caritag Privacy Policy – App


Information regarding the processing of personal data in conjunction with the mobile version of the caritag app

 

ETO DYNAMIC App Services GmbH (“ETO DYNAMIC“) considers the protection and security of your personal data to be highly important. In the following document, you will find the information required in accordance with the General Data Protection Regulation (“GDPR”) regarding the processing of your personal data by ETO DYNAMIC in conjunction with your use of the mobile version of the caritag app (“app”).

 

1 Who is the controller under data protection law?

 

The company

 

ETO DYNAMIC App Services GmbH | Hardtring 6 | 78333 Stockach | Germany | legally represented by its Managing Director Dr. Michael Schwabe (“ETO DYNAMIC”)

provides the app to you for your use, and is the controller responsible for processing your personal data as described in this Data Privacy Notice.

 

2 How can I contact the ETO DYNAMIC Data Protection Officer?

 

to the attention of ETO DYNAMIC Data Protection Officer:
ETO DYNAMIC App Services GmbH | Hardtring 6 | 78333 Stockach | Germany | privacy@caritag.com

 

3 Which of my personal data is processed by ETO DYNAMIC?

 

ETO DYNAMIC processes the following categories of your personal data in conjunction with your use of the app:

 

3.1 Log data

When you use the app, ETO DYNAMIC processes the “log data” transmitted by your device to the app server, including in particular the following information:

  • IP address of the device used
  • Operating system version of the device used
  • Date and time the connection was formed to the app servers / date and time of the last login
  • Access token used
  • IMEI/IMSI of bought and configured caritags

 

3.2 Setting data

ETO DYNAMIC processes the “setting data” transmitted by your device to the app server in conjunction with your use of the app, including in particular the following information:

  • Information regarding the settings you select in the app (such as app language)

 

3.3 Account data

When you create an account for the app, ETO DYNAMIC collects “account data” from you, including in particular the following information:

  • Email address
  • User name
  • Password hash
  • Address
  • Telephone number

 

3.4 Identifiers

“Identifiers” are processed in conjunction with your use of the app, and allow ETO DYNAMIC to identify you as a user, the device you use, or a caritag published/obtained by you in the app. Identifiers include, in particular, the following information:

  • User ID
  • Device ID
    • IP address of the device used
    • caritag ID
    • caribase ID
    • carihub ID

 

3.5 Device data

ETO DYNAMIC processes “device data” entered by you or other users into the app, as well as information derived from said device data in conjunction with your use of the app, including in particular the following information:

  • Device data generated by you using the app and the caritag (i. e. battery status, end-to-end-encrypted location data)
  • End-to-end encrypted chat messages that you send to other users in the app/that you receive from other users in the app

 

3.6 Location data

ETO DYNAMIC processes the “location data” transmitted by your device to the app server in conjunction with your use of the app, including in particular the following information:

  • Information regarding your geographic location when you are using the app. Location data of the smartphone, which is shown in the map of the app, is not processed.
  • Information regarding the geographic location of your caritag devices cannot be processed by ETO DYNAMIC and its processors, as caritag has been developed in such a way that the locations of caritag devices can only be displayed in your app. There is no technical possibility for us as the operator to localize your caritag devices.

 

3.7 Usage data

ETO DYNAMIC may process “usage data” in conjunction with your use of the app, including in particular the following information:

  • Information regarding your use of individual app functions
  • Information regarding your dwell time in individual areas of the app
  • Information regarding crashes of the app

 

3.8 Master data

ETO DYNAMIC may process your “master data”, including in particular the following information:

  • Last name
  • First name
  • Address
  • Company name

 

3.9 Correspondence data

In addition, the content of the correspondence you carry out with ETO DYNAMIC in writing, by email or using the app contact function (“correspondence data”) will be processed.

 

4 For what purposes, and on what legal basis does ETO DYNAMIC process my personal data?

 

4.1 Provision of the app and free functions

In order to make it possible for you to use the app and the free online functions available there, in particular the

  • Functions to create device data
  • Push notification function
  • Chat function
  • Search function

 

ETO DYNAMIC processes the following categories of personal data:

  • Log data (section 3.1)
  • Setting data (section 3.2)
  • Account data (section 3.3)
  • Identifiers (section 3.4)
  • Device data (section 3.5)
  • Location data (section 3.6)

 

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate economic interest in providing the app to you for your use.

