Privacy Policy
We, coneno GmbH, (hereinafter: "the company", "we" or "us") take the protection of your personal data seriously and would like to inform you at this point about data protection in our company. Within the scope of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the person affected by a processing operation (we also address you as data subject hereinafter with "customer", "user", "you", "you" or "data subject"). Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR).
With this statement (hereinafter: "Privacy Policy"), we inform you about the manner in which your personal data is processed by us.
B. General
1. Definitions
Following the example of Art. 4 of the GDPR, this privacy notice is based on the following definitions:
- "Personal data" (Art. 4 No. 1 GDPR means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
- "Processing" (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- "Third Party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Processor and the persons who are authorized to process the Personal Data under the direct responsibility of the Controller or Processor; this also includes other groupaffiliated legal entities.
- A "processor" (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
- "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Amendment of the data protection notice
(1) In the context of the further development of data protection law as well as technological or organizational changes, our data protection information is regularly reviewed for the need for adaptation or additions and amended/adapted as necessary.
(2) This privacy notice is current as of October 2024.
3. No obligation to provide personal data
For you as a customer, there is basically no legal or contractual obligation to provide us with your personal data. However, we can only enable you to use our app if you provide us with the necessary data.
C. Information about the processing of your data
1. The collection of personal data concerning you and its legal basis in general
(1) When you use our app, we collect personal data about you.
(2) Personal data is any data that relates to your person (see above under General). For example, your name, location data, IP address, device ID, SIM card number, address and email address are personal data, your fingerprint, images, movies, audio recordings, but also your user behaviour falls into this category.
2. The legal bases of data processing
(1) By law, in principle, any processing of personal data is prohibited and permitted only if the data processing falls under one of the following justifications:
- Art. 6 (1) sentence 1 lit. a GDPR ("consent"): Where the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
- Art. 6 (1) sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of precontractual measures taken at the request of the data subject;
- Art. 6 (1) sentence 1 lit. c GDPR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records);
- Art. 6 (1) sentence 1 lit. d GDPR: If the processing is necessary to protect the vital interests of the data subject or another natural person;
- Art. 6 (1) sentence 1 lit. e GDPR: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- Art. 6 (1) sentence 1 lit. f GDPR ("Legitimate Interests"): When processing is necessary to protect the legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular if the data subject is a minor).
Storing information in the end user's terminal equipment or accessing information already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:
- Section 25 (1) TTDSG: If the end user has consented on the basis of clear and comprehensive information. The consent has to be given according to Art. 6 (1) sentence 1 lit. a GDPR;
- Section 25 (2) no. 1 TTDSG: If the sole purpose is to carry out the transmission of a message via a public telecommunications network, or
- Section 25 (2) no. 2 TTDSG: If the storage or access is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.
(2) For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases
3. The data collected during the download
(1) When downloading this app, the email address, username, customer number of the downloading account, individual device identification number, payment information, and time of download are transmitted to the Apple App Store, which is operated by Apple Inc, One Apple Park Way, Cupertino, California, USA, 95014, www.apple.com.
(2) We have no influence on the collection and processing of this data, which is carried out exclusively by the Apple App Store selected by you. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the Apple App Store. You can find more information in the privacy policy of the Apple App Store.
4. Data collected when using the app, including purpose and legal basis
(1) We can inevitably only provide you with the benefits of our app if we collect certain personal data about you that is required for the operation of the app when you use it.
(2) We collect and process the following personal data from you:
-
Device information: Access data includes the IP address, device ID, device type, devicespecific settings and app settings and app properties, the date and time of the retrieval, time zone the amount of data transferred and the message whether the data exchange was complete, crash of the app, browser type and operating system. This access data is processed to enable the operation of the app technically.
-
Information with your consent: We process other information (e.g. GPS location data) if you allow us to do so.
-
Contact data: In the case of use of contact forms, physical or digital communication, the data transmitted thereby are processed (e.g. gender, surname and first name, address, company, email address and the time of transmission).
