Data protection information about our SaaS solution

 

I. General

1. Person responsible

We, d.velop business services GmbH, take the protection of your personal data and the legal obligations serving this protection very seriously. The legal requirements demand comprehensive transparency regarding the processing of personal data. Only if you are sufficiently informed about the meaning, purpose and scope of the processing, the processing is comprehensible for you as a data subject. Our data protection declaration therefore explains in detail which personal data is processed by us when using the SaaS solution ("platform", "system", "foxdox" or other designations could be the following: "d.velop postbox", "d.velop file sharing", "d.velop documents light").

 

The responsible party within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other data protection regulations is the

 

d.velop business services GmbH

Schildarpstraße 6-8, 48712 Gescher

+49 (0) 2542 9307-0

info@d-velop.de

www.d-velop.de

 

hereinafter referred to as the "responsible party" or "we".

 

The Data Protection Officer can be contacted at

Nicolas Kötter

c/o intersoft consulting services AG, Beim Strohhause 17, 20097 Hamburg

datenschutz@d-velop.de

 

reachable.

 

Please note that we are not responsible for the data processing of the app stores (iTunes Store® or Google Play®) where you can download our app. Please inform yourself about this in the respective data protection statements of the operators of the app stores.

 

Please note that links in our SaaS solution may take you to other websites that are not operated by us but by third parties. Such links are either clearly marked by us or are recognisable by a change in the address line of your browser. We are not responsible for compliance with data protection regulations and secure handling of your personal data on these websites operated by third parties.

 

2. Definitions

2.1 From the GDPR

This data protection declaration uses the terms of the legal text of the GDPR. You can view the definitions (Art. 4 GDPR), for example, at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679.

 

2.2 Cookie

Cookies are text files that are stored on or read from your end device by a SaaS solution or website. They contain letter and number combinations, e.g. to recognise the user and his or her settings when reconnecting to the cookie-setting SaaS solution or website, to enable the user to remain logged in to a customer account or to analyse specific usage behaviour.

 

2.3 Data categories

When we specify the categories of data processed in this privacy policy, we mean in particular the following data: master data (e.g. names, addresses, dates of birth), contact data (e.g. email addresses, telephone numbers, messenger services), content data (e.g. text entries, photographs, videos, content of documents/files), contract data (e.g. subject matter of contract, terms, customer category), payment data (e.g. bank details, payment history, use of other payment service providers), usage data (e.g. history on our SaaS solution, use of certain content, access times), as well as connection data (e.g. data on the use of other payment service providers).(e.g. bank details, payment history, use of other payment service providers), usage data (e.g. history on our SaaS solution, use of certain content, access times), as well as connection data (e.g. device information, IP addresses, URL referrers); diagnostic data (e.g. crash logs, performance data of the website/app, other technical data for the analysis of faults and errors).

 

3. Information on data processing

We process personal data only to the extent permitted by law. Personal data is only passed on in the cases described below. Personal data is protected by appropriate technical and organisational measures (e.g. pseudonymisation, encryption).

 

Unless we are required by law to store or disclose personal data to third parties (in particular law enforcement agencies), the decision as to which personal data we process and for how long, and the extent to which we disclose it, depends on which functions of the SaaS solution you use in each individual case.

 

4. Storage period

The personal data will be deleted as soon as the purpose of the processing no longer applies or a prescribed storage period expires, unless there is a necessity for the continued storage of the personal data for the conclusion or fulfilment of a contract. If we use cookies that are not strictly necessary to provide the service you have requested, we will inform you about the functional duration of these cookies at the end of this privacy policy.

 

5. Automated decisions in individual cases including profiling

Automated decisions in individual cases including profiling to bring about such a decision pursuant to Art. 22 (1), (4) GDPR do not take place.

 

6. Rights of data subjects

As a data subject, you have the right to information pursuant to Article 15 of the Data Protection Regulation, the right to rectification pursuant to Article 16 of the Data Protection Regulation, the right to erasure pursuant to Article 17 of the Data Protection Regulation, the right to restriction of processing pursuant to Article 18 of the Data Protection Regulation and the right to data portability pursuant to Article 20 of the Data Protection Regulation. The restrictions from §§ 34, 35 BDSG apply to the right to information and the right to deletion. You have the right to complain to a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). The data protection supervisory authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf. However, you are free to complain to another data protection supervisory authority.

 

7. Notification obligations of the responsible person

We will notify all recipients to whom your personal data has been disclosed of any rectification or erasure of their personal data or restriction of processing in accordance with Articles 16, 17(1) and 18 of the GDPR, unless such notification is impossible or involves a disproportionate effort. We will inform you of the recipients if you request this.

 

8. Obligation to provide

Unless otherwise explained below under II. or III. in the information on the legal basis, you are not obliged to provide personal data. However, in the cases of Art. 6 para. 1 letter b GDPR, the personal data is necessary for the performance of a contract or for the conclusion of a contract. If you do not provide the personal data concerned, the performance or conclusion of the contract is not possible. If you do not provide the data in the cases of Art. 6 para. 1 lit. a, f GDPR, the use of the affected parts of our SaaS solution is not possible.

 

In order to make use of the services explained here on your end device (notebook, smartphone, tablet), access rights to the following interfaces, device functions and device data of your end device may also be required: system functions (e.g. camera or microphone), stored content (e.g. documents or photos). You are not obliged to grant the authorisations explained. However, use of the services and functions is then not possible or only possible to a limited extent.

 

9 Right of objection and revocation of consent

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(f) GDPR. If personal data are processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing.

