At Cloover GmbH (“Cloover”), data protection is our highest priority. We are pleased that you want to help shape the future of green energy with us, and we are firmly convinced that protecting your data plays an extremely important role in this. With the following information, we would therefore like to explain which types of your personal data we process, for which purposes and to what extent in the context of your use and the provision of your data via the Cloover website [https://cloover.co/](https://cloover.co/). If you become a customer of Cloover, we will inform you at the time of concluding the contract about the further data processing carried out in the course of providing our services. We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Personal data in this sense is all individual information about the personal or factual circumstances of an identified or identifiable natural person, such as name, telephone number or address.

1. Controller

Controller pursuant to Art. 4 No. 7 GDPR:
Cloover GmbH
Hussitenstraße 32–33, 13355 Berlin
Email: [info@cloover.co](mailto:info@cloover.co)
Phone: +49 (0) 30 300151 39

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

You can also contact our Data Protection Officer at any time if you have questions about data protection in connection with our products and services or the use of our website. You can reach him at the postal address above and at the email address below.

You can reach our Data Protection Officer at:

Cloover GmbH
Hussitenstraße 32–33, 13355 Berlin
Email: [contact@cloover.co](mailto:contact@cloover.co)

2. Data processing on our website

2.1 Accessing our website / connection data

Every time you use our website, we process connection data that is automatically transmitted by the browser in order to enable you to visit the website. This connection data includes the so-called HTTP header information, including the user agent, and in particular comprises:

* IP address of the requesting device;
* method, date and time of the request;
* address of the requested website and path of the requested file;
* where applicable, the previously visited website/file (HTTP referrer);
* information about the browser and operating system used;
* version of the HTTP protocol, HTTP status code, size of the file delivered;
* request data such as language, type of content, content encoding, character sets;
* cookies stored on the end device for the requested domain.

Processing this connection data is absolutely necessary to enable the visit to the website, to ensure the permanent functionality and security of our systems, and generally to maintain our website for administrative purposes. In addition, the connection data is temporarily stored in internal log files, limited in content to what is necessary, for the purposes described above, in order to identify the cause and take action in the event of repeated or criminal accesses that endanger the stability and security of our website.

The legal basis for this processing is Art. 6(1)(b) GDPR, insofar as the page view occurs in the context of initiating or performing a contract; otherwise Art. 6(1)(f) GDPR.

2.2 Credit assessment

On Cloover’s website you have the option of calculating how much you could save with a solar power system. In the context of this credit check, the following personal data is processed:

* first and last name
* date of birth
* number of children under 18
* property ownership
* street and house number
* postal code
* other persons in the household
* information about the employment relationship
* information about income, mortgages and loans
* bank details

The legal basis for this processing is Art. 6(1)(b) GDPR, insofar as the page view occurs in the context of initiating or fulfilling a contract, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interest that you contact us and we can answer your inquiry.

On Cloover’s website you have the option of calculating the savings you can achieve with a solar system. In the context of this credit assessment, the following personal data is processed:

* first and last name
* date of birth
* number of children under 18
* ownership of the property
* street and house number
* postal code
* other persons living in the household
* information about the employment relationship
* information about income, mortgages and loans
* bank details

The legal basis for this processing is Art. 6(1)(b) GDPR, insofar as the page view occurs in the context of initiating or performing a contract, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interest that you contact us so that we can answer your inquiry.

2.3 Becoming a partner

On the Cloover website you have the opportunity to get in touch with us by creating an account. The following data is collected via the field under “Account”:

* email address
* name of contact person
* position in the company
* telephone number
* information about the company (contact details, age, number of installations)
* information about the company’s registration
* information about the main owner of the company
* consent to a credit check
* operational information (manufacturers, warranty period, certifications, subcontractors)
* financial information (business figures)
* company logo

The legal basis for this processing is Art. 6(1)(b) GDPR, insofar as the page view occurs in the context of initiating or performing a contract, and otherwise Art. 6(1)(f) GDPR on the basis of our legitimate interest that you contact us and we can respond to your request.

2.4 SCHUFA

We carry out a credit check as part of pre-contractual measures for the purpose of protection against payment defaults, since Cloover, on the one hand, makes advance payments with the installation of our products and, on the other hand, enters into a long-term contractual relationship with you as a customer. We transmit your name, address and date of birth to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. If we receive data from SCHUFA, we also process your place of birth, your SCHUFA score, your score range, your risk set and your rating level. The SCHUFA score is transmitted to the respective company in the Cloover group of companies that concludes a contract with you. The scoring is based on a mathematically and statistically recognised and proven procedure. Further information on scoring can be found under “Scoring at SCHUFA: Information on the procedure”. Please note that we only make a “condition request” (Konditionsanfrage) with SCHUFA, which does not negatively affect your credit rating or your SCHUFA score.

The legal basis for this transmission is Art. 6(1)(b) and Art. 6(1)(f) GDPR. Transmissions based on Art. 6(1)(f) GDPR may only take place insofar as this is necessary to safeguard the legitimate interests of Cloover or third parties and provided that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail. The exchange of data with SCHUFA also serves to fulfil legal obligations to conduct credit checks on customers (§ 505a and 506 German Civil Code – BGB).

