Zaikio account data protection notice

This Data Protection Notice describes how Zaikio GmbH, Emmerich-Josef-Str. 1A, 55116 Mainz, Germany, +49 (0) 6131 617 1000, info@zaikio.com ("Zaikio" or "we" or "us" or "our") as controller processes the personal data and other information of the users ("you" or "your") in particular within the meaning of the General Data Protection Regulation ("GDPR") when creating and using a Zaikio account ("Zaikio Account") which can be used to access our cloud-based platform for the print media industry ("Zaikio Platform").

1. Categories of personal data, processing purposes and legal bases

When you create and use your Zaikio Account, we will process your personal data for the respective purposes as described below. We generally comply with the principle of data minimization and we only collect data in our products that are required for their functioning. We do not store data on stock for the sole purpose of data analysis. Providing your personal data for the purposes described below is voluntary. However, if you do not provide your personal data we will not be able to provide you with the respective services.

1.1. Creation of a Zaikio Account

If you create a Zaikio Account, you will be asked to provide the following personal data: Your name, email address, selected password. We processes such personal data for the purpose of creating your Zaikio Account. The legal basis for processing your personal data for such purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.2. Log in and single-sign-on

If you log into your Zaikio Account, we process your login information (i.e., your email address and password) to identify you and provide you with access to the services on the Zaikio Platform. Your Zaikio Account will serve as a single-sign-on, i.e., you will not have to log into each service provided on the Zaikio Platform separately once your account has been authenticated. The legal basis for processing your personal data for these purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.3. Use of apps

When you use your Zaikio Account to log into certain apps provided on the Zaikio Platform it may be required to share certain data stored in your Zaikio Account with the respective app. We will inform you of the respective data categories requested by the app and ask for your permission before allowing the app access to the respective information stored in your Zaikio Account. If you do not permit the exchange of data between your Zaikio Account and the respective app, you may not be able to log into the app. The legal basis for processing your personal data for these purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.4. Newsletter registration

With your Zaikio Account, you may sign up for our newsletter, which we regularly send to you to inform you of our services and offers. To sign up for our newsletter you need to provide a valid email address. When you sign up for our newsletter, we also store your IP address and the date and time of registration. We only use these data for the purposes of the newsletter and do not share these data with third parties. You may unsubscribe form our newsletter at any time as described in the newsletter. The legal basis for the processing of your personal data for sending newsletters is your consent (Art. 6 (1) lit. a GDPR).

1.5. Passively collected information

In addition to the personal data that you actively provide, we may automatically collect, process and store certain information on a pseudonymous basis from you:

• Device and usage information - that may include (i) information specific to the used device when logging into the Zaikio Account (including, but not limited to, model, operating system, IP address, language, carrier and similar information) and (ii) information about the use of features, functions, or notifications on the device, to recognize you and to analyze trends; and
• analytics - such as how often you use the Zaikio Account, aggregated usage, performance data. We use analytics to allow us to better understand the functionality and use of the Zaikio Account.

The legal basis for this purpose are our legitimate interests (Art. 6 (1) lit. f GDPR) which are the following: to monitor and maintain the performance of the Zaikio Account and to analyze trends, usage and activities in connection with the Zaikio Account.

2. Encryption

All data send to and from the Zaikio Platform are encrypted in accordance with the state of the art (HTTPS/TLS). This applies in particular to all programming interfaces ("APIs"), as well as mobile applications on iPads and iPhones, as well as our internal tools. All our data bases including personal data are fully encrypted. If personal data are required on local computers for development purposes, they will also be encrypted there. We try to limit these cases to a minimum and work on techniques to use anonymized data also for testing purposes.

3. Recipients

3.1. Transfer to service providers

We may engage external service providers, who act as our data processors, to provide certain services to us. When providing such services, the external service providers may have access to and/or may process your personal data. In particular, we use the following service providers for the following purposes:

• We do not operate our own servers. Instead, we use the "Heroku" platform as a service by Salesforce Inc., USA. The service is technically based on Amazon AWS. All data, including back-ups, are encrypted and stored and processed in data centers within the EU.
• We use "Amazon S3" by Amazon Inc., USA, to store documents of different kinds. Personal data are protected by security mechanisms and cannot be publicly accessed.
• We use "Amazon AWS Cloudfront" by Amazon Inc., USA, for fast delivery of data. These data are usually neither personal data, nor publicly available.
• To send emails we use the email service "Postmark" provided by Wildbit LLC, USA. Consequently, this service provider processes personal data, such as email addresses and sender/recipient information. Emails are stored for a period of 45 days for purposes of error analysis. Afterwards, all emails are irretrievably deleted.
• When you sign up for our newsletter, we will send and store your personal data collected in this regard (i.e., email address, IP address, date and time of registration) on a server of The Rocket Science Group, LLC, USA.
• For direct customer contact we use the chatting tool "Intercom" by Intercom Inc., USA. In customer service we provide your name and email address as well as your IP address (where applicable) to Intercom.
• We use the tool "Slack" by Slack Inc., Ireland to communicate internally and with some of our customers. To a small extent, personal data might be stored here if included in the chat messages. We retain chats and files for a period of 5 years to protect us in case of disputes. Afterwards, they are irretrievably deleted.
• We use logging tools such as "AppSignal" by AppSignal B.V., Netherlands, and "Papertrail" by SolarWinds Worldwide, LLC, USA. Here, every access to our products is logged to allow error analyses in case of incidents. Our products ensure that personal data are filtered already when the log messages are created. Only the IP address of incoming enquiries is stored if necessary. Otherwise, we store the date and time of your access and the website or API end point that you visit. All log data are deleted after 7 days.
• To measure road distance between two locations, we use the "Google Maps" API by Google Inc., USA. We thereby transmit the start and destination of a shipment in anonymous form, i.e., we transfer the name of the street, postal code, city and country. Neither the name of the sender, nor of the recipient, nor house numbers are not transferred. Google states that it does not store data from API queries.
• We use Stripe Payments Europe Ltd. as payment services platform provider to facilitate payment transactions in connection with your use of the Zaikio Account. However, we do not share your personal data with Stripe; any transfer of your personal data to Stripe will be done by yourself in connection with payments made via our payment form.

