Privacy & Security
We keep data protection and the security of your data in mind!
Privacy and security
During StampLab development and with every update, we keep an eye on the privacy and security of your data!
Your trust is important to us, which is why we handle all your data responsibly.
Your data is yours!
Your information is your property and our team at l3montree is committed to protecting it. As long as we hold your data, we will do our best to protect it and make it accessible only to you.
We process your data, as a processor, only in the context of providing our software, services and on your instructions. We do not share, sell, or use your data for any purpose other than as described below.
As our customer, you are a data subject within the meaning of the GDPR - you are therefore responsible for protecting your data subject rights.
We have built a permission system into StampLab that is based on role types and individual permissions. So you can define which employees can see which data according to your own concept.
The default settings are always data protection friendly and meet your requirements and those of the DSGVO. In concrete terms, this means, for example, that when employees join your workplace, they cannot view any data except their own. Then, when they are assigned a role, they can only see information intended for that role.
The settings for even more sensitive access to data can be assigned in detail with individual permissions. Like for example the number of working hours of employees.
Access to your data
Only in case of errors in our systems, where access to your data is unavoidable, members of our team may access your data. We take care that our employees cannot see more of your data than is absolutely necessary.
In the case of support requests (on your part), you must first give us specific and unambiguous permission to process the request with your data. The processing is carried out internally only according to the "need-to-know principle".
Server in Germany
The servers on which your data is stored and processed by us are located in Germany. Our provider exclusively provides the hardware for the servers and ensures highly secure conditions in its data centers. The data centres are ISO 27001 certified, TÜV level 3 audited and PCI DSS compliant.
A bit of technical stuff
Protected transmission of your data
When data is sent from your device to our servers, it is protected with transport encryption (TLS/SSL) so that no one else can read it. Our servers support the latest variants and ciphersuites of these protocols.
When you create your account in StampLab with a password, we use so-called "hashing" to store your password in a protected way. Hashing is a cryptographic method that uses a one-way principle to change your input in such a way that your original input cannot be calculated. Even in case of data theft, your password is protected. We also strengthen the effectiveness of hashing by using so-called "salt".
When you leave StampLab
If at any time you no longer need or want to use our services, you can of course request an export of all data stored about you. We will then send you all your data in common formats.
This query of all your data, as well as the deletion, correction and your other rights under the GDPR, you can of course request at any time. An informal email to us is sufficient for this.
When our journey together ends, we will immediately delete all your data from our systems.
Our backups are deleted according to certain patterns, so it may take some time (maximum 3 months) until your data is completely deleted.
Documents on data protection and IT security
Here you will find the most important documents on data protection and IT security in StampLab and at l3montree:
The old version, valid for existing users until 27.06.2022, can be viewed here: Old version (DE only)
Personal data is any data with which you can be personally identified. With regard to the terminology used, such as "processing" or "controller", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
We cannot accept any liability for links to third-party content or third-party services.
Contact details of the responsible party
The provider of the application and responsible under data protection law is:
l3montree UG (limited liability). Managing Director: Tim Bastin & Sebastian Kawelke Professor-Neu-Allee 1 53225 Bonn Germany
You can reach our data protection officer at the following e-mail address: firstname.lastname@example.org
Statutory data protection officer
Sebastian Kawelke Professor-Neu-Allee 1, 53225 Bonn Germany
Data collection when using our app
When using our app, data inevitably accumulates that must be stored or processed in order to be able to offer the basic functions of the app at all. An analysis of your user behavior for advertising purposes does not take place.
If we collect data, this is so-called usage, meta and communication data. Basically, when you use our app (e.g. open it without having registered), there is data that our IT systems have to process automatically (e.g. IP address and port of the connection). These mainly technical data are processed by us only during the connection, but in principle not stored for a long time.
In the following, we explain which data we collect, process and possibly also store for a longer period of time.
Types of data collected - overview:
- Inventory data (e.g. name)
- Contact data (e.g. e-mail)
- Content data (e.g. text entries, profile pictures, plans)
- Meta/communication data (e.g. IP address, device information, crash/error information)
- Analysis data (optional)
Reasons for collection - Overview:
- Provision of our offer, functions and content.
- Responding to contact requests and communicating with users.
