We attach great importance to data protection and would like to explain to you below how we collect and process your personal data. In doing so, we comply with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).
As the controller for the collection, processing and use of your personal data pursuant to Art. 4 No. 7 GDPR applies:
E-mail address: email@example.com
2 What data we process and why
In the following, we explain to you which personal data we use for which purpose and on which legal basis. As far as we speak of "website" or "service", we refer to our product "heylogin" with the associated components, specifically the heylogin apps for Android/iOS, the extensions and the web application at heylogin.app.
We use hosting services to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we need to operate the service.
In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data based on our legitimate interest in the efficient and secure provision of our website or service in accordance with Art. 6 (1) p. 1 f) GDPR.
2.2 Access data in server log files
When you visit our website, we collect information about you. We automatically record things like your activity on the site and how you interact with us. We also record information about your device, whether it is a computer or a cell phone. This information helps us better understand and improve our website.
The data we collect includes:
- The name and the Internet address of the file you have accessed
- Date and time when you visited the page
- How much data was sent back and forth
- Whether the access was successful (this is called HTTP response code).
- Which internet browser and version you use
- What operating system is running on your device
- The page from which you came to us (this is called referrer URL)
- Other websites you have visited through our site
- Information about your Internet provider
- Your IP address and from which provider you have your internet connection
We use this collected data to make our website safer and better. This helps us find and fix bugs and improve our service. We only use this data for general statistical analysis and not to identify you personally. This is important for the safe operation of our website.
Sometimes we also check this data more closely if we suspect that someone is using our website in an unauthorized way. We store your IP address for a short period of time when it is necessary for security reasons or when billing is involved. After you leave the site or a payment is made, we delete the IP address when we no longer need it. We also keep IP addresses if we think someone is using our website for criminal activity.
2.3.1 What are cookies?
A cookie is a small text file that we store on your hard drive or device when you visit our website. This file contains various information that enables our website to offer you a pleasant visit, e.g. by "remembering" certain information or preferences you have made.
When the cookie is activated, it is assigned an identification number. Your personal data is not assigned to this identification number. Your name, your IP address or similar data that would allow the cookie to be assigned to you are not stored in the cookie. With the help of the cookie technology, we only receive pseudonymized information, e.g. about visited pages or viewed offers.
2.3.2 What cookies do we use?
On the one hand, we use technically necessary cookies that enable certain core functions of our service. This can be, for example, the storage of certain data or settings.
The use of technically necessary cookies is based on our legitimate interest pursuant to Art. 6 (1) p. 1 f) GDPR. Our service is designed to be user-friendly and functional, and the use of these cookies does not usually affect your interests as a data subject. Therefore, a case-by-case consideration is usually not necessary. Insofar as a cookie is necessary to provide you with our service (password manager), the legal basis is Art. 6 para. 1 p. 1 b) GDPR.
2.4 Data for the fulfillment of our contractual obligations
We process personal data that we need to establish a contractual relationship with you and to fulfill our contractual obligations under an existing contractual relationship, such as name, address, e-mail address, ordered services, billing and payment data.
The legal basis for the processing of this data is Art. 6 para. 1 p. 1 b) GDPR, because this data is needed so that we can fulfill our contractual obligations to you or initiate a contract with you.
2.5 E-mail or telephone contact
If you contact us (e.g. by phone, contact form or e-mail), we process your information to process your request and in case further questions arise.
If the data processing is carried out for the implementation of pre-contractual measures, which are carried out on your request, or if you are already our customer, for the implementation of the contract, the legal basis for this data processing is Art. 6 para. 1 p. 1 b) GDPR. Otherwise, we process your personal data based on our legitimate interest to answer your questions according to Art. 6 para. 1 p. 1 f) GDPR.
3 Storage duration
Unless specifically stated, we will only store your personal data for as long as is necessary to fulfill our purposes.
We delete your personal data after the storage is no longer necessary (e.g. after final response to your request, for the duration of our contractual relationship until its final termination), or - in the case of legal retention obligations - we restrict the processing. Please note that further processing is required in particular for:
- Fulfillment of statutory retention obligations, which may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), for example. The periods specified therein are up to ten years.
- Preservation of evidence within the framework of statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
- In some cases, the legislator stipulates the retention of personal data, for example in tax or commercial law. In these cases, we store the data only for these legal purposes, but do not process them in any other way and delete them after the legal retention period has expired. The legal basis for this processing is Art. 6 para. 1 p. 1 c) GDPR.
