponding marketing pixel in accordance with Article 6(1)(a) GDPR. The transfer of data to our marketing agencies takes place on the basis of our legitimate interests mentioned above in accordance with Article 6(1)(f) GDPR.
If your data are transferred, the marketing agencies are our processors (see Section 2.). We generally only work with agencies for a limited period of time. By concluding data processing contracts, the marketing agencies are obligated to immediately delete all personal data they received from us and not use these data for their own purposes after the contractual relationship has ended.
Analysis Tools
Tracking Tools
The following tracking measures are only used if you have provided your express consent in accordance with Article 6(1)(a) GDPR. You can withdraw your consent separately for each individual tool with future effect at any time with the help of the Consent Manager, which you will find at the end of this Data Privacy Policy. The lawfulness of processing up until the time you withdraw your consent is not affected. The purpose of the tracking measures is to ensure that our website has a user-oriented design and continues to be optimized. At the same time, we use the tracking measures to statistically record the use of our website and evaluate such use to further optimize our offerings for your benefit.
The purposes and categories of the data processing are listed below.
Google Analytics
In order to ensure a user-oriented design and continuous optimization of our websites, we use Google Analytics, a web analytics service provided by our processor Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). In this context, pseudonymized user profiles are created and cookies (see Section 6.1.) are used. The information generated by the cookie about your use of this website includes:
- Your browser type and version
- Your operating system
- The referrer URL (the previous page you visited)
- The host name of the querying computer (IP address)
- Time of the server request
These data are transferred to one of Google's servers in the USA and stored there.
The information is used to evaluate website use, compile reports on website activity, and to provide further services associated with website and Internet usage for the purposes of market research and the user-oriented design of these web pages. This information may also be transferred to third parties as appropriate, insofar as this is required by law or insofar as these parties process the data on our behalf. Under no circumstances will your IP address be merged with other data from Google. IP addresses are anonymized to eliminate any possibility of this happening (IP masking).
You can disable the use of cookies by selecting the appropriate settings in your browser. However, this may prevent you from using all the features of our site to their full extent.
You can find more information on data privacy and processing by Google Analytics here .
Google Ads
In order to statistically record the use of our website and to optimize our offerings for your benefit, we use the Google Ads tool provided by our processor Google (for more information about Google, see Section 7.1.1.). Google Ads saves a cookie (see Section 6.1.) on your computer if you have accessed our website via a Google advertisement. The information generated by the cookie is transferred to one of Google's servers in the USA and stored there.
These cookies expire after 30 days and are not used for personal identification. If the user visits certain pages of a Google Ads customer's website and the cookie has not yet expired, Google and the customer can recognize that the user clicked on the advertisement and was taken to this page.
Each Google Ads customer receives a different cookie, meaning cookies cannot be tracked across websites operated by different Google Ads customers. The information collected via the cookie is used to generate conversion statistics for Google Ads customers who have opted in to conversion tracking. Google Ads customers learn the total number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
If you want to opt out of tracking, you can deactivate the cookie required for tracking in your browser settings. You can find Google's privacy policy regarding tracking using Google Ads here .
Meta Custom Audiences
In order to statistically record the use of our website and to optimize our offerings for your benefit, we use the Meta Custom Audiences tool provided by our processor Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland; hereinafter "Meta"). Meta saves a cookie (see Section 6.1.) on your computer if you have accessed our website via an advertisement from Meta. The information generated by the cookie is transferred to one of Meta's servers in the USA and stored there.
These cookies expire after 180 days and are not used for personal identification. If the user visits certain pages of a website operated by a Meta Custom Audiences customer and the cookie has not yet expired, Meta and the customer can recognize that the user clicked on the advertisement and was redirected to that page.
Each Meta Custom Audiences customer receives a different cookie, meaning cookies cannot be tracked across websites operated by different Meta Custom Audiences customers. The information collected using the cookie is used to create conversion statistics for Meta Custom Audiences customers who have opted in to conversion tracking. Meta Custom Audiences customers learn the total number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
If you want to opt out of tracking, you can deactivate the cookie required for tracking in your browser settings. You can find Meta's privacy policy regarding tracking using Meta Custom Audiences here.
