Privacy.

ternaty provides the website https://ternaty.com (“Website”). On this Website, ternaty provides information as well as various opportunities for participation and interaction.

The protection of personal data is very important to ternaty. The extent to which data is collected when visiting the website and using the services offered there, and the purpose for which this data is processed, is explained in the following data protection declaration. ternaty complies with all applicable legal provisions on the protection of personal data and data security.

The legal basis for data processing is Art. 6 para. 1 a), Art. 7 GDPR for consents, Art. 6 para. 1 b) GDPR for the fulfillment of services and execution of contractual obligations, Art. 6 para. 1 c) GDPR for the fulfillment of legal obligations and Art. 6 para. 1 f) GDPR for the protection of legitimate interests. In the case of processing of special categories of personal data, your consent pursuant to Art. 9 para. 2 GDPR serves as the legal basis.

I. Name and contact details of the responsible parties

Responsible in the terms of Art. 4 DSGVO for the processing of personal data are:

ternaty GbR
Jennifer Beitel and Markus Traber
An der Kappe 56
13583 Berlin
hi@ternaty.com

II. Type of processed data / purpose of processing / legal basis

In the following, we explain what kind of personal data is processed when visiting the website and using our offer. Processing in this sense means any form of use of the data, for example, the collection, recording, storage, provision, organization, transmission, display, editing, deletion, reading or retrieval. Personal data is only processed to the extent that it is necessary for the provision of our offer, communication with users, the provision of services, the implementation of the contractual / business relationship, as well as for the optimization of business processes and the needs-based design of our services.

We adhere to the principle of data minimization and process your personal data only in strict compliance with data protection regulations. In particular, corresponding data will only be processed if there is a legal permission / legal basis.

1. Visiting the website

1.1 Server log files

When visiting the website and using the services, so-called server log files are automatically collected. These server log files contain the IP address – only in anonymized form – browser information (type, version, if transmitted by the visitor), the operating system of the device, date and time of the server request, number of visits, length of stay on the website, date and time of the server request, the previously visited website (if transmitted by the visitor).

Additional personal data, such as names, are not collected.

The data is processed by us in order to establish a seamless connection to our website. The processing is necessary to ensure the security and stability of the system and a convenient use of the website.

In addition, we use the log data for statistical evaluations, for the purpose of optimizing the processes and the security of the services. We reserve the right to check the log data retrospectively if there are concrete indications of suspected illegal use of the service provided.

The legal basis for the data processing is Art. 6 para. 1 b) and f) GDPR.

1.2. Website Analytics

We do not use Website Analytics, yet.

1.3. Cookies

The website does not use cookies.

2. Contact

If you contact us under our postal address, e-mail address or telephone number provided on the website, we will process the contact data provided by you, i.e. name, postal address, e-mail address, telephone number and any additional information you may have provided, e.g. date of birth, bank details, marital status or similar.

In this case, the processing of your contact data is essential in order to get in touch with you and to be able to answer your request. If additional data is provided, the purpose of processing it is to individualize it so that we can respond to your request in the best possible way.

The legal basis for the data processing is Art. 6 para. 1 a), b) and f) GDPR.

3. Newsletter

We do not offer a newsletter yet, but if we do, the privacy stuff in relation to the newsletter will be displayed here.

4. Creation of an user account / registration

The creation of the user account is voluntary and serves to simplify the use of the functions offered on the website and to enable the use of extended functions.

If you choose to set it up, we will process your email address.

If you have chosen to create a user account, the processing of the personal data you provide during registration is essential to set up the account for you individually, to identify you and to grant you access to the account each time you log in.

The legal basis for the data processing is Art. 6 para. 1 a), b) and f) GDPR.

5. Setting up a room

When setting up a room (in the ternaty virtual space), we process the opening of the room, room name with description, two accent colors for the design of the room and user interface. To set up a room these products must be purchased beforehand (see Chapter 8). The associated personal data is processed in the course of the setup.

