Data Privacy

Responsible

Company:

Evolution Codes OHG

Address:

Hauptstraße 4
93352 Rohr i. NB (Germany)

HRA:

10202

Managing Directors:

Sascha Klein, Daniel Klein

Email address:

Contact person for data protection

Name:

Sascha Klein

For all questions regarding the collection, processing or use of your personal data as well as information, corrections, blocking or deletion of your personal data and revocation of consent to the collection, processing or use of your personal data, please contact the above-mentioned contact person for data protection.

Status:

April 2023

  1. Basic information on data processing and legal basis

    1. This privacy policy informs you about the type, scope and purpose of the processing of personal data within our website and beyond in the case of a contact or a contractual relationship with us, unless otherwise contractually agreed. This privacy policy is applicable regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the website is executed.

    2. For a description of the terms used, such as “personal data” or “processing” of personal data, we would like to refer to the definitions in article 4 of the General Data Protection Regulation (GDPR).

    3. The term “user” describes all categories of data subjects affected by data processing and is to be understood as gender-neutral. The categories include business partners, customers, interested people, and other visitors of our website.

    4. The term “customer” describes all categories of data subjects who have a contractual relationship with us and who are affected by the data processing. The term is to be understood as gender-neutral. The categories include business partners & customers.

    5. The following personal data of the users are processed in the context of the use of our website:

      1. Name (first and / or last name), when using the contact form.

      2. Telephone number, when using the contact form and on condition of prior optional input.

      3. Email address, when using the contact form.

      4. If applicable, personal data entered voluntarily and without prior request in the free text field (“Your request”) of the contact form.

      5. IP address (anonymized) – for analysis purposes – when using our website.

    6. Further information on the processing of the above-mentioned personal data can be found in this privacy policy in the sections “5. Contacting” and “8. Matomo”.

    7. Data of users and customers will only be processed if a legal permission exists and therefore always in compliance with the applicable data protection regulations. This means that we will only process your personal data if one or more of the conditions described below are given:

      1. The data processing is necessary for the provision of our contractual services (e.g. processing of orders) or for the online services of the website.

      2. The processing of data is required by law.

      3. Consent for data processing has been given by you as a user of our website or by you as a customer with a contractual relationship with us.

      4. There are legitimate interests on our part (interests in the analysis, optimization and economic operation as well as the security of our website and our business operation within the meaning of article 6 paragraph 1 letter f. GDPR).

    8. In the following, we provide you an overview of the legal basis for the conditions – mentioned under point 1.5 – for the permissions to process personal data:

      1. Legal basis for the processing for the fulfillment of our services and the performance of contractual obligations: Article 6 paragraph 1 letter b. GDPR

      2. Legal basis for processing for the fulfillment of our legal obligations: Article 6 paragraph 1 letter c. GDPR

      3. Legal basis for consent to the processing: Article 6 paragraph 1 letter a. and article 7 GDPR

      4. Legal basis for processing to protect our legitimate interests: Article 6 paragraph 1 letter f. GDPR

  2. Security measures

    1. We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the regulations of the data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

    2. The security measures include in particular the encrypted transmission of your data between your browser and our server. The encryption method “Secure Sockets Layer (SSL)” is used for this. We also protect your data by setting appropriate access restrictions to our servers.

  3. Sharing your data with third parties and third-party providers

    1. We only share personal data of our users and customers with third parties if the transfer is permitted by law. I.e. a transfer of data to third parties only takes place if, for example, this is necessary for contractual purposes – based on article 6 paragraph 1 letter b. GDPR – or on the basis of legitimate interests on our part in the economic and effective operation of our business – according to article 6 paragraph 1 letter f. GDPR.

    2. Insofar we use subcontractors for the provision of our services, we take legal measures as well as technical and organizational measures to ensure the protection of the personal data of users and customers in accordance with the statutory provisions.

