Privacy policy for the stashcat messenger service

Introduction

The stashcat messenger is a communication service offered by stashcat GmbH, headquartered in Hanover. The service is aimed at companies and public authorities that can use the messenger internally and across departments. All relevant privacy regulations, in particular the regulations of the Telemedia Act (Telemediengesetz, TMG) and the General Data Protection Regulation (GDPR) are adhered to. In the following, we would like to give you some information on the type, scope and purpose of the processing of personal data within stashcat. With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1. Who is responsible for data processing within the stashcat messenger?

Responsible controller in terms of personal data protection is the Provider of this service (hereinafter the “Provider”):


stashcat GmbH 
Hamburger Allee 2-4 
30161 Hanover 
Germany 
Tel.: +49 (511) 898 40100
Email: hello@stashcat.com

If you have any privacy concerns, please contact stashcat GmbH directly, providing sufficient information to identify yourself (e. g. name, email address or name of your institution). 


You can contact the provider on privacy questions at this email address: datenschutz@stashcat.com


For the purpose of optimal implementation of the statutory privacy requirements, stashcat GmbH is supported and advised by an external Data Protection Officer. He is:


Sebastian von der Au
EDV-Unternehmensberatung Floß GmbH
Hopfengarten 10
33775 Versmold
Tel +49 (5423) 96490-0
Fax +49 (5423) 96490-60
Email: info@floss-consult.de

 

For the provision of the stashcat messenger, stashcat GmbH uses the services of data processors. A list of the data processors and their processing activities can be found under point 6.

2. How is data processed within the stashcat messenger?

The provider makes available software (hereinafter “stashcat”) over the internet (web application/desktop application/mobile applications for iOS and Android), which enables direct messenger communication between users. The next section explains who is affected by this data processing, and in which way, to which extent and for which purposes this data processing takes place.


Data subjects are the users of the stashcat communication platform (hereinafter the “Users”). They are usually:

 

  • Administrative members of the company/authority using the messenger 
  • Employees of the company/authority using the messenger
  • Guests on the side of the principal, who are given access to stashcat

 

The stashcat messenger is available as a web browser interface, as a desktop app for Windows or Mac, as well as a mobile app for iOS and Android. With the integrated real-time messenger, direct communication over the platform is possible. There is an integrated file storage that can be used by each user as a personal cloud. A separate account is created for each user with the appropriate permission level, which entitles them to use the platform. Voice and video telephony are also possible. Voice and video calls are not recorded.


The following types of personal data are processed:

 

  • Surname and first name 
  • Email address 
  • User role (administrator, user, guest) 
  • Photo (optional) 
  • Video image and sound (optional)
  • Location data (optional)
  • Communication data: As soon as a user interacts or communicates on the platform, communication data is generated, which is required for the use of the platform. This includes information about the user’s activity on the platform (e. g. information about membership in a channel), which is stored in the system. The storage of this data is necessary because otherwise, it would not be possible to use the messenger. The communication data also includes the entry and departure date. 
  • Visited channels: For the purpose of communication exchange and submission of protocols in electronic form, visited channels are formed by course participants, through which information is exchanged. In addition, tasks or information can be distributed to individual persons in such channels.  
  • Required metadata (mostly device information) for using stashcat: 
    • Web server log files
      • Time
      • IP address
      • Request URI
      • HTTP response code
      • HTTP response size in bytes
      • User-agent string
      • Push tokens (Apple/Google)
    • Email log files
      • Time
      • Type of email sent
      • Receiver
      • Sender

 

Stashcat GmbH does not use purely automated processing to take decisions – including profiling – about users of the stashcat messenger service.

3. Purposes of the data processing

As described above, the stashcat messenger is mainly used in companies and public authorities. The provision of this communication platform serves to enable direct and secure communication between users and their organisations within closed communication areas. In addition, the complete company or authority structure can be mapped, using channels. The goals are the acceleration of communication paths, shortening of official channels, promoting cross-departmental collaboration and simplified file management.  
Usage metadata is used to enable resilience and otherwise technically smooth service provision. In addition, we use data collected from users to inform them about technical updates and security warnings, as well as to manage and process support and other user messages to us. We also use information, on a given occasion, to detect, investigate and prevent fraudulent and other illegal activities. This includes breaches of our terms of use and protecting the rights and property of stashcat GmbH and others. 

 

In addition, we inform the users about further purposes of the processing when collecting the respective data.

4. Legal basis for the data processing

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.


When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.


Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Article 6(1)(d) GDPR serves as the legal basis.


If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

5. Security measures

Both stashcat GmbH and its data processors implement and maintain a range of technical and organisational measures to protect the personal data of the messenger users in accordance with the statutory requirements. These measures are taken in accordance with Article 32 of the GDPR, taking into account the state of the art of the technology, the costs of their implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures are intended to ensure a level of protection for the personal data of messenger users that is appropriate to the risk.


The stashcat messenger service is provided in a protected high-security data centre in Germany. The communication data of the users usually remain within the jurisdiction of the EU General Data Protection Regulation (GDPR). Only with regard to the use of the translation service in the messenger, it cannot be completely ruled out that a data transfer to the USA will take place through our service provider IBM (in the context of the IBM Watson Language Translator implemented within stashcat). More detailed information is available on this under points 6 and 7. The data centre has the highest standards for failure and access protection.

