Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).


The terms used are not gender-specific.


Status: March 30, 2022


Controller

PathConnect GmbH

Zimmerstraße 3

76137 Karlsruhe

Germany


Authorized representatives:


Moritz Busch



Overview of processing activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the affected persons.


Types of processed data

  • Inventory data (e.g. names, addresses)
  • Contact data (e.g. email, phone numbers)
  • Content data (e.g. text entries, photographs, videos)
  • Contract data (e.g. subject matter of the contract, term, customer category)
  • Usage data (e.g. visited websites, interest in content, access times)
  • Meta/communication data (e.g. device information, IP addresses)

Categories of affected persons

  • Customers.
  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of processing

  • Provision of contractual services and customer service.
  • Contact requests and communication.
  • Security measures.
  • Office and organizational procedures.
  • Administration and response to inquiries.
  • Feedback.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.


  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)

    – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures carried out at the request of the data subject.

  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)

    – Processing is necessary for compliance with a legal obligation to which the controller is subject.


In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special regulations on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, it regulates data processing for purposes of the employment relationship (§ 26 BDSG), in particular with regard to the establishment, implementation, or termination of employment relationships and the consent of employees. In addition, state data protection laws of the individual federal states may apply.


Security measures

In accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.


These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through control of physical and electronic access to data, access to the data itself, data entry, disclosure, securing availability, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data threats. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default.


SSL encryption (https): To protect data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.


Deletion of data

The data processed by us will be deleted in accordance with legal requirements as soon as the consents permitting processing are revoked or other permissions cease to apply (e.g. if the purpose of processing no longer applies or the data is no longer required for that purpose).


If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.


Our privacy notices may also contain further information on the retention and deletion of data that applies specifically to individual processing activities.


Business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contract partners”), within the scope of contractual and comparable legal relationships as well as related measures and communication with contract partners (or pre-contractually), e.g. to respond to inquiries.


We process this data in order to fulfill our contractual obligations. This includes in particular obligations to provide the agreed services, any update obligations, and remedies for warranty and other service disruptions. In addition, we process the data to safeguard our rights and for purposes of administrative tasks and corporate organization associated with these obligations. Furthermore, we process the data on the basis of our legitimate interests in proper and economically efficient business operations as well as security measures to protect our contract partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g. involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of applicable law, we only pass on contract partner data to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners will be informed about other forms of processing, e.g. for marketing purposes, within the scope of this privacy policy.


We inform contract partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by special markings (e.g. colors) or symbols (e.g. asterisks), or personally.


We delete the data after expiry of statutory warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons (e.g. for tax purposes, generally 10 years). Data disclosed to us by the contract partner as part of an order will be deleted in accordance with the specifications of the order, generally after the end of the order.


If we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between users and providers.


Customer account

Contract partners can create an account within our online offering (e.g. customer or user account, referred to as “customer account”). If registration of a customer account is required, contract partners will be informed accordingly as well as about the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins and use of the customer account, we store customers’ IP addresses along with access times in order to prove registration and prevent misuse of the customer account.


If customers have canceled their customer account, the data related to the customer account will be deleted, unless retention is required for legal reasons. It is the responsibility of customers to back up their data upon cancellation of the customer account.


Provision of software and platform services

We process the data of our users, registered users, and any test users (collectively referred to as “users”) in order to provide our contractual services to them and on the basis of legitimate interests to ensure the security of our offering and to further develop it. The required information is marked as such within the scope of order placement or comparable contract conclusion and includes the information necessary for service provision and billing as well as contact information to enable follow-up communication.


  • Types of processed data:

    Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, phone numbers); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

  • Affected persons:

    Customers; interested parties; business and contractual partners.

  • Purposes of processing:

    Provision of contractual services and customer service; security measures; contact requests and communication; office and organizational procedures; administration and response to inquiries.

  • Legal bases:

    Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).

Payment methods

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer affected persons efficient and secure payment options and, in addition to banks and credit institutions, use other service providers for this purpose (collectively referred to as “payment service providers”).