In addition, we process the personal data that you upload to set up the room. This includes, for example, texts, photo, video or audio files or other information such as names or contact addresses.

If you have chosen to set up a room, the processing of the voluntarily provided personal data is necessary to fully display and allow the use of the room with the content you have specified.

The legal basis for data processing is your consent pursuant to Art. 6 para. 1 a), b) and f) GDPR.

6. Visit of a room

Rooms on our website can be public, i.e. accessible to everyone, or private, i.e. accessible only to invited guests.

Access to public rooms is done by selecting the room on the website. Access to private rooms is granted either via a link sent by e-mail or by selecting the room on the website and entering the access data sent in advance. The processing of your e-mail address is necessary to grant you access to the room.

If you enter and use the rooms as a registered user, we can recognize this, so that an assignment to your personal data specified when setting up the user account takes place.

6.1. Entering the room:

When you enter the room or attend the party, we process the following data:

a. User account data:

You do not need to create an account to use the ternaty virtual space. If you choose to create an account with your email address, we will receive your email address to send you a login link, but will only store a hashed version of your email address.

b. Technical data:

We receive and store data about room URLs and names, the type of device you use to interact with ternaty virtual space, as well as the operating system, language, browser name and version, and other data used to load and operate the room.

c. Interaction data:

We receive data about your interactions with ternaty virtual space, such as the number of rooms created, the maximum number of users in a particular room at the same time, the start and end time of a user’s interaction with ternaty virtual space, the duration of a user’s interaction with ternaty virtual space through virtual reality, the first time in a particular month or on a particular day that a user starts using ternaty virtual space. ternaty uses third-party services to store and analyze these operational messages.

d. Error data:

In order to diagnose problems, ternaty virtual space sends logs of error messages (which include the space URL, request response time, the page you were on when the error occurred, your operating system, browser information, and possibly your anonymized IP address) to ternaty.

6.2. during the stay and use of the room:

We need certain information to operate ternaty virtual space. For example, we need information about your account to store your avatar. We may receive the following information from you:

a. Sever log files

If you decide to visit ternaty virtual space, we also process your server log files already mentioned in section. 1, so that, among other things, the time and duration of your visit and your click behavior are known.

b. Microphone

To participate in the voice chat in a public ternaty virtual space room, it is mandatory to enable the microphone function on your end device. This function is only activated if you give your explicit consent. When the service is activated, we process the audio data you provide via this function.

c. Account information:

You do not need an account to use ternaty virtual space. However, for certain functions (like saving your avatar) an account is required. You can create an account through ternaty virtual space (currently only after personal or written agreement with ternaty). When you create an account using your email address, we store a hashed version of your email address.

d. Room name and URL

Rooms and room names are publicly available to anyone who knows the URL. ternaty stores the name and URL for the link you share so that you and others who have the link to the room can reuse it.

e. Avatar data

The use of ternaty virtual space rooms is done through avatars. You can use one of the ternaty virtual space default avatars or create your own personal avatar.

We process the name, design features as well as the positioning of the avatar in the room and any interactions with other avatars or objects in the room.

Your selected avatar and name will be shared with other participants in the room. Your browser saves the avatar selection and nickname you provide. Registered users can optionally upload their own avatars to our servers.

Visiting as a spectator:
The previously mentioned data in chapter 6.2. e. will not be transmitted.

Visiting in VR:
During the visit in VR, we additionally process the viewing direction transmitted by you via the headset as well as the hand, head and movement data.

f. Voice data

When your microphone is on, ternaty sends audio to other users in the room. ternaty does not store the audio data; we only receive it temporarily to transmit it to others in the room.

g. Chatting

When you send messages in ternaty virtual space, ternaty shares them with other users in the space. ternaty does not store chats; we only receive them temporarily to broadcast them to others in the space.

h. Photos and videos you take, and photos, videos and objects you upload

You have the possibility to upload pictures, videos, audios, texts or other files or information in the room and share them via the chat function.