3. Use of cookies and similar technologies on the website

3.1 Technologies used

This website uses various services and applications that are offered either by us or by third parties. These include in particular cookies and similar technologies used to store or access information on the end device:

* **Cookies:** Information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
* **Web storage (local storage / session storage):** Information stored on the end device that consists of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored unless a deletion mechanism has been set up (e.g. storing local storage with a time entry). Information in local and session storage can also be removed manually.
* **JavaScript:** Programming code (scripts) embedded in or called by the website that can, for example, set cookies and web storage or actively collect information from the end device or about visitors’ usage behaviour. JavaScript can be used for “active fingerprinting” and to create user profiles. JavaScript can be blocked via a browser setting, but then most services will no longer function.
* **Pixels:** A tiny graphic automatically loaded by a service that, through the automatic transmission of the usual connection data (in particular IP address, information about browser, operating system, language, the accessed address and time of access), can enable recognition of the user in order to detect visitors and, for example, the opening of an email or a website visit. Using pixels can enable “passive fingerprinting” and the creation of usage profiles.

Using these cookies and comparable technologies, but also through the mere establishment of a connection to a page, so-called “fingerprints” can be created, i.e. usage profiles that do not rely on cookies or web storage and can still recognise visitors. Fingerprints based on the connection cannot be completely prevented manually.

Most browsers are set by default to accept cookies, execute scripts and display graphics. However, you can usually adjust your browser settings so that all or certain cookies are rejected or scripts and graphics are blocked. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services will probably not function or not function correctly.

In the cookie settings, the cookies and comparable technologies used by us are listed by category. There we inform you in particular about the providers of the technologies, the storage duration of cookies or information in local and session storage, as well as the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to the use of cookies and comparable technologies and how you can revoke this consent.

3.2 Legal basis and withdrawal

3.2.1 Legal basis

For the operation of the website’s basic services, we rely on our legitimate interest pursuant to Art. 6(1)(f) GDPR in providing the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures; in such cases, processing is carried out pursuant to Art. 6(1)(b) GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementation acts of the EU Member States for the ePrivacy Directive, in Germany pursuant to Section 25(2) TDDDG.

All other non-essential (optional) cookies and comparable technologies that provide additional functions are used by us on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Access to and storage of information on the end device is then carried out on the basis of the implementation acts of the ePrivacy Directive by the EU Member States, in Germany pursuant to Section 25(1) TDDDG.

Where personal data is transferred to third countries, we refer to Section 7 (“Data transfer to third countries”), also with regard to the associated risks. If you have consented to the use of certain tools and the associated transfer of your personal data to third countries, we will transfer the data processed when using the tools (also) to third countries on the basis of this consent in accordance with Art. 49(1)(a) GDPR.

3.2.2 Obtaining your consent

We use a tool from “Zeroqode” to obtain and manage your consent. It generates a banner that informs you about data processing on our website and gives you the option of consenting to all, individual or no data processing by optional tools. This banner appears when you visit our website for the first time and when you open your settings again to change them or revoke your consent. The banner also appears on subsequent visits to our website if you have disabled the storage of cookies or if cookies or information in local storage have been deleted or have expired.

As part of your website visit, your consent or revocation, your IP address, information about your browser, your device and the time of your visit are transmitted to Zeroqode. In addition, necessary information is stored on your end device in order to document your consents and revocations (“Cookie_Name” (x years)).

The data processing is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis is Art. 6(1)(f) GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementation acts of the ePrivacy Directive by the EU Member States, in Germany pursuant to Section 25(2) TDDDG.

3.2.3 Withdrawal of your consent or change of your selection

You can withdraw your consent for certain tools – i.e. for the storage and access to information on the end device, the processing of your personal data and the transfer of your data to third countries – at any time with effect for the future in the settings. There you can also change the selection of tools for which you wish to give your consent and obtain further information about the tools used. Alternatively, you can also address your withdrawal for specific tools directly to the respective provider.

3.3 Basic services

We use certain cookies and similar technologies to enable the basic functions of our website (“basic services”). These include, for example, cookies for creating and displaying website content, for managing and integrating cookies, and for prevention and ensuring the security of our website. Without these cookies, we would not be able to provide our service. Therefore, the basic services are used without consent.

The legal basis for these basic services is the necessity to pursue our legitimate interests under Art. 6(1)(f) GDPR in providing the respective basic functions and operating our website. In cases where provision of the respective website functions is necessary for the performance of a contract or for the implementation of pre-contractual measures, the legal basis for data processing is Art. 6(1)(b) GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementation acts of the ePrivacy Directive by the EU Member States, in Germany pursuant to Section 25(2) TDDDG.

If personal data is transferred to third countries, we additionally refer, alongside the information below, to Section 7 (“Data transfer to third countries”).

3.4 Marketing and analytics cookies

In addition to these basic services, we also use marketing and analytics cookies. Marketing and analytics cookies include cookies that we use to analyse your interaction with our website or for marketing purposes. We also use analytics services to evaluate the use of our various marketing channels. The usage data collected is aggregated and enables us to track the usage habits of our visitors. This helps us to adapt and optimise the design of our website and make the user experience more pleasant.

