Privacy Policy for the ALLPLAN Shop
 

As of: April 16, 2026

Data protection is of the utmost importance to our company. This privacy notice provides you with an overview of how we process your personal data when you visit our ALLPLAN Shop and purchase our ALLPLAN products. We inform you about what data we collect from you and how we use it. We also explain your rights under applicable data protection laws and let you know who to contact if you have any questions.

Personal data refers to any data that can be personally identified with you, such as your name, address, email addresses, and user behavior. We have implemented comprehensive technical and operational safeguards to protect your data from accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security procedures are regularly reviewed and adapted to technological advancements.

 

1. Data Controller

Jointly responsible in accordance with Art. 4(7) of the EU General Data Protection Regulation (GDPR)

ALLPLAN GmbH
Konrad-Zuse-Platz 1
81829 Munich
Germany

as well as the following companies affiliated with ALLPLAN GmbH:

  • ALLPLAN Deutschland GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany
  • ALLPLAN Austria GmbH, 1, Urstein S 19, 5412 Puch, Austria
  • Design Data Corp. (d/b/a ALLPLAN), 8333 Glynoaks Dr., Suite 200, Lincoln, Nebraska 68516, USA
  • NEMETSCHEK APAC PTE. Ltd., 9 Raffles Place, #24-01 Republic Plaza, Singapore 048619
  • ALLPLAN France S.a.r.l., Tour Hyfive, 1 Avenue du Général de Gaulle, 92800 Puteaux, France
  • ALLPLAN Italia S.r.l., Via Giovanni Battista Trener, 8, 38121 Trento TN, Italy
  • ALLPLAN Schweiz AG, Hertistrasse 2C, 8304 Wallisellen, Switzerland
  • ALLPLAN SYSTEMS ESPAÑA, S.A., C. de Raimundo Fernández Villaverde, 30, Office 314, 28003 Madrid, Spain
  • ALLPLAN Česko s.r.o., Evropská 2590/33c, Dejvice, 160 00 Prague 6, Czech Republic
  • ALLPLAN Slovensko s.r.o., Bajkalská 19B, 821 01 Bratislava, Slovakia
  • SCIA nv, Corda Campus 1 / 2nd floor, Kempische Steenweg 311 / 2.06, 3500 Hasselt, Belgium

Email: info[at]allplan.com

As part of business operations, it is essential that data be exchanged regularly between ALLPLAN’s branches and subsidiaries to promote intra-group collaboration and utilize resources effectively. For this reason, central processes are not limited to a single group company but extend to other group companies as well, benefiting from the processes and resources established there. The ALLPLAN companies therefore collaborate in many areas, particularly regarding order processing in our ALLPLAN Shop, and act as so-called joint controllers for this website in the sense of data protection law, as indicated above.
 

Information on the essential content of the agreement regarding joint responsibility:

To ensure the security of processing and the effective exercise of your rights, and against the background described above, the member companies have entered into an agreement as joint controllers within the meaning of Art. 26 GDPR in conjunction with Art. 4(7) GDPR. This agreement governs the following points in particular:

  • Subject matter, purpose, means, and scope, as well as the responsibilities and liability regarding data processing
  • Information for data subjects
  • Fulfilment of the data subjects’ other rights
  • Security of processing
  • Engagement of processors
  • Procedure in the event of data breaches
  • Other joint and mutual obligations
  • Cooperation with supervisory authorities
  • Liability

 

2. How to contact the Data Protection Officer

You can contact our Data Protection Officer at datenschutzbeauftragter[at]allplan.com or at our mailing address with the note “Data Protection Officer.”

 

3. Legal Basis for Our Data Processing

The processing of personal data may be based on various legal grounds. If we require your data to fulfill a contract with you or to respond to inquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(b) of the GDPR. If we obtain your consent for a specific data processing activity, the legal basis is Article 6(1)(a) of the GDPR. We carry out some data processing activities based on our legitimate interests, always balancing your interests worthy of protection against our legitimate interests. The legal basis for this is Article 6(1)(f) of the GDPR. To the extent that processing is necessary to fulfill a legal obligation to which we are subject, the legal basis is Article 6(1)(c) of the GDPR.

