The Platform – Data protection statement
Data protection statement
As at: 12/2019
This Data Protection Declaration gives you an overview of how The Platform
processes your data. It applies to all websites, apps and other benefits and services
offered by The Platform.
How you can read these Data Protection Declarations: We offer you various
options for reading this Data Protection Declarations. Firstly, you can find very basic
information in this section. Then we have sorted this Data Protection Declaration into
topics relevant for you and divided it accordingly into individual chapters. If you are
already a “pro”, you can jump directly to individual chapters.
We have avoided cross-references wherever possible. That way you get all
information coherently explained, regardless of which chapter you are currently
reading. If you read this Data Protection Declaration from start to finish, you may find
that parts of the text are repeated. We were unable to avoid a few cross-references.
Which services and offers this Data Protection Declaration applies to:
The Platform processes your data in a similar way for most of our services. This
Data Protection Declaration therefore applies to all benefits and services which we
offer our European customers. This is true regardless of whether we do this via a
website, an app, in transactions, on the phone, at events or via social networks or
other channels. For ease of comprehension, we use the term “services” to
summarize this “normal case”.
There are, however, also exceptional services where we process your data differently
or for particular purposes. This may be due to the nature of a service or country-
specific requirements. When we are referring to these cases (that is “deviations from
the normal case”), we call them “service-specific” or “country-specific”.
Finally, you should also bear in mind that The Platform is not just a single company.
The Platform is a group and thus consists of multiple companies. Not all of these
companies offer you services or process your data. For simplicity, only the The Platform
OÜ Group companies which are actually involved in processing your data are named
below. Where we refer below to “The Platform”, “we” or “us”, we mean the
responsible companies within The Platform Group which process your data.
Specifically, this refers to the following The Platform companies
What you will learn in this Data Protection Declaration:
– Which data The Platform stores.
– What we do with this data and what it is needed for.
– Which data protection rights and options you have.
– Which technologies and data we use to personalize and coordinate our services in
order to offer you a secure, simple, seamless and individual shopping experience.
– Which technologies and data we use for advertising, including the tracking
technologies we use.
If you have a question regarding this Data Protection Declaration or the topic of data
protection at the Platform in general, you can contact our customer service at any
Which data does the Platform process?
The Platform offers you a wide range of services, which you can also use in a wide
range of ways. Depending on whether you contact us online, by phone or otherwise
and on which services you use, various data from different sources may come into
play. Much of the data we process is provided by you yourself when you use our
services or contact us, for example when you register and provide your name or
email address or address. We do, however, also receive technical device and access
data which is automatically collected when you interact with our services. This may,
for example, be information on which device you are using. We collect further data
using our own data analyses (e.g. within the framework of market research studies
and customer evaluations). We may also receive data on you from third parties, for
example for credit rating agencies and payment service providers.
What does The Platform use my data for?
The Platform processes your data in accordance with all applicable data protection
laws. Of course, we observe the principles of data protection law for the processing
of personal data. We therefore generally only process your data for the purposes
explained to you in this Data Protection Declaration or shared when we collect the
data. These are mainly purchase processing and the provision, personalization and
development as well as security of our services. We also use your data within the
framework of the strict European data protection law, but also for other purposes
such as product development, scientific research (especially in the areas of machine
learning, artificial intelligence and deep learning) and market research, for the
optimization of business processes, the needs-based design of our services and
The development and provision of personalized functionalities and services for you is
our top priority. We offer you an individual shopping experience and a range tailored
to your individual interests, regardless of location, time and devices used. The
processing of your data to personalize our service is therefore an integral part of
The Platform’s service.
Info on websites and apps
We use your data to provide access to the The Platform websites and apps. Along
with the device and access data collected whenever you use these services, the type
of data processed as well as the processing purposes depend especially on how you
use the functions and services provided via our services. We also use the data
collected when you use our services to find out how our online offering is used. We
use this information and other information in the course of shopping personalization
to improve our services and for personalized advertising.
Information about Social Media Fan Pages
The Platform maintains social media profiles on the social networks of Facebook,
Instagram, TikTok, Yutube, Pintarest (so-called "fan pages"). We regularly publish
and share content, offers and product recommendations on our fan pages. The
operators of the social networks record your usage behavior via cookies and similar
technologies upon every interaction on our fan pages or other websites. Fan page operators can view general statistics about the interests and demographic
characteristics (e.g. age, gender, region) of fan page visitors. When you use social
networks, the nature, scope and purposes of processing social network data are
determined primarily by the social network operators.
