Privacy policy for the StampLab app

General information

Edited: 15.06.2022

The old version, valid for existing users until 27.06.2022, can be viewed here: Old version (DE only)

Protecting your personal data when using our app is important to us. Here you can find out what data is collected and used. This privacy policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") within our app and its associated services, functions and content.

Personal data is any data with which you can be personally identified. With regard to the terminology used, such as "processing" or "controller", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Exclusion

We cannot accept any liability for links to third-party content or third-party services.

Contact details of the responsible party

The provider of the application and responsible under data protection law is:

l3montree UG (limited liability). Managing Director: Tim Bastin & Sebastian Kawelke Professor-Neu-Allee 1 53225 Bonn Germany

You can reach our data protection officer at the following e-mail address: datenschutz@l3montree.com

Statutory data protection officer

Sebastian Kawelke Professor-Neu-Allee 1, 53225 Bonn Germany

Data collection when using our app

When using our app, data inevitably accumulates that must be stored or processed in order to be able to offer the basic functions of the app at all. An analysis of your user behavior for advertising purposes does not take place.

If we collect data, this is so-called usage, meta and communication data. Basically, when you use our app (e.g. open it without having registered), there is data that our IT systems have to process automatically (e.g. IP address and port of the connection). These mainly technical data are processed by us only during the connection, but in principle not stored for a long time.

In the following, we explain which data we collect, process and possibly also store for a longer period of time.

Types of data collected - overview:

• Inventory data (e.g. name)
• Contact data (e.g. e-mail)
• Content data (e.g. text entries, profile pictures, plans)
• Meta/communication data (e.g. IP address, device information, crash/error information)
• Analysis data (optional)

Reasons for collection - Overview:

• Provision of our offer, functions and content.
• Responding to contact requests and communicating with users.
• Security measures
• Improvement of our offers

Indirect data collection (server logs)

In addition to this data processed in normal operation, our servers may collect and store so-called server log files. However, only accesses that are not legitimate, i.e. do not represent a normal use of our service, are stored longer. This is done to avert danger and to ensure the IT security of our systems.

**Specifically, such data could be: **

• operating system used
• app version used
• date and time of the server request
• IPv4 address and subnet, IPv6 address and prefix

A combination of this data with other data sources is not made.

The collection of this technical data is absolutely necessary for the provision of our app and for the operation of the offer, so that you as a user have no possibility to object. Of course, this does not affect your right of inspection as well as deletion (see "Your rights").

The legal basis for the collection of this data and its storage in log files is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest here is to ensure the smooth operation of our offer to provide you with a good experience with our product.

Collection of personal data when using our app.

In addition to the technical data mentioned above, we collect so-called inventory, content and contact data. This data includes all data that you generate and store yourself as a user with us. For example, your email address when registering or the data representing your input (such as layers, roles, etc.).

When using our offer with an account (when registering an account and continuing to use our app), the following data is collected by us:

• Your name
• Your email address
• Your profile picture
• Your affiliation to a workplace
• Your roles in your workplace (e.g. service worker)
• Your shifts
• The times you have entered (incl. descriptions and ratings (also viewable by managers))
• Your surveys
• Your tasks
• The work plans you have created (with descriptions)
• Your settings
• Your staff number (if a manager has entered it)
• Your date of birth (if you have entered it yourself, a manager cannot enter it)
• Your telephone number (if you have entered it yourself, a manager cannot enter it)
• Your address (if you have entered it yourself, a manager cannot make this entry)
• Your availabilities (on which days of the week and at which times you are usually available on these days)
• The absences you enter (category, status of request, media files (these are stored fully encrypted, these files may be shared with your managers or timekeepers as part of the time export), period of absence)
• Feedback/suggestions you send us from the app
• The version of the app you use and your device IDs (e.g. for push messages)
• IDs of your social account if you use the social login feature
• Your payment method (if you're using a paid plan)
• Your address (if you use a paid plan)
• Your company name (if you use a paid plan)
• Your tax number (if you use a paid plan)
• Your paid plan (if you use a paid plan)
• Your payment status (if you use a paid plan)

We only use this data to provide our service.

In principle, all data that is no longer necessary for our task fulfillment is deleted at regular intervals.

The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Videos

Videos such as instructions can be presented in the application. These are loaded from a storage service of T-Systems International GmbH (Open Telekom Cloud) as soon as you press the "View instructions" button and the view of the instructions opens. Through this retrieval, information about your use of our service (such as your IP address) is transmitted to servers of T-Systems International GmbH (located in Germany) and may be processed there.

The storage service of T-Systems International GmbH is used exclusively to be able to provide you with instructions in the form of videos in a fail-safe and high-performance manner and thus to improve our service for you (legitimate interest).

More detailed and further information on the purpose, scope, type and use of your data by the operator of the service can be found here: open-telekom-cloud.com

We cite Art. 6 (1) (f) DSGVO (and Art. 6 (1) (b) DSGVO) as the legal basis for this.

