Data Privacy Policy

For best GDPR compliance and for customers in the European Union, we provide a full data processing agreement, which can be examined here and, if needed, signed electronically.

Last change: January 1, 2024

Derdack GmbH (in the following also “Derdack” or “we”) appreciates your interest in the service “SIGNL4” (in the following also “SIGNL4” or “Service”, including all related apps, e.g. the SIGNL4 mobile app). We attach great importance to protecting your privacy. In the following we provide detailed information on how your data is handled.

1. DATA CONTROLLER

The data controller is:
Derdack GmbH
Konrad-Zuse-Ring 12b, 14469 Potsdam
Managing director: Matthes Derdack
Email: [email protected]

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

You can reach our data protection officer at [email protected]

3. REGISTRATION

3.1 The Service is an alerting service for companies that monitors processes and procedures and allows alarms to be sent and tracked. The Service supports and automates alerting and communication processes. For this it is necessary that each user first registers for the use of the Service.

3.2 As part of the registration for the app, we collect the following (personal) access data:

  • Your email address
  • If you don’t sign in using Google SignIn, Microsoft SignIn or your Apple ID: Your password
  • Your system language, so that logon windows and notifications can be displayed correctly,
  • Your system time zone so that alarm data can be displayed correctly.

Unless you sign in using Google SignIn, Microsoft SignIn or your Apple ID, your password will first be generated by us and may then be changed by you.

3.3 Alternatively, you can use the “Sign in with Google” or “Sign in with Microsoft” buttons or register with your Apple ID if you have an identity account with one of these two providers. Google, Microsoft and Apple offer the possibility to log in to other websites via their API with your log-in data, if available. These are services over which we have no control.

3.4 SignIn with Google: Provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: “Google”). An additional registration or login is therefore not necessary. If you decide to register with Google SignIn and click on the “Login with Google” / “Connect with Google” button, you will automatically be redirected to the Google platform. There you can log in with your usage data. This will link your Google profile to our website or services. This link gives us access to your data stored by Google. This is currently:

  • the e-mail address stored with Google

The integration of the Google SignIn takes place on the basis of Art. 6 (1) (f) GDPR. This data is used to simplify the registration of your account. This makes it easier to use our services. This is in our legitimate interest. For more information about Google Sign In and Google’s privacy policy, please see the following links: https://policies.google.com/terms and http://www.google.de/intl/de/policies/privacy

In case Google Ireland transfers personal data to the U.S., the following legal framework applies, which indicates that Google relies on the EU Commission’s Standard Contractual Clauses: https://policies.google.com/privacy/frameworks?hl=en-US

3.5 SignIn with Microsoft: If you have a Microsoft account, you can alternatively register via Microsoft. This service is provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “Microsoft”). If you click the “Log in with Microsoft” button, you will automatically be redirected to a Microsoft page where you can enter your Microsoft e-mail address or telephone number. This will link your Microsoft account to our website or services. This link gives us access to your data stored with Microsoft. This is currently:

  • the e-mail address stored with Microsoft

The integration of Microsoft is based on Art. 6 (1) (f) GDPR. This data is used to simplify the registration of your account.

For more information about Microsoft and Microsoft’s privacy statements, see the following links: https://privacy.microsoft.com/en-us/privacystatement 

Microsoft also processes your personal data in the United States. The following general conditions apply to this, which show that Microsoft relies on the standard contractual clauses of the EU commission: https://docs.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses

3.6 SignIn with Apple ID: If you have an Apple ID, you can alternatively register with it. This service is provided by Apple Inc., Infinite Loop, Cupertino, CA 95014. If you sign in with Apple, your Microsoft account will be linked to our app. This link gives us access to your data stored with Apple. This is currently:

  • the email address you have registered with Apple

The integration of the SignIn via the Apple ID is based on Art. 6 (1) (f) GDPR. This data is used to simplify the registration of your account.

