quantilope GmbH Privacy Policy

Valid as of 05/23/2018

 

Table of contents

 

  1. 1. Introduction
  2. 2. Definitions
  3. 3. User categories
  4. 4. Further purposes and legal bases for processing data
  5. 5. Additional requirements regarding the storage duration of your data
  6. 6. Processing of your data in third countries
  7. 7. Data processors
  8. 8. Existence of automated decision-making in individual cases (including profiling)
  9. 9. Rights as a data subject
  10. 10. Name and address of the controller as well as of the data protection officer

 

 

1. Introduction

quantilope GmbH takes the protection of your personal data very seriously. We treat your personal data as confidential and in compliance with the statutory data protection regulations, in particular in accordance with the EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG).

We are committed to transparency!

For each category of person working with services provided by quantilope GmbH, you will therefore find information in the following sections on the extent to which personal data is processed, the legal basis for the processing of this data, the purpose of data processing, the recipients of your data, the duration of data storage, and the scope of your obligations to provide us with data. You will also find information on the further purposes of processing and any associated statutory requirements as well as on additional storage duration requirements, on data processing in third countries, and on our data processors.

Finally, we give you fundamental information on your rights as a data subject, within the meaning of the GDPR, as well as information on the data controller and the contact details of the data protection officer.

We will occasionally amend this Privacy Policy, in particular to comply with forthcoming legal practice in regard to GDPR. In cases where such a change fundamentally alters the way in which we collect or use your personal data, we shall notify all account owners of this change. The history of changes (change log) shall be displayed on this subpage.

Unless otherwise specified, this Privacy Policy applies to all services, products, services, events, websites and apps offered by quantilope GmbH.

 

 

2. Definitions

 

This Privacy Policy pertains to the following user ategories:

Category

Description

Website visitor

You visit our website (www.quantilope.com) or a subpage of this domain (collectively “Website”).

Inquirer

You email us, contact us by telephone, or fill out a form regarding the newsletter, in regards to being contacted by sales, to being contacted in general, or to the provision of more marketing material (e.g. whitepaper).

Customers and prospective clients

Your company has concluded an individual contract with us or is initiating such a contract, and you are this company’s contact person or you have a user account with us, or you have registered for an event and are attending this event.

Respondent

You are a participant in a survey and visit one of our subdomains (survey.quantilope.com/xxx).

Applicant

You submit a (speculative) application for a position at quantilope GmbH.

 

Please note that you may be assigned to one or more categories based on your use of our services.

 

 

3. User categories

In regards to the individual categories of users, information on the extent to which personal data is processed, the legal basis for the processing of personal data, the purpose of data processing, the recipients of your data and the duration of data storage is provided hereinafter. Please also see “Section 4: Further purposes and legal bases for processing data” and “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.1 Website visitor

3.1.1. Scope of processing personal data

When you visit our website, our system processes automatically specified and, in part, personal data. This includes the following data:

  • General usage data, in particular
    • what is your referring site,
    • which subpage you are visiting,
    • which buttons you click,
    • when,
    • from where in the world and
    • with which language settings you do this.
  • Device-related and browser-related data, in particular
    • your IP address,
    • your type of device,
    • your browser type and version, and
    • your operating system.

Our website also uses cookies. You can find further information on our use of cookies in our Cookie Policy.

 

3.1.2. Legal basis for the processing of personal data

The legal basis for processing here is Art. 6 (1) (f) GDPR: our legitimate interest.

 

3.1.3. Purpose of processing personal data

The basic purpose of processing data is to ensure the proper display of our website.

  • It is necessary to temporarily store your IP address for the transmission of our website.
  • Other data mentioned serves to optimize our website and to ensure the functionality and security of our website or of any background systems.
  • If you are classified in the “Customers and prospective clients” or “Inquirer” user group, we also use the subpages you visit and your language settings to optimize our services and our communication with you.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.1.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that need it to fulfill the specified purposes. Your data shall also be forwarded to the following data processors (please see the subsection on “Data processors”):

  • Google Inc. (“Google Analytics”)
  • HubSpot Inc. (“Website” and “CRM”)
  • LiveChat Software Inc. (“Live chat”)

Our website also uses cookies. You can find further information on our use of cookies in our Cookie Policy.

 

3.1.5. Storage duration of personal data

Data shall be erased as soon as it is no longer required to achieve the specified purpose.

