Important Note:
The information in this article is tailored towards Jimdo Creator websites and not Jimdo websites formerly known as Jimdo Dolphin.
Please also be aware that the information in this help article does not constitute legal advice. Jimdo cannot give you legal counsel and assumes no liability for the use of these sample texts.
Furthermore, the implementation of third-party tools via the Powr.io tool is not covered. Please reach out to your legal counsel to discuss the use of this tool and functionality.
1. Introduction
Jimdo recognizes that data protection is a difficult topic and a major challenge for many. It is especially difficult for small businesses to find their way through the legal jungle and to recognize and fulfil the necessary requirements while also running their business at the same time.
In order to provide some insight and to shed some light onto the topic, we have created this help article to give you a set of sample texts for your privacy policy, which describe in short what data processing takes place on Jimdo websites. However, the data processing can differ greatly depending on the content and settings of your website. It is very important that you study the information on this page carefully and adapt it to your specific needs and do not adopt it unchecked. We strongly recommend that you seek the advice of an expert, such as a lawyer and/or data protection expert.
If this sounds like a big hassle to you and you want to be extra safe then Jimdo has got you covered. In cooperation with Trusted Shops Jimdo is offering the Legal Text Generator add-on. The Legal Text Generator makes it easy for you to get customized legal texts for your website including the shop and integrate them automatically into your website. Plus: they get updated automatically whenever there is a change in law! In addition, you are covered by Trusted Shops' excellent warning notice protection in case something should go wrong. Click here to find out more about our offer.
2. What is a Privacy Policy?
You should see the Privacy Policy of your Jimdo site as a personal letter directed to the visitors of your website. The general purpose of a Privacy Policy is to inform your visitors and customers exactly how you collect and use their personal data on your website, how it is protected, what rights they have, etc. In case data protection laws are applicable to you (e.g. the well-known General Data Protection Regulation - GDPR), this Privacy Policy is one step towards your data protection compliance.
3. How do I edit my Privacy Policy?
In this Jimdo help center article we explain how you can edit your website’s Privacy Policy.
4. What information do I need in my Privacy Policy?
This is a tough question to answer since the level of detail and the amount of information that needs to be provided depends entirely on how you use your website, what service you have integrated, the type and amount of data that is processed, and many more factors. We unfortunately cannot give you a definitive answer on this, but we can give you an idea of what we believe are topics that could be mentioned according to Art. 13 and Art. 14 of the GDPR.
Before we start, it is important to note that this article focuses on GDPR requirements. Depending on your location, other specific laws of EU member states or data protection laws of non-EU countries such as the CCPA for California, USA, may apply. Please reach out to your legal advisor for clarification.
Below you will find some pointers on what information should be included in your Privacy Policy:
I. Contact details
Here you should provide the visitors of your website with the name and contact details of the person or business in charge of the website and data processing. That is usually yourself.
II. Data Protection Officer
Under certain conditions, the General Data Protection Regulation (GDPR) requires you to appoint a Data Protection Officer (DPO). You need to check if you are required to name a DPO and add their contact information here. In Germany, for example, you could check § 38 BDSG to see if you are required to appoint a DPO.
III. Data Processing
Your Privacy Policy is a kind of personal letter directly to your website visitors and customers and should mention all services (Data Processing Activities) you are providing. Please note that this could also include services that are provided or conducted by other parties you use, such as Jimdo.
To give you an overview about which potential processing activities could take place on your website, we have created the following sample texts that you are free to use and to amend.
Important Note: Some features on Jimdo Creator websites allow you to use a couple of different service providers. Where it is possible to use different providers we have listed them. Please only list the providers that you are actively using on your website under Recipients or Categories of Recipients for a data processing activity. If you use providers outside the European Union, the personal data of your website visitors will be transferred to so-called “Third Countries”. In this case, you should include appropriate notices in the section Data Transfer in Third Countries for a data processing activity. We have prepared sample texts for these cases. Please only insert the text that applies to the providers you have selected.
Provision of the online offer and web hosting
Description: Our website is hosted by a dedicated website hosting provider that uses cloud-based servers located within the EU to provide a stable and secure hosting platform. Our website is distributed using a content delivery network provider with servers located all over the world to ensure a fast and safe delivery of our website.
Types of data processed:
Usage data: e.g. web pages visited, access times, all entries made within our online offer or from websites
Communication data: e.g. browser type, operating system or IP addresses
Data subjects: Users (website visitors).
