Privacy Notice XeSIM

Privacy policy for visitors and/or users to our website

We would like to inform you about the protection of your privacy and data protection when using our website at https://xesim.com as follows:

1. Who are we?

The Controller of the website according to Article 4.7 EU Data Protection Regulation (GDPR) is:

transact Elektronische Zahlungssysteme GmbH
Managing Directors: Dr. Samareh Frantz, Marc Ehler, Dr. Markus Landrock, Martin Croot
Fraunhoferstr. 10
82152 Martinsried
Tel. +49 (0)89 899 64 3 0
e-mail: info@epay.de
(for further details see our Legal Notice.)

2. Who is responsible for the protection of your personal data?

All our employees oversee data protection. We have also appointed a data protection officer, whom you can contact as follows:
transact Elektronische Zahlungssysteme GmbH
Fraunhoferstr. 10
82152 Martinsried
e-mail: DPO_DE@epayworldwide.com

3. Collection of personal data when visiting our website

If you visit our website without registering or providing information, we only collect the personal data your browser transmits to our server. This data is technically necessary to display the website, ensure its stability, and maintain security (legal basis is Art. 6.1.f GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser
  • Operating System and its interface
  • Language and version of the browser software

4. Data processing in third countries

transact Elektronische Zahlungssysteme GmbH, as part of the Euronet Group, may share personal data, including identification, behavioral, and technical information, with affiliated companies within the Group for routine business operations, customer support, and compliance purposes. For example, comprehensive customer service may require data access across Euronet Group affiliates. If data is processed in a country outside the European Union (EU) or European Economic Area (EEA), or if third-party services are involved, we ensure this occurs strictly in accordance with legal requirements, relying on safeguards such as EU Commission standard contractual clauses or adequacy decisions, as outlined in Article 44 and subsequent articles of the GDPR.

5. Use of cookies

Our website uses cookies and similar technologies to ensure functionality, analyze usage, and optimize content and advertising. Cookies are small text files stored on the user's device by websites, containing information that can be retrieved during subsequent visits.

The following cookie types and functions are distinguished:

  • Session Cookies: Temporary cookies that store user information while browsing and manage essential website functions such as login status. They are automatically deleted when the browser is closed.
  • Necessary Cookies (also called Essential Cookies): These cookies are strictly necessary for the operation of the website, for example, to store logins or other user inputs, or for security purposes.
  • Statistics and Marketing Cookies: These cookies are generally used to measure reach and to store a user's interests or behavior (e.g., viewing specific content, using features, etc.) in a user profile on individual websites. Such profiles are used, for example, to display content to users that matches their potential interests and to optimize advertising. This process is also referred to as "tracking," i.e., the monitoring of users' potential interests. These cookies are only set with your explicit consent.

Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g., website visitors, users of online services).
Legal basis: The processing of personal data through cookies is based on:

  • Art. 6(1)(a) GDPR – if you have given your consent via our cookie banner.
  • Art. 6(1)(f) GDPR – for technically necessary cookies, based on our legitimate interest in providing a secure and functional website.

You may withdraw your consent or object to the processing of your data at any time. This can be done via our cookie consent tool or by adjusting your browser settings. Please note that disabling certain cookies may limit the functionality of our website.

6. Information about the collection of personal data

(1) Contacting us

If you contact us (e.g. via email), we process the personal data you provide only to the extent necessary to respond to your inquiry and any follow-up actions requested.

  • Types of data processed: Identification data (e.g. name, address), contact details (e.g. email address), and content data (e.g. text message, attachments).
  • Data subjects: Individuals initiating contact (e.g. website visitors, customers).
  • Purpose of processing: Handling and responding to contact requests and related communication.
  • Legal basis:
    • Art. 6(1)(a) GDPR – if you have given your consent (e.g. via a contact form with a checkbox).
    • Art. 6(1)(b) GDPR – if the contact is related to the performance of a contract or pre-contractual measures.

(2) Provision of the online offer and web hosting

To securely and efficiently provide our online services, we host your personal data on our servers located in Germany.

The data processed within the scope of the provision of the hosting offer may include all information concerning the users of our online offer, which accrues within the scope of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the contents of online offers to browsers, and all entries made within our online offer or from websites.

Services used and service providers:

