Data Protection Notice

Updated: February 2023

1. Who is responsible for data processing and who do you contact if you have any questions?

The controller responsible for data processing is:

ALMEFY GmbH
Feringastrasse 6
85774 Munich
Germany

(hereinafter referred to as “Almefy”, “we” and “us”)

If you have any questions regarding data protection, please contact: [•][1] at any time.

The protection of the data of our customers is a cornerstone of our business. We are therefore committed to data protection and transparency. We attach great importance to compliance with all legal regulations and exclusively process your personal data as prescribed in the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and all other relevant laws. All data is securely stored and limited to the data points necessary for the provision of the service. You are our focus and that is why we give you full control over your data.

This Data Protection Notice describes how we collect, store, process, pass on and transmit your personal data when you are a customer of ours or are interested in the services we offer, as well as when you are our supplier or business partner. In addition, this Data Protection Notice describes data processing in connection with the use of the almefy.com website and Almefy App operated by us.

2. Which data do we process?

Administration/handling of customer relationships

  • Description. As part of our business relationship with you, your employer or your company, your data will be processed for various detailed processes for the purpose of administration and handling customer relationships.
  • Data categories. Customer number, first name, last name, date of birth, gender, email address, company address, (mobile) telephone number, enterprise logo, sales tax ID, account data, assigned company, position within the company, related orders, information on payments made or not made, customer care data that relates to you (such as telephone calls made with you, your employer or your company [summarised in writing, no records or recordings], internal communication on the customer relationship, incoming and outgoing documents/communication), (digital) signature and correspondence in this context.
  • Purpose. Administration and processing of the customer relationship; maintaining contacts; appointment management; invoicing; accounting; sending information about our new offers; citing as reference customer.
  • Legal basis. Fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR; fulfilment of legal obligations according to Article 6(1) lit. c GDPR; legitimate interest according to Article 6(1) lit. f GDPR: Sending information about our own offers; consent according to Art 6(1) lit. a GDPR: Citing as reference customer.
  • Storage duration. Citing as reference customer: until revocation of your consent; otherwise: At least for the duration of the business relationship and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


Administration of customer accounts on the website

  • Description. If you create a customer account on our website, we process the information that we receive from you in this context.
  • Data categories. First name, last name, display name, email address, password, standard currency, invoice address and delivery address (first name, last name, country/region, postal address, telephone number, email address), related orders, subscription data (name/ID of the subscription, start date, end date, last order date, next payment date, information about payments made, subscription amounts, related orders, invoice address).
  • Purpose. Administration of the customer account.
  • Legal basis. Fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR.
  • Storage duration. At least for the duration of the business relationship and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


Usage behaviour of corporate customers

  • Description. We process your usage behaviour to improve product security and performance, to check compliance with the licence conditions and (in this case only on the basis of your consent) for advertising purposes.
  • Data categories. Usage behaviour of the services ordered.
  • Purpose. Improvement of product safety and performance, verification of compliance with the terms of the licence, promotional purposes.
  • Legal basis. Fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR: Verification of compliance with the terms of the licence; legitimate interest according to Article 6(1) lit. f GDPR: Improvement of product safety and performance; consent according to Art 6(1) lit. a GDPR: Advertising purposes.
  • Storage duration. Advertising purposes: until revocation of your consent; checking compliance with the terms of the licence, improvement of product safety and performance: At least for the duration of the business relationship and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


Almefy API

  • Description. The Almefy API provides the core authentication functionality to our customers. To ensure security and monitor fraud activity, we process data linked with the user’s session.
  • Data categories. IP, date and time, request data (user agent), functional session cookie, audit log of enrolments and authentications based on the third-party identifier.
  • Purpose. Safeguarding security, monitoring and preventing fraudulent behaviour.
  • Legal basis. Legitimate interest according to Article 6(1) lit. f GDPR; improvement of product safety and fraud prevention.
  • Storage duration. […]


Use of the Almefy App

  • Description. The Almefy App (“App”) enables users to log into websites that offer Almefy login without entering a password. With the App, users always have an overview of their current logins and manage their accounts within the App.
  • Data categories. Email address, assigned username and ID, device name(s) and model, connected accounts (including the date of the last login), identity-based-encryption secrets, phone number (for security purposes).
  • Purpose. Operation and execution of the App.
  • Legal basis. Fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR.
  • Storage duration. At least as long as the App is installed on the user’s end devices and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


