DATA PROTECTION

EXIT VR Privacy Policy according to GDPR The following privacy policy is intended to inform you in particular about the type, scope and purpose for the processing of personal data (hereinafter referred to in short as “data”) on our website.

1. Name and address of the responsible party

The party responsible (the controllers) in the sense of the General Data Protection Regulation and other national privacy laws of Memberstates, as well as other privacy regulations, are: EXIT Adventures GmbH Am Zirkus 4 10117 Berlin Managing Directors: Max Mühlbach, Nico Nonne Commercial Register: Amtsgericht Charlottenburg, HRB 180871 B Telephone: +49 (0) 30 208 499 070 E-Mail: hello@exit-vr.de

1. General information about the processing of data

1. Scope of the processing of personal data

We process personal data only in so far as necessary to provide our contents, services and a functioning website. User data is regularly only processed after the user consented. An exception is made only in such cases where a previous consent is not possible and where processing of such data is permitted through legal provisions. We process inventory data (e.g. name, address and email-address), contractual data (e.g. provided services, payment information) in order to fulfill our contractual duties and services in line with Art. 6 Para. 1 lit b. GDPR. The required entries in online forms are necessary for the conclusion of a contract.

2. Legal basis for the processing of personal data

If we obtain the consent of a user for processing operations of his or her data, then Art. 6 Para. 1 lit. a) GDPR is the legal basis for this processing. When the processing of data is required to fulfill a contract with a concerned party, then Art. 6 Para. 1 lit. b) GDPR is the legal basis for this processing. This also applies to processing operations which are required to carry out precontractual measures. If a processing of personal data is required to fulfill legal obligations which our company is subject to, then Art. 6 Para. 1 lit. c) GDPR is the legal basis for this processing. In the case that vital interests of a concerned party or another natural person require the processing of personal data, then Art. 6 Para. 1 lit. d) GDPR is the legal basis for this processing. If the processing of data is required to protect a legitimate interest of our company or a third party and if said interests outweigh the interests, fundamental rights and fundamental freedoms of the concerned party, then Art. 6 Para. 1 lit. f) GDPR is the legal basis for this processing.

3. Deletion of data and duration of data storage

The personal data of a concerned party will be deleted or blocked when the purpose of its storage ceases to apply. Storage beyond this can be done if stipulated by European or national legislation in federal regulations, laws or other provisions which the responsible party is subject to. Unless further storage is required to conclude or fulfill a contract, data will also be deleted or blocked if a stipulated storage period of aforementioned standards expires.

4. Cooperation with processors and third parties

If we transmit data to other persons and companies (processors or third parties) or grant them otherwise access in order to process data, we only do so on the basis of a legal permission, the consent of the concerned party, a legal obligation, executing contractual relationships (e.g. bookingkit, Mangopay) with the concerned party or if we have a legitimate interest in the transmission (e.g. for the assignment of agents or webhosts etc.). If we assign third parties with the processing of data on the ground of a so called “order-processing contract”, then Art. 28 GDPR is the legal basis for such actions.

5. Data security

We employ on our website the widespread SSL-method (Secure Socket Layer) in conjunction with the encryption which is supported by the user’s browser. In most cases this will be 256-bit encryption. If the used browser does not support 256-bit encryption, the 128-bit v3 technology will be applied instead. Whether a single page of our internet presence is transmitted with encryption can be discerned by the depiction of a key or closed padlock in the lower status bar of the used browser. We furthermore apply suitable technological and organizational safety measures to protect data against accidental or intentional manipulations, partial or complete loss, destruction or unauthorized access by third parties. Our safety measures are continuously improved according to technological advancements.

6. Company profiles on social media

We operate company profiles on social networks and platforms to communicate with customers, potential customers and users in order to inform them about our services. Business conditions and data processing regulations of the respective operators apply when accessing their networks and platforms. Unless otherwise indicated in our data protection declaration, we process the data of users who interact with us on social networks and platforms, e.g. by posting or sending us messages.

• Provision of the website and generation of logfiles

When accessing our website https://exit-vr.de, the browser on the used terminal automatically sends information to the server of our website. This information is temporally stored in a so called logfile. The following information is mechanically collected and stored until it is automatically deleted:

1. type and version of the used browser
2. the user’s operating system

• the user’s internet service provider

1. the user’s IP address
2. the date and time of the visit
3. the website from which the user came (referrer URL)

• the webpages on our site visited
• protocol (GET or POST)

1. status code (200 or 500)

The stated data is used for the following purposes:

• to ensure a smooth access to the website
• to ensure a comfortable use of our website
• to evaluate the security and stability of the system
• for further administrative purposes

The basis for this storage is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the above listed purposes. The collected data is under no circumstances used to draw conclusions to the user as an individual. We furthermore use cookies and analytical services when our website is visited. Further explanation about said devices can be found under Art. V and VIII of this data protection declaration.