Purpose of processing: Provision of a stable and secure online offer that is easy to use.
Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
Recipients or Categories of Recipients: Website hosting providers, SSL certificate providers, Content Delivery Network Providers
Data Transfer in Third Countries: We transfer your personal data to processors in the USA for this purpose. Information on the transfer of personal data to third countries can be found in section Transfer to third countries.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Collection of log files
Description: We save log files for analyzing and maintaining the technical operation of the servers as well as assisting anti-abuse measures and protecting the security of the hosting platform.
Types of data processed:
Usage data: e.g. web pages visited, access times.
Communication data: e.g. browser type, operating system or IP addresses.
Data subjects: Users (website visitors).
Purpose of processing: Improving the stability and functionality of our website.
Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). Our legitimate interest is to ensure the stability and functionality of the website.
Recipients or Categories of Recipients: Website hosting providers, website analysis providers
Data Transfer in Third Countries: Your personal data is processed within the EU.
Storage Period or criteria on the basis of which the Storage Period is determined: The log files are stored for 3 months and deleted afterwards.
Contact Form
Description: We offer a contact form function on our website which gives you the opportunity to contact us by submitting your contact details and request and clicking on “submit”.
Types of data processed:
Usage data: name, email address and content of the message, web pages visited, access times
Communication data: e.g. IP addresses, browser type, operating system
Data subjects: Users (website visitors).
Purpose of processing: Processing of contact and pre-contractual inquiries via our website.
Legal basis: Legitimate interest (Art. 6 para. 1 p. 1 lit. f. GDPR), Contract fulfillment and/or pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR). Our legitimate interest is to answer your inquiry.
Recipients or Categories of Recipients: Website hosting providers, transactional email providers
Data Transfer in Third Countries: We transfer your personal data to processors in the USA for this purpose. Information on the transfer of personal data to third countries can be found in section Transfer to third countries.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Captcha
Description: We have implemented a third party captcha tool in the contact form to check whether the entries on the contact form are made by human visitors of this website or by machines or automated programs (also called "bots").
Types of data processed:
Usage data: e.g. website accessed and date and time of the access
Communication data: e.g. IP addresses, browser type, operating system
Data subjects: Users (e.g. website visitors, users of online services).
Purpose of processing: Securing the contact form with spam protection.
Legal basis: Legitimate interest (Art. 6 para. 1 p. 1 lit. f. GDPR). Our legitimate interest is to prevent misuse of our contact form.
Recipients or Categories of Recipients:
- reCaptcha by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://policies.google.com/privacy
- Website hosting providers, captcha provider
Data Transfer in Third Countries: Your personal data is processed within the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Online Store Order Confirmations
Description: When you order products in our shop on our website you will receive an order confirmation. To deliver these order confirmations we use a transactional email provider to ensure a quick and secure delivery.
Types of data processed:
Usage data: name, address, email address, shopping cart, invoice amount, currency and transaction number.
Communication data: e.g. browser type, operating system or IP addresses.
Data subjects: Users (website visitors).
Purpose of processing: Sending of order confirmations to webshop users (customers).
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR).
Recipients or Categories of Recipients: Website hosting provider, transactional email provider
Data Transfer in Third Countries: We transfer your personal data to processors in the USA for this purpose. Information on the transfer of personal data to third countries can be found in section Transfer to third countries.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Online Store Payment Service Provider
Description: We use external payment providers for the webshop on this website to offer our customers various payment options. The data processed will be disclosed solely for the purpose of processing the payment with the payment service provider and only to the extent necessary for this purpose. We do not store any credit card details ourselves.
Types of data processed:
Usage data: name, address, account number, bank routing number, credit card number (if applicable), invoice amount, currency and transaction number.
Communication data: e.g. IP addresses, browser type, operating system.
Data subjects: Users (website visitors).
Purpose of processing: Offering of external payment providers for the webshop on this website to offer customers various payment options.
Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR).
Recipients or Categories of Recipients:
- Optional: Paypal, PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, https://stripe.com/de/privacy
- Optional: Stripe, Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, https://stripe.com/de/privacy
- Optional: Klarna Sofort, Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, https://www.klarna.com/us/privacy/
- Optional: PostFinance, PostFinance AG, Mingerstrasse 20, 3030 Bern, Switzerland, https://www.postfinance.ch/en/detail/data-protection/general-privacy-policy.html
- Website hosting provider, transactional email provider
Data Transfer in Third Countries:
- Optional: Paypal: Your personal data is processed within the EU.
