Privacy Policy

With this Privacy Policy, we inform you about the scope of the processing of your personal data (hereinafter referred to as "data") when using our website, web portal and the apps we provide there.

1. Introduction

We care about your privacy and are committed to the security of your personal data. Cofinity-X will comply with all legal obligations regarding the processing of personal data and will ensure that the rights of data subjects are respected and timely addressed.

The following policy outlines the standards we follow when processing your data. You will find information on what data we collect, how we process it and what rights you have. It applies to all visitors and customers to our Website, Web Portal and the Services and Applications offered by and through us. Please read this Privacy Policy carefully. By accessing or using any part of the Website, Web Portal or Services and Applications, you acknowledge you have been informed of and consent to our practices with regard to your personal information and data.

2. Definitions

  • Personal Data: Personal Data means any information relating to an identified or identifiable natural person (hereinafter data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data Subject: Data Subjects are persons identified or identifiable by data processing activities of Cofinity-X.
  • Data Controller: Data Controller is the individual or organization that determines the purposes and the means for processing personal data, and has the responsibility for ensuring compliance with relevant data protection laws.
  • Cooperation Partners: who provide services for you or in connection with external entity involved in processing personal data alongside a data controller to achieve a specific purpose that involves the processing of personal data.

3. Controller for data processing

The controller for data processing in accordance with the provisions of the General Data Protection Regulation (GDPR) is:

Cofinity-X GmbH

Breslauer Platz 4

50668 Cologne

Germany

Web: www.cofinity-x.com

4. General information on data processing

We process data as part of our business and website operations.

This also includes disclosure by transmission to third parties and, if applicable, to so-called third countries outside the European Union ("EU") and the European Economic Area ("EEA"). Insofar as we transfer data outside the EU or the EEA, we have marked this accordingly below.

5. Data processing

a) Log file when visiting the website:

We log your website visit. In doing so, we process

  • the name(s) of our accessed website(s),
  • the date and time of retrieval,
  • the amount of data transferred,
  • the browser type and version,
  • the operating system you are using,
  • the referrer URL (the previously visited website),
  • your IP address,
  • the requesting provider.

The legal basis for data processing is our overriding legitimate interest in the continuous provision and security of our website in accordance with Art. 6 (1) f) GDPR.

The log file is erased after three years unless it is required to prove or clarify specific legal violations that have become known within the retention period.

b) Hosting via Webflow

To provide our online presence, we use the services of web hosting providers who process the above-mentioned data and all data to be processed in connection with the operation of this website (log file when visiting the website) on our behalf.

The legal basis for data processing is our overriding legitimate interest in the provision of our website in accordance with Art. 6 (1) f) GDPR.

For our hosting, we use the Webflow service. It is possible that data may also be transferred to Webflow in the USA. Webflow is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

c) Contacting us

If you contact us, we process the following data from you for the purposes of the processing and handling of your request: Name, contact details - if provided by you - and your message.

The legal basis for data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your request pursuant to Art. 6 (1) f) GDPR.

d) Intercom

We use Intercom, a messaging and communication platform, on our website. The service provider is the American company Intercom, Inc, 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA.

The legal basis for data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your request pursuant to Art. 6 (1) f) GDPR.

Intercom may process your data in the USA. Intercom is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

Intercom also uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Through the EU-US Data Privacy Framework and the standard contractual clauses, Intercom undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. The Intercom Data Processing Terms (Data Protection Agreement), which corresponds to the Standard Contractual Clauses, can be found at Data Processing Agreement | Intercom.

e) Microsoft Bookings

You can easily book appointments with our employees yourself via the booking platform MS Bookings. When you make an online appointment booking on our website, we use the Microsoft Bookings service provided by Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.

When you book an appointment online, we process the personal data contained in the booking form. This includes: Title, name, telephone number, email address and, if applicable, the company and additional notes or messages.

The legal basis for data processing is our overriding legitimate interest in providing a simple appointment booking system in accordance with Art. 6 (1) f) GDPR.