Hotjar
We use the analytics service Hotjar provided by our processor Hotjar Ltd. (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta) on our website. Hotjar is a user behavior analysis tool that we use for our user surveys. Hotjar allows us to measure and evaluate the behavior of participants in user studies (e.g., mouse movement, clicks, how far they scrolled, etc.). The following data, among others, are collected in the process:
- Your mouse movements;
- Clicks;
- How far you scrolled;
- Your device settings (e.g., user agent);
- The time you spent answering each question.
For this purpose, Hotjar saves cookies (see Section 6.1.) on the devices of site visitors, which can store their data such as browser information, operating system, time spent on the site, etc. in an anonymized format.
Microsoft Advertising
We use the Microsoft Advertising tool provided by our processor Microsoft Ireland Operations Ltd. (70 Sir John Rogerson's Quay, Dublin 2, Ireland; hereinafter "Microsoft"). The tool enables us to track the activities of users on our website when they access our website via advertisements from Microsoft Advertising. We use this Universal Event Tracking (UET) to design our website in a user-oriented manner.
If you access our website via a Microsoft Advertising advertisement, a cookie (see Section 6.1.) is saved on your computer. There is a Microsoft advertising tag integrated into our website. This is a code which, in conjunction with the cookie, stores some non-personal data about the use of the website. These data include, but are not limited to:
- The time you spent on the website;
- Information about which parts of the website you visited and which advertisement you used to access the website.
No information about your identity is collected. The data collected by the Microsoft advertising cookie are transferred to Microsoft servers in the USA and stored there for a maximum of 180 days.
You can find more information on Microsoft Advertising's analytic services on the Microsoft Advertising website.
You find more information on data privacy at Microsoft in their privacy statement .
MaxMind
For the purpose of fraud prevention, we transfer your IP address and information about the device you are using to our processor MaxMind, Inc. (14 Spring Street, 3rd Floor Waltham, MA 02451, USA; hereinafter "MaxMind"). Your data are transferred to one of MaxMind's servers in the USA and stored there. This allows us to statistically analyze IP addresses, devices used, and locations to detect and prevent attempted fraud.
Your data are processed exclusively for this purpose and deleted when you stop using our website. More information can be found in MaxMind's privacy policy .
You can disable the use of geolocation by selecting the appropriate settings in your browser. However, this may prevent you from using all the features of our site to their full extent.
Google Tag Manager
We use the tag management system "Google Tag Manager" from our processor Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter "Google") on our website to manage JavaScript and HTML tags for tracking and analysis with our own and third-party software. Tags are small code elements that help us measure traffic and visitor behavior, understand the impact of our advertising, set up remarketing and targeting, and test and optimize our website, among other things. Google Tag Manager is an auxiliary service that facilitates the integration and management of our tags via an interface. As soon as Google Tag Manager implements tags, the following data is transmitted to Google:
- Your IP address and
- information about your web browser and the device used
The processed data are stored by Google for 180 days and then deleted in their entirety.
Tags set by Google Tag Manager prompt other tags, which also collect personal data; however, Google Tag Manager does not access this data.
If deactivation occurs at the domain or cookie level, this remains in effect for all tags implemented with Google Tag Manager. Data processing only takes place if you have given your express consent in accordance with Article 6(1)(a) GDPR.
You can find more information in Google's privacy policy .
AppsFlyer
In our app, we use the AppsFlyer tracking tool provided by our processor AppsFlyer Ltd. (14 Maskit St., 46733 Herzliya, Israel) to measure the success of advertising campaigns, including tracking how many people were directed to our app by a QR code. To track the use of our app, AppsFlyer transmits the necessary information to us in aggregate form. In order to measure how you interact with the app, it is necessary to process the following personal information:
- Your IP address and
- Your user ID
Based on the information collected, we can, for example, determine which advertising campaigns drove app downloads.
AppsFlyer only collects information about your behavior in our app if you've given us your express consent to do so via our Consent Manager, in accordance with Section 6(1)(a) GDPR.
Targeting Tools
We only use the following targeting measures if you have given us your express consent in accordance with Article 6(1)(a) GDPR. You can withdraw your consent for each individual tool with future effect at any time using the Consent Manager, which you can find at the end of this Data Privacy Policy. The lawfulness of processing up until the time you withdraw your consent is not affected. By using the following targeting measures, we want to ensure that only advertisements based on your actual or assumed interests are displayed on your devices.
The purposes and categories of the data processing are listed below.
Google Ads
We use the Google Ads tool provided by our processor Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter "Google"). Google uses cookies (see Section 6.1.), which are saved on your computer, to analyze your website usage. The information collected by the cookie about your website usage (including your IP address) is transferred to one of Google's servers in the USA and stored there.
Google removes the last three digits from your IP address, making it impossible to determine your exact IP address. Google uses the data it collects to analyze your website usage, compile reports on website activity for website operators, and provide other services relating to website activity and Internet usage. In addition, we use the information collected by the cookie to classify our customers into different user groups (segmentation). This segmentation does not reveal your identity.
Google may also transfer these data to third parties if required to do so by law, or if these third parties process the data on Google's behalf. Third parties, including Google, display advertisements on websites on the Internet and use stored cookies to show advertisements based on a user's previous visits to that website. Google will not connect your IP address with any other data held by Google.
You can find more information on Google's policies here .
Meta Custom Audiences
We use Meta Custom Audiences provided by our processor Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland; hereinafter "Meta"). This is a marketing service provided by Meta that allows us to display customized and interest-based advertising on our social media platforms to certain groups of pseudonymized visitors to our website who also use Facebook and Instagram. Thus, we use the information collected by the cookie to divide our customers into different user groups (segmentation).
There is a Meta Custom Audiences pixel integrated into our website. This is a Java script code that stores non-personal data about your website usage, including your IP address, your browser, and the source and target pages. These data are transferred to Meta servers in the USA.
The system automatically checks whether there is a Meta cookie saved on your device. The Meta cookie is used to automatically determine whether you belong to the relevant target group. If so, you will be shown advertisements from us on Facebook and Instagram. This cross-check does not reveal your identity to us or Meta.
You can refuse the Custom Audiences service on the Facebook website. After logging into your Facebook account, navigate to your settings for Facebook ads and set your preferences.
You can find more information on data privacy at Meta in their privacy policy .
CrossEngage
Information about user behavior on our website is collected using cookies (see Section 6.1.) and analyzed by our processor CrossEngage GmbH (Bertha-Benz-Str. 5, 10557 Berlin, Germany). This enables us to optimize our marketing measures according to users' actual or assumed interests and display content to them on other websites or via other advertising channels.
You can find more information on data privacy and processing by CrossEngage here .
We use technologies provided by our processor LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2, Ireland; hereinafter "LinkedIn") on our website to collect and store data for marketing and optimization purposes. The technologies from LinkedIn enable us to create reports on marketing campaigns and to gather information about user behavior on our website in order to optimize marketing strategies as well as our platform in a user-oriented manner. To do so, we use a marketing pixel from LinkedIn to create pseudonymized user profiles. This involves transferring your IP address to LinkedIn in shortened or hashed form. We pseudonymize the IP address within seven days and delete it after 90 days at the latest.
You can find more information on data privacy and processing by LinkedIn here .
Google Customer Match
In order to match customers with similar interests, we use Google Ad's Customer Match lists from our processing partner Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as "Google"). To use Customer Match, lists of encrypted ("hashed") email addresses are uploaded to Google. Google then compares those email addresses to see if they match existing Google customers. This information can then be used to create audiences for targeted ads and ad campaigns. The matching process can take up to 48 hours. We use secure hash algorithms to pseudonymize the email addresses we send to Google. This form of encryption provides the highest level of protection for your data. Once the matching process is complete, the encrypted email addresses are automatically deleted, ensuring that Google does not acquire any new addresses.
