Privacy policy for website, services and services of exaas
Status: January 2021
1. Introduction
In this privacy policy you will learn,
2. Responsible
This data protection declaration applies to data processing by us as the responsible party pursuant to Article 4 (7) of the General Data Protection Regulation (DSGVO). Our contact details are:
exaas GmbH
Zielstattstr. 19
81379 Munich
Contact:
E-mail: info@exaas.io
Tel.: +49 160 955 024 32
3. Definitions
Unless this Privacy Policy contains or implies a different definition, reference is made to the definitions in Art. 4 GDPR with regard to the terms used.
4. Processing of your personal data
4.1. When you call up our website
When you call up our website, i.e. when you otherwise transmit information to us, we or the host provider acting on our behalf only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:
This data is technically necessary for us to display and provide you with our website. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DSGVO. This data is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of 14 days and then deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident. The hosting service provider we use processes personal data for us on behalf of and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can also request these documents from us using the contact options specified in section 2.
4.2. Evaluation of your usage behavior
We use technology from Matomo (formerly Piwik) to analyze your browsing behavior and to create anonymized usage statistics. Matomo is a service of InnoCraft Ltd, 150 Willis St., 6011 Wellington, New Zealand.
The software sets a cookie on your end device. Cookies are text files that are stored in the internet browser or by the internet browser on your end device. This cookie contains a characteristic string of characters that enables unique identification of the browser when the website is called up again. The following data is stored during your use:
We process this data exclusively with your consent. The legal basis for this is Art. 6 para. 1 p. 1 lit. a DSGVO. The data is deleted as soon as it is no longer required for the analysis purposes. We review the necessity every 6 months.
The service provider we use, Matomo, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in a country for which the European Commission has issued a so-called adequacy decision. This is available at any time at https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32013D0065&from=DE. Alternatively, you can also request these documents from us using the contact details provided in section 2. The legal basis for the transfer is Art. 45 (3) DSGVO.
4.3. Embedded videos from Vimeo
We have integrated videos from the Vimeo platform on our website. Vimeo (Vimeo LLC, 555 West 18th Street New York, NY 10011 USA) is responsible for the operation of the Vimeo platform under data protection law. You can find Vimeo’s privacy policy at: https://vimeo.com/privacy.
In this context, Vimeo processes the following personal data from you to our knowledge:
The integration of videos from Vimeo is done in our interest to present you high quality content directly on our website. Instead of just giving you a link to an interesting video, this allows you to watch the video right here on our site. This extends our service and makes it easier for you to access interesting content. The legal basis for the processing of personal data in connection with the integration of the Vimeo videos and the associated transfer of personal data to Vimeo LLC is Art. 6 para. 1 p. 1 lit. f DSGVO.
Vimeo necessarily obtains knowledge of the above data. Vimeo is a service provided by a provider from the USA. The level of data protection in the USA is judged by the European Commission to be inadequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
As an additional protective measure, the videos from Vimeo are only integrated in the so-called “Do Not Track” variant. This means that personal data is only transmitted to Vimeo in a minimal way.
4.4. When using the chat
We use technology from crisp to operate a live chat system. Therefore, we transfer the following data to crisp (Crisp IM SARL, 2 Boulevard de Launay, 44100 Nantes, France):
We process this data in order to offer you real-time communication with us in our interest. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. We delete this data if it is no longer required for the purpose for which it was collected and there are no legal obligations to the contrary. The deletion regularly takes place within one month after the end of the chat.
Crisp processes your above-mentioned personal data on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.
4.5. Within the framework of contacting us by e-mail
We process e-mails that you send to us and that we send to you using the services of our e-mail provider. In the context of e-mail communication, our e-mail provider processes your personal data (i.e. your e-mail address and the information you provide in the e-mail) on our behalf to enable us to communicate with you by e-mail or, if you are our customer, to process the contract. The processing of your personal data occurs on the basis of Art. 6 para. 1 p.1 lit. f or Art. 6 para. 1 p. 1 lit. b DSGVO. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every twelve months.
4.6. Within the framework of contact by telephone
If you contact us by phone, we need your personal data (e.g. name, telephone number, address or e-mail address) to process your inquiry or request. The processing of your personal data is based on Art. 6 para. 1 p. 1 lit. b DSGVO. We delete this data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.
