Privacy Policy

Information on the use and protection of data related to the use of https://flow.andugo.io

Published on: 22.01.2024

1. Preamble

The handling of your personal data complies with the provisions of the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG"), as well as other legal requirements, as the basis for a trusting business relationship between andugo GmbH (hereinafter "we," "andugo") and the visitors of our website, our customers, and business partners. Ensuring the confidentiality of your personal data is of the utmost priority for us, and we ensure the protection of your personal data through technical and organizational security measures that comply with current security standards and legal requirements.

Below, we inform you about the type, scope, and purpose of the collection and use of your personal data in the context of using our services on the website https://flow.andugo.io.

Controller pursuant to Art. 4 No. 7 GDPR is:

andugo GmbH

Hagsdorfer Str. 1c

85368 Wang

Germany

Phone: 089 74077569

Email Address: [email protected]

Represented by:

Dirk Engelbrecht

Further information about us can be found on the flow.andugo.io homepage under the "Imprint" menu (https://flow.andugo.io/imprint).

2. Definitions

2.1 "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2.2 "Processing" is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3. Type of Data

We process the following personal data:

3.1 Personal information such as name, identification number, date of birth, documents for customer identification (including a copy of your ID card or passport), contact details you provide to us, and all details about our business relationship, such as contract data, customer identifiers, customer number, and banking information (IBAN, BIC, bank, account holder) and payment information.

3.2 Data when accessing our website, transmitted by your browser and automatically collected by our server, such as the date and time of your visit, your IP address, data about the input device with which you interact with the customer portal (e.g., browser settings; browser type, operating system, device ID), the name of the accessed file, and the amount of data transmitted. Additional data is only collected if you actively disclose it, e.g., during registration or filling out an inquiry form.

4. Legal Basis for Processing Your Data

We process your personal data only when there is a legal basis under the GDPR or based on your consent:

a) Consent: Based on your previously given explicit and voluntary consent. You have the right to revoke your consent at any time with effect for the future.

b) Fulfillment of a contract / pre-contractual measures: To initiate and execute your contractual relationship with the company (Art. 6 para. 1 sentence 1 lit. b) GDPR)

c) Legitimate interests: To protect our legitimate interests, provided that your interests do not override them (Art. 6 para. 1 sentence 1 lit. f) GDPR)

We only disclose your personal data to third parties if:

a) You have expressly consented to it

b) The disclosure is necessary for the assertion, exercise, or defense of legal claims, and there is no reason to believe that you have an overriding legitimate interest in not disclosing your personal data, and in case there is a legal obligation to disclose

c) This is legally permissible and necessary for the processing of contractual relationships with you.

5. Purpose of Data Processing

We always process your personal data for a specific purpose and only process the personal data relevant to achieve that purpose (data minimization principle). We process personal data, in particular, for the following purposes:

a) To fulfill the contract concluded with you and to manage our business relationship, including communication with you, handling customer service-related questions and complaints, and facilitating debt collection.

b) To learn more about you as a prospect or customer, the products, features, and services you have used, and other products and services you may be interested in.

c) For measures to improve our products, features, and services and our technologies, including reviewing and updating our systems and processes, and for market research purposes to understand how we can improve our existing products and services or offer other products and services.

d) Marketing and advertising, e.g., to contact you regarding products and services offered by us that we believe may be of interest to you and to conduct marketing campaigns.

e) To carry out measures to improve and develop services and products to provide you with personalized offers and products.

f) Purposes for which you have given us prior consent, for example, when subscribing to a newsletter.

g) In consultation and data exchange with credit agencies (e.g., Schufa, Creditreform) to determine credit or default risks, especially when the conditions of § 31 BDSG are met.

h) Assertion, exercise, or defense of legal claims.

i) Ensuring IT security and IT operations and managing risks.

If we intend to further process your personal data for a purpose other than that for which the personal data was collected, we will provide you with information about this other purpose and all other relevant information according to this data protection information before such further processing.

6. Deletion, Retention Period of Your Data

An operational deletion concept ensures that all your personal data is deleted in accordance with the principle of data minimization and Art. 17 GDPR.