You can read more about how Google handles data here.
Social Media
When it comes to social media, we understand our responsibilities for processing personal data. In this context, we would like to inform you about the use of social media plugins on our platform and our responsibility under data protection law in connection with our social media presences.
Social Media Plugins
We use social plugins for different social networks on our website. The legal basis is Article 6(1)(a) GDPR. You can withdraw your consent for each individual tool with future effect at any time with the help of the Consent Manager, which you can find at the end of this Data Privacy Policy. The lawfulness of processing up until the time you withdraw your consent is not affected. It is the responsibility of the respective provider to ensure that operation is in compliance with data protection regulations.
Social media buttons are integrated using our specially-developed solution that prevents a connection to a social network from being established simply because you visit a page with a social media button, without you having activated it. This means that information is not transferred to the social network until you activate the button.
Our platform uses social media plugins from Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland; hereinafter "Facebook") to personalize the user experience, for example through the use of "Like" and "Share" buttons. These are Facebook offerings.
When you visit a page of our online presence featuring such a plugin, and you activate that plugin, your browser establishes a direct connection to Facebook servers. The plugin content is sent by Facebook directly to your browser and integrated into the site.
When a plugin is integrated, Facebook receives the information that your browser accessed the corresponding page of our online presence, even if you do not have a Facebook account or are currently not logged in to Facebook. This information (including your IP address) is transferred by your browser directly to one of Facebook's servers in the USA and stored there.
If you are logged in to Facebook, Facebook can directly associate your visit to our website with your Facebook account. If you interact with a plugin, for example by clicking the "Like" or "Share" button, the corresponding information is also transferred directly to one of Facebook's servers and stored there. The information is also published on Facebook and displayed to your Facebook friends.
Facebook can use this information for the purposes of advertising, market research, and designing Facebook pages in a user-oriented manner. This involves Facebook creating user, interest, and relationship profiles, for example to evaluate your use of our website in relation to advertisements displayed to you on Facebook, to inform other Facebook users of your activities on our website, and to provide other services related to the use of Facebook.
If you do not want Facebook to associate information about you collected via our online presence to your Facebook account, you must log out of Facebook before visiting our website.
Please see Facebook's privacy policy for information regarding the purpose and scope of data collection, further processing and use of data by Facebook, your data privacy rights, and data privacy configuration settings.
X (Formerly Twitter)
Plugins from the microblogging and social network X from Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland; hereinafter "X") are integrated into our web pages. X plugins (e.g., the post button) can be identified by the X logo that appears on our website.
When you visit a page of our online presence featuring such a plugin, and you activate that plugin, a direct connection is established between your browser and an X server. X then receives information that you have visited our page and your IP address. You can link content from our webpages with your X account by clicking on the "Post" button while logged in to your X account. This enables X to cross-reference your visit to our webpages to your user account. Please note that, as website provider, we have no knowledge of the content of the data transferred or regarding its use by X.
If you do not want X to associate your visit to our pages, please log out of your X account before visiting our website.
More information can be found in X's privacy policy .
Our website also uses social plugins from Instagram, which is operated by Instagram LLC. (1601 Willow Road, Menlo Park, CA 94025, USA; hereinafter "Instagram").
The plugins are marked with an Instagram logo, for example the "Instagram camera."
When you visit a page of our online presence featuring such a plugin, and you activate that plugin yourself, a direct connection is established between your browser and the Instagram servers. The plugin content is sent by Instagram directly to your browser and integrated into the site. When a plugin is integrated, Instagram receives the information that your browser accessed the corresponding page of our online presence, even if you do not have an Instagram account or are currently not logged in to Instagram.
This information (including your IP address) is transferred by your browser directly to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can directly associate your visit to our website with your Instagram account. If you interact with the plugins, for example by clicking the "Instagram" button, this information is also transferred directly to an Instagram server and stored there.
The information will also be published on your Instagram account and shown to your followers.
If you do not want Instagram to associate information about you collected via our online presence directly with your Instagram account, you must log out of Instagram before visiting our website.