Microsoft Ireland Operations Limited is a subsidiary of the Microsoft Group with headquarters in the USA. Data may therefore be forwarded to Microsoft Online Inc. based in the USA and processed there. Microsoft is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

f) User account

In connection with the opening and use of an account, we process your surname, first name, your company e-mail address and your location. This serves the purpose of identifying you as a user. The recording of your location is necessary as the use of our portal from the territory of the Federative Republic of Brazil is not permitted.

The legal basis for this data processing is our obligation to fulfill the contract and to fulfill our pre-contractual obligations in accordance with Art. 6 (1) b) GDPR.

g) Newsletter

When you subscribe to our newsletter, we store the name and email address you provide and other information you submit via the form in order to send you our newsletter.

Your personal data may have been provided to us by one of our cooperation partners from whom you downloaded our whitepaper or other content and gave your consent to receive our newsletter.

The legal basis for the processing of personal data is your consent pursuant to Article 6 (1) a) GDPR, which is declared when you subscribe to our newsletter and which you can revoke at any time. The data will be stored until you unsubscribe from the newsletter.

For our newsletter we use the services of Hubspot Inc, 25 First Street, 2nd floor, Cambridge, MA 02141, USA. Hubspot is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

h) Contract processing

We process your order data to handle the contractual relationship between you and us.

The legal basis for data processing is the fulfillment of our contractual obligations in accordance with Art. 6 (1) b) GDPR and, in individual cases, the fulfillment of our legal obligations in accordance with Art. 6 (1) c) GDPR.

For this purpose, we use the services of Hubspot. It is possible that data may also be transferred to Hubspot Inc, 25 First Street, 2nd floor, Cambridge, MA 02141, in the USA. Hubspot is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

i) Marketplace

If you submit a subscription request to an app or service provider via our marketplace, we will transmit your name and email address to them to enable them to contact you and fulfill your request.

The legal basis for data processing is the fulfillment of our contractual obligations in accordance with Art. 6 (1) b) GDPR.

j) Cofinity-X apps on the marketplace

We provide you with apps on our marketplace, for which we need in particular your surname, first name and email address.

The legal basis for data processing is the fulfillment of our contractual obligations in accordance with Art. 6 (1) b) GDPR.

Please note that we also offer you access to third party apps or service providers on our marketplace, for which we are not controller under data protection law. In this case, please note the information under i) Marketplace, and observe the supplementary data protection notices of the respective providers.

k) Jira (Atlassian)

As part of our customer support, we use the Jira ticket system from Atlassian, Inc. 350 Bush Street, Level 13, San Francisco, California 94104, USA.

We process your data via our ticket system in order to respond to support requests. We process all data that you provide to us via a request, in particular your surname, first name, email address and the content of the request.

If you have entered into a pre-contractual relationship or contractual relationship with us, the legal basis for data processing is the effective performance of the contract pursuant to Art. 6 (1) b) GDPR.

We only use data centers that are located within the European Union. In the context of the use of Atlassian, third country transfers to the USA may occur. However, Atlassian is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA.

l) User research

Our in-house UX team conducts interviews to learn about user experiences with our products and services. Customers may occasionally be contacted to take part in various research activities, such as surveys, interviews or usability tests.

Participation in each survey or interview is voluntary and it may be declined each time.

The legal basis for data processing is our overriding legitimate interest in the improvement of our products and services in accordance with Art. 6 (1) f) GDPR or your consent pursuant to Article 6 (1) a) GDPR.

Interviews will be audio or video recorded with the proper consent. Cofinity-X researchers or stakeholders may observe the responses during the interviews. They may also view session recordings or notes at a later date.

Research reports may be published internally including comments and experiences in an anonymized way. If any information from a research activity is used for any reason, Cofinity-X will not provide any details that could allow a third party to identify the participants, nor will we use this information in any way that could cause them harm.

6. Use of cookies

We use so-called cookies on our website. Cookies are small text files that are stored on your end device (PC, smartphone, tablet, etc.) and saved by your browser.

