Privacy

Table of contents

  1. Contact information
  2. Data processing on the DocDroid platform
  3. Your rights
  4. Log files
  5. Cookies
  6. Email contact
  7. Contact form
  8. Company social profiles
  9. Hosting
  10. Geotargeting
  11. Registration
  12. Payment and credit check
  13. Content delivery networks

Change to our privacy policy

We reserve the right to change our Privacy Policy and other terms stated below at any time. If we make changes, we’ll clearly indicate them at the top of this page with the date of modification.

April 4, 2023: We have reworked our privacy policy with our new data protection officer.


1. Contact Information

Contact details of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

Lunaweb GmbH
Nördliche Münchner Straße 14a
DE-82031 Grünwald
Germany
info@docdroid.net

Contact details of the data protection officer

The data protection officer of the data controller is:

DataCo GmbH
Nymphenburger Str. 86
DE-80636 Munich
Germany
+49 89 7400 45840
www.dataguard.de


2. Data processing on the DocDroid platform

Scope of processing personal data

In general, we only process the personal data of our users to the extent necessary to provide a functioning website with our content and services. The regular processing of personal data only takes place with the consent of the user. Exceptions include cases where prior consent cannot be technically obtained and where the processing of the data is permitted by law.

Legal basis for the processing

Where consent is appropriate for processing personal data, Art. 6 (1) (1) (a) GDPR serves as the legal basis to obtain the consent of the data subject for the processing of their data.

As for the processing of personal data required for the performance of a contract of which the data subject is party, Art. 6 (1) (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual activities.

When it is necessary to process personal data in order to fulfil a legal obligation to which our company is subject, Art. 6 (1) (1) (c) GDPR serves as the legal basis.

If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (1) (d) GDPR serves as the legal basis.

If the processing of data is necessary to safeguard the legitimate interests of our company or that of a third party, and the fundamental rights and freedoms of the data subject do not outweigh the interest of the former, Art. 6 (1) (1) (f) GDPR will serve as the legal basis for the processing of data.

Data removal and storage duration

The personal data of the data subject will be erased or restricted as soon as the purpose of its storage has been accomplished. Additional storage may occur if this is provided for by the European or national legislator within the EU regulations, law, or other relevant regulations to which the data controller is subject. Restriction or erasure of the data also takes place when the storage period stipulated by the aforementioned standards expires, unless there is a need to prolong the storage of the data for the purpose of concluding or fulfiling the respective contract.

Your documents are deleted irreversible from our servers within 7 days when use the "Delete" button. Documents are deleted automatically after 60 days without view (Does not apply to Pro accounts).

If you delete your account, all personal data and all your documents will be permanently deleted within 7 days.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. When you delete your account, all associated data is permanently deleted within 7 days. Deleting your account also deletes all data stored at payment provider Stripe and ticket system Freshdesk (if there is any). Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.


3. Your rights

Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

  • If your personal data is processed, you have the right to obtain information from the controller about the data stored about you (Art. 15 GDPR).
  • If incorrect personal data is processed, you have a right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you may request the deletion or restriction of processing (Art. 17 and 18 GDPR).
  • If you have consented to the data processing or if a contract for data processing exists and the data processing is carried out with the help of automated procedures, you may have a right to data portability (Art. 20 GDPR).
  • If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to processing of the personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.(Art. 21 GDPR)

Furthermore, there is a right of appeal to a supervisory authority (Art. 77 GDPR).

The supervisory authority responsible for us is:

The Bavarian State Office for Data Protection Supervision (BayLDA)
Postal address: P.O. Box 1349, 91504 Ansbach, Germany
Phone: 0981/ 180093-0
Fax: 0981/ 180093-800
E-mail: poststelle@lda.bayern.de
Web: www.lda.bayern.de


4. Log files

Description and scope of data processing

Each time our platform is called up, our system automatically collects data and information from the operating system of the calling device.

The following data is collected:

  • Browser type, browser version and operating system
  • Referrer URL of the user
  • IP address and broad location based on the IP address
  • Date and time of access

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Purpose of the processing

The temporary storage of the IP address by the system is necessary to enable delivery of the platform to the user's device. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the platform and to prevent abuse. In addition, we use the data to optimise the platform and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 (1) (f) GDPR.

Legal basis for the processing

The legal basis for the temporary storage of the data and the log files is Art. 6 (1) (f) GDPR.

Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the platform, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after 14 days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

Possibility of objection and removal

The collection of data for the provision of the platform and the storage of the data in log files is mandatory for the operation of the platform.


5. Cookies

Description and scope of data processing

Our platform uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's device. When a user calls up a platform, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables the device to be uniquely identified when the platform is called up again.

We use cookies to make our platform more user-friendly. Some elements of our platform require that the calling device can be identified even after a platform change.

The following data is stored and transmitted in the cookies:

  • Language settings
  • Entered search terms
  • Functionality of the website
  • Identifiers of uploaded documents

Purpose of the processing

The purpose of using technically necessary cookies is to simplify the use of the platform for users. Some functions of our platform cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

We need cookies for the following functionality of the application:

  • Access of previously uploaded files
  • Applying language settings
  • Log-in functionality

The user data collected through technically necessary cookies are not used to create user profiles.

Legal basis for the processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (f) GDPR.

The legal basis for the use of technically necessary cookies is § 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (f) GDPR.

Duration of storage,
Possibility of objection and elimination

Cookies are stored on the user's computer and transmitted from it to our platform. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our platform, it may no longer be possible to use all functions of the platform to their full extent.

If you use a Safari browser from version 12.1, cookies are automatically deleted after seven days. This also applies to opt-out cookies that are set to prevent tracking measures.


6. Email contact

Description and scope of data processing

Within our platform, it is possible to contact us via the email address provided. In this case, the user's personal data transmitted with the email will be stored. The following data is transmitted to us:

  • E-mail address
  • Name
  • Pseudonym
  • IP address of the calling computer
  • Date and time of the call

By contacting us via e-mail, the data processed is transferred to the service provider:

Freshworks Inc., 2950 S. Delaware Street, Suite 201. San Mateo, California, USA (hereinafter referred to as: Freshdesk).

The data is transferred to Freshworks servers in the USA. Part of the order processing contract with Freshworks are so-called EU standard contractual clauses ((Art. 46 (2) (c) GDPR)). These are to be classified as a safeguard for the protection of the transfer and processing of personal data outside the EU.

For more information, please visit: https://www.freshworks.com/data-processing-addendum/

Freshdesk is a web-based customer relationship management (CRM) platform and ticket management solution that enables us to plan and monitor our customer support activities.

Further information on the collection and storage of data by Freshworks can be found here: https://www.freshworks.com/privacy/ and https://www.freshworks.com/gdpr/company/

The data is used exclusively for processing the conversation.

Purpose of the processing

In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

Legal basis for the processing

The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 (1) (f) GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The additional personal data collected during the sending process will be deleted after a period of 14 days at the latest .

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. When you delete your account, all associated data is permanently deleted within 7 days. Deleting your account also deletes all data stored at payment provider Stripe and ticket system Freshdesk (if there is any). Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.

In such a case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case.


7. Contact form

Description and scope of data processing

A contact form is available on our platform, which can be used for electronic contact. If a user uses this option, the data entered in the input mask is transmitted to us and stored.

  • E-mail address
  • Name
  • Pseudonym
  • IP address of the calling computer
  • Date and time of the call

In connection with the data processing through the contact forms, the data is transferred to the following service provider:

Freshworks Inc., 2950 S. Delaware Street, Suite 201. San Mateo, California, USA (hereinafter referred to as: Freshdesk).

The data is transferred to Freshworks servers in the USA. Part of the order processing contract with Freshworks are so-called EU standard contractual clauses ((Art. 46 (2) (c) GDPR)). These are to be classified as a safeguard for the protection of the transfer and processing of personal data outside the EU.

For more information, please visit: https://www.freshworks.com/data-processing-addendum/

Freshdesk is a web-based customer relationship management (CRM) platform and ticket management solution that enables us to plan and monitor our customer support activities.

Further information on the collection and storage of data by Freshworks can be found here: https://www.freshworks.com/privacy/ and https://www.freshworks.com/gdpr/company/

The data is used exclusively for processing the conversation.

Purpose of the processing

The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the submission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Legal basis for the processing

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. Our legitimate interest results from the purpose of the data processing. If the e-mail contact is aimed at the conclusion or implementation of a contractual relationship, the additional legal basis for the processing is Art. 6 (1) (b) GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The additional personal data collected during the submission process will be deleted at the latest after the end of the contractual relationship or the end of the general use of the platform.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. When you delete your account, all associated data is permanently deleted within 7 days. Deleting your account also deletes all data stored at payment provider Stripe and ticket system Freshdesk (if there is any). Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.

In such a case, the conversation cannot be continued.


8. Company social profiles

Use of social networks

We use different networks for our company websites. When using some networks, personal data may be transferred to servers in the USA. In order to ensure appropriate guarantees for the protection of the transfer and processing of personal data outside the EU, the transfer of data to and processing of data by the networks listed below is carried out on the basis of appropriate guarantees pursuant to Art. 46 et. seq. GDPR, in particular by concluding so-called standard data protection clauses pursuant to Art. 46 (2) (c) GDPR.

Twitter

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland

On our company website, we provide information and offer Twitter users the opportunity to communicate. If you carry out an action on our Twitter company website (e.g. comments, posts, likes, etc.), it may be that you make personal data (e.g. clear name or photo of your user profile) public. However, since we generally or to a large extent have no influence on the processing of your personal data by Twitter, the company jointly responsible for the Lunaweb GmbH company website, we cannot make any binding statements about the purpose and scope of the processing of your data.

Our corporate presence in social networks is used for communication and information exchange with (potential) customers. In particular, we use the corporate presence to present the company and its services.

In this context, publications about the company's appearance may contain the following contents:

  • Information about products
  • Information about services
  • Customer contact

Every user is free to publish personal data through activities. The legal basis for data processing is Art. 6 (1) (a) GDPR. The data generated by the company website is not stored in our own systems.

You can object at any time to the processing of your personal data that we collect in the context of your use of our Twitter corporate presence and assert your data subject rights as stated under IV. of this privacy policy. To do so, send us an informal email to info@cloudconvert.com. You can find more information about the processing of your personal data by Twitter and the corresponding objection options here:

For more information, please visit: https://twitter.com/de/privacy


9. Hosting

Use of service providers

The platform is hosted on servers of a service provider commissioned by us.

Our service providers is:

  • OVH GmbH, Christophstraße 19, 50670 Köln, Germany

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the platform. The information stored is:

  • Browser type, browser version and operating system
  • Referrer URL of the user
  • IP address and broad location based on the IP address
  • Date and time of access

This data is not merged with other data sources. The collection of this data is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.

The location of the website's server is geographically in Germany.


10. Geotargeting

Use of geotargeting

We use the IP address and other information provided by the user (in particular postcode in the context of registration or ordering) for regional targeting (so-called "geotargeting").

Regional targeting is used, for example, to automatically show you regional offers or advertisements that are often more relevant to users. The legal basis for the use of the IP address and, if applicable, other information provided by the user (in particular postcode) is Art. 6 (1) (f) GDPR, based on our interest in ensuring more precise targeting and thus providing offers and advertising with higher relevance for users.

In the process, part of the IP address and the additional information provided by the user (in particular postcode) are merely read out and not stored separately.

You can prevent geotargeting by using, for example, a VPN or proxy server that prevents precise localisation. In addition, depending on the browser used, you can also deactivate location localisation in the corresponding browser settings (insofar as this is supported by the respective browser).

We use geotargeting on our platform for the following purposes:

  • Determination of the value added tax
  • Platform functions such as customer targeting
  • Geoblocking

11. Registration

Description and scope of data processing

On our platform, we offer users the opportunity to register by providing personal data. The data is entered in an input mask and transmitted to us and stored.

Registration allows the user to use the extended service functionality and access the previously converted files.

The data will not be passed on to third parties. The following data is collected as part of the registration process:

  • Email address
  • Pseudonym
  • Profile picture
  • IP address of the calling computer
  • Date and time of registration

You can also register/create a customer account via your Facebook, Google or Twitter account. In this case, you do not have to enter your data manually and we receive your data (Pseudonym, e-mail address, profile picture ) from Facebook, Google or Twitter, which we need to create a customer account for you. The personal data transmitted to us in this way will be used to the extent and for the purposes specified in your account settings on Facebook or in your Google or Twitter account.

As part of the registration process, the user's consent to the processing of this data is obtained.

Purpose of the processing

Registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures.

To use the extended services of CloudConvert, it is necessary to register to clearly distinguish the user and allocate the desired resources.

Legal basis for the processing

The legal basis for the processing serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures. Therefore, the additional legal basis for the processing of the data is Art. 6 (1) (b) GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

This is the case for the data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. When you delete your account, all associated data is permanently deleted within 7 days. Deleting your account also deletes all data stored at payment provider Stripe and ticket system Freshdesk (if there is any). Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.

If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.


12. Payment and credit check

Description and scope of data processing

We offer our customers various payment options for processing costs incurred through the provision of our service. For this purpose, we forward customers to the platform of the corresponding payment service provider, depending on the payment option. After completion of the payment process, we receive the payment data of the customers from the payment service providers or our house bank and process them in our systems for the purpose of invoicing and accounting.

Payment by credit card

It is possible to complete the payment process by credit card.

If you have selected payment by credit card, payment data will be passed on to payment service providers for payment processing. All payment service providers comply with the specifications of the "Payment Card Industry (PCI) Data Security Standards" and have been certified by an independent PCI Qualified Security Assessor.

Within the framework of payment by credit card, the following data are regularly transmitted:

  • Purchase amount
  • Date and time of purchase
  • First name and surname
  • Address
  • Email address
  • Credit card number
  • Period of validity of the credit card
  • Security code (CVC)
  • IP address
  • VAT ID

Payment data is passed on to the following payment service providers:

  • Sripe Inc.

Further information on the data protection guidelines as well as revocation and removal options vis-à-vis the payment service providers can be found here: https://stripe.com/en-gb-de/privacy

Payment by SEPA direct debit mandate

Your data will be processed for the purpose of carrying out the SEPA direct debit procedure for the settlement of costs incurred through the use of our services.

The personal data that Lunaweb GmbH collects from you for the above-mentioned purpose results from the "SEPA direct debit mandate". As soon as we have received the SEPA direct debit mandate signed by you, the data provided by you therein will be stored for the debiting of costs incurred. The data will be transferred to the participating banking institutions ( Stripe Inc., house bank of Lunaweb GmbH and the banking institution specified by you) within the framework of the direct debit procedure.

Purpose of the data processing

The transmission of payment data to payment service providers serves to process the payment, e.g. when you purchase a product and/or use a service, as well as to carry out direct debit procedures.

Legal basis for the data processing

The legal basis for the data processing is Art. 6 (1) (b) GDPR, as the processing of the data is necessary for the execution of the concluded purchase contract.

Duration of the storage

All payment data as well as data on possible chargebacks will only be stored for as long as they are needed for payment processing and possible processing of chargebacks and debt collection as well as for combating misuse.

Furthermore, payment data may be stored beyond this if and as long as this is necessary to comply with statutory retention periods or to prosecute a specific case of misuse.

Your personal data will be deleted upon expiry of the statutory retention obligations, i.e., after 10 years at the latest.

Possibility of objection and removal

You can revoke your consent to the processing of your payment data at any time by deleting your account, notifying the responsible party or the payment service provider used. However, the payment service provider used may still be entitled to process your payment data if and as long as this is necessary for the contractual processing of payments.


13. Content delivery networks

Description and scope of data processing

On our website we use functions of the content delivery network OVHcloud of OVH GmbH (Hereinafter referred to as OVHcloud). A Content Delivery Network (CDN) is a network of regionally distributed servers connected via the Internet to deliver content, especially large media files such as videos. OVHcloud offers web optimization and security services that we use to improve the load times of our website and to protect it from misuse. When you visit our website you will be connected to the servers of OVHcloud, e.g. to retrieve content. This allows personal data to be stored and evaluated in server log files, the user's activity (e.g. which pages have been visited) and device and browser information (e.g. IP address and operating system). Further information on the collection and storage of data by OVHcloud can be found here: https://www.ovhcloud.com/de/personal-data-protection/

Purpose of the processing

The use of OVHcloud features serves to deliver and accelerate online applications and content.

Legal basis for the processing

The collection of this data is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.

Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this Privacy Policy or as required by law.

Possibility of objection and removal

Information about objection and removal options regarding OVHcloud can be found at: https://www.ovhcloud.com/de/personal-data-protection/