More information can be found in Instagram's privacy policy .
YouTube
On our website, you have the option of being redirected straight to our YouTube channel. This is not a link requiring consent in accordance with Article 6(1)(a) GDPR. We use YouTube’s privacy-enhanced mode to prevent these links from saving cookies that analyze usage behavior.
The controller for this external link is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland).
More information can be found in Google's privacy policy .
Social Media Profiles
We operate public profiles on the following social media channels:
- Facebook: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (hereinafter "Facebook")
- X (formerly Twitter): Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland (hereinafter "X")
- Instagram: Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (hereinafter "Instagram")
- YouTube: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "YouTube")
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn")
- Pinterest: Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (hereinafter "Pinterest")
- TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter "TikTok")
We operate our social media profiles as joint controllers with the respective network operators on the basis of joint responsibility agreements under Article 26 GDPR.
When visiting our social media profiles, your personal data are processed by the responsible parties as follows:
We use the analysis functions provided to obtain statistical evaluations of visitors to our social media profiles.
To this end, the network operators use profile cookies and similar technologies when you visit our platform, and a unique user ID is created. This ID may be linked to your user data if you are registered with the respective network operator.
The information stored in the user ID is processed by the network operators, especially when you as a user visit these services. Other entities, such as partners or third parties, may also use cookies within these services to provide services to companies that advertise on the networks.
You can find more detailed information on data processing by the network operators in the respective privacy policies:
- Facebook: Data privacy policy, information about Page Insights Data, cookie policy
- X (formerly Twitter): Data privacy policy, cookie policy
- Instagram: Data privacy policy, see also Meta's cookie policy
- YouTube: Google's privacy policy
- LinkedIn: Data privacy policy, cookie policy
- Pinterest: Data privacy policy, cookie policy
- TikTok: Data privacy policy, cookie policy
Data processing enables network operators to improve their advertising and allows us to optimize our marketing activities based on the statistics we obtain.
We receive the visitor statistics generated in an anonymous form. We do not have access to the underlying data.
We also use our social media profiles to communicate with our customers, users, and other parties, and to provide them with information about our services. Thus, we may receive further information, e.g., information in user comments or private messages. The processing thereof takes place for the sole purpose of communicating and interacting with these parties.
The processing takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR to optimize the presentation of our company and services.
In the case of Facebook, X, Instagram, YouTube, LinkedIn, Pinterest, and TikTok, it is possible that some information collected may also be processed in the USA. For those outside the USA, the data transfer takes place on the basis of standard clauses approved by the European Commission that ensure an appropriate level of data protection is provided. We have no influence on these processing operations. We do not transfer any personal data that we receive via our social media profiles.
Tools for Sending Emails
Service and Transaction Emails
In order to send transaction and service emails, we use the Mailgun and Sparkpost tools provided by our processors Mailgun Technologies, Inc (112 E Pecan St, #1135, San Antonio, TX, 78205, USA) and Sparkpost (9160 Guilford Rd, Columbia, MD 21046, USA). We transfer the following personal data to the service providers that send emails on our behalf:
- Your email address
- Your first and last name
- Your dealer names
- Your transaction number.
The data processing involved in sending transaction and service emails takes place on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR. By doing so, we endeavor to ensure that communication processes are automated in a user-oriented manner, in particular with regard to those actions taken by you, and in order to be able to inform you about security-relevant matters as quickly as possible.
Outreach Emails
We conduct and manage outreach campaigns using the Pitchbox tool provided by Pitchbox, LLC (626 Jacksonville Rd., Suite 105, Warminster, PA 18974, USA). Pitchbox is a web-based solution that enables us to send and receive emails and measure the success of our outreach campaigns. This process involves the following personal data being transferred to Pitchbox:
- Your email address
You may be contacted via Pitchbox during an outreach campaign. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is in direct marketing recognized in Recital 47 GDPR and the fact that only bloggers and editors who may have an interest in working with Chrono24 are contacted.
