Privacy Policy (Product)

Privacy policy for the stashcat messenger service

Introduction

The stashcat® Messenger is a communication service offered by stashcat GmbH, based in Hannover, Germany. The service is aimed at companies and public authorities that can use the messenger internally within the organization and across departments. All relevant data protection regulations, in particular the regulations of the German Telemedia Act (TMG) and the General Data Protection Regulation (EU-DSGVO) are observed. In the following, we would like to inform you about the type, scope and purpose of the processing of personal data within stashcat®. With regard to the terminology used, e.g. “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (DSGVO).

1. Who is responsible for data processing within the stashcat messenger?

 The provider of this offer (hereinafter “provider”) is responsible for data protection:

 

stashcat GmbH
Schiffgraben 47
30175 Hannover
Germany

Phone: 0511/675190
Email: hello@stashcat.com

 

In the case of data protection concerns, please contact stashcat GmbH directly, providing sufficient information to identify you personally (e.g. name, e-mail address, name of your institution).

 

You can contact the provider for data protection issues at this email: datenschutz@stashcat.com

The stashcat GmbH is supported and advised by an external data protection officer for the optimal implementation of the legal data protection requirements. This is:

 

Sebastian von der Au
IT management consultancy Floß GmbH
Hopfengarten 10
33775 Versmold

 

Telephone 05423 / 96490-0
Fax 05423 / 96490-60
Email: info@floss-consult.de

 

stashcat GmbH uses the services of processors to provide the stashcat® Messenger.

A list of the processors and the processing activities can be found under point 6.

2. How is data processed within the stashcat messenger?

The Provider provides a software (hereinafter “stashcat®”) accessible via the Internet (web application/desktop application/mobile applications for iOS and Android), which enables direct messenger communication between users. The following explains who is affected by this data processing and in what way, to what extent and for what purposes this data processing takes place. The persons affected by the data processing are the users of the stashcat® communication platform (hereinafter “Users”). These are usually:

 

  • Administrative members of the company/authority using the Messenger.
  • Employees of the company/authority using the Messenger
  • Guests on the client’s side who are granted stashcat® access

 

The Messenger stashcat® is available as a web interface in the browser, as a desktop application for Windows or Mac as well as a mobile app for iOS and Android. With the integrated real-time messenger, direct communication is possible via the platform. There is an integrated file storage that can be used by each user as a personal cloud. A separate account is created for each user with the appropriate authorization level, which entitles them to use the platform. Voice and video telephony is also possible. There is no recording of voice and video calls. Messages can be translated or provided with a location.

The following types of personal data are processed:

 

  • Name, first name
  • e-mail address
  • User role (administrator, user, guest)
  • Photo (optional)
  • Video image and sound (optional)
  • Location data (optional)
  • Communication data: As soon as a user interacts or communicates on the platform, communication data is generated that is required to use the platform. This includes information about the user’s activity on the platform (e.g., information about membership in a channel), which is stored in the system. The storage of this data is necessary because otherwise the use would not be possible. The communication data also includes the entry and exit date.
  • Visited channels: For the purpose of communication exchange and submission of protocols in electronic form, visited channels are formed by course participants, through which information is exchanged. In addition, tasks or information can be distributed to individual persons in such channels.
  • Required metadata (mostly device information) for the use of stashcat®:

 

Web server log files

  • time
  • IP address
  • request URI
  • HTTP response code
  • HTTP response size in bytes
  • User agent string
  • Push tokens (Apple/Google)

 

E-mail log files

  • Time
  • Type of e-mail sent
  • Recipient
  • Sender

 

When using the map service from Mapbox:

  • IP address (will be deleted after 30 days)
  • Device and browser information
  • Operating system
  • Content of the query
  • Date and time of the query
  • Limited usage data
  • For mobile devices, limited location data and volatile ID.