  • Your IP address will not be processed any further once the session (visit to our website) has ended.
  • As described above, log files are stored in anonymized form until they are no longer required.

Please also see “Section 5: Additional requirements regarding the storage duration of your data” as well as our Cookie Policy.

 

3.1.6. Scope of your obligations to provide us with data

You are not obligated to provide us with personal data.

 

 

3.2. Inquirer

 

3.2.1. Newsletter

 

3.2.1.1. Scope of processing personal data

You can subscribe to our free newsletter at various points on our website as well as on the websites of certain partner companies. We acquire the following data when you subscribe to the newsletter:

  • Email address
  • First name [optional]
  • Surname [optional]
  • Size of your company [optional]
  • Where and when you filled out which form (“Usage data”)
  • IP address
  • Whether you verified your email address (double opt-in)
3.2.1.2. Legal bases for processing personal data

The legal basis for processing here is Art. 6 (1) (f) GDPR: your consent.

 

3.2.1.3. Purposes for processing personal data

We process your data for the following purposes:

  • We save your email address in order to send you our newsletter.
  • Data labeled as optional is used for personalization.
  • We save the IP address to protect ourselves against abuse; in other words, to allow us to determine who gave us a specific email address.
  • Usage data is stored and processed anonymously for the purpose of optimizing the website.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.2.1.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that need it to fulfill the specified purposes. Your data shall also be forwarded to the following data processors (please see “Section 7: Data processors”):

  • HubSpot Inc. (“CRM”), if it is about a sales contact
  • Google Inc. (“Email” and “Data storage”)
  • Zapier Inc. (“Process automation”)
  • Slack Inc. (“Internal communication”)

If you have subscribed to the newsletter via a partner company (e.g. Facebook), this company will have saved this information. The respective partner company is therefore responsible for this information.

 

3.2.1.5. Storage duration of personal data

We respect the following erasure time limits:

  • If you do not verify your email address (double opt-in), we will erase the data provided during the registration process at the latest after 30 days.
  • If you verify your registration, we shall store your data as long as the newsletter subscription is still active.
  • You can unsubscribe to the newsletter at any time by clicking on the respective link included in every newsletter. Your subscription will thereby be deactivated and we shall erase your data within seven days.

Please also see “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.2.1.6. Scope of your obligations to provide us with data

You need to provide only that data required to distribute the newsletter or the data that we are legally required to collect. We are generally not in a position to complete or continue to carry out the newsletter subscription without such data. If we request further data from you, you will be separately informed of the voluntary nature of the information.

 

3.2.2. Contact for general purposes and sales purposes

 

3.2.2.1. Scope of processing personal data

You can contact quantilope GmbH at various points on our website, by email or by telephone.

If you use the form provided on the website to contact us, the following data will be transmitted to us and then stored:

  • Form of address [optional]
  • Title [optional]
  • First name
  • Surname
  • Email address
  • Telephone number
  • Name of your company
  • Size of your company [optional]
  • Message [optional]
  • Where and when you filled out which form (“Usage data”)
  • IP address

We shall save the data you voluntarily give to us when you contact us by phone or email.

 

3.2.2.2. Legal bases for processing personal data

The legal basis for processing here is Art. 6 (1) (a) GDPR and Art. 6 (1) (f) GDPR: your consent and our legitimate interest.

If you contact us to potentially conclude a contract with us, we process your data on the basis of Art. 6 (1) (b) GDPR. You are simultaneously classified under the category “Customers and prospective clients”.

 

3.2.2.3. Legal basis for processing personal data

We process your data for the following purposes:

  • The purpose of processing your personal data is to process your contact request with us.
  • We save the IP address to protect ourselves against abuse; in other words, to allow us to determine who gave us a specific email address or message.
  • Usage data is anonymized and stored and processed for the purpose of optimizing the website.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.2.2.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that need it to fulfill the specified purposes. Your data shall also be forwarded to the following data processors (please see “Section 7: Data processors”):

  • HubSpot Inc. (“CRM”), if it is about a sales contact
  • Google Inc. (“Email” and “Data storage”)
  • Zapier Inc. (“Process automation”)
  • Slack Inc. (“Internal communication”)

 

3.2.2.5. Storage duration of personal data

Data shall be erased as soon as it is no longer required to achieve the specified purpose.

