Updated: September 2023
Ableton AG, Schönhauser Allee 6-7, D-10119 Berlin herewith informs you about the processing of personal data for which Ableton is the responsible controller according to the provisions of the EU General Data Protection Regulation (GDPR). Your data may also be processed by other companies belonging to the Ableton group, whereas such data processing is based on Adequacy Decisions by the EU Commission and EU standard contractual clauses (with additional safeguards where legally required).
Apart from sending us a letter, you may contact us at any time via privacy[at]ableton[dot]com.
You can reach our data protection officer by sending an e-mail to AbletonDSB[at]daspro[dot]de or by sending a letter to Ableton DSB, daspro GmbH, Kurfürstendamm 21, 10719 Berlin.
Below you can find the most important information on typical processing of your data, organized by affected user groups (groups of data subjects). For certain data processing operations, which only concern specific groups, the information requirements are fulfilled separately. Where the term "data" is used, we refer to personal data within the meaning of the GDPR only.
- Website Visitors
- Ableton Account User, Ableton Product Customer
- Newsletter Recipients
- Survey, interview and usability test participants
- Job Candidates
- Applicants and Participants of Loop
- Help and Support Requesters
- Ableton Forum Members
- Ableton Social Media Pages Visitors
- Communication Partners, Artists, Certified Trainers, Community Members, other Externals
- Development Partners
- Rights of Data Subjects and Further Information
- Information for Non-EU and US Residents
1. Website Visitors
1.1 Server-log data
When using our websites, certain information is sent to the server of our websites by the browser used on your device for technical reasons. This data is stored and processed on our server.
(i) We process the following data for the purpose of providing the contents of the website that you have visited, to ensure the security of the IT infrastructure used, to correct errors, to enable and simplify searches on the website and to manage cookies.
(ii) The data processed is HTTP data: HTTP data is protocol data that is generated when the Websites is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (for example: when requesting third-party content).
(iii) The legal basis for the processing of the abovementioned data is our legitimate interest in the operation of an online presence, communication with communication partners and internal compliance reporting (Article 6 para. (1) (f) GDPR).
(iv) The data is automatically transmitted by the browser of the user.
(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.
(vi) IP addresses are anonymized after 24 hours at the latest. Pseudonymous usage data will be deleted after six months.
(vii) Without disclosure of personal data such as the IP address, the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.
1.2 Technically required cookies
We use cookies on our websites. Cookies are small text files containing information that can be stored on the user's device via the browser when visiting a website. The information stored in cookies can be read out and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.
In the structure of our privacy policy, we differentiate between technically required cookies and tracking cookies. Cookies that are technically required for the functioning of the websites cannot be deactivated via the cookie management function of the websites. However, you can generally deactivate cookies at any time in your browser. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the websites may not or no longer function properly if you generally deactivate cookies in your browser settings.
a) Consent Cookies
We use so-called Consent Cookies to store your consent, possible right to withdraw your consent and opt-out of the use of cookies on our websites.
(i) The purpose of data processing is the storage of the user decisions on cookies (consent, withdrawal, opt-out).
(ii) The processed data are:
HTTP data:
HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
User decision on cookies:
User's decision on individual cookies or groups of cookies. Time of the decision and of the last visit.
(iii) The legal basis for the processing is our legitimate interest of easy and reliable control of cookies settings in accordance with the respective user decisions and improving of user experience (legal basis: Article 6 para. (1) (f) GDPR).
(iv) The data is actively provided by the user (decision on cookies) or automatically transmitted by the user's browser (protocol data, time stamp).
(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.
(vi) Information about your decision rejecting cookies is deleted at the end of the session. The remaining other data will be deleted after one year.
(vii) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.
b) Session Cookies
We use Session Cookies on our websites. This enables us to save information about your customer account, individual settings and certain user actions for the duration of your visit (for example: login, language settings, shopping basket function).
(i) The purpose of data processing is to enable the login, user-specific settings (for example: language) and the technical provision of a shopping cart function.
(ii) The processed data are data concerning the customer account, language selection, country, cookie settings and shopping cart.
(iii) The legal basis for the processing is the usage contract for visiting the website and our legitimate interest in the provision of the individual sessions for the users, including the cookies accepting/rejecting function, shopping basket function or the respective language setting function, each in accordance with Article 6 para. (1) (f) GDPR.
(iv) The data is automatically transmitted by the browser of the user.
(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.
(vi) The data is deleted after one year.
(vii) Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible
c) IT Security Cookies
We use IT Security Cookies on our websites to protect our websites and also our website visitors against IT Security attacks, like for example so-called cross-site request forgery attacks or other attacks by malicious visitors. Some attackers attempt to display fake requests to website visitors.
(i) The purpose of the data processing is to increase the IT Security of the website and of our website visitors and to prevent IT Security attacks.
(ii) The data processed are the IT Security test results and the HTTP log data. Wherever it is possible we use one-way hashes of certain test result values.
(iii) The legal basis for the processing is our legitimate interest in protecting our website and our website visitors from IT Security attacks (Article 6 para. (1) (f) GDPR).
