Last Updated: 31/08/2020 (Version 1.0.0)
1. General Information in Data Processing: Data Controller, Scope of Data Processing; Your Rights; Profiling and automated decision making; Data Security; Data Processing outside the EU; Contacting us
1.1 Collato as Data Controller
The data controller is Collato GmbH, Dunckerstraße 7 c/o Scherkamp, 10437 Berlin/Germany, registered with the commercial register at the local court of Charlottenburg under HRB 215252 B, represented by the managing directors Ivo Scherkamp and Sebastian Bojahr, email: email@example.com, VAT-ID DE329214531 ("we/us" or "Collato").
We have appointed a data protection officer who can be reached at firstname.lastname@example.org.
1.2 Scope of Data Processing
Personal data are any information relating to an identified or identifiable natural person. Applicable legal provisions are in particular those of the regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, repealing the directive 95/46/EC, on the protection of individuals with regard to the processing of personal data, on the free movement of such data ("General Data Protection Regulation", GDPR) as well as in the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG).
We as well as our external service partners process your data for the purpose of providing the Website and services, including providing hard- and software through such external service partners. You provide data if this is necessary for the aforementioned purposes. For more information please also refer to email@example.com.
In the event you refrain from providing such data you may face legal disadvantages, for example, limited or no possibility of using our Website or no answer to your email sent to us.
1.3 Your Rights
In accordance with the statutory provisions, you as the data subject have the following rights:
- the right to access,
- the right to rectification or erasure,
- the right to restriction of processing,
- the right to data portability,
- If you have provided us with your personal data on the basis of a consent, you may withdraw the consent at any time with effect for the future,
- You may object to the processing of your personal data, if your personal data are processed for direct marketing purposes and/or on the basis of legitimate interests pursuant to Art. 6 (1) f GDPR insofar as there are reasons for this arising from your particular situation.
To exercise the rights named above you may contact us at any time, for example via email to firstname.lastname@example.org.
You also have the right to lodge a complaint with a supervisory authority of your choice (for example: Berliner Beauftragte für Datenschutz und Informationsfreiheit https://www.datenschutz-berlin.de/kontakt.html). An overview of the Data Protection Authorities may be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html or http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
1.4 Storing and Deleting Data
1.5 Profiling and automated decision making
We do not use automated decision-making including profiling when processing data concerning our Website or Platform except as set forth herein. However, our third party providers may carry out such profiling in individual cases. We will inform you about such fact if possible.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effect on you or substantially impairs you in a similar manner.
1.6 Data Security
For the best possible security of user data, our service through the Website is provided via a secured SSL connection between your server and the browser. That means that the data shall be transferred in encrypted form. We have implemented suitable technical and organizational measures.
1.7 Data Processing by Third Parties / Data Processing outside the EU
1.8 Contact Us
If you send us an e-mail or otherwise contact us, your details in this online form or request, including the contact data, name, email address and other data provided respectively, are processed by us in order to deal with your inquiry or to be able to contact you at a later time for follow up questions. These data are processed only on the basis of your consent (legal basis Art. 6 (1) a. GDPR) or on the basis of an initiating or existing business relationship with us (legal basis Art. 6 (1) b. GDPR or TMG).
2. Data processing on our website
2.1 Visiting the Website
We (or the webspace provider) collect data on each visit to our website collato.com ("Website") (so-called Server log files), which include:
Name of the Website visited, file, date and time of the visit, data amount transferred, information on a successful call, browser type as well as version, operating system of the user, referrer URL (the page visited before), IP address and the requesting provider
as well as the following, if a mobile end device is being used:
country code, language, name of device, name of operating system and version
We use these server log files only for statistical evaluations for the purpose of optimizing our services and in order to guarantee the stability and operational security of the Website. When personal data (such as the IP-address) are stored the legal basis for this is Art. 6 (1) c. GDPR or Art. 6 (1) f. GDPR based on our legitimate interest of quality assurance or TMG.
In our newsletter we inform you about our services and products also described on our Website.
When registering for the newsletter, you have to provide an email address. This email address will be transmitted to and stored by us (or a provider as specified below). After registration, the user will receive an email to confirm the registration ("double opt-in"). Via clicking the registration link you have given your consent to the processing of your personal data for receiving our newsletter and we may process such data accordingly. In case of registration for the newsletter we (or our provider as specified below) also store the IP address, the device name, the mail provider as well as the user's first and last name and the date of registration.
We use the mail provider "Mailchimp" by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA who receives and processes on our behalf the data necessary for the mailing, in particular email address, IP address, device name. These data are processed on servers in the USA. Mailchimp is a service with which the dispatch of emails can be organized and analyzed. With the help of Mailchimp we can analyze our emails. When you open an email sent with Mailchimp, a file contained in the email (so-called web beacon) connects to the Mailchimp servers in the USA. This allows you to determine whether a message has been opened and which links have been clicked on. In addition, technical information is recorded (e.g. time of registration, IP address, browser type and operating system). This information cannot be assigned to the respective email recipient. They are used exclusively for statistical analysis of our emails. The results of these analyses can be used to better adapt future emails to the interests of the recipients. Mailchimp is certified according to "privacy shield". The "privacy shield" is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA. For more information please refer to https://mailchimp.com/legal/privacy/.
The data processing for sending and analyzing our newsletters as described above is based on your consent (Art. 6 (1) f. GDPR) and/or on Art. 6 (1) f. GDPR with our legitimate interest of quality assurance and marketing.
OPT-OUT: If you do not want to receive any newsletters by us in the future and/or wish to object to the analysis of your data through such newsletters please use the "unsubscribe" link contained in each newsletter or send us an email to email@example.com.
2.3 Careers Section on our Website
We process your personal data for fulfilling our contractual or pre-contractual obligations (based on Art. 6 (1) b. GDPR) or -- as applicable -- for the purpose of the employment relationship with you (Section 26 BDSG). In particular, we use your data:
- To get in touch with you, communicate with you, update you and to facilitate your application,
- To offer an online-application system that is connected to our website,
- To respond to your questions or concerns,
- To carry out vetting of staff members (where required); this may involve our collection and use of sensitive personal information including information obtained from criminal background checks about offences or alleged offences and information relating to any proceedings for offences committed or allegedly committed,
- When necessary and for the purposes of our legitimate interests to maintain adequate records, we may collect and handle information related to medical information, ethnic origin or criminal records,
- To assist in any disputes, claims or investigations relating to your application, or
- To comply with our legal, regulatory and professional obligations.
We may also use your data with your explicit consent (based on Art. 6 (1) a. GDPR or Section 26 BDSG), for example to keep you informed about other opportunities if you wish us to do so. If you do not provide your personal data, you may face certain disadvantages, for example we will not be able to provide you with our recruiting processes or keep you informed about future opportunities.
A list of the data processors processing data (outside the EU) and corresponding information is available by request via email to firstname.lastname@example.org.
With your explicit consent, we will keep your information in case any other opportunities become available which you might be interested in; we will only keep your information for a limited period and your details will generally be deleted at the latest after 12 months of inactivity on your account. You may withdraw such consent with effect for the future at any time via email to email@example.com.
3. Cookies and Third Party Providers on the Website
Our Website uses so-called cookies. Cookies do not cause any harm to your device and do not contain any viruses. Cookies serve the purpose of making our service more user-friendly, more effective and safer. Cookies are small text files which are stored on your device and in your browser.
Most of the cookies we use are so-called session cookies. After the end of the session these cookies will be deleted automatically. The session cookies are used in order to associate successive page requests with the individual users, who at the same time access our Website. Other cookies will be stored on your device until you delete them. These cookies enable us to recognize your browser during your next visit.
By clicking "I agree" in the cookie banner appearing on your screen when visiting collato.com for the first time you agree that all cookies set out in this clause will be set. This applies both to regular cookies and essential cookies; essential cookies are such cookies which are necessary to correctly display the Website and/or carry out its basic functionalities. If you, however, choose to not agree with our usage of those non-essential cookies – either by ignoring the banner or by clicking the top right "X" – only essential cookies will be set. Your decision will be stored in one cookie which is used to recognize your browser during your next visit, so you will not be asked again until you decide to delete this cookie. Please find information on how to opt-out in connection with cookies in general in the following paragraph and in particular in the respective subsection of this clause.
You can adjust your browser to notify you, before you receive a cookie or to decide to accept cookies on a case-by-case basis, to completely or partly exclude all incoming cookies and to activate the deletion of cookies automatically when the browser is closed. You may manage many online advertisement cookies provided by companies via the American web page http://www.aboutads.info/choices/ or the web page of the European Union http://www.youronlinechoices.com/uk/your-ad-choices/. We would like to inform you that the usage and especially the convenience of usage without using any cookies may be limited.
In the event personal data are processed such processing is based on Art. 6 (1) a. GDPR.
3.2 Google Analytics
The service offered here uses Google Analytics, a web analytics tool offered by Google LLC, Mountain View, CA, USA ("Google"). This analysis service uses so-called "cookies". For analysis, text files will be stored on your device. The information stored in the corresponding files about the use of this website is generally transmitted to and stored on Google servers in the USA. As the IP anonymization is active on this Website, your IP address will be shortened by Google within the member states of the European Union (EU). This information will be used to evaluate your use of the services offered here and enable the operator of this website to analyze your website activity and provide other services associated with the website service. The IP address transmitted from your browser as part of Google Analytics will not be merged with other data from Google.
We point out that an automated decision making ("profiling") can take place when integrating Google and an existing Google account.
Google LLC, USA is certified according to the EU-US agreement "Privacy Shield". The "Privacy Shield" is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA.
Should you use the Google Analytics integration in Collato, we will have the ability to view your Google Analytics data, the public information of your Google account, and your Gmail address. Analytics data authorization is granted on a per-user basis and can be revoked when the user deauthorizes Collato in their Google Account Settings. We only use this data to import Google Analytics data in Collato (legal basis: Art. 6 (1) a GDPR). You can find further information about the processing of your data by Google under the following link: https://developers.google.com/terms/api-services-user-data-policy.
3.3 Google Fonts
Our Website uses the "Google Fonts" service of Google LLC, Mountain View, CA, USA to integrate and display text on the Website. For this purpose Google may process your data (including the IP address) on servers located in the USA.
When the IP address is processed this is based on our legitimate interests of technical functionality of the Website based on Art. 6 (1) f. GDPR or TMG.
3.4 Google Tag Manager
You can always opt-out from the data collection by visiting: https://www.hotjar.com/legal/compliance/opt-out
You can object to the data collection and storage by AddThis at any time with effect for the future by setting a so-called Opt-Out Cookie. Please refer to http://www.addthis.com/privacy/opt-out.
Amplitude by Amplitude, Inc., 501 2nd Street, Suite 100, San Francisco, CA 94107, USA: The service analyzes your usage data of the service on our behalf based on our legitimate interest of improving our product (legal basis: Art. 6 (1) f. GDPR). To show compliance with EU data protection standards Amplitude Inc. is certified according to the EU-US-Privacy-Shield (see: https://www.privacyshield.gov). For further information please also refer to https://amplitude.com/privacy#customer-end-user-data.
Our Website uses the tool “Typeform” which is a service of TYPEFORM SL, C/Bac de Roda, 163 (Local), 08018 – Barcelona (Spain) (“Typeform”). We use the Typeform survey tool to create, display and process website-embedded surveys related to our products. When completing a survey on our Website, Typeform receives both your entered mail-address and your entered answers. (legal basis: Art. 6 (1) a. GDPR). You can find further information about the processing of your data by Typeform under the following link: https://admin.typeform.com/to/dwk6gt.
3.9 Google People API
Should you access our Service using Google Sign-In, we will have the ability to view your list of contacts via the Google “People API”. The sole use of this data is to populate the auto-completion of your colleagues when inviting users to your Collato workspace. (legal basis: Art. 6 (1) a GDPR). You can find further information about the processing of your data by Google under the following link: https://developers.google.com/terms/api-services-user-data-policy.
To facilitate the messaging and customer service functionalities in our Service, we use Intercom, a tool by Intercom, Inc., Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor, San Francisco, California 94105 (“Intercom”). For this purpose, when using the message or customer service function in our Service, your data such as your name, mail address, operating system, browser page, referrer and IP address as well as the content of your message will be transferred to Intercom and such data may be stored on Intercom servers in the US. Intercom submits the collected data to us so that we can address your request.