  • If you contact us with the intent of potentially concluding a contract with us, please see “Subsection 3.3: Customers and prospective clients” for information on the storage duration of data.
  • In all other instances, we shall erase your data as soon as your request for contacting us has been clarified or the conversation with you has ended, at the latest within 90 days.

Please also see “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.2.2.6. Scope of your obligations to provide us with data

You need to provide only that data required to make contact or the data that we are legally required to collect. We are generally not in a position to process your contact request without such data. If we request further data from you, you will be separately informed of the voluntary nature of the information.

 

3.2.3. Additional marketing material

 

3.2.3.1. Scope of processing personal data

You can request our whitepaper and other marketing material at various points on our website.

If you use the form provided on the website to contact us, the following data will be transmitted to us and then stored:

  • Form of address
  • Title [optional]
  • First name
  • Surname
  • Email address
  • Where and when you filled out which form (“Usage data”)
  • Whether you have given us consent to further contact you

 

3.2.3.2. Legal basis for the processing of personal data

The legal basis for processing here is Art. 6 (1) (a) GDPR and Art. 6 (1) (f) GDPR: your consent and our legitimate interest.

 

3.2.3.3. Purpose of processing personal data

We process your data for the following purposes:

  • We save the email address in order to send you our marketing material.
  • Data labeled as optional is used for personalization.
  • If you have given us your consent to make further contact with you, we shall use the data to contact you.
  • Usage data is stored and processed anonymously for the purpose of optimizing the website.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.2.3.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that need it to fulfill the specified purposes. Your data shall also be forwarded to the following data processors (please see the subsection on “Data processors”):

  • HubSpot Inc. (“CRM”)
  • Google Inc. (“Email” and “Data storage”)
  • Zapier Inc. (“Process automation”)
  • Slack Inc. (“Internal communication”)

 

3.2.3.5. Storage duration of personal data

Data shall be erased as soon as it is no longer required for the context of achieving the specified purpose.

  • If you have given us consent to further contact you, please see “Subsection 3.3: Customers and prospective clients” for information on the storage duration of data.
  • In all other instances, we shall erase your data within 30 days.

Please also see “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.2.3.6. Scope of your obligations to provide us with data

You need to provide only that data needed to request marketing material or the data that we are legally required to collect. We are generally not in a position to fulfill your request without such data. If we request further data from you, you will be separately informed of the voluntary nature of the information.

 

3.3. Customers and prospective clients

3.3.1. Scope of processing personal data

We process personal data rightfully obtained from other companies or other third parties (e.g. credit agencies, directory publishers) insofar as it is necessary for us to carry out our services. We also process personal data that we have rightfully taken, obtained or acquired from publicly accessible sources (e.g. phone directories, trade and association registries, resident registries, lists of debtors, press, career networks, the Internet and other media).

Relevant data categories of personal data may include in particular:

  • Personal data (form of address, title, full name and professional title)
  • Contact data (employer’s address, business email address, business telephone number, business fax number and similar data)
  • Project data (The project names in which you are involved and the position(s) you hold, provided these projects are carried out in collaboration with quantilope GmbH)
  • Usage data (i.e. where you found out about us or whether we are providing you with further material)
  • Payment data (business payment methods, invoicing details and similar data)
  • Other data (i.e. statements or sound and video recordings) which you provide to us on a voluntary basis or with consent
  • Survey data on customer satisfaction surveys that you voluntarily provide to us
  •  
3.3.2. Legal basis for the processing of personal data

The legal basis for processing here is Art. 6 (1) (a) GDPR and Art. 6 (1) (b) GDPR and Art. 6 (1) (f) GDPR: your consent, the fulfillment of a contract or measures to initiate a contract as well as our legitimate interest.

 

3.3.3. Purpose of processing personal data

Personal data is processed in order to implement pre-contractual measures, to fulfill our contracts with you, and to execute your orders. The main purpose of processing is to provide market research services in line with your orders and wishes. It also includes the services, measures and activities necessary for this purpose. This data includes, in particular, pre-contractual and contractual communication with you, access to the Help Center, the traceability of transactions, orders and other agreements, as well as quality control through appropriate documentation, goodwill procedures, measures to control and optimize business processes, and for the fulfillment of general obligations of due diligence, governance and control by affiliated companies (e.g. parent company); statistical analyses for management control, cost accounting and controlling, reporting, internal and external communication, emergency management, invoicing and tax assessments relating to operational services, risk management, the assertion of legal claims and defense in litigation; guarantee of IT security (including system and plausibility tests) and general safety, including building and plant safety, safeguarding and exercising the right to grant or deny access (e.g. via access controls); guaranteeing the integrity, authenticity and availability of data, prevention and solving of crimes; monitoring by supervisory committees or control bodies (e.g. audits).