App Performance Tracking

  • Description. Almefy collects metrics about interactions within the App.
  • Data categories. Metadata (date and time, URL, device, OS Version), type of connection (WLAN or mobile data), time from scanning to opening and vice versa, active app theme, app-interaction (clicks and accesses, including external links available in the app, sortings, searches, filters, favourites, opened tabs, scanned codes), changes (e.g., nickname, PIN), errors, app permission set, account details, deletion of account.
  • Purpose. Improving the user experience and further development of the App.
  • Legal basis. Consent according to Art 6(1) lit. a GDPR.
  • Storage duration. Until revocation of your consent; otherwise: at least as long as the App is installed on the user’s end devices and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


Inquiries via the contact form

  • Description. You can use the contact form to contact us and send us inquiries.
  • Data categories. Name, email address, subject and content of the request, further correspondence in this context.
  • Purpose. Processing and answering your inquiries.
  • Legal basis. Fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR; legitimate interest according to Article 6(1) lit. f GDPR: Processing and answering inquiries from data subjects who do not have an existing contractual relationship with us.
  • Storage duration. At least for the duration of the business relationship and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any pending legal dispute.


Supplier and business partner management

  • Description. In the course of our business relationship with you or your employer, we process your data to initiate, maintain and process our contracts for goods and services with you or your employer.
  • Data categories. Name, gender, contact details (telephone number, email address, other electronic contact details), current company and position(s), further correspondence in this context. If you are a sole proprietor, also: company or other business name, sales tax ID, commercial register number, bank and transfer data, invoicing, payment and booking data, data on creditworthiness/solvency, dunning data, data on the opening of insolvency, commercial register data.
  • Purpose. Initiation, maintenance and processing of our contracts for goods and services with suppliers and business partners.
  • Legal basis. If you are a sole proprietor: fulfilment of contractual obligations or implementation of corresponding pre-contractual measures pursuant to Article 6(1) lit. b GDPR. If you are not a sole proprietor and we maintain the appropriate business relationship with your employer: legitimate interest according to Article 6(1) lit. f GDPR: Initiation, maintenance and processing of our contracts for goods and services with suppliers and business partners.
  • Storage duration. At least for the duration of the business relationship and beyond that in accordance with the statutory retention and documentation obligations; beyond this, until the end of any legal dispute.


Website

  • Description. We process certain categories of personal data automatically to provide access to our website.
  • Data categories. Connection data (including IP address, information on the website from which the request came, information on the browser used, operating system used, referrer URL, your Internet service provider, date/time) to establish an Internet connection between (i) your device and (ii) our website or the external content that we may have integrated into our website.
  • Purpose. Enabling our website to be technically viewed on the user’s device and ensuring the stability and security of our website; traceability of technical or other problems with the use and operation of the website from the server log files.
  • Legal basis. Legitimate interest pursuant to Article 6(1) lit. f GDPR: Enabling our website to be technically viewed on the user’s device and ensuring the stability and security of our website; traceability of technical or other problems with the use and operation of the website from the server log files.
  • Storage duration. This data is only processed for the duration of the connection for the transmission of data packages that are technically necessary for the display of our website on your device and is not stored permanently (apart from certain connection data in the server log files which is stored until the server is restarted).


3. Who is data transmitted to?

The data relevant in each individual case is transmitted to the following bodies on the basis of the statutory provisions or contractual arrangements:

  • service providers (IT service providers, agencies, etc.);
  • lawyers, tax consultants, auditors, other consultants;
  • participating contractual and business partners or companies within the Group;
  • authorities and credit agencies in connection with the prevention of money laundering and terrorist financing;
  • banks, payment service providers, debt collection service providers;
  • public authorities and courts.

Some of the recipients named above are located outside the European Union or the European Economic Area or process your personal data there (e.g. Amazon Web Services, Google or Apple Inc.). The level of data protection in other countries may not correspond to that within the European Union or the European Economic Area. However, we only transfer your personal data to countries where either the EU Commission has decided that they have an adequate level of data protection, or we take measures to ensure that the recipients have an adequate level of data protection. To this end, for example, we conclude Standard Contractual Clauses issued by the EU Commission. Beyond that, we only process your personal data in third countries if you have given your explicit consent in accordance with Article 49(1) lit. a GDPR.

4. Cookies

We use so-called cookies in order to make our website and App user-friendly and to enable the use of certain functions. These are small text files that are stored on your device. Some of the cookies we use are erased after the end of the browser or App session, i.e. after you close your browser or App (so-called session cookies). Other cookies remain stored on your device until you erase them. These enable us for example to recognise your browser the next time you visit our website (persistent cookies).

Different types of cookies exist, for example, so-called essential cookies and other cookies. Essential cookies are required to ensure basic functions of the website and App. For example, when using a cookie consent management system (“cookie banner”), a cookie is required that permanently saves the user’s decision (whether or which cookies are accepted) so that the query does not appear again every time the website or App is accessed.

