Privacy Policy of aqua cloud GmbH regarding the use of drivt.net

With drivt.net (hereinafter also referred to as the “Platform”), aqua cloud GmbH (“we”) offers an online browser-based platform for the successful launch and implementation of projects, in particular for software development, with a focus on quality assurance. As „Project Owner“, drivt.net enables you to initiate your projects and to carry them out efficiently and pursuant to the highest quality standards. As a „Project Participant“, drivt.net allows you to efficiently contribute to a project’s success in a dynamic and structured environment (Project Owner and Project Participant jointly and severally „you“ or „User“). Regarding the different functions of drivt.net, a distinction must be drawn as follows: 

1. To the extent Project Owners use drivt.net (as a software tool) for the implementation of their projects, they act for their own purposes and are thus the controller of personal data (in particular of Project Participants) processed through drivt.net. With regard to such data processing, we make reference to the privacy policy of the respective Project Owner.
2. To the extent Project Participants use drivt.net to participate in a particular project, the functions of drivt.net are made available to them on behalf of the respective Project Owner. 
3. Furthermore, aqua Cloud GmbH processes data through drivt.net for its own purposes, e.g. for services provided by aqua cloud GmbH directly to you, as a drivt.net user. Therefore, to such extent, we are the controller of your personal data.

This privacy policy relates to the processing activities, which we carry out as a controller of your personal data as described in the preceding para. (c).

• Name and contact Details of the Controller

With this privacy policy, we, aqua cloud GmbH, Scheidtweilerstr. 4, 50933 Cologne, Germany, would like to provide you with the information on how we process your personal data when you use the Platform as required pursuant to Art. 13, 14 GDPR.

You can also reach us at privacy@drivt.net. 

• What information we collect about you

Personal data is any information about you or any other identified or identifiable natural person that you share with us or that is collected by us in other ways, including:

Registration Data: When you register with drivt.net, you need to create a user account. As part of your registration, you must enter your name, contact details (e.g. address, telephone number, e-mail address), and set a personal password. We collect payment and billing information when you register for paid features of drivt.net.  In particular, we might require you to provide payment information, such as payment card details, which we collect via secure payment processing services.

Content Data: When you use drivt.net, we collect and store content that you provide us with in the course of your interaction with the Platform. This content includes any information you post, send, receive and/or share using the Platform’s features. In particular, we collect and store personal data on the content of a message you send to other Users using the Platform’s messaging feature, feedback you provide to us, files, images and links you upload, as well as created, edited or deleted items.

Usage Data: We further automatically collect and store data on specifics of your usage of the Platform. This includes the projects you create or work on, features of drivt.net you use, links you click on, the type, size and filenames of attachments you upload to drivt.net. We also collect information about the teams and Users you collaborate with and the way you collaborate with them.

Server Log Data: We collect and temporarily store further data about your usage of the Platform as log files on our servers. This includes the date and time of each visit, pages accessed, and files requested, type and version of the web browser you are using, type and operating system of the device you are using, your IP address, and the associated Country or Region.

Information Collected From Other Sources

Drivt.net offers you the functionality of using your social media credentials such as Google Authentication, Facebook Authentication, Github Authentication to use single-sign-on to enter our Site, and in that manner, we may also collect certain information from you as you log on. We will not collect more information from you when using your social media credentials beyond the information such third parties disclose to us. 

Access to your data by these third parties is not governed by this Privacy Policy.

By authorizing us to connect with a third-party service, you authorize us to access and store your name, email address(es), country, current city, profile picture URL, and other personal information that the third-party service makes available to us, and to use and disclose it in accordance with this Policy. You should check your privacy settings on these third-party services to understand and change the information sent to us through these services.

• Purposes of the processing, legal bases, and storage period

1. 1. We process the Registration Data in order to set up and manage your user account. Via your account, you can access (by means of your e-mail address and your freely chosen password) your personal settings and are able the view projects you have set up as a Project Owner or projects you are currently participating as a Project Participant. We process your login data to authenticate you when you log in and to respond to requests to reset your password. We further process your Registration Data to enforce the terms of use of drivt.net and all rights and obligations associated therewith and to contact you in order to send you technical or legal notices, updates, security messages or other messages regarding the management of the user account. 

The legal basis for the processing of your Registration Data is Art. 6 para. 1 lit. b) GDPR (performance of the contract with you on the basis of the Terms of Use of drivt.net). If you do not provide us with the Registration Data, we will not be able to conclude this contract with you and cannot provide access to drivt.net. 

The pertaining personal data will be deleted if you deactivate your account or if you do not use your account for a period of 3 years and do not react to a request to confirm the validity of your account.

In certain circumstances, you have the right to request the deletion of Personal Data held about you by contacting us at privacy@drivt.net. 

Please note that we may ask you to verify your identity before responding to such requests.