We use Segment.io, provided by Segment.io, Inc. (101 15th St., San Francisco, CA 94103, USA) (“Segment”), a data analysis service that aggregates usage data from our Website and our App. According to Segment, the recorded usage data is only processed in pseudonymised form; IP addresses are shortened accordingly after their collection and the data is not used to combine user profiles with your personal data. According to Segment, the information about the use of our website is usually transmitted to and stored by Segment on a server in the United States. To show compliance with EU data protection standards Segment.io is certified according to the EU-US-Privacy-Shield (see: https://www.privacyshield.gov). We have concluded a Data Processing Agreement (DPA) with Segment.io. To learn more visit: collato.com/dpa. The legal basis for our use of Segment is Art. 6 (1) a. GDPR.
We use Zapier provided by Zapier, Inc. (548 Market St. #62411. San Francisco, CA 94104-5401) (“Zapier”), a web-based, application integration and data linking service. To show compliance with EU data protection standards Zapier is certified according to the EU-US-Privacy-Shield (see: https://www.privacyshield.gov). We have concluded a Data Processing Agreement (DPA) with Zapier. The legal basis for our use of Zapier is Art. 6 a. GDPR. For more information visit: zapier.com/privacy.
3.17 Google Sheets
Should you use the Google Sheets integration in Collato, we will have the ability to view the Google Sheet files you add to Collato, the public information of your Google account, and your Gmail address. File authorization is granted on a per-user basis and can be revoked when the user deauthorizes Collato in their Google Account Settings. We only use this data to import Google Sheets in Collato (legal basis: Art. 6 (1) a GDPR). You can find further information about the processing of your data by Google under the following link: https://developers.google.com/terms/api-services-user-data-policy.
3.18 Integration of Services by Third Parties
When using this online service, contents of third parties, like for instance, links to Instagram, YouTube videos, map material provided by Google Map, RSS feeds or graphics are integrated from other websites. This always requires that the providers of this content ("Third Party Providers") use the IP address. Without this IP address these Third Party Providers would not be able to send the content to your browser. Consequently, the IP address is required in order to display the content. We make every effort to only use such content by Third Party Providers which use the IP address for the delivery of content only.
Such data are used in order to guarantee the stability and operational security of the websites of the Third Party Providers as well as for the purpose of optimizing our services via quality assurance. If the IP address is stored such processing is based on Art. 6 (1) b., c. GDPR, Art. 6 (1) a. GDPR or TMG.
In the event of displayed content by Third Party Providers your data may be processed outside the EU.
4. Data Processing on our Social Media Pages
We operate pages on the following social media channels:
- LinkedIn: linkedin.com or mobile app by LinkedIn Corporation, Legal Department -- Privacy, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA / LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, please also refer to: https://www.linkedin.com/legal/privacy-policy / https://www.linkedin.com/psettings/privacy
When you visit our social media pages, data is processed both by us and by the responsible social media provider as the responsible party.
The respective provider of social media assumes the data protection obligations towards you as the user, such as information on data processing, and is the contact person for your rights. This follows from the fact that such provider has direct access to the relevant information on the social media page and the processing of your data. However, you are also welcome to contact us if this should become necessary and we will then forward the request to them.
When using Facebook, Instagram, Twitter or LinkedIn data may also be processed outside the EU. The US companies of Facebook/Instagram, Twitter and LinkedIn are certified in accordance with the EU-US Privacy Shield agreement, which guarantees compliance with data protection regulations in the EU. For more information please refer to: https://www.privacyshield.gov
4.1 Data Processing and Legal Basis
With our social media pages, we can communicate with you and provide you with interesting information. We may receive further data from you through your comments, shared images, messages and reactions, which we then process to answer or communicate with you. If you use social media on several end devices, a cross-device analysis of the data can take place.
Data processing takes place with your consent or for the purpose of answering your enquiry (Art. 6 (1) a, b GDPR) or on the basis of legitimate interests in improving the services and presentation to the outside world (Art. 6 (1) f GDPR).