Those external service providers will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data and to process the personal data only as instructed.

3.2. Other recipients

Some of our colleagues administering the Zaikio Account may be employees of our group companies. When administering the Zaikio Account, our colleagues may have access to and/or may process your personal data. The respective transfer of your personal data is based on our legitimate interests. Our legitimate interests are the transmission of personal data within the group of companies for internal administrative and support purposes. The access is limited to colleagues with a need to know. More information on the balancing test is available upon request. We may also transfer your personal data to law enforcement agencies, governmental authorities, legal counsel and external consultants in compliance with applicable data protection law. The legal basis for such processing is compliance with a legal obligation to which we are subject or legitimate interests, such as our legitimate interest in exercise or defense of legal claims. More information on the balancing test is available upon request.

3.3. International transfers of personal data

The personal data that we collect or receive about you may be transferred to and processed by recipients which are located inside or outside the European Economic Area ("EEA") and which do not provide for an adequate level of data protection. The countries that are recognized to provide for an adequate level of data protection from an EU law perspective (Art. 45 GDPR) are Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and the Eastern Republic of Uruguay. Recipients in the US may partially be certified under the EU-U.S. Privacy Shield and thereby deemed to provide for an adequate level of data protection from an EU law perspective (Art. 45 GDPR). To the extent your personal data are transferred to countries that do not provide for an adequate level of data protection from an EU law perspective, we will base the respective transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission (Art. 46 (2) GDPR), to the extent this is required. You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 6. The access is limited to recipients with a need to know. Salesforce Inc., Amazon Inc. Amazon Webs Services, Inc., Wildbit LLC, The Rocket Science Group LLC, Intercom Inc., SolarWinds Worldwide, LLC, and Google, Inc. are all privacy shield certified.

4. What rights do you have and how can you assert your rights?

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. Pursuant to applicable data protection law you may have the right to: request access to your personal data, request rectification of your personal data; request erasure of your personal data, request restriction of processing of your personal data; request data portability, and object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights please refer to the Exhibit Your Rights. You also have the right to lodge a complaint with a data protection supervisory authority. To exercise your rights please contact us as stated in Section 6.

5. How long do we keep your personal data?

Your personal data will be retained as long as necessary to provide you with the services requested. When we no longer need to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which we are subject, e.g. statutory retention periods which can result from the Commercial Code or Tax Code and usually contain retention periods from 6 to 10 years, or if we need it to preserve evidence within the statutes of limitation, which is usually 3 years but can be up to 30 years. If you close your Zaikio Account in one of our products, your personal data associated with your Zaikio Account will be deleted within 7 days (unless a longer deletion period applies, see above). Since we retain data base backups for up to 30 days, a permanent and irretrievable deletion of all data under our control will take place after 37 days. As soon as a Zaikio Account is deleted within our products, the respective data are no longer available. In web interfaces as well as in our APIs, it is addressed as "deleted user". Specific other retention periods, e.g. concerning log files, are stated in the context of the respective provision above.

6. Contact us

If you have concerns or questions regarding this Data Protection Notice, please contact us as follows:

Mein-Datenschutzbeauftragter.de
Herr Philipp Herold
Tel.: +49 451 1608 5213
E-Mail: privacy@zaikio.com

Exhibit
Your Rights

1. Right of access

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access. The right of access is limited pursuant to Section 34 FDPA. The right of access does e.g. not apply if the data (a) were recorded only because they may not be erased due to legal or statutory provisions on retention, or (b) only serve the purposes of monitoring data protection or safeguarding data, and providing information would require a disproportionate effort, and appropriate technical and organizational measures make processing for other purposes impossible. You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

2. Right to rectification

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure ("right to be forgotten")

Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data. Such right to erasure does pursuant to Section 35 FDPA, for instance, not apply if in the case of a non-automated processing erasure would be impossible or would involve disproportionate effort due to the specific mode of storage and if your interest in erasure can be regarded as minimal. In such case, you may have the right to restriction of processing.

4. Right to restriction of processing

Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

5. Right to data portability

Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

6. Right to object

Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.