Data Protection Information
1. Processing activities
Operation of a website for selling software for (registered) customers¹
2. Controller
Royal Apps GmbH
VAT ID: ATU75476334
Grimmgasse 39/3, 1150 Vienna, Austria
3. Contact details of the controller
Royal Apps GmbH, c/o Controller
Grimmgasse 39/3, 1150 Vienna, Austria
Email: [email protected]
4. Purposes of data processing
on the legal basis of performance or preparation of contracts
a. Advertising and selling software solutions and services related to those software solutions to (registered) customers
b. Collection of user numbers and user conduct to document reach and to improve services
c. Provision of communication channels to the controller for servicing the contractual relationship
5. Legal basis for data processing
1. Online use: performance or preparation of the contract. Use of the website alone is based on a contract as defined in Art. 6 (1) (b) GDPR.²
2. Direct marketing: overriding legitimate interests of [SERVICE PROVIDER] (see no. (6))
6. Description of (overriding) legitimate interests for the purposes
of direct marketing:
The controller will process customer data (except for data of children or special categories of personal data as defined in Art. 9 GDPR³ ("sensitive data")) also to use them for direct marketing purposes for (other) products of the controller (see also no. (5)). The controller has a legitimate interest in processing personal data for direct marketing purposes (last sentence of Recital 47, GDPR). Only customer data which the controller possesses under the contractual relationship and for which the storage period has not expired yet will be processed. This will not extend the storage period. The primary aim of data processing is to solicit customers with the aim of selling software solutions to customers. In this regard the controller relies on its freedom to communicate, which is protected by constitutional law and conventions (in particular Art. 10 of the European Convention on Human Rights (ECHR), which also protects advertising measures) and on the rights to
- send electronic mail upon consent;
- send electronic mail as defined in Section 107 (3) of the Austrian Telecommunications Act [TKG].
When using such data the controller shall meet the requirements under communication law, in particular Section 107 TKG.
of verifying the licence:
The controller will store IP addresses of licensed customers to verify the licence key and prevent misuse of the licence key. The controller has an overriding legitimate interest in such data processing for the purposes of verifying the licence.
of IT security:
The controller will store the IP addresses of its customers for a period of 7 days to defend against targeted attacks in the form of server overloads (Denial of Service attacks) or other damage to the systems. The controller has an overriding legitimate interest in such data processing for the purpose of maintaining the functionality of their services provided online (Recital 49 GDPR).
7. Obligation to provide data
The customer is under no obligation to provide data.
8. Automated decision-making
The customer is subject to no automated decision-making which would become legally effective vis-à-vis him.
9. Processed types of data
provided by the customer:
- Name/Company name
- Address(es)
- Phone and fax number(s)
- Email address(es)
additionally collected by the [SERVICE PROVIDER]:
- IP addresses (log files and licence verification)
- Information of the terminal device (e.g. operating system version, language, etc.)
- Browser used
- Equipment used
- Information on use of account and licence (e.g. date created, user name, computer name, number of logins, date of the last request, error reports)
- Information on newsletter subscription
- Communications protocol
10. Data sources (To the extent not provided by the customer)
Source:
SendInBlue
55 rue d’Amsterdam
75008 Paris - France
Types of data:
Click behaviour of the customer in email communication (e.g. receiving and opening of email messages, opening a link contained in email messages, etc.)
https://www.sendinblue.com/legal/privacypolicy
Source:
MyCommerce / shareit
Mariahilferstrasse 50/2/11
Entrance Kirchengasse 1
1070 Vienna - Austria
Types of data:
Customer data from the sale of licences by e-commerce providers / sales platforms.
https://www.mycommerce.com/corporate-policy
Source:
Fastspring
FastSpring B.V.
De Cuserstraat 91
11081 CN Amsterdam - Netherlands
Types of data:
Customer data from the sale of licences by e-commerce providers / sales platforms.
https://fastspring.com/privacy
Source:
Freshdesk
Freshworks
Alte Jakobstrasse 85/86
Hof 3, Haus 6
10179 Berlin - Germany
Types of data:
Email addresses of customers and content of support requests by email and via the website.
https://freshdesk.com/gdpr
11. External recipients of data
Processor:
SendInBlue
55 rue d’Amsterdam
75008 Paris - France
Types of data:
Email addresses of customers for email campaign mailing
https://www.sendinblue.com/legal/privacypolicy
Processor:
Azure
Microsoft
One Microsoft Way
Redmond, WA 98052-6399 - USA
Types of data:
Cloud provider stores visitor IP addresses accessing web servers and download sites in log files and for security purposes.
https://www.microsoft.com/en-us/TrustCenter/Privacy
Processor:
Freshdesk
Freshworks
Alte Jakobstrasse 85/86
Hof 3, Haus 6
10179 Berlin - Germany
Types of data:
Email addresses of customers and content of support requests by email and via the website.
https://freshdesk.com/gdpr
Processor:
Google
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043 - USA
Types of data:
G Suite for email communication
https://policies.google.com/privacy
Processor:
Netmonic
TIMEWARP IT Consulting GmbH
Diefenbachgasse 5/7
1150 Vienna - Austria
Types of data:
Cloud provider stores IP addresses accessing web servers and download sites in log files and for security purposes.
https://timewarp.at/impressum
All processors can be written to and contacted via the controller with regard to questions of data protection law.