Below, we explain how we process your personal data when you use the ALLPLAN Shop.

Legal basis for our data storage under the TTDSG

According to § 25 TTDSG, the storage of information on the end user’s terminal device or access to information already stored on the terminal device is only permissible if the end user has given consent based on clear and comprehensive information, i.e., has agreed to the data processing.

For the storage of information on your device or access to information already stored on your device, we therefore obtain your consent in accordance with Section 25(1) TTDSG and consequently process even purely technical data only after obtaining your consent.

In providing information to you and obtaining your consent, we adhere to the requirements of the TTDSG in accordance with the provisions of the GDPR.

Pursuant to Section 25(2) of the TTDSG, consent is not required in exceptional cases

  • if the sole purpose of storing information in the end-user’s terminal equipment or the sole purpose of accessing information already stored in the end-user’s terminal equipment is the execution of the transmission of a message via a public telecommunications network, or
     
  • if the storage of information in the end-user’s terminal equipment or access to information already stored in the end-user’s terminal equipment is absolutely necessary for the provider of a telemedia service to make available a telemedia service expressly requested by the user.

 

4. Processing of Personal Data When Visiting the ALLPLAN Shop Website

Our ALLPLAN Shop is available at https://www.allplan.com/shop. When you visit the ALLPLAN Shop for informational purposes only—that is, without registering—we collect the following technical information (log file data):

DataPurpose of processingRetention period
Operating system usedAnalysis by device to ensure optimized website displayThe data is generally deleted from log files after 30 days for the purpose of operating the website and protecting against misuse in accordance with our security regulations.
Information about the browser type and version usedAnalysis of the browsers used to optimize our websites for them
User’s Internet service providerAnalysis of Internet service providers
IP addressDisplay of the website on the respective device
Date and time of the visitEnsuring the proper functioning of the website.
If applicable, manufacturer and model name of the smartphone, tablet, or other end deviceAnalysis of device manufacturers and types of mobile devices for statistical purposes
Name of the page accessedEnsuring the proper functioning of the website
Referrer URL (the source URL from which you arrived at the website)Ensuring the proper functioning of the website


The collection of this data is technically necessary to display our website to you and to ensure stability and security. We (and our hosting service providers) generally do not know who is behind an IP address. We do not combine the data listed above with other data.

The legal basis is the legitimate interest pursuant to Art. 6(1)(f) GDPR, as well as § 25(2)(2) TTDSG. In the context of the balancing of interests pursuant to Art. 6(1)(f) GDPR, we have considered and weighed our interest in providing the service against your interest in the processing of your personal data in compliance with data protection regulations. Since the following data is technically necessary for the provision of our service in order to offer you our website and to ensure stability and security, in particular to provide protection against misuse, we have concluded that this data must be processed—with state-of-the-art data security measures in place—while your interest in data protection-compliant processing is appropriately taken into account. If the processing is based on a different legal basis (e.g., consent pursuant to Art. 6(1)(a) GDPR, § 25(1) TTDSG), this will be indicated accordingly.
 

4.1 Use of Alokai

We use the services of Alokai Sp. z.o.o., Przeskok 2, 00-032 Warsaw, Poland (“Alokai”) for the technical provision and delivery of our online store. Alokai is a front-end platform (“Frontend as a Service”) for e-commerce applications through which the content of our online store is delivered to and processed on end devices. In this context, the processing of personal data may occur.

Nature and Scope of Processing
When using our online store via Alokai, the following data in particular may be processed:

  • IP address
  • Device and browser information (e.g., type, version)
  • Operating system
  • Time of access
  • Referrer URL
  • Technical usage data and interactions in the online store (e.g., pages viewed, navigation, shopping cart actions)
  • Login and customer data, if applicable (particularly when using a user account or as part of the ordering process)

Processing is carried out for the technical provision, optimization, and security of our online store. Without processing this data, the use of our online store is technically not possible or only possible to a limited extent.