 

When using Apple’s map service (Apple Maps on iOS devices) as specified by the service provider at a minimum:

  • Random identifier
  • Only for user-reported issues: Apple ID (for notification troubleshooting)
  • Model information about the device used
  • Operating system version
  • Region and language
  • Time zone
  • Navigation settings
  • For navigation, start and end point of the route
  • Home or work address, if applicable
  • Search terms of the user, with history
  • In case of problem messages, a screenshot of the map as well as information of the user himself, which he sends in the message, including e-mail address if applicable
  • Camera position for image output

 

When using IBM Watson translators:

  • Device IDs
  • asset identifiers
  • usage-based identifiers
  • static IP address
  • online access and authentication data
  • online connection and network connection data – if it can be assigned to a person

 

stashcat GmbH does not use any purely automated processing to bring about decisions – including profiling – with regard to users of the stashcat® Messenger service.

3. Purposes of the data processing

As already described above, the messenger stashcat® is mainly used in companies and public authorities. The purpose of providing this communication platform is to enable direct and secure communication between users and their organizations within closed communication areas. In addition, the complete company or authority structure can be mapped on the basis of channels. The goals are to accelerate communication paths, shorten service routes, cross-departmental collaboration, and simplify file management.

 

Usage metadata is used to enable fail-safety and other technically smooth service provision. We also use data collected from users to inform them about technical updates and security alerts, and to manage and process support and other user messages to us.

In addition, information is used, when appropriate, to detect, investigate and prevent fraudulent and other illegal activity. This includes violations of our Terms of Use and the protection of the rights and property of stashcat GmbH and others.

 

In addition, we inform users about other purposes of processing when collecting the respective data.

4. Legal basis for the data processing

Insofar as we obtain consent directly from the data subject for processing operations of personal data, Art. 6 (1) lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.

 

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. For example, in the case of its Messenger products, stashcat GmbH bases the processing on the legal basis of the contract if the service is to be used in an institution (company, school, public authority or similar) and the said institution concludes a contract processing agreement with stashcat GmbH for the purpose. In this case, consent to the processing of their personal data is obtained from the members, employees or other relatives of that institution in accordance with Art. 6 para. 1 lit. a DSGVO.

 

Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c DSGVO serves as the legal basis. Examples of this are the retention of data for tax purposes or if there is an obligation to hand over data due to police investigation procedures.

 

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) (d) DSGVO serves as the legal basis. An example of this would be if the protection of the physical integrity or life of a person makes data processing necessary.

 

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Article 6 (1) lit. f DSGVO serves as the legal basis for the processing. For the stashcat Messenger Service, stashcat GmbH processes your data, for example, on the basis of the legitimate interest to carry out measures for the improvement, development and for the security of the Messenger Service. Furthermore, stashcat GmbH has a legitimate interest in carrying out data processing, if necessary, in order to be able to assert legal claims or defend itself in the event of legal disputes.

5. Security measures

In accordance with legal requirements, stashcat GmbH as well as its processors implement and maintain a range of technical and organizational measures to protect the personal data of the users of the Messenger. These measures are taken in the sense of Art. 32 DSGVO, taking into account the state of the art, the cost of their implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures are intended to ensure a level of protection for the personal data of Messenger users that is appropriate to the risk.

 

The stashcat Messenger service is provided in a secure high-security data center in Germany. The users’ communication data usually remains within the jurisdiction of the EU’s General Data Protection Regulation (GDPR). Only with regard to the use of the translation service and the location service in Messenger can it not be completely ruled out that a data transfer to the USA takes place via our service provider IBM (as part of the IBM Watson Language Translator implemented at stashcat) or Apple Maps and Mapbox (as map service for the locations). More detailed information on this can be found under points 6 and 7. The data center has the highest standards for failure and access security.

