The protection of your personal data is very important to us. We comply with the statutory provisions in all data processing operations. In the following, we inform you in accordance with Articles 12, 13 and 21 of the General Data Protection Regulation (GDPR) about how we handle your personal data:

  • when using our website www.compay.de
  • when using the services of Compay GmbH in the context of a purchase contract with a Compay partner as a payment person (hereinafter referred to as “receivables management”)
  • in connection with age verification
  • when contacting Compay GmbH via the aforementioned website
  • when communicating, e.g. by email or via our web form

This privacy policy also explains what rights you have in relation to your personal data and how you can control them and protect your privacy.

We also explain the technical and organisational measures we take to protect your data from unauthorised access, accidental loss, destruction, damage or misuse.

1. Details of the person responsible and contact with the data protection officer

Compay GmbH, Mettmanner Straße 25, Building 13, 40699 Erkrath, Germany, telephone number +49 (0)211 545726 00, e-mail: service@compay.de is responsible for data processing.

The company Compay GmbH is also meant when the terms “we” or “us” are used in the following.

You can contact our data protection officer by e-mail at datenschutz@compay.de or by post at
Compay GmbH
Attn: Data Protection Officer
Mettmanner Straße 25 / Building 13
40699 Erkrath
Germany

2. Purposes and legal basis of the processing of personal data

When we provide you (hereinafter also referred to as “user”) with a service for use, we process personal data from various sources:

  • We process data that is collected automatically, for example when you visit our website.
  • We process data that you actively provide to us.
  • We receive personal data when it is transmitted to us by our client (hereinafter also referred to as the “webmaster”).

2.1 Automatic data processing when you visit the website

When you visit our website, your browser automatically sends technical information to our server. This includes your IP address, the time of access, the page accessed, the amount of data transferred, the previously visited website and the browser version used.

We store this so-called usage data in pseudonymised form. This means that we process the data in such a way that it cannot be directly attributed to a specific person. Data processing is necessary to enable the use of our services and to ensure the security and functionality of the website. The data also helps us to detect attacks, prevent misuse, analyse errors and improve the website. Personal identification does not take place. We delete the server log data after 7 days.
The legal basis for the processing of this data is Art. 6 (1) lit. f) GDPR; the protection and functionality of the services are legitimate interests in this sense.

Cookies and tracking tools: We use cookies to enable the technical processes for the automatic processing of this usage data. Further information on this can be found in the appendix to this data protection information here.

2.2 Data processing in connection with claims management if you are registered as a payment person with us

Compay handles the processing and settlement of payments (receivables management). You may be registered with us as a payment person because you have submitted your data yourself via a web form (sign-up) or because you have a contract with a webmaster and this webmaster has provided us with your data. Which data is processed depends on which product you use and which service and payment method you have selected with the webmaster. Depending on the order, we carry out payment processing or other checks for the webmaster using your data.

2.2 a) Data processing in connection with age verification

A webmaster may instruct us to check whether you are of legal age. This check serves to ensure compliance with youth protection regulations. For age verification (FSK18 check), we use credit agencies to which we transmit your full name, address and date of birth. As soon as your age of majority has been confirmed, we will inform you and the webmaster. If your age of majority cannot be confirmed, the contract with the webmaster may not be concluded.

2.2 b) Other checks/blacklists

A webmaster can also instruct us to carry out further checks before concluding a contract with you. For example, we may check whether you are on a Compay GmbH blacklist. This list includes people who have had returned direct debits or payment defaults in existing or previous contracts in the past. As soon as outstanding debts have been paid, the entry in the blacklist is deleted.

The processing is carried out on behalf of the webmaster and serves to prevent new contracts with people who have not paid in the past. It is also intended to help prevent fraud and protect our clients from payment defaults. At the same time, it serves to ensure the security and reliability of the service offered.

When we make automated decisions, you have the right to receive information about the logic involved and the significance and consequences of this processing, for example why a contract was rejected in your case. You can have the decision reviewed by explaining your point of view. We will then check this manually. Please send an e-mail to: service@compay.de.