 

In accordance with Art. 7 (3) sentence 4 GDPR, you also have the right to revoke consent given to us at any time with effect for the future. The lawfulness of the processing carried out until such a revocation is not affected by this. The revocation is possible informally by post or e-mail. If you object, we will no longer process your personal data unless another (legal) basis permits this. However, if a revocation is made and there is no other permissible basis, the personal data must be deleted immediately in accordance with Art. 17 (2) b GDPR.

 

Objection and revocation can be made form-free and should be addressed to:

 

d.velop business services GmbH

Schildarpstraße 6-8, 48712 Gescher

+49 (0) 2542 9307-0

info@d-velop.de

 

You can also revoke certain consent(s) in the settings of the app or your end device by deactivating the corresponding functions (see examples under Functions under II.).

 

II. Data processing in connection with the use of the SaaS solution

The use of the SaaS solution and its functions regularly requires the processing of certain personal data. In the following, we explain how we process data and how we handle your personal data.

 

 

Operation of the SaaS solution

Purpose of the processing: Provision of functionality and optimisation of our service; ensuring the security of our information technology systems. This is also our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. User account

Legal basis: Art. 6 para. 1 lit. b, f GDPR

Data categories: Contact data, master data, content data, usage data, connection data, diagnostic data

Recipients of the data: IT service provider, affiliated companies of the d.velop Group

Intended third country transfer: None

Do we store or read out personal data on your end device based on your consent? No

 

Registration (user account)

Purpose of the processing: creation of a user account for the use of foxdox.

Legal basis: Art. 6 para. 1 letter b GDPR

Data categories: Master data, contact data, content data if applicable

Recipient of the data: None

Intended third country transfer: affiliated companies of the d.velop Group

Do we store or read out personal data on your end device based on your consent? No

 

Matomo

Purpose of the processing: Statistical evaluation, optimisation and needs-based design of our SaaS solution "foxdox".

Legal basis: Art. 6 para. 1 letter a GDPR

Data categories: Usage data, connection data

Recipients of the data: IT service provider, affiliated companies of the d.velop Group

Intended third country transfer: None

Do we store or read out personal data on your end device based on your consent? Yes, see overview at the end of this privacy policy.

 

Contact us (e-mail, telephone, contact form)

Purpose of processing: To respond to your enquiry via contact form on our SaaS solution, your email or your callback request.

Legal basis: Art. 6 para. 1 letter f GDPR; Art. 6 para. 1 letter b GDPR (if your request concerns a conclusion of a contract or an existing contract);

Data categories: Master data, contact data, content data, if applicable usage data, connection data, if applicable contract data

Recipients of the data: affiliated companies of the d.velop Group, Mailgun Technologies Inc., 112 E Pecan St Ste 1135, San Antonio, TX, 78205-1509

Intended third country transfer: None

Do we store information on your end device based on your consent or read out such information? No

 

Payment (Payment Provider)

Purpose of the processing: Payment processing when using fee-based services of our SaaS solution.

Legal basis: Art. 6 para. 1 letter b GDPR.

Data categories: Master data, contact data, contract data, payment data.

Recipients of the data: PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, affiliated companies of the d.velop Group, IT service provider

Intended third country transfer: None

Do we store or read out personal data on your end device based on your consent? No

 

Feedback forum

Purpose of the processing: Implementation of a feedback forum and comment function, direct exchange with you, possibility to comment on services provided by us, ensuring the security of our information technology systems.

Legal basis: Art. 6 para. 1 letter f GDPR

Data categories: Master data (if you comment), contact data (if you comment), content data (if you comment), usage data, connection data

Recipients of the data: affiliated companies of the d.velop Group, IT service providers

Intended third country transfer: None

Do we store or read out personal data on your end device based on your consent? No

 

E-mail newsletter

Purpose of the processing: Administration of our distribution list and sending of our newsletter requested by you, personalisation of our newsletter based on your usage behaviour as well as proof of your consent to the sending of the newsletter.

Legal basis: Art. 6 para. 1 letter a GDPR

Data categories: Contact data, master data, usage data, connection data

Recipients of the data: affiliated companies of the d.velop Group, Mailgun Technologies Inc., 112 E Pecan St Ste 1135, San Antonio, TX, 78205-1509

Intended third country transfer: None

Do we store information on your end device based on your consent or read out such information? No

 

Notifications from the platform via e-mail

Purpose of the processing: sending of contract-relevant notifications by the platform.

Legal basis: Art. 6 para. 1 letter b GDPR

Data categories: Contact data, master data, usage data, connection data

Recipients of the data: affiliated companies of the d.velop Group, Mailgun Technologies Inc., 112 E Pecan St Ste 1135, San Antonio, TX, 78205-1509

Intended third country transfer: None

Do we store information on your end device based on your consent or read out such information? No

 

Crashlytics

Purpose of the processing: Maintaining the functionality of the platform as well as our other information technology systems.

Legal basis: Art. 6 para. 1 letter a GDPR

Data categories: Usage data, connection data.

Recipients of the data: affiliated companies of the d.velop Group, Google Ireland Ltd, Gordon House, Barrow Street Dublin 4 Ireland

Intended third country transfer: Yes (in accordance with EU standard contractual clauses/SCC).

Do we store information on your end device based on your consent or read out such information? No

 

IV. Information on the cookies used

In the following, we inform you about the names and function duration of the cookies used by the above-mentioned plugins and services - in case of their consent - according to the scheme [name of the service]: [name of the cookie] ([function duration]).

Access to a cookie is generally only possible from the internet address from which the cookie is set. This means that we do not have access to the cookies of the providers used (above). They also have no access to our cookies. Third parties have access neither to our cookies nor to those of the providers used. Access by third parties can only be gained through technical attacks, which we cannot control and for which we are not responsible.

 

Matomo: piwik_auth (until the browser session is closed), PIWIK_SESSID (until the browser session is closed).