Purposes of processing
The processing of the aforementioned data is carried out for the following purposes:

  • Provision and delivery of web shop content
  • Ensuring the stability and security of the systems (e.g., defense against attacks, error analysis)
  • Optimizing loading times and performance (e.g., use of caching mechanisms and content delivery networks)
  • Supporting the functionalities of the online store (e.g., shopping cart, login, order processing)
     

Legal Basis
Processing is based on:

  • Art. 6(1)(b) GDPR (performance of a contract), to the extent that processing is necessary for the use of the online store, the maintenance of a user account, and the fulfillment of orders;
  • Art. 6(1)(f) GDPR (legitimate interest), in particular in the secure, efficient, and user-friendly provision of our online store, as well as in ensuring the functionality and security of our IT systems.
     

Data Processing
Alokai acts as a data processor for us within the meaning of Art. 28 GDPR. We have entered into a data processing agreement with Alokai that specifically governs the nature, scope, and purpose of the processing, as well as appropriate technical and organizational measures to protect your data. Alokai processes personal data exclusively in accordance with our documented instructions and not for its own purposes.

Data Transfer to Third Countries
Alokai uses a cloud infrastructure based on the Google Cloud Platform to provide its services and may utilize Content Delivery Networks (CDN) with locations worldwide . It cannot therefore be ruled out that, in the course of Alokai’s service provision, personal data may be processed in countries outside the European Union or the European Economic Area (in particular in the USA).

In such cases, we ensure that appropriate safeguards exist in accordance with Article 46 of the GDPR, in particular by entering into the Standard Contractual Clauses adopted by the European Commission and, where necessary, by implementing additional technical and organizational measures (e.g., encryption, pseudonymization). Upon request, we will be happy to provide you with further information regarding the safeguards in place.

Retention Period
We generally store personal data only for as long as is necessary for the purposes mentioned above or as required by law.

This means in particular:

  • Log and usage data (e.g., IP address, access times, technical events) are generally retained for a period of 30 days to ensure the stability and security of the online store and for the purposes of error analysis, and are subsequently deleted or anonymized unless longer retention is required in individual cases (e.g., to investigate a security incident).
     
  • Customer data associated with user accounts and orders is processed for the duration of the user account or for the performance of the contractual relationship and is otherwise stored in accordance with statutory retention periods.

To the extent that data is processed based on your consent, it will be deleted if you revoke your consent with future effect, provided there is no other legal basis for further processing.

 

5. Registration

To shop in our ALLPLAN Shop, you must first register with us and create a user account. We process your personal data as part of the registration process for individual user access and to process orders and payments, as well as to handle contact and service requests.

We use the so-called double opt-in procedure for registration. This means that after you provide your email address, we will send a confirmation email to the address you provided, asking you to confirm your registration. If you do not confirm this within 24 hours, your registration will be automatically deleted from the database. Upon confirmation, we store your data for the retention period specified in the table. This storage also enables participation in the ALLPLAN Community, which allows you to use our services (ALLPLAN Cloud, ALLPLAN Connect, ALLPLAN Campus) with a single account. After successful registration, you will receive personal, password-protected access and can view and manage the data you have provided.

Furthermore, we store the time of registration during the registration process. The purpose of this procedure is to be able to verify your registration in accordance with our accountability obligations and, if necessary, to investigate any potential misuse of your personal data. Based on the fulfillment of our accountability obligations, we have a legitimate interest pursuant to Art. 6(1)(f) GDPR in processing the data from the double opt-in procedure.

For registration, we collect and store the following personal data from you:

DataPurpose of processingLegal basis for processingRetention period
Email address and usernameCreation of the user accountLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the user account is closed
PasswordCreation of the user accountLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the user account is closed
IP address upon registrationProof of double opt-inLegitimate interest; Art. 6(1)(f) GDPR; § 25(2)(2) TTDSG – technical necessity3 years after termination of the customer relationship
Time of registrationProof of double opt-inLegitimate interest; Art. 6(1)(f) GDPR; § 25(2)(2) TTDSG – technical necessity3 years after the end of the customer relationship
IP address for DOIProof of double opt-inLegitimate interest; Art. 6(1)(f) GDPR; § 25(2)(2) TTDSG – technical necessity3 years after the end of the customer relationship
Time of DOI verificationProof of double opt-inLegitimate interest; Art. 6(1)(f) GDPR; § 25(2)(2) TTDSG – technical necessity3 years after the end of the customer relationship
Customer numberAssignment in the case of an existing contractual relationshipLegitimate interest; Art. 6(1)(f) GDPR; performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax statute of limitations (10 years after the end of the contractual relationship)
SalutationDirect communication within the scope of the contractual relationshipLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)
First nameDirect communication within the scope of the contractual relationship / invoicingLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)
Last nameDirect communication within the scope of the contractual relationship / invoicingLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)
CompanyInvoicingLegitimate interest; Art. 6(1)(f) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)
PhoneContract performance 
(User support)		Legitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRAfter the end of the contractual relationship
LanguageLanguage settingsLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRafter the end of the contractual relationship)
CountryConclusion and performance of the contractLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)
AddressInvoicingLegitimate interest; Art. 6(1)(f) GDPR; Performance of a contract; Art. 6(1)(b) GDPRUntil the end of the tax limitation periods (10 years after the end of the contractual relationship)


The personal data that must be provided is marked as a required field on the respective registration form; any additional information is voluntary.

You can delete your user account at any time. Upon deletion of the account, all personal data not subject to a legal retention obligation or Article 17(3) of the GDPR will be anonymized.

 

6. Order Processing and Payment Handling

When you place an order in our ALLPLAN Shop to purchase one of our products, we process the data stored in your user account to enable you to complete your order. This includes the following data:

  • First name, last name
  • Company
  • Customer number
  • Billing/shipping address
  • Email address
  • Phone number (if applicable)
     

In addition, we process the following additional data that you provide to us when placing your order:

  • Information about orders placed (products, licenses, license terms)
  • Information regarding the payment method, as well as the associated details required to process the payment.


The legal basis for the data processing involved here is Article 6(1)(b) of the GDPR, insofar as the processing of your data is necessary for the execution of the order process, the purchase, and payment processing. Furthermore, the legal basis for the associated data processing is Article 6(1)(f) of the GDPR, our legitimate interest in enabling a smooth ordering process and the provision of our products, and in handling all your requests as efficiently as possible. If you order products/licenses as a contact person for a company or organization, we process your data on the basis of Article 6(1)(f) of the GDPR, namely our legitimate interest in offering our products to your company and, for this purpose, processing your data as the responsible contact person.
 

Reseller Verifone (dba 2Checkout)

For the distribution of our products in the ALLPLAN Shop, we use our distribution partner Verifone Payments B.V. dba 2Checkout, Singel 250, 2nd Floor, 1016AB Amsterdam, Netherlands, or Avangate, Inc., Suite 1100, 817 Broadway, New York, NY, USA, or Avangate BV Merkezi Hollanda Istanbul Merkez Subesi, Mecidiyeköy Mahallesi, Şehit Ahmet Sokak, ADA Residence Apt. No: 6 -10/16, Şişli / Istanbul, Turkey—depending on our customer’s location—(hereinafter “Verifone”), a provider of e-commerce sales services. Verifone is an authorized reseller of all our products offered to you in our ALLPLAN Shop. When you order one of our products through the ALLPLAN Shop, Verifone is therefore your contractual partner and seller, and you are the buyer. Verifone is authorized by us to conclude the purchase or license agreement with you in its own name and to carry out and monitor the subsequent processing of your order, in particular payment processing. The provision of the license key for the software purchased from , as well as support, maintenance, and further development services, will be provided by us, the product manufacturer, following your order.

When you submit your order in our ALLPLAN Shop by clicking the “Place Order” button, your order and payment details are forwarded to our sales partner Verifone. The data includes your first name, last name, company name, information about the order placed (products/licenses and terms), billing and shipping addresses, email address, and bank and payment details.