2.2 c) Receivables management

We process the following personal data for payment processing:

  • If you pay by direct debit or prepayment, we collect your master data (full name, address, date of birth), your contact details (e-mail address) and your payment details, in particular your IBAN and BIC if applicable. In addition, we process data relating to your order (e.g. product description) as well as contract data such as the customer number assigned by the webmaster, our transaction number, your IP address and other information if this has been transmitted by the webmaster.
  • We do not store any payment data for payments by credit card. This data is stored exclusively by the payment service provider. We only record your master and contact data. In addition, we process contract data such as product information, the webmaster’s customer number, our transaction number, IP address if applicable and other data if provided by the webmaster.
  • For Cashtocode and Tink, we collect the transaction number, customer number, transaction number and, if applicable, your IP address. We process further information, such as the purchase amount, currency and country of origin, if provided by the webmaster. With Tink, we also process your e-mail address, your name and your IBAN.
  • If you pay as a recurring user with “One-Click”, we also collect connection data such as your IP address and other usage data in addition to order and contract data. This is used for verification purposes and fraud prevention.
  • If a payment is made, we process your master data, payment data, copies of ID cards, copies of documents with proof of address (account statement, registration certificate, utility bill, etc.) and copies of the bank card if necessary – due to obligations under money laundering law.

2.2 d) Purposes and legal basis

We process your data for the following purposes:

  • To identify you as our or a webmaster’s contractual partner and to check the plausibility of your details;
  • To protect the legitimate economic interests of our clients (webmasters). For example, to avoid payment defaults and to recognise and prevent attempted fraud;
  • To check whether you are suitable for certain products and services of a webmaster and to comply with the legal protection of minors;
  • For claims management on behalf of a webmaster;
  • For documentation and for the assertion and defence of legal claims;
  • To ensure the security and functionality of our IT systems;
  • To analyse and defend against attacks on our systems;
  • To protect against malicious data traffic;
  • To inform you about our services and provide you with information;
  • For our business correspondence;
  • To fulfil obligations under the Money Laundering Act or tax obligations;
  • And to fulfil other legal obligations.

The processing of your data is based on the legitimate interests of us and our clients (webmasters), Art. 6 para. 1 lit. f) GDPR. The processing of payment data is also necessary for the fulfilment of the contract between you and the webmaster. Our partners have a legitimate economic interest in avoiding payment defaults (protection against economic risk), simplifying payment processes and optimising costs – also in your interest as a user. If Compay GmbH is legally obliged to process certain data, this is done on the basis of Article 6(1)(c) GDPR.

2.3 When using our contact forms and when communicating by email

If you use the contact form, which is available on our website, the data entered in the input mask is transmitted to us and stored. These data are:

  • First name
  • Surname
  • E-mail address
  • Subject
  • Message content

We also store

  • Your IP address (in anonymised form)
  • Date and time of sending

This data is processed because you wish to contact us. The basis is Art. 6 para. 1 sentence 1 lit. b GDPR (implementation of pre-contractual measures) or Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in responding to customer enquiries and ensuring a functioning customer service.

The personal data stored by us will be deleted as soon as your enquiry has been fully processed – unless there are statutory retention obligations or the nature of the enquiry makes longer storage necessary. In this case, the processing is based on Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with commercial and tax regulations (HGB, StGB, AO).

2.4 Data processing in connection with job applications

Information on data processing in connection with an application to us can be found here.

2.5 When recording telephone conversations with telephone support

If you consent to the recording of a telephone call with our support team, we will process your personal data.

On the one hand, this involves the audio recording of the call itself and, on the other, so-called metadata such as your telephone number or the time of the call. During the call, a mandatory identification or authentication process takes place. The personal data you provide during this process is also stored in the recording.

The recording is made for training and quality purposes. The legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Recording will only take place if you have given your express prior consent. In the case of a percentage of calls, a recording is automatically started after your consent.

We delete call recordings that are not used for training purposes after 30 days. We store recordings that are used for training purposes for a maximum of 3 months.

3. Recipients

We treat your personal data confidentially and carefully. We only pass it on to the following recipients to the extent specified:

3.1 a) Transfers to webmasters

As part of the payment service, we transmit your data to the respective webmaster (i.e. our client or your contractual partner) or make your data available for retrieval.

