Data privacy statement

Using the Octaved Flow system

Status: September 2023

Data protection notice on the processing of personal data as part of the subscription and use of the Octaved Flow system in accordance with Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR).

Preamble

In accordance with the provisions of Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR), we hereby inform you about the processing of your personal data and your rights under data protection law in this regard. Which data is processed in detail and how it is used depends largely on the services requested or agreed. To ensure that you are fully informed about the processing of your personal data as part of the fulfillment of the contract or the implementation of pre-contractual measures, please take note of the following information.

Responsible

Company: h.com networkers GmbH
Address: Schäferstraße 4, 40479 Düsseldorf, Germany
Commercial register number: HRB 59429
Register court: Düsseldorf Local Court
Managing Director: Dipl.-Math. Christian Haag
Phone: +49 (211) 233942-0
Email address: info@hcom.de

Data Protection Officer

Name: Guido Petermann
Address: Siemensstraße 34, 40227 Düsseldorf
Phone: +49 (211) 72139550
Email address: info@planitas.de
Website: www.planitas.de

General information on data processing

Scope of the processing of personal data

We process the personal data of our users in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Personal data is only processed to the extent necessary to provide our Octaved Flow system and the associated content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

Data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. The purpose of storage regularly ceases to apply when the subscription to use the Octaved Flow system is terminated, namely at the time the termination takes effect.
Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

Your rights

You can request confirmation from us as to whether personal data concerning you is being processed.
If this is the case, you can request the following information from us:
You have the right to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you as the data subject.
You have the right to obtain from the controller the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller must carry out the rectification without undue delay.
You have the right to request the restriction of the processing of your personal data if you contest the accuracy of the data, the processing is unlawful, you oppose the erasure of the data, we no longer need the data, but you require it for the establishment, exercise or defense of legal claims or you have objected to processing pursuant to Art. 21 GDPR.
You have the right to request the erasure of your personal data stored by us if it is no longer necessary for the purposes for which it was collected or otherwise processed or if you withdraw your consent to processing.
You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.
You have the right to object, on reasons relating to your particular situation, at any time to processing of personal data concerning you. This also applies to profiling based on these provisions. We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR.

Changes to the privacy policy

We reserve the right to update this privacy policy in compliance with the applicable data protection regulations in order to comply with legal requirements and in the event of enhancements to the Octaved Flow system, for example to provide new functions.
The latest version of the privacy policy is always available on the Octaved Flow website.
The various purposes of data processing are listed in the following sections.

Registration, user account and organization

Scope and purpose of data processing

On our website, we offer the option of registering for the Octaved Flow system by providing personal data. The data is entered into a form, transmitted to us and stored in a user account. In addition to the user account, a so-called organization is created. An organization is, for example, a company or a public institution. A user can belong to several organizations and log in to the organizations to which the user is assigned with the same access data, consisting of user name and password.
When a person registers for the Octaved Flow system via the website, a user account and an organization are created as part of the registration process. When a person is invited to join an organization by an existing user, the invited person creates a user account, if it does not already exist, which is then linked to the organization.
The registration of a user account is necessary for the performance of a contract with the user or for the performance of pre-contractual measures, as the system can only be used with such an account and the registration process must be carried out within the software itself.
The data is used for the one-time setup of the account, the assignment to an organization, the personalization of the system and for sending e-mails that are necessary for the fulfillment of the contract.

Categories of personal data

The data collected during registration includes name, e-mail address, a self-chosen password, IP address, time stamp and other voluntary information on the planned use of the system.

Legal basis for the processing of personal data

The legal basis for data processing is the necessity to fulfill the contract pursuant to Art. 6 para. 1 lit. b GDPR.

Recipient of the data

The user data is processed by Amazon AWS as the infrastructure service provider. The Octaved Flow system is operated by Amazon AWS, namely at the server location Frankfurt am Main, Germany.
Address:
Amazon Web Services, Inc.
410 Terry Avenue North
Seattle WA 98109
USA
Amazon AWS fulfills an adequate level of protection and we have concluded a contract with Amazon AWS in which Amazon AWS undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection.
The SES service from Amazon AWS is used to send emails. E-mails are sent, among other things, to confirm the e-mail address, to reset the password and to invite other users to Octaved Flow.

Duration of data storage

The storage of the data serves the fulfillment of the contract. After termination of the contract, the data will be deleted. The duration of data storage therefore depends on the term of the contract. As a rule, annual subscriptions are concluded with a notice period of one month to the end of the contract year. The start of the contract year is usually the date (day/month) on which the contract is concluded.

Subscription and invoicing

Scope and purpose of data processing

We use the sevDesk accounting system for invoicing.

Categories of personal data

Names and contact details of contact persons as well as data for payment transactions and invoicing are stored.

Recipients of the data

The user data is processed by sevDesk. sevDesk GmbH is a German company.
Address:
sevDesk GmbH
Hauptstraße 115
77652 Offenburg
Deutschland
Link to the privacy policy: https://sevdesk.de/datenschutz
sevDesk fulfills an adequate level of protection and we have concluded a contract with sevDesk in which sevDesk undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection.

Duration of data storage

The duration of data storage depends on the statutory retention obligations.

Success of marketing activities

Scope and purpose of data processing

We use marketing services to efficiently carry out marketing activities for our online offering. These help us to deliver advertising in line with actual interest and to make the success of our marketing activities measurable.

Categories of personal data

Personal data transmitted by the browser is collected: IP address, timestamp, page accessed, access status, amount of data transferred, website from which the request came, cookies with markings from clicked advertising campaigns, browser, operating system, language and version of the browser.