 

4.2 Guaranteeing security for the IT infrastructure used to provide the app

ETO DYNAMIC may process the following categories of personal data in order to ensure the IT security of the IT infrastructure used to provide the app:

  • Log data (section 3.1)
  • Account data (section 3.3)
  • Identifiers (section 3.4)

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate economic interest in ensuring the security of the IT infrastructure of the app, in particular to identify, correct, and document faults in a secure evidentiary manner (such as DDoS attacks).

 

4.3 Improvements to the app and optimising marketing (usage analysis)

In order to improve the app and optimise marketing of the app and new functions, ETO DYNAMIC may process the following categories of personal data if you grant your consent to such processing:

  • Log data (section 3.1)
  • Identifiers (section 3.4)
  • Location data (section 3.6)
  • Usage data (section 3.7)

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. a) GDPR (consent).

 

4.4 Identification

If you grant your consent for it to do so, ETO DYNAMIC may process the following categories of personal data in order to identify you. ETO DYNAMIC carries out such identification in order to prevent misuse of the app:

  • Identification data (section 3.10)

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. a) GDPR (consent).

 

4.5 Fulfilment of legal retention obligations

ETO DYNAMIC processes the following categories of personal data in order to fulfil its legal retention obligations:

  • Master data (section 3.8)

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. c) GDPR (legal obligation) if the processing is necessary to fulfil retention obligations of ETO DYNAMIC according to the law of the European Union or member states.

If the processing is necessary to fulfil retention obligations in countries outside of the European Union, then the legal basis is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate legal interest in fulfilling its legal obligations in third countries.

 

4.6 Cooperation with authorities and courts

ETO DYNAMIC may process all of the categories of personal data listed in section 3 for the purpose of cooperating with courts or authorities, in particular to fulfil its legal duties to provide information.

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. c) GDPR (legal obligation), if ETO DYNAMIC is obligated to provide certain information to authorities or courts under the law of the European Union or member states.

If the processing is necessary to fulfil legal obligations in countries outside of the European Union, then the legal basis is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate legal interest in fulfilling its legal obligations in third countries.

 

4.7 Fulfilling legal obligations towards other users and third parties

ETO DYNAMIC may process all of the categories of personal data listed in section 3 in order to fulfil legal obligations it has towards other users and third parties, in particular obligations to provide information.

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. c) GDPR (legal obligation) if ETO DYNAMIC is obligated to undertake certain types of processing in the interest of other users or third parties under the law of the European Union or the member states.

If the processing is necessary to fulfil legal obligations in countries outside of the European Union, then the legal basis is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate legal interest in fulfilling its legal obligations in third countries.

 

4.8 ETO DYNAMIC asserting, exercising or defending legal claims

ETO DYNAMIC may process all of the categories of personal data listed in section 3 in order to assert, exercise, or defend its own legal claims against you, other users, and/or third parties.

The legal basis for said processing is Art. 6 para. 1 subpara. 1 lit. f) GDPR (balancing of interests). ETO DYNAMIC has a legitimate legal interest in asserting, exercising or defending its legal claims.

 

5 Am I obligated to provide my personal data to ETO DYNAMIC, and what will the consequences be if I do not do so?

Categories of data

Obligation to provide / necessity to conclude a contract

Consequences of not providing data

Log data (section 3.1)

Providing this data is not required by law or contract.

If the data is not provided, you will not be able to use the app.

Setting data (section 3.2)

Providing this data is not required by law or contract.

If the data is not provided, you will not be able to use the app.

Account data (section 3.3)

Providing this data is not required by law or contract, however the data is necessary to conclude a usage agreement for the app between yourself and ETO DYNAMIC.

If the data is not provided, you will not be able to use the app.

Identifiers  (section 3.4)

Providing this data is not required by law or contract.

If the data is not provided, you will not be able to use the app.

Device data (section 3.5)

Providing this data is not required by law or contract.

If the data is not provided, you will only be able to use the app with restrictions.

Location data (section 3.6)

Providing this data is not required by law or contract.

If the data is not provided, you will only be able to use the app with restrictions.