6. Transfer of data to third parties

For the provision of stashcat®, stashcat GmbH uses the services of order processors. These are contractually bound and subject to the instructions of stashcat®. The processors of stashcat GmbH for the provision of the Messenger service are:

 

  • myLoc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf, Germany.
    myLoc managed IT AG is responsible for the provision (hosting) of the stashcat platform in the high security center.
  • 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
    1&1 IONOS SE is responsible for distributing updates for the desktop client and hosting video conferences
  • secunet Security Networks AG, Kurfürstenstrasse 58, 45138 Essen, Germany
    secunet AG is responsible for invoicing.
  • IBM Deutschland GmbH, IBM-Allee 1, 71139 Ehningen, Germany
    IBM Deutschland GmbH provides the translation service IBM Watson Language Translator, which is implemented in stashcat to enable customers with different language backgrounds to communicate with each other. As far as stashcat customers do not want to use this translation service, they can deactivate it themselves.
  • Mapbox Inc, 740 15th Street NW, 5th floor, Washington DC 20005, USA
    Mapbox Inc. provides a map service that is integrated into stashcat via API.
  • Apple Distribution International Limited, Hollyhill Industrial Estate Hollyhill Cork, Ireland
    Apple Distribution International Limited provides a map service for iOS devices that is integrated with stashcat via API (MapKit).
  • Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia
    Pipedrive OÜ provides stashcat GmbH with a CRM for customer support.

 

Furthermore, data transfers to third parties only take place insofar as stashcat GmbH is required to comply with laws, legal procedures or a justified request from authorities or third parties. Other data transfers to third parties do not take place.

7. Cross-border data transfers outside the EU

All data collected in stashcat is processed on hosting servers located in Germany to ensure trouble-free use of the platform. As a rule, there are no data transfers to foreign countries, neither to companies nor to private individuals. Only when using the translation service from IBM, as well as when using the map service from Mapbox or Apple, as well as Pipedrive CRM (customer management), it cannot be completely ruled out that a transfer of personal data to third countries (primarily the USA) takes place. The use of these services is optional.

 

In the event of data transfer to the USA, IBM Deutschland GmbH relies on the EU standard contractual clauses with regard to the parent company and sub-processors. In addition, supplementary safeguards of a technical, organizational and contractual nature, such as encryption, access controls and assurances of notification of the data controller in the event of a request from an investigative authority, are also implemented. This is set forth in the December 2020 Update to the Appendix on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs): https://www.ibm.com/support/customer/csol/terms/?id=dpl#detail-document. For this reason, the use of the IBM Watson Language Translator is considered provisionally applicable after a risk assessment by stashcat GmbH, whereby the legality aspects are subject to repeated review.

 

Mapbox relies on the EU standard contractual clauses for third country transfers. Neither in the privacy policy nor in the DPA does Mapbox explicitly provide for supplementary safeguards in the sense of the ECJ judgment. However, the service provider has referenced various technical and organizational measures in the DPA (https://www.mapbox.com/platform/security/), which may constitute such supplementary guarantees. These include, for example, TLS transport encryption, rights and role concept for employees of the company, logging of data access, and audits/certifications (SOC 2, SOC3, etc.). As a result of the very limited collection of personal data, it was therefore decided after a risk assessment that the protection of personal data was sufficiently ensured and consequently the service could be used.

 

Apple relies on the EU standard contractual clauses for third country transfers. These are available at https://www.apple.com/legal/enterprise/data-transfer-agreements/datatransfer-de.pdf. Neither in the privacy policy nor in the appendices to the standard contractual clauses does Apple explicitly provide for additional guarantees in the sense of the ECJ ruling. However, the service provider has referenced various technical and organizational measures both in Appendix 2 to these standard contractual clauses and in the information about data protection features on its own website (https://www.apple.com/de/privacy/features/). Specifically for map services, these include end-to-end encryption, local processing on the user’s device, random identifiers, location fuzzing, and sandboxing of map extensions.

 

After the risk assessment has been carried out, it is therefore assumed that these measures can be assessed as complementary safeguards in the sense of the Schrems II judgment. Consequently, the protection of personal data is currently considered to be sufficiently ensured and the service can be used in compliance with the law.

 

At Pipedrive OÜ, reference is also made to EU standard contractual clauses with regard to possible data exchange with the parent company or with subcontracted processors. Further supplementary guarantees are currently being examined to determine whether they can be implemented. For this reason, the use of IBM Watson Language Translator as well as Pipedrive CRM is deemed provisionally applicable after a risk assessment has been carried out by stashcat GmbH, with the legality aspects being subject to repeated review.

