Privacy Policy
Compliance with applicable data protection law is very important for OneFor Holding GmbH (“OneFor”, “we”, “us”), to protect your individual rights and freedoms with regard to the processing of personal data. This privacy policy describes how we process your personal data as the responsible controller and provides you with all mandatory information according to the General Data Protection Regulation (“GDPR”).
1. Who is responsible for the processing of personal data?
1.1 Identity and contact information
For the processing of personal data on https://www.onefor.com (“website”) as well as in the context of our business operations we determine the purposes and means alone.
OneFor Holding GmbH
Blumenstraße 14, 40212 Düsseldorf, Germany
Phone: +49 211 97539038
Email: info@onefor.com
Contact details of our data protection officer
Marc Neumann
IBS data protection services and consulting GmbH
Zirkusweg 1, 20359 Hamburg, Germany
Email: dataprotection@onefor.com
1.2 Joint controller
For the processing of personal data with our mobile app for Android and iOS (“app”) as well as for the OneFor Wallet and OneFor Debit Card, we determine the purposes and means together with
Moorwand Ltd
Irongate House, 22-30 Dukes Place, London EC3A 7LP, United Kingdom
Email: customerservices@moorwand.com
Controller’s representative
David Campbell
Email: legal@moorwand.com
Contact details of the data protection officer
Email: legal@moorwand.com
Via Payments UAB
Konstitucijos pr. 7, Vilnius, Lithuania
Email: https://www.vialet.eu/contact-us
Contact details of the data protection officer
Email: dpo@viasmsgroup.com
1.3 Joint controller Facebook and Instagram Page Insights
For the processing of personal data with page insights on Facebook and Instagram we determine the purposes and means together with
Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (Ireland)
https://www.facebook.com/help/contact/2061665240770586
Contact details of the data protection officer
https://www.facebook.com/help/contact/540977946302970
2. How and why do we process personal data?
2.1 Providing our Website
If you visit our website, your web browser communicates with our web server to provide the requested pages and content. Therefore, the following information is collected and stored automatically in so-called server log files.
· type and version of web browser and operating system
· Referrer URL (visited page)
· Target URL (requested page)
· IP address and hostname of the accessing device
· timestamp of the request
Purpose and legal basis
The server log files are processed for the purpose of providing the website on the basis of our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR.
The legitimate interests pursued by us, are to ensure a secure, technically error free and comprehensible operation of our website.
As the processing of the data in the server log files is essential to operate the website, we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms in case you claim the right to object according to Art. 21 (1) GDPR.
Storage period
The server log files will be stored for 90 days and then deleted automatically.
2.2. Cookies and local storage
Cookies are small text files which are stored locally in your web browser and do not cause any damage to your device. Alternatively, your web browser provides a local storage to store small sizes of information. Cookies and local storage are storage technologies (“web technologies”), provided by your browser.
Web technologies could be used temporarily to store data for the duration of a session (“session cookies”, “session storage”) or permanently to archive data on your device until you or your browser actively delete them (“persistent cookies”, “local storage”).
In some cases, the web technologies are not set by our web server directly than by another server (“third party cookies”), to enable you or us to take advantage of certain services offered by the third party.
Purpose and legal basis
We use technically essential cookies or local storage for the purpose of providing certain website features on the basis of our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us or a third party, are to provide essential website features which would not work in the absence of those web technologies.
As the processing of the data in the technically essential cookies or local storage is necessary to operate the website, we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms in case you claim the right to object according to Art. 21 (1) GDPR.
Additionally, we use technical essential cookies for the storage of your consent to the use of technically non-essential cookies (cookie consent) for the purpose of demonstration of compliance with the GDPR pursuant to Art. 6 (1) (c) GDPR.
We use technically non-essential cookies or local storage for analytics, marketing or functional purposes on the basis of your prior consent pursuant to Art. 6 (1) (a) GDPR. Your consent will be obtained via the cookie banner if you accept all cookies or if you select your preferences in the cookie settings. You have the right to withdraw your consent at any time with future effect, by changing your preferences in the cookie settings.
Independently from any setting on this website, you can control the use of web technologies with your browser settings at any time. Please be aware, that the use of our website could be restricted, in case we are not able to use technically essential cookies or local storage.
Storage period
More detailed information about the specific usage of cookies and third party services, including the storage periods, we provide in the cookie settings.
2.3 Analytics services
We use analytical webservices to help us understand the use and accessibility of our website by tracking and reporting the website traffic and visitor related behaviour.