Solutions for Fraud Prevention
We want to make buying and selling on Chrono24 as secure as possible. We therefore use solutions from specialized service providers in order to prevent fraud and receive information regarding transactions on Chrono24. The IP address of the device that accesses our website as well as other data relating to the use of Chrono24 are processed. It is not possible for us to assign such data to a specific user. This is only carried out in cases where fraudulent behavior is suspected based on the information received. The specialized service providers may be based in the USA. We only work with service providers that offer the standard contractual clauses approved by the EU Commission and thus guarantee an appropriate level of data protection equivalent to that in the EU. The legal basis is Article 6(1)(f) GDPR. Preventing fraud attempts at the expense of our customers as well as at our own expense is expressly recognized as a legitimate interest in Recital 47 GDPR.
IDnow
To identify users on our platform, we use the AutoIdent technology from our processor IDnow (Auenstrasse 100, 80469 Munich, Germany). This is a verification app that captures the end user's identification document using a smartphone camera and completes online verification. The following personal data are collected:
- Your first and last name
- Your date of birth
- The number of your identification document
- Your email address
- Your phone number
- Video recording of your face
We also collect personal data from the identification document, which is used to confirm the identity of the user beyond doubt. All information is used exclusively for the purposes of verifying and identifying the user. Further processing for other purposes does not take place.
The AutoIdent solution is not a fully automated process. As soon as the verification app detects any discrepancies, IDnow employees manually double-check the data.
Personal data are collected in accordance with Article 6(1)(b) GDPR to take steps prior to entering into a contract.
Data are also collected on the basis of Article 6(1)(f) GDPR. Our legitimate interest is preventing fraud and, thus, increasing the marketplace's overall security.
Reporting a Listing
If you suspect that a listing is fraudulent, you can report it to Chrono24 using the appropriate form. This involves transferring the following personal data to our processors Sparkpost and Mailgun:
- Your first and last name
- Your email address
- Your phone number
The legal basis for processing your personal data is Article 6(1)(f) GDPR. Chrono24 GmbH's legitimate interest required by this clause is preventing fraud and, thus, improving the marketplace's security.
You can find more information on the providers we use for sending emails on our behalf under Section 9.1. of this Data Privacy Policy.
Intragroup Exchange of Personal Data for Fraud Prevention
As part of our fraud prevention measures, data belonging to customers suspected of fraudulent activity are forwarded within the Group to Chrono24 Direct GmbH. Chrono24 Direct GmbH is a partner company of Chrono24 that lists watches on our platform. The user's personal data are transferred to Chrono24 Direct GmbH in order to prevent the latter from entering into potentially fraudulent transactions. In such cases, the following personal data are exchanged between Chrono24 GmbH and Chrono24 Direct GmbH:
- Your email address
- Your first and last name
The legal basis for transferring personal data is Article 6(1)(f) GDPR. Chrono24 GmbH and Chrono24 Direct GmbH's legitimate interests required by this clause as joint controllers under Article 26 GDPR are preventing fraud and, thus, increasing the platform's overall security.
We have agreed with Chrono24 Direct to act as joint controllers within the meaning of Article 26 GDPR to ensure that the rights and freedoms of data subjects continue to be guaranteed by both parties. Furthermore, both parties undertake to process data in accordance with the GDPR.
Spam Protection
We use Turnstile, a tool provided by our processor Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA; hereinafter "Cloudflare"), to determine whether interactions on our website are performed by humans or automated machines. This way, we can protect our website from automated spam, spying, and misuse.
In order to do this, Turnstile automatically selects from a set of browser challenges based on telemetry and user behavior during a session on our website. This data includes but is not limited to the following:
- Your IP address
- Information about your system configurations
- Information about your operating system
- Your device settings (e.g., language and browser settings, header, user agent)
Turnstile also uses private access tokens to carry out analysis for the purpose described above. These tokens are provided by device manufacturers and help Turnstile confirm whether visitors to our website are indeed human. By working with third parties such as device manufacturers, data can be validated without having to be captured again by Turnstile.