Verifone processes your data for the purpose of concluding the contract, as well as for order and payment processing. Payment processing is carried out in accordance with the selected payment method. In this context, your data may also be processed by Verifone for the purpose of conducting identity and credit checks in order to assess your creditworthiness as accurately as possible when granting payment methods involving credit risk. In addition, your data is processed by Verifone for its own purposes, such as, in particular, the prevention of misuse and fraud.

Please note that, as stated in its own privacy policy, Verifone may transfer your personal data to servers located in the United States during the order and contract processing. According to Verifone, such data processing and transfers to the third country (the United States) are safeguarded by entering into data processing agreements in accordance with Art. 28 of the GDPR and the adoption of EU Standard Contractual Clauses in accordance with the requirements of Article 46(2)(c) of the GDPR, as well as, where applicable, further technical and organizational measures, to the extent that such measures are necessary.

Verifone is the sole controller within the meaning of Article 4(7) of the GDPR for all of the aforementioned data processing activities. Comprehensive information regarding data processing by Verifone can be found in their Privacy Policy: 2CO Support Center | Privacy Policy

Upon conclusion of the contract between you and Verifone, we receive, via an automated process for the purpose of transaction tracking, the provision of the license key for the products covered by the contract, and the provision of further services, information regarding whether the transaction was successfully completed. The legal basis for our data processing is Article 6(1)(b) of the GDPR, insofar as the processing of your data is necessary for the performance of the aforementioned activities. Furthermore, the legal basis for the associated data processing is Article 6(1)(f) of the GDPR, namely our legitimate interest in enabling to provide our products to you seamlessly and to address all your concerns as efficiently as possible. If you order products/licenses as a contact person for a company or organization, we process your data on the basis of Article 6(1)(f) of the GDPR, namely our legitimate interest in being able to offer our services to your company.

 

7. Cookies and Website Analytics

7.1. Cookies

Our website uses cookies. Cookies are files that are stored on your computer by a website you visit and enable your browser to be recognized upon subsequent visits. Cookies transmit information to the entity that sets the cookie. Cookies can store various types of information, such as your language settings, the duration of your visit to our website, or the data you enter there. This prevents you, for example, from having to re-enter required form data every time you use the site. The information stored in cookies can also be used to identify preferences and tailor content to your areas of interest.

There are different types of cookies: Session cookies are data sets that are only temporarily stored in the working memory and deleted when you close your browser. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. With this type of cookie, the information may also be stored in text files on your computer. However, you can delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is permitted to read information from these cookies. Third-party cookies are set by organizations that do not operate the website you are visiting. These cookies are used, for example, by marketing companies.

The legal basis for the processing of personal data via cookies and their retention period may vary. To the extent that you have given us your consent, the legal basis is Section 25(1) of the TTDSG and Article 6(1)(a) of the GDPR. To the extent that data processing is based on our overriding legitimate interests, the legal basis is Section 25(2)(2) of the TTDSG and Article 6(1)(f) of the GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionalities, to measure reach, and—with your consent via —to tailor our services to your preferred areas of interest.

You can delete cookies already stored on your device at any time. If you wish to prevent cookies from being stored, you can do so through the settings in your web browser. Instructions for common browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome Mobile, Microsoft Edge, Safari, Safari Mobile. Alternatively, you can install ad blockers. Please note that certain features of our website may not work if you have disabled cookies.

When visiting our website, all users are also informed about our use of cookies via an information banner from our consent management platform, Usercentrics, and directed to this privacy policy. As a user, you will also be asked to consent to the use of certain cookies, particularly those relevant for personalizing services and for marketing purposes. You may revoke any consent you have given at any time with future effect by accessing the cookie management settings via the icon (fingerprint) in the lower-left corner of each page and unchecking the box next to the processing for which you had given consent. In the cookie management settings, you will also find further information about the cookies we use.

 

7.2 Usercentrics

We use the Usercentrics service to manage consent on our website. Usercentrics is software provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich.