Information about the specific cookies we use, their providers and purposes can be found in our consent banner. Through it you give your consent to the respective services as required under Section 25 (1) of the German Data Protection Act (TTDSG). You can withdraw your consent or adapt your settings at any time with effect for the future by modifying the cookie settings.

a) Our consent banner

We use a consent banner to document your selection of certain data processing procedures and to fulfill our data protection obligations. When you visit our website, your cookie preferences are consulted via a banner. We then set a cookie in which data on consents given or withdrawn is stored. The data processing is carried out to fulfill our legal obligations in accordance with Art. 6 para. 1 c) GDPR.

b) Google Analytics, Google Ads and Google Conversion Tracking

In order to analyse the use of our website and to regularly improve our services, we use Google Analytics. We also use Google Ads (formerly Google AdWords) to draw attention to our attractive offers by placing ads on external websites. Furthermore, we measure the conversion of the ads (“conversion tracking”). However, we only get information on the anonymous total number of users who clicked on our ad and were redirected to a page marked with a so-called “conversion tracking tag”. We ourselves do not receive any information with which users can be identified.

These services are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The legal basis for the use of these tools is Art. 6 (1) a) GDPR. You give your consent for some or all of these services via the cookie banner.

Personal data is stored by Google Analytics for a maximum of 14 months.

Google is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA. Insofar as Google also processes your data in a third country without adequate data protection, the standard contractual clauses updated by the European Commission will apply in this respect, which can be accessed at https://business.safety.google/adsprocessorterms/sccs/eu-p2p-intra-group/.

c) Hubspot

We use HubSpot on our website to support our marketing activities. HubSpot is a software company based in the USA, with a branch office located at 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.

This comprehensive software solution assists us in managing various marketing and customer service processes. These include email marketing for sending newsletters and automated emails, publishing and analyzing social media content, contact management including user segmentation and CRM, and creating landing pages and contact forms. The legal basis for the use of these tools is Art. 6 (1) a) GDPR. You give your consent via the cookie banner.

Hubspot is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA. For potential transfers to other third countries outside the EU and EEA, for which there is no adequacy decision by the EU Commission, standard data protection clauses according to Art. 46 Para. 2 lit. c GDPR are agreed upon. These clauses oblige the recipient of the data in the third country to process the data in accordance with the European level of protection.

d) Hotjar

In order to optimize the functionality and user-friendliness of our website, we use the web analysis service Hotjar, of Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe ("Hotjar").

Hotjar works with cookies and other technologies to collect statistical information about the behavior of our users and their end devices. Hotjar processes the following data: User behavior (clicks, mouse movements, scroll heights, etc.), IP address of your device (collection and storage in an anonymized format), name and email address (if provided), screen size of the device, device type and browser functions and geographical location (country) to determine the preferred language when displaying the website. This data is transmitted to Hotjar's servers. Hotjar stores this information in a pseudonymized user profile. The information is not used by Hotjar or by us to identify individual users or merged with other data about individual users.

The legal basis for data processing is your prior consent in accordance with Art. 6 para. 1 a) GDPR.

e) External content

We use dynamic content ("content") from third parties to optimize the presentation and offer of our website. When you visit the website, a request is automatically sent to the server of the respective content provider via an interface, during which certain log data (e.g. the user's IP address) is transmitted. The dynamic content is then transmitted to our website and displayed there.

We use external content in connection with the following functionalities:

Integration of YouTube videos

We have integrated videos from the "YouTube" portal of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") on our website. Google does not store any cookies in your browser.

The legal basis for processing is your prior consent in accordance with Art. 6 (1) a) GDPR.

It cannot be ruled out that data will be transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google is certified under the EU-US Data Privacy Framework and is therefore subject to the EU adequacy decision for the USA.

f) PostHog

We use the PostHog analysis tool on our website, offered by PostHog Inc, 2261 Market Street 4008, San Francisco, CA 94114, USA. PostHog enables us to analyze user behavior in order to continuously improve our online offering.

Your data is processed on the basis of our legitimate interest in accordance with Art. 6 (1) f) GDPR.

PostHog uses cookies to recognize returning users and analyze their behavior. The processing serves to analyze user behavior on our website in order to make our offer more user-friendly and to identify malfunctions, technical errors or bottlenecks and to rectify them in a targeted manner.

PostHog collects the following data, among others:

  • IP address (in anonymized form)
  • Device information (e.g. browser type, operating system)
  • Usage data (e.g. pages visited, click behaviour, time spent)
  • Timestamp and language settings

The data is processed anonymously and is not merged with other personal data.

PostHog stores data on servers within the EU (Frankfurt am Main) by default. In exceptional cases, data may be transferred to the USA. PostHog Inc. is certified under the EU-US Data Privacy Framework and is therefore covered by the EU adequacy decision for the USA. We have also concluded a Data Processing Agreement with PostHog, which ensures compliance with data protection requirements.

Further information on data protection at PostHog can be found in PostHog's privacy policy: PostHog & GDPR compliance - Docs - PostHog

7. Duration of data storage

We only store personal data for as long as necessary for the purposes for which it is processed, or until the data subjects withdraw their consent. To the extent that certain legal retention obligations must be complied with, the storage period for some data may be up to 10 years, regardless of the purposes of the processing.

8. Your rights as a data subject

Data subjects have specific rights regarding the personal data that an organization collects and processes and they may exercise these rights at any time. Any and all requests will be handled within the specified timeframe of 30 days.

In addition to the general information obligations under Arts. 12-14 of the General Data Protection Regulation (GDPR), data subjects have the following rights:

Right to Access (Art. 15 GDPR)

Data subjects have the right to request access to the personal data an organization holds about them. This includes information on the purposes of processing, the categories of data, and recipients of the data. If no personal data of the data subject has been processed, the data subject will be informed accordingly.

Right to Rectification (Art. 16 GDPR)

Data subjects have the right to request rectification, completion or updating of their personal data when it is inaccurate, incomplete or outdated.

Right to Erasure (Art. 17 GDPR)

Data subjects have the right to request the deletion of their personal data, as long as the respective requisites are met and no exceptions to the deletion obligation are in place. For example, when the personal data is no longer necessary for the purposes for which it was collected, consent has been withdrawn, personal data has been processed unlawfully and/or the data subject objects to the processing of their personal data and there are no overriding legitimate grounds for further processing.

Right to Restriction of Processing (Art. 18 GDPR)

Data subjects have the right to request the restriction of processing of their personal data if they believe the data is inaccurate, the processing is unlawful, or they object to the processing.

Right to Data Portability (Art. 20 GDPR)

Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to have their data transmitted to another data controller.

Right to Object (Art. 21 GDPR)

Data subjects have the right to object to the processing of their data. Data subjects must provide a particular situation that warrants the objection.

Right not to be subject to automated individual decision-making (Art. 22 (3) GDPR)

Data subjects have the right to not be subject to decisions based solely on automated processing, including profiling.

Right to Withdraw Consent (Art. 7 (3) GDPR)

Data subjects have the right to withdraw the consent given for personal data processing at any time. This shall not affect the lawfulness of any processing that took place with the consent up until its withdrawal. The processing of personal data will be discontinued immediately once consent has been withdrawn.

9. Contacting us, exercising your rights and lodging a complaint

If you have any questions regarding the processing of your personal data, information, rectification, blocking, objection or deletion of data or if you wish to transfer the data to another enterprise, please contact our Data Protection Officer at privacy@cofinity-x.com.

In case of data protection breaches or misconduct, you have the option of raising an anonymous complaint through our Whistleblowing Hotline.

You may also complain to a supervisory authority about your rights as a data subject, in particular in the Member State where you have your habitual residence or place of work or where the alleged infringement took place.

Our local authority:

State Commissioner for Data Protection and Freedom of Information Nordrhein-Westfalen

Kavalleriestr. 2-4

40213 Düsseldorf

https://www.ldi.nrw.de/.