- Optional: Stripe: Your personal data is processed within the EU.
- Optional: Klarna: Your personal data is processed within the EU.
- Optional: PostFinance: Your personal data is processed within a secure third country with an adequacy decision of the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Website Analytics (Jimdo Statistics)
Description: When you visit our website, we collect information about your use of our website with the help of a web analysis function developed by our website hosting provider and store it in pseudonymised form. This tool collects your IP address and your user agent, merges them and shortens and stores this data using a so-called hash function. In this way, we generate a visitor identifier that is encrypted with a random value, the so-called SALT, which changes every 24 hours. This ensures that your IP address cannot be recovered from the visitor ID we store and that you cannot be personally identified. In addition, we do not merge this data with other data and only store it on the website hosting provider's server. We also process web analytics, HTTP data and web analytics profile data. The web analysis function we use creates and stores the web analysis profile. This contains information about the use of our website, in particular page views, frequency of visits and length of stay on the pages visited as well as the client user agent of your end device.
Types of data processed:
Usage data: e.g. websites visited, access times
Communication data: e.g. browser type, operating system or IP addresses
Data subjects: Users (website visitors).
Purpose of processing: Analysis of user behaviour in aggregated form in order to improve our website, including presentation and content.
Legal basis: Legitimate interest (Art. 6 para. 1 p. 1 lit. f. GDPR). Our legitimate interest is to carry out web measurements in order to improve our products and our website.
Recipients or categories of recipients: Website hosting provider
Data transfer to third countries: Your personal data is processed within the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Website Analytics (Google Analytics)
Description: If you visit our website, we collect information about your use of our website by means of a web analysis function developed by our website hosting provider and store it in a pseudonymous way. This tool collects your IP address and user agent, merges them, and truncates and stores this data using a so-called hash function. In this way, we generate a visitor identifier that will be encrypted using a random value, the so-called SALT, which changes every 24 hours. This ensures that your IP address cannot be recovered from the visitor identifier we store and that you cannot be identified personally. Furthermore, we do not merge this data with other data and only store it on the server of the website hosting provider. We also process web analytics, HTTP data and web analytics profile data. The web analysis function we use generates and stores the web analysis profile. This includes information about the use of our website, in particular page views, call frequency and dwell time on accessed pages as well as the client user agent of your terminal device.
Types of data processed:
Usage data: e.g. web pages visited, access times
Communication data: e.g. browser type, operating system or IP addresses
Data subjects: Users (website visitors).
Purpose of processing: Analyzing user behavior in aggregated form to improve our website including presentation and content.
Legal basis: Consent (Art. 6 para. 1 lit. (a) GDPR).
Recipients or Categories of Recipients:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://policies.google.com/privacy
- Website hosting provider
Data Transfer in Third Countries: Your personal data is processed within the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Embedded Maps (Google Maps)
Description: We embed maps on this website by using a plugin of a map service provider to provide an appealing presentation of our online offers and an easy location of the places indicated by us on the website. After you give consent via the consent layer or the cookie banner, the map element is loaded and data is transferred to the servers of the map provider.
Types of data processed:
Usage data: e.g. web pages visited, access times.
Communication data: e.g. browser type, operating system or IP addresses.
Data subjects: Users (e.g. website visitors, users of online services).
Purpose of processing: Appealing presentation of our online offers and an easy location of the places indicated by us on the website.
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Recipients or Categories of Recipients: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://policies.google.com/privacy
Data Transfer in Third Countries: Your personal data is processed within the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
Video Content (Vimeo, Youtube, Dailymotion)
Description: We embed video content on our website to provide you with an appealing presentation of our online offers. After you give consent via the consent layer or the cookie banner, the video content is loaded and data is transferred to the servers of the video hosting provider.
Types of data processed:
Usage data: e.g. web pages visited, access times.
Communication data: e.g. browser type, operating system or IP addresses.
Data subjects: Users (website visitors).
Purpose of processing: Appealing presentation of our online offers by implementation of video content.
Legal basis: Consent (Art. 6 para. 1 lit. (a) GDPR).
Recipients or Categories of Recipients:
- Optional: Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA, https://vimeo.com/features/video-privacy
- Optional: YouTube by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://policies.google.com/privacy
- Optional: Dailymotion, 140 boulevard Malesherbes, 75017 Paris, France, https://legal.dailymotion.com/en/privacy-policy/
Data Transfer in Third Countries:
- Optional: Vimeo: Your personal data is transferred to the above-mentioned processors in the USA for this purpose. Information on the transfer of personal data to third countries can be found in section Transfer to third countries.