(iv) The data is automatically transmitted by the browser of the user.
(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.
(vi) The data is usually deleted at the end of the session.
(vii) Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.
1.3 Tracking Cookies
We use cookies on our websites. Cookies are small text files containing information that can be stored on the user's device via the browser when visiting a website. The information stored in cookies can be read out and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.
In the structure of our privacy policy, we differentiate between technically required cookies and tracking cookies. Depending on their function and purpose, the use of certain cookies may require the user's consent. Your consent is given through a so-called "cookie banner": When you visit our websites, we display our cookie banner. In our cookie banner you can declare your consent to the use of all cookies requiring consent on this website by clicking on the "Accept" button. Without such consent, the cookies requiring consent are not activated. By clicking the "Close" button, you can also completely reject the use of cookies requiring consent. Your decision will be saved in a cookie. Alternatively, you have the possibility to access our "cookie settings section" by clicking on the "More information" button. In the cookie settings section, you can make an individual selection of cookies and customize them at a later time. We store your cookie settings in the form of a cookie on your device in order to determine whether you have already made cookie settings the next time you visit the websites.
a) Matomo (on-premise version)
We use the web analysis tool Matomo on our websites. We only process data generated by Matomo on our own servers (on-premise). With the help of Matomo, we can analyze the usage behavior of visitors to our websites in pseudonymized and anonymized form. Your IP address is anonymized because we have enabled this function.
You can deactivate the data processing by Matomo at any time in our “cookie settings section”.
(i) The purpose of data processing is to analyze user behavior and to measure the reach of our website and advertisements to optimize our website.
(ii) The processed data or information are:
HTTP data: HTTP data are information generated for technical reasons when using the web analysis tool Matomo via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: Such data include anonymized IP address, type and version of your Internet browser, operating system used, the page visited and URL, the page previously visited (referrer URL), date and time of the visit.
Location data (based on anonymized IP address): Such data may include country, region, city.
Data generated for web analysis and assigned to your device: This includes the User ID. Such User ID is a feature in Matomo that lets us connect together a given user’s data collected from multiple devices and multiple browsers.
Ecommerce data (only when you purchase Ableton products): transaction value, product purchased, product price purchased.
Customer account data (only when you are logged in your Ableton Account): Such data may include current licenses, type of registered hardware unit(s), date of first free unlock of a license, date of last product purchase.
Interaction and event tracking data: Such data are generated from your interactions with functions on our website. Such data include newsletter subscription, form interactions, video and audio interactions, adds to cart, clicks on payment method, links (internal and external) and downloads.
Analytics measurement and report data: Data contained in aggregated segment and device-related reports by the Matomo web analysis tool based on a heatmap analysis and session recordings. These data include information where on a page you as website visitor tried to click, where you moved the mouse and how far down you scrolled as well as clicks, mouse movements, scrolls, window resizes, form interactions, and changes to the website.
(iii) The legal basis for the processing of the above mentioned data is your consent (Article 6 para. (1) (a) GDPR).
(iv) The data is automatically transmitted by the browser of the user.
(v) We use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.
(vi) The data will be deleted after 6 months at the latest.
(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Matomo.
b) Web Extend (Emarsys)
If you have given your consent, we use the web analysis tool Web Extend from the provider Emarsys Interactive Services GmbH on our website. With the help of Web Extend, we can examine the user behavior of visitors to our website in pseudonymized and anonymized form and, for example, evaluate purchases made as a result of email campaigns.
You can deactivate data processing by Web Extend at any time in the “cookie settings section“.
(i) The purpose of data processing is to analyze user behavior and to measure the reach of our newsletter in order to optimize our offers. The main focus here is on the analysis of purchases as a result of email campaigns.
(ii) The processed data are:
Web Extend HTTP data:
This is protocol data that is generated for technical reasons when using the web analysis tool Web Extend via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
Web Extend identifiers
These are pseudonymized identifiers such as external IDs or hashed email addresses for cases where customers are logged in.
Web Extend Browsing Information
Data generated by the web analysis tool Web Extend: Information about the last shopping cart that was canceled, the last completed purchase, and the last web page session.
(iii) The legal basis for the processing is your consent (Article 6 para. (1) (a) GDPR).
(iv) The data is automatically transmitted by the browser of the user.
(v) The recipient of the data is Emarsys Interactive Services GmbH, Stralauer Platz 34, 10243 Berlin, which we use as processor within the framework of a data processing agreement. In the case of data processing in the USA, the basis for data processing is your consent granted through the cookie banner (Art. 49 para. (1) (a) GDPR). In the USA, there is no level of data protection entirely equivalent to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably possible only to a limited extent in the USA. You can withdraw your given consent at any time with effect for the future through the “cookie settings section”.
(vi) The data from the session cookie is deleted after the end of the session. The remaining data will be deleted after one year.