We only process non-essential cookies with your consent. Using the “cookie banner” that appears the first time you visit the website and App, you can decide which cookies you want to allow and which you do not. You have the right and the option to withdraw your consent to the use of such cookies at any time; for example, by managing, deactivating or erasing the relevant cookies in your browser and App.

Specifically, we process the following non-essential cookies (provided you have given your explicit consent in accordance with Article 49(1) lit. a GDPR):

Website: Google Analytics

We use Google Analytics on our website, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses cookies. The information generated by the cookie about the use of the online offering by the user is usually transmitted to a Google server in the US and stored there.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of the user is truncated by Google within the member states of the European Union or in other contracting states to the Agreement on the European Economic Area. The full IP address will only be sent to a Google server in the US and truncated there in exceptional circumstances. The IP address transmitted by the user’s browser will not be merged with other Google data.

Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities carried out within this online offering, and to provide us with other services related to the use of this online offering and the Internet. In doing so, pseudonymous user profiles can be created from the processed data.

Google Analytics uses the following cookies: _ga (storage period 2 years), _gid (storage period 24 hours), _gat (storage period 24 hours)


Google Analytics, among others, is used as a marketing cookie and performance cookie. It cannot be ruled out that Google Ireland as our contractual partner may transfer personal data to the USA (in particular there to Google LLC). In the USA, there is no level of data protection equivalent to the European Union in substance and there is no adequacy decision by the European Commission. This may result in risks for you because you cannot effectively enforce your rights as a data subject in the USA, there are no data protection principles in the USA, and because it cannot be ruled out that, due to current laws, US security authorities may gain access to data, whereby interference with your personal rights and freedoms is not limited to what is absolutely necessary. Should you also allow the setting of cookies for Google Analytics, you thereby also consent to the transfer of the personal data contained in the corresponding cookies in accordance with Art 49 (1) lit a) GDPR.

You are free to give, refuse or withdraw your consent at any time.

App: Google Firebase

Website and / or App: Google Fonts

 

5. Your rights

Taking into account the legal requirements, you may have the following rights:

  • Right to information. You can request confirmation as to whether and to what extent data about you is being processed.
  • Right to rectification. If we process incomplete or incorrect data received from you, you can request that it be corrected or completed at any time.
  • Right to erasure. You can request the erasure of your data if the purpose for which it was collected no longer applies, if unlawful processing has taken place, if you object to data processing because it interferes in an inadmissible and disproportionate manner with your legitimate protection interests, or if the data processing is based on your consent and you have revoked such. It should be noted here that there may be other reasons that may prevent your data from being immediately erased, e.g. statutory retention requirements, pending proceedings, the assertion, exercise or defence of legal claims, etc.
  • Right to restriction of processing. You have the right to request the restriction of processing of your data if:
    • you dispute the accuracy of your data for a period of time that enables us to verify the accuracy of the data;
    • the processing of your data is unlawful, but you refuse to have it erased and instead request a restriction of its use;
    • we no longer require the data for the intended purpose, but you still require this data for the assertion, exercise or defence of legal claims; or
    • you have lodged an objection to the processing of the data until it has been determined whether our legitimate grounds outweigh yours.
  • Right to data portability. You can ask us to provide you with the data you have provided us with in a structured, common and machine-readable format or to transmit this data to another controller without hindrance from us, provided that we process the data on the basis of your consent or to fulfil a contract between us and the processing is carried out using automated procedures.
  • Right to object. If we process your data to carry out tasks that are in the public interest, in the exercise of official authority, or if we invoke the need to safeguard our legitimate interest during processing, you can object to this data processing provided that an overriding interest in protecting your data exists.

To exercise these rights, please use the contact details stated above in section 1.

Rights in the context of consent granted to us. You can withdraw declarations of consent granted to us at any time without stating reasons, whereby you can withdraw each individual declaration of consent independently of other declarations of consent granted to us.

We expressly point out that a withdrawal has no direct or indirect negative consequences for your contractual relationship with us. The only consequence of a withdrawal of consent is that, from that point in time, we will no longer process your data for the purposes stated in the respective declaration of consent and any rights and/or advantages (if any) associated with the processing of the specific data can no longer be claimed.

To withdraw your consent, please use the contact details stated above in section 1.

Right to lodge a complaint. If you believe that the processing of your data violates data protection law or that your data protection claims have been violated in any other way, please contact us directly (for contact details, see Section 1 above). Of course, you can also lodge a complaint with the responsible data protection authority (for further information, see: <lda.bayern.de>).

***