4 Your rights as a person affected by data processing
According to the applicable laws, you have various rights regarding your personal data. If you wish to exercise these rights, please send your request by e-mail or by post, clearly identifying yourself, to the address mentioned in section 1.
Below you will find an overview of your rights.
4.1 Right to confirmation and information
You have the right to receive clear information about the processing of your personal data.
You have the right to receive confirmation from us at any time as to whether we are processing your personal data. If this is the case, you have the right to request from us free information about the personal data stored about you, together with a copy of this data. Furthermore, you have the right to the following information:
- the purposes of processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to rectification or erasure of personal data concerning you or to restriction of processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data is not collected from you, any available information about the origin of the data;
- the existence of automated decision-making including profiling pursuant to Article 22(1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you.
If personal data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
4.2 Right to rectification
You have the right to request us to correct and, if necessary, complete personal data concerning you.
You have the right to request that we correct any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.
4.3 Right to erasure ("right to be forgotten")
In a number of cases, we are required to delete your personal data.
You have the right under Article 17(1) of the GDPR to request that we delete your personal data without undue delay, and we are obliged to delete personal data without undue delay if one of the following reasons applies:
- Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke your consent on which the processing was based pursuant to Art. 6 (1) p. 1 a) GDPR or Art. 9 (2) a) GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
- Your personal data has been processed unlawfully.
- The deletion of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
- Your personal data was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
If we have made your personal data public and we are obliged to erase it pursuant to Article 17(1) of the GDPR, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform the data controllers that process your personal data that you have requested that they erase all links to or copies or replications of that personal data.
4.4 Right to restriction of processing
In a number of cases, you are entitled to request that we restrict the processing of your personal data.
You have the right to request us to restrict processing if:
- the accuracy of your personal data is contested by you for a period of time that allows us to verify the accuracy of your personal data,
- the processing is unlawful and you have refused the erasure of the personal data and instead requested the restriction of the use of the personal data;
- we no longer need the personal data for the purposes of processing, but you require the data for the assertion, exercise or defense of legal claims, or
- you have objected to the processing pursuant to Art. 21 (1) GDPR, as long as it has not yet been determined whether the legitimate reasons of our company outweigh yours.
4.5 Right to data portability
You have the right to receive your personal data in machine-readable form, to transmit it or to have it transmitted by us.
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that
- the processing is based on consent pursuant to Art. 6 (1) p. 1 a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) p. 1 b) GDPR and
- the processing is carried out with the help of automated procedures.
When exercising your right to data portability pursuant to paragraph 1, you have the right to obtain that the personal data be transferred directly from us to another controller, to the extent that this is technically feasible.
4.6 Right of objection
You also have the right to object to lawful processing of your personal data by us if this is based on your particular situation and our interests in the processing do not outweigh yours.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 e) or f) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If we process personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
You have the right to object, on grounds relating to your particular situation, to the processing of your personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
4.7 Automated decisions including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Automated decision-making based on the personal data collected does not take place.
4.8 Right to revoke consent under data protection law
You have the right to withdraw consent to the processing of personal data at any time.
4.9 Right to complain to a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you is unlawful.
5 Data security
We make every effort to ensure the security of your data within the framework of the applicable data protection laws and technical possibilities.
To secure your data, we maintain technical and organizational measures (TOMs) in accordance with Art. 32 GDPR, which we continually adapt to the state of the art. You can find the current measures at https://www.heylogin.com/en/toms.
6 Disclosure of data to third parties, data transfer to non-EU countries
In principle, we only use your personal data within our company.
If and to the extent that we involve third parties in the performance of contracts (such as logistics service providers), they will only receive personal data to the extent that the transfer is necessary for the corresponding service.
In the event that we outsource certain parts of data processing ("commissioned processing"), we contractually oblige commissioned processors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of your rights.
All processors with whom we currently work can be found at https://www.heylogin.com/en/subprocessors.
Insofar as a data transfer to controllers or processors in the USA takes place, the legal basis is the adequacy decision between the USA and the EU of July 10, 2023 pursuant to Art. 45 (1) GDPR in conjunction with the certification of the respective service (certification list: https://www.dataprivacyframework.gov/s/participant-search).
Only in cases where a controller or processor outside the EU is not covered by an adequacy decision, the following legal bases come into consideration:
- Special consent pursuant to Art. 49 of the GDPR, provided that we obtain your special consent for a specific transfer of personal data to a third country, or
- the standard contractual clauses (SCC) provided by the EU Commission in accordance with Art. 46 GDPR in conjunction with an individual risk assessment for the respective data recipient in the third country.