We offer you various newsletter services. When you register for a newsletter service
you will receive information on the topics dealt with by the individual newsletters.
There are also service-specific newsletters, which are integral components of a
particular service. For example, you will only receive The Platforms newsletter if
you are a member of The Platforms club. When you use our newsletters, we also
connect device and access data.
Individual product recommendations by email and push service.
In connection with our services we present information and offerings from The Platform
OÜ on the basis of your interests. You will receive these individual product
recommendations from us regardless of whether you have subscribed to a
newsletter. In accordance with legal stipulations, we preferentially use your previous
shopping and interests data, which allow us to derive your product interests in view of
the interests, preferences and profile data you have shared with us, to select
individual product recommendations.
We use the data submitted when ordering The Platform vouchers to check and
process the order and to issue and redeem the voucher. This also includes the
recording and processing of the data connected to use of the voucher, especially for
How does The Platform use my data for advertising?
We and our advertising partners use your data for personalized advertising presented
to you in The Platform’s services and on other providers’ websites and apps. We
and our advertising partners use the prevailing market technologies for this purpose.
This allows us to advertise in a more targeted way in order to display as many
adverts and offers to you which are actually relevant to you. This allows us to better
meet our users’ needs as regards personalization and discovering new products and
to interest you in our service in the long run by providing a more personalized
Who is my data forwarded to?
The Platform only forwards your data if this is allowed by European law. We work
particularly closely with certain service providers, for example in the area of customer
service (e.g. hotline service providers), with technical service providers (e.g. running
computer centers) or with logistics companies (e.g. postal companies such as DHL).
These service providers may generally only process your data on our behalf under
special conditions. Where we use them to process orders, the service providers only
receive access to your data in the scope and for the time period required for provision
of the relevant service. If you shop with a The Platform partner, we forward particular
shopping data regarding you to the The Platforms partner (e.g. your name and your
delivery address), so that the The Platforms partner can send you the goods ordered.
Which data protection rights do I have?
You have the following legal data protection rights under the relevant legal
conditions: Right to information (Article 15 GDPR), right to deletion (Article 17
GDPR), right to correction (Article 16 GDPR), right to restriction of processing (Article
18 GDPR), right to data portability (Article 20 GDPR), right to lodge a complaint with
a supervisory authority (Article 77 GDPR), right to withdraw consent (Article 7 (3)
GDPR) as well as the right to object to particular data processing measures (Article
When will my data be deleted?
We will store your personal data as long as is necessary for the purposes named in
this Data Protection Declaration, especially for the fulfilment of our contractual and
legal obligations. We may also store your personal data for other purposes if or as
long as the law allows us store it for particular purposes, including for defense
against legal claims.
How does The Platform protect my data?
We transmit your personal data securely using encryption. This applies to your order
and your customer login. We do this using the coding system SSL (Secure Socket
Layer). We also use technical and organizational measures to secure our website
and other systems against loss, destruction, access, change or dissemination by
Changes to this Data Protection Declaration and points of contact
Further development of our websites and apps and the implementation of new
technologies to improve our service for you may require changes to this privacy
policy. We therefore recommend that you re-read this Data Protection Declaration
from time to time.
Our data processing may differ from service to service. Here you can find out which
service-specific deviations apply.
to access or store information. Specific information about how we use such
technologies and how you can refuse certain cookies is set out in our Cookie
– “Cookies” are data files that are placed on your device or computer and often
include an anonymous unique identifier.
– “Log files” track actions occurring on the Site, and collect data including your IP
address, browser type, Internet service provider, referring/exit pages, and date/time
– “Web beacons,” “tags,” and “pixels” are electronic files used to record information
about how you browse the Site.
We want you to have the best user experience possible. To help us deliver this, we
use tools to track and analyze user behavior and compile statistics. We
pseudonymize user profiles to offer features such as product sorting according to
popularity or personalized product suggestions (‘Recommended for you’) to help
improve our services. In addition, data tracking is used for online marketing purposes
such as retargeting. This also includes tracking tools and cookies from third party
service providers and advertising partners on our platform.
