Privacy Policy

Table of content

  1. The person responsible for data collection on these web pages is
  2. Data Protection Officer
  3. General information on the collection and processing of data
  4. Legal basis for the processing of personal data
  5. Processing of data by means of log files
  6. Forms on our website
  7. Content Delivery Network
  8. Job offers
  9. Categories of recipients of data; data transfers to a third country
  10. Encryption
  11. Your rights
    1. Rights as a data subject
    2. In particular: Your right to object
    3. Contact address for exercising your rights
    4. Right of appeal to the supervisory authority
  12. Duration of storage and routine deletion


The person responsible for data collection on these web pages is:
Payla Services GmbH
Kaiserplatz 2
80803 Munich
(hereinafter: “we”, “us”)

Data Protection Officer
Our data protection officer is the
ISiCO Datenschutz GmbH, reachable under:

ISiCO Data Protection GmbH
Data Protection Officer Payla Services GmbH
Am Hamburger Bahnhof 4
10557 Berlin
or at [email protected]


General information on the collection and processing of data

We collect and process personal data if you provide it to us when contacting us or via an input form. We also collect and process data that is generated when you use our websites. Personal data is any information relating to an identified or identifiable natural person.

When you use our websites, we may also store information in the terminal device that you use to access our websites (e.g. your computer or smartphone) or access information that is already stored in this terminal device, in particular by setting so-called cookies.

Your data will be processed in accordance with the provisions of the EU General Data Protection Regulation (DS-GVO), the Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG).

In the following, we explain in detail how we process which data and on what legal basis. In addition, we explain what rights you have and how long your data will be stored.


Legal basis for the processing of personal data

The processing of your personal data may be necessary for various reasons. The processing is partly carried out on the basis of legal regulations, e.g. pursuant to Art. 6 (1) b) DS-GVO for the purpose of fulfilling a contract or for carrying out pre-contractual measures that take place in response to your request, or pursuant to Art. 6 (1) f) DS-GVO on the basis of our legitimate interests or the legitimate interests of third parties, e.g. in responding to any other request you have made to us. If no such legal permission for the processing of personal data exists, we ask for your consent before we process personal data. In the following, we would like to explain the different forms of collecting your data, the legal basis and, if applicable, the transfer to third parties.


Processing of data by means of log files

When using our websites, so-called log files are stored on the basis of Art. 6 para. 1 lit. f) DS-GVO, in which access data is stored each time a page is called up. The data record stored contains the following data:

The IP address, the date, the time, which file was accessed, the status, the request that your browser made to the server, the amount of data transferred and the website from which you came to the requested page (referrer), as well as the product and version information of the browser used, your operating system and your country of origin.

Our legitimate interest in collecting and processing your data is described below: We use the log data (logs) anonymously, i.e. without attribution or references to your person, for statistical evaluations, e.g. to find out on which days and at which times the offers of these websites are particularly popular and how much data volume is generated on these websites. In addition, the log files make it possible to detect errors if necessary, e.g. faulty links or program errors. In this way, we can use the log files for the further development of these websites. We do not link the page views and usage stored in the server log to individual persons at any time. However, we reserve the right to use data from log files if we suspect, on the basis of certain facts, that users are using these websites and/or services in a manner that is illegal or in breach of contract. In the event of such suspicion, IP addresses may also have to be stored temporarily, but we delete these immediately as soon as they are no longer required.


BORLABS Cookie Consent Tool

We use BorlabsCookie on our website, which is among other things a tool to store your cookie consent. Service provider is the German company Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany. You can learn more about the data processed through the use of BorlabsCookie in the Privacy Policy at


Forms on our website

If we provide forms on our website, you can provide your contact details on our website via the forms we provide, e.g. in order to request offers regarding our services. In these cases, we process the data requested in the form in accordance with Art. 6 para. 1 letter b) DS-GVO for the purpose of fulfilling your pre-contractual enquiry addressed to us.

If you send us other enquiries and provide us with personal data in the process, we process your data pursuant to Art. 6 (1) (f) DS-GVO on the basis of our legitimate interest in responding to your enquiry.


Content Delivery Network

We use a so-called Content Delivery Network (“CDN”) of the technology service provider Cloudinary. A content delivery network is an online service that is used in particular to deliver large media files (such as graphics, page content or scripts) through a network of regionally distributed servers connected via the internet. The use of Cloudinary’s Content Delivery Network helps us to optimise the loading speeds of our website.

When you access our website, your access data, in particular the IP address, is therefore transmitted to the technical service provider Cloudinary Inc. 111 W Evelyn Ave, Suite 206 Sunnyvale, CA 94086, USA ( This transfer takes place in accordance with Art. 6 (1) (f) DS-GVO and serves our legitimate interest in providing a secure and efficient service, improving the stability and functionality of our website and providing a voluntary user-friendly network. Please note that your data is usually transferred to a Cloudinary server in the USA and stored there. The data is stored exclusively pseudonymised by Cloudinary with its own ID.