If Turnstile's purely data-driven analysis does not deliver clear results, the site visitor is prompted to take another action (e.g., click a button). This interaction serves as a final check as to whether the website visitor is human.
Cloudflare does not process the data for its own purposes. Furthermore, no cookies are set in the course of the analysis, nor are cookies searched for in order to collect or store information.
The legal basis for the processing of personal data within the context of our spam protection procedure with Turnstile is Article 6(1)(f) GDPR. The legitimate interest required by this clause is the purposes mentioned above and, thus, improving the marketplace's overall security.
You can find more information in Cloudflare's privacy policy.
Identity Verification Through Ubble
To help prevent fraud, we use the Ubble AutoIdent solution provided by our processor NJFVision SAS (20 Bis Rue La Fayette, 75009 Paris, France; hereinafter "Ubble") to identify users on our platform. As part of the identity verification process, you will receive a link via QR code or SMS. Then you'll be asked to make video recordings of your proof of identity and your face. Simply follow Ubble's instructions to verify your identity.
The following personal data will be processed:
- Video recording of your face
- Video recording of your proof of ID
- Your first and last name
- Your date of birth
- Your address
- Your phone number,
- Your ID number
- Your biometric identifiers
Your personal data will be processed according to Article 6(1)(f) GDPR. Our legitimate interest results from legal requirements pertaining to fraud prevention and thus a general increase in the security of our marketplace. According to Recital 47 GDPR, this is a legally recognized legitimate interest.
Your personal data will only be processed to verify your identity and will not be used for any other purpose.
The personal information you provide will be deleted after 96 hours. The result of the identity verification process will be visible to us for 90 days.
The AutoIdent solution is not a fully automated process. If Ubble detects any discrepancies during the identity verification process, the data is checked again manually by an employee.
Virtual Meeting Platforms
Zoom
To conduct interviews for our user studies, we use the Zoom software provided by our processor Zoom Video Communications, Inc. (55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA; hereinafter "Zoom"). We use Zoom to communicate with Chrono24 users who have agreed to participate in our research. When you use Zoom, different types of data are processed, and the scope of the data depends on the information you provide before and during your participation in the Zoom meeting. Ultimately, the following personal data may be subject to processing:
- Your display name
- Your email address
- Your profile picture
- Meeting metadata (date, time, meeting ID, and device and hardware information)
- Your IP address
- Text, audio, and video data
For the duration of the Zoom meeting, data from the microphone and video camera on your device is processed to enable video display and audio playback. However, you can turn off the camera or mute the microphone yourself at any time in the Zoom application.
You can also dial into Zoom meetings using a phone. In this case, the following personal data will also be processed:
- Your phone number
- Your country
- Other connection data, e.g., IP address of the device used (if applicable)
The legal basis for the processing of personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is efficiently conducting virtual meetings for our user studies.
If you have provided your consent in accordance with Article 6(1)(a) GDPR, we will record the Zoom meeting. In this case, an MP4 file of all video, audio, and presentation recordings; an M4A file of all audio recordings; and a text file of the Zoom meeting chat will be stored internally on our servers to evaluate the user study.
In order to guarantee an appropriate level of data privacy, we have configured our Zoom settings so that all data from virtual meetings are stored in data centers in the European Economic Area or in secure third countries such as Canada and Japan.
Microsoft Teams
In order to conduct virtual meetings and webinars and to communicate via chat, we use the Microsoft Teams communication platform provided by our processor Microsoft Ireland Operations Limited (70 Sir John Rogerson's Quay, Dublin 2, Ireland; hereinafter "Teams"). We communicate via Teams with external parties and Chrono24 users who have agreed to participate in our studies. When using Teams, various types of data are processed, and the scope of the data depends on the information you provide before and during your participation in the Teams meeting. Ultimately, the following personal data may be processed:
- Your display name
- Your email address
- Your profile picture
- Meeting metadata (date, time, meeting ID, and device and hardware information)
- Your IP address
- Text, audio, and video data
For the duration of the Teams meeting, data from the microphone and video camera on your device is processed to enable video display and audio playback. However, you can turn off the camera or mute the microphone yourself at any time in the Teams application.
