Privacy Notice for Our SaaS & App Solution

 

I. General information

1. Controller

We, d.velop AG, take your privacy and our legal obligations to protect your personal data very seriously. Legal regulations require us to be completely transparent in how we process your personal data. In order for you, as the data subject, to understand how we process your data, you need to be sufficiently informed about the necessity, purpose and scope of the processing. Our privacy statement therefore explains in detail which personal data we process when you use the SaaS solution (terms such as “platform,” “system,” “foxdox” or other names may refer to the following: “d.velop postbox,” “d.velop file sharing” or “d.velop documents light”).

 

The “controller” within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other data protection regulations is

 

d.velop AG

Schildarpstrasse 6-8, 48712 Gescher, Germany

+49 (0) 2542 9307-0

info@d-velop.de

www.d-velop.de

 

hereinafter referred to as “we,” “us” or the “controller.”

 

You can contact the data protection officer at:

Nils Möllers

Keyed GmbH, Siemensstrasse 12, 48341 Altenberge, Germany

datenschutz@d-velop.de

 

 

 

Please note that we are not responsible for any data processing by the app stores (iTunes Store® or Google Play®) where you download our app. Please refer to the privacy statements from the operators of these app stores. 

 

Please note that links in our SaaS solution may take you to websites that are not operated by us, but rather by third parties. Such links are either clearly marked by us or can be identified by a change in the address line of your browser. We are not responsible for compliance with data protection regulations or the safe handling of your personal data on these third-party websites.

 

2. Definitions

2.1 From the GDPR

This privacy statement uses the terms defined in the legal text of the GDPR. These definitions (Art. 4 GDPR) can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679.

 

2.2 Cookies

Cookies are text files that are stored or read by a SaaS solution or a website on your end device. They contain combinations of letters and numbers and are used to recognize the user and their settings when they reconnect to the website or SaaS solution that set the cookie, to enable the user to remain logged in to a customer account, or to analyze specific user behavior.

 

2.3 Categories of data

When we specify in this privacy statement which categories of data we process, we are referring in particular to the following data: Master data (e.g. names, addresses, dates of birth), contact details (e.g. e-mail addresses, telephone numbers, messenger services), content data (e.g. text entries, photographs, videos, contents of documents/files), contract data (e.g. subject of the agreement, terms, customer category), payment data (e.g. bank details, payment history, use of other payment service providers), usage data (e.g. history on our SaaS solution, use of certain content, access times), connection data (e.g. device information, IP addresses, URL referrer) and diagnostic data (e.g. crash logs, performance data for the website/app, other technical data for analyzing malfunctions and errors).

 

3. Information about data processing

We process personal data only to the extent permitted by law. Personal data will be passed on to third parties only in the cases described below. Personal data is protected by appropriate technical and organizational measures (e.g. pseudonymization, encryption).

 

Unless we are legally obliged to store or pass on personal data to third parties (in particular law enforcement agencies), the decision as to which personal data we process, how long we process it for and the extent to which we disclose it to others depends on which functions of the SaaS solution you use in each individual case.

 

4. Duration of storage

Personal data shall be deleted as soon as the purpose for which it was processed no longer exists or a prescribed retention period expires, unless we need to continue storing the personal data in order to conclude or fulfill a contract. If we use cookies that are not absolutely necessary to provide the service you requested, we inform you about the expiration dates of these cookies at the end of this privacy statement.

 

5. Automated individual decision-making including profiling

We do not use automated individual decision-making including profiling to reach decisions pursuant to Art. 22 Para. 1, 4 GDPR.

 

6. Rights of the data subject

As the data subject, you have the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restrict processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. The restrictions from Sections 34, 35 BDSG apply to the right of access and the right to erasure. You have the right to lodge a complaint with a supervisory authority for data protection matters (Article 77 GDPR in conjunction with Section 19 BDSG). The supervisory authority to which we are subject is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestrasse 2-4, 40213 Düsseldorf, Germany. However, you are free to lodge a complaint with any supervisory authority for data protection matters of your choosing.