Facebook and we use the Page Insights function to process statistical data from users of our Facebook pages (see also the agreement at: https://www.facebook.com/legal/terms/page_controller_addendum). This involves the processing of data in the form of so-called 'page insights', which are described in more detail at https://www.facebook.com/business/a/page/page-insights.
Evaluations and statistics are generated in the form of page insights from the usage data of the Facebook pages, which support us in improving our marketing activities and our external presence. We may also learn about users and their behavior who interact with or use our Facebook Pages to display relevant content and develop features that may be of interest to them. These page statistics show us, for example, which people from certain target groups interact most with our Facebook Page or which content on the Facebook Page was visited, shared or liked when and how often. When classifying people into target groups, demographic data or data about the location of a person is also included in order to place targeted advertisements with these people. If you use Facebook on several end devices, a cross-device analysis of the data can take place. The data collected in this way is statistically processed and usually anonymous, i.e. we cannot establish any reference to the individual person.
Information on these page insights and data processing can be found, for example, in Facebook's data protection statement at https://www.facebook.com/policy.php or at https://www.facebook.com/business/a/page/page-insights.
As a Facebook user, you can at any time influence how your user behavior is recorded when you visit Facebook pages. To do this, you can manage the settings for advertising preferences in your Facebook account or at https://www.facebook.com/ads/preferences, or the Facebook settings in your account or at https://www.facebook.com/settings. Facebook also provides opportunities to contact or exercise rights at https://www.facebook.com/help/contact/2061665240770586 or https://www.facebook.com/help/contact/308592359910928.
When using Instagram and you have an account there, Instagram can assign your activities to your profiles there. Instagram and we use the Instagram Insights function to process statistical data from users of our Instagram pages (see also for Facebook which is connected to the provider of Instagram the agreement at: https://www.facebook.com/legal/terms/page_controller_addendum). This involves the processing of data in the form of so-called 'Instagram Insights' which are described in more detail at https://help.instagram.com/788388387972460?helpref=faq_content.
Evaluations and statistics are generated in the form of Instagram Insights from the usage data of the Instagram pages, which support us in improving our marketing activities and our external presence. Instagram Insights lets us learn more about our users and the performance of our content with you as audience. For this purpose Instagram provides us with statistics on specific posts and stories created to find out how users interacted with them. When classifying people into target groups, demographic data or data about the location of a person is also included in order to place targeted advertisements with these people. If you use Instagram on several end devices, a cross-device analysis of the data can take place. The data collected in this way is statistically processed and usually anonymous, i.e. we cannot establish any reference to the individual person.
As an Instagram user, you can at any time influence how your user behavior is recorded when you visit Instagram pages. To do this, you can manage the settings for advertising preferences in your Instagram account or under https://www.instagram.com/accounts/privacy_and_security/. Instagram also provides opportunities to contact or exercise rights at https://help.instagram.com/contact/1845713985721890 or http://instagram.com/about/legal/privacy/.
As a Twitter user, you can at any time influence how your user behavior is recorded when you visit Twitter pages. To do this, you can manage the settings for advertising preferences in your Twitter account or under https://twitter.com/personalization or https://twitter.com/de/privacy#overlay-chapter2.10.1 or without an account under https://pscp.tv/account/settings. Twitter also provides opportunities to contact or exercise rights at https://help.twitter.com/forms/privacy.
LinkedIn and we may use your data for careers and recruiting services for our LinkedIn pages (see also the data processing agreement: https://legal.linkedin.com/dpa). Data on how you use LinkedIn may be shared with us and certain third parties as described in detail here: https://www.linkedin.com/legal/privacy-policy#share
As a LinkedIn user, you can at any time influence how your user behavior is recorded when you visit LinkedIn pages. To do this, you can manage the advertising and general settings in your account under https://www.linkedin.com/psettings/privacy. LinkedIn also provides opportunities to contact and exercise rights under https://www.linkedin.com/legal/privacy-policy, https://www.linkedin.com/legal/cookie-policy and for individual messages online via https://www.linkedin.com/help/linkedin/ask/TSO-DPO.
For further information you may contact us at any time, for example via email to firstname.lastname@example.org.