In addition to the actual fulfillment of the contract or pre-contract, we may process your data as necessary to safeguard our legitimate interests or the legitimate interests of third parties, especially in regards to:

  • Advertising or market research or opinion polling in connection to the services used by you (product update newsletter, etc.), unless you have objected to the use of your data;
  • Obtaining information and for the exchange of data with credit agencies insofar as this exceeds our economic risk;
  • Reviewing and optimizing procedures for assessing needs;
  • Improving services and products as well as existing systems and processes;
  • Disclosing personal data as part of a due diligence review in corporate sales negotiations;
  • Enriching our data, including through the use or searches of publicly accessible data;
  • Statistical analyses or market analyses;
  • Benchmarking;
  • Asserting legal claims and defending against litigation that is not directly attributable to the contractual relationship;
  • Limiting the storage of data if the erasure of data is not possible or possible only with disproportionate effort due to the unique kind of data storage;
  • Developing scoring systems or automated decision-making processes;
  • Preventing and solving crimes, provided this is not exclusively to fulfill statutory requirements;
  • Building and facility safety (e.g. access controls and video monitoring) insofar as it exceeds the general duties of care;
  • Internal and external inspections, security checks;
  • After consent is given, possibly listening in on or recording telephone conversations for quality control and training purposes;
  • Receiving and maintaining certifications of a private or official nature;
  • Publishing information on our website or our social media channels after consent is given or after prior notification.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.3.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that require this data to fulfill our (pre-)contractual or statutory obligations or as part of the processing and enforcement of our legitimate interest. Your data will be disclosed to external parties only:

  • in relation to the contract performance;
  • for the purposes of complying with statutory requirements according to which we are obliged to provide information, ensure registration or disclose data;
  • Insofar as external service providers process data on our behalf as data processors (see “Section 7: Data processors”) or they have been commissioned with a function (e.g. CRM provider, Help Center, external computer centers, support/maintenance of EDP/IT applications, archiving, invoice processing, call center services, compliance services, controlling, data screening for anti-money-laundering purposes, data validation or plausibility tests, data destruction, purchasing/procurement, customer care, letter shops, marketing, media technology, research, risk controlling, invoicing, telephone services, website management, audit services, banking institutions, print shops or companies providing data disposal, courier services, logistics);
  • due to our legitimate interest or the legitimate interest of the third party for the specified purposes (e.g. to authorities, credit agencies, collection agencies, lawyers, courts, surveyors, affiliated companies and committees and supervisory bodies);
  • if you have given your consent to disclosure to third parties.

Who receives what data is largely dependent on the respective role defined in the contractual relationship and the purpose of the processing. You can find information about the specific cases in which we store and process which personal data in “Section 9: Rights as a data subject”.

 

3.3.5. Storage duration of personal data

We will process and store your data for the duration of our business relationship. This includes the process of initiating a contract (pre-contractual legal relationship) and the performance of a contract.

Please also see “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.3.6. Scope of your obligations to provide us with your data

You need to provide only the data needed to initiate or implement a business relationship, or that is needed for a pre-contractual relationship with us, or that data that we are legally required to collect. Without such data we are generally not in a position to conclude, execute or further elaborate a contract. This may also apply to data required at a later point in time within the scope of the business relationship. If we request further data from you, you will be separately informed of the voluntary nature of the information.

 

3.4. Respondent

If you participate in a survey on the quantilope platform, we process only the data that you voluntarily provide to the company carrying out the survey.

In general, surveys are conducted anonymously, meaning that we store no personal data.

If you voluntarily provide your personal data in a survey (e.g. your email address for participation in a draw), quantilope generally stores this data technically separated from your other answers.

If you participate in a non-anonymous survey, you shall be notified of this fact before the survey begins. Participation in these surveys and the associated processing of your personal data should always be voluntary.

Each company that conducts the survey is, however, fundamentally responsible for the type and scope of the processing, the storage, the purpose of the processing, the recipients and the duration of the storage of your personal data.