 

7. Notification obligations of the controller

We will notify all recipients to whom your personal data has been disclosed of any rectification or deletion of your personal data or any restriction of processing pursuant to Art. 16, Art. 17 Para. 1 and Art. 18 of the GDPR, unless such notification is impossible or involves disproportionate effort. Upon your request, we will inform you of who received this notification.

 

8. Obligation to provide information

Unless otherwise explained below in the legal bases under II or III, you are not obliged to provide personal data. However, in the cases described in Art. 6 Para. 1 Lit. b) of the GDPR, the personal data is necessary for the performance or conclusion of a contract. If you do not provide this personal data, it is not possible to fulfill or conclude the contract. If you do not provide personal data in the cases described in Art. 6 Para. 1 Lit. a) and f) of the GDPR, it is not possible to use the parts of our SaaS solution in question.

 

To use the services described here on your device (notebook, smartphone, tablet), you may also be required to grant us access to the following interfaces, functions and data on your device: system functions (e.g. camera or microphone), stored content (e.g. documents or photos). You are not required to grant this access. However, if you do not, you may not be able to use the functions and services or your use may be restricted.

 

9. Right to object and revoke consent

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6 Para. 1 Lit. f) of the GDPR. Where personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing.

 

Pursuant to Art. 7 Para. 3 Clause 4 of the GDPR, you also have the right to revoke your consent to future processing at any time. Such a revocation does not affect the lawfulness of processing carried out before the revocation. You can revoke your consent by mail or e-mail without the need for a specific form. If you object, we will cease to process your personal data unless another (legal) basis permits the processing. If, however, you revoke your consent and there is no other basis that permits the processing, the personal data must be deleted immediately pursuant to Art. 17 Para. 2 Lit. b) of the GDPR.

 

No specific form is required to lodge an objection or revoke consent. Such communications should be addressed to:

 

d.velop AG

Schildarpstrasse 6-8, 48712 Gescher, Germany

+49 (0) 2542 9307-0

info@d-velop.de

 

You can also revoke certain consent(s) in the app’s settings or on your device by disabling the functions in question (see examples under the functions in Section II). 

 

II. Data processing in connection with use of the SaaS solution

Your use of the SaaS solution and its functions requires us to process certain personal data. This section explains how we process and handle your personal data.

 

 

Operating the SaaS solution

Purpose of processing: Optimizing and ensuring the proper functioning of our service, ensuring the security of our information technology systems. This also constitutes our legitimate interest pursuant to Art. 6, Para. 1, Lit. f) GDPR.

Legal basis: Art. 6, Para. 1, Lit. b) and f) GDPR

Categories of data: Contact details, master data, content data, usage data, connection data, diagnostic data

Recipient of the data: IT service providers, affiliated companies within the d.velop group

Intended transfer to third countries: None

Does providing your consent mean that we store or read personal information on your device? No

 

Registration (user account)

Purpose of processing: Creating a user account for you to use foxdox.

Legal basis: Art. 6, Para. 1, Lit. b) GDPR

Categories of data: Master data, contact details, content data (if applicable)

Recipient of the data: None

Intended transfer to third countries: affiliated companies within the d.velop group

Does providing your consent mean that we store or read personal information on your device? No

 

Matomo

Purpose of processing: Optimizing, designing and statistically evaluating our SaaS solution “foxdox.”

Legal basis: Art. 6, Para. 1, Lit. f) GDPR

Categories of data: Usage data, connection data

Recipient of the data: IT service providers, affiliated companies within the d.velop group

Intended transfer to third countries: None

Does providing your consent mean that we store or read personal information on your device? Yes, see the list at the end of this privacy statement.

 

Contacting us (e-mail, telephone, contact form)

Purpose of processing: Replying to your inquiry in the contact form in our SaaS solution, your e-mail or your callback request.

Legal basis: Art. 6 Para. 1 Lit. f) GDPR; Art. 6 Para. 1 Lit. b) GDPR (if your inquiry concerns the conclusion of a contract or an existing contract)

Categories of data: Master data, contact details, content data, usage data (if applicable), connection data, contract data (if applicable)

Recipients of the data: affiliated companies within the d.velop group, Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany

Intended transfer to third countries: None

Does providing your consent mean that we store or read information on your device? No

 

Payments (payment provider)

Purpose of processing: Processing payments for fee-based services in our SaaS solution.

Legal basis: Art. 6, Para. 1, Lit. b) GDPR

Categories of data: Master data, contact details, contract data, payment data

Recipient of the data: PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, Germany, affiliated companies within the d.velop group, IT service providers

Intended transfer to third countries: None

Does providing your consent mean that we store or read personal information on your device? No

 

 

E-mail newsletter

Purpose of processing: Managing our distribution list and sending the newsletter you requested, personalizing our newsletter based on your usage behavior and documenting your consent to receive the newsletter.

Legal basis: Art. 6, Para. 1, Lit. a) GDPR

Categories of data: Contact details, master data, usage data, connection data

Recipients of the data: affiliated companies within the d.velop group, Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany

Intended transfer to third countries: None

Does providing your consent mean that we store or read information on your device? No

 

E-mail notifications from the platform

Purpose of processing: Sending contract-related notifications from the platform. 

Legal basis: Art. 6, Para. 1, Lit. b) GDPR

Categories of data: Contact details, master data, usage data, connection data

Recipients of the data: affiliated companies within the d.velop group, Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany

Intended transfer to third countries: None

Does providing your consent mean that we store or read information on your device? No

 

Google Crashlytics and Firebase in the app

Purpose of processing: Keeping the platform and our other IT systems functioning properly

Legal basis: Art. 6, Para. 1, Lit. a) GDPR

Categories of data: Usage data, connection data

Recipients of the data: affiliated companies within the d.velop group, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Intended transfer to third countries: Yes (in accordance with EU standard contractual clauses/SCC)

Does providing your consent mean that we store or read information on your device? No

 

Transfer to third countries

The controller may transfer personal data to a third country. In principle, the controller may provide various safeguards to ensure that all processing is subject to an adequate level of protection. Data transfers may be initiated on the basis of an adequacy decision, internal data protection regulations, approved codes of conduct, standard data protection clauses or an approved certification mechanism pursuant to Art. 46, Para. 2, Lit. a) through f) GDPR.

 

If the controller intends to transfer data to a third country on the basis of Art. 49, Para. 1, Lit. a) GDPR, you will be notified at this point about the possible risks of transferring data to a third country.

 

There is a risk that the third country receiving your personal data may not provide a level of protection that is equivalent to the data protection required in the European Union. This may be the case, for example, if the EU Commission has not issued an adequacy decision for the third country in question or if certain agreements between the European Union and the third country are declared invalid. Specifically, surveillance laws in some third countries (for example, the USA) pose risks to certain EU fundamental rights. In such cases, it is the responsibility of the controller and the recipient to assess whether the rights of data subjects in this third country are protected to a level equivalent to that in the European Union and can also be effectively enforced.

 

Pursuant to the General Data Protection Regulation, the level of data protection enjoyed by individuals within the European Union shall not be undermined when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, including when personal data are further transferred from a third country or international organization to controllers or processors in the same or another third country, or to the same or another international organization.

 

 

IV. Information about the cookies we use

Below is a list of the names and expiration dates of the cookies used by the above-mentioned plugins and services, provided you consent to their use, in the following pattern: [name of the service]: [name of the cookie] ([expiration date]).

A cookie can only be accessed from the Internet address at which the cookie was set. This means that we have no access to the cookies used by the other providers (above). They also have no access to our cookies. Third parties have access neither to our cookies nor to those of the other providers. Third parties can only access these cookies by means of technical attacks, which we cannot control and for which we are not responsible.