Legal basis for the processing of personal data

The processing of this personal data is based on consent in accordance with Art. 6 para. 1 lit. a) GDPR to the use of cookies for marketing & retargeting.

Recipients of the data

The data is processed by Google.
Address:
Google-Re/Marketing-Services
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043, USA
Link to the privacy policy: https://policies.google.com/privacy
Google marketing services allow us to display advertisements for and on our website in a more targeted manner in order to present users only with advertisements that potentially match their interests. If, for example, a user is shown ads for products that they have shown an interest in on other websites, this is referred to as remarketing. For these purposes, when our and other websites on which Google marketing services are active are accessed, Google executes a Google code directly and so-called remarketing tags (invisible graphics or code) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). The cookies can be set by various domains, including google.com, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites the user has visited, what content they are interested in and which offers they have clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and other information about the use of the online offer. The IP address of the user is also recorded, whereby we inform you in the context of Google Analytics that the IP address is shortened within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases transmitted in full to a Google server in the USA and shortened there. The IP address is not merged with the user's data within other Google offers. Google may also combine the aforementioned information with such information from other sources. If the user subsequently visits other websites, they can be shown ads tailored to their interests. User data is processed pseudonymously as part of Google marketing services. This means that Google does not store and process the user's name or email address, for example, but processes the relevant data in relation to cookies within pseudonymous user profiles. This means that, from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected by Google marketing services about users is transmitted to Google and stored on Google's servers in the USA.
The Google marketing services we use include the online advertising program Google AdWords. With Google AdWords, every AdWords customer receives a so-called conversion cookie. Cookies can therefore not be traced via the websites of AdWords customers. The information collected with the help of the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers find out how many users in total have clicked on their ad and been redirected to a page with a conversion tracking tag. However, they do not receive any information with which users can be personally identified.
We may display third-party advertisements based on Google's AdSense marketing service. AdSense uses cookies that allow Google and its partner websites to serve ads based on users' visits to this website and other websites on the Internet.
Since the IP address is transmitted to Google in the USA, further protective mechanisms are required to ensure the level of data protection under the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the European level of protection. In cases where this cannot be ensured even by this contractual extension, we will endeavor to obtain further regulations and assurances from the recipient in the USA.
If you wish to object to interest-based advertising by Google marketing services, you can use the settings options provided by Google: https://adssettings.google.com/authenticated.

Analysis tool for product improvement

Scope and purpose of data processing

As part of the use of the Octaved Flow system, we collect user movement data to continuously improve the service. It is used to understand and improve the functions used.

Categories of personal data

Event data is collected about which functions are used and on which pages this occurs. In addition to the pseudonymized account information, this data contains the respective event, a timestamp, the IP address and browser-specific information.

Legal basis for the processing of personal data

The legal basis for data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the continuous improvement of our service.

Recipient of the data

The data is processed by Heap, a platform specializing in product improvements. The data is processed pseudonymously on the Heap Analytics server and prepared for statistical evaluations.
Address:
Heap Inc.
225 Bush St #200
San Francisco CA 94104
USA
Link to the privacy policy: https://www.heap.io/privacy
Heap fulfills an adequate level of protection and we have concluded a contract with Heap in which Heap undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection.

Duration of data storage

The data is automatically deleted after 12 months. If the deletion of the user account is initiated by the user, the data will be deleted accordingly.

Logging of errors

Scope and purpose of data processing

During system operation, we record any errors that occur in the Octaved Flow application in order to detect faults at an early stage and efficiently rectify errors in the software. The pseudonymized processing of the data is carried out by Sentry.

Categories of personal data

The personal data processed includes the address and type of the respective server request, the timestamp, the data transmitted, the notification of successful retrieval, the error message, the stack trace, the browser version and the IP address.

Legal basis for the processing of personal data

The legal basis for data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR in ensuring proper system operation.

Recipients of the data

The data is processed by the provider Sentry. Sentry is a bug tracking platform for software applications to collect and categorize messages, send alerts to operators and facilitate traceability for developers to fix bugs.
Address:
Functional Software Inc.
32 Hawthorne Street
San Francisco, CA 94107
USA
Link to the privacy policy: https://sentry.io/security/
Sentry fulfills a sufficient level of protection and we have concluded a contract with Sentry in which Sentry undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection.

Duration of data storage

The data is automatically deleted as soon as it is no longer required to solve problems or for statistical evaluations.

Sales activities and newsletter

Scope and purpose of data processing

As part of the registration process, in addition to user and organization data, we also collect data to qualify for our sales activities. The data is processed by Hubspot.

Categories of personal data

Contact details (name, e-mail), information about the company (industry, size, area of application), notes during the conversation and e-mail correspondence are stored and processed on Hubspot's servers.

Legal basis for the processing of personal data

The legal basis for the processing of the data is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR for the efficient processing of customer inquiries, existing customer management and new customer acquisition.

Recipients of the data

The data is processed by HubSpot.
Address:
HubSpot, Inc.
25 First Street
Cambridge, MA 02141
USA

Duration of data storage

We process the data only in the context of contract initiation, for the acquisition of follow-up orders and for sending the newsletter, provided there is a subscription to at least one newsletter.

Other services

Microsoft Outlook calendar

Within our system, we offer the option of displaying calendar entries from a connected Microsoft Outlook calendar. To do this, the user must actively establish a connection to their Microsoft Outlook calendar within Octaved Flow.
The use of the data is limited to the extent necessary to provide the functions described. Octaved Flow stores, transmits, views or uses the user data obtained from these services only to provide, improve and maintain the functions.
Further information on the processing of user data can be found in Microsoft's privacy policy.
Address:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA