Privacy Policy – Website

Effective date: March 30, 2020

In this Privacy Policy, we inform you about which personal data we collect in the context of your use of scanbot.io and for which purposes your data is used.

You can access this Privacy Policy at any time under https://scanbot.io/en/privacy.html#web.

1. Controller/contact

The controller within the meaning of the data protection laws is:

doo GmbH
Joseph-Schumpeter-Allee 25
53227 Bonn
Germany

If you have any questions or suggestions concerning data protection, please email us at legal@scanbot.io.

2. Subject matter of data protection

The subject matter of data protection is personal data. Under Article 4(1) GDPR, this means any information relating to an identified or identifiable natural person; this comprises, for example, names or identification numbers.

3. Collection and use of your data

3.1. Automated data collection

When you access our website, your device will automatically transmit data for technical reasons. These data will be stored separately from other data that you may transmit to us:

- date and time of the access,
- browser type/version,
- operating system used,
- URL of the previously visited website,
- IP address (truncated by one octet)

This data is stored exclusively for technical reasons and will never be assigned to any specific person.

3.2. Support requests
If you contact our support, we will collect and store the personal data transmitted by you for the purpose of processing your request. You are not obligated to provide personal data in your request, and you may contact us with a pseudonym at any time.

We will store your support requests for a period of 120 days from completion of your request, in order to ensure that your request has been successfully processed, and to enable us to understand which problems may have occurred in the past in the event of subsequent requests that may help with solving your request.

We collect and process your data in order to answer your support request and in order to ensure defect-free operation of our product for you, Article 6(1) point (b) GDPR. If you contact us independently of a specific support request or a technical issue, we will collect and process your personal data based on our legitimate interest in being able to answer email queries and due to the fact that your interests are not overriding, Article 6(1) point (f) GDPR.

4. Newsletter

We offer a free newsletter. The newsletter will inform you about our company and the development of our products, as well as about subjects connected to our products and services.

In order to receive our newsletter, please enter your email address under the following link: https://scanbot.io/. After your registration, we will send you an email that you can use to confirm your registration. You will receive the newsletter only if you have confirmed your registration.

You can unsubscribe from the newsletter at any time. Every newsletter contains information on how to unsubscribe from the newsletter with effect for the future.

In such a case, the collection and processing of your personal data takes place in order to enable us to offer you the newsletter as ordered by you, Article 6(1) point (b) GDPR.

5. Cookies

We store so-called “cookies” in order to offer you all features of our website, and to make the use of our websites more convenient. Cookies are small files that are stored on your computer using your internet browser. If you do not want cookies to be used, you can prevent storage of cookies on your device by making the corresponding settings in your internet browser. Please note that the scope of features of our website may be restricted due to this.

We specifically use the following cookies:

- a cookie from Google Adwords (doubleclick.net) to measure success of Adwords ads;
- two cookies from Google Analytics for statistical evaluation of the use of the website and for improvement of our offer;
- a cookie to record whether you have already confirmed the cookie notice with OK;
- a cookie to determine whether the non-standard fonts that are used on the website have been loaded.

These cookies cannot identify you as a person. In any case, use of cookies is justified based on our legitimate interest in demand-oriented design, as well as statistical evaluation of our website, and the fact that your legitimate interests are not overriding, Article 6(1) point (f) GDPR.


6. Google Analytics

We use “Google Analytics”, a web analysis service of Google LLC (“Google”). Google Analytics uses so-called “cookies”, i.e. text files that are stored on your end device, and that permit analysis of your use of the website. The information regarding your use of the website (including your abbreviated IP address) is transferred to and stored on servers of Google in the United States of America. Google will use this information to evaluate your use of the website, in order to compile reports on the website activities for the website operators, and to provide further services connected to the use of our website and the internet. Google will also transfer this information to third parties if this is required by law or to the extent that third parties process these data on behalf of Google.

For more information on how Google uses your data, see Google’s Privacy Policy: https://www.google.com/policies/privacy/.

The data stored at Google Analytics are stored for a period of fourteen (14) months. After the end of this time, Google Analytics will only store aggregated statistics.

You can deactivate Google Analytics with a browser add-on if you do not accept website analysis. You can download such an add-on here: http://tools.google.com/dlpage/gaoptout?hl=de.

You can also deactivate recording by Google Analytics by clicking here.

Google Analytics is used based on our legitimate interest in demand-oriented design, statistical evaluation and efficient marketing of our website, and the fact that your legitimate interests are not overriding, Article 6(1) point (f) GDPR.

7. Close.com

If you contact the Scanbot SDK B2B Sales Team, we will use the software Close.com, a service of Elastic Inc, in order to store and process your request. We use Close.com as a data processor. We store and process your request in order to work on it and to help you answer your question (Article 6(1) point (b) GDPR).

If you give your consent, we will also store your data in order to provide you with further information on Scanbot and the Scanbot SDK at a later time, and to contact you by email or phone if necessary. You may withdraw your consent at any time. Your data will remain stored until you withdraw your data. In such a case, we will store and process your data based on your consent (point (a) of Article 6(1) GDPR).

8. Transfer of data

In principle, your personal data will only be passed on without your explicit prior consent in the following cases:

8.1. If necessary, to investigate illegal use of our services, or for prosecution, personal data will be passed on to the law-enforcement authorities and potentially to harmed third parties. However, this will only be the case if there are any specific indications of illegal or abusive behavior. Data may also be passed on if this serves to enforce terms and conditions of use or other agreements. We are also legally required to provide information to certain public bodies on request. These are law-enforcement authorities, public authorities that pursue administrative offences subject to fines and the tax authorities.

These data are passed on based on our legitimate interest in fighting abuse, prosecuting criminal offences and the securing, assertion and enforcement of claims and that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR or based on a legal obligation in accordance with Article 6(1) point (c) GDPR.

8.2. We depend on contractually bound third-party companies and external service providers for rendering our services (“Data Processors”). In such cases, personal data will be passed on to such Data Processors in order to permit further processing by them. We select our Data Processors with care and review them at regular intervals to ensure that your rights and freedoms are respected. The Data Processors must only use the data for the purposes specified by us, and are furthermore contractually obligated by us to treat your data only in accordance with this Privacy Policy, and the applicable data protection laws.

In detail, we use the following Data Processors:

- Zendesk, Inc. (support requests)
- Google LLC (Google Analytics, Google AdWords, reCaptcha v3)
- The Rocket Science Group (Mailchimp; newsletter dispatch)
- Slack Technologies, Inc. (internal communication tool or for explicit external requests)
- Leadfeeder (Sales)

Data is passed on to Processors based on Article 28(1) GDPR, alternatively based on our legitimate interest in economic and technical advantages connected to the use of specialized processors, and the fact that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR.

8.3. We also process your data in states outside of the European Economic Area (“EEA”).

For the USA, the European Commission resolved by its decision dated 12 July 2016 that there is an adequate level of data protection under the provisions of the EU-U.S. Privacy Shield (adequacy decision, Article 45 GDPR). We use the following service providers that are certified under the EU-U.S. Privacy Shield:

- Google LLC
- Zendesk, Inc.
- The Rocket Science Group
- Slack Technologies, Inc.
- Close.com (B2B queries)

8.4. Within the scope of further development of our business, the structure of doo GmbH may be changed by amending the legal form or by founding, purchasing, or selling subsidiaries, company parts or components. In such transactions, the customer information will be passed on together with the part of the company to be transferred. Every time personal data are transferred to third parties in the scope described above, we will ensure that this is effected in compliance with this Privacy Policy and the relevant data protection laws.

Any passing on of the personal data is justified by our legitimate interest in adjusting our corporate form to the economic and legal conditions if required and by the fact that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR.

9. Change of purposes

Processing of your personal data for any other purposes than those described shall only take place to the extent that this is permitted by law, or if you have consented to the changed purpose of the processing activities. In case of further processing for other purposes than those for which the data was initially collected, we will inform you about such other purposes before further processing, and provide you with all other information relevant for such.

10. Erasure of your data

We erase or anonymise your personal data as soon as we no longer need them for the purposes for which we have collected or used them according to the above items. As a rule, we store your personal data for the duration of the usage or contractual relationship concerning the website, plus a period of sixty (60) days in which we keep backup copies after erasure. In particular, we will erase your data after the periods described below in the following cases:

- Support requests to Zendesk: 120 days.
- Google Analytics: 14 months.

After the end of these periods, the data will be deleted, except if the data is needed for a longer period due to statutory archiving periods, for criminal prosecution or to secure, assert or enforce legal claims. In such a case, the data will be blocked and is no longer available for further use.

11. Automated individual decision-making or measures for profiling

We do not use any automated processing processes to procure a decision, including profiling.

12. Your rights as data subject

12.1. Right of access
Upon request, you have the right to obtain from us at any time access to information on the personal data concerning you that are processed by us within the scope of Article 15 GDPR. For this purpose, you can send your request to the above address by mail or email.

12.2. Right to rectification of inaccurate data
You have the right to obtain from us without undue delay the rectification of the personal data concerning you if they are inaccurate. For this purpose, please contact the addresses named above.

12.3. Right to erasure
You have the right to obtain from us the erasure of the personal data concerning you under the prerequisites described in Article 17 GDPR. These prerequisites specifically stipulate an erasure right if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, and in cases of unlawful processing, upon objection or where there is an erasure obligation under European law or the law of the member state to which we are subject. In order to assert your above right, please contact the above addresses.

12.4. Right to restriction of processing
You have the right to request restriction of processing as contemplated by Article 18 GDPR. This right applies in particular when the accuracy of the personal data is disputed between the user and us, for the duration required to verify the accuracy, and if the user demands restricted processing instead of erasure if there is a right to erasure; furthermore, this right shall apply if the data is no longer required for the purposes pursued by us, but the user still needs them to establish, exercise or defend legal claims as well as if the successful exercise of the right to object is still disputed between us and the user. In order to assert your above right, please contact the above addresses.

12.5. Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format as contemplated by Article 20 GDPR. In order to assert your above right, please contact the above addresses.

12.6. Right to object
You have the right to object on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based, inter alia, on points (e) or (f) of Article 6(1) GDPR, as contemplated by Article 21 GDPR. We shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

12.7. Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority is:

North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information
(Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen)
Kavalleriestr 2-4
40213 Düsseldorf
Germany
Phone: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de

Privacy Policy – App

Effective date: January 16, 2019

In this Privacy Policy, we inform you about which personal data we collect in the context of your use of the Scanbot App for iOS and Android, and for which purposes your data is used.

You can access this Privacy Policy at any time under https://scanbot.io/en/privacy.html#app.

1. Controller/contact

The controller within the meaning of the data protection laws is:

doo GmbH
Joseph-Schumpeter-Allee 25
53227 Bonn
Germany

If you have any questions or suggestions concerning data protection, please email us at legal@scanbot.io.

2. Subject matter of data protection

The subject matter of data protection is personal data. Under Article 4(1) GDPR, this means any information relating to an identified or identifiable natural person; this comprises, for example, names or identification numbers.

3. Support requests

If you contact our support, we will collect and store the personal data transmitted by you for the purpose of processing your request. You are not obligated to provide personal data in your request, and you may contact us with a pseudonym at any time.

We will store your support requests for a period of 120 days from completion of your request, in order to ensure that your request has been successfully processed, and to enable us to understand which problems may have occurred in the past in the event of subsequent requests to help us with solving your request.

If you email us with a support request from our app, your email will contain some technical information concerning your device and your Scanbot app that will assist us in helping you with technical issues. You may delete this information from your email if you do not want it to be transmitted to us. However, please note that we may then be unable to help you with technical issues.

We collect and process your data in order to answer your support request and in order to ensure defect-free operation of our product for you, Article 6(1) point (b) GDPR. If you contact us independently of a specific support request or a technical issue, we will collect and process your personal data based on our legitimate interest in being able to answer email queries and due to the fact that your interests are not overriding, point (f) of Article 6(1) GDPR.