When we confirm your identity we will edit or delete your Drivt account, including all your projects, files, and personal data. This cannot be undone.

We may not be able to delete all of your data from some of our databases and that, if such is the case, we will then mark such data as permanently inaccessible.

1. We process your Content Data and Usage Data on behalf of the Project Owner in order to provide you with all features the Platform has to offer. For example, we can only facilitate collaboration with regard to a project if we process the content you upload to the Platform to store it, process it and make it available to other Project Participants and the Project Owner. Furthermore, data will be processed for the reporting functions offered by the Platform and in order to enable you to use the messaging function on drivt.net, we collect and store the content of the message you would like to send. We can only reply to your feedback if we process its content.

The legal basis for such processing of your Content Data is Art. 6 para. 1 lit. b) GDPR (performance of the contract with you on the basis of the Terms of Use of drivt.net).

1. We process Content Data and Usage Data for research and development, in particular in order to correct defects, improve our services and develop new value-added-services.

We will pseudonymize such data and process it on an aggregate level in order to gain general insights on our Platform. The legal basis for the processing of the User Data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is based on our mission to offer a state-of-the-art online project platform and to help you to successfully collaborate for effective project implementation.

The pertaining personal data will remain stored until a deletion is requested.

1. The processing of Server Log Data is technically necessary for the provision of the platform (particularly for error analyses and the prevention of abusive or fraudulent behaviour) and to ensure system security. 

The legal basis for the processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest follows from the purposes of the processing listed above. 

The pertaining personal data will remain stored for 30 days.

1. We obtain tracking analyses regarding your use of drivt.net from  

• Google Analytics 
• Google Tag Manager
• Facebook
• Hotjar
• Propellerads
• Google Doubleclick
• Amplitude
• Maxbounty
• Userflow

The legal basis for such processing activities is your consent, Art. 6 para. 1 lit. a) GDPR. Please note that you are entitled to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. 

The pertaining personal data will remain stored for 30 days.

1. Through drivt.net you may subscribe to our direct marketing offers, in particular the drivt.net newsletter, which is free of charge. In such case, we will process the personal data you provide us with and your Usage Data for direct marketing purposes. In such case, drivt.net will contact you by email or push notification with personalized information regarding the project and other services. In this context, drivt.net will also process data on your use of direct marketing information (e.g. click behaviour).

The legal basis for such processing activities is your consent, which you have provided us with upon subscribing, Art. 6 para. 1 lit. a) GDPR and our legitimate interests in marketing our and our customer’s products (Art. 6 para. 1 lit. f) GDPR, where applicable. Please note that you are entitled to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. 

This data will be deleted by drivt.net following your objection, respectively withdrawal of any consents given, or otherwise upon the end of your use at the latest, respectively it will only be stored in aggregated, anonymised form. To the extent necessary, drivt.net will store the fact that you have objected in order to prevent you being contacted further.

• Recipients in third countries

1. 1. We use the following categories of service providers who process your personal data on the basis of commissioned data processing sub-agreements in compliance with Art. 28 GDPR:

• Amplitude Inc. (Amplitude Privacy Statements & GDPR Compliance)

“The Amplitude platform does not require personally identifiable information or personal data to perform product analytics”

“Amplitude’s privacy team has reviewed our architecture, data flows, vendor capabilities and agreements to ensure that our platform is GDPR compliant.”

Amplitude is ISO27001 certified. (Amplitude ISO 27001 Certification)

“Amplitude is an ISO 27001 certified organization and has elected to adopt the ISO 27001 standard as the baseline for security governance and our Information Security Management System (ISMS). Complying with ISO 27001 provides all of our customers with the assurance that we manage information security according to a “gold standard”.”

Amplitude is SOC 2 Type 2 certified. (Amplitude Certifications)

“Amplitude undergoes an annual SOC2 (Service Organization Control 2) Type 2 review by a qualified auditor, covering all the trust principles (Security, Confidentiality, and Availability) that apply to our operations. This ensures that our practices across all aspects of the business maintain security and confidentiality of customer data. All of our audit reports are made available to all of our customers under NDA.”

Motivation:
We use Amplitude to track user actions on Login/Sign up pages and inside DrivT platform to analyze the users’ interaction with the app. Based on the gathered data we identify the blockers, bottlenecks or issues inside the application and this information helps us to improve overall user experience with DrivT.

• Google Ireland Limited (Google Privacy Policy, Google Data Safety)

       We use Google Analytics in conjunction with Google Tag Manager.
Necessary cookies for these analytics are only used if you consent to them on drivt.net

     Google Analytics which is a web analytics service. It tracks and reports website traffic such as session duration, pages per session, bounce rate etc. of individuals using the site, along with the information on the source of the traffic. It is integrated with Google Ads with which users can create and review online campaigns by tracking landing page quality and conversions (goals). Goals might include sales, lead generation, viewing a specific page, or downloading a particular file. 