We only keep your personal data in accordance with Art. 17 GDPR for as long as necessary for the respective purposes for which we process your personal data. If we process personal data for multiple purposes, they will be automatically deleted or blocked as soon as the last specific purpose has been fulfilled, unless deletion is opposed by legal, statutory, or contractual retention periods.

Commercial and tax retention periods are up to ten years for storage or documentation. In addition, if the data is needed to assert, exercise, or defend (civil) legal claims, the storage period also depends on the statutory limitation periods according to § 195 ff. BGB, which can be up to 30 years; the regular limitation period is 3 years.

Under certain circumstances, your data must be retained for a longer period due to official or court orders.

Storage may also occur if provided for by European or national legislators in Union regulations, laws, or other regulations to which the company is subject.

7. Technical and Organizational Measures to Protect Your Data

We process your personal data in accordance with the security requirements of Art. 32 GDPR. To achieve this, we have implemented appropriate technical and organizational measures that comply with recognized IT standards and are continuously reviewed. This ensures that your data is adequately protected against misuse or any other unauthorized data processing at all times. Personal data that you transmit to us via our website is encrypted during transmission; we use the Secure Sockets Layer (SSL) encryption technology for this purpose.

8. Data Transmission to Third Parties

8.1 We transmit your personal data for the purposes outlined in this data protection information and, if necessary, within the scope of legal reporting and notification obligations, to third parties. These include companies and institutions in the following categories:

  • Tax consultancy/auditing companies
  • Authorities
  • Insurance companies
  • Debt collection agencies and lawyers
  • Suppliers
  • Public authorities and institutions (e.g., social insurance carriers, supervisory authorities, etc.) if there is a corresponding obligation/authorization

8.2 We transmit your personal data as part of fulfilling our business relationship to subcontractors (data processors) who assist us in handling our business processes. They process your data on our behalf based on a so-called contract for processing on behalf of the data controller in accordance with Art. 28 GDPR. We use subcontractors from the following categories:

  • Sales partners
  • Internet service providers
  • (IT) service providers
  • Support centers
  • IT providers
  • Logistics
  • Printing service providers
  • Archiving service providers
  • Credit agencies
  • Banks and payment service providers

8.3 Data Transmission to Non-EU Member States

If data is processed in countries outside the EU or the European Economic Area ("EEA"), the company will ensure that your personal data is processed in accordance with European data protection standards and relevant case law. If the third country does not have a level of data protection recognized as adequate by the European Commission, we will ensure, before the transfer, that the recipient can demonstrate an adequate level of data protection according to Art. 44 et seq. GDPR (e.g., through a self-certification by the recipient or by agreeing to so-called EU standard contractual clauses of the European Union with the recipient).

Within the framework of the contractual relationship and from a data protection perspective, you, as the customer, remain the general responsible party. If the customer processes personal data in connection with the contract (including collection and use), he ensures that he is permitted to do so in accordance with applicable data protection regulations. In the event of a violation, the customer indemnifies the provider from third-party claims.

The processing of personal data is subject to a data processing agreement (DPA), which we provide to you online in your account (https://flow.andugo.io/designer/dpa/en). This regulates the conditions and obligations related to the processing of data, particularly through the use of our software and services.

9. Individual Data Collection, Automated Decision-Making

We do not use automated decision-making according to Art. 22 GDPR. If we use these procedures in individual cases, we will inform you separately in accordance with legal provisions.

10. Data Collection on Our Websites

10.1 Visit to the Website

10.1.1 Data Categories: When you access our website, server statistics automatically store data (so-called server log files) that your browser automatically transmits to us. This information is temporarily stored in a so-called logfile. The following information is captured without your intervention and stored until automated deletion:

  • Date and time of access
  • IP address of the accessing device or server
  • Request details and target address
  • Name of the accessed file and transmitted data volume
  • Indication of whether the access was successful
  • Name of your internet service provider
  • Information about the browser type and version used
  • User's operating system

For data protection reasons, the IP address is anonymized in the log files containing this data.

10.1.2 Purpose of Processing: We process the mentioned data for the following purposes:

  • Ensuring a smooth connection setup for the website
  • Ensuring convenient use of our website
  • Evaluating system security and stability
  • For administrative purposes

10.1.3 Legal Basis for Data Processing according to Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest arises from the purposes of data collection listed above.

