1. Goethe-Institut e.V., Oskar-von-Miller-Ring 18, 80333 Munich, Germany, Phone: +49 89 15921-0, E-Mail: info@goethe.de (hereinafter "we").

Contact details of data protection officers: Die Datenschutzbeauftragte, Goethe-Institut e.V., Dachauer Str. 122, 80637 Munich, Germany, e-mail: datenschutz@goethe.de

You can use the downloaded espoto App either without logging in or by registering and creating a user account.

If you choose to use an account without registering, a random, non-existent email address will be generated and saved as your user account. However, you will unfortunately not be able to retrieve your progress in the game after logging out of the App. This is only possible if you register and create a personal user account. Your number of points is limited to 3,000 if you do not use a personal user account to log in to the App. Beyond this limit, you will no longer be able to play any tasks. If you wish to continue playing, you must register.

The option of an account without registration is only possible once prior to your first login. Later, this option will no longer be available.

If you want to use the espoto App via your own personal user account, you must first register in the App with your email address, a password of your choosing, and a user name (the “Login Information”). You are free to choose any user name you want but it must not be your real name.

We use the double opt-in procedure for registration. This means that your registration will only be finalized when you confirm a link contained in a confirmation email sent to you for this purpose prior to your registration. In this way, we ensure that only you, the owner of the email address, can register.

After successful registration, we will create a personal user account for you through which your progress in the game and other information connected with the use of the App can be saved on our servers.

With your login data you can also identify yourself on other devices and use the treasure hunt app installed there with your user account.

You cannot log out on a device in the app itself. The login remains in the app until you log in with other login data or on another device with your login data.

After logging off, access to the information, saved in your user account, will only be possible by entering your password.

If you forget your password, you can use your email address to reset your password. To do this, click on the “?” on the login screen and follow the instructions.

As long as you do not log off, your login information will be saved in a “token” on your device, through which you can be identified so that you do not have to register again every time you use the App.

You can make changes to your personal user account by adding additional information within the account. Thus, you can, for example, enter your name, address or sex, select a team name or add a team photo in your user account. We use this data if we contact you and when you use the app as described below. The data will be saved on our server until you change the saved data or delete your user account.

In the context of creating the Goethe.de account, only those data are required as mandatory data which we need to carry out our offers or any contractual relationship with you.

We collect and process the data provided by you in the context of the contract execution of this user contract according to Art. 6 Para. 1 lit. b GDPR

• to check your application to create a Goethe.de account
• to provide the free services in which you participate (blogs, forums, comments, self-presentation, communities, chats, etc.)
• to fulfill our obligations from contracts that exist with you, in particular the use of the paid functions of the App.

You may voluntarily provide further personal information and post content (so-called user-generated content), such as a photo of you, texts in the form of blog or forum posts, discussion posts, etc., to the website. Which data is collected in detail and which information is mandatory and which is voluntary can be seen from the respective input forms. We process the voluntarily provided data in order to protect the predominant common interests in a diverse exchange within the framework of our platform in accordance with Art. 6 para. 1 lit. f GDPR.

For marketing purposes, we also use the data you provide in your user account for a personalised design of our website and internet offers, e.g. a personal homepage and a profile area in which we present suitable offers to you. This serves to safeguard our overriding legitimate interests in optimum marketing of our offers in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR.

We reserve the right to use your first and last name, your postal address for our own advertising purposes, e.g. to send you interesting offers and information about our products by letter post. This serves to safeguard our predominantly legitimate interests in advertising to our customers in accordance with Art. 6 Para. 1 lit. f of the GDPR within the scope of a weighing of interests. You can object to the storage and use of your data for these purposes at any time by sending a message to datenschutz@goethe.de.

If you consent to the processing of your data to create a user account in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, other users may see the data you have provided using the Goethe.de account, such as your name or user name, your contributions incl. creation date and time, your memberships in groups, your friends, your learning lists, your files, your online status, your ratings, the duration of your membership, your gender and your guestbook entries.

If you have already provided personal data to another Goethe-Institut service in the past and if you consent to this pursuant to Art. 6 Para. 1 S. 1 lit. a GDPR, we will merge this previously provided data with your data in the app. The same applies to the opposite direction: if you wish to use other services of the Goethe-Institut's Internet offering or apps in the future, we want to make your data available internally to these services via our central customer database so that you can also use these services conveniently without re-entering your data.

If you do not confirm your registration within 7 days, your Goethe.de account will be deleted along with the data provided during registration. If you confirm the registration, a user account will be created according to the present explanations. It is possible to delete your Goethe.de account and your data left there at any time and can be done either by sending a message to the contact option described below or by using a function in the user account provided for this purpose.