    3. If our website uses content, tools or other methods from other providers (hereinafter referred to as ” third-party providers”) whose registered office is located in a third country, it must be assumed that your personal data will be transferred to this third country. A “Third Country” is understood to be a country in which the GDPR is not directly applicable law. Particularly, these are countries outside the European Union or outside the European Economic Area. The transfer of your data to such a third country will only take place if either an adequate level of data protection, a consent by you or otherwise a legal permission exists.

  4. Provision of contractual services

    1. Insofar as a contractual relationship with you is established and you become our customer, we process your data (e.g. name and addresses as well as contact data) and contractual data (e.g. services used, name of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to article 6 paragraph 1 letter b. GDPR.

    2. Contact data communicated to us by the customer (e.g. company name, first and last name as well as email address & telephone number of a contact person, address) as well as business email traffic, within the scope of the services “Azure” & “Microsoft 365”, are stored on the servers of Microsoft Corporation (hereinafter referred to as “Microsoft”).

      This also applies to personal data which are part of orders, contracts, notes or similar documents, as we also use Azure or Microsoft 365 to centrally store documents and share them internally.

      Despite Microsoft’s headquarters in the USA, the personal data we process are always stored on servers located in Germany or inside the European Union / inside the European Economic Area.

      To additionally ensure the secure handling of this data, we have concluded a data processing agreement with Microsoft. This contract regulates that Microsoft only processes the data within the scope of our order and not beyond.

    3. Furthermore, the contact data communicated to us by the customer (e.g. company name, first and last name as well as email address & telephone number of a contact person, address) as well as business email traffic may be stored on servers of Amazon.com Inc. or Amazon Web Services, Inc. (hereinafter referred to as “AWS”) as part of the “AWS” service.

      This also applies to personal data which are part of orders, contracts, notes or similar documents, as we also use AWS to centrally store documents and to share documents internally.

      Despite AWS being headquartered in the USA, the personal data we process are always stored on servers located in Germany or inside the European Union / inside the European Economic Area.

      To additionally ensure the secure handling of this data, we have concluded a data processing agreement with AWS. This contract regulates that AWS only processes the data within the scope of our order and not beyond.

    4. For the time-related billing of our customer projects, our employees record their working hours in a time recording system. For this, we use Harvest, which is provided by the manufacturer Iridesco LLC a/b/a Harvest (hereinafter referred to as “Iridesco”).

      To be able to allocate the recorded times to the correct customer in the context of billing, we store the company names of our customers in Harvest. The processing of this data takes place on the systems of Iridesco. Iridesco is headquartered in the USA and the storage of the company names we process (which may be classified as personal data) therefore takes place in the USA.

      To ensure the secure handling of this data, we have concluded a data processing agreement with Iridesco. This contract regulates that Iridesco only processes the data within the scope of our order and not beyond.

    5. We perform invoicing of our customers with the help of the web service “sevDesk” of SEVENIT GmbH (hereinafter referred to as “SEVENIT” or “sevDesk”). Therefore, we store the data of our customer at sevDesk. SEVENIT is a company headquartered in Germany and thus in the European Union or the European Economic Area. Therefore, the GDPR is also directly applicable law for SEVENIT.

      At sevDesk, we store the company name, the first and last name of the contact person given to us by the customer, the address of the company, contact data (telephone, fax, email) of the company or of the contact person given to us by the customer. This data is used exclusively for the purpose of invoicing and for sending the invoice by email or by post and is stored in Germany or the European Union / European Economic Area.

      To ensure the secure handling of this data, we have concluded a data processing agreement with SEVENIT. This contract regulates that SEVENIT only processes the data within the scope of our order and not beyond.

    6. We perform our accounting with the help of DATEV eG (hereinafter referred to as “DATEV”). Therefore, we store the data of our customer at DATEV. DATEV is a company headquartered in Germany and therefore in the European Union or the European Economic Area. This means that the GDPR is also directly applicable law for DATEV.

      At DATEV, we store the company name, the first and last name of a contact person given to us by the customer, the address of the company, contact data (telephone, fax, email) of the company or of the contact person given to us by the customer. This data is used exclusively for the purpose of invoicing, accounting and stored in Germany or the European Union / the European Economic Area.