Google Analytics is implemented with Google Analytics Tracking Code, which is a snippet of JavaScript code that the website owner adds to every page of the website. The tracking code runs in the client browser when the client browses the page (if JavaScript is enabled in the browser) and collects visitor data and sends it to a Google data collection server as part of a request for a web beacon.

The tracking code loads a larger JavaScript file from the Google web server and then sets variables with the user’s account number. The larger file (currently known as ga.js) was typically 40 kB as of May 2018.

The file does not usually have to be loaded, however, due to browser caching. Assuming caching is enabled in the browser, it downloads ga.js only once at the start of the visit. Furthermore, as all websites that implement Google Analytics with the ga.js code use the same master file from Google, a browser that has previously visited any other website running Google Analytics will already have the file cached on their machine.

In addition to transmitting information to a Google server, the tracking code sets a first party cookie (If cookies are enabled in the browser) on each visitor’s computer. This cookie stores anonymous information called the ClientId. 

Google Analytics can be blocked by browsers, browser extensions, firewalls and other means.

• Help Scout PBC (HelpScout GDPR Compliance, HelpScout Privacy Policy)

Help Scout has “have solid security and privacy practices in place that go beyond the requirements of” the GDPR Requirements according to Help Scout GDPR Compliance.

Help Scout does „process personal data in accordance with EU Data Protection Laws including EU’s General Data Protection Regulation (“GDPR”), ‘and the United Kingdom (UK) Data Protection Act 2018 to the extent applicable’. We also process personal data in accordance with Non-EU Data Protection Laws governing the handling of various types of personal data including the California Consumer Privacy Act (“CCPA”), Health Insurance Portability and Accountability Act (“HIPAA”), and Payment card industry compliance (“PCI”).“ according to Help Scout Data Processing Amendment 

Motivation:

We use HelpScout to provide an instant help to the users whenever they need it though the emails or via the chat. We collect users’ information in order to:

– personalize the support service, 

– ability to get back to the right user with the answer or solution,

– store the history of conversations.

• HotJar (HotJar Privacy Statement)

Motivation:

We use Hotjar to track users’ interaction with the website on the different devices. Grounding on the collected information we can spot the bugs, pain points, performance issues and identify what draws their attention, where the engagement with the app is smooth and where the biggest drop rate is.  By analyzing the gathered data, we can improve the overall user experience with the website. 

The data is required for the improvement and analysis of our website. By anonymizing the data, this statistical collection is only used to improve our services. You can find more information in Hotjar’s privacy policy at https://www.hotjar.com/legal/policies/privacy.

• Microsoft Corporation (Azure )

“Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area, United Kingdom, and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.”

From Microsoft Online Services Data Protection Addendum

“Microsoft will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Those measures shall be set forth in a Microsoft Security Policy. Microsoft will make that policy available to Customer, along with descriptions of the security controls in place for the Online Service and other information reasonably requested by Customer regarding Microsoft security practices and policies. 

In addition, those measures shall comply with the requirements set forth in ISO 27001, ISO 27002, and ISO 27018. Each Core Online Service also complies with the control standards and frameworks shown in the table in Attachment 1 to the OST (or successor location in the Use Rights) and implements and maintains the security measures set forth in Appendix A for the protection of Customer Data.

Microsoft may add industry or government standards at any time. Microsoft will not eliminate ISO 27001, ISO 27002, ISO 27018 or the standards or frameworks in the table in Attachment 1 to the OST (or successor location in the Use Rights), unless it is no longer used in the industry and it is replaced with a successor (if any).”

From Microsoft Online Services Data Protection Addendum

Motivation:

We use the Microsoft Azure platform to host DrivT itself. The geolocation of the hosting is always guaranteed to be within the EU.

• Stripe, Inc. ( Stripe Privacy Policy, Stripe Privacy Center, Stripe Security Center)

“Where applicable law requires us to ensure that an international data transfer is governed by a data transfer mechanism, we use one or more of the following mechanisms: EU Standard Contractual Clauses with a data recipient outside the EEA or the UK, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework.“
“Stripe continues to have appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the EEA and Switzerland. Stripe’s existing measures include the EU Commission’s approved Standard Contractual Clauses (SCCs) to accommodate international data transfers.

Stripe respects the privacy of everyone that engages with our products and services, and we are committed to being transparent about our privacy processes and policies. We enable millions of businesses, and in order to provide our services to our users, we collect and process personal data. To learn more about our commitment to privacy and data security, please see our Privacy Policy, the Stripe Privacy Center, and the Stripe Security Center.

“Stripe maintains and enforces a security program that addresses the management of security and the security controls employed by Stripe. We also perform