- Security measures
- Improvement of our offers
Indirect data collection (server logs)
In addition to this data processed in normal operation, our servers may collect and store so-called server log files. However, only accesses that are not legitimate, i.e. do not represent a normal use of our service, are stored longer. This is done to avert danger and to ensure the IT security of our systems.
**Specifically, such data could be: **
- operating system used
- app version used
- date and time of the server request
- IPv4 address and subnet, IPv6 address and prefix
A combination of this data with other data sources is not made.
The collection of this technical data is absolutely necessary for the provision of our app and for the operation of the offer, so that you as a user have no possibility to object. Of course, this does not affect your right of inspection as well as deletion (see "Your rights").
The legal basis for the collection of this data and its storage in log files is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest here is to ensure the smooth operation of our offer to provide you with a good experience with our product.
Collection of personal data when using our app.
In addition to the technical data mentioned above, we collect so-called inventory, content and contact data. This data includes all data that you generate and store yourself as a user with us. For example, your email address when registering or the data representing your input (such as layers, roles, etc.).
When using our offer with an account (when registering an account and continuing to use our app), the following data is collected by us:
- Your name
- Your email address
- Your profile picture
- Your affiliation to a workplace
- Your roles in your workplace (e.g. service worker)
- Your shifts
- The times you have entered (incl. descriptions and ratings (also viewable by managers))
- Your surveys
- Your tasks
- The work plans you have created (with descriptions)
- Your settings
- Your staff number (if a manager has entered it)
- Your date of birth (if you have entered it yourself, a manager cannot enter it)
- Your telephone number (if you have entered it yourself, a manager cannot enter it)
- Your address (if you have entered it yourself, a manager cannot make this entry)
- Your availabilities (on which days of the week and at which times you are usually available on these days)
- The absences you enter (category, status of request, media files (these are stored fully encrypted, these files may be shared with your managers or timekeepers as part of the time export), period of absence)
- Feedback/suggestions you send us from the app
- The version of the app you use and your device IDs (e.g. for push messages)
- IDs of your social account if you use the social login feature
- Your payment method (if you're using a paid plan)
- Your address (if you use a paid plan)
- Your company name (if you use a paid plan)
- Your tax number (if you use a paid plan)
- Your paid plan (if you use a paid plan)
- Your payment status (if you use a paid plan)
We only use this data to provide our service.
In principle, all data that is no longer necessary for our task fulfillment is deleted at regular intervals.
The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.
Videos such as instructions can be presented in the application. These are loaded from a storage service of T-Systems International GmbH (Open Telekom Cloud) as soon as you press the "View instructions" button and the view of the instructions opens. Through this retrieval, information about your use of our service (such as your IP address) is transmitted to servers of T-Systems International GmbH (located in Germany) and may be processed there.
The storage service of T-Systems International GmbH is used exclusively to be able to provide you with instructions in the form of videos in a fail-safe and high-performance manner and thus to improve our service for you (legitimate interest).
More detailed and further information on the purpose, scope, type and use of your data by the operator of the service can be found here: open-telekom-cloud.com
We cite Art. 6 (1) (f) DSGVO (and Art. 6 (1) (b) DSGVO) as the legal basis for this.
Push - notifications
If you want to agree to the option of receiving so-called push - notifications, you must give us permission to do so (request by the operating system during initial installation). Notifications can be subsequently enabled or disabled in the app settings. We use the services Firebase Cloud Messaging from Google (for Android) and Apple Push Notifications (for iOS) for push notifications. In order to deliver the notifications correctly, Apple and Firebase generate keys, which consist of the identifier of your device and the identifier of the app. These are stored with us and linked to your individual notification settings. Firebase and Apple always act as intermediaries, but do not receive any information about the content of the requests or notifications.
We store and process this data only to be able to offer you the benefits of push notifications. We cite Art. 6 (1) lit. f DSGVO and Art. 6 (1) lit. b DSGVO as the legal basis here.
Social Log In
Our app offers you the option of a so-called social log in. If you use this function, we receive from the provider of the social network, for example, profile information, such as your name or the e-mail address specified there. We use this data exclusively for the provision of our offer.
In order to use this function, you must establish a connection with the social network. In the process, other personal data of yours may also be transmitted to the provider of the network, such as your current IP address.
More detailed and further information on the purpose, scope, type and use of your data by the operator of the social network can be found in the individual privacy statements of the providers.
We store and process this data only to be able to offer you the benefits of the social log in. As a legal basis, we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.