      To ensure the secure handling of this data, we have concluded a data processing agreement with DATEV. This contract regulates that DATEV only processes the data within the scope of our order and not beyond.

    7. In the case of providing domains and SSL certificates, we transfer personal customer data to InterNetX GmbH (hereinafter referred to as “InterNetX”) and store them there. In detail, this includes customer master data (name, first name, address, date of birth), communication data (mail address, telephone number), contract master data (e.g. product, interest), customer history and logs (e.g. about orders), configuration data and stored user IDs. InterNetX is a company headquartered in Germany and therefore in the European Union or the European Economic Area. This means that the GDPR is also directly applicable law for InterNetX.

      To ensure the secure handling of this data, we have concluded a data processing agreement with InterNetX. This contract regulates that InterNetX will only process the data within the scope of our order and not beyond. The data is stored in Germany or the European Union / the European Economic Area.

    8. In the context of software versioning, we partly store our source codes on servers of GitHub Inc (hereinafter referred to as “GitHub”). If users or customers are granted access to our source codes on GitHub, this also involves the processing of personal data (in particular contact data such as first name and last name, email address and, if applicable, address) by GitHub. In this case, the data subject usually registers himself or herself at GitHub, so that the data processing no longer takes place in the context of a subcontracting relationship between Evolution Codes OHG and GitHub.

      In individual cases, it may occur that personal data is stored in source codes and is therefore also stored on GitHub’s servers as part of the storage of these source codes. The storage of personal data within the source code in this way is, in general, not advised.

      As GitHub is headquartered in the USA and stores the data there, data of the user or the customer are transferred to a third country which is not located in the European Union or the European Economic Area.

      To ensure the secure handling of this data, we have concluded a data processing agreement with GitHub. This contract regulates that GitHub only processes the data within the scope of our order and not beyond.

    9. To be able to manage projects and project tasks (plan, organize, administer), we use the project management system Jira, within a cloud of Atlassian Pty Ltd (hereinafter referred to as “Atlassian”). If users or customers are granted access to the project management system, this also involves the processing of personal data ( particularly contact data such as first name and last name, mail address and, if applicable, address and, if necessary, a profile picture).

      Despite Atlassian’s headquarters in Canada, the personal data processed by us are always stored on servers located in Germany or inside the European Union / inside the European Economic Area.

      To ensure the secure handling of this data in addition, we have concluded a data processing agreement with Atlassian. This contract regulates that Atlassian only processes the data within the scope of our order and not beyond.

    10. For the automated sending of emails (e.g. newsletters) we use Mailtrap, a web tool from Railsware Products Studio, LLC. (hereinafter referred to as “Railsware”). If users or customers are granted access to Mailtrap, personal data are also processed. Furthermore, a processing of personal data of the persons affected, who receive the automated emails, takes place. The personal data processed by Railsware may include the mail address, the telephone number, the last and first name, the company name, the bank details, the postal / billing address and the IP address. Furthermore, Railsware may process (e.g. in the context of tracking statistics of sent mails) data containing the client ID of the used web browser, the browser type and also geographical locations.

      Since Railsware is headquartered in the USA and stores the data there, user or customer data are transferred to a third country that is not located in the European Union or the European Economic Area.

      To ensure the secure handling of this data, we have concluded a data processing agreement with Railsware. This contract regulates that Railsware only processes the data within the scope of our order and not beyond.

    11. Login data (user name and password) provided by the customer may be stored digitally. This data may also contain personal data – e.g. the name of a customer, which is used as a user name or to which the stored data is assigned during storage.

      We use 1Password for the storage. This is a service provided by AgileBits Inc (hereinafter referred to as “1Password” or “AgileBits”). Despite AgileBits being headquartered in Canada, the personal data we process are always stored on servers inside the European Union. Personal data are therefore not processed in a third country.

  5. Contacting

    1. When contacting us (via contact form, email or telephone), we process the information provided by the user or customer exclusively for the purpose of processing the contact request and its processing according to article 6 paragraph 1 letter b. GDPR.