Usercentrics determines the language used by your browser. A cookie is set to check whether you have already made a selection in our consent tool during a previous visit to our website. This cookie is necessary because it allows the website to recognize whether you have consented to tracking or not. In addition, a log file is created to provide proof of consent. This file contains the IP address in anonymized form, information about the browser used, data regarding the scope of consent, as well as the date and time of the visit. The legal basis for this is found in Section 25(2)(2) of the German Teleservices Data Protection Act (TTDSG) as well as in our legitimate interest pursuant to Article 6(1)(f) of the General Data Protection Regulation (GDPR).

The purpose of data processing is to ensure that our website is user-friendly and compliant with the law. We want to make it as easy as possible for you to grant or revoke consent and to increase the transparency of data processing on our website using cookies, pixels, tags, or similar technologies. Our legitimate interest also lies in the purpose of data processing.

The cookie containing your consent or refusal to use cookies is stored on your device for one year. Consent data (consent granted and withdrawal of consent) is retained for three years.

Cookies are stored on the user’s computer and transmitted from there to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings of your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all of the website’s features to their full extent.

 

7.3. Website Analysis

For the purposes of analyzing and optimizing our websites, we use various services, which are described below. We use these services to analyze how many users visit our site, which information is most in demand, and how users find our offerings. In doing so, we also collect data on which website a user came from to reach our website (known as a referrer), which subpages of our website were accessed, and how often and for how long a subpage was viewed. This helps us design our offerings to be user-friendly, identify errors, and improve our offerings.

 

7.3.1 Matomo

We use the open-source web analytics software Matomo on our website. The software is operated exclusively on our own servers.

Cookies are used in this process, which enable an analysis of website usage. For this purpose, the usage information collected in the cookie (including your truncated IP address) is transmitted to our server and stored for usage analysis purposes. With Matomo, no data is transmitted to servers outside our control. Your IP address is immediately anonymized during this process, so that you, as a user, cannot be identified by us. The information collected about your use of this website is not shared with third parties. We use the collected data for statistical analysis of user behavior to optimize the functionality and stability of the website and for marketing purposes. Our interest in and the purpose of data processing lie in optimizing our website, tailoring the content, and improving our offerings. Users’ interests are sufficiently safeguarded through anonymization. We store the analysis data only for as long as required by the purpose of data processing, but for a maximum of 14 months.

The legal basis for accessing the information is your consent pursuant to Section 25(1) of the German Teleservices Data Protection Act (TTDSG). The legal basis for the data processing described is your consent, Article 6(1)(a) of the General Data Protection Regulation (GDPR). You may revoke your consent at any time with future effect by changing your selection in the cookie settings (see above, Section 5. Cookies). Alternatively, you may delete your cookies (all or only those from this website). The banner with the options will then be displayed again.

 

7.3.2 Google Analytics 4

If you have given your consent, this website also uses Google Analytics 4, a web analytics service provided by Google LLC. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Google Analytics 4 uses cookies that enable an analysis of your use of our websites. The information collected via the cookies regarding your use of this website is generally transmitted to a Google server in the U.S. and stored there.

In Google Analytics 4, IP address anonymization is enabled by default. Due to IP anonymization, your IP address is truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and truncated there. The IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your visit to the website, your user behavior is recorded in the form of “events.” Events may include:

  • Page views
  • First visit to the website
  • Start of the session
  • Your “click path,” interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal search queries
  • Interaction with videos
  • Ads viewed / clicked
     

The following is also tracked:

  • Your approximate location (region)
  • Your IP address (in truncated form)
  • Technical information about your browser and the devices you use (e.g., language settings, screen resolution)
  • Your internet service provider
  • The referrer URL (the website or advertising material through which you arrived at this website)

On behalf of ALLPLAN, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients of the data are/may be

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a processor pursuant to Art. 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
     

It cannot be ruled out that U.S. authorities may access the data stored by Google.

To the extent that data is processed outside the EU/EEA and there is no level of data protection equivalent to the European standard, we have entered into EU Standard Contractual Clauses with the service provider to ensure an adequate level of data protection. The parent company of Google Ireland, Google LLC, is headquartered in California, USA. The transfer of data to the USA and access by US authorities to data stored by Google cannot be ruled out. From a data protection perspective, the USA is currently considered a third country. You do not have the same rights there as you do within the EU/EEA. In some cases, you may not have any legal remedies against access by authorities.