For more information about Apple and Apple’s privacy policies, please see the following link: https://www.apple.com/legal/privacy/en-ww/

Apple also processes your personal data in the United States. The following general conditions apply to this, which show that Apple relies on the standard contractual clauses of the EU commission: https://www.apple.com/legal/procurement/docs/ADI_TERMS_COND-0164.pdf

3.7 If at the end of the trial period you decide to subscribe to upgrades of the app with additional functionality, we will also collect the following data:

  • Name and address (usually this will be the company name and address you work for),
  • Your name as contact person or the name of another person as contact person,
  • Payment details.

3.8 On a voluntary basis, you may provide the following additional information when registering or using the App:

  • Your cell phone number,
  • Location data: For the purpose of providing the service, we collect your location data on a voluntary basis using GPS (accurate to the meter). At the beginning of the use of the App and at certain intervals during the use of the App, Derdack asks for your permission to use this location data. If you do not want to grant us this permission, we will not access or use the location data. In this case, you can continue to use the app with restrictions. You can grant or revoke permission at any time later in the settings of your terminal device. Your location data will only be transferred to us if you have activated the app. They are not used by us to create motion profiles beyond your current location.
  • an e-mail address for sending invoices for the paid version of the app.

3.9 You can revoke the voluntary information (Section 3.3) at any time with effect for the future by deleting the relevant information in your profile or changing the settings of the App accordingly.

3.10 We use the data listed under Sections 3.1 to 3.3 exclusively for the purpose of enabling you to use the SIGNL4 App (Art. 6 (1) (a) GDPR).

3.11 If you have given us your consent to send you our e-mail newsletter (Art. 6 (1) (a) GDPR), we will use your e-mail address to send you the newsletter. You can withdraw your consent at any time with effect for the future.

4. DATA COLLECTION IN THE CONTEXT OF USING THE SERVICE

4.1 Which data we collect during the use of the app depends on which version of the app you have installed or which additional functionalities you have subscribed to. Below we inform you which data can be collected depending on the installed or subscribed function:

  • Your Android ID/Device Identifier for Vendor number to recognize the current App installation,
  • Device type (Android/iOS) for the correct delivery of notifications,
  • System language for displaying notifications
  • System time zone for correct display of alarm data,
  • Push address for notifications when you allow notifications,
  • location data, if you allow access to it
  • Mobile phone number, if you specify it,
  • Photo gallery to personalize your profile when you upload photos or share the camera and create photos,
  • Email addresses when you enter them to invite team members or allow the app to access your address book;
  • Username, if you create one,
  • the source or content of the alarm trigger,
  • the date and time when you received an alarm, if and when you acknowledged the alarm and if and when you closed the alarm; depending on the function, this data is visible in the app to other members of your team or is shared with other members of your team by Derdack,
  • the time of your subscriptions and unsubscriptions to the Service or to the shift; depending on the function, this data will be visible in the App to other members of your team as your status or will be communicated by us to the other members of your team,
  • Messages sent and received by you to/from members of your team (alarm messages and alarm related notes).

4.2 We use the data mentioned under 4.1 for the following purposes:

  • to enable you and your team colleagues to use the app with the respective installed / subscribed functionalities (fulfillment of contract),
  • in the case of subscription to paid upgrades of the app to bill the usage fees (contract processing),
  • to evaluate the use of the app and the associated services and to improve the services; however, these evaluations are carried out anonymously only.

4.3 Depending on the installed / subscribed functions, the data mentioned under 4.1. are used within a certain period of time to determine the reaction times within a team, to classify the alarms and their relevance and to evaluate the distribution of alarm acknowledgements to the users of a team. These evaluations are person-related and are also visible to all users of a team or are communicated to them by us.

4.4 We store your data to the extent and for as long as legal and/or offered retention periods exist.

5 INTEGRATION OF GOOGLE MAPS TO DISPLAY LOCATION DATA

5.1 If you have moved the slider to the right under the button “(i) About”, next to the text “Transmit location with manual SIGNL”, we can access your location data. To display your location data, we use Google Maps, a service provided by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”).

We have a legitimate interest in this (Art. 6 (1) (f) GDPR), as it allows us to extend this App with functionalities that are also based on the recording of your location. You can, however, move the slider to the left at any time and thus prevent the acquisition of location data.

By using Google Maps, information about the use of our app (including your IP address) may be transmitted to and stored by Google on servers in the United States. If you do not want data to be transferred to Google through the use of the map, you can decline to give, or revoke, your consent to access location data in the settings as described above. Then you will not be able to use the SIGNL4 functions where your location is shared.