Purpose and legal basis
We use analytics services for the purpose of optimization of our website on the basis of your prior consent pursuant to Art. 6 (1) (a) GDPR. Your consent will be obtained via the cookie banner if you accept all cookies or if you select your preference to analytical cookies in the cookie settings. You have the right to withdraw your consent at any time with future effect, by changing your preferences in the cookie settings as referred to in section 2.2 of this policy.
Storage period
More detailed information about the specific usage of cookies and third party services, including the storage periods, we provide in the cookie settings (details for analytical cookies).
2.4 Marketing services
We use marketing webservices to optimize our marketing activities, integrate additional services and serve targeted ads to people who already visited or taken action on our website.
Purpose and legal basis
We use marketing services for the purpose of marketing activities on the basis of your prior consent pursuant to Art. 6 (1) (a) GDPR. Your consent will be obtained via the cookie banner if you accept all cookies or if you select your preference to marketing cookies in the cookie settings. You have the right to withdraw your consent at any time with future effect, by changing your preferences in the cookie settings as referred to in section 2.2 of this policy.
Storage period
More detailed information about the specific usage of cookies and third party services, including the storage periods, we provide in the cookie settings (details for marketing cookies).
2.5 Functional services
We use functional webservices to optimize the use and accessibility of our website and to provide comfortable features to our visitors.
Purpose and legal basis
We use functional services for the purpose of optimization of our website on the basis of your prior consent pursuant to Art. 6 (1) (a) GDPR. Your consent will be obtained via the cookie banner if you accept all cookies or if you select your preference to functional cookies in the cookie settings. You have the right to withdraw your consent at any time with future effect, by changing your preferences in the cookie settings as referred to in section 2.2 of this policy.
Storage period
More detailed information about the specific usage of cookies and third party services, including the storage periods, we provide in the cookie settings (details for functional cookies).
2.6 Content Delivery Networks
To provide our website and several webservices, we use content delivery networks (“CDN”), which are connected to our website to optimize and deliver content like files, images and scripts. It is technically necessary that those external CDN servers process your IP-address and browser-based data to establish a connection and to provide the content.
Purpose and legal basis
For those CDN which are part of the operation and provision of our website or part of technical essential cookies, the purpose of processing is identical to 2.1 and 2.2 (essential web technologies) of this policy.
In case that the CDN is part of a webservice for which we obtain your prior consent for technical non-essential cookies, the purpose and legal basis is identical to 2.2 (non-essential web technologies) of this policy.
Storage period
We do not store any separate information about the server connection from our website to CDN servers.
More information about the storage of server logs in responsibility of the service providers can be found:
· jQuery CDN: https://www.stackpath.com/legal/privacy-statement/
· HubSpot CDN: https://legal.hubspot.com/de/privacy-policy
· Google CDN: https://policies.google.com/privacy
2.7 Helpdesk Chat, Request by email or telephone
On our website we offer you a helpdesk chat to contact us 24/7. By default, this chat does not obtain any personal data from you, unless you tell us such information or you upload attachments, containing any personal data you share with us.
Additionally, you may contact us via email or phone. In any case, we only collect personal data directly from you which is necessary to handle your request. E-Mails and phone calls are transmitted over the internet. Please be aware, that those connections are not encrypted by default and may cause risks for your rights and freedoms.
Purpose and legal basis
We process personal data related to the use of the helpdesk chat, electronic mails or phone calls for the purpose of handling your request. The legal basis depends on the context of your relationship.
Generally, if you are a customer or an interested person, we process your personal data for the performance of a contract to which you are party or in order to take steps prior to entering into a contract according to Art. 6 (1) (b) GDPR.
Otherwise we process your personal data on the basis of our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us, are to be able to handle your request.
Storage period
We store any personal data related to a request via helpdesk chat, email or telephone as long as it is necessary to handle the request.
2.8 Newsletter
If you subscribe to our newsletter, we collect your email address and store it together with the timestamp and the IP address of your subscription as well as the confirmation with a separate mail (double opt-in). With every newsletter you will receive we process your email address to send you an email.
Purpose and legal basis
We process personal data related to the newsletter service to send you emails and provide you interesting informations about our products and services, based on your prior consent according to Art. 6 (1) (a) GDPR. Your consent will be obtained by subscribing to the newsletter and confirming your subscription (double opt-in). You have the right to withdraw your consent at any time with future effect, by using the link “Unsubscribe” in the newsletter email.