The data we send and that is linked to cookies is automatically deleted after 14 months. Data that has reached the end of its retention period is automatically deleted once a month.

The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR. You may revoke your consent at any time with future effect by changing your selection in the tracking settings (see above, under Cookies). Alternatively, you can delete your cookies (all or only those from this website). The banner with the options will then be displayed again.

Alternatively, you can prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in limited functionality on this and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by

1. not giving your consent to the setting of the cookie or

2. downloading and installing the browser add-on to disable Google Analytics here.

For more information on the terms of use of Google Analytics and Google’s privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/?hl=de.

 

7.3.3 WEBYN

Data processing serves the purpose of analyzing the website’s performance and improving the website’s design to meet user needs. Visitors’ digital behavior is analyzed using the WEBYN plugin. The analysis results are then presented graphically.

Specifically, the following data is processed:

o Unique identification information (e.g., IP addresses (for the website only), unique user IDs, and other similar unique identifiers);

o Technical information about the website and the mobile application (e.g., the pages of a website or application that a visitor has visited, the type of the visitor’s computer operating system, the type of the visitor’s web browser, JS errors, other technical backend data, etc.);

o Behavioral information (e.g., how a visitor interacted with the website or app, mouse or touch movements, scrolling, mouse clicks, screen taps, or zoom information; time of interaction, etc.).

This creates a log of mouse movements and clicks. We analyze logs from individual website visits on a random basis to identify opportunities for website improvements. From the information in the logs, we can determine which website sections are preferred by visitors.

We store this analytical data for 30 days.

The legal basis for the data processing described is your consent, Art. 6(1)(a) GDPR. You may revoke your consent at any time with future effect.

Further information on data protection at WEBYN can be found online at: https://www.webyn.ai/en/privacy.

 

8. Google Tag Manager

For transparency purposes, we would like to point out that we use Google Tag Manager from the provider Google Ireland Limited (Registration No.: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager does not collect any personal data itself. Google Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that serve, among other things, to measure traffic and visitor behavior, track the impact of online advertising and social media channels, set up remarketing and targeting, and test and optimize websites. We use Tag Manager for the Google Analytics service. If you have opted out, this opt-out will be honored by Google Tag Manager. For more information about Google Tag Manager, see: https://www.google.com/intl/de/tagmanager/use-policy.html.

 

9. Social Bookmarks

Our website integrates social bookmarks from the following providers:

  • Facebook (Operator: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland)
  • LinkedIn (Operator: LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA, 94085-2810 USA)
  • Instagram (Operator: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland)
  • YouTube (Operator: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043)
     

Social bookmarks are internet bookmarks that allow users of such services to collect links and news articles. These are integrated into our website solely as links to the respective services. After clicking on the embedded graphic, you will be redirected to the respective provider’s website; that is, user information is only transmitted to the respective provider at that point. For information on how your personal data is handled when using these websites, please refer to the respective providers’ privacy policies.

 

10. Retention Period

We store your personal data for as long as necessary to fulfill our legal and contractual obligations in connection with the processing of your order through our ALLPLAN Shop. Data related to an order process is generally retained for 10 years after the order is completed and then deleted, unless further processing is necessary for the following purposes:

After the expiration of a contract, we generally delete your data after 10 years to comply with commercial and tax law retention obligations (in particular retention periods under the German Commercial Code (HGB) or the German Fiscal Code (AO)). To preserve evidence within the framework of the statute of limitations provisions of the German Civil Code (BGB), retention for up to 30 years may be necessary in individual cases.

 

11. Disclosure of Data

We do not transfer your personal data to third parties for purposes other than those listed. We only disclose your personal data to third parties if:

  • you have given your express consent,
  • the disclosure is necessary to assert, exercise, or defend legal claims, and there is no reason to believe that you have an overriding legitimate interest in the non-disclosure of your data,
  • where there is a legal obligation to disclose such information, and where this is permitted by law and necessary for the initiation of contracts or the fulfillment of contractual relationships with you.
     