(3) Purpose and legal basis of data processing
We process the personal data described in more detail above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 (1) sentence 1 lit. f GDPR, the aforementioned purposes also represent our legitimate interests. In the event that you have given your consent to data processing, the legal basis for data processing is Art. 6 (1) sentence 1 lit a) DSGVO. The processing of the log data serves statistical purposes and the improvement of the quality of our app, in particular its stability and security (legal basis is Art. 6 (1) sentence 1 lit. a or lit. f GDPR). Contact data is processed for the purpose of handling customer inquiries (legal basis is Art. 6 (1) sentence 1 lit. b or lit. f GDPR). If the processing of the data requires the storage of information in your terminal equipment or access to information already stored in the terminal equipment, Section 25 (1), (2) TTDSG is the legal basis for this.
5. Use of cookies
Cookies are small text files that are stored on the device memory of your mobile device and assigned to the mobile app you are using, and through which certain information flows to the entity that sets the cookie. We do not use cookies when operating our app.
6. Data storage period
(1) We delete your personal data as soon as they are no longer required for the purposes for which we collected or used them according to the (see C. 3., 4.). As a rule, we store your personal data for the duration of the usage or contractual relationship via the app. In principle, your data is only stored on our servers in Germany, subject to a possible transfer in accordance with the regulations in F. 1., 2. and 3..
(2) However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings.
(3) Third parties engaged by us (see E. 1.) will store your data on their system for as long as it is required in connection with the provision of the service for us in accordance with the respective order.
(4) Mandatory legal requirements for the storage and deletion of personal data remain unaffected by the above (e.g. § 257 HGB or § 147 AO). If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
7. Data security
(1) We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
(2) We will be happy to provide you with more detailed information on request. Please contact our data protection officer (see D. 1.).
8. No automated decision making (including profiling)
We do not intend to use any personal data collected from you for any automated decision making process (including profiling).
9. Change of purpose
(1) Processing of your personal data for purposes other than those described will only take place if a legal provision permits this or you have consented to the changed purpose of the data processing.
(2) In the event of further processing for purposes other than those for which the data were originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.
D. Responsibility for your data and contacts
(1) The controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is:
| Name and address of the controller | |
|---|---|
| Company name: | coneno GmbH |
| Controller/legal representative: | Mr. Marco Hirsch |
| Street, house number: | Trippstadter Str. 122 |
| Postal code, city: | 67663 Kaiserslautern |
| Phone number: | +49631627991-0 |
| Email address: | info@coneno.com |
(2) Our company data protection officer is available at all times to answer any questions you may have and to act as your contact person on the subject of data protection at our company. Her contact details are:
Katja Schneider
coneno GmbH
Trippstadterstr. 122
67663 Kaiserslautern
(3) Please contact this contact point in particular if you wish to assert the rights to which you are entitled, as explained in Chapter G, against us.
(4) If you have any further questions or comments regarding the collection and processing of your personal data, please also contact the aforementioned contacts.
E. Data processing by third parties within and outside the EU (third countries)
1. Commissioned processing of personal data by third parties
(1) It may happen that commissioned service providers are used for individual functions of our app. As with any larger company, we also use external domestic and foreign service providers to handle our business transactions (e.g. for the areas of IT, logistics, telecommunications, sales and marketing). These service providers only act on our instructions and are contractually obligated to comply with the data protection provisions pursuant to Art. 28 GDPR.
(2) The following categories of recipients, which are usually processors, may receive access to your personal data:
- service providers for the operation of our app and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 (1) sentence 1 lit. b or lit. f GDPR, insofar as they are not order processors;
- Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the disclosure is then Art. 6 (1) sentence 1 lit. c GDPR;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 (1) sentence 1 lit. b or lit. f GDPR.
(3) Details of disclosure to third parties
a) Microsoft Email Support
We use Microsoft Exchange for our email support. The potential data transfer includes your email address as well as any personal data that may be present in the support request.
The provider of this product is the US company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
(4) Consent
In addition, we will only disclose your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 (1) sentence 1 lit. a GDPR.