In the app you can enter personal data. You can also make personal settings in the app.

We collect and process this data within the framework of contract processing in accordance with Art. 6 Para. 1 lit. b GDPR in order to provide the functions of the App.

Collection and use of data when using the espoto treasure hunt App
When you use the espoto App, we collect and use the following data for the purposes described:

To be able to use the app and to play an event / a game fully, it is necessary to determine and use your current location. Your location will only be collected, in accordance with the consent you submitted at the time of registration, if you have activated the location function of your device and have allowed the espoto App to process your location data. We collect and use your location data as follows:

While you are playing, the espoto App will transmit your current location via GPS and/or device ID location in short intervals of approximately 15 to 25 seconds, usually to the nearest metre.

The most recently transmitted location will be saved and used by your device to show you your current location on the map and to check if you are close to a event / game task.

Your current location will also be transmitted to our servers and saved there in accordance with the consent you submitted. This is to allow espoto, partners of espoto or other organizers of the event / game / application to determine where individual participants of the game / event are, so that they can offer them support if necessary.

If you reach the location of a task, we save your location as well as the date and time when you reached the location of the task and when you completed the task. The purpose of this is to determine how much time you needed for the event / game / application and each of the tasks, including in comparison with other players.

We save the location data transmitted to our servers until the game / event is over. This data is then deleted from our servers. The most recent transmitted position on your device will remain saved in the App until a new position can be transmitted or the App is uninstalled.

Sometimes it can be, when allowed by the event / game organizers, that you share your current location with fellow players of the game / event in your vicinity and shown together with your user name, team name and team photo on the map. Similarly, you can also see the locations of your fellow players on the map during a game / event and, for example, work together to solve a task.

This collection and use is only possible if you have given your data protection consent separately. You can read the consent statement below.

You can stop the collection of your location data temporarily or permanently at any time by deactivating the location function in your device’s settings or withdrawing your permission for the processing of your location from the Game App. Please note that you can only participate in events / games to a very limited extent via the Game App because most of the tasks can only be solved if you are in the location and if this can be tracked.

The solutions submitted by you in response to a task will either be compared with the model solution on your device or transmitted to our servers and saved and checked there. We will use the result of this check to calculate your points, which will be displayed in the high score list.

Your solution entries can also be viewed and checked in the Content Management System on our server by the respective organizer of the game / event or by espoto GmbH for support purposes.

Please note: The game / event creator / organizer can request further personal data from you within the game / event by answering tasks. We would like to point out that this information is always provided voluntarily. Like all other game data, the data will also be processed by espoto and the implementing partner / organizer.

Partners / organizers / event and game creators are generally obliged to strictly avoid personal data in events / games / tasks. In particular, we ask that you do not provide any information about racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data or data about sex life or sexual orientation, or data about criminal convictions and crimes.

If you are requested to provide such data by answering a task or if such data is processed in the task itself, please contact support@espoto.com directly. If you decide to respond nevertheless, you also agree that espoto and the organizer/event creator will process the corresponding responses.

We collect and use the speed of your device’s internet connection to optimize your use of the App, particularly in connection with the download of event data. We also use the information about your connection speed for statistical analyses of the network coverage in the area of an event / game in order to transfer tasks in future games / events to other areas should any problems occur.

We collect and save your current battery status so that we can inform you if your remaining battery life will not be sufficient for the entire event / game / application.

If devices of the espoto GmbH or off the respective organizer are used, we will also use the battery status to inform players to exchange the device in good time.

If you participate in an event via the App that is organized by espoto or by a partner of espoto, the employees of espoto or the employees of the partner can, for the purpose of carrying out the event / game / application and providing support, access your data as described above and your data saved on our servers, and contact you during your participation in an event / game / application by means of in-app push notifications. This is only possible if you have submitted your consent.

If you are one of the top ten best players of an event / game / application, your rank, team name and statistics related to the tasks you have completed in the high score list will be shown to the other players of the event.

In order to make the user experience attractive and to enable the use of certain functions, we use so-called cookies. This serves to safeguard our predominantly legitimate interests in the provision of a user-friendly service in accordance with Art. 6 Para. 1 lit. f GDPR as part of a balancing of interests. These are small text files that are stored on your mobile device.

Cookies remain on your end device and enable us to recognize your app on your next visit and to enable you to log in automatically (persistent cookies).

You can deactivate the acceptance of cookies. If cookies are not accepted, the functionality of the app may be restricted.