Push - notifications

If you want to agree to the option of receiving so-called push - notifications, you must give us permission to do so (request by the operating system during initial installation). Notifications can be subsequently enabled or disabled in the app settings. We use the services Firebase Cloud Messaging from Google (for Android) and Apple Push Notifications (for iOS) for push notifications. In order to deliver the notifications correctly, Apple and Firebase generate keys, which consist of the identifier of your device and the identifier of the app. These are stored with us and linked to your individual notification settings. Firebase and Apple always act as intermediaries, but do not receive any information about the content of the requests or notifications.

We store and process this data only to be able to offer you the benefits of push notifications. We cite Art. 6 (1) lit. f DSGVO and Art. 6 (1) lit. b DSGVO as the legal basis here.

Social Log In

Our app offers you the option of a so-called social log in. If you use this function, we receive from the provider of the social network, for example, profile information, such as your name or the e-mail address specified there. We use this data exclusively for the provision of our offer.

In order to use this function, you must establish a connection with the social network. In the process, other personal data of yours may also be transmitted to the provider of the network, such as your current IP address.

More detailed and further information on the purpose, scope, type and use of your data by the operator of the social network can be found in the individual privacy statements of the providers.

Facebook

Google

We store and process this data only to be able to offer you the benefits of the social log in. As a legal basis, we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.

Google Calendar Integration

If you choose to connect StampLab to your Google Calendar, your shifts will be synchronised with your Google Calendar. This means that when you pick up or drop off a shift, a calendar entry is automatically created or removed from your Google Calendar. StampLab uses the link to your Google Calendar exclusively for this purpose. We do not process any other data from your calendar.

In order to be able to offer this function, we primarily process access tokens from Google, which technically enable us to create and remove calendar entries in your Google calendar. We do not process or store other information, e.g. about other calendar entries.

We only store and process data that arises during processing in order to be able to offer you the benefits of calendar synchronisation. As a legal basis, we cite here Art. 6 para. 1 lit. a GDPR (optional function, consent by you), Art. 6 para. 1 lit. b GDPR, Art. 6 para. 1 lit. f GDPR.

Information from Google on data protection

Collection, processing and use of data with Firebase Analytics

To analyze user behavior, our app uses the services of Firebase Analytics. This analysis is optional and only takes place after your active consent (opt-in) during registration or by activating it in the app settings.

The Firebase SDK (Software Development Kit) collects information about the app version, device type, operating system version, when the app was installed, and the age, gender, and interest groups of users. Furthermore, the Firebase SDK collects information through other activities while using the app. The Firebase SDK's event-driven data collection is triggered by activities such as installing and launching the app, updates, reinstalling, updating the operating system, deleting app data, app crashes, and in-app purchases, as well as receiving, swiping, and opening push messages and opening and updating the app using a dynamic link. For each of these events, the number of visits, the number of users triggering the event, and, if available, the value of the event is recorded. To identify the devices, Firebase-SDK uses a device-specific ID.

By actively opting-in, you consent to Firebase processing your data and collecting data for the purposes described above. To prevent the collection and use of data by Firebase Analytics in this app, please object by not selecting the option "Send anonymous usage data" during your registration or by deactivating the option in the settings of your profile in the app.

As a legal basis, we cite Art. 6 (1) a DSGVO (optional function, consent by you) and Art. 6 (1) f DSGVO.

Code Push

In order to provide you with technically necessary updates as quickly as possible, e.g. if a basic functionality of the app should not work or there is a security problem, we use the Code Push service from Microsoft. This will automatically update your app in the background and you can use the app as usual. To use this service we need to send your device ID and the version of the app to Microsoft. We do not pass on other data such as your e-mail address. Information about the purpose, scope, nature and use of your data by the operator of the service can be found at the following address:

Microsoft

We only share this data with this third party in order to offer you a good experience with our product and to ensure a smooth operation. As legal basis we cite here Art. 6 para. 1 lit. f DSGVO and Art. 6 para. 1 lit. b DSGVO.

Usage and diagnostic data

If you have agreed to the collection and transmission of usage and diagnostic data such as crash reports, certain data will be sent to Apple or Google. We receive this data in anonymized and aggregated form, making it impossible for us to identify individuals.

We only use this data to improve our app, features and services.

Apple: Information collected may include details about hardware, operating system, speed statistics, and device and app usage (Apple Privacy). Apple's collection of usage and diagnostic data applies device-wide. You can turn it off at any time: Apple Support

Google: Google collects information such as battery level, how often you use your apps, and the quality and duration of your network connections (cellular, Wi-Fi, and Bluetooth). The setting whether you want to send usage and diagnostic data to Google applies device-wide. You can change it at any time: Google Support

Sentry: In addition to collecting diagnostic data from Google or Apple, we use a service called Sentry (sentry.io/privacy). Sentry is a service that helps us notice serious and critical errors in the app (e.g. errors that result in an app crash). To do this, your device may send error messages to Sentry in the background. We use these error messages solely to improve the app. These error messages contain data such as your app version, information about your device (e.g. Android version) and a unique anonymous ID generated per error (usage data such as your name or your entered times are never transmitted). Before a message is sent, we remove your email address, IP address or other personal data from the message on your device.

We collect this data only to provide you with a good experience with our product and to ensure smooth operation. As a legal basis, we cite here Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. b DSGVO.