We process the data that you provide. The data will be shared in the ternaty virtual space room you have selected and will be accessible to all visitors of the room.

Visiting as a spectator:
The upload of pictures, videos, audios or other files is not possible as a spectator.

When you take photos and videos in a ternaty virtual space room, or upload photos, videos, or objects to a room, ternaty stores them so you can share them within the room. The files will be deleted within 72 hours unless you pin them. If you pin them, they are stored until you remove them from the room, and they can be viewed by all users who can access the room.

You can learn more by looking at the code itself: ternaty virtual space client (the frontend) Dialog (the webRTC server) Reticulum (the backend web server) Hubs-Ops (the infrastructure code).

We process the data mentioned under 6.1. and 6.2. in order to enable you to use the corresponding functions and to present the data voluntarily submitted by you in the respective rooms as requested.

The legal basis for the data processing is Art. 6 para. 1 a), b) and f) GDPR.

7. Feedback

You have the possibility to give us feedback about our service via the corresponding contact field on the website. The contact is made by e-mail.

The disclosure and processing of your e-mail address is mandatory. Any further processing of data will only take place with regard to data that you provide voluntarily.

If you contact us via the contact field provided on the website, the data you voluntarily provide as well as your registration data will be processed in the event that you contact us as a registered participant to enable the desired communication with us.

The legal basis for the data processing is Art. 6 para. 1 a), b) and f) GDPR.

8. Purchase order

You have the option to purchase or order our products and services via the “Order” function. To process the order through our online store, we process the contact data requested via the input mask, namely name and e-mail address, shipping address and bank details. If you provide additional data voluntarily, such as address or date of birth, we will process it.

The processing of the data is necessary to provide you with the best possible advice, to personalize the products ordered and to process the order, in particular to enable payment and the sending of the products.

The legal basis for data processing is your consent pursuant to Art. 6 para. 1 a) and para. 1 b) GDPR.

---

Note: Special categories of personal data
If, in the course of using our service, you provide us with data that falls under the so-called special categories of personal data within the meaning of Article 9 of the GDPR (ethnic origin, political opinions, religious or ideological beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, and data concerning sex life or sexual orientation), we will only process this data on the basis of your consent.

We would also like to point out at this point that the granting of consent is voluntary. It can be refused without giving reasons and can be revoked at any time after it has been granted. In the event of revocation, the data covered by the consent will be deleted immediately.

---

III. Duration of data storage

Your data will be stored for as long as is necessary to fulfill the above-mentioned purposes.

As soon as this is no longer the case, e.g. after the complete termination of the contractual/business relationship, they will be deleted or blocked if and as long as commercial or tax retention obligations require this (Art. 6 para. 1 p. 1 c) GDPR). From the point in time when there are no longer any legal storage obligations to the contrary, the data will be deleted unless you have expressly consented to its further use (Art. 6 para. 1 p. 1 a) GDPR).

• Server log files are stored on the server for a maximum of 14 days. We store this information for a maximum period of 2 months. Backups are kept in encrypted form for 14 days.
• When you upload chat messages, photos, videos, audio or other files to a room, ternaty stores them so you can share them within the room. They will be deleted within 72 hours unless you pin them (which requires a user account). If you pin them, they are stored until you remove them from the room, and they can be viewed by anyone who has access to the room.
• If you have subscribed to our newsletter, we will store the information you have provided for the duration of the subscription. Once you have unsubscribed from the newsletter, we will keep the data for another year, after which it will be automatically deleted.
• With regard to data transmitted by e-mail, a check is made at the end of each year to determine whether further storage is necessary or whether there are retention obligations for the e-mails. Depending on this, e-mails are stored further or deleted.
• For a detailed overview of the cookies used in the operation of the website and the duration of storage, please see our Cookie declaration.

IV. Disclosure of data to third parties / transfer to third countries

In principle, the data you provide will not be made available to third parties. In individual cases, however, it may be necessary to pass on your personal data to companies that are entrusted by us with the provision of individual services (e.g. web host, programmer, payment service provider, cloud provider, accounting).