4. Newsletter

We offer a free newsletter. The newsletter will inform you about our company and the development of our products, as well as about subjects connected to our products and services.

In order to receive our newsletter, please enter your email address in “Settings”, under “Receive the newsletter”. After your registration, we will send you an email that you can use to confirm your registration. You will receive the newsletter only if you have confirmed your registration.

You can unsubscribe from the newsletter at any time. Every newsletter contains information on how to unsubscribe from the newsletter with effect for the future.

In such a case, the collection and processing of your personal data takes place in order to enable us to offer you the newsletter as ordered by you, Article 6(1) point (b) GDPR.

5. Google Analytics

We use “Google Analytics”, a web analysis service of Google LLC (“Google”). Google Analytics enables us to analyze your use of our app. For this purpose, Google collects information on your use of the app (including your abbreviated IP address). This information will be transferred to and stored on servers of Google in the United States of America. Google will use this information to evaluate your use of the app, in order to compile reports on the activities within the app for us, and to provide further services connected to the use of our app and the internet. Google will also transfer this information to third parties if this is required by law or to the extent that third parties process these data on behalf of Google.

For more information on how Google uses your data, see Google’s Privacy Policy: https://www.google.com/policies/privacy/.

The data stored at Google Analytics are stored for a period of fourteen (14) months. After the end of this time, Google Analytics will only store aggregated statistics.

You can deactivate Google Analytics for Scanbot for iOS by turning off the switch “Analytics” in the area “iOS > Settings > Scanbot”.

You can deactivate Google Analytics for Scanbot for Android by turning off the switch “Analytics” in the area “Scanbot > Settings > Advanced settings”.

Google Analytics is used based on our legitimate interest in demand-oriented design, statistical evaluation and efficient marketing of our app, and the fact that your legitimate interests are not overriding, Article 6(1) point (f) GDPR.

6. Crashlytics

We use Crashlytics, a service of Google LLC. Crashlytics transmits certain technical information to us concerning your device and your app installation if your app crashes. We use this data only in order to determine the reason for the crash and to remove errors in our app. This data is usually not personal data.

Crashlytics is used based on our legitimate interest in recognizing errors in our app, examining them and remedying them, and to thus be able to offer our app in its contractually stipulated form, and the fact that your legitimate interests are not overriding, Article 6(1) point (f) GDPR.

7. Firebase Analytics

We collect pseudonymised usage statistics concerning your use of our app using Google Firebase, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. General, non-personal statistics are collected based on your iOS IDFA or your Android advertising ID, on how and by which user groups our app is used.

You can deactivate Firebase Analytics for Scanbot for iOS by turning off the switch “Analytics” in the area “iOS > Settings > Scanbot”.

You can deactivate Firebase Analytics for Scanbot for Android by turning off the switch “Analytics” in the area “Scanbot > Settings > Advanced settings”.

Firebase Analytics is used based on our legitimate interest in demand-oriented design, statistical evaluation and efficient marketing of our app, and the fact that your legitimate interests are not overriding, Article 6(1) point (f) GDPR.

8. Transfer of data

In principle, your personal data will only be passed on without your explicit prior consent in the following cases:

8.1. If necessary, to investigate illegal use of our services, or for prosecution, personal data will be passed on to the law-enforcement authorities and potentially to harmed third parties. However, this will only be the case if there are any specific indications of illegal or abusive behavior. Data may also be passed on if this serves to enforce terms and conditions of use or other agreements. We are also legally required to provide information to certain public bodies on request. These are law-enforcement authorities, public authorities that pursue administrative offences subject to fines and the tax authorities.

These data are passed on based on our legitimate interest in fighting abuse, prosecuting criminal offences and the securing, assertion and enforcement of claims and that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR or based on a legal obligation in accordance with Article 6(1) point (c) GDPR.

8.2. We depend on contractually bound third-party companies and external service providers for rendering our services (“Data Processors”). In such cases, personal data will be passed on to such Data Processors in order to permit further processing by them. We select our Data Processors with care and review them at regular intervals to ensure that your rights and freedoms are respected. The Data Processors must only use the data for the purposes specified by us, and are furthermore contractually obligated by us to treat your data only in accordance with this Privacy Policy, and the applicable data protection laws.