Security on The Platform
The Platform values your privacy, and it is our goal to maintain the security
of our platform. This page describes some steps that we are taking to address
potential security issues, and to help protect The Platform, our users, and
their data. For more information about how we may collect, store, and use
If you encounter or identify any security issues with The Platform or any of
websites, mobile applications, or services, you may contact our Engineering
Team directly by email at firstname.lastname@example.org. Someone will be in
touch, usually within 7 days.
The Platform BUG BOUNTY PROGRAM
We welcome security researchers that practice responsible disclosure and
comply with our policies. Programs by Google, Facebook, Mozilla, and
others have helped to create a strong bug-hunting community. The Platform bug bounty program gives a tip of the hat to these researchers and
rewards them for their efforts. In order to be eligible for a reward under our
bug bounty program, you must comply with the terms outlined below.
terms and conditions, you must also follow these basic rules when
participating in our bug bounty program:
Do not access (or attempt to access) any user’s account or non-
Do not affect or harm other users (or their access to or use of our
Do not perform any attack that could harm the reliability or integrity
of our services or data. For example, DDoS/spam attacks are
Do not publicly disclose a vulnerability before we have resolved it.
Do not perform (or attempt) non-technical attacks, including spam,
social engineering, phishing, or physical attacks against our
employees, users, or infrastructure.
WHAT KINDS OF REPORTS DO NOT QUALIFY?
The following is a non-exhaustive list of reports that do not qualify for a
reward under our bug bounty program:
Disclosure of public information or information that in our opinion
does not present a significant risk.
Disclosure of client identifiers and keys intended as a convenience
for open-source contributors.
Disclosure of credentials by other parties unaffiliated with
Bugs, such as XSS, that only affect legacy browser/plugin
versions, bugs that require exceedingly unlikely user activity or
interaction, or timing attacks that prove, for example, the existence
of a user.
Cookies shared between different *.Gallerima.com domains.
Bugs that have already been reported to us (i.e. first-come, first-
served), or bugs that we are otherwise already aware of.
Issues with functionality that is in-development, experimental, or
released in a "beta" stage.
Scripting or other automation and brute forcing of intended
functionality (all of which is strictly prohibited).
Issues related to software or protocols not under our control.
We may issue monetary rewards for reported issues that we decide to fix,
with higher rewards for distinctly creative or severe security issues. Issues
that we determine to be an insignificant or accepted risk will not be eligible
for a reward. A typical reward for a single reported issue is U.S. $25. Some
more severe issues can be $100. The maximum amount for any issue that the
bug bounty program pays for single issue is of $250. If we determine that an
issue you report does not qualify for a monetary reward, or if you’re unable or
unwilling to provide the personal information we require to issue a monetary
reward. Please note that only reports submitted by email
to email@example.com may be eligible for a reward under our bug
CHECKING THE STATUS OF REPORTS OR REWARDS
We are a small and very busy Engineering Team, and we receive a lot of
email. Please do not send us multiple or repetitious email asking the same
questions about submitted reports or the status of potential bounty payments.
This will not accelerate the process, and may actually result in a slower
response due to the extra burden on our inbox. We appreciate your patience.
A FEW LEGAL TERMS
Our bug bounty program is not a contest or competition. It is an experimental
and discretionary rewards program. We may modify the terms of this
program or terminate this program at any time without notice. All decisions
as to the amount and type of rewards that may be issued, the method of
payment (for monetary rewards), and whether or not any reported issue
constitutes a significant risk or is eligible for a reward, will be determined at
The Platform’s complete discretion in each case. We only issue rewards to
individuals. We typically issue monetary rewards by Paypal or check, and
require your full name and appropriate contact information. You are
responsible for any tax implications of any reward you receive and must
comply with all tax laws applicable to any rewards that we may issue you.
We cannot issue rewards to individuals who are on sanctions lists, or who are
located in countries (e.g. Cuba, Iran, North Korea, Sudan or Syria) that are on
sanctions lists. You must comply with all applicable local, state, national, and
international laws, rules, and regulations in connection with your
participation in this program. Your participation in this program must not
disrupt or compromise any data that does not belong to you.