Usage data (section 3.7)

Providing this data is not required by law or contract.

None

Master data (section 3.8)

Providing this data is not required by law or contract.

If you do not provide the data, you will not be able to carry out transactions in the app or use the transaction functions.

Correspondence data (section 3.9)

Providing this data is not required by law or contract.

None

 

6 To whom, and to which third countries is my personal data transmitted?

 

6.1 Transmission from ETO DYNAMIC to ETO DYNAMIC Connect GmbH

 

Purpose of transmission:

Performing the services necessary to provide and operate the app to ETO DYNAMIC, in particular providing the technical infrastructure, moderation, and handling complaints.

Recipient:

ETO DYNAMIC Connect GmbH

Role of the recipient:

Contract processor

Location of data processing:

Germany

 

6.2 Transmission from ETO DYNAMIC Connect GmbH to other contract processors

 

In the course of performing its services for ETO DYNAMIC, ETO DYNAMIC Connect GmbH transmits your personal data to the following other contract processors:

 

Purpose of transmission:

Provision of the technical infrastructure for the app (Push Notifications)

Recipient:

WonderPush, Société par actions simplifiée (SAS)

Role of the recipient:

Other contract processors

Location of data processing:

European Union

 

Purpose of transmission:

Provision of the technical infrastructure for the app (cloud services)

Recipient:

SysEleven GmbH

Role of the recipient:

Other contract processors

Location of data processing:

Germany

 

Purpose of transmission:

Map services

Recipient:

Google Ireland Ltd.

Role of the recipient:

Other contract processors

Location of data processing:

European Union/EEA

 

Purpose of transmission:

Administration and maintenance of the apps and their technical infrastructure (Backend)

Recipient:

SSI Software Services GmbH

Role of the recipient:

Other contract processors

Location of data processing:

Germany, Pakistan

Adequacy decision or suitable or appropriate safeguards for transfers to third countries and/or international organizations:

SSI Software Services GmbH as data exporter has agreed standard data protection clauses with the data importer for the transfer of data to Pakistan. A copy of the standard data protection clauses can be obtained from ETO DYNAMIC.

 

6.3 Transmission to other recipients 

 

Purpose of transmission:

Cooperation with authorities and courts, fulfilling legal obligations towards authorities and courts and exercising the rights of ETO DYNAMIC

Recipient:

Courts and authorities

Role of the recipient:

Controller

 

7 How long is my personal data stored?

 

Categories of data

Storage duration

Log data (section 3.1)

Log data is generally stored on ETO DYNAMIC’s servers from the time you start the app, and deleted or anonymized when you end the app (storage during each usage session). In deviation from this, the date (including time) of your last login to the app will continue to be stored even after you end your usage session. The data of your last login will generally be deleted one week after your account for the app is deleted.

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the log data relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute.

Setting data (section 3.2)

Your current setting data will be stored on ETO DYNAMIC’s servers from the time you register as an app user and will be deleted at the latest one week after you delete your account for the app. 

Account data (section 3.3)

Your current account data will generally be stored on ETO DYNAMIC’s servers from the time you register as an app user and will be deleted at the latest one week after you delete your account for the app.

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the account data relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute.

Identifiers (section 3.4)

The IP address of the device used, the device ID and the app instance ID will be stored on ETO DYNAMIC’s servers from the time you start the app and deleted when you end the app (storage during each usage session).

User and photo/video ID will continue to be stored even after the end of the usage session. In general, user and photo/video ID will be deleted one week after your app account is deleted.

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the identifiers relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute.

Device data (section 3.5)

If device data has not already been removed by you or by ETO DYNAMIC in the course of moderation (clause 4.7), the device data will generally be stored from the date it is created in the app on ETO DYNAMIC’s servers and will be deleted or anonymized at the latest one week after your app account is deleted.

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the content data relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute.

Location data (section 3.6)

Information regarding your geographic location while you use the app is generally stored on ETO DYNAMIC’s servers from the time you start the app, and deleted or anonymised when you end the app (storage during each usage session).

Information regarding the geographic location where the device data in the app was published is generally stored on ETO DYNAMIC’s servers from the date the device data was saved in the app and deleted once the device data in question is removed from the app by you or by ETO DYNAMIC in the course of moderation (clause 4.7).