External service providers and partner companies receive your data from us only to the extent necessary to process your order. These are service providers in the following categories:

  • IT service providers (e.g., maintenance, hosting, and front-end service providers such as Alokai)
  • Payment service providers
  • Credit bureaus for the assessment of creditworthiness and default risks
     

In these cases, however, the scope of the data transmitted is limited to the necessary minimum. To the extent that our service providers come into contact with your personal data, we ensure, within the framework of order processing pursuant to Art. 28 GDPR, that they comply with the provisions of data protection laws in the same manner. Please also note the respective privacy policies of the providers. The respective service provider is responsible for the content of third-party services, although we will, to the extent reasonably possible, verify that the services comply with legal requirements.

 

12. Data Transfer to Third Countries

We place importance on processing your data within the EU/EEA. However, it may occur that we use service providers who process data outside the EU/EEA. In such cases, we ensure that an adequate level of data protection is established at the recipient’s end prior to the transfer of your personal data. This means that, through EU standard contracts (EU Standard Contractual Clauses) as well as through the agreement of any further necessary measures or an adequacy decision by the European Commission, a level of data protection is achieved that is comparable to the standards within the EU.

Such a transfer may occur in particular when using IT service providers for the operation of our ALLPLAN Shop (e.g., front-end platforms and content delivery networks such as when using Alokai, see Section 4.1) as well as when using our sales partner Verifone for order and payment processing. Further details regarding the service providers used in this context and the respective data processing activities can be found in the relevant sections of this Privacy Policy.

When data is transferred outside the European Union, the high European standard of data protection generally does not apply. In the event of a transfer, there may currently be no adequacy decision by the European Commission within the meaning of Article 45(1) and (3) of the GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the “ ” level of data protection in the European Union under the GDPR; therefore, we have established the aforementioned appropriate safeguards.

Possible risks associated with the data transfer that may not be entirely ruled out include, in particular:

  • Your personal data could potentially be processed beyond the original purpose.
  • Furthermore, there is a possibility that you may not be able to effectively assert and enforce your data protection rights, such as your right to access, rectification, erasure, or data portability.
  • There may also be a higher probability of incorrect data processing, and the protection of personal data may not fully meet the quantitative and qualitative requirements of the GDPR.

 

13. Data Security

Your personal data is transmitted securely via encryption at ALLPLAN. This applies to all form-based processes (including registration, login, and ordering). ALLPLAN uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption system for this purpose. While no one can guarantee absolute protection, ALLPLAN secures its website and other systems through technical and organizational measures against loss, destruction, unauthorized access, alteration, or disclosure of your data by unauthorized persons. Our security procedures are regularly reviewed and adapted to technological advancements.

 

14. Your Rights

You have the following rights with respect to the personal data concerning you:

 

14.1. General Rights

You have the right to access, rectification, erasure, restriction of processing, objection to processing, and data portability. To the extent that processing is based on your consent, you have the right to withdraw this consent with future effect.

To exercise your rights, please contact us by email at datenschutzbeauftragter[at]allplan.com or by mail at ALLPLAN GmbH, Konrad-Zuse-Platz 1, 81829 Munich, Germany. Exercising the rights described in this section is free of charge for you.

 

14.2 Rights Regarding Data Processing Based on Legitimate Interest

Pursuant to Article 21(1) of the GDPR, you have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) GDPR (data processing in the public interest) or Article 6(1)(f) GDPR (data processing to safeguard a legitimate interest); this also applies to profiling based on these provisions. In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

 

14.3 Right to lodge a complaint with a supervisory authority

Without prejudice to these rights and the possibility of seeking other administrative or judicial remedies, at any time to exercise your right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes data protection regulations (Art. 77 GDPR).

 

15. Links to Other Websites

Our websites may contain links to websites operated by other providers. Please note that this privacy policy applies exclusively to the website https://www.allplan.com/shop. We have no influence over and do not monitor whether other providers comply with applicable data protection regulations.

 

16. Changes to the Privacy Policy

We reserve the right to change or amend this privacy policy at any time in accordance with applicable data protection regulations.