Privacy policy
1. Privacy at a glance
General information
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
Data collection on this website
Who is responsible for the data collection on this website?
Data processing on this website is carried out by the website operator:
Giant Monkey GmbH
Brunnenstr. 39
10115 Berlin
Germany
Managing Directors: Lion Vollnhals and Adrian Fuhrmann
Email: kontakt@giantmonkey.de
Data protection officer
Marco Köhler (attorney at law)
Friedrichstraße 63
10117 Berlin
Germany
Phone: +49 30 20644496
Email: datenschutz@giantmonkey.de
2. Hosting
This website is hosted by Hetzner Online GmbH. For details, see Hetzner's privacy policy: hetzner.com/de/legal/privacy-policy.
3. General notes and mandatory information
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
Notice on the responsible body
The body responsible for data processing on this website is:
Giant Monkey GmbH
Brunnenstr. 39
10115 Berlin
Germany
Managing Directors: Lion Vollnhals and Adrian Fuhrmann
Email: kontakt@giantmonkey.de
4. Data collection on this website
Server log files
The provider of these pages automatically collects and stores information in so-called server log files, which your browser transmits automatically. These are:
- Browser type and browser version
- Operating system in use
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources. The collection of this data is based on Art. 6 (1) lit. f GDPR.
Cookies and local storage
This website does not set any tracking cookies. We store one technically necessary entry in your browser's local storage to remember your choice in the cookie banner (consented or rejected). The entry contains no personal data and is stored exclusively locally on your device. No cookie is set if you neither accept nor reject - the banner stays visible.
Contact form (HubSpot)
We use HubSpot (HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA) for our contact form. The HubSpot script is only loaded after you have consented to the use of cookies. Without your consent, no HubSpot script is loaded and no data is transmitted to HubSpot. Alternatively, you can contact us at any time by email at sales@giantmonkey.de.
If you have agreed to load the contact form and contact us through it, your information will be processed and stored at HubSpot. HubSpot may set cookies to identify recurring visitors. The data processing is based on Art. 6 (1) lit. a GDPR (consent). For more information: HubSpot privacy policy.
5. Your rights
You have the right at any time to obtain free information about your stored personal data, their origin and recipients and the purpose of the data processing, as well as the right to correction, blocking, deletion and data portability (Art. 15-22 GDPR). You can contact us at any time about this and other questions on the subject of personal data.
Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or the place of the alleged violation (Art. 77 GDPR). The supervisory authority responsible for us is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin
Germany
www.datenschutz-berlin.de
6. Data protection on the go~mus platform
The privacy policy above covers the marketing website at gomus.de. The go~mus platform itself - the SaaS that museums and cultural institutions use for ticketing and visitor management - is operated as processing on behalf of the customer within the meaning of Art. 28 GDPR. The customer (museum or institution) is the data controller; Giant Monkey GmbH is the processor.
6.1 Data processing agreement (DPA / AVV)
For every contractual relationship around the go~mus platform, a data processing agreement under Art. 28 GDPR is concluded. Our standard DPA template - including the technical and organisational measures (TOMs) - is available on request via sales@giantmonkey.de. Existing customers find the current version in the go~mus help desk.
6.2 Place of data processing
Personal data on the go~mus platform is processed exclusively within the European Union, the European Economic Area and Germany. Backups stay within the same area. Any future shift to a third country requires the customer's prior consent and the conditions of Art. 44 ff. GDPR.
6.3 Subprocessors
To deliver the platform we rely on the following subprocessors. The complete list with purpose, scope of personal data and place of processing is part of the DPA appendix:
- Hetzner Online GmbH (Germany) - hosting on infrastructure certified to ISO 27001
- Combase AG (Germany) - interface to the Korona POS system, where this is contracted
- Atlassian Pty Ltd (Australia) - support ticket system; transfer impact assessment available, EU standard contractual clauses in place
- Specialised monitoring provider (third country) - scope strictly limited to technical telemetry for error analysis, no content data, short retention; processing under EU standard contractual clauses
Adding a new subprocessor requires a written notification to the customer; objection rights as agreed in the DPA apply.
6.4 Technical and organisational measures (TOMs)
The platform is operated under technical and organisational measures appropriate to the protection requirements (Art. 32 GDPR). Selected highlights:
- Tenant separation - each customer's data lives in a separate database, on physically separated server infrastructure with independent backup pipelines
- Encryption in transit - all communication between client and server uses TLS 1.3
- Encryption at rest for backups - 256-bit AES, integrity checked with HMAC-SHA256, encryption performed client-side before transmission
- Password handling - bcrypt with salting; mandatory two-factor authentication on the back office, configurable for the shop systems
- Access controls - documented role and permission concept, hard-disk encryption on staff laptops, building access control with logging
- Tested under load and attack - regular penetration tests, automated tests of core flows
- Trained staff - annual data-protection training for all staff by an external specialised lawyer
The full TOMs are part of the DPA appendix. Material changes are communicated to customers in advance.
6.5 Storage and deletion
Storage periods on the platform are configurable per data class with sensible defaults (e.g. shop guest with order, annual-pass personalisation, widget customer). Customers define the retention windows that match their legal and operational requirements; if the customer makes no setting of their own, the configured defaults apply. Automated, retention-based deletion is part of the platform.
6.6 Data breach reporting
In the event of a data breach we follow the legal duty to notify under Art. 33/34 GDPR. The internal escalation path - central mailbox, external data protection officer plus management reachable around the clock - is set up to keep us within the statutory 72-hour window. Customers are informed of any breach affecting their data without undue delay; the case is documented end-to-end.
6.7 Certifications
Hetzner, our hosting partner, operates the underlying data-centre infrastructure certified to ISO 27001 (Hetzner certifications). For Giant Monkey GmbH itself, its own ISO 27001 certification is in preparation; we are not yet certified. We will communicate progress here. For specific procurement requirements, ask via sales@giantmonkey.de.
6.8 Data subject rights on the platform
Data subject rights (Art. 15-22 GDPR) are addressed by the customer as the controller, with our support. The DPA commits us to providing relevant data sets in a structured, common, machine-readable format within five working days on request, where the request triggers a portability case under Art. 20 GDPR.
6.9 Data protection officer
Our external data protection officer is in charge of platform-related data-protection matters as well:
Marco Köhler, LL.M. (KI Datenschutz & Compliance)
Friedrichstraße 63
10117 Berlin
Germany
Phone: +49 30 20644496
Email: datenschutz@giantmonkey.de