6. Transfer of data to third parties

For the provision of stashcat, stashcat GmbH uses the services of data processors. They are contractually bound and are subject to the instructions of stashcat. The data processors of stashcat GmbH for the provision of the messenger service are:

 

  • MIVITEC GmbH, Wamslerstr. 4, 81829 Munich 
    • Mivitec GmbH is responsible for the provision (hosting) of the stashcat platform in the high security centre.
  • 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur 
    • 1&1 IONOS SE handles the distribution of updates for the desktop client and the hosting of videoconferences
  • heinekingmedia GmbH, Hamburger Allee 2-4, 30161 Hanover 
    • the heinekingmedia GmbH handles the answering of support requests in customer contact
  • IBM Deutschland GmbH, IBM-Allee 1, 71139 Ehningen 
    • IBM Deutschland GmbH provides the translation service IBM Watson Language Translator, which is implemented in stashcat, so customers with different language backgrounds can also communicate with each other. If stashcat customers do not wish to use this translation service, they can deactivate it themselves.
  • Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia 
    • Pipedrive OÜ provides stashcat GmbH with a CRM for customer support.

 

In addition, data is only transferred to third parties if stashcat GmbH is required to do so in order to comply with the law, legal procedures, or a justified request from authorities or third parties.


There are no other transfers of data to third parties.

7. Cross-border data transfers outside the EU

All data collected in stashcat is processed on hosting servers located in Germany to ensure trouble-free use of the platform. As a rule, there is no data transfer to foreign countries, neither to companies nor to private individuals. Only with regard to the IBM translation service and Pipedrive CRM (customer management), it can it not be completely ruled out that personal data is transferred to third countries (primarily the USA). In the event of data transfer to the USA, IBM Deutschland GmbH relies on the EU standard contractual clauses with regard to the parent company and sub-processors. In addition, supplementary safeguards of a technical, organisational and contractual nature such as encryption, access controls and assurances of notification of the data controller in the event of a request from an investigative authority will also be implemented. This is set out in the December 2020 Update to the Annex on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs): www.ibm.com/support/customer/csol/terms/. Pipedrive OÜ also relies on EU standard contractual clauses with regard to any data exchange with the parent company or sub-processors. Further supplementary guarantees are currently being examined to determine whether they can be implemented. For this reason, the use of the IBM Watson Language Translator, as well as the Pipedrive CM is considered to be provisionally acceptable after a risk assessment has been carried out by stashcat GmbH, although the aspects of legality will be subject to a repeated review.

8. Storage duration and deletion of data

The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated within the scope of this privacy declaration, the data stored by us will be deleted as soon it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention duties.


If a user leaves the organisation and deletes his stashcat account, all personal data will be deleted at the same time. In principle, personal data will be deleted appropriately on request/instruction of the user/the organisation/the administrator. The users themselves have the possibility to delete their uploaded files in the personal file storage independently.


Anonymisation of the account cannot be carried out by the users themselves, as the assignment of the users on the platform would otherwise not be possible. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

9. Changes and updates to this privacy policy

This privacy policy is subject to future content changes and updates. This may happen because either the statutory requirements, or the way in which we process data of our users, changes. Insofar as such changes require the consent of the users, we will contact them directly and individually.

10. Rights of the data subjects

Users of the stashcat messenger service have data subject rights regarding the processing of their personal data, to which they are entitled to exercise in particular under Art. 15-21 GDPR. They can assert these rights as individual users against stashcat GmbH. However, if another organisation (public authority, company, school, or similar) establishes stashcat messenger as a communication platform within this organisation, stashcat GmbH is usually the data processor of this organisation. In this case, it is possible to assert these rights directly with this organisation.


Your data subject rights as a user of the messenger are:

 

Right of access

You have the right to request confirmation free of charge, in accordance with the statutory requirements, as to whether and which personal data relating to you is being processed. In addition, you can request a copy of the data in accordance with the statutory requirements.

 

Right to rectify your data

You have the right to demand the correction of inaccurate personal data in accordance with the statutory requirements. Similarly, you have the right to request the completion of incomplete data in accordance with the statutory requirements.

 

Right to deletion and restriction of processing

You have the right to demand the immediate deletion, or at least the blocking of your personal data in accordance with the statutory requirements. 

 

Right to data portability

You have the right to receive the personal data concerning you in a structured, common and machine-readable format in accordance with the statutory requirements, or to demand the transfer of this data to another controller.

 

Right to revoke the consent you have given

If the processing of your personal data is based on your consent, you have the right to revoke this consent at any time. Please note that the revocation of your consent may mean a complete deletion of your user account, depending on the context.

 

Right to object

Insofar as data processing is based on the legitimate interest under Art. 6 (1) f) GDPR, you have the right to object to the processing of personal data concerning you at any time on grounds relating to your particular situation. In the event of an objection, the controller will check whether interests worthy of protection for the processing outweigh your interests, rights and freedoms, e. g. in the case of assertion, exercise, or defence of legal claims.

 

If you wish to exercise your privacy rights directly against stashcat GmbH, or if you have other privacy-related concerns in the context of stashcat messenger, you can reach us at the following email address privacy@stashcat.com. Otherwise, please contact your organisation (public authority, company, school or similar) directly, provided that it has established our messenger as a communication platform. stashcat GmbH will then support the organisation concerned in safeguarding the data subject rights in accordance with the statutory requirements.

11. Right to complain to the competent supervisory authority

In the event of infringement of the data protection law, the data subject has a right to complain to the competent data protection supervisory authority. As a rule, the competent authority is the Data Protection Officer/Commissioner in the federal state, in which the data processing company has its registered office. The supervisory authority responsible for our company in matters of data protection law is:


Landesbeauftragte für den Datenschutz Niedersachsen
(translated: Data Protection Commissioner of the Federal State of Lower Saxony)
Prinzenstrasse 5 
30159 Hanover 
Tel: 0511 120-4500


Email: poststelle@lfd.niedersachsen.de
Website: lfd.niedersachsen.de/startseite/

Bookmarks