Should you participate or have participated in a survey that does not comply with these principles, please contact the company carrying out the survey or quantilope directly (privacy (at) quantilope.com).

 

3.5. Applicant

3.5.1. Scope of processing personal data

We process personal data rightfully obtained from other agencies or third parties insofar as it is necessary for our contractual relationship with you and the application submitted by you. We also process personal data that we have lawfully taken, received or obtained from publicly accessible sources (e.g. trade and association registries, resident registries, press, career networks, the Internet or media) insofar as this data is required and that we are permitted to process it in accordance with the law.

Relevant categories of personal data may include in particular:

  • Address and contact data (registration data and similar data, such as email address and telephone number)
  • Professional data (education, qualifications, further training, degrees/certificates and similar data)
  • Information about you available online or in career networks
  • Sound and video recordings
  • Other data you voluntarily give to us

 

3.5.2. Legal basis for the processing of personal data

The legal basis for processing here is Art. 6 (1) (a) GDPR, Art. 6 (1) (b) GDPR, Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR: your consent, the fulfillment of a contract or measures to initiate a contract, fulfillment of statutory requirements as well as our legitimate interest.

 

3.5.3. Purpose of processing personal data

Your personal data is processed to process your application in response to a specific advertisement of a vacant position or your unsolicited application, and in this connection particularly for the following purposes: examination and assessment of your suitability for the vacant position, assessment of performance and conduct within the legally permissible limits, where applicable for the purpose of registration and authentication of the application via our website, where applicable for the drafting of an employment agreement, the verifiability of transactions, orders and other agreements, also for quality assurance by way of the relevant documentation, measures for the fulfillment of general obligations of due diligence, statistical analyses of corporate management, travel and event management, travel reservations and settlement of travel expenses, authorization and credentials management, cost accounting and controlling, reporting, internal and external communications, invoicing and tax assessments relating to operational services (e.g. meals in canteen), settlement of company credit card expenses, health and safety at work, contract-related communication with you (including deadline agreements), the assertion of legal claims and defense in litigation; guarantee of IT security (including system and plausibility tests) and general safety, including building and plant safety, safeguarding and exercising the right to grant or deny access by taking appropriate measures, such as, where applicable, CCTV for the protection of third parties and our staff, as well as for the prevention of crimes and the preservation of related evidence; guaranteeing integrity, prevention and solving of crimes; authenticity and availability of data, controls by supervisory bodies or control bodies (e.g. auditing).

In addition to the actual performance of the (preliminary) contract, we may process your data as necessary to safeguard our legitimate interests or the legitimate interests of third parties. Your data is processed only if and to the extent that there are no overriding legitimate interests of yours against such processing, in particular for the following purposes: measures for the further development of existing systems, processes and services; comparisons with European and international anti-terror lists in cases where this goes beyond the statutory obligations; enhancement of our data, inter alia through the use of or research into publicly accessible data, where necessary; benchmarking; development of scoring systems or automated decision-making processes; safety of buildings and plant (e.g. by using access controls and CCTV) in cases where this goes beyond general obligations of due diligence; internal and external investigations, security checks.

Your personal data may also be processed for specific purposes (e.g. obtaining references from previous employers or using your data for future vacancies) if you have given your consent.

Like everyone involved in economic activity, we too are subject to a number of legal obligations. Primarily, these are statutory requirements (e.g. works constitution act, social security code, commercial and tax law), but there may also be obligations imposed by supervisory and other public authorities (e.g. employers' liability insurance association). The purposes of processing may include, in certain cases, identity and age verification, fraud and money-laundering prevention (e.g. comparisons with European and international anti-terror lists), company health management, ensuring safety at work, fulfilling tax law control and reporting obligations and the archiving of data for the purpose of data protection and data security, and for the purpose of auditing by tax consultants/auditors, tax authorities and other public authorities. It may also be necessary to disclose personal data for purposes of collecting evidence, prosecuting or enforcing civil claims in the event of any official or judicial measures.

Please also see “Section 4: Further purposes and legal bases for processing data”.