  • Imperva Inc infrastructure service provider: Imperva Inc, One Curiosity Way, Suite 203 San Mateo, CA 94403. Website: www.imperva.com;
    Privacy Policy: https://www.imperva.com/trust-center/privacy-statement (It ensures a level of data protection when processing data in the USA)
    https://www.imperva.com/trust-center/gdpr/
    Web-Application-Firewall (WAF):
    A Web Application Firewall enables filtering, monitoring and blocking of malicious HTTP traffic to and from a web service. Imperva WAF works as a reverse proxy: all transact web traffic is routed through the Imperva network, allowing Imperva to examine each request to identify and block malicious activity. Imperva identifies malicious requests based on predefined patterns for web application attacks (e.g. XSS, SSRF, XXE, etc.). Imperva Reverse Proxy also includes patterns for detecting personal data and immediately performs real-time data masking. In case of a malicious request, Imperva creates an event that contains the client IP address and allows us to review/analyze the request. This stored IP address is deleted after 10 weeks, or after the security-related event has been analyzed, remediated and resolved.
    Protection against DDoS attacks:
    A DDoS attack is an attempt to overload an Internet service with traffic by making a large number of targeted requests, so that it is no longer functional. When a DDoS attack occurs on a website, it can no longer be accessed. Imperva's service helps us to detect and defend against such attacks on our website. For this purpose, a reverse proxy server is connected upstream of the website to be protected. This accepts requests from the Internet on its behalf, filters out "harmful" requests and forwards only "secure" requests to the website servers. In this context, Imperva processes the IP address of the website visitors in order to evaluate whether the call is an attack. The data is stored exclusively on servers in countries of the European Union.
    The IP address is stored for a period of 10 weeks and only for the aforementioned purposes; after this period, the data is deleted or only stored in anonymized form, unless a security-relevant event occurs (e.g. a DDoS attack). In the event of a security-relevant event, server log files are stored until the security-relevant event has been eliminated and fully resolved. In addition to minimizing DDoS attacks, Imperva uses this data to further improve its services as well as to provide us with information about traffic on our website. This is only aggregated data, which is displayed to us in the form of graphs and does not allow us to draw any conclusions about individual visitors to the website. This allows us to better understand the traffic on our website and identify possible attacks.
    The legal basis for the data processing is Art. 6(1)(f) GDPR. Our legitimate interest derives from the aforementioned purposes.

(3) Web analysis and optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas require optimization.

In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components.

For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures may be used with the same purpose. This information may include, for example, content viewed, websites visited and elements used there and technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavior-based profiling, use of cookies), visit action evaluation, profiling (creation of user profiles).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate Interest (Art. 6(1)(f) GDPR).

Services used and service providers:

  • Cookiebot CMP Widget
    Usercentric A/S, Havnegade 39, 1058 Copenhagen (Denmark). The Cookiebot Consent Management Platform (CMP) provides a widget for the website that makes the consent request dialog with your end users faster and more responsive than ever before.
    Website: https://www.cookiebot.com/de/widget
    Privacy policy: https://www.cookiebot.com/de/privacy-policy
  • Google Analytics 4
    If you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. We integrate Google Analytics 4 via plugin. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.
    Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyze your usage behavior and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to help us better understand how our website is used and to generate reports on website activities, among others.
    As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation.

Processed data: The following data can be processed by Google Analytics 4:

  • IP address;
  • User ID and device ID;
  • Referrer URL (previously visited page);
  • Pages viewed (date, time, URL, title, duration of visit);
  • Downloaded files;
  • Clicked links to other websites;
  • Achievement of specific goals (Conversions);
  • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);

You can find more information regarding the data that is processed in the following link: [GA4] Data collection - Analytics Help

Security measures: We have implemented the following security measures for Google Analytics 4:

  • Anonymization of the IP address;
  • deactivated advertising function;
  • deactivated personalized advertising;
  • deactivated remarketing;
  • retention period of 2 months (and no reset of retention period with new activity);
  • deactivated cross-device and cross-page tracking (Google Signals);
  • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

You may revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This will not affect the lawfulness of the processing carried out on the basis of consent until revoked.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to Google LLC in the USA, the data transfer takes place on the basis of the adequacy decision for the USA due to the certification of Google LLC according to the EU-US Data Privacy Framework.

You can find more information about Google Analytics 4 below:
Google Ireland Limited - Gordon House - Barrow Street - Dublin 4 - Ireland
Website: https://marketingplatform.google.com/about/analytics/
Privacy policy: https://policies.google.com/privacy?hl=en

(4) Use of Google AdSense

This website uses Google AdSense, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the integration of advertisements. Google AdSense uses cookies and similar technologies to analyze user behavior and display personalized ads based on users’ interests and previous visits to this and other websites.

As part of this service, Google may collect and process personal data, such as IP addresses and user activity, to create pseudonymous user profiles. These profiles are used to display interest-based advertising both within the Google advertising network and on third-party websites. Further information on how Google processes personal data can be found in the Google Privacy Policy and in the Google Ad Technologies Policy.

  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), which we obtain before activating this technology.

If you do not wish to receive personalized advertising, you can disable the use of cookies for advertising purposes in your Google account settings. You can also manage or withdraw your consent at any time via our cookie settings.

7. Data erasure and storage period

Personal data are retained only for the duration necessary to fulfil the purposes for which they were collected. Typically, such data are preserved until an enquiry has been processed, or until the user requests deletion, provided no legal basis exists for continued retention, or as required to comply with applicable legal and regulatory obligations.

8. Rights of the data subjects

As a data subject, you are granted various rights under applicable law, which may include:

  • Right to object: You have the right to object to the processing of your personal data at any time, based on your specific situation.
  • Right of revocation for consents: You have the right to revoke any consent you have given at any time.
  • Right of access: You have the right to request confirmation about whether your data is being processed. You can also obtain information about this data and a copy of the data, in accordance with legal requirements.
  • Right to rectification: You have the right to request that your data be completed or corrected if it is inaccurate.
  • Right to erasure and restriction of processing: You have the right to request that data relating to you be erased immediately or, alternatively, to request restriction of the processing of your personal data.
  • Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements or to request that it be transferred to another controller.
  • Complaint to supervisory authority: You also have the right, in accordance with the law, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

If you have a complaint regarding the processing of your personal data, you may contact us at DPO_DE@epayworldwide.com. If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been violated in some way, you can lodge a complaint with the supervisory authority.