- Optional: Youtube: Your personal data is processed within the EU.
- Optional: Dailymotion: Your personal data is processed within the EU.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
External Services via Powr.io
Jimdo offers you the possibility to integrate third-party services into your Jimdo Creator website via a third-party tool. After the website visitors have given their consent, a connection to the third-party provider's servers is established. The legal basis for this is consent (Art. 6 para. 1 p. 1 lit. a. GDPR). After the website visitors have given their consent, the integration app stores cookies on the devices of the website visitors, which store data so that you can implement certain third-party apps/services on your website.
Powr.io
Description: Powr.io is a third-party tool that enables the integration of third-party services on a website.
Types of data processed:
Usage data: e.g. websites visited, access times.
Communication data: e.g. browser type, operating system or IP addresses.
Data subjects: Users (website visitors).
Purpose of processing: Appealing presentation of our online offers through the use of content from third-party providers.
Legal basis: Consent (Art. 6 para. 1 lit. (a) GDPR).
Recipients or categories of recipients:
Powr.io, POWR HQ, 44 Tehama Street, San Francisco, California 94105, USA, https://www.powr.io/privacy
Data Transfer in Third Countries: We transfer your personal data to processors in the USA for this purpose. Information on the transfer of personal data to third countries can be found in section Transfer to third countries.
Retention periods or criteria on the basis of which retention periods are determined: For more information, see Storage periods.
IV. Storage Periods
Under this point you should explain to your website visitors and users how long the data you collect and process on your website is stored.
A text for this part could look like this:
In general, we process and store your personal data for the duration for which the respective purpose of use requires corresponding storage. If applicable, this also includes the periods of the initiation of a contract (pre-contractual legal relationship) and the processing of a contract. On this basis, personal data is regularly deleted as part of the fulfillment of our contractual and/or legal obligations, unless its temporary further processing is necessary for the following purposes:
- Fulfillment of legal retention obligations (commercial or tax law)
- Retention of evidence taking into account the statute of limitations
- Assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.
V. Transfer to Third Countries
At this point you should inform your website visitors about whether data collected on the website is transferred to third countries outside the European Union (EU) in case the GDPR is applicable.
A text for this part could look like this:
We ensure that your data is processed in the EU or in the European Economic Area. Should this no longer be possible and data needs to be transferred to a third country, Jimdo will ensure, after prior review, that an adequate level of data protection that meets the requirements of the Court of Justice of the European Union and the EU Commission is adhered to in the country the data is transferred to.
In these cases, the data is transferred on the basis of an Adequacy Decision of the European Commission or the Standard Contractual Clauses for the transmission of personal data to third countries in its currently valid version. These can be accessed here.
Data transmission to a third country may also take place on the basis of your consent. You will be provided with details of this separately, if applicable.
VI. The rights of your visitors and users (Data Subject Rights)
According to the GDPR, your website visitors and users have certain data protection related rights that should also be mentioned in your Privacy Policy.
A text for this part could look like this:
- Access to Information
  You can request access to information about your personal data processed by us.
- Correction
  If your data is not (or no longer) correct, you can request that your data be corrected. If your data is incomplete, you can request that it be completed.
- Deletion
  You have the right to request the deletion of your data in accordance with applicable data protection laws. Please note that a request for deletion may depend on the existence of a legitimate reason and the absence of a legal reason that obliges us to retain your data.
- Restriction of processing
  You have the right to request the restriction of the processing of your data. Please note that a request for restriction of processing depends on the existence of a legitimate reason.
- Objection
  You have the right to object to the processing of your data on grounds relating to your particular situation. In the event of a justified objection, we will no longer process your data.
- Objection to the processing of your data for direct marketing purposes
  You have the right to object at any time to the processing of your data for direct marketing purposes. This also applies to profiling in connection with direct advertising. You can send your objection to us without any formal requirements, preferably to the contact details above, stating the keyword "Objection to the processing of my personal data for advertising purposes".
- Right to lodge a complaint
  You are entitled to lodge a complaint with a data protection supervisory authority if you do not agree with the processing of your data.
- Data portability
  You have the right to receive personal data that you have provided to us in an electronic format.
- Withdrawal of your consent
  You have the right to withdraw the consent that you have given to us at any time. The easiest way to withdraw your consent is to send an email to the contact details above. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.