Collection of further data when visiting stamplab.app

In addition to the above data, we collect other data when you visit our web version (https://stamplab.app). We use the service Umami, an open-source analytics application, to collect data about the behaviour of our users. We run our own instance of this service on our own servers - so no data is passed to third parties. We may collect the following data:

• the browser used (e.g. Google Chrome)
• the type of device (e.g. laptop or mobile)
• the screen resolution
• the language used
• the operating system (e.g. Android)
• an anonymous session ID (to avoid duplicating your website visit)
• which URLs you visit (which subpages)
• from which URL you came to our website (referrer)
• how long you were on our site

We collect this data in order to be able to improve our website and to offer you a good experience when visiting it, as well as to be able to guarantee smooth operation. We cite Art. 6 Para. 1 lit. f DSGVO as the legal basis for this.

Cookies

When you visit stamplab.app, we set cookies solely to operate the site and provide features:

• Social Log-in (log in with Google/ Facebook).
• Payment services (Stripe)

As a legal basis, we cite here Art. 6 (1) lit. f DSGVO and the ECJ ruling (01.10.2019 (Az. C-673/17)). We refrain from setting other cookies respectively for other purposes.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website by installing special browser plug-ins.

Payment transactions

In order to use StampLab, you may need a paid subscription. As part of taking out such a subscription, we use various payment service providers to offer you different payment methods. We use the following service providers:

• Google Pay
• Apple Pay
• Stripe
• Paypal

The basis for data processing is Art. 6 (1) lit. b DSGVO, which permits the processing of data for the performance of a contract or pre-contractual measures.

If you enter into a business relationship with us by making payment transactions, we are required by various legal requirements, for example, to store invoices for 10 years (Art. 6 para. 1 lit. c DSGVO allows us this storage to fulfill our obligations to government agencies such as the tax office). We would like to point out that in such a case it is not possible for us to delete all your data, e.g. upon your request. All data that does not fall under such retention periods, we delete of course immediately upon your request.

Contact by e-mail

When contacting us, e.g. by e-mail, we collect your contact data until the reason for the contact loses its relevance and e.g. a reply from our side is no longer necessary. Of course, this does not affect your right of access and deletion (see "Your rights"). When contacting us by e-mail, it should be noted that the confidentiality of e-mails or other electronic forms of communication on the Internet is generally not guaranteed. For confidential information, we recommend contacting us in encrypted form (info@l3montree.com) or by mail.

Kontakt per WhatsApp

Um uns über WhatsApp kontaktieren zu können, musst du bei WhatsApp registriert sein und den Datenschutzbestimmungen von WhatsApp zugestimmt haben. Wir bitten dich uns, wenn möglich, per E-Mail zu kontaktieren, da WhatsApp aus Datenschutzperspektive nicht unbedenklich ist. Wir sind über WhatsApp erreichbar, da wir dir einen einfachen und für dich komfortablen Weg der Kontaktaufnahme anbieten wollen. Wir nutzen den WhatsApp Dienst unter den folgenden Bedingungen: https://www.whatsapp.com/legal/business-data-processing-terms-20210927

Kontakt per Telegram

Um uns über Telegram kontaktieren zu können, musst du bei Telegram registriert sein und den Datenschutzbestimmungen von Telegram zugestimmt haben. Wir bitten dich uns, wenn möglich, per E-Mail zu kontaktieren, da Telegram aus Datenschutzperspektive nicht unbedenklich ist. Wir sind über Telegram erreichbar, da wir dir einen einfachen und für dich komfortablen Weg der Kontaktaufnahme anbieten wollen.

How we protect your data

This app uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests you send to our server. This method is implemented for all communication between the app and our servers.

When TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

In addition to encryption during transmission, we also protect your data on our servers, within the framework of current procedures.

Furthermore, our employees are also obligated to maintain the confidentiality of your data.

Even if we use all available security mechanisms, we point out that data transmission on the Internet can have security gaps. A complete protection of data against access by third parties is not possible.

If you create your account in StampLab with a password, we use so-called "hashing" to store your password in a protected manner. Hashing is a cryptographic process that uses a one-way principle to change your input in such a way that your original input cannot be calculated. Even in case of data theft, your password is protected. We also strengthen the effectiveness of hashing by using so-called "salt".

Your rights

Revocation of your consent to data processing

By using our offer, you agree to the processing of the data collected for the provision of the offer. There is no direct possibility for you to object. However, you can of course request the deletion of all data.

Many data processing operations are only possible with your express consent. You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right of appeal to the competent supervisory authority

In the event of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is the state data protection commissioner of the federal state in which our company is based. A list of data protection officers and their contact details can be found in the following link.

Right to data portability

You have the right to have data that we process on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

Information, blocking, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction, blocking or deletion of this data. For this and other questions on the subject of personal data, you can contact us at any time at the address given in the imprint.

You can request a data export in the app as well as the deletion of your account.

Further information

Criteria for determining storage periods

Your personal data will be stored by us until the contractual relationship is finally terminated, no further mutual claims can arise from it and also the statutory or internal retention periods have expired.