10.1.4 Deletion of Your Data: The log file information is anonymized and kept by the provider for security reasons (e.g., to investigate misuse) for a short period and deleted when no longer necessary.

10.2 Activities on the Website

10.2.1 Data Categories: When you register on our website, sign up for an event, subscribe to our newsletter, submit an application, or use one of our web contact forms, you will be asked to provide some of your personal data.

In addition to the data collected when accessing the website and during registration, the processed data includes:

  • First and last name
  • Email address
  • User's IP address
  • Date and time of registration
  • Phone number
  • Address

10.2.2 Purpose of Processing: The processing of the personal data you provide is necessary to handle your request, communicate with you, and operate our business, enabling registered members' business contacts with each other.

10.2.3 Legal Basis for Data Processing: Your consent according to Art. 6 para. 1 sentence 1 lit. a) GDPR.

Inquiries: For data processing, your consent is obtained through an opt-in, referring to this privacy policy. By activating the checkbox and submitting the contact form or inquiry, you agree, according to Art. 6 para. 1 lit. a GDPR, to the transmission and storage of your personal data and IP address.

Newsletter: For the newsletter, the double-opt-in procedure is applied. This means that after your registration, we will send an email to the provided email address containing a link for final registration. Your confirmation ensures that the newsletter was also ordered by you. Your data will only be stored for newsletter delivery for the duration of using our newsletter service after confirming the link in the email.

Events: When registering for an event via our event form, we collect, store, and process your personal data for organizing and conducting the event. By submitting the registration, you give your consent.

10.2.4 Deletion Periods for Inquiries: We only store your data to process your request. Deletion occurs after its completion, at the latest after four weeks, unless new processing purposes (e.g., a contractual relationship) arise with other legal retention periods.

Newsletter: If you do not confirm the newsletter registration in the double-opt-in procedure, your data will be deleted after 48 hours.

Events: Your data will be deleted no later than 30 days after the visit.

You can unsubscribe at any time using the links provided in our communications or by sending an email to [email protected] with the subject "UNSUBSCRIBE."

10.3 First and Third-Party Cookies

10.3.1 Functional Cookies

Cookies are small text files that your browser automatically creates and stores on your device (PC, laptop, tablet, smartphone, etc.) when you visit our site.

First-party cookies are cookies set directly by our website.

10.3.2 Data Categories: Our website uses so-called session cookies.

The use of session cookies, which are technically necessary cookies (functional cookies) for our internet services, aims to make the use of our offer more pleasant for you. Session cookies store data about your visit to the website and thus increase its user-friendliness: when you visit our site again, your entries and settings from the first visit are automatically applied so that you do not have to enter them again.

The cookies store and transmit the following data:

  • Language settings
  • Login information
  • Shopping cart information

10.3.3 Purpose of Processing: The purpose of using technically necessary cookies is to simplify the use of websites for users.

10.3.4 Legal Basis for Data Processing: The data processed by session cookies is necessary for the mentioned purposes to safeguard our legitimate interests according to Art. 6 para. 1 sentence 1 lit. f GDPR, namely to provide our services in a way that enables a user-friendly perception of the online offering and to provide certain functions such as the shopping cart function. Storing log files serves the integrity and security of the website.

10.3.5 Duration of Storage

Session cookies are temporary cookies and are automatically deleted when you close the browser.

10.3.6 Objection and Removal Option (Opt-Out)

Most browsers accept cookies automatically. You can object to the use of cookies at any time with future effect by changing the settings in your browser so that it does not accept certain cookies or notifies you as soon as cookies are sent. Already stored cookies can be deleted at any time. This can also be done automatically. Each browser differs in how it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings.

You can find instructions for managing cookie settings for the respective browsers at the following links:

Internet Explorer™:

http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies

Safari™:

https://support.apple.com/de-de/guide/safari/sfri11471/mac

Chrome™:

http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647

Firefox™:

https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

Opera™:

http://help.opera.com/Windows/10.20/de/cookies.html

If cookies are deactivated for our website, not all functions of the website may be fully available. If you use our website with multiple devices, you must object to the use for each device.

10.3.7 Legal Basis for Data Processing is your consent according to Art. 6 para. 1 sentence 1 lit. a) GDPR, which we obtain from you before using the website via opt-in.