12. Transfer to third countries
In the course of data processing the following data will be transmitted to countries outside the EU:
Country: USA
Application: Google LLC (EU-US Privacy Shield)
Types of Data: Email communication
Country: USA
Application: Microsoft
Types of Data: IP addresses
13. Social media presence
The controller advises that it keeps available separate online presences in social media channels for advertising purposes and for communicating with customers. In these online presences customer data may be processed outside the European Union, which increases the risk for a data protection breach. To the extent that they are resident in the USA the providers of social media channels have submitted to the EU-US Privacy Shield.
Those online presences are kept available in the technical environment of the relevant social media operator. The social media operator will then use the customer's visit to the online presence for his own purposes, in particular for sending out (interest-based) advertising. The social media operators use the visit to store cookies on the customer's terminal device, to retrieve existing cookies/identifiers, to draw conclusions from the user behaviour regarding the customer's interests and thus to enhance the user profile which has been established for the customer or the identifier. The aim is to send out interest-based advertising to the customer, which may also be done on websites of third-party providers visited at a later point in time.
Processing personal data of the customer is based on the overriding legitimate interests of the controller in advertising measures and communication with the customer, which is protected by conventions and constitutional law through the freedom to carry on a business (Art. 6 of the Austrian Basic Law [Staatsgrundgesetz/StGG]) and the freedom to communicate (in particular Art. 10 ECHR, which also protects advertising measures). If the customers are users of social media channels, data processing may also be covered by the customer's consent.
The controller advises that it has no access whatsoever to the customer's data. Thus, the controller recommends customers contact the social media channel directly if they want to assert their rights to access, rectification, erasure, restriction, objection and data portability. Users of social media channels may also make changes in their privacy settings themselves. If necessary, the controller will provide assistance to the customer.
Additional information is available to the customer at:
Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Privacy statement: https://www.facebook.com/about/privacy
Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Privacy statement: https://policies.google.com/privacy
Opt-out: https://adssettings.google.com/authenticated
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Privacy statement: https://twitter.com/de/privacy
Opt-out: https://twitter.com/personalization
14. Storage period
Non-registered users: Personal data (in particular the IP address) of (non-registered) visitors to the website will be stored for purposes of IT security for a period of 7 days.
Registered customers: Generally, data of registered customers will be processed by the controller on the legal basis stated above for another 40 months after termination of the contract (= 36 months for potential contractual claims for damages + a service period of a maximum of 4 months for service of a claim) and then deleted (in any case, the reference to a person).
15. Rights of the data subject
Basis: Art 15 GDPR "Access"
Contents: The customer shall have the right to obtain confirmation as to whether or not his personal data is being processed.
Basis: Art 16 GDPR "Rectification"
Contents: The customer shall have the right to obtain without undue delay the rectification of inaccurate personal data or to have it completed.
Basis: Art 17 GDPR "Erasure"
Contents: The customer shall have the right to obtain the erasure of personal data without undue delay as long as the reasons stated in Art 17(1) GDPR are fulfilled.
Basis: Art 18 GDPR "Restriction"
Contents: The customer shall have the right to obtain restriction of processing of personal data as long as the reasons stated in Art 18(1) GDPR are fulfilled.
Basis: Art 21 GDPR "Objection"
Contents: The customer shall have the right to object to processing of his personal data at any time to the extent that the processing of personal data is based on an overriding legitimate interest of the controller.
Basis: Art 20 GDPR "Data portability"
Contents: The customer shall have the right to receive the personal data concerning him, which he has provided, in a structured, commonly used and machine-readable format.
16. Right to lodge a complaint
Basis: Art 77 GDPR
Contents: Each customer shall have the right to lodge a complaint with the supervisory authority if he considers that the processing of personal data relating to him infringes this Regulation.
17. Supervisory authority
Austrian Data Protection Authority [Österreichische Datenschutzbehörde]
Wickenburggasse 8-10
A-1080 Vienna
Phone: +43 1 52 152-0
Email: [email protected]
¹ If only the masculine form is used to describe natural persons in this data protection information, it shall refer to both women and men equally. If a term is used for a specific person, the respective gender-specific form shall be used. The term customer refers to both consumers and entrepreneurs.
² Kühling/Buchner DS-GVO [GDPR] 2017, Art 6 (59)
³ General Data Protection Regulation, which may be retrieved from https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679