Google Calendar Integration
If you choose to connect StampLab to your Google Calendar, your shifts will be synchronised with your Google Calendar. This means that when you pick up or drop off a shift, a calendar entry is automatically created or removed from your Google Calendar. StampLab uses the link to your Google Calendar exclusively for this purpose. We do not process any other data from your calendar.
In order to be able to offer this function, we primarily process access tokens from Google, which technically enable us to create and remove calendar entries in your Google calendar. We do not process or store other information, e.g. about other calendar entries.
We only store and process data that arises during processing in order to be able to offer you the benefits of calendar synchronisation. As a legal basis, we cite here Art. 6 para. 1 lit. a GDPR (optional function, consent by you), Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR.
Collection, processing and use of data with Firebase Analytics
To analyze user behavior, our app uses the services of Firebase Analytics. This analysis is optional and only takes place after your active consent (opt-in) during registration or by activating it in the app settings.
The Firebase SDK (Software Development Kit) collects information about the app version, device type, operating system version, when the app was installed, and the age, gender, and interest groups of users. Furthermore, the Firebase SDK collects information through other activities while using the app. The Firebase SDK's event-driven data collection is triggered by activities such as installing and launching the app, updates, reinstalling, updating the operating system, deleting app data, app crashes, and in-app purchases, as well as receiving, swiping, and opening push messages and opening and updating the app using a dynamic link. For each of these events, the number of visits, the number of users triggering the event, and, if available, the value of the event is recorded. To identify the devices, Firebase-SDK uses a device-specific ID.
By actively opting-in, you consent to Firebase processing your data and collecting data for the purposes described above. To prevent the collection and use of data by Firebase Analytics in this app, please object by not selecting the option "Send anonymous usage data" during your registration or by deactivating the option in the settings of your profile in the app.
As a legal basis, we cite Art. 6 (1) a DSGVO (optional function, consent by you) and Art. 6 (1) f DSGVO.
In order to provide you with technically necessary updates as quickly as possible, e.g. if a basic functionality of the app should not work or there is a security problem, we use the Code Push service from Microsoft. This will automatically update your app in the background and you can use the app as usual. To use this service we need to send your device ID and the version of the app to Microsoft. We do not pass on other data such as your e-mail address. Information about the purpose, scope, nature and use of your data by the operator of the service can be found at the following address:
We only share this data with this third party in order to offer you a good experience with our product and to ensure a smooth operation. As legal basis we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.
Usage and diagnostic data
If you have agreed to the collection and transmission of usage and diagnostic data such as crash reports, certain data will be sent to Apple or Google. We receive this data in anonymized and aggregated form, making it impossible for us to identify individuals.
We only use this data to improve our app, features and services.
Apple: Information collected may include details about hardware, operating system, speed statistics, and device and app usage (Apple Privacy). Apple's collection of usage and diagnostic data applies device-wide. You can turn it off at any time: Apple Support
Google: Google collects information such as battery level, how often you use your apps, and the quality and duration of your network connections (cellular, Wi-Fi, and Bluetooth). The setting whether you want to send usage and diagnostic data to Google applies device-wide. You can change it at any time: Google Support
Sentry: In addition to collecting diagnostic data from Google or Apple, we use a service called Sentry (sentry.io/privacy). Sentry is a service that helps us notice serious and critical errors in the app (e.g. errors that result in an app crash). To do this, your device may send error messages to Sentry in the background. We use these error messages solely to improve the app. These error messages contain data such as your app version, information about your device (e.g. Android version) and a unique anonymous ID generated per error (usage data such as your name or your entered times are never transmitted). Before a message is sent, we remove your email address, IP address or other personal data from the message on your device.
We collect this data only to provide you with a good experience with our product and to ensure smooth operation. As a legal basis, we cite here Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. b DSGVO.
Collection of further data when visiting stamplab.app
In addition to the above data, we collect other data when you visit our web version (https://stamplab.app). We use the service Umami, an open-source analytics application, to collect data about the behaviour of our users. We run our own instance of this service on our own servers - so no data is passed to third parties. We may collect the following data:
- the browser used (e.g. Google Chrome)
- the type of device (e.g. laptop or mobile)
- the screen resolution
- the language used
- the operating system (e.g. Android)
- an anonymous session ID (to avoid duplicating your website visit)
- which URLs you visit (which subpages)
- from which URL you came to our website (referrer)
- how long you were on our site
We collect this data in order to be able to improve our website and to offer you a good experience when visiting it, as well as to be able to guarantee smooth operation. We cite Art. 6 Para. 1 lit. f DSGVO as the legal basis for this.