(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Web Extend.
c) Zendesk (on Ableton Help Website)
We use the help desk software tool Zendesk on our Ableton Help Website. Zendesk is acting as our processor within the framework of a data processing agreement. With the help of Zendesk we can answer your questions and help requests in a better way. When Zendesk is used, cookies are used to improve the user experience. If you do not want us to process your data with specific requests through the Zendesk tool and thereby process your usage data, you can alternatively use our other communication channels: https://www.ableton.com/en/contact-us/
(i) The purpose of data processing is to answer help requests of our users on our Ableton Help Website, to analyze user help requests and to improve the user experience.
(ii) The processed data are:
Zendesk HTTP data:
This is protocol data that is generated for technical reasons when using the help desk software Zendesk via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
Zendesk identifiers
These are pseudonymized identifiers such as external IDs or hashed email addresses for cases where customers are logged in (chat widget authentication).
(iii) The legal basis for the processing is your consent (Article 6 para. (1) (a) GDPR).
(iv) The data is automatically transmitted by the browser of the user.
(v) The recipient of the data is Zendesk, Inc., 1019 Market Street, San Francisco, CA 94193, USA, which we use as processor within the framework of a data processing agreement. We have concluded the EU standard contractual clauses with Zendesk, Inc., so that Zendesk, Inc may only process your data for our purposes. In addition, Zendesk, Inc., has established Binding Corporate Rules (Article 42 para. (2) (b), 47 GDPR), which have been approved by the Irish data protection supervisory authority. If the aforementioned measures are not considered sufficient the data processing in the USA is based on your consent (Article 49 para. (1) (a) GDPR). It is possible that US authorities may access personal data without us or you being informed.
(vi) The majority of data is deleted at the end of the session. The support preference settings are stored for one year. Aggregated data will not be deleted.
(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot answer your questions and help requests via Zendesk help desk software.
1.4 Audio and other content from third parties
There are links on our websites to audio files that are stored and accessible on external music content platforms. As soon as you click the button to play a content from such music content platform, the file is loaded by such platform. Technically, the same thing happens as if you would go to the respective platform website via a link: The external music content platform receives all information that your browser automatically transfers (including your IP address). Such external music content platform also sets its own cookies on your device. This also happens if you do not have an external music content platform user account. If you are logged in to such account, your data is directly associated with your account. If you do not want your profile to be associated with such external platform you must log out of your account there before clicking on the audio file content.
Please find more details about the external music content platforms below and in their respective privacy information linked on the external music content platforms.
a) Soundcloud Embedding
The collection and processing of this data is the sole responsibility of SoundCloud Global Limited & Co. KG, Rheinsberger Str. 76/77, 10115 Berlin, Germany, or SoundCloud Inc, 71 5th Avenue, 5th Floor, New York 10003, NY, USA (if you are located in the US). Ableton has no influence on the data processing of Soundcloud.
For information about the processing of personal data by Soundcloud, please refer to the Soundcloud Privacy Policy: https://soundcloud.com/pages/privacy
b) YouTube Embedding (Privacy Enhanced Mode)
The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. Ableton has no influence on the data processing of Google. For information about the processing of personal data by Google, please refer to the Google Privacy Policy: https://policies.google.com/privacy
c) Spotify Embedding
The collection and processing of this data is the sole responsibility of Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. Ableton has no influence on the data processing by Spotify. For information about the processing of personal data by Spotify please refer to the Spotify Privacy Policy: https://www.spotify.com/de/legal/privacy-policy/
d) Bandcamp Embedding
The collection and processing of this data is the sole responsibility of Bandcamp, Inc., USA. Ableton has no influence on the data processing of Bandcamp. For information about the processing of personal data by Bandcamp please refer to the Bandcamp Privacy Policy: https://bandcamp.com/privacy
e) Facebook Video and Instagram Embedding
The collection and processing of this data is the sole responsibility of Facebook (if user is located in the EU: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). Ableton has no influence on the data processing of Facebook. For information about the processing of personal data by Facebook or Instagram please refer to the Facebook products Privacy Policy: https://www.facebook.com/about/privacy
f) Vimeo Embedding
The collection and processing of this data is the sole responsibility of Vimeo.com, Inc., 555 West 18th Street, New York, New York 10011, USA. Ableton has no influence on the data processing of Vimeo. For information about the processing of personal data by Facebook or Instagram please refer to Vimeo Privacy Policy: https://vimeo.com/privacy
2. Ableton Account User, Ableton Product Customer
(i) We process your data for the purpose of performing the obligations stemming from our contractual relationship, for credit checks prior to purchases and for license checks. This includes setting up and using your Ableton Account for interactions with Ableton as well as consulting, support, fault analysis, and the information about new features in the product and new products and the analysis of the usage behavior of the software for product improvement. We also process your data for verification and authentication purposes and for storing such authentication information. A change of these purposes is not planned.
(ii) The processed data are
IP address, name and contact data, user name, language settings, data of the registration of the Ableton account, account events, communication data and usage data, content preferences, user-generated data
and if you acquire an Ableton product:
billing address and details, data of the registration of the Ableton license, type of Ableton Product (for example: Trial License, Live Lite, Live Intro, Live Standard, Live Suite, EDU, Max for Live, Push), order history, download data, account events including validation, data on your eligibility for educational discounts, timestamp and the payment confirmation from Stripe or Worldpay and details on your usage behavior related to the Ableton products.