5.2 The Google Maps Terms of Use can be found at: https://www.google.com/intl/en_us/help/terms_maps/

You can find further information on data protection at Google at: https://policies.google.com/privacy?hl=en&gl=de

Google Inc. also processes your personal data in the United States. The following general conditions apply to this, which show that Google Maps relies on the standard contractual clauses of the EU commission: https://support.google.com/adspolicy/answer/10042247?hl=en

6 TRACKING WITH FIREBASE

6.1 We use various services from Firebase, a service from Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, “Google”), specified in more detail below. Firebase uses so-called “Instance IDs” to memorize individual settings of the mobile app. Because each instance ID is unique to a mobile app and the mobile device you are using, Firebase can evaluate and respond to specific events within the mobile app. The information generated by the instance ID about your use of this mobile app on your mobile device is usually transferred to a Google server in the USA and stored there. The legal basis for the use of Firebase is Art. 6 (1) (f) GDPR. The evaluations and analysis allow us to make our offer more attractive.

However, in the settings of your app under the menu item “(i) About”, you can move the slider “Send anonymous usage and error logs” to the left: then no further usage data will be transmitted to us.

6.1.1 We use the Firebase Analytics service, which provides us with analytical and device-related information when you use a mobile device with an Android operating system. Firebase Analytics collects so-called “Mobile Ad IDs”, IDs related to the mobile device and so-called “Analytics App Instance IDs”. Firebase Analytics stores this ID-related information for 60 days and stores summary and action-related data without automatic deletion until PIM makes an appropriate setting in Analytics or deletes its project.

6.1.2 We use the Firebase Cloud Messaging service if you are using a mobile device with an Android operating system to determine which mobile device to send messages to by using instance IDs. The instance IDs transmitted are stored by Firebase until we ask Firebase to delete them. Firebase then deletes the data within 180 days.

6.1.3 If you are using a mobile device with an Android operating system, we use the Firebase Crashlytics service, which informs us if a malfunction has occurred in your mobile app. The instance IDs and malfunction reports transmitted are stored by Firebase until we ask Firebase to delete them. Firebase then deletes the data within 180 days.

6.1.4 We use the Firebase Performance Monitoring service, which uses instance IDs to monitor the performance of the mobile app and respond to specific incidents within the app. The findings on these specific processes are stored by Google for 30 days. Instance IDs are stored by Google until we request Google to delete them. Google then deletes the data within 180 days.

6.2 For more information about Google’s use of data over Firebase, see:

https://firebase.google.com/terms/data-processing-terms

https://firebase.google.com/terms/

https://firebase.google.com/support/privacy/manage-iids

https://firebase.google.com/support/privacy/

6.3 In case Google transfers personal data to the U.S., the following legal framework applies, which indicates that Google relies on the EU Commission’s Standard Contractual Clauses: https://policies.google.com/privacy/frameworks?hl=en-US

6.4 If you use the SIGNL4 app, you can object to the use of Firebase at any time by setting the slider for anonymous statistics in the app under the button “(i) About” so that anonymous usage and error logs are not collected. Then an analysis of your use of the mobile app by Firebase and the transfer of the data to Google will not take place.

7. ANALYTICS WITH PROFITWELL (ONLY FOR ACCOUNT OWNERS/TEAM LEADERS)

  • We use the analytics service Profitwell by the provider 200 OK, LLC (109 Kingston Street, Fourth Floor, Boston, Massachusetts 02111, USA, “Profitwell”) to compile statistics regarding the use of our service. For that purpose, the service processes the e-mail address of the respective account owner/team leader, to which all users of SIGNL4 in his team are connected, so that a direct conclusion on the behavior of an individual user is only possible in the rare case that a team has only one member and only that member uses the SIGNL4 App. For reasons of data protection, we only use Profitwell in cases where a team has several members.
  • Profitwell brings together the use of SIGNL4 by the entire team with the e-mail address of the account owner/team leader. This data will then be analyzed by Profitwell and the analysis will be forwarded to us. This process has the purpose of gaining an insight into the way our service is used. If you do not wish your e-mail address to be part of the analysis by Profitwell, you can declare an opt-out under the e-mail address [email protected].
  • The legal basis for the use of the service Profitwell is Article 6 (1) (f) GDPR. It serves our legitimate interest to analyze the use of our service and to improve the service on that basis.
  • For more information on data protection at Profitwell, see https://www.profitwell.com/privacy-policy and https://www.profitwell.com/gdpr.