When you visit stamplab.app, we set cookies solely to operate the site and provide features:
- Social Log-in (log in with Google/ Facebook).
- Payment services (Stripe)
As a legal basis, we cite here Art. 6 (1) lit. f DSGVO and the ECJ ruling (01.10.2019 (Az. C-673/17)). We refrain from setting other cookies respectively for other purposes.
In order to use StampLab, you may need a paid subscription. As part of taking out such a subscription, we use various payment service providers to offer you different payment methods. We use the following service providers:
The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the performance of a contract or pre-contractual measures.
If you enter into a business relationship with us by making payment transactions, we are required by various legal requirements, for example, to store invoices for 10 years (Art. 6 para. 1 lit. c DSGVO allows us this storage to fulfill our obligations to government agencies such as the tax office). We would like to point out that in such a case it is not possible for us to delete all your data, e.g. upon your request. All data that does not fall under such retention periods, we delete of course immediately upon your request.
Contact by e-mail
When contacting us, e.g. by e-mail, we collect your contact data until the reason for the contact loses its relevance and e.g. a reply from our side is no longer necessary. Of course, this does not affect your right of access and deletion (see "Your rights"). When contacting us by e-mail, it should be noted that the confidentiality of e-mails or other electronic forms of communication on the Internet is generally not guaranteed. For confidential information, we recommend contacting us in encrypted form (email@example.com) or by mail.
Kontakt per WhatsApp
Um uns über WhatsApp kontaktieren zu können, musst du bei WhatsApp registriert sein und den Datenschutzbestimmungen von WhatsApp zugestimmt haben. Wir bitten dich uns, wenn möglich, per E-Mail zu kontaktieren, da WhatsApp aus Datenschutzperspektive nicht unbedenklich ist. Wir sind über WhatsApp erreichbar, da wir dir einen einfachen und für dich komfortablen Weg der Kontaktaufnahme anbieten wollen. Wir nutzen den WhatsApp Dienst unter den folgenden Bedingungen: https://www.whatsapp.com/legal/business-data-processing-terms-20210927
Kontakt per Telegram
Um uns über Telegram kontaktieren zu können, musst du bei Telegram registriert sein und den Datenschutzbestimmungen von Telegram zugestimmt haben. Wir bitten dich uns, wenn möglich, per E-Mail zu kontaktieren, da Telegram aus Datenschutzperspektive nicht unbedenklich ist. Wir sind über Telegram erreichbar, da wir dir einen einfachen und für dich komfortablen Weg der Kontaktaufnahme anbieten wollen.
How we protect your data
This app uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests you send to our server. This method is implemented for all communication between the app and our servers.
When TLS encryption is enabled, the data you transmit to us cannot be read by third parties.
In addition to encryption during transmission, we also protect your data on our servers, within the framework of current procedures.
Furthermore, our employees are also obligated to maintain the confidentiality of your data.
Even if we use all available security mechanisms, we point out that data transmission on the Internet can have security gaps. A complete protection of data against access by third parties is not possible.
If you create your account in StampLab with a password, we use so-called "hashing" to store your password in a protected manner. Hashing is a cryptographic process that uses a one-way principle to change your input in such a way that your original input cannot be calculated. Even in case of data theft, your password is protected. We also strengthen the effectiveness of hashing by using so-called "salt".
Revocation of your consent to data processing
By using our offer, you agree to the processing of the data collected for the provision of the offer. There is no direct possibility for you to object. However, you can of course request the deletion of all data.
Many data processing operations are only possible with your express consent. You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right of appeal to the competent supervisory authority
In the event of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is the state data protection commissioner of the federal state in which our company is based. A list of data protection officers and their contact details can be found in the following link.
Right to data portability
You have the right to have data that we process on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
Information, blocking, deletion and correction
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction, blocking or deletion of this data. For this and other questions on the subject of personal data, you can contact us at any time at the address given in the imprint.
You can request a data export in the app as well as the deletion of your account.
Criteria for determining storage periods
Your personal data will be stored by us until the contractual relationship is finally terminated, no further mutual claims can arise from it and also the statutory or internal retention periods have expired.