4.7. Within the scope of contacting us via contact form
If you contact us via contact form or e-mail, we need your personal data (e.g. name, contact details, etc.) to process your inquiry or request. This data processing is necessary to enable us to communicate with you or, if you are our customer, to process the contract. The processing of your personal data is based on Art. 6 para. 1 p. 1 lit. f or Art. 6 para. 1 p. 1 lit. b DSGVO. We delete the data if it is no longer necessary and there are no legal obligations to the contrary. We review the necessity every six months.
4.8. As part of the subscription to our newsletter
With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. Incidentally, our newsletters contain information about our products, promotions and our company.
For the registration to our newsletter we use the so-called double opt-in procedure. This means that after your registration we send you an e-mail to the specified e-mail address, in which we ask you to confirm that you wish to receive the newsletter. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.
Mandatory information for sending the newsletter is only your e-mail address. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO. We store your email address for this purpose until you revoke your consent.
We use technology from Mailjet to send the newsletters and to evaluate your interaction with the newsletter. Therefore, we transfer your data (email address) provided as part of your newsletter subscription to Mailjet (Mailjet SAS, 13-13bis, Rue de l’Aubrac, 75012 Paris, France). Mailjet processes your personal data on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO.
5. When registering on our platform
In addition to the information in section 4, we process your data as part of your registration on our expert platform as shown in this section 5.
5.1. When calling our platform
When you call up our website, i.e. when you otherwise transmit information to us, we or the host provider acting on our behalf only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data:
This data is technically necessary for us to display and provide you with our website. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DSGVO. This data is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of 14 days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until the final clarification of the respective incident. The hosting service provider we use processes personal data for us on behalf of and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.2. Mandatory information for registration on our expert platform
When you register on our platform, you must provide certain information about yourself as mandatory data. We therefore process the following personal data from you:
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. We store your data until you cancel your user account. After that, your data with regard to the user account will be deleted, unless their retention is necessary for commercial or tax reasons in accordance with Art. 6 para. 1 S.1 lit. c DSGVO.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.3. Optional details on our expert platform
In addition to the required mandatory information, you can provide additional information that makes it easier for other users to get to know you better and thus select you as a suitable business contact, for example. We may therefore process personal data that you voluntarily add to your profile, such as
Other users may view, share or link to this data. Certain information about you may be accessible to other users of our platform by default (e.g., your username, profile picture, content added to your profile).
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. The deletion of this data takes place either selectively for certain details when you remove them from our platform or completely when you delete your account on our platform.
To fulfill our contractual obligations, we rely on the services of carefully selected third parties who process the data on our behalf. These are in each case processors with whom we have concluded an agreement in accordance with Art. 28 DSGVO. In addition, we naturally ensure in advance that our processors comply with all data protection requirements so that your data is always secure.
One of the service providers we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.4. When you provide a reference for an expert
When using our platform as a corporate customer, you have the option of providing references for experts registered on our platform and thus evaluating their services. For the submission of such an evaluation, we process the following personal data:
This data processing serves to enrich the profiles of our experts with ratings and thus create added value for both experts and corporate customers. In addition, we reserve the right to check the ratings for legal violations and authenticity.
This data processing only takes place with your consent. The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO. We store your e-mail address for this purpose until you revoke your consent, but for a maximum period of 10 years.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.5. When you communicate with other users of our platform
You have the possibility to get in contact with other users of our platform. In the context of this communication, we generally process all data that you provide in the course of it and transmit it to the message recipient selected by you. These data include in particular
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO. The deletion of this data takes place either selectively for certain information when you remove it from our platform or completely for all data when you delete your account on our platform.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
5.6. Responsibility for personal data of other users of our platform
If you communicate with another user (e.g., an expert) and receive personal data from them (such as name, email address, or other contact details), you are the controller of this personal data and its processing independently of us after we have transmitted it to you. We therefore recommend that you inform your communication partners about your data processing in a data protection declaration and fulfill your obligations under data protection law beyond this.