2. Conditions for the transfer of personal data to third parties in third countries
In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and for the maintenance of your business relationship with us (legal basis is Art. 6 (1) lit b or lit f in each case in conjunction with Art. 44 ff. GDPR). We will inform you about the respective details of the transfer in the following at the relevant points.
Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding company regulations, standard data protection clauses of the European Commission for the protection of personal data pursuant to Art. 46 1 , 2 lit. c GDPR (the standard data protection clauses of 2021 are available here), certificates or recognized codes of conduct. Please contact our data protection officer (see D. 1.) if you would like more information on this.
3. Details of the transfer to third countries
a) Microsoft Email Support
We use Microsoft Exchange for our email support. The potential data transfer includes your email address as well as any personal data that may be present in the support request. The provider of this product is the US company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Despite the settings we have made that provide for data processing within the EU, it cannot be ruled out that Microsoft may also process your personal data in America. Since the European Court of Justice declared the EU-US Privacy Shield decision invalid in its ruling of 15.07.2020 in the Schrems II case (C-311/18), no adequate level of protection may currently be assumed for a data transfer to the USA. Therefore, the basis of data processing at Microsoft in the U.S. can only take place via standard data protection clauses prepared by the EU Commission, which are intended to ensure that your personal data is also processed outside the EU in accordance with European data protection regulations.
Find more information about the standard data protection clauses included by Microsoft and about data processing when using Microsoft products.
In order to act in a data protection-compliant manner when using Microsoft products, we have taken further measures in the product settings to increase the level of data protection.
Processing location: United States
4. Legal obligation to transmit certain data
We may be subject to a specific legal or regulatory obligation to disclose the lawfully processed personal data to third parties, in particular public bodies, (Art. 6 (1) sentence 1 lit. c GDPR).
F. Your rights
1. Right to information
(1) You have the right vis-à-vis us within the scope of Art. 15 GDPR to obtain information about the personal data concerning you.
(2) This requires an application from you to be sent either by e-mail or by post to the addresses given above (see D. 1.).
2. Right to object to data processing and revoke consent
(1) In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
(2) Pursuant to Article 7 (3) of the GDPR, you have the right to revoke your consent given once (also before the GDPR came into force, i.e. before 25.5.2018) - i.e. your voluntary will, made understandable in an informed manner and unambiguously by means of a declaration or other unambiguous confirming action, that you agree to the processing of the personal data in question for one or more specific purposes - at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent for the future.
(3) In this regard, please contact the contact point indicated above (see D. 1.).
3. Right to rectification and cancellation
(1) Insofar as personal data concerning you is incorrect, you have the right pursuant to Art. 16 GDPR to demand that we correct it without delay. With a request in this regard, please contact the contact point indicated above (see D. (1)).
(2) Under the conditions set out in Art. 17 GDPR, you have the right to request the deletion of personal data concerning you. With a request in this regard, please contact the contact point indicated above (see D. (1)). In particular, you have the right to erasure if the data in question is no longer necessary for the collection or processing purposes, if the data storage period (see C. 7.) has elapsed, if there is an objection (see G. 2.), or if there is unlawful processing.
4. Right to restriction of processing
(1) In accordance with Art. 18 GDPR, you have the right to demand that we restrict the processing of your personal data.
(2) With a request in this regard, please contact the contact point indicated above (see D. (1)).
(3) You have the right to restrict processing in particular if the accuracy of the personal data is disputed between you and us; in this case, you have the right for a period of time that is required to verify the accuracy. The same applies if the successful exercise of a right of objection (see G. 2.) is still disputed between you and us. You are also entitled to this right in particular if you are entitled to a right to erasure (see G. 3.) and you request restricted processing instead of erasure.
5. Right to data portability
(1) Pursuant to Art. 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, common, machine-readable format in accordance with.
(2) With a request in this regard, please contact the contact point indicated above (see D. (1)).
6. Right to complain to the supervisory authority
(1) In accordance with Art. 77 GDPR, you have the right to complain about the collection and processing of your personal data to the competent supervisory authority.
(2) You can reach the competent supervisory authority under the following contact details:
Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Prof. Dr. Dieter Kugelmann
Hintere Bleiche 34
55116 Mainz