3.1 b) Transmission of data to technical service providers (order processors)

We transfer your data to technical service providers who support us in the operation of our systems. These include, for example, hosting or printing service providers based in Germany. Data is only passed on on the basis of a contract in which the service providers undertake to process the data exclusively on our instructions, not to pass it on to third parties and to comply with high data protection standards. Data is not transferred to countries outside the EU.

3.1 c) Transmission of data to third parties

For payment processing, we transfer your data to payment processors, such as banks or payment service providers. In the event of payment defaults, your data may be passed on to third parties such as debt collection agencies, credit agencies or lawyers.

Authorities – e.g. tax offices, investigating authorities or courts – may also receive data if we are legally obliged to do so. Otherwise, data will only be passed on to third parties with your consent or if this is necessary to fulfil legal obligations.

3.1 d) Data transfers to third countries outside the EU or the EEA

We do not transfer your personal data to countries outside the EU or the EEA for which there is no so-called adequacy decision by the EU Commission (e.g. India).

If such a transfer is nevertheless necessary, we ensure that suitable protective measures are taken. Without such measures or without your express consent, no transfer will take place. In particular, there is a risk that authorities in third countries may be able to access the data without you being able to take effective legal action against this.

Data will only be transferred if:

  • there is an adequacy decision by the EU Commission (e.g. for the USA under the EU-U.S. Data Privacy Framework),
  • the recipient offers suitable guarantees in accordance with Art. 46 GDPR (e.g. standard contractual clauses or binding internal data protection regulations),
  • you have expressly consented (in accordance with Art. 49 para. 1 lit. a GDPR) after we have informed you of possible risks, or
  • the transfer is necessary for the fulfilment of the contract.

We will be happy to provide you with further information on the protective measures used on request.

4. Storage period

We store your personal data for as long as is necessary to fulfil our contractual or legal obligations. This means that we generally store your data for as long as we are obliged or authorised to do so by law or contractual regulations. As soon as the data is no longer required for these purposes, it is deleted regularly and promptly, unless we need to continue processing it in order to protect legitimate contractual or public interests.

If you provide us with personal data in the context of initiating a contract, we will delete it if no contract is concluded or as soon as your enquiry has been dealt with, unless there are statutory retention or proof obligations that prevent deletion.

5. Data security when visiting the website

When you visit our website, we use the well-known SSL (Secure Sockets Layer) encryption method in conjunction with the highest level of encryption supported by your browser. As a rule, this is TLS AES 256-bit encryption. If your browser does not support this, we use 128-bit v3 technology instead.
You can recognise whether a particular page of our website is transmitted in encrypted form by the closed lock or key symbol in the status bar of your browser.

In addition, we use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are regularly updated in line with the state of the art.

6. Information on your rights of objection

You have the right to object to the processing of your personal data at any time if this is based on a legitimate interest (Art. 6 para. 1 lit. f GDPR) and there are reasons arising from your particular situation. In this case, we will no longer process your data unless there are compelling legitimate grounds or legal claims.

You can also object to the processing of your personal data for advertising purposes at any time. This also applies to any associated profiling. After your objection, we will no longer use your data for these purposes.

Please note that the use of our website or services may be restricted if you do not provide certain data or object to the processing. You can send your objection informally by e-mail to service@compay.de.

7. Your further data subject rights and control options

If we process your personal data, you have the following rights under the GDPR (Art. 15 to 18 and 21):

Withdrawal of your consent to data processing

You can withdraw your consent to the processing of your data at any time. The processing carried out up to that point remains lawful.

Right to information (Article 15 GDPR)

You have the right to information about your data, its origin, recipients and processing purposes. You can also request a copy of your data free of charge.

Right to rectification (Article 16 GDPR)

You can request the rectification of your incorrect or incomplete data.

Right to erasure (Article 17 GDPR)

You can request that we erase your personal data if the legal requirements for this are met. This is the case, for example, if:

  • the data is no longer necessary for the purposes for which it was collected or otherwise processed
  • you withdraw your consent, which is the basis for the data processing, and there is no other legal basis for the processing
  • you object to the processing of your data and there are no overriding legitimate grounds for the processing or you object to data processing for direct marketing purposes
  • the data has been processed unlawfully
  • the processing is not necessary to ensure compliance with a legal obligation that requires us to process your data

Right to restriction of processing (Article 18 GDPR)

You have the right to demand that we restrict the processing of your personal data if

  • you contest the accuracy of the data, for the period during which we verify the accuracy
  • the processing is unlawful, but you request the restriction of use instead of erasure
  • we no longer need your data, but you need it to assert, exercise or defend legal claims
  • you have objected to processing, pending the verification whether our legitimate grounds override yours

Right to data portability (Article 20 GDPR)

You have the right to data portability if the processing is based on your consent or a contract and is technically feasible.

