Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Status: May 24, 2023

Controller

Plexify GmbH
Lenbachallee 12
85521 Ottobrunn

Authorized representatives: Philipp Kang, Maik Tran, Jonas Leeb

Email address: info@plexify.io

Imprint: https://plexify.io/en/impressum/

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

Inventory data.
Payment data.
Contact data.
Content data.
Contract data.
Usage data.
Meta, communication, and process data.

Categories of Data Subjects

Prospective customers.
Communication partners.
Users.
Business and contractual partners.

Purposes of Processing

Provision of contractual services and customer service.
Contact requests and communication.
Security measures.
Direct marketing.
Office and organizational procedures.
Managing and responding to inquiries.
Feedback.
Provision of our online offering and user-friendliness.
Information technology infrastructure.

Applicable Legal Bases

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR regulations, national data protection requirements in your or our country of residence or registered office may apply. If, in individual cases, more specific legal bases are relevant, we will inform you of these in the privacy policy.

Consent (Art. 6(1)(a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This includes, in particular, the Act on Protection Against Misuse of Personal Data in Data Processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making, including profiling. Furthermore, it regulates data processing for purposes of the employment relationship (§ 26 BDSG), especially with regard to the establishment, performance, or termination of employment relationships as well as the consent of employees. Moreover, state data protection laws of the individual federal states may apply.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, assurance of availability, and their separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, erasure of data, and responses to data breaches. Moreover, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by privacy-friendly default settings.

TLS encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Transmission of Personal Data

In the course of our processing of personal data, it may happen that the data is transmitted to other bodies, companies, legally independent organizational units, or persons, or that it is disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transmitting data to other persons, bodies, or companies, this will only be done in accordance with legal requirements. Subject to explicit consent or contractually or legally required transmission, we process or have data processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en ).

Erasure of Data

The data processed by us will be erased in accordance with legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data has ceased or they are not necessary for the purpose).

If the data is not erased because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Our privacy notices may also contain further information on the retention and erasure of data, which takes precedence for the respective processing operations.

Business Services

We process data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to answer inquiries.

We process this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any updating obligations, and remedies in case of warranty and other service disruptions. Furthermore, we process the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations as well as business organization.

Furthermore, we process the data based on our legitimate interests in proper and business-like management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities).

Within the scope of applicable law, we only disclose data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We inform contractual partners which data is required for the aforementioned purposes before or during data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We erase the data after the expiry of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons. The statutory retention period for tax-relevant documents as well as for commercial books, inventories, opening balances, annual financial statements, the work instructions required to understand these documents, and other organizational documents and accounting records is ten years, and for received commercial and business letters and reproductions of dispatched commercial and business letters, six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance, the annual financial statement or the management report was drawn up, the commercial or business letter was received or dispatched, or the accounting record originated, furthermore the recording was made or the other documents originated.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between users and providers.

Processed Data Types:

Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject of contract, term, customer category).

Data Subjects:

Prospective customers; Business and contractual partners.

Purposes of Processing:

Provision of contractual services and customer service; Contact requests and communication; Office and organizational procedures; Managing and responding to inquiries.

Legal Bases:

Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further Information on Processing, Procedures, and Services:

Agency Services: We process our customers' data as part of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Project and Development Services: We process the data of our customers and clients (hereinafter uniformly referred to as "customers") to enable them to select, purchase, or commission the chosen services or works as well as related activities, and their payment and provision or execution or performance. The required information is marked as such within the scope of the order, purchase, or comparable contract conclusion and includes the information necessary for service provision and billing as well as contact information for any necessary consultations. Insofar as we receive access to information from end customers, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Provision of Software and Platform Services: We process the data of our users, registered and potential trial users (hereinafter uniformly referred to as "users"), to provide them with our contractual services and, based on legitimate interests, to ensure the security of our offering and to further develop it. The required information is marked as such within the scope of the order, purchase, or comparable contract conclusion and includes the information necessary for service provision and billing as well as contact information for any necessary consultations; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Provision of Online Offering and Web Hosting

We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

Processed Data Types:

Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status); Content data (e.g., entries in online forms).

Data Subjects:

Users (e.g., website visitors, users of online services).

Purposes of Processing:

Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.

Legal Bases:

Legitimate interests (Art. 6(1)(f) GDPR).

Further Information on Processing, Procedures, and Services:

Provision of Online Offering on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also "web hoster"); Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Erasure of data: Log file information is stored for a maximum of 30 days and then erased or anonymized. Data whose further retention is required for evidentiary purposes is excluded from erasure until the final clarification of the respective incident.

Email Dispatch and Hosting: The web hosting services we use also include the dispatch, receipt, and storage of emails. For these purposes, the addresses of the recipients and senders, as well as further information concerning email dispatch (e.g., the providers involved) and the contents of the respective emails, are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails on the internet are generally not sent encrypted. As a rule, emails are encrypted during transport, but (unless an end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore assume no responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to answer the contact requests and any requested measures.

Processed Data Types:

Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).

Data Subjects:

Communication partners.

Purposes of Processing:

Contact requests and communication; Managing and responding to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online offering and user-friendliness.

Legal Bases:

Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further Information on Processing, Procedures, and Services:

Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the stated request; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Promotional Communication via Email, Post, Fax, or Telephone

We process personal data for purposes of promotional communication, which can take place via various channels, such as email, telephone, post, or fax, in accordance with legal requirements.

Recipients have the right to revoke consents given at any time or to object to promotional communication at any time.

After revocation or objection, we store the data required to prove previous authorization for contact or dispatch for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on the legitimate interest to permanently observe the revocation or objection of users, we also store the data necessary to avoid renewed contact (e.g., depending on the communication channel, the email address, telephone number, name).

Processed Data Types:

Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers).

Data Subjects:

Communication partners.

Purposes of Processing:

Direct marketing (e.g., by email or post).

Legal Bases:

Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Amendment and Update of the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting them.

Rights of Data Subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw your consent at any time.
Right of access: You have the right to obtain confirmation as to whether or not data concerning you is being processed, and, where that is the case, access to this data and further information and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to demand that data concerning you be erased without undue delay or, alternatively, to demand restriction of the processing of the data in accordance with legal requirements.
Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with legal requirements, or to demand its transmission to another controller.
Complaint to supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the requirements of the GDPR.