    2. The user’s or customer’s data are stored on the email server of our mail provider Microsoft Corporation (hereinafter referred to as “Microsoft”) when a contact request is made via contact form or email.

      Despite Microsoft’s headquarters in the USA, the personal data processed by us are always stored on servers located in Germany or in the European Union / in the European Economic Area.

      To ensure the secure handling of this data, we have concluded a data processing agreement with Microsoft. This contract regulates that Microsoft only processes the data within the scope of our order and not beyond.

    3. We also use the “Spark” or “Spark Teams” service of Readdle GmbH (hereinafter referred to as “Readdle”). This service enables us to organize emails and their processing efficiently and to share and jointly process emails between internal employees. In the context of this, emails are also stored on Readdle’s servers. I.e. the information and therefore personal data of the user or customer can also be stored in a third country.

      Readdle is headquartered in Germany and therefore in the European Union and the European Economic Area, so the GDPR is also directly applicable law for Readdle. Additionally, to ensure the secure handling of this data, we have concluded a data processing agreement with Readdle (as part of the Terms of Use). This contract regulates that Readdle only processes the data within the scope of our order and not beyond.

    4. The storage takes place only as long as it is necessary according to the purpose. I.e., insofar as a business relationship with us arises from the contact request, the customer’s details will be stored in our email inbox on the Microsoft server for 6 years from the end of the year in which they were received – according to legal requirements for the storage of business correspondence. If no business relationship arises from the contact request, the user’s details will be deleted from the Microsoft server after just 14 days.

  6. Collection of access data and log files

    1. Based on our legitimate interests – in the context of article 6 paragraph 1 letter f. GDPR – we collect data about every access to the server on which our website and possibly other of our online services are located. This data are stored in so-called “server log files”. The access data include the IP address of the user, the date and time of the page call, the URL called up and the user agent (browser).

    2. The above-mentioned data in the server log files are collected for security reasons – e.g. to investigate acts of abuse or fraud. The data are stored for a period of 30 days and are then deleted. Data that must be retained for evidentiary purposes are excluded from deletion until final clarification of the incident.

    3. The data are stored on servers of DigitalOcean Inc. (hereinafter referred to as “DigitalOcean”), Amazon.com Inc. / Amazon Web Services Inc. (hereinafter referred to as “AWS”) or Microsoft Corporation (hereinafter referred to as “Microsoft”).

      DigitalOcean is headquartered in a third country (USA), but the personal data are stored on servers in Germany. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with DigitalOcean. This regulates that DigitalOcean will only process the data within the scope of our contract and not beyond.

      AWS is headquartered in a third country (USA), but the personal data are stored on servers in Germany or in the European Union / European Economic Area. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with AWS (within the scope of the Terms of Use). This regulates that AWS will only process the data within the scope of our order and not beyond.

      Microsoft is headquartered in a third country (USA), but the personal data are stored on servers in Germany or in the European Union / European Economic Area. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with Microsoft. This contract regulates that Microsoft only processes the data within the scope of our contract and not beyond.

  7. Cookies & web analysis

    1. Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ web browsers, where they are stored for later retrieval. Cookies may be small files or other types of information storage.

    2. Cookies are stored in the user’s web browser by our web server or third-party web servers for the following cases:

      1. As soon as the user visits our website for the first time, he receives a notice that this website uses cookies. Insofar as he confirms or rejects this notice – and the storage of the cookies – our web server stores a cookie in the user’s web browser, which has the effect that this notice is not displayed again when visiting our website again.

      2. As soon as the user visits our website, he receives a so-called “cookie layer”. If the user confirms this, cookies are set for analysis purposes (using Matomo). For more information about the Matomo web analytics service, please refer to chapter “8. Matomo” of this privacy policy.

    3. If you do not want cookies to be stored in your web browser, please disable the corresponding options in the system settings of your web browser. Stored cookies can also be deleted in the system settings of the web browser. Please note that the exclusion of cookies may lead to functional restrictions on our website.