For fraud prevention purposes, we may also request evidence from you verifying your billing address (e.g. utility bill or telephone bill (feel free to black out any personal account numbers or balances on these) and request confirmation of your billing address, shipping address and the full name on the credit card you use.
You can change the contact data, account settings and content preferences in your user account at any time.
(iii) The legal basis for processing the data of account users and customers who are natural persons is the contract with you (Article 6 para. (1) (b) GDPR), legal obligations (Article 6 para. (1) (c) GDPR) and, if applicable, their consent (Article 6 para. (1) (a) GDPR). The legal basis for the processing of contact data for account users or customers who are not natural persons is the legitimate interest, namely communication with the customer (Article 6 para. (1) (f) GDPR). The legal basis for information on products is the legitimate interest, namely advertising (Article 6 para. (1) (f) GDPR). The legal basis for the analysis of the usage behavior of the software is the legitimate interest, namely product and service improvement and fault analysis (Article 6 para. (1) (f) GDPR) and, if applicable, their consent (Article 6 para. (1) (a) GDPR). The legal basis for the transfer of payment information to payment providers is the fulfillment of contract or legitimate interest of performing payments of our purchase transactions (Article 6 para. (1) (b) or (f) GDPR). The legal basis for querying the data for fraud prevention in case of suspicion is the legitimate interest in the protection against fraud (Art. 6 para. (1) (f) GDPR). The legal basis for the transfer of historic order and payment information to payment providers is your consent (Article 6 para. (1) (a) GDPR). The legal basis on keeping your data – which might be relevant for certain legal disputes – usually for three years (statutory limitation period) is the legitimate interest to defend us against possible claims (Article 6 para. (1) (f) GDPR). The legal basis for processing your data related to the skipping authentication cookie is your consent (Article 6 para. (1) (a) GDPR).
(iv) The IP address, the download data, the account events and details on your usage behavior of the Ableton software are transmitted automatically by your browser. The payment confirmation is provided via Stripe or Worldpay. The other data is provided by you.
(v) We use service providers as processors within the framework of a data processing agreement for the provision of services, such as a service provider, which enables installment payments, as well as other services providers for the provision, maintenance and servicing of IT systems. Banks and payment providers may be recipients of data for the processing of payments and credit worthiness checks. In individual cases, data may be transferred to debt collection service providers, lawyers and courts.
(vi) All data relevant to contracts and book keeping shall be stored for a period of ten calendar years after the contract’s end in accordance with tax and commercial law retention periods. Data that become relevant for a defense against possible claims are stored for three years (statutory limitation). If you do not want the analysis of the usage behavior and fault analysis of the software for product improvement, you can prevent this at any time by yourself in the software preferences; otherwise, such data is retained for up to two years. The data related to the skipping authentication cookie are stored up to two years.
(vii) The provision of data is obligatory for account users to create an Ableton account and for product customers based on statutory and contractual regulations. The contractual relationship cannot be established and carried out without providing data. If you choose to use this option data are necessary for skipping the authentication process on certain devices. You can withdraw such consent at any time via removing the skip authentication cookie (“abltrustagent-<hash>”) in the cookie settings in your browser.
3. Newsletter Recipients
If you subscribe to a newsletter, we will send you information about Ableton and our products and partners. We also occasionally invite you to participate in surveys as part of our newsletter. If you participate in such surveys, the information in Section 4 applies, and we also monitor the reach and success of the newsletter.
If we have an existing contractual relationship with you and you did not opt-out, we may send you information about similar Ableton products and services.
(i) In these events we process your data for the purpose of sending the newsletter. We may also use your usage data to send you more relevant content.
(ii) The processed data are:
name, email address
HTTP data:
This is protocol data that is technically required for opening the newsletter via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
Web Extend Identifiers
These are pseudonymized identifiers such as external IDs or hashed email addresses
Opening and reading times of the newsletter
(iii) If you subscribed for our newsletter the legal basis for the processing of newsletter data is Article 6 para. (1) (a) GDPR (consent). If we have an existing contractual relationship with you and you did not opt-out the legal basis for processing of newsletter data is Article 6 para. (1) (b), (f) GDPR, 7 German Unfair Competition Act (contract with you, legitimate interest about keeping you updated about our products). We may also process your usage data based on our legitimate interest of improving our newsletters, verifying mailing lists and showing you more relevant content (Article 6 para. (1) (f) GDPR).
(iv) You provide your contact details yourself when you engage into a contractual relationship with us or subscribe to the newsletter; the further data for analysis is transmitted automatically by your browser and email client.
(v) We use service providers as processors within the framework of a data processing agreement for the provision and improvement of services, especially for the provision, maintenance and servicing of IT systems. In particular, we use Emarsys Interactive Services GmbH, Stralauer Platz 34, 10243 Berlin, Germany. We may also use the CRM (= customer relation management) service by salesforce.com GmbH, Erika-Mann-Strasse 31-37, 80636 Munich, Germany. We have concluded the EU standard contractual clauses with salesforce.com and salesforce.com may only process your data for our purposes. In addition, salesforce.com has established Binding Corporate Rules.
(vi) Data regarding newsletters will be deleted when you unsubscribe from the newsletters (for example via using the unsubscribe button in a newsletter or via the settings in your Ableton Account). Data with regard to opening and reading times, will usually be deleted or anonymized after 13 months. The remaining data will be deleted after one year if we are not required to keep your data for legitimate interests (such as follow up questions) or compliance with our legal retention obligations the data.
(vii) Data is required to receive newsletters. Without providing data, they cannot be sent. A withdrawal of your consent is possible at any time. Please use the unsubscribe function in the newsletter.
4. Survey, interview and usability test participants
(i) We process your data for the purpose of conducting surveys, interviews and usability tests and the evaluation of the respective results.
(ii) Processed data are name (if it is provided), survey and interview content, time stamp of participation and technical metadata of participation.
(iii) The legal basis for data processing for the conduction and evaluation of surveys, other interviews and usability tests is your consent (Article 6 para. (1) (a) GDPR) or, if you are a frequent tester, a contract (Article 6 para. (1) (b) GPDR). We may also process your mostly aggregated data with our legitimate interest of aligning and improving our products, services and customers’ needs (Article 6 para. (1) (f) GDPR). The legal basis on keeping your data – which might be relevant for certain legal disputes - for three years (statutory limitation period) is Article 6 para. (1) (f) GDPR (legitimate interest to defend us against possible claims).
(iv) You provide your name and the survey, interview and usability test content yourself when you take part in the survey, interview or usability test; the further data is transmitted automatically by your browser.
(iv) We use service providers as processors within the framework of a data processing agreement for conducting and evaluating surveys, interviews and usability tests, as well as for the provision, maintenance and servicing of IT systems. A data transfer to the USA takes place, when we use the software of our service providers. Such service providers include Zoom Video Communications Inc., Zendesk, Inc., Momentive Europe UC, Zenloop GmbH and UserZoom, Inc. (including the Software EnjoyHQ) to conduct surveys and usability tests and improve Ableton products and support service. Zenloop is a business-to-business software-as-a-service platform that allows us to collect your survey responses and analyze feedback from our customers. This enables us to align and improve our needs of our customers and improve them. The basis for data processing in the USA is your consent (Art. 49 para. (1) (a) GDPR). In the USA, there is no level of data protection entirely equivalent to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably possible only to a limited extent in the USA. You can withdraw your given consent at any time with effect for the future. The providers Zoom Video Communications Inc., Zendesk, Inc., Momentive Europe UC, and UserZoom, Inc. are bound by EU Standard Contractual Clauses, so that Zoom Video Communications Inc., Zendesk, Inc., Momentive Europe UC and UserZoom, Inc. may only process your data for our purposes. We also use the CRM (= customer relation management) service by salesforce.com GmbH. We have concluded the EU standard contractual clauses with salesforce.com and salesforce.com may only process your data for our purposes. In addition, salesforce.com has established Binding Corporate Rules.
(v) If we are not required to keep your data for follow up questions or compliance with our legal retention obligations, the data regarding surveys, other interviews or usability tests will usually be deleted once the user testing contract with you has ended or one year after having taken part in a survey, interview or test, at the latest. Data that become relevant for a defense against possible claims are stored for three years (statutory limitation). If you no longer wish to participate in surveys, you can use the unsubscribe button in the emails or change your settings in your Ableton Account under “Personal Details”.
(vi) Taking part in surveys, interviews and usability tests is voluntary and not obligatory. The use of all Ableton products and services is possible without taking part in surveys, interviews and usability tests.
5. Job Candidates
(i) The purpose of data processing is the selection of job candidates. In addition, after the conclusion of an unsuccessful application procedure and with your consent, we may store your applicant data in our applicant pool for the purpose of contacting you again. In this case, we may also contact you in the future with suitable job offers that match your profile. There are no plans to change these purposes.
(ii) Processed data are name, contact data, communication details, job application documents including certificates and curriculum vitae, time stamp of communication as well as technical metadata of communication.
(iii) The legal basis is Section 26 German Federal Data Protection Act (2017) in conjunction with Article 6 para. (1) (b) (employment contract) and Article 88 GDPR and, in the event of requested inclusion in our applicant pool, Article 6 para. (1) (a) GDPR (consent).
(iv) You provide your application data and communication details yourself when you apply for jobs at Ableton; the further data is transmitted automatically by your browser.
(v) The candidate’s data will be transferred internally to the responsible employees in charge of the decision-making. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially the service provider Personio and providers for the provision, maintenance and servicing of IT systems.
(vi) The data will be deleted three months after the application process has ended. In the event of a requested inclusion in our applicant pool, your data will be deleted if you withdraw your consent or after two years latest.
(vii) The provision of personal data is required for the examination of the job application and, if applicable, the subsequent conclusion of an employment contract. Without personal data, a job application cannot be considered. However, applications can be submitted without providing the information that has been marked as voluntary. If you do not give your consent to the inclusion of your applicant data in our applicant pool, this will not result in disadvantages for you in future application procedures.