If you have any questions, please contact our data protection officer at datenschutz@compay.de or our support team at service@compay.de

Or by post to:

Compay GmbH
Data Protection Officer
Mettmanner Straße 25 / Building 13
40699 Erkrath
Germany

You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). The authority responsible for us is:

The State Commissioner for Data Protection of North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Germany

However, you can also contact the authority at your place of residence or workplace.

8. Amendment of the data protection declaration

This privacy policy may change, e.g. if legal requirements are adapted or our services change (e.g. introduction of new services).

9. Information on cookies and similar technologies, web analyses and tracking

We use so-called cookies on our website.
Cookies are small text files that are stored on your device. They contain information about your settings or actions on a website, but do not identify you directly.

We use two types of cookies: session cookies, which are automatically deleted when you close your browser, and persistent cookies, which remain stored on your device for a certain period of time.

Session cookies store a so-called session ID. This allows several requests from your browser to be assigned to one session. This means that your computer can be recognised when you return to our website. These cookies are deleted when you log out or close the browser.

Persistent cookies initially remain stored, even if you close the browser. They are only deleted after a certain period of time, which varies depending on the cookie. You can delete these cookies at any time in the security settings of your browser.

We also use other tracking technologies such as pixel tags. These help us to analyse the behaviour of users on our website. Pixel tags are transparent one-pixel images that are located on the website. They track, for example, whether a certain area of the website has been clicked on. When triggered, the pixel tag logs a user interaction and can read or set cookies. As pixels often rely on cookies to function, switching cookies off can affect them. But even if you switch off cookies, pixels can still recognise a website visit.

Such technologies make using our website more pleasant for you and increase user-friendliness. As a result, you do not have to make certain entries and settings again.

The data processing for the aforementioned purposes by these cookies is necessary to protect our legitimate interests and the interests of third parties in accordance with Article 6(1)(f) GDPR.

In order to fulfil legal requirements, we use the Borlabs consent service from Borlabs GmbH, Rübenkamp 32, 22305 Hamburg. The date and time of your visit, browser information, consent information, device information and your IP address are processed using cookies.

The legal basis for obtaining and managing legally required consents is Article 6(1)(c) GDPR.

Google Analytics

Our website uses Google Analytics. This service is operated by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
Google Analytics uses cookies to analyse the use of the website – for example, how many visitors come and how they behave.

The information generated by the cookie about your use (e.g. identifier, browser type, operating system, referrer URL, shortened IP address, time) is usually transferred to a Google server in the USA and stored there.
However, your IP address is first truncated in the EU or EEA. We have integrated the code “gat.anonymizeIp();” for this purpose. This ensures that your IP address is collected anonymously (so-called IP masking).

Only in rare cases is the full IP address transmitted to a server in the USA and only truncated there.
If data is transferred to the USA, Google guarantees that the level of data protection corresponds to that in the EU within the framework of the Data Privacy Framework (DPF) and through EU standard contractual clauses.

Google uses the data on our behalf to compile reports on website activity, analyse usage and provide other services.
We do not merge the IP address transmitted by Google Analytics or Google Tag Manager with other Google data.


Detailed information on all cookies used can be found in our Consent Manager.

Google Signals

Our website can also use Google Signals as an extension of Google Analytics 4. This allows reports to be created that analyse cross-device usage.

If you have activated personalised advertising and your devices are connected to your Google account, Google can analyse your behaviour across different devices if you have consented to the use of Google Analytics (Art. 6 para. 1 lit. a GDPR). Among other things, Google creates database models for so-called cross-device conversions.
We do not receive any personal data from Google, only statistical analyses.

If you do not want this analysis, you can deactivate the “Personalised advertising” function in your Google account.
You can find more information here:
🔗 https://support.google.com/ads/answer/2662922?hl=de
🔗 https://support.google.com/analytics/answer/7532985?hl=de