8. Duration of storage and deletion of data

The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 DSGVO. Unless expressly stated within the scope of this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

 

If a user leaves the organization and deletes his or her stashcat® account, all personal data will be deleted at the same time. Basically, personal data will be deleted accordingly upon request/instruction of the user/organization/administrator. The users themselves have the possibility to delete their uploaded files in the personal file storage independently.

 

An anonymization of the account cannot be made by the users themselves, because otherwise the assignment of the users on the platform would not be possible. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

User data will be deleted after deletion of the account. Chat content can be deleted automatically by the user himself or by deletion deadlines defined by the school.

 

  • Web server log files:
    Automatic deletion of old logs after 14 days.
  • Mail server log files:
    Automatic deletion of old logs after 30 days.
  • Endpoints:
    Automatic deletion of devices that are no longer active/used after 30 days.

 

When using the map service from Mapbox, the IP address is deleted by this service provider after 30 days. Longer storage of up to 36 months takes place only on a random basis, for the purpose of usage analysis for the improvement of the API.

 

The data collected by the Apple map service is subject to a standard deletion period of two years.

9. Changes and updates to this privacy policy

This Privacy Policy is subject to future changes and updates to its content. This may happen because either the legal requirements or the way we process data from our users changes. To the extent that such changes will require the consent of users, we will contact them directly and individually.

10. Rights of the data subjects

Users of the stashcat messenger service have rights as data subjects of the processing of their personal data, which they are entitled to in particular according to Art. 15-21 DSGVO. They can assert these as individual users against stashcat GmbH. However, if another organization (public authority, company, school, or similar) establishes stashcat Messenger as a communication platform within the organization, stashcat GmbH is usually the processor of this organization. In this case, you can assert these rights directly with this organization.

 

Your data subject rights as a user of the Messenger are:

 

Right to information

In accordance with the legal requirements, you have the right to request confirmation free of charge as to whether and which personal data relating to you is being processed. Furthermore, you may request a copy of the data in accordance with the legal requirements.

 

Right to rectification of your data

You have the right to request the correction of inaccurate personal data concerning you in accordance with the legal requirements. Likewise, you have the right to request the completion of incomplete data in accordance with the legal requirements.

 

Right to erasure and restriction of processing

You have the right to demand the immediate deletion or at least the blocking of your personal data in accordance with the legal requirements.

 

Right to data portability

You have the right to obtain the personal data in accordance with the legal requirements in a structured, common and machine-readable format or to request the transfer of this data to another responsible party.

 

Right to revoke your given consent

Insofar as the processing of your personal data is based on your consent, you have the right to revoke this consent at any time. Please note here that the revocation of your consent may mean a complete deletion of your user account, depending on the reference.

 

Right to object

Where data processing is based on legitimate interest pursuant to Article 6(1)(f) DSGVO, you have the right to object at any time to the processing of personal data relating to you on grounds relating to your particular situation. In the event of an objection, the controller will check whether interests worthy of protection for the processing outweigh your interests, rights and freedoms, e.g. in the assertion, exercise or defense of legal claims. In the event of an objection relating to direct marketing, the objection will always be met immediately and processing will cease.

 

If you wish to exercise your data protection rights directly against stashcat GmbH or have other data protection-related concerns in the context of stashcat Messenger, you can reach us at the e-mail datenschutz@stashcat.com. Otherwise, contact your organization (public authority, company, school or similar) directly, provided that it has established our Messenger as a communication platform. stashcat GmbH will then support the organization concerned in implementing the data subject rights in accordance with the legal requirements.

11. Right to complain to the competent supervisory authority

In the event of violations of data protection law, the data subject shall have a right of appeal to the competent data protection supervisory authority. The competent supervisory authority is usually the one in the federal state in which the data processing company has its registered office. The supervisory authority responsible for our company in matters of data protection law is:

 

The State Data Protection Commissioner of the Federal State of Lower Saxony.
Prinzenstrasse 5
30159 Hanover

Telephone: 0511 120-4500
E-mail: poststelle@lfd.niedersachsen.de

Website: www.lfd.niedersachsen.de/startseite