In detail, we use the following Data Processors:

- Zendesk, Inc. (support requests)
- Google LLC (Crashlytics, Google Analytics, Firebase)
- The Rocket Science Group (Mailchimp, email dispatch)

Data is passed on to Processors based on Article 28(1) GDPR, alternatively based on our legitimate interest in economic and technical advantages connected to the use of specialized processors, and the fact that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR.

8.3. We also process your data in states outside of the European Economic Area (“EEA”).

For the USA, the European Commission resolved by its decision dated 12 July 2016 that there is an adequate level of data protection under the provisions of the EU-U.S. Privacy Shield (adequacy decision, Article 45 GDPR). We use the following service providers that are certified under the EU-U.S. Privacy Shield:

- Zendesk, Inc.
- Google LLC
- The Rocket Science Group

8.4. Within the scope of further development of our business, the structure of doo GmbH may be changed by amending the legal form or by founding, purchasing, or selling subsidiaries, company parts or components. In such transactions, the customer information will be passed on together with the part of the company to be transferred. Every time personal data are transferred to third parties in the scope described above, we will ensure that this is effected in compliance with this Privacy Policy and the relevant data protection laws.

Any passing on of the personal data is justified by our legitimate interest in adjusting our corporate form to the economic and legal conditions if required and by the fact that your rights and interests in protection of your personal data are not overriding, Article 6(1) point (f) GDPR.

9. Change of purposes

Processing of your personal data for any other purposes than those described shall only take place to the extent that this is permitted by law, or if you have consented to the changed purpose of the processing activities. In case of further processing for other purposes than those for which the data was initially collected, we will inform you about such other purposes before further processing, and provide you with all other information relevant for such.

10. Erasure of your data

We erase or anonymize your personal data as soon as we no longer need them for the purposes for which we have collected or used them according to the above items. In particular, we will erase your data after the periods described below in the following cases:

- Support requests to Zendesk: 120 days.
- Statistical data at Firebase: 120 days.
- Google Analytics: 14 months.

After the end of these periods, the data will be deleted, except if the data is needed for a longer period due to statutory archiving periods, for criminal prosecution or to secure, assert or enforce legal claims. In such a case, the data will be blocked and is no longer available for further use.

11. Automated individual decision-making or measures for profiling

We do not use any automated processing processes to procure a decision, including profiling.

12. Your rights as data subject

12.1. Right of access
Upon request, you have the right to obtain from us at any time access to information on the personal data concerning you that are processed by us within the scope of Article 15 GDPR. For this purpose, you can send your request to the above address by mail or email.

12.2. Right to rectification of inaccurate data
You have the right to obtain from us without undue delay the rectification of the personal data concerning you if they are inaccurate. For this purpose, please contact the addresses named above.

12.3. Right to erasure
You have the right to obtain from us the erasure of the personal data concerning you under the prerequisites described in Article 17 GDPR. These prerequisites specifically stipulate an erasure right if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, and in cases of unlawful processing, upon objection or where there is an erasure obligation under European law or the law of the member state to which we are subject. In order to assert your above right, please contact the above addresses.

12.4. Right to restriction of processing
You have the right to request restriction of processing as contemplated by Article 18 GDPR. This right applies in particular when the accuracy of the personal data is disputed between the user and us, for the duration required to verify the accuracy, and if the user demands restricted processing instead of erasure if there is a right to erasure; furthermore, this right shall apply if the data is no longer required for the purposes pursued by us, but the user still needs them to establish, exercise or defend legal claims as well as if the successful exercise of the right to object is still disputed between us and the user. In order to assert your above right, please contact the above addresses.

12.5. Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format as contemplated by Article 20 GDPR. In order to assert your above right, please contact the above addresses.

12.6. Right to object
You have the right to object on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based, inter alia, on points (e) or (f) of Article 6(1) GDPR, as contemplated by Article 21 GDPR. We shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

12.7. Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority is:

North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information
(Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen)
Kavalleriestr 2-4
40213 Düsseldorf
Germany
Phone: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de