You can also dial into Teams meetings using a phone. In this case, the following additional personal data will be processed:
- Your phone number
- Your country
- Other connection data, e.g., IP address of the device used (if applicable)
The legal basis for data processing in the context of Teams meetings is Article 6(1)(b) GDPR, insofar as the meetings take place within the context of a contractual relationship.
If we have not concluded a contract with you, the legal basis for processing your personal data is Article 6(1)(f) GDPR. Our legitimate interest required by this clause is the effective facilitation of Teams meetings and conducting our user studies in a user-oriented manner.
If we intend to record a Teams meeting, we will communicate this intention transparently in advance. The meeting will only be recorded if you have given us your consent in accordance with Article 6(1)(a) GDPR.
In order to guarantee an appropriate level of data privacy, we have configured our Teams settings so that all data from virtual meetings are stored in data centers in the European Union.
Rights of the Data Subject
You have the right:
- To withdraw consent you have granted us at any time in accordance with Article 7(3) GDPR. If you do so, we are no longer permitted to continue the data processing that was based on this consent in the future.
- To access information about the personal data of yours that we are processing in accordance with Article 15 GDPR. In particular, you are entitled to information about the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored; the existence of the right to request rectification, erasure, and restriction of processing of personal data or to object to such processing; the right to lodge a complaint; for instances in which the personal data are not collected from the data subject, any available information as to their source; and the existence of automated decision-making, including profiling and meaningful information on their details.
- To request the rectification of inaccurate personal data belonging to you and have incomplete personal data completed in accordance with Article 16 GDPR.
- To request the erasure of personal data belonging to you and stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims in accordance with Article 17 GDPR.
- The right to request the restriction of the processing of your personal data in accordance with Article 18 GDPR, insofar as you contest the accuracy of your personal data; the processing is unlawful, but you oppose its erasure; we no longer need the personal data, but you require them for the establishment, exercise, or defense of legal claims; or you have objected to the processing in accordance with Article 21 GDPR.
- To receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that they be transferred to another controller in accordance with Article 20 GDPR.
- To lodge a complaint with a supervisory authority in accordance with Article 77 GDPR. You can do so with a supervisory authority in the place of your permanent residence, place of work, or our company headquarters.
Right to Object
If your personal data are processed on the basis of legitimate interests in accordance with Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR provided there are grounds relating to your particular situation or the objection pertains to direct marketing. In the latter case, you have a general right to object which we will act upon without you having to provide special circumstances.
If you would like to exercise your right to object, you can do so by sending an email to stating this intention.
Data Protection
We use the prevalent TLS (Transport Layer Security) protocol for our website in combination with the highest level of encryption supported by your browser. TLS is a secure and proven standard used in online banking, as well as many other applications. A secure TLS connection is indicated among other things by the letter "s" appended to the "http" (i.e., https://…) in the address bar of your browser, as well as a padlock symbol either in your address bar or at the bottom of your browser.
We also implement appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction and unauthorized access by third parties. The security measures we implement are continuously upgraded to remain up to date with advances in technology.
If you register with us as a user, you can only access your user account after entering your personal password. You should always keep your access data confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.
We take company-internal data protection very seriously. Our employees and contracted service companies are obliged to maintain strict confidentiality and to comply with data protection regulations.
Retention Period
In principle, your data will be deleted, taking into account retention periods under commercial and tax law, when the purpose for which the data were collected no longer applies, unless you have consented to further processing. We also reserve the right to retain certain categories of data for a period of three years, provided that the data can be used to prove certain facts and to establish, exercise, or defend legal claims.
Updates and Amendments to This Data Privacy Policy
This is the current version of our Data Privacy Policy after it was last updated on September 2024.
It may be necessary to amend this Data Privacy Policy as our website and offerings are updated, or to comply with changes in legal or regulatory requirements. You can access and print the current version of this Data Privacy Policy on our website at any time at
https://www.chrono24.bh/info/datenschutz.htm .