To protect your data in the USA, we have concluded a data processing agreement (“Data Processing Agreement”) with Cloudinary based on the standard contractual clauses of the European Commission to enable the transfer of your personal data to Cloudinary. You can view Cloudinary’s privacy policy here:


Job offers

We use our website in particular for job offers. In order to decide on the chances of success of an application, the provision of personal data is desired and also necessary. We require name and contact details, date of birth, place of birth, details of professional circumstances, professional qualifications, professional experience, certificates and details of other special qualifications in accordance with the specific job advertisement (such as language skills or programming skills).

You can provide us with further information voluntarily, but it is not a prerequisite for consideration of an application. You will not be disadvantaged if you do not provide this information. This voluntary information also includes application photos.

Your application documents will be digitally stored and processed by us. This applies regardless of how you send us your application documents, i.e. in particular also for applications sent to us by post.

The legal basis for the processing is Section 26 (1) sentence 1 BDSG, insofar as it concerns information that we request from you as part of the application process for the establishment of an employment relationship with us. If you voluntarily provide us with further information in your application documents, we process this on the basis of your consent, Art. 6 para. 1 letter a DS-GVO in conjunction with. § Section 26 (2) BDSG.

Please note that in particular CVs, cover letters or other data provided by you for the purpose of the interview may also regularly contain information on “special categories of personal data” within the meaning of Article 9 (1) of the GDPR (e.g. a photo that reveals ethnic origin, information on severely disabled status, etc.). If you send us information of this kind, you agree that we may store this information as part of your application documents, Art. 9 para. 2 letter a DS-GVO in conjunction with. § 26 para. 2 BDSG. Your personal data will only be processed beyond this storage if this is expressly stated in this data protection declaration.

If special legal obligations arise for us from health-related information, such as a severely disabled status, we will process this data on the basis of Art. 9 para. 2 letter b DS-GVO in conjunction with Art. 26 para. 3 BDSG in order to be able to comply with these legal obligations. § Section 26 (3) BDSG in order to comply with these legal obligations.

If you do not apply for a specific job advertisement with us, or if we select another person for the specific job advertisement, but would nevertheless like to consider your application for future vacancies, we can include you in our talent pool and continue to store your application so that we can contact you at a later date. However, this requires that you expressly give us your consent to do so within the meaning of Art. 6 Para. 1 Letter a, 9 Para. 2 Letter a DS-GVO in conjunction with. § 26 para. 2 BDSG. In such a case, we will request this separately from you. In all other respects, the general data protection information also applies accordingly in these cases.

For our job offers we use an online tool of Recruitee B.V.. Keizersgracht 313, 1016 EE Amsterdam, The Netherlands. Recruitee processes data that you provide to us as part of the application or the subsequent exchange of electronic messages, as well as usage data (log files, access times) exclusively on our behalf and in accordance with our instructions as part of a commissioned processing (Art. 28 DS-GVO). You can view the terms of the order processing agreement here: You can access Recruitee’s data protection notice here:

Categories of recipients of data; data transfers to a third country
We have engaged various service providers who process personal data of our users and customers on our behalf. These include, for example, cloud providers for software that we use, but also our host provider, on whose servers our websites are located. As a matter of principle, we carefully select all service providers and oblige them to protect the personal data of our customers and users. Data is not transferred to third countries unless expressly described otherwise herein.



If you are able to enter personal data on our website, this is transmitted via the Internet using SSL encryption. We secure our website and other systems by technical and organisational measures against loss, destruction, access, modification or distribution of your data by unauthorised persons.


Your rights

a) Rights as a data subject
Pursuant to Art. 15 of the German Data Protection Regulation (DS-GVO), you have the right, upon request and free of charge, to receive information about the personal data that has been stored about you. In accordance with Art. 16, 17 and 18 DS-GVO, you also have the right to correct inaccurate data and to restrict processing or delete your personal data.

You are also entitled, under the conditions set out in Art. 20 DS-GVO, to receive the personal data relating to you that has been stored in a structured, common and machine-readable format and to transfer this data to another controller without hindrance from us.

b) In particular: Your right to object
In addition, you have the right to object to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(f) of the GDPR, including profiling, on grounds relating to your particular situation, in accordance with Article 21(1) of the GDPR. We will comply with this objection insofar as the legal requirements for its assertion are met.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing, including profiling, insofar as it is related to such direct marketing, in accordance with Article 21(2) of the GDPR. In such a case, we will no longer use your personal data for the purposes of direct marketing.

c) Contact address for exercising your rights
Please address any requests regarding your personal data to the contact details provided at the beginning of this privacy policy, but also in the imprint of our website.

d) Right of appeal to the supervisory authority
Every data subject also has the right to lodge a complaint with a data protection supervisory authority about our processing of personal data.


Duration of storage and routine deletion

Unless otherwise expressly stated in this privacy policy, we process and store personal data only for the time necessary to achieve the purpose of the processing or as soon as provided for by laws or regulations to which we are subject.

If the purpose of storage no longer applies or a legally prescribed storage period expires, the personal data will be routinely restricted in its processing or deleted in accordance with the statutory provisions.


Status: 18.10.2022