1. Usage of cookies

1. General information

We use cookies on our website. Cookies are small text files or other storage technologies stored on your terminal (laptop, tablet, smartphone etc.) by your browser. These cookies process certain specific information about you, such as your browser, location data, or IP address. Cookies do not harm the terminal, do not contain viruses, trojans or other malware. Cookies contain information which corresponds to the specifically used terminal, but that does not mean that we gain direct knowledge about your identity. This processing makes our website more user-friendly, efficient, and secure, allowing us, for example, to discern which pages your terminal has visited on our website, to display our website in different languages or to offer a booking function. When you close your browser, these session cookies are automatically deleted. We also use temporary cookies which temporarily store entries the user makes on our website. If the user leaves and comes back to make use of our services, those entries are restored so the user does not need to enter them again. We furthermore use those cookies to gather statistical data about the usage of our website in order to optimize our service for the user (see VII.). Temporary cookies are automatically deleted after a certain period. When visiting our website, the user is automatically informed about our usage of cookies and directed to this data protection declaration. The legal basis for such processing is Art. 6 Para. 1 lit. b) GDPR, insofar as these cookies are used to collect data to initiate or process contractual relationships. If the processing does not serve to initiate or process a contract, our legitimate interest lies in improving the functionality of our website. The legal basis is then Art. 6 Para. 1 lit. f) GDPR.

2. Third-party cookies

If necessary, our website may also use cookies from companies with whom we cooperate for the purpose of advertising, analyzing, or improving the features of our website. Please refer to the following information for details, in particular for the legal basis and purpose of such third-party collection and processing of data collected through cookies.

3. Disabling cookies

The user can refuse the use of cookies by changing the settings on your browser. Likewise, the user can use the browser to delete cookies that have already been stored. However, the steps and measures required vary, depending on the browser in use. For any questions, please use the help function or consult the documentation for the browser or contact its maker for support. Browser settings cannot prevent so-called flash cookies from being set. Instead, the user will need to change the setting of the Flash player. The steps and measures required for this also depend on the Flash player in use. For any questions, please use the help function or consult the documentation for the Flash player or contact its maker for support. If the installation of cookies is prevented or restricted, not all the functions on our site may be fully usable.

1. E-mail contact

If you contact us via our email address hello@exit-vr.de, the data you provide will be used for the purpose of processing your request. We must have this data in order to process and answer your inquiry; otherwise we will not be able to answer it in full or at all. This also establishes our legitimate interest for collecting and processing of data acquired by e-mail contacts. Data which is gathered in this context is not transferred to third parties and will solely be used to process the conversation with the user. Legal basis for the processing of data transmitted by sending an email is Art. 6 Para. 1 lit. f) GDPR. If the purpose of the email contact is to conclude a contract, then the legal basis for this data processing is Art. 6 Para. 1 lit. b) GDPR. Personal data will be deleted once we have fully answered the inquiry and there is no further legal obligation to store said data, such as if a contract resulted therefrom. The user may anytime revoke his/her consent for the processing of personal data which is gathered in this way. If the user contacts us via e-mail, then he/she can object the storage of his/her personal data. The conversation cannot be continued in such a case and all personal data collected in such an approach will be deleted.

1. Contact form

For any requests we offer the possibility to contact us via our contact form on our website. The provisioning of the following personal data is required to do so:

• E-mail address

We need this information in order to know who made the request and to answer him/her. The legal basis for this data processing is Art. 6 Para. 1 P. 1 lit. f) GDPR. Said data will be automatically deleted after the conclusion of the request.

• Tracking tools

We use the following tracking tools on the legal basis of Art. 6 Para 1 P. 1 lit. f) GDPR. We want to ensure the adequate configuration and continuous optimization of our website. We furthermore use those tools to gather statistical data about the usage of our website in order to optimize our service for the user. Those interests are considered justified in accordance with the aforementioned regulation. The respective categories and purposes for the processing of data follow below in the corresponding paragraphs:

1. Google Analytics

We use Google Analytics on our website. This is a web analytics service provided by Google Inc. (https://www.google.com/intl/en/about/), 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google). Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. The Google Analytics service is used to analyze how our website is used. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimization, and economic operation of our site. Usage and user-related information, such as:

• Browser type / version
• Used operating system
• Referrer-URL
• IP address and
• Time of server request

of your visits to our website will be transmitted to a Google server in the United States and stored there. However, we use Google Analytics with the so-called anonymization function, whereby Google truncates the IP address within the EU or the EEA before it is transmitted to the US (IP-Masking). The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and what visitors do once there. This data can also be used to provide other services related to the use of our website and of the internet in general. Google states that it will not connect your IP address to other data. In addition, Google provides further information with regard to its data protection practices at https://www.google.com/intl/de/policies/privacy/partners and https://support.google.com/analytics/answer/6004245?hl=en, including options you can exercise to prevent such use of your data. In addition, Google offers an opt-out add-on at https://tools.google.com/dlpage/gaoptout?hl=en along with further information. This add-on can be installed on the most popular browsers and offers you further control over the data that Google collects when you visit our website. The add-on informs Google Analytics’ JavaScript (ga.js) that no information about the website visit should be transmitted to Google Analytics. However, this does not prevent information from being transmitted to us or to other web analytics services we may use as detailed herein. Alternatively, especially when using a mobile device, the link above may be used to put a opt-out-cookie in the used browser, which inhibits further collection of data via our website. Said opt-out-cookie only works in the browser it was installed on and only on our website.

• Social media plug-ins

Our website uses the plug-ins of the following social networks:

• Facebook
• Twitter
• Instagram

The legal basis is Art. 6 Para. 1 P. 1 lit. f) GDPR. Our legitimate interest lies in improving the quality of our website and advertising purposes. The responsibility to comply with data protection regulations lies with the corresponding service providers. The integration of the mentioned plug-ins is done with the 2-click-method to provide the users of our website with the best protection possible.

1. Facebook

Our website uses the plug-in of the Facebook social network, namely the “Like” and “Share” buttons. Facebook.com is a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. In the EU, this service is also operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, hereinafter both referred to as “Facebook.” Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active Facebook guarantees that it will follow the EU’s data protection regulations when processing data in the United States. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in improving the quality of our website and advertising purposes. Further information about the possible plug-ins and their respective functions is available from Facebook at https://developers.facebook.com/docs/plugins/ If the plug-in is stored on one of the pages you visit on our website, your browser will download an icon for the plug-in from Facebook’s servers in the USA. For technical reasons, it is necessary for Facebook to process your IP address. In addition, the date and time of your visit to our website will also be recorded. If you are logged in to Facebook while visiting one of our plugged-in websites, the information collected by the plug-in from your specific visit will be recognized by Facebook. The information collected may then be assigned to your personal account at Facebook. If, for example, you use the Facebook Like button, this information will be stored in your Facebook account and published on the Facebook platform. If you want to prevent this, you must either log out of Facebook before visiting our website or use an add-on for your browser to prevent the Facebook plug-in from loading. Further information about the collection and use of data as well as your rights and protection options in Facebook’s privacy policy found at https://www.facebook.com/policy.php

2. Twitter

Our website uses the plug-in of the Twitter social network. The Twitter service is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (“Twitter”). Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active Twitter guarantees that it will follow the EU’s data protection regulations when processing data in the United States. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in improving the quality of our website and advertising purposes. If the plug-in is stored on one of the pages you visit on our website, your browser will download an icon for the plug-in from Twitter’s servers in the USA. For technical reasons, it is necessary for Twitter to process your IP address. In addition, the date and time of your visit to our website will also be recorded. If you are logged in to Twitter while visiting one of our plugged-in websites, the information collected by the plug-in from your specific visit will be recognized by Twitter. The information collected may then be assigned to your personal account at Twitter. If, for example, you use the Twitter Tweet button, this information will be stored in your Twitter account and may be published on the Twitter platform. To prevent this, you must either log out of Twitter before visiting our site or make the appropriate settings in your Twitter account. Further information about the collection and use of data as well as your rights and protection options in Twitter’s privacy policy can be found at https://twitter.com/privacy

3. Instagram

Our website uses the plug-in of the Instagram social network. The Instagram service is being offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in improving the quality of our website and advertising purposes. If the plug-in is stored on one of the pages you visit on our website, your browser will download an icon for the plug-in from Instagram’s servers in the USA. For technical reasons, it is necessary for Instagram to process your IP address. In addition, the date and time of your visit to our website will also be recorded. If you are logged in to Instagram while visiting our plugged-in website, the information collected by the plug-in from your specific visit will be recognized by Instagram. The information collected may then be assigned to your personal account at Instagram. If, for example, you use the Instagram button, this information will be stored in your Instagram account and may be published on the Instagram platform. To prevent this, you must either log out of Instagram before visiting our site or make the appropriate settings in your Instagram account. Further information about the collection and use of data as well as your rights and protection options in Instagram’s privacy policy can be found at https://instagram.com/about/legal/privacy/