6. Applicants and Participants of Loop
(i) We process your data for the purpose of holding Loop Events, statistical evaluations about Loop Events, documenting the event by means of video and audio recordings and the use of the recordings made for press and public relations purposes. There are no plans to change these purposes. Additional information on the processing of data for the specific event can be found on the Loop website: https://loop.ableton.com/privacy
(ii) The processed data are: application and contact data (such as name, email), voluntary extra data, communication data, usage data, and video and audio recordings. Usually, you provide the data yourself when you apply for the Loop Event.
(iii) The legal basis for the processing of personal data of prospective participants and participants in Loop Events is Article 6 para. (1) (b) GDPR (contract for the participation of the event) and Article 6 para. (1) (c) GDPR (statutory obligations, in particular tax and commercial law provisions). The legal basis for the production of video and audio recordings is Article 6 para. (1) (f) GDPR (legitimate interest in the documentation of the events organized by Ableton and the legitimate interest in the representation of Ableton through press and public relations work). The legal basis for the processing of special categories of data (such as health data necessary to consider for a Loop Event) is Article 6 (1) (a) in connection with Article 9 para. (2) (a) GDPR (consent). We may also process your mostly aggregated data with our legitimate interest of aligning and improving our products, services and customers’ needs (Article 6 para. (1) (f) GDPR).
(iv) For the purpose of press and public relations work, the image and sound recordings produced can also be transmitted abroad to journalists, media companies, press and photo agencies as well as social media platforms and published by us in printed or digital form. We use data processors like service providers to organize Loop Events and for the provision of our services, in particular for the provision, maintenance and support of IT systems.
Some of our service providers offer the possibility to register directly to their end user services. If you enter into such a direct contractual relationship with one of our service providers the service provider is the independent controller for all data processing under such contract.
We use the CRM (= customer relation management) service by salesforce.com GmbH as a processor within the framework of a data processing agreement. We have concluded the EU standard contractual clauses with salesforce.com and salesforce.com may only process your data for our purposes. In addition, salesforce.com has established Binding Corporate Rules. For further information on data processing by the third party services (including your data being processed outside the EU) please refer to the Loop website https://loop.ableton.com/privacy and privacy policies of the respective third party services.
Banks and payment service providers may be recipients of data for the processing of payments. In individual cases, data may be transferred to debt collection service providers, lawyers and courts.
(v) As applicable, if you have not received a ticket for a Loop Event via drawing/selection, your application data will be deleted immediately. Archived video and sound recordings of the event as well as publications are usually not deleted. All contractual data and data relevant for accounting are stored for 10 calendar years.
(vi) Processing of data is necessary in order to attend Loop Events. If the personal data is not provided, you may not participate in Loop Events.
7. Help and Support Requesters
(i) The purpose of the processing is to provide you with a knowledge base and contact support regarding sales questions and technical support requests.
(ii) The data processed are:
Login data of the Ableton Account: To provide you with our supports regarding your technical requests you have to log into your Ableton Account otherwise we cannot help you with your specific question.
Name and contact data (email, phone, fax, and, as applicable, social media information)
Description of your support request including corresponding data files and meta data
Ableton Products you are using: To provide you with the relevant information we need to know which Ableton Products you are using.
(iii) The legal basis is the existing contract with you relating to the Ableton account and products (Article 6 para. (1) (b) GDPR) and our legitimate interest to provide our users with a knowledge base, a support contact and our legitimate interest in analyzing and evaluating support requests (Article 6 para. (1) (f) GDPR). We may also process your pseudonymous data with our legitimate interest of aligning and improving our products, services and customers’ needs (Article 6 para. (1) (f) GDPR). The legal basis on keeping your data – which might be relevant for certain legal disputes - for three years (statutory limitation period) is the legitimate interest to defend us against possible claims (Article 6 para. (1) (f) GDPR).
(iv) You provide the data yourself, if you send us an inquiry.
(v) We use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems. For online support requests the recipients of the data is Zendesk, Inc., which we use as processor. We have concluded the EU standard contractual clauses with Zendesk, Inc., so that Zendesk, Inc may only process your data for our purposes. In addition, Zendesk, Inc., has established Binding Corporate Rules. If the aforementioned measures are not considered sufficient the data processing in the USA is based on your consent (Article 49 para. (1) (a) GDPR). With your consent in individual cases, we may also use the service provider Zoom Video Communications, Inc.; see the details in section 4. It is possible that US authorities may access personal data without us or you being informed.
(vi) Your data will be deleted after you deleted your Ableton Account or your request has been resolved from our active systems. All contractual data and data relevant for accounting are stored for 10 calendar years. Data that become relevant for a defense against possible claims are stored for three years (statutory limitation).
(vii) The processing of the data is necessary to help you with your inquiries. If the data is not provided, we cannot provide you with the service of our help center.
8. Ableton Forum members
(i) The purpose of the processing is to provide a forum for users of the Ableton products as a platform for general exchange of information and experience reports.
(ii) The data processed are: Ableton Account data, Forum name, contact data, location, Forum registration date, URLs, usage data of the forum (for example: number of posts, friends and foes, moderators and administrators, online status), input in Forum content (for example: posts, messages or search box), website usage data
(iii) The legal basis for processing the data is the contract relating to the use of the Forum (Article 6 para. (1) (b) GDPR).
(iv) You mainly provide the data yourself. Further data is transmitted automatically by your browser.
(v) All data besides the registration data are public to other logged in Forum visitors. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.
(vi) Your data will be deleted after you deleted your Ableton Account. When you delete your Ableton Account, you can choose whether you want your user posts to persist or not.
(vii) The processing of the data is necessary to execute the contract. If the data is not provided, a participation in the Ableton Forum is not possible.
9. Ableton Social Media Pages Visitors
Ableton operates social media sites. Social media pages are run by service providers who process data for providing such sites.
(i) The purpose for data processing on our social media sites is providing you with interesting content and to interact with you on social media platforms. Depending on the social media service usage data may also be analyzed to improve our social media presence.
(ii) The data processed are content and usage data on such social media pages.
(iii) Information and data displayed or shared on Ableton social media sites may be accessible to the applicable provider of the social media platform, its users and Ableton (or engaged service providers).
(iv) Further details on data processing on the respective social media sites can be found on the respective social media pages and this Privacy Policy.
Facebook:
We and Facebook (for users in the EU/EEA: Facebook Ireland Ltd. (Facebook), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are joint controllers of the processing of personal data via the Ableton Facebook page. The agreement on joint controllership is available under: https://www.facebook.com/legal/terms/page_controller_addendum. According to the agreement, Facebook is responsible to inform data subjects about the processing activities. Facebook’s Privacy Policy is available under: https://www.facebook.com/privacy/explanation. Data subjects may exercise their rights in respect of and against each of the controllers, Ableton and/or Facebook. For more information on the data Facebook shares with Ableton please visit https://www.facebook.com/business/learn/facebook-page-insights-basics. The legal basis for the processing of data by Ableton is the legitimate interest in the analysis of usage data in order to improve the Facebook Page (Article 6 para. (1) (f) GDPR).
Instagram:
We and Instagram (for users in the EU/EEA provided by Facebook Ireland Ltd. (Facebook), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are joint controllers of the processing of personal data via the Ableton Instagram page. The agreement on joint controllership is available under: https://www.facebook.com/legal/terms/page_controller_addendum. According to the agreement, Instagram (provided by Facebook) is responsible to inform data subjects about the processing activities. Instagram’s Privacy Policy is available under: https://help.instagram.com/519522125107875. Data subjects may exercise their rights in respect of and against each of the controllers, Ableton and/or Instagram (provided by Facebook). For more information on the data Instagram shares with Ableton please visit https://facebook.com/help/instagram/788388387972460?helpref=related. The legal basis for the processing of data by Ableton is the legitimate interest in the analysis of usage data in order to improve the Instagram Page (Article 6 para. (1) (f) GDPR).
YouTube:
We operate a social media page on the Youtube platform. The collection and processing of this data is the sole responsibility of Google (for EU/EEA Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider). We have no knowledge of further details of the processing of personal data in the area of data controllership of Google or a possible data processing in the USA. Ableton has no influence on the data processing of Google. For information about the processing of personal data by Google, please refer to the Google Privacy Policy: https://policies.google.com/privacy. As applicable, the legal basis for the processing of data by Ableton is the legitimate interest in the analysis of usage data in order to improve the Youtube Page (Article 6 para. (1) (f) GDPR).
Twitter:
We operate a social media page on Twitter (by Twitter, Inc., 1355 Market Street, Suite 900
San Francisco, CA 94103, USA). For users in the EU/EEA the controller to controller data protection addendum between Twitter and Ableton applies: https://gdpr.twitter.com/en/controller-to-controller-transfers.html. According to the agreement the collection and processing of this data is the sole responsibility of Twitter. Twitter’s Privacy Policy is available under: https://twitter.com/en/privacy. As applicable, the legal basis for the processing of data by Ableton is the legitimate interest in the analysis of usage data in order to improve the Twitter Page (Article 6 para. (1) (f) GDPR).
LinkedIn:
We and LinkedIn (for users in the EU/EEA: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland) are joint controllers of the processing of personal data via the Ableton LinkedIn page. The agreement on joint controllership is available under: https://legal.linkedin.com/pages-joint-controller-addendum. According to the agreement, LinkedIn is responsible to inform data subjects about the processing activities. LinkedIn’s Privacy Policy is available under: https://www.linkedin.com/legal/privacy-policy. Data subjects may exercise their rights in respect of and against each of the controllers, Ableton and/or LinkedIn. For more information on the data LinkedIn shares with Ableton please visit https://www.linkedin.com/help/linkedin/answer/4499/viewing-company-page-analytics?lang=en. The legal basis for the processing of data by Ableton is the legitimate interest in the analysis of usage data in order to improve the LinkedIn Page (Article 6 para. (1) (f) GDPR).
10. Communication Partners, Artists, Certified Trainers, Community Members, other Externals
(i) The purpose of the processing is the preparation and execution of a contractual relationship or other communication, improving our services and quality management for building communities and other relationships.
(ii) The data processed are: contact data (name, contact details), communication details, usage data (such as: technical metadata of the communication, usage data of Ableton products), other interaction data
(iii) The legal basis for processing the data is a starting or existing contractual relationship (Article 6 para. (1) (b) GDPR, for contracts with legal persons Article 6 para. (1) (f) GDPR with legitimate interest, namely communication with contact persons relevant to the contract). We may also process your data based on statutory obligations, such as tax and commercial law (Article 6 (1) (c) GDPR) and legitimate interests, including the documentation of the communication, improving Ableton products, relationship building and services as well as quality management (Article 6 para. (1) (f) GDPR).
(iv) You provide data by yourself when you communicate with us. Further data is transmitted automatically by your browser or collected from publicly available resources.
(v) Contact and contract data can be transmitted to other service providers, business partners as well as offices and authorities if necessary for the execution of the contract or request. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems. In particular, this includes the CRM (= customer relation management) service by salesforce.com GmbH. We have concluded the EU standard contractual clauses with salesforce.com and salesforce.com may only process your data for our purposes. In addition, salesforce.com has established Binding Corporate Rules.
(vi) Data of contract partners and service providers will be deleted ten calendar years after termination of the contract.
(vii) The processing of contact data on part of the service providers and business partners is necessary to execute the contract. If the data is not provided, the communication may be considerably disturbed.
11. Development Partners
(i) The purpose of the processing is the preparation and execution of a contractual relationship, other communication or improving Ableton products.
(ii) The data processed are: contact data (name, contact details, GitHub name, organization, Ableton Account information), data about development activities, license contract data, usage data (such as: usage data of Ableton products).
(iii) The legal basis for processing the data is a starting or existing contractual relationship (Article 6 para. (1) (b) GDPR, for contracts with legal persons Article 6 para. (1) (f) GDPR with legitimate interest, namely communication with contact persons relevant to the contract). We may also process your data based on statutory obligations, such as tax and commercial law (Article 6 (1) (c) GDPR) and legitimate interests, including the verification of your contact data, documentation of the communication and improving Ableton products (Article 6 para. (1) (f) GDPR).
(iv) You provide data yourself. Further data is transmitted automatically by your browser.
(v) Contact and contract data can be transmitted to other service providers, business partners as well as offices and authorities if necessary for the execution of the contract. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems. In particular, this includes the CRM (= customer relation management) service by salesforce.com GmbH. We have concluded the EU standard contractual clauses with salesforce.com and salesforce.com may only process your data for our purposes. In addition, salesforce.com has established Binding Corporate Rules. Some of our service providers (like Github) offer the possibility to register directly to their platform. If you enter into such a direct contractual relationship with one of our service providers the service provider is the independent controller for all data processing under such contract. More information regarding the data processing within the independent controllership of Github may be found here: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
(vi) Data of contract partners and service providers will be deleted ten calendar years after termination of the contract.
(vii) The processing of contact data on part of the service providers and business partners is necessary to execute the contract. If the data is not provided, the communication may be considerably disturbed.
12. Rights of Data Subjects and Further Information
(i) We do not use any methods of automated individual decision-making.
(ii) You have the right to request information at any time about all your personal data which we are processing.
(iii) If your personal data is incorrect or incomplete, you have the right to have it rectified and completed.
(iv) You can request the erasure of your personal data at any time, as long as we are not bound by legal obligations that require or allow us to continue processing your data.
(v) If the applicable legal requirements are met, you can request a restriction to the processing of your personal data.
(vi) You have the right to object to the processing, insofar as the data processing is based on profiling or direct marketing purposes.
(vii) If the processing is carried out on the basis of the balancing of interests, you may object to the processing by stating reasons arising from your particular situation.
(viii) If the data processing takes place on the basis of your consent or a contract, you have the right to a transfer of the data provided by you, insofar as the rights and freedoms of others are thereby not impaired.
(ix) If we process your data on the basis of a declaration of consent, you have the right to withdraw your consent at any time with future effect. The processing carried out prior to a withdrawal remains unaffected by such withdrawal.
(x) Moreover, you have the right to file a complaint at any time with a data protection supervisory authority, if you believe that data processing has been carried out in violation of the applicable law.
13. Information for Non-EU and US Residents
Ableton generally falls within the scope of the GDPR, which is why we have aligned the drafting of the entire Privacy Policy with the provisions of the GDPR. However, other local privacy law may be additionally applicable in individual cases, if you are a non-EU/EEA resident and visit the Ableton websites or online presences, interact with Ableton products, services or communities. We will provide you with additional information on such local laws via separate information where required.
Information regarding the processing of personal data from children under 13 years (under Children’s Online Privacy Protection Act, COPPA)
Ableton does not knowingly collect or use personal data from children under 13 years without containing verifiable consent from their parents. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this privacy policy by instructing their children never to provide personal data without their permission.