5.7. In the context of receiving marketing emails
We process certain personal data from you in order to send you regular status emails as well as advertising for our own similar products and services or surveys for the purpose of our own market research. This includes the following personal data from you
This processing is done in our interest in direct marketing and maintaining customer relations. The legal basis for this is Art. 6 para. 1 p. 1 lit. f DSGVO. The deletion of this data takes place either selectively for certain details when you remove them from our platform or completely when you delete your account on our platform.
5.8. Payment processing through Stripe
The execution and thus the collection, processing and storage of electronic payment transaction data is carried out by our payment service provider, Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland (“Stripe”). Through Stripe it is possible to offer various payment methods, such as credit card payments or direct debit.
For each payment transaction, Stripe receives data for the processing of electronic payment transactions, such as the information you provided during the ordering process together with information about your order (name, address, account number, bank routing number, credit card number (if applicable), invoice amount, currency and transaction number). The processing of your data by Stripe is necessary for payment processing and thus for the execution of the contract. The legal basis for this is Art. 6 para. 1 p. 1 lit. b DSGVO. This data will be deleted after expiry of the statutory retention obligations. Stripe processes your personal data on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO.
The service provider we use in this context, Stripe, which processes personal data for us on our behalf and within the scope of our instructions as a so-called order processor pursuant to Art. 28 DSGVO, transmits data to group companies in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
6. When booking or participating in web sessions
You have the option of booking web sessions with registered experts via our platform. The prerequisite for this is that they themselves are registered on the platform. Therefore, the information on data processing provided under 5. applies accordingly. In addition, we process your personal data as shown below.
6.1. When handling the web session
When you book or participate in a web session, we process certain personal data about you. In addition to the data required for the technical provision of our website and listed in section 4.1, this also includes your name. In addition, we may record the web session in order to be able to provide you with the content at a later point in time as well as to prove the proper provision of services.
The processing of your name takes place for the fulfillment of the contract. The legal basis for this is Art. 6 para. 1 p. 1 lit. b DSGVO. The recording of the web session only takes place if all participants have given us their permission to do so. The legal basis for this is Art. 6 para. 1 p. 1 lit. a DSGVO. This data is processed by us at least for the duration of the contractual relationship plus the respective warranty obligation. Subsequently, the data will be deleted if it is no longer required to achieve the stated purpose in accordance with Art. 17 (1) a DSGVO.
6.2. Processing of your data for contract management
If you are or become our customer, we process data from you that may have personal reference in the context of processing your order and fulfilling our contractual obligations. The processed data includes master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., your bank details, payment history). This data is required by us for the fulfillment of the contract. If this includes personal data, the processing is based on Art. 6 (1) lit. b DSGVO. There is no legal or contractual obligation to provide this data.
All data processed for contractual purposes will be processed by us at least for the duration of the contractual relationship plus the respective warranty obligation. Subsequently, the data will be deleted if it is no longer required to achieve the stated purpose pursuant to Art. 17 para. 1 lit. a DSGVO.
6.3. Processing of your data for contact management purposes
We store master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers) and contract data (e.g., services used, contract contents, contractual communication, names of contact persons) of customers, prospective customers, suppliers and other business partners, e.g., for the purpose of contacting them later. This personal data can be stored in a CRM system (“Customer-Relationship-Management System”) or comparable systems for the organization of inquiries. This enables us to efficiently organize the incoming contacts. This processing of your personal data is done on the basis of Art. 6 para. 1 lit. f DSGVO. All data processed in this context will be stored by us at least for the duration of the contractual relationship plus a period of three years.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, in turn has the data processed in the USA. The level of data protection in the USA is assessed by the European Commission as inadequate. The data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
6.4. Processing of your data for accounting purposes
In addition, we process your data, in particular your master contract and payment data, for accounting purposes. On the one hand, this processing takes place on the basis of legal obligations pursuant to Art. 6 para. 1 lit. c DSGVO.
According to legal requirements in Germany, we are also obliged to retain or store certain data, so that we may not delete or destroy them even after the purpose has been achieved; Art. 17 para. 3 lit. b DSGVO. This affects master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history). Thus, the retention or storage in particular of books, records, inventories, annual financial statements, management reports, the opening balance sheet as well as the respective work instructions and other organizational documents required for their comprehension, the received and sent commercial or business letters, the accounting vouchers as well as other documents, insofar as they are of importance for taxation, is prescribed for ten years in accordance with Section 147 (1) AO. This also applies to any personal data of data subjects contained in the aforementioned documents. The legal basis for this retention or storage is Art. 6 Para. 1 lit. c DSGVO.
