Privacy policy for website, services and services of exaas

Status: January 2021

1. Introduction

In this privacy policy you will learn,

  • how we handle personal data in the context of your use of the exaas expert platform and when booking exaas web sessions and
  • how we process your personal data within the framework of the contractual relationship.

2. Responsible 

This data protection declaration applies to data processing by us as the responsible party pursuant to.
Article 4 (7) of the General Data Protection Regulation (DSGVO). Our contact details are:

exaas GmbH
Zielstattstr. 19
81379 Munich

Contact: 
E-mail: info@exaas.io
Tel. : +49 160 955 024 32

3. Definitions

Unless this Privacy Policy contains or implies a different definition, reference is made to the definitions in Art. 4 GDPR with regard to the terms used.

4. Processing of your personal data

4.1. When you call up our website 

When you call up our website, i.e. when you otherwise transmit information to us, we or the host provider acting on our behalf only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser 
  • Operating system
  • Language and version of the browser software

This data is technically necessary for us to display and provide you with our website. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DSGVO. This data is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of 14 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident. The hosting service provider we use processes personal data for us on behalf of and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE, alternatively you can also request these documents from us using the contact options specified in section 2.

4.2. Evaluation of your usage behavior

We use technology from Matomo (formerly Piwik) to analyze your browsing behavior and to create anonymized usage statistics. Matomo is a service of InnoCraft Ltd, 150 Willis St. , 6011 Wellington, New Zealand,

The software sets a cookie on your end device. Cookies are text files that are stored in the internet browser or by the internet browser on your end device. This cookie contains a characteristic string of characters that enables unique identification of the browser when the website is called up again. The following data is stored during your use:

  •  Two bytes of your IP address
  • The subpages called
  • Your dwell time
  • The frequency of use
  • Browser version
  • Model of your terminal device
  • Screen resolution
  • Place of access
  • Time of access
  1.  
  •  

We process this data exclusively with your consent. The legal basis for this is Art. 6 para. 1 p. 1 lit. a DSGVO. The data is deleted as soon as it is no longer required for the analysis purposes. We review the necessity every 6 months.

The service provider we use, Matomo, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in a country for which the European Commission has issued a so-called adequacy decision. This is available at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32013D0065&from=DE at any time, alternatively you can also request these documents from us using the contact details provided in section 2. The legal basis for the transfer is Art. 45 (3) DSGVO.

4.3. Embedded videos from Vimeo

We have integrated videos from the Vimeo platform on our website. Vimeo (Vimeo LLC, 555 West 18th Street New York, NY 10011 USA) is responsible for the operation of the Vimeo platform under data protection law. You can find Vimeo’s privacy policy at: https://vimeo.com/privacy.

In this context, Vimeo processes the following personal data from you to our knowledge:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software
  • Data on interaction with the Vimeo plug-in
  • Device identifier of your end device, if applicable
  • the version of the Vimeo software we use 
  • Information about the video playback so far
  • Information about the way of playback (e.g. full screen)

The integration of videos from Vimeo is done in our interest to present you high quality content directly on our website. Instead of just giving you a link to an interesting video, this allows you to watch the video right here on our site. This extends our service and makes it easier for you to access interesting content. The legal basis for the processing of personal data in connection with the integration of the Vimeo videos and the associated transfer of personal data to Vimeo LLC is Art. 6 para. 1 p. 1 lit. f DSGVO.

Vimeo necessarily obtains knowledge of the above data. Vimeo is a service provided by a provider from the USA. The level of data protection in the USA is judged by the European Commission to be inadequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

As an additional protective measure, the videos from Vimeo are only integrated in the so-called “Do Not Track” variant. This means that personal data is only transmitted to Vimeo in a minimal way. 

4.4. When using the chat

We use technology from crisp to operate a live chat system. Therefore, we transfer the following data to crisp (Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France):

  • E-mail address
  • Message exchange
  • Activity status (online / offline)
  • Date and time of the activity
  • IP address
  • Device type (operating system and browser)
  • Geographical location, city, country 
  • Preferred language
  • Time zone
  • Web pages that were called 

We process this data in order to offer you real-time communication with us in our interest. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. We delete this data if it is no longer required for the purpose for which it was collected and there are no legal obligations to the contrary. The deletion regularly takes place within one month after the end of the chat.

Crisp processes your above-mentioned personal data on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.

4.5. Within the framework of contacting us by e-mail

We process e-mails that you send to us and that we send to you using the services of our e-mail provider. In the context of e-mail communication, our e-mail provider processes your personal data (i.e. your e-mail address and the information you provide in the e-mail) on our behalf to enable us to communicate with you by e-mail or, if you are our customer, to process the contract. The processing of your personal data occurs on the basis of Art. 6 para. 1 p.1 lit. f or Art. 6 para. 1 p. 1 lit. b DSGVO. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every twelve months.

4.6. Within the framework of contact by telephone

If you contact us by phone, we need your personal data (e.g. name, telephone number, address or e-mail address) to process your inquiry or request. The processing of your personal data is based on Art. 6 para. 1 p. 1 lit. b DSGVO. We delete this data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.

4.7. Within the scope of contacting us via contact form

If you contact us via contact form, e-mail, we need your personal data (eg name, contact details, etc.) to process your request or your request. This data processing is necessary to enable us to communicate with you or, if you are our customer, to process the contract. The processing of your personal data is based on Art. 6 para. 1 p.1 lit. f or Art. 6 para. 1 p. 1 lit. b DSGVO. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.

4.8. As part of the subscription to our newsletter

With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. Incidentally, our newsletters contain information about our products, promotions and our company.

For the registration to our newsletter we use the so-called double opt-in procedure. This means that after your registration we send you an e-mail to the specified e-mail address, in which we ask you to confirm that you wish to receive the newsletter. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

Mandatory information for sending the newsletter is only your e-mail address. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO. We store your email address for this purpose until you revoke your consent.

We use technology from Mailjet to send the newsletters and to evaluate your interaction with the newsletter. Therefore, we transfer your data (email address) provided as part of your newsletter subscription to Mailjet (Mailjet SAS, 13-13bis, Rue de l’Aubrac, 75012 Paris, France), Mailjet processes your personal data on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO. 

5. When registering on our platform

In addition to the information in section 4, we process your data as part of your registration on our expert platform as shown in this section 5.

5.1. When calling our platform

When you call up our website, i.e. when you otherwise transmit information to us, we or the host provider acting on our behalf only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser 
  • Operating system
  • Language and version of the browser software

This data is technically necessary for us to display and provide you with our website. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DSGVO. This data is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of 14 days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until the final clarification of the respective incident. The hosting service provider we use processes personal data for us on behalf of and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

5.2. Mandatory information for registration on our expert platform 

When you register on our platform, you must provide certain information about yourself as mandatory data. We therefore process the following personal data from you:

  • Name
  • Phone number
  • E-mail address
  • Account type (expert or enterprise customer)
  • Password

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. We store your data until you cancel your user account. After that, your data with regard to the user account will be deleted, unless their retention is necessary for commercial or tax reasons in accordance with Art. 6 para. 1 S.1 lit. c DSGVO.

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

5.3. Optional details on our expert platform 

In addition to the required mandatory information, you can provide additional information that makes it easier for other users to get to know you better and thus select you as a suitable business contact, for example. We may therefore process personal data that you voluntarily add to your profile, such as

  • Profile photo
  • Resume
  • Competencies
  • Uploaded documents (e.g. brochures, resumes, etc.); this data is read automatically
  • Third party references
  • Brief description of your expertise
  • Detailed text description of yourself or your expertise.

Other users may view, share or link to this data. Certain information about you may be accessible to other users of our platform by default (e.g., your username, profile picture, content added to your profile). 

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. The deletion of this data takes place either selectively for certain details when you remove them from our platform or completely when you delete your account on our platform.

To fulfill our contractual obligations, we rely on the services of carefully selected third parties who process the data on our behalf. These are in each case processors with whom we have concluded an agreement in accordance with Art. 28 DSGVO. In addition, we naturally ensure in advance that our processors comply with all data protection requirements so that your data is always secure.

One of the service providers we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

5.4. When you provide a reference for an expert

When using our platform as a corporate customer, you have the option of providing references for experts registered on our platform and thus evaluating their services. For the submission of such an evaluation, we process the following personal data:

  • Name 
  • Access data (date and time, data for session identification (session ID); IP address)
  • Contact details (company, your position within the company, industry)
  • Evaluation contents

This data processing serves to enrich the profiles of our experts with ratings and thus create added value for both experts and corporate customers. In addition, we reserve the right to check the ratings for legal violations and authenticity.

This data processing only takes place with your consent. The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO. We store your e-mail address for this purpose until you revoke your consent, but for a maximum period of 10 years. 

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

5.5. When you communicate with other users of our platform.

You have the possibility to get in contact with other users of our platform. In the context of this communication, we generally process all data that you provide in the course of it and transmit it to the message recipient selected by you. These data include in particular 

  • News content
  • Shared files

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. The deletion of this data takes place either selectively for certain information when you remove it from our platform or completely for all data when you delete your account on our platform.

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

5.6. Responsibility for personal data of other users of our platform

If you communicate with another user (e.g., an expert) and receive personal data from them (such as name, email address, or other contact details), you are the controller of this personal data and its processing independently of us after we have transmitted it to you. We therefore recommend that you inform your communication partners about your data processing in a data protection declaration and fulfill your obligations under data protection law beyond this.

5.7. In the context of receiving marketing emails

We process certain personal data from you in order to send you regular status emails as well as advertising for our own similar products and services or surveys for the purpose of our own market research. This includes the following personal data from you

  • Name
  • E-mail address

This processing is done in our interest in direct marketing and maintaining customer relations. The legal basis for this is Art. 6 para. 1 p. 1 lit. f DSGVO. The deletion of this data takes place either selectively for certain details when you remove them from our platform or completely when you delete your account on our platform. 

5.8. Payment processing through Stripe

The execution and thus the collection, processing and storage of electronic payment transaction data is carried out by our payment service provider, Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland (“Stripe”). Through Stripe it is possible to offer various payment methods, such as credit card payments or direct debit.

For each payment transaction, Stripe receives data for the processing of electronic payment transactions, such as the information you provided during the ordering process together with information about your order (name, address, account number, bank routing number, credit card number (if applicable), invoice amount, currency and transaction number). The processing of your data by Stripe is necessary for payment processing and thus for the execution of the contract. The legal basis for this is Art. 6 para. 1 p. 1 lit. b DSGVO. This data will be deleted after expiry of the statutory retention obligations. Stripe processes your personal data on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.

The service provider we use in this context, Stripe, which processes personal data for us on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO, transmits data to group companies in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

6. When booking or participating in web sessions

You have the option of booking web sessions with registered experts via our platform. The prerequisite for this is that they themselves are registered on the platform. Therefore, the information on data processing provided under 5. applies accordingly. In addition, we process your personal data as shown below.

6.1. When handling the web session

When you book or participate in a web session, we process certain personal data about you. In addition to the data required for the technical provision of our website and listed in section 4.1, this also includes your name. In addition, we may record the web session in order to be able to provide you with the content at a later point in time as well as to prove the proper provision of services.

The processing of your name takes place for the fulfillment of the contract. The legal basis for this is
Art. 6 para. 1 p. 1 lit. b DSGVO. The recording of the web session only takes placeif all participants have given us their permission to do so. The legal basis for this is Art. 6 para. 1 p. 1 lit. a DSGVO. This data is processed by us at least for the duration of the contractual relationship plus the respective warranty obligation. Subsequently, the data will be deleted if it is no longer required to achieve the stated purpose in accordance with Art. 17 (1) a DSGVO.

6.2. Processing of your data for contract management

If you are or become our customer, we process data from you that may have personal reference in the context of processing your order and fulfilling our contractual obligations. The processed data includes master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., your bank details, payment history). This data is required by us for the fulfillment of the contract. If this includes personal data, the processing is based on Art. 6 (1) lit. b DSGVO. There is no legal or contractual obligation to provide this data. 

All data processed for contractual purposes will be processed by us at least for the duration of the contractual relationship plus the respective warranty obligation. Subsequently, the data will be deleted if it is no longer required to achieve the stated purpose pursuant to Art.
Art. 17 para. 1 lit. a DSGVO.

6.3. Processing of your data for contact management purposes

We store master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers) and contract data (e.g., services used, contract contents, contractual communication, names of contact persons) of customers, prospective customers, suppliers and other business partners, e.g., for the purpose of contacting them later. This personal data can be stored in a CRM system (“Customer-Relationship-Management System”) or comparable systems for the organization of inquiries. This enables us to efficiently organize the incoming contacts. This processing of your personal data is done on the basis of Art. 6 para. 1 lit. f DSGVO. All data processed in this context will be stored by us at least for the duration of the contractual relationship plus a period of three years.

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO , in turn has the data processed in the USA. The level of data protection in the USA is assessed by the European Commission as inadequate. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

6.4. Processing of your data for accounting purposes

In addition, we process your data, in particular your master contract and payment data, for accounting purposes. On the one hand, this processing takes place on the basis of legal obligations pursuant to Art. 6 para. 1 lit. c DSGVO.

According to legal requirements in Germany, we are also obliged to retain or store certain data, so that we may not delete or destroy them even after the purpose has been achieved; Art. 17 para. 3 lit. b DSGVO. This affects master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history). Thus, the retention or storage in particular of books, records, inventories, annual financial statements, management reports, the opening balance sheet as well as the respective work instructions and other organizational documents required for their comprehension, the received and sent commercial or business letters, the accounting vouchers as well as other documents, insofar as they are of importance for taxation, is prescribed for ten years in accordance with Section 147 (1) AO. This also applies to any personal data of data subjects contained in the aforementioned documents. The legal basis for this retention or storage is Art. 6 Para. 1 lit. c DSGVO.

6.5. Transfer of your data to external consultants and professional secrecy holders and for accounting purposes

In addition, we may transfer your personal data to consultants such as tax advisors, lawyers, auditors or accountants. This is done in our interest in legally compliant operating procedures or for financial accounting. The legal basis for this is
Art. 6 para. 1 p. 1 lit. f DSGVO or § 24 para. 1 no. 2 BDSG n.F.

6.6. Use of office programs

In the course of our activities, we use various IT systems and services. When you contact us individually, we process the following data, which may be personally identifiable:

  • Inventory data (names, addresses);
  • Contact information (email, phone numbers, fax, messenger);
  • Contract data (time, content, payment information);
  • Content data (emails, calendar entries, documents and files)

We process this data to simplify our office structures, to enable backups, for internal file sharing and to create a device-independent access option. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. We delete this data after it is no longer necessary for the purpose for which it was collected. We review the necessity every six months . 

The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.

6.7 Use of “hCaptcha”

We use the anti-bot service hCaptcha (hereinafter “hCaptcha”) on our website. This service is provided by Intuition Machines, Inc., a US company based in Delaware (“IMI”). hCaptcha is used to check whether the data entered on our website (e.g. on a registration page or contact form) has been entered by a human or an automated program. For this purpose, hCaptcha analyses the behaviour of the visitor to the website or mobile app based on various characteristics. This analysis begins automatically as soon as the visitor to the website or mobile app enters a part of the website or app with hCaptcha activated. For the analysis, hCaptcha evaluates various information (e.g. IP address, duration of the visitor’s stay on the website or app or mouse movements of the user). The data collected during the analysis is forwarded to IMI. The hCaptcha analysis in “invisible mode” can take place entirely in the background. Visitors to the website or app are not made aware that such analysis is taking place if no challenge is displayed to the user. The data processing is based on Art. 6(1)(f) of the DSGVO: The operator of the website or mobile app has a legitimate interest in protecting its website from abusive automated crawling and spam. IMI acts as a “data processor” acting on behalf of its customers within the meaning of the GDPR and as a “service provider” within the meaning of the California Consumer Privacy Act (CCPA). For more information about hCaptcha and IMI’s privacy policy and terms of use, please see the links below: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms.

7. Data deletion

The data processed by us will be deleted in accordance with Art. 17 DSGVO or restricted in its processing in accordance with Art. 18 DSGVO. 

Unless otherwise stipulated in this data protection declaration, the data we process will be deleted as soon as it is no longer required for its intended purpose and the deletion is not contrary to any statutory retention obligations. We review the necessity every six months.

8. Data subject rights

You have the right:

  • in accordance with Art. 15 DSGVO to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 DSGVO to immediately demand the correction of incorrect or completion of your personal data stored by us;
  • pursuant to Art. 17 DSGVO to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 DSGVO, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 DSGVO;
  • pursuant to Art. 20 DSGVO to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller;
  • to complain to a supervisory authority in accordance with Art. 77 DSGVO. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

9. Revocation of consent given

If we process your personal data on the basis of your consent pursuant to Art. 9 para. 2 lit. a or 6 para. 1 lit. a DSGVO, you have the right to revoke any consent granted to us pursuant to Art. 7 para. 3 DSGVO with effect for the future. 

If you wish to exercise your right of withdrawal, you can notify us by e-mail to info@exaas.io. Alternatively, you can also use the contact details mentioned above under point 2.

10. Objection in case of processing based on legitimate interest

If we process your personal data on the basis of our legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation.

If you wish to exercise your right of objection, you can notify us by e-mail to info@exaas.io. Alternatively, you can also use the contact details mentioned above under point 2.

11. Security measures

We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. The security measures include in particular the encrypted transmission of data between your browser and our server.

12. Changes to this privacy policy

We reserve the right to change our privacy policy if this should be necessary due to new technologies or changes in our data processing procedures or in order to adapt it to changes in the legal situation applicable to us. However, this only applies to this privacy policy. If we process your personal data on the basis of your consent or if parts of the data protection declaration contain provisions of the contractual relationship with you, any changes will only be made with your consent.

The current version of our privacy policy can be found at https://exaas.io/privacy-policy.