Furthermore, you can withdraw your consent and change your preferences for several newsletter topics by using the link “Manage preferences” in the newsletter email.
Additionally, we process the information related to your subscription and unsubscription (withdrawal of your consent) for the purpose of demonstrating compliance with the GDPR, based on our legal obligation according to Art. 6 (1) (c) GDPR.
Storage period
Your email address will be stored as long as your consent to receive the newsletter is active. After your withdrawal we store your personal data related to the newsletter subscription for an additional period of two years to demonstrate your consent.
2.9 Providing the app
Together with Moorwand Ltd. and Via Payments UAB, we determine the purposes and means of processing your personal data in our app and to provide you the e-money account (“OneFor Wallet”) and the Debit Card (“OneFor Card”), so we are joint controllers as referred to in the joint controller agreement.
If you register an account and use our app we process the personal data, you provide to us. We only obtain those personal data from you, which is necessary for the operation of the app, including the app related features of sending and requesting money as well as the use of the OneFor Wallet connected to the OneFor Card.
More information about the processing of personal data and details about the OneFor Services related procedures we provide with the General Terms and Conditions for the Use of the OneFor Services.
More information about Moorwand’s privacy policy can be found here.
More information about Via Payment’s privacy policy can be found here.
Purpose and legal basis
We process your personal data within the registration process and during the use of our app to perform a contract to which you are party either as main account holder with the option to send money or as a companion, receiving money and use the debit card connected to the eWallet. This processing also includes the processing of your personal data in our customer relationship management system (“CRM”), the performance of technical bug fixes and any communications with our support team or helpdesk.
As part of the pre-contractual measures we collect and process your personal data within the registration process to perform a Know-your-Customer (“KYC”) process, including anti money laundering (“AML”) and counter terrorism measures as well as international payment standards.
This processing is necessary for the performance of the contract to which you are party or in order to take steps at your request prior to entering into a contract pursuant to Art. 6 (1) (b) GDPR or necessary to comply with legal obligations pursuant to Art. 6 (1) (c) GDPR.
Additionally, we process your personal data within our app, based on our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us or a third party, are to comply with legal or contractual obligations we are subject to, including an appropriate risk management, to ensure an appropriate level of security and to operate and run our technical systems related to our business.
As far as the processing of the data is necessary to operate our business and to safeguard the rights and freedoms of natural persons, we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms in case you claim the right to object according to Art. 21 (1) GDPR.
Storage period
We store any personal data related to the contract to which you are party as long as it is necessary to perform the contract. Personal data, processed for the purpose of KYC is stored for five years.
2.10 OneFor on Facebook
The OneFor Facebook Fanpage is provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
If you visit our Facebook Fanpage, we process the following data:
· your username,
· comments posted on our Fanpage,
· messages you send us via Facebook,
· page insights (site visits, range of contribution, country/city the visitors come from, gender related statistics).
More information about Page Insights can be found here.
Purpose and legal basis
Together with Facebook, we determine the purposes and means of processing your personal data on our Facebook Fanpage including the Page Insights, so we are joint controllers as referred to in the page controller addendum (“joint controller agreement”).
We process your personal data on our Facebook Fanpage for the purpose of providing this page to you, run our business and to perform public relations and direct marketing activities on the basis of our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us, are to support the contract between you and Facebook as well as to present our business and perform marketing activities.
As the processing of the Facebook Fanpage data is dependent from your activity and membership on Facebook, we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms in case you claim the right to object according to Art. 21 (1) GDPR.
Storage period
The storage of your personal data collected and stored within our Facebook Fanpage will be performed solely by Facebook. Therefore, we do not determine the purposes of storage and any storage periods. More information about Facebook as the controller of personal data can be found here.
2.11 OneFor on Instagram
The OneFor Instagram page is provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
If you visit our Instagram page, we process the following data:
· your username,
· comments posted on our page,
· messages you send us via Instagram,
· page insights (site visits, range of contribution, country/city the visitors come from, gender related statistics).
More information about Page Insights can be found here.
Purpose and legal basis
Together with Facebook, we determine the purposes and means of processing your personal data on our Instagram page including the Page Insights, so we are joint controllers as referred to in the page controller addendum (“joint controller agreement”).
We process your personal data on our Instagram page for the purpose of providing this page to you, run our business and to perform public relations and direct marketing activities on the basis of our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us, are to support the contract between you and Facebook as well as to present our business and perform marketing activities.