We currently use services from the following third-party providers:

Akamai Technologies International AG

Grafenauweg 8,

6300 Zug,

Switzerland

10.4 Google Maps

On our website, a Google Maps mapping service is integrated to display interactive maps and provide directions. The company that provides the service in the European Economic Area and Switzerland is Google Ireland Limited, an Irish registered and operated company, with its registered office at Gordon House, Barrow Street, Dublin 4 (hereinafter "Google Ireland").

Google Maps services are integrated in "extended data protection mode." This means that maps are only loaded when you click a confirmation button. Only then is a connection established between your browser and a server of the operator in the USA.

By using Google Maps, information about the visit to this website, including your IP address and the entered address data, is transmitted to Google, including to Google servers located in the USA. Google then collects the following data:

  • Date and time of access
  • IP address of the accessing device or server
  • Request details and destination address
  • Information about the browser type and version used
  • Operating system of the user
  • Addresses entered as part of route planning

Data transmission occurs regardless of whether you have a user account with Google. If you have a user account and are logged in to Google, your data will be directly associated with your account. To avoid this, you must log out before activating the button or activate the so-called incognito mode at https://support.google.com/maps/answer/9430563?co=GENIE.Platform%3DAndroid&hl=de. This has the effect that all data collected until the incognito mode is terminated is not associated with your user account and will not be stored there.

Google otherwise stores your data as usage profiles. However, you have the right to object, which you must exercise with Google.

Since the conditions of the EU-US Privacy Shield no longer comply with the GDPR and have been replaced by the EU-US Data Privacy Framework, Google has changed its terms accordingly. You can find these at: https://policies.google.com/privacy

To the extent that Google acts as a data processor of personal data, Google claims to make the legal conditions of data processing available, which, according to their own statements, take into account the relationship between data controller and data processor when necessary.

For more information on the processing of personal data by Google Maps and your options for protecting your privacy, please refer to the terms of use at https://www.google.com/intl/de_de/help/terms_maps/ as well as the privacy information at https://policies.google.com/privacy/update?hl=de.

10.5 YouTube Videos

On some of our websites and the content provided by our partner, we also embed YouTube videos. The company that provides the service on de.youtube.com in the European Economic Area and Switzerland is Google Ireland Limited.

The videos are integrated in "extended data protection mode." This means that a connection between your browser and a server of the operator in the USA is only established when you play the videos. The following information about your visit and your IP address is stored there:

  • Date and time of access
  • IP address of the accessing device or server
  • Request details and destination address
  • Page called up
  • Information about the browser type and version used
  • Operating system of the user

Data transmission occurs regardless of whether you have a user account with YouTube or Google. If you have a user account and are logged in to YouTube or Google, your data will be directly associated with your account. To avoid this, you must log out before activating the button. Google stores your data as usage profiles. However, you have the right to object, which you must exercise with Google.

For data protection and data security, we refer to the explanations regarding Google Maps.

11. Your Rights according to GDPR

11.1 As data subjects affected by the processing of your personal data, you can assert the following rights with us under the GDPR and the BDSG ("data subject rights"):

  • Right to information regarding the personal data concerning you,
  • Right to correction of the data concerning you,
  • Right to erasure (Art. 17 GDPR),
  • Right to restriction of processing of your personal data,
  • Right to data portability (Art. 20 GDPR),
  • Right to object to the processing of personal data concerning you,
  • Modification and deletion of data ("right to be forgotten")

11.2 You also have the right according to Art. 77 GDPR to lodge a complaint with a supervisory authority. In general, you can contact the supervisory authority at your usual place of residence or work for this purpose.

11.3 We generally respond to requests within one month. However, this period may be extended due to the specific data subject right or the complexity of your request. In such cases, we will inform you of the reasons for the extension within the one-month period.

12. Questions about Data Privacy and Right to Information

For further questions regarding data privacy, please contact the representatives of andugo as specified in the imprint (https://flow.andugo.io/imprint). You can also assert your statutory rights to information there.

You can reach them via the email address [email protected] or by mail at the address specified in the imprint (https://andugo.io/imprint).

This privacy policy can be printed and/or saved at any time. We reserve the right to change or adapt the privacy policy to reflect the further development of the Andugo.io platform and the expansion and optimization of our services. In doing so, we will comply with the data protection requirements.