1. Third party services

1. Google Maps

Our website uses Google Maps to display our location and to provide directions. This is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google). Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. To enable the display of certain fonts on our website, a connection to the Google server in the USA is established whenever our website is accessed. If you access the Google Maps components integrated into our website, Google will store a cookie on your device via your browser. Your user settings and data are processed to display our location and create a route description. Your IP-address in particular is necessary for the functionality of Google Maps. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in optimizing the functionality of our website. By connecting to Google in this way, Google can determine from which website your request has been sent and to which IP address the directions are transmitted. If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Further details can be found in the section about cookies above. In addition, the use of Google Maps and the information obtained via Google Maps is governed by the Google Terms of Use https://policies.google.com/terms?gl=DE&hl=en and the Terms and Conditions for Google Maps https://www.google.com/intl/de_de/help/terms_maps.html. Google also offers further information at https://adssettings.google.com/authenticated https://policies.google.com/privacy

2. bookingkit

In order to market our services (EXITVR-missions and -vouchers) we use the booking system provided by bookingkit GmbH, Sonnenallee 233, 12059 Berlin (“bookingkit”). When the user books something on our website, he or she consents to the collection and processing of his or her data via bookingkit. The user’s personal data is transmitted to bookingkit and processed by them. This collection and processing of data takes place for the purposes of support and processing of the user’s orders, his or her authentication, the processing of transactions and the optimization of the services of bookingkit. Further information on the terms of use, data protection and potential commissioning of third parties for the processing of data via bookingkit can be found at https://bookingkit.net/privacy-statement/.

3. MANGOPAY

Services for the payment via [bank transfer, credit and debit cards, SEPA direct debit, direct banking, giropay, iDeal and Przelewy24] will be provided by MANGOPAY S.A, 10 boulevard Royal, L-2449 Luxembourg. MANGOPAY collects, stores and processes personal data according to their terms of use and is responsible for the lawful handling of said data. Further information about their privacy policy can be found at https://www.mangopay.com/privacy

4. PayPal

The PayPal service is provided by the PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxemburg. When the user commits transactions via PayPal he or she is forwarded with a link to the website of PayPal. To make the processing of transactions possible, it is necessary for PayPal to collect, store and process the user’s personal data like name, address, telephone number, email-address and credit card or bank account data. The responsibility for security and handling of said data lies solely with PayPal. The corresponding terms of use can be found at www.PayPal.com. Further information about the handling of data and the possible commissioning of third parties for the processing of data can be found in PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

1. Rights of users and data subjects

If personal data of a person is processed, he or she is a user or data subject within the meaning of the GDPR and has the following rights:

1. Right of access

The user may demand confirmation from the controller if his or her personal data is processed by us. If such processing is done, the user may demand disclosure about the following:

• the purposes of processing his or her personal data;
• the categories of personal data which are processed;
• the recipients or categories of recipients which had access or will gain access to the user’s data;
• the planned duration of storage of the user’s personal data, or, if specific information is not possible, criteria for the determination of data storage duration;
• the existence of a right to rectification or deletion of the user’s data, a right to restrict the processing by the responsible or a right of objection to this processing;
• the existence of a right of appeal to a regulatory authority;
• all available information about the source of the user’s personal data, if said data was not provided by the user;
• the existence of a automated decision making process, including profiling according to Art. 22 Para. 1 and 4 GDPR and – at least in such cases – conclusive information about the involved logic as well as the implications and envisaged effects of such processing for the corresponding user.

The user furthermore has the right to demand information about possible transmission of his or her data to third countries or international organizations. In this context the user may also demand information about suitable guarantees in accordance to Art. 46 GDPR corresponding such transmissions.

2. Right of rectification

The user has the right to have personal data rectified (especially where the data are inaccurate or incomplete). Controllers must ensure that inaccurate or incomplete data are erased or rectified without undue delay.

3. Right to restriction of processing

The user has the right to obtain from the controller restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
• the data subject has objected to processing pursuant to 21 Para. 1 GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted according to one or more of the above-mentioned points, such personal data will, with the exception of storage, only be processed with the user’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A user who has obtained restriction of processing pursuant to the above-mentioned causes will be informed by the controller before the restriction of processing is lifted.

4. Right of erasure
5. Obligation to deletion

The user has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based according Art. 6 Para. 1 lit. a) GDPR, or Art. 9 Para. 2 lit. a) GDPR, and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 Para. 2 GDPR
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services referred to in 8 Para. 1 GDPR.

Where the controller has made the personal data public and is obliged pursuant to one or more of the above-mentioned points to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

1. Exceptions

The right to erasure does not apply to the extent that processing is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with 9 Para. 2 lit. h) and i) as well as Art. 9 Para. 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Para. 1 GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
• or for the establishment, exercise or defense of legal claims.

5. Right of notification

The controller will communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 Para. 1 and Art. 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller will inform the data subject about those recipients if the data subject requests it.

6. Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 Para. 1 lit. e) and f), including profiling based on those provisions. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 will be explicitly brought to the attention of the data subject and will be presented clearly and separately from any other information. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 Para. 1 GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7. Right to withdraw consent

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

8. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. Date: January 2020