  8. Matomo

    1. On our website we use Matomo, a web analytics service. The use is based on our legitimate interests, i.e. interest in the analysis, optimization and economic operation of our website according to article 6 paragraph 1 letter f. GDPR. Cookies are used for Matomo to work. These cookies are only set in the browser, respectively, processing by Matomo only takes place if the user consents to this – by confirmation via the so-called “cookie layer” or by activating the corresponding checkbox in our electronic privacy policy.

    2. The information about the user’s use of the website generated by these cookies are stored on the servers of DigitalOcean Inc. (hereinafter referred to as “DigitalOcean”), Amazon.com Inc. / Amazon Web Services Inc. (hereinafter referred to as “AWS”) or Microsoft Corporation (hereinafter referred to as “Microsoft”).

      DigitalOcean is headquartered in a third country (USA), but the personal data are stored on servers in Germany. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with DigitalOcean. This regulates that DigitalOcean will only process the data within the scope of our contract and not beyond.

      AWS is headquartered in a third country (USA), but the personal data are stored on servers in Germany or in the European Union / European Economic Area. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with AWS (within the scope of the Terms of Use). This regulates that AWS will only process the data within the scope of our order and not beyond.

      Microsoft is headquartered in a third country (USA), but the personal data are stored on servers in Germany or in the European Union / European Economic Area. A transfer of data to a third country (USA) therefore does not take place and the user’s data remain in the European Economic Area. Nevertheless – to ensure the secure handling of this user data – we have concluded a data processing agreement with Microsoft. This contract regulates that Microsoft only processes the data within the scope of our contract and not beyond.

    3. In particularly, data is transferred that is used to analyze usage behavior, the device used (desktop or mobile), the approximate geographic location, and the entry and exit pages. In addition, the IP address – anonymized – is transferred.

    4. The users of our website can prevent the processing of their data within the framework of the Matomo web analysis service by deactivating the following checkbox or by rejecting the use of Matomo in the so-called “cookie layer” displayed.

      [wp-piwik module=”opt-out” language=”en”]

      It should be noted that the setting of cookies by our web server must generally be permitted in the user’s web browser for the opt-out to be effective. This means that when the above checkbox is used, a cookie is stored by our web server in the user’s web browser. This cookie has the effect that the user’s data is not used within the framework of Matomo.

      Generally, users can prevent the storage of cookies and therefore the transfer of data within the scope of web analysis using Matomo by making the appropriate settings in their web browsers.

  9. Rights of users & customers

    1. Users and customers have the right to obtain information about the personal data that we store about them. This information is provided free of charge at the request of the user or customer.

    2. Furthermore, the users and customers have the right to correct any incorrect data that we have stored about these users and customers.

    3. Users and customers also have the right to restriction of processing and deletion of their personal data. Where applicable, users and customers may exercise their right to data portability.

    4. In the case of the assumption of unlawful processing of their personal data, users and customers have the right to file a complaint with the relevant regulatory institution.

    5. Users and customers can also revoke their consent, in principle with effect for the future.

  10. Deletion of data

    1. The data stored by us will be deleted by us as soon as they are no longer required for their intended purpose, insofar as the deletion does not conflict with any legal retention requirements. If the data are still required for other and legally permissible purposes and are not deleted, their processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This applies, for example, to customer data that must be retained for reasons of commercial or tax law.

    2. The data is stored according to legal requirements for 6 years according to § 257 paragraph 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting records, etc.) and for 10 years according to § 147 paragraph 1 AO (books, records, management reports, accounting records, commercial and business letters, documents relevant for taxation, etc.).

  11. Right of objection

    1. According to legal requirements, users and customers can object to the future processing of their personal data at any time. Please address the objection to our contact person for data protection – named at the beginning of this privacy policy.

  12. Changes to the privacy policy

    1. We reserve the right to change this privacy policy in case of changes in the legal situation or changes in the service and the processing of personal data. This only applies, in relation to the declarations on data processing. Insofar as user or customer consents are required for an adjusted privacy policy or components of the privacy policies contain regulations of the contractual relationship with the customers, the changes will only be made with the consent of the users or customers.

    2. Users and customers are requested to inform themselves regularly about the content of the privacy policy.