If, in the course of our processing, we disclose data to third parties, transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission, your consent, a legal obligation or on the basis of our legitimate interests. If we commission third-party providers with the processing of data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.

For their part, the third parties are obliged to comply with the legal regulations when handling and processing this data.

It is possible that the headquarters of a third party is located in a third country, i.e. in a country in which the GDPR does not have direct legal effect. In this case, the transfer of data will only take place if you have given your consent, an adequate level of data protection prevails, for example due to individual agreements, the use of EU standard contractual clauses, the existence of an EU adequacy decision, or other legal permission exists.
A transfer to authorities and state institutions entitled to receive information is also possible, but will only take place within the scope of the legal obligations to provide information and in the event of a court decision obligating us to do so. In these cases, ternaty may provide the information, e.g. for the assertion, exercise and defense of legal claims, enforcement of existing contracts, in the context of allegations of fraud, security measures or generally legally applicable regulations.

Personal data will not be passed on outside the scope described here without express consent.

Under no circumstances will ternaty sell or rent personal data to third parties.

V. Third-party services when operating the website

We would like to draw your attention separately to the following third-party providers whose services we use as part of the operation of the website and to provide our services, and who may come into contact with the personal data presented above:

• Sketchfab Inc., 440 9th Avenue, Suite 1700, New York, NY 10001, USA (“Sketchfab”)
• Wolf3D, Pardi tn 2d, Pärnu, Pärnu County, 80015, Estonia (“ReadyPlayerMe”)
• Digital Ocean LLC., 101 Avenue of the Americas 10th Floor, New York, NY 10013, USA (“Digital Ocean”)
• Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany (“Hetzner”)

We expressly point out that we ourselves have no influence on the scope of the data that these companies collect. We must therefore rely on the information provided by the respective companies with regard to data protection, to which we refer in the following clarification. 

If necessary, please inform yourself further with the companies in detail about the purpose and scope of the data collection as well as your rights in this regard and setting options to protect your privacy. We have provided the links to the data protection declarations here.

In the following, you will find information on the possible data protection implications of working with the third-party providers as well as further links.

1. Sketchfab

We use the services of the provider Sketchfab, a database of 3D objects, to be able to use these 3D objects in our ternaty virtual space rooms.

You can learn more about Sketchfab’s privacy policy here:

• https://sketchfab.com/terms
• https://sketchfab.com/privacy

2. ReadyPlayerMe

The ReadyPlayerMe service allows visitors of our website to create and use avatars.

You can learn more about ReadyPlayerMe’s privacy policy here:

• https://readyplayer.me/terms
• https://readyplayer.me/privacy

3. Digital Ocean

We use Digital Ocean for the operation of the virtual 3D spaces of ternaty virtual space.

You can learn more about Digital Ocean’s privacy policy here:

• https://www.digitalocean.com/legal/terms-of-service-agreement
• https://www.digitalocean.com/legal/privacy-policy

We have entered into an data processing agreement with Digital Ocean and fully implement the strict requirements of the German data protection authorities when using Digital Ocean: Link Data Processing Agreement

4. Hetzner

We use Hetzner for the operation of the website, its analysis, email traffic and the newsletter tool.

You can learn more about Hetzner’s privacy policy here:

• https://www.hetzner.com/legal/terms-and-conditions
• https://www.hetzner.com/legal/privacy-policy

We have concluded data processing agreements with Hetzner and fully implement the strict requirements of the German data protection authorities when using Hetzner: Link Data Processing Agreement

VI. Online presences / company profile in social media

Our company has online presences on various social media and platforms, currently GitHub, Instagram, Mastodon and LinkedIn. Through this, we simplify the search for our services for interested parties and offer an additional channel of communication.

The purpose of the processing of user data by the respective social media and platforms is usually user-specific advertising, i.e. individualized advertising can be displayed that corresponds to the presumed interests of the user or results from his/her previous usage behavior.