The legal basis for the marketing and analytics cookie is your consent pursuant to Art. 6(1)(a) GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementation acts of the ePrivacy Directive by the EU Member States, in Germany pursuant to Section 25(2) TDDDG. If personal data is transferred to third countries, we additionally refer, alongside the information below, to Section 7 (“Data transfer to third countries”).

4. SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser bar. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

5. Recipients of personal data

The data we collect will only be passed on if a data protection legal basis exists in the individual case, in particular if:

* you have given your express consent in accordance with Art. 6(1)(a) GDPR,
* the transfer is necessary pursuant to Art. 6(1)(f) GDPR for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
* we are legally obliged to disclose data pursuant to Art. 6(1)(c) GDPR, in particular where this is necessary for legal prosecution or enforcement due to official requests, court orders and legal proceedings, or
* the disclosure is legally permissible and necessary pursuant to Art. 6(1)(b) GDPR for the performance of contractual relationships with you or for the implementation of pre-contractual measures taken at your request.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this Privacy Policy, these can in particular be data centres that host our website and databases, software providers, IT service providers that provide our systems, CRM systems, agencies, communication service providers, market research companies, group companies and consulting firms.

Personal data is also transferred to the following service providers:

* public bodies that receive data on the basis of statutory provisions (e.g. tax authorities or the Federal Network Agency);
* credit agencies,
* internal departments of Cloover GmbH, insofar as this is required for the handling of tasks;
* companies affiliated with Cloover GmbH within the meaning of Sections 15 et seq. German Stock Corporation Act (AktG), insofar as this is necessary for the implementation of pre-contractual measures or in the context of the conclusion of a contract. The jointly responsible parties have concluded an appropriate agreement pursuant to Art. 26(1) GDPR.
* such partners of Cloover that are responsible for providing a corresponding offer to you or for further steps towards concluding a contract within the scope of your referral request to us.

If we pass data on to our service providers, they may use the data only to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions in accordance with Art. 28 GDPR, have suitable technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us.

6. Data transfer to third countries

Insofar as Cloover transfers personal data to countries outside the scope of the GDPR, Cloover ensures that the recipient of the data guarantees an adequate level of data protection. If the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for all data transfers. These include the European Union’s standard contractual clauses or binding corporate rules; where this is not possible, we base the data transfer on derogations pursuant to Art. 49 GDPR, in particular on your express consent or on the necessity of the transfer for the performance of a contract or the implementation of pre-contractual measures.

If a transfer to a third country is planned and there is no adequacy decision or suitable safeguards, there is the possibility and the risk that authorities of the respective third country (e.g. intelligence services) may gain access to the transmitted data to collect and analyse it, and that the enforceability of your data subject rights may not be guaranteed. When obtaining your consent via the consent banner, you will also be informed about this.

7. Deletion of data

We process your personal data for as long as this is necessary for the establishment, performance or termination of the contractual relationship between you and Cloover or for the exercise or fulfilment of the rights and obligations arising from the contractual relationship.

In addition, we are subject to various retention and documentation obligations arising, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods stipulated there are two to ten years.

Finally, the retention period is also determined by the statutory limitation periods, which according to Sections 195 et seq. of the German Civil Code (BGB) are generally three years, but in certain cases may be up to thirty years.

Storage serves as evidence for civil-law claims, for statutory retention obligations or there is another data protection legal basis for the further processing of your data in the specific individual case.

8. Data protection rights

You may assert the data subject rights under Art. 7(3), Art. 15–21 GDPR at any time if the respective statutory requirements are met:

* right to withdraw consent (Art. 7(3) GDPR),
* right of access to the processing of your personal data (Art. 15 GDPR),
* right to rectification of your incorrect personal data stored by us (Art. 16 GDPR),
* right to erasure (Art. 17 GDPR),
* right to restriction of processing (Art. 18 GDPR),
* right to object to processing (Art. 21 GDPR),
* right to data portability (Art. 20 GDPR).

With regard to the right of access and the right to erasure, the restrictions under Sections 34 and 35 BDSG apply.

You also have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR in conjunction with Section 19 BDSG. You can exercise this right, for example, with a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin.

Your requests to exercise data protection rights and our responses to them are stored for documentation purposes for a period of up to three years and, in individual cases, beyond this if there are grounds for the establishment, exercise or defence of legal claims. The legal basis is Art. 6(1)(f) GDPR, based on our interest in defending possible civil-law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5(2) GDPR.

You have the right to withdraw your consent at any time. This means that we will no longer continue the data processing based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your data. If the objection concerns data processing for direct marketing purposes, you have a general right to object which we will implement without you needing to provide reasons.

If you wish to exercise your right of withdrawal or objection, a simple informal message to the contact details provided above is sufficient.

In the context of operating the Cloover website, there is no automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

9. Changes to the Privacy Policy

We update this Privacy Policy from time to time, for example when we adjust our website or when legal or regulatory requirements change.