As the processing of the Instagram page data is dependent from your activity and membership on Instagram, we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms in case you claim the right to object according to Art. 21 (1) GDPR.
Storage period
The storage of your personal data collected and stored within our Instagram page will be performed solely by Facebook. Therefore, we do not determine the purposes of storage and any storage periods. More information about Facebook as the controller of personal data can be found here.
2.12 OneFor on YouTube
The OneFor YouTube channel is provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google is operating YouTube as a separate controller, responsible for the processing of your personal data as a registered user. More information about Google’s privacy policy can be found here.
If you visit or subscribe to our YouTube Channel or watch and react to our YouTube Videos, Google is collecting and providing the following information to us:
· your username,
· comments posted on our video’s page,
· if you subscribe to our channel,
· if you liked or disliked our video,
Additionally, Google is collecting your reaction and behavior related to our YouTube channel and our videos and providing statistical information in an anonymized way to us via the YouTube Analytics. Google processes the personal data as a processor on our behalf pursuant to Art. 28 GDPR.
Storage period
The storage of your personal data collected and stored within our YouTube Channel or related to our video will be performed by Google on our behalf. Your personal data will be stored as long as our videos will be published on YouTube or you delete them on your own. Additionally, the storage of your personal data related to your membership as a YouTube user will be performed solely by Google in their responsibility.
3. Who will receive your personal data?
3.1 Internal recipients and processors
Generally, we disclose your personal data internally only to those persons, who need to know them for the legitimate purposes of processing.
Processors according to Art. 28 GDPR, who are processing personal data on our behalf, will receive your personal data, as far as this is necessary for the purpose of processing.
3.2 Third parties
We transmit your personal to third parties, if they are
· joint controllers and the transmission is necessary for the legitimate purposes of processing;
· any other third party and you have given your explicit prior consent to the disclosure of your personal data;
· any other third party and the transmission is necessary for the performance of a contract to which you are party;
· any other third party and the transmission is based on our legal obligation to disclose your personal data;
· any other third party and the transmission is necessary to establish, exercise or defend legal claims;
Any other third party could be especially courts, public authorities, payment providers, banks, tax or legal consultants, auditors, insurance companies and data protection officers.
3.3 Transmission of personal data to third countries outside the EU/EEA
For the provision of website services as well as for the performance of the contract you are party, we transmit your personal data to third countries outside the European Union (“EU”) or European Economic Area (“EEA”).
In particular, your personal data will be processed by service providers, joint controllers and third parties in the United Kingdom (“UK”) and United States of America (“USA”). Those transmissions are not based on an adequacy decision by the European Commission pursuant to Art. 45 GDPR, but the transfer is either subject to standard data protection clauses adopted by the European Commission pursuant to Art. 46 (2) (c) GDPR or one of the following derogations pursuant to Art. 49 (1) GDPR apply.
· you have given your explicit consent to the processing of your personal data with cookies and the webservice provider or the third party servers are located outside the EU / EEA. Therefore, you agree to the transfer of your personal data to the UK or USA, although there is no adequacy decision or appropriate safeguards and this could cause risks for your rights and freedoms due to the absence of an adequate level of data protection;
· we transfer your personal data to a third country as far as this is necessary for the performance of a contract between you and us;
· we transfer your personal data to a third country as far as this is necessary for the implementation of pre-contractual measures taken at your request.
4. What rights do you have?
4.1 Access to your personal data
Under the provisions of Art. 15 GDPR you have the right to obtain a confirmation as to whether or not we process your personal data. If so, you have the right of access to your personal data, including a copy of the processed personal data and the information according to Art. 15 (1) GDPR. The right to obtain a copy of your data shall not adversely affect the rights and freedoms of others.
4.2 Rectification of your personal data
Under the provisions of Art. 16 GDPR you have the right to obtain from us the rectification of your inaccurate personal data without undue delay as well as the completion of incomplete data, where this is necessary for the purposes of processing your personal data.
4.3 Erasure of your personal data
Under the provisions of Art. 17 GDPR you have the right to obtain from us the erasure of your personal data without undue delay. We are obliged to erase your personal data without undue delay, where one of the grounds according to Art. 17 (1) GDPR apply.
If we made your personal data public and we are obliged to erase your personal data, we take reasonable steps, including technical measures, to inform other controllers which are processing your personal data, that you requested the erasure of any links to, or copy or replication of those data.