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the location data relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute.

Usage data (section 3.7)

In general, your usage data is stored on ETO DYNAMIC’s servers from the time you start the app (storage during each usage session) and deleted or anonymized four weeks after the end of the respective usage session.

Master data (section 3.8)

Your current master data will generally be stored on ETO DYNAMIC’s servers from the time you register as an app user and will be deleted at the latest one week after you delete your account for the app.

ETO DYNAMIC shall store your master data for a longer period of time if there are applicable legal retention obligations, in particular under money laundering, trade and/or tax law. Depending on the type of data, there may, in particular, be retention obligations under trade and tax law of six or ten years (Sec. 147 of the Tax Code (AO), Sec. 257 of the German Commercial Code (HGB)).

If an incident occurs that is relevant for security or legal reasons, ETO DYNAMIC shall store the master data relevant for this purpose in each individual case until the incident relevant for security or legal reasons is corrected and clarified in full, or, in case of a legal dispute, to the end of the dispute

Correspondence data (section 3.9)

The storage term for correspondence depends on the content of the correspondence. If the correspondence contains legally relevant content, ETO DYNAMIC shall store the correspondence for three years from the end of the year in which the correspondence was carried out, and in the case of legal disputes until the legal disputes have ended. If the correspondence is classified as a commercial letter, the storage term is six years from the end of the year in which the correspondence was carried out. In certain cases, however, the storage term can be up to thirty years.

 

 

8 What rights do I have with respect to the processing of my personal data?

 

As a data subject, you have the following rights with respect to the processing of your personal data described above. In order to exercise these rights, get in touch with ETO DYNAMIC using the contact information provided in section 1.

 

  • Right to information, Art. 15 GDPR: You have the right to determine which of your personal data has been processed. This includes further information on data processing, such as the purpose, legal basis and recipient. You also have the right to request a copy of your personal data.
  • Right to rectification, Art. 16 GDPR: You have the right to request rectification of your personal data if it is incorrect, and to request that incomplete personal data be supplemented.
  • Right to deletion (“Right to be forgotten”), Art. 17 GDPR: In cases specified by law, you can request that your personal data be deleted. This is the case, for instance, if the data is no longer needed for the purpose for which it was originally collected, or if the data has been processed illegally.
  • Right to restrict processing, Art. 18 GDPR: You can request that the processing of your personal data be restricted; in this case, processing may be carried out only in cases as required by law (such as with your consent or in order to exercise or defend our rights). You have the right to do so, for instance, if you dispute that the data is correct.
  • You also have the right to data portability, Art. 20 GDPR: In particular, you have the right to receive your personal data which you have provided to ETO DYNAMIC in a structured, commonly used and machine-readable format, and the right to transmit this data to other controllers without being prevented from doing so by ETO DYNAMIC, if the processing is based on your consent or in order to perform the contract and carry out measures prior to entering into a contract, or based on Art. 6 para. 1 subpara. 1 lit. b) GDPR (performing a contract and steps prior to entering into a contract).

 

In addition, of course, you always have the right to submit complaints to a supervisory authority, Art. 77 GDPR: You have the right to submit complaints to a data supervisory authority if you believe that the processing of your personal data violates the GDPR.

You can determine the full scope of your rights under the articles above, which you can access at the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679. Your rights may be restricted in individual cases in whole or in part under the law. 

 

Right of revocation

 

You have the right to revoke your consent at any time (Art. 7 para. 3 GDPR). In this case, your personal data covered by your consent will no longer be processed by the controller. Revocation of consent will not affect the legality of processing carried out until the consent was revoked.

 

Right to object

 

You have the right to object to the processing of your personal data as carried out in accordance with Art. 6 para. 1 subpara. 1 lit. f) GDPR (see section 4) at any time due to your personal situation (Art. 21 para. 1 GDPR). In this case, your personal data will no longer be processed by the controller unless the controller can verify that they have mandatory protected reasons for the processing that outweigh your interests, rights and freedoms, or if the processing is carried out for the purpose of asserting, exercising, or defending against legal claims.

Furthermore, you have the right to object to the processing of your personal data for direct marketing at any time (see section 4).