6.5. Transfer of your data to external consultants and professional secrecy holders and for accounting purposes
In addition, we may transfer your personal data to consultants such as tax advisors, lawyers, auditors or accountants. This is done in our interest in legally compliant operating procedures or for financial accounting. The legal basis for this is Art. 6 para. 1 p. 1 lit. f DSGVO or § 24 para. 1 no. 2 BDSG n.F.
6.6. Use of office programs
In the course of our activities, we use various IT systems and services. When you contact us individually, we process the following data, which may be personally identifiable:
We process this data to simplify our office structures, to enable backups, for internal file sharing and to create a device-independent access option. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f DSGVO. We delete this data after it is no longer necessary for the purpose for which it was collected. We review the necessity every six months.
The service provider we use in this context, which processes personal data for us on our behalf and within the scope of our instructions as a so-called processor pursuant to Art. 28 DSGVO, is located in the USA. The level of data protection in the USA is assessed by the European Commission as not adequate. The transfer of data to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 (2) lit. c DSGVO. The standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. Alternatively, you can request these documents from us using the contact details provided in section 2.
6.7. Use of “hCaptcha”
We use the anti-bot service hCaptcha (hereinafter “hCaptcha”) on our website. This service is provided by Intuition Machines, Inc., a US company based in Delaware (“IMI”). hCaptcha is used to check whether the data entered on our website (e.g. on a registration page or contact form) has been entered by a human or an automated program. For this purpose, hCaptcha analyses the behaviour of the visitor to the website or mobile app based on various characteristics. This analysis begins automatically as soon as the visitor to the website or mobile app enters a part of the website or app with hCaptcha activated. For the analysis, hCaptcha evaluates various information (e.g. IP address, duration of the visitor’s stay on the website or app or mouse movements of the user). The data collected during the analysis is forwarded to IMI. The hCaptcha analysis in “invisible mode” can take place entirely in the background. Visitors to the website or app are not made aware that such analysis is taking place if no challenge is displayed to the user. The data processing is based on Art. 6(1)(f) of the DSGVO: The operator of the website or mobile app has a legitimate interest in protecting its website from abusive automated crawling and spam. IMI acts as a “data processor” acting on behalf of its customers within the meaning of the GDPR and as a “service provider” within the meaning of the California Consumer Privacy Act (CCPA). For more information about hCaptcha and IMI’s privacy policy and terms of use, please see the links below: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms.
7. Data deletion
The data processed by us will be deleted in accordance with Art. 17 DSGVO or restricted in its processing in accordance with Art. 18 DSGVO.
Unless otherwise stipulated in this data protection declaration, the data we process will be deleted as soon as it is no longer required for its intended purpose and the deletion is not contrary to any statutory retention obligations. We review the necessity every six months.
8. Data subject rights
You have the right:
9. Revocation of consent given
If we process your personal data on the basis of your consent pursuant to Art. 9 para. 2 lit. a or 6 para. 1 lit. a DSGVO, you have the right to revoke any consent granted to us pursuant to Art. 7 para. 3 DSGVO with effect for the future.
If you wish to exercise your right of withdrawal, you can notify us by e-mail to info@exaas.io. Alternatively, you can also use the contact details mentioned above under point 2.
10. Objection in case of processing based on legitimate interest
If we process your personal data on the basis of our legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation.
If you wish to exercise your right of objection, you can notify us by e-mail to info@exaas.io. Alternatively, you can also use the contact details mentioned above under point 2.
11. Security measures
We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. The security measures include in particular the encrypted transmission of data between your browser and our server.
12. Changes to this privacy policy
We reserve the right to change our privacy policy if this should be necessary due to new technologies or changes in our data processing procedures or in order to adapt it to changes in the legal situation applicable to us. However, this only applies to this privacy policy. If we process your personal data on the basis of your consent or if parts of the data protection declaration contain provisions of the contractual relationship with you, any changes will only be made with your consent.
The current version of our privacy policy can be found at https://exaas.io/privacy-policy.