If a legal exception according to Art. 17 (3) GDPR applies, we are not obliged to erase your personal data, especially when the processing is necessary for the compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
4.4 Restriction of processing
Under the provisions of Art. 18 GDPR you have the right to obtain from us the restriction of processing where one of the following applies.
· If you contest the accuracy of your personal data, you may obtain the restriction for the period enabling us to verify the accuracy of your personal data.
· If the data processing is unlawful and you oppose the erasure of your personal data, you may obtain the restriction of their use instead.
· In case we do not need your personal data for the purposes of processing anymore, but they are required for the establishment, exercise or defence of legal claims, you may obtain the restriction.
· If you object to the processing of your personal data according to Art. 21 (1) GDPR, you may obtain the restriction for the period pending the verification whether our legitimate interests override yours.
If the processing has been restricted, your personal data will not be processed anymore, except the storage and if you have given your consent or to establish, exercise or defend legal claims. According to Art. 18 (3) GDPR, we will inform you, before the restriction of processing your personal data is lifted.
4.5 Data portability
Under the provisions of Art. 20 GDPR you have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format as well as the right that we transmit those data to another controller.
This right is limited to those personal data, where the processing is legally based on your consent according to Art. 6 (1) (a) GDPR or a contract according to Art. 6 (1) (b) GDPR. The right to of data portability shall not adversely affect the rights and freedoms of others.
4.6 Object to processing
Under the provisions of Art. 21 GDPR you have the right to object to processing of your personal data at any time, on grounds relating to your particular situation, where the processing is legally based on our overriding legitimate interests according to Art. 6 (1) (f) GDPR.
We no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is necessary to establish, exercise or defend legal claims.
If you object to the processing of your personal for direct marketing purposes according to Art. 21 (2) GDPR, we no longer process them for such purposes.
4.7 Withdraw your consent
If the processing of your personal data is legally based on your consent according to Art. 6 (1) (a) GDPR, you have the right to withdraw your consent at any time with future effect according to Art. 7 (3) GDPR.
4.8 Lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority according to Art. 77 GDPR, in particular if you consider that the processing of your personal data infringes the GDPR. You may contact any supervisory authority in the Member State of your habitual residence, place of work or place of alleged infringement, including our competent supervisory authority.
Our responsible supervisory authority
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Kavalleriestraße 2 - 4
40213 Düsseldorf
5. What else should you know?
5.1 Automated decision-making
You are not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, according to Art. 22 GDPR.
5.2 Required or obligated provision of personal data
Generally, the provision of your personal data is neither a statutory or contractual requirement or a requirement necessary to enter into a contract nor you are obliged to provide your personal data to us.
In case you want to use our app and register an account, you are obliged to provide the requested personal data to us. Otherwise we could not comply with legal obligations, so it is not possible to register your account or provide the payment features to you without the processing of the related personal data.
5.3 Additional storage of your personal data
Additional to the storage periods, mentioned in section 2 of this privacy policy, we store personal data as long as we are obliged to by law or as long as it is necessary for the establishment, exercise or defence of legal claims.
The purpose of processing will be extended either to the compliance with a legal obligation we are subject to, based on Art. 6 (1) (c) GDPR or our overriding legitimate interests pursuant to Art. 6 (1) (f) GDPR. The legitimate interests pursued by us or a third party, are to comply with legal obligations or to establish, exercise or defend legal claims.
5.4 Source of your personal data
Generally, we collect personal data directly from the data subject. Where a processor (service provider) pursuant to Art. 28 GDPR is collecting personal data from you on our behalf, this processing will be handled like we collect the data directly from you.
To register you as a companion and provide a debit card to you, we collect your name and contact details from the main account holder, which invites you to our app.
In specific cases, where we collect personal data from joint controllers or third parties, we will inform you separately.
5.5 Effectiveness of this privacy policy
This privacy policy is effective from 01 July 2021 and replaces all previous versions.
Changes to our Privacy Policy
We may change this Policy at any time by notifying you of any amendments through SMS, the App functionality, push notification, or e-mail at least one month prior to the amendment becoming effective. The latest version of the policy you will be able to obtain at our Website and App.
How to contact us
If you have any questions about this Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.
Email us at: info@onefor.com
Last Updated: 01 July 2021
OneFor Holding GmbH, Blumenstrasse 14, 40212 Düsseldorf, Germany