8 DATA TRANSFER TO THIRD PARTIES

As this is an alerting app for teams, the collected data is passed on within the team (see point 4). This includes superiors, if they are part of the team.

9 OTHER DATA TRANSFER TO NON-EU COUNTRIES

Your billing and credit card information will be forwarded to Recurly Inc. for the purpose of user account administration and to Stripe Inc. for the purpose of processing payments. Both companies are located in the USA.

We have a legitimate interest in using these services, as we would not be able to provide our services in full or at all without them (Art. 6 (1) (b) GDPR).

Recurly: https://support.recurly.com/hc/en-us/articles/360050344231-EU-July-2020-Privacy-Shield-Ruling and https://go.recurly.com/rs/439-LSC-903/images/Recurly-EU-Personal-Data-Processing-Agreement.pdf

Stripe: https://stripe.com/de/privacy, and https://stripe.com/privacy-center/legal#data-transfers

Upon your request, you can receive an SMS or a call via your mobile phone number in addition to the alert via the app if you configure SIGNL4 accordingly. We work with the company Twilio Inc. for the associated telecommunications services. The SMS or the voice call will then be sent via Twilio, an offer by the company Twilio Inc. (hereinafter “Twilio”), 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA.

To do this, we transmit your mobile phone number and the content of your message to Twilio, where it is saved until you delete your user account. Upon deletion of your SIGNL4 user account, we will also ensure the deletion of your mobile phone number from Twilio within 60 days.

For the transfer to Twilio, we use the EU infrastructure of Twilio. For any transfer of personal data outside the EU, Twilio’s Binding Corporate Rules apply: https://www.twilio.com/legal/binding-corporate-rules

We have a legitimate interest in using Twilio, as we would otherwise not be able to provide the service you have chosen at all or not to its full extent (Art. 6 (1)(b) GDPR).

For more information about Twilio’s privacy policy, see:

https://www.twilio.com/legal/privacy

10 CONSENTS GIVEN

10.1 You may have expressly given us the following consent(s), and we have logged your consent.

  • I agree that Derdack may use my e-mail address to send me your newsletter.

According to the German Telemedia Act, we are obliged to keep the content of consents available for retrieval at all times.

10.2 You can revoke your consent(s) at any time with effect for the future.

11 DATA SECURITY

In order to ensure data security and the protection of your personal data, Derdack GmbH takes technical protective measures, in particular to prevent third parties from accessing your data. Derdack GmbH shall adapt the technical protective measures in accordance with the current state of the art technology.

12 RIGHT TO INFORMATION, CORRECTION, DELETION AND BLOCKING OF YOUR DATA

12.1 You have the right to obtain information about the personal data stored about you by Derdack and, if applicable, the right to correct, delete or block such data. In order to assert your rights, please contact the responsible body mentioned under point 1.

12.2 You can view and change the data stored in your profile at any time. You can also delete your profile at any time. In the cases of § 35 Para. 3 BDSG (Bundesdatenschutzgesetz, German Data Protection Act), the deletion shall be replaced by the blocking.

12.3 Derdack points out that Derdack is entitled, by order of the competent authority in individual cases, to provide information on data insofar as this is necessary for the purposes of criminal prosecution, to avert danger by the police authorities of the Länder, to fulfil the statutory duties of the Federal and Länder Office for the Protection of the Constitution, the Federal Intelligence Service or the Military Counter-Intelligence Service or to enforce intellectual property rights.

13 CHANGE

13.1 In the course of technical development, Derdack will also continuously adapt its data protection declaration. Derdack will incorporate changes on this page in good time and, if necessary, obtain your renewed consent.

13.2 Irrespective of this, you should visit this page regularly in order to inform yourself about the current status of the data protection information.