 

3.5.4. Recipients of your data

Inside our company, your data is disclosed only to those internal offices or organizational units that require this data to fulfill our contractual or statutory obligations (e.g. managerial personnel and heads of department who are looking for new staff or who are involved in the decision to fill the position, the accounting department, medical officer, occupational safety, where applicable staff representatives, etc.) or as part of the processing and enforcement of our legitimate interest. Your data will be disclosed to external parties only:

  • for the purpose of complying with statutory requirements, according to which we are obliged to provide information, ensure registration or disclose data (e.g. tax authorities) or when the disclosure of the data is in the public interest (cf. Section 2.4);
  • insofar as external service providers process data on our behalf as data processors or they have been commissioned with a function (e.g. banks, external computer centers, travel agencies/travel management, print shops or companies providing data disposal, courier, postal or logistic services);
  • due to our legitimate interest or the legitimate interest of the third party for the specified purposes (e.g. transfer to authorities, credit agencies, collection agencies, lawyers, courts, surveyors, affiliated companies and committees and supervisory bodies);
  • if you have given your consent to disclosure to third parties.

 

3.5.5. Storage duration of personal data

In general, we process and store your data for the duration of your application. This also includes the process of initiating a contract (pre-contractual legal relationship).

If you have not been engaged, your original application documents will be returned to you (or destroyed) at the end of a period of six months. Electronic documents are accordingly erased after six months. Should we wish to store your data longer in case of future vacancies or if you have entered your data in an applicants' pool, the data will be erased at later points of time; you will be given the details in connection with the process in question.

Please also see “Section 5: Additional requirements regarding the storage duration of your data”.

 

3.5.6. Scope of your obligations to provide us with your data

You need to provide only the data required for the purpose of processing your application or implementing a pre-contractual relationship with us or the data which we are legally required to collect. We are generally not in a position to complete the application or selection process without such data. If we request data from you above and beyond this, you shall be informed separately about the voluntary nature of the information.

 

4. Further purposes and legal bases for processing data


Like everyone involved in economic activity, we too are subject to a number of legal obligations. For this reason, it may be necessary to process personal data in accordance with Art. 6 (1) (c) GDPR (to fulfill statutory requirements) or Art. 6 (1) (e) GDPR (on grounds of public interest). Primarily, these are statutory requirements (e.g. commercial and tax law), but there may also be obligations imposed by supervisory and other public authorities. The purposes of processing may include, in certain cases, identity and age verification, fraud and money-laundering prevention, the prevention, fighting and clearing up of terrorism financing and crimes endangering property, comparisons of European and international anti-terror lists, fulfilling tax law control and reporting obligations and the archiving of data for the purpose of data protection and data security, and for the purpose of auditing by tax and other public authorities. It may also be necessary to disclose personal data for purposes of collecting evidence, prosecuting or enforcing civil claims in the event of any official or judicial measures.

 

5. Additional requirements regarding the storage duration of your data


We have listed how long we store data in the different user categories provided above. Like everyone involved in economic activity, we too are subject to a number of different legal obligations concerning storage and documentation which are set forth, inter alia, in the German Commercial Code and German Tax Code. The deadlines specified there stipulate storage and documentation for up to ten years after the business relationship or the pre-contractual legal relationship has terminated.

In addition, special statutory provisions may require a longer storage period, such as the preservation of evidence in connection with statutes of limitations. According to §§ 195 ff. of the German Civil Code (BGB), the conventional statute of limitation is three years; however, limitation periods of up to 30 years may also be applicable.

Data is regularly erased once it is no longer required for contractual or legal obligations and rights unless said data is – for a limited period – required for processing to fulfill the respective purposes specified due to an overriding legitimate interest. An overriding legitimate interest also exists, for example, if the erasure of data is not possible or possible only with disproportionate effort due to the special kind of data storage, and processing of this data for other purposes is prevented by appropriate technical and organizational measures.

 

6. Processing of your data in third countries


Data is transmitted to parties in countries outside the European Union (EU) or European Economic Area (EEA), otherwise known as third countries, whenever such is necessary to meet an order/contractual obligation towards or with you, such is required by law (e.g. reporting obligations under tax law), or where such is in our legitimate interest or the legitimate interest of a third party, or if you have issued us with consent.

Your data may be simultaneously processed in a third country, including the involvement of service providers for the processing of an order. If no decision has been issued by the EU Commission regarding the presence of an appropriate level of data protection for the respective country, we warrant that your rights and freedoms will be reasonably protected and guaranteed in accordance with EU data protection requirements through contractual agreements to this effect. Upon request, we can provide you with relevant detailed information.

Information on the suitable or appropriate guarantees and about how and where you can obtain a copy of these may be requested from privacy (at) quantilope.com.