We use Google (Universal) Analytics, a web analytics service provided by Google LLC (www.google.de). This serves to safeguard our predominantly legitimate interests in an optimised presentation of our offer in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR within the scope of a weighing of interests. Google (Universal) Analytics uses methods that allow an analysis of the use of the app by you, such as cookies. The automatically collected information about your use of this website is usually transferred to a Google server in the USA and stored there. By activating IP anonymization in the app, the IP address is shortened before transmission within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address anonymized by the app within the framework of Google Analytics is not merged with other Google data. The data collected in this context will be deleted after the purpose and end of the use of Google Analytics by us.

The Google LLC is headquartered in the USA and is certified under the EU-US Privacy Shield. A current certificate can be found here: https://www.privacyshield.gov/list Based on this agreement between the USA and the European Commission, the latter has determined an appropriate level of data protection for companies certified under the Privacy Shield.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

To be able to use the espoto App with all the functions, the App requires the following permissions on your mobile device.

You can restrict the individual permissions in your device settings in accordance with your preferences, but the Game App might then only function to a limited extent.

The following permissions will be required by the App for the purposes described:

We collect and process this data within the framework of contract processing in accordance with Art. 6 Para. 1 lit. b GDPR in order to provide the functions of the App.

Your information will be shared with technical service providers (e.g. the App developer, server hosting, etc.) who support us in order to prepare the App and for the aforementioned purposes. They are chosen carefully by us and their engagement is formalized in writing. These service providers are obligated to follow our instructions and are controlled by us regularly.

The legal basis is Art. 28 GDPR (order processing).

Some of the service providers have their headquarters in the USA and are certified under the EU-US Privacy Shield. A current certificate can be found here: https://www.privacyshield.gov/list Based on this agreement between the USA and the European Commission, the latter has determined an appropriate level of data protection for companies certified under the Privacy Shield.

Am Luftschiffhafen 1, 14471 Potsdam
Managing Director: Michael Haufe
Service category: App developer and content management system developer.

Heinrich-Baumgarte-Str. 3a, 30823 Garbsen
Managing Director: Dr.-Ing. Daniel Krause
Service category: System Administration and Data Center

Leutragraben 1, 07743 Jena
Owner: Martin Eckart
Service category: Central IT service provider in the area of hosting

Visual Studio - App Center
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399
Authorized representative: Benjamin O. Orndorff

Passage du Cardinal 1, 1700 Fribourg, Switzerland

Google LLC
1600 Amphitheatre Parkway
Mountain View CA 94043, USA

One of our service providers is the platform appcenter.ms. In the case of an app crash, we receive crash reports via this platform. Crash reports help us to track and correct mistakes in the app. The following data will be transmitted to appcenter.ms during the app crash and communicated to us:

App name, version code, version, operating system, manufacturer of the device, model, type of crash, crash date, account ID, team ID as well as the team name, the set language, event ID and server time.

We protect our systems against loss, destruction, access, alteration or distribution of your data by unauthorised persons through technical and organisational measures, such as the creation of the Goethe.de account or a subsequent login using SSL encryption.

As a data subject, you have the following rights:

• pursuant to Art. 15 GDPR, you have the right to request information about your personal data processed by us to the extent specified therein;
• pursuant to Art. 16 GDPR, you have the right to demand the immediate correction of incorrect or incomplete personal data stored by us;
• In accordance with Art. 17 GDPR, you have the right to demand the deletion of your personal data stored by us, unless further processing is required;
  
  • on the exercise of freedom of expression and information;
  • to fulfill a legal obligation;
  • for reasons of public interest, or
  • for the assertion, exercise or defence of legal claims
• the right, pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as
  
  • the correctness of the data is denied by you;
  • the processing is unlawful, but you refuse to delete it;
  • we no longer need the data, but you need it to assert, exercise or defend legal claims, or
  • you have lodged an objection against the processing under Article 21 GDPR;
• Pursuant to Art. 20 GDPR, you have the right to receive the personal data you have provided to us in a structured, common and machine-readable format or to request transmission to another responsible party;
• the right to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at our company headquarters.

If you have any questions regarding the collection, processing or use of your personal data, for information, correction, restriction of the processing or deletion of data as well as revocation of any consent given or objection to a specific use of data as well as regarding the right to data transfer, please contact our company data protection officer (see section 1).

Insofar as we process personal data as described above in order to safeguard our predominantly legitimate interests as part of a weighing of interests, you may object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you may exercise this right at any time as described above. Insofar as processing is carried out for other purposes, you are only entitled to object if there are reasons arising from your particular situation.

After exercising your right of objection, we will not process your personal data further for these purposes unless we can prove compelling reasons for processing worthy of protection which outweigh your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.

This does not apply if the processing is carried out for the purposes of direct marketing. Then we will not further process your personal data for this purpose.