The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract-related, amount-related, and recipient-related information. This information is required to carry out the transactions. However, the entered data is processed and stored only by the payment service providers. This means that we do not receive any account- or credit-card-related information, but only information confirming or rejecting the payment. In some cases, the payment service providers may transmit data to credit agencies. This transmission serves the purpose of identity and creditworthiness checks. In this regard, we refer to the terms and conditions and privacy notices of the payment service providers.


The terms and conditions and privacy notices of the respective payment service providers apply to payment transactions and can be accessed on the respective websites or transaction applications. We also refer to these for further information and for asserting rights of withdrawal, access, and other data subject rights.


  • Types of processed data:

    Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

  • Affected persons:

    Customers; interested parties.

  • Purposes of processing:

    Provision of contractual services and customer service.

  • Legal bases:

    Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing activities, procedures, and services:


Registration, login, and user account

Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual performance. The processed data includes, in particular, login information (username, password, and an email address).


When using our registration and login functions as well as the user account, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests as well as those of the users in protecting against misuse and other unauthorized use. This data is generally not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.


Users may be informed by email about processes relevant to their user account, such as technical changes.


  • Types of processed data:

    Inventory data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. entries in online forms); meta/communication data (e.g. device information, IP addresses).

  • Affected persons:

    Users (e.g. website visitors, users of online services).

  • Purposes of processing:

    Provision of contractual services and customer service; security measures; administration and response to inquiries.

  • Legal bases:

    Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).


Further information on processing activities, procedures, and services:


  • Registration with pseudonyms:

    Users are permitted to use pseudonyms as usernames instead of real names.

  • Two-factor authentication:

    Two-factor authentication provides an additional layer of security for your user account and ensures that only you can access your account, even if someone else knows your password. For this purpose, you must perform an additional authentication step in addition to your password (e.g. entering a code sent to a mobile device). We will inform you about the procedure used by us.

  • Deletion of data after termination:

    If users cancel their user account, their data relating to the user account will be deleted, subject to a legal permission, obligation, or the user’s consent.

  • No obligation to retain data:

    It is the responsibility of users to back up their data upon termination before the end of the contract. We are entitled to irretrievably delete all data stored during the term of the contract.

Blogs and publication media

We use blogs or comparable means of online communication and publication (hereinafter referred to as “publication media”). Reader data is processed for the purposes of the publication media only to the extent necessary for its presentation and for communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication media within the scope of these privacy notices.


  • Types of processed data:

    Inventory data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).

  • Affected persons:

    Users (e.g. website visitors, users of online services).

  • Purposes of processing:

    Provision of contractual services and customer service; feedback (e.g. collecting feedback via online form).

  • Legal bases:

    Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Contact and inquiry management

When contacting us (e.g. via contact form, email, telephone, or social media) as well as within the framework of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to the inquiries and any requested measures.


Responding to contact inquiries and managing contact and inquiry data within the framework of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.


  • Types of processed data:

    Inventory data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. entries in online forms).

  • Affected persons:

    Communication partners.

  • Purposes of processing:

    Contact inquiries and communication; provision of contractual services and customer service.

  • Legal bases:

    Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).


Further information on processing activities, procedures, and services:


  • Contact form:

    When users contact us via our contact form, email, or other communication channels, we process the data provided in this context to handle the communicated request. For this purpose, we process personal data within the framework of pre-contractual and contractual business relationships insofar as this is necessary for their fulfillment and otherwise on the basis of our legitimate interests and the interests of the communication partners in responding to the requests and our statutory retention obligations.

Amendment and update of the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.


If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time, and we ask that you verify the information before contacting them.


Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:


  • Right to object:

    You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

  • Right to withdraw consent:

    You have the right to withdraw consent given at any time.

  • Right of access:

    You have the right to request confirmation as to whether data concerning you is being processed and to request access to such data as well as further information and a copy of the data in accordance with legal requirements.

  • Right to rectification:

    In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.

  • Right to erasure and restriction of processing:

    In accordance with legal requirements, you have the right to request that data concerning you be deleted without delay or, alternatively, to request a restriction of the processing of the data.

  • Right to data portability:

    You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.

  • Right to lodge a complaint with a supervisory authority:

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the provisions of the GDPR.

Legal text by Dr. Schwenke - please click for further information.