 

7. Data processors


Should one of the data processors we commissioned receive your data, your data shall be subject to at least the same security standards as our standards.

Below you will find descriptions of companies located outside of Germany with which we cooperate. You will also find a description of the basis for these collaborations:

Name of data processor

Location

Description

Measures taken

Google Inc.

1600 Amphitheatre Parkway

Mountain View, CA 94043

USA

Internal and external communication (Gmail), website analysis (Google Analytics), general data storage (Google Drive)

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

Pipedrive OÜ

Paldiski mnt 80

Tallinn 10617, Iceland

CRM

  • Data processing agreement concluded

HubSpot Inc.

25 First Street, 2nd Floor

Cambridge, MA 02141

USA

CRM; transmission of the website

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

LiveChat Software Inc.

One International Place

Suite 1400

Boston, MA 02110-2619

USA

Live chat function on the website

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

Zapier Inc.

549 Market St

San Francisco, CA 94104

USA

Process automatization

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

Slack Inc.

155 5th St Fl 6 (at Minna St)

San Francisco, CA 94103

USA

In-house communication tool

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

SaleForce.com Inc.

One Market, Suite 300

San Francisco, CA 94105

USA

Help Center (Desk.com)

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

AMAZON WEB SERVICES, INC.

410 Terry Avenue North

Seattle, WA 98109

USA

Hosting of image files on European servers (Ireland/Frankfurt)

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

Mailgun Technologies, Inc.

535 Mission St.

San Francisco, CA 94105

USA

Provider for sending emails

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

Digital Ocean, LLC

101 Ave of the Americas 10th Floor

New York, 10013

USA

Load balancer

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

MongoDB, Inc

229 West 43rd St.

New York, 10036

USA

Database management system

  • Successful examination of the EU-US Privacy Shield Certification
  • Data processing agreement concluded

 

We also work with companies headquartered in Germany. We select these companies as carefully as possible and, of course, conclude data processing agreements with all these companies.

 

8. Existence of automated decision-making in individual cases (including profiling)

 

We do not make use of a purely automated decision-making process as referred to in Art. 22 GDPR. If we should in future use such a process in individual cases, we will inform you separately, provided that this is required by law.

 

 

9. Rights as a data subject

 

You may assert data protection rights against us in certain circumstances:

  • You have the right to obtain information from us about your stored data in accordance with the provisions set forth in Art. 15 GDPR (subject possibly to restrictions in accordance with Section 34 BDSG).
  • At your request, we will rectify your stored data in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
  • At your request, we will erase your data in accordance with Art. 17 GDPR if doing so does not conflict with other statutory regulations (e.g. statutory storage obligations or restrictions in accordance with Section 35 BDSG) or an overriding interest on our part (e.g. to defend our rights and claims).
  • Based on the requirements set forth in Art. 18 GDPR, you can request that we restrict the processing of your data.
  • In addition, you may object to the processing of your data according to Art. 21 GDPR, on the basis of which we must end the processing of your data. However, this right to object applies only if special circumstances exist with regard to your personal situation, whereby rights of our company may outweigh your right of objection.
  • You also have the right to receive your data in a structured, common and machine-readable format under the provisions stipulated in Art. 20 GDPR, or to transmit them to a third party.
  • Furthermore, you have the right to withdraw consent you have given to the processing of personal data at any time with effect for the future. Should you object, we shall no longer process your personal data unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or unless the processing is for the purposes of asserting, exercising or defending legal claims.
  • In addition, you have the right to file a complaint with the data protection supervisory authority (Art. 77 GDPR). However, we recommend that any complaint be directed to our data protection officer first.

If possible, your requests to exercise your rights should always be addressed directly in writing to privacy (at) quantilope.com, at the above-stated address or to our data protection officer.

 

 

10. Name and address of the controller as well as of the data protection officer

 

Within the meaning of data protection law, the controller is:

quantilope GmbH

Charlottenstraße 26

20257 Hamburg, Germany

 

Email: privacy (at) quantilope.com

Internet: www.quantilope.com

Privacy policy: www.quantilope.com/de/datenschutzerklaerung

Contact details for our external data protection officer:

Herr Harald Eul

HEC Harald Eul Consulting GmbH

Auf der Höhe 34

50321 Brühl, Germany

Email: DSB-quantilope (at) he-c.de