It is possible that the headquarters of a social medium or platform is located in a third country, i.e. in a country in which the GDPR does not have direct legal effect. In this case, the transfer of data will only take place if your consent is given, if an adequate level of data protection prevails in the third country (for example, due to individual agreements, the use of EU standard contractual clauses or in the case of an EU adequacy decision) or if there is another legal permission for the data transfer.

We would like to make it clear that in the event of information requests and/or the assertion of other data subject rights, users should contact the respective third-party providers directly. They have insight and access rights to the user data stored and processed there and can provide information and/or take measures accordingly. If you contact us directly, we will try to support your request as best we can. However, since we have no insight into or access to the data stored by third-party providers, our options for action are limited.

Please inform yourself about the data processing principles of the respective companies by referring to the corresponding data privacy policies.

Further information on the handling of user data can be found here: GitHub, Instagram, Mastodon, LinkedIn.

VII. Data subject rights

As a person affected by the processing of personal data, you are entitled to the rights listed below. These rights result from the requirements of the General Data Protection Regulation and are reproduced here in a partially simplified form.

1. Right to revoke the consent declaration

Pursuant to Art. 7 (3) GDPR, you have the right to revoke your consent to processing at any time. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected. The right of revocation can be exercised by an informal declaration. A written declaration or, alternatively, an e-mail to the above contact address is sufficient.

2. Right to information

According to Art. 15 GDPR, you have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to information about this personal data and the information referred to in Art. 15 para. 1 second sentence GDPR. This includes in particular the purpose of the processing, the categories of data processed, the recipients to whom data has been or will be disclosed, as far as possible the planned duration of storage or the criteria for the duration of storage.

3. Right to rectification

In accordance with Art. 16 GDPR, you have the right to demand that we correct any inaccurate personal data relating to you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.

4. Right to deletion

According to Art. 17 GDPR, you have the right to demand that personal data concerning you be deleted without delay. We are obliged to delete personal data without delay if one of the reasons listed in Art. 17 para. 1 GDPR applies. These reasons include, for example, that the data is no longer necessary for the purposes for which it was collected or otherwise processed.

5. Right to restriction of processing

Pursuant to Art. 18 GDPR, you have the right to demand that we restrict processing if one of the conditions listed in Art. 18 GDPR applies. This includes, for example, that you dispute the accuracy of the personal data. Then we may only process the data in a restricted manner for as long as it takes to verify the accuracy of the personal data.

6. Right of data portability

Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. You have the right to transfer this data to another controller, i.e. another entity that processes data, without hindrance, provided that the original processing was based on consent or was necessary for the performance of a contract.

7. Right to object

Pursuant to Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you, if this data is processed on the basis of Art. 6 para. 1 e) or f) GDPR and there are reasons arising from your personal situation. You may object to the processing of data for the purpose of direct marketing at any time. Personal data will then no longer be processed for this purpose. The right to object can be exercised by an informal declaration. A written statement or, optionally, an e-mail to the above contact address is sufficient.

8. Automated decision in individual cases including profiling

Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. Article 22 para. 1 of the GDPR provides for exceptions to this right, although Article 22 para. 4 of the GDPR contains partial exceptions.

9. Right to complain to a supervising authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, pursuant to Article 77 of the GDPR, without prejudice to any other administrative or judicial remedy, if you consider that the processing of personal data concerning you infringes this regulation.

In the present case, the competent supervisory authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin

Entrance visitors: Puttkamerstr. 16-18

Phone: +49 30 13889-0
Telefax: +49 30 2155050
E-Mail: mailbox@datenschutz-berlin.de

VIII. Technical and organizational measures

We take technical and organizational measures to ensure that the security and protection requirements of the GDPR are met and that personal data is protected against loss, destruction, manipulation or access by unauthorized persons. The measures are adapted to the current state of the art in each case.

IX. Changes to the privacy policy

We reserve the right to change this privacy policy at any time. You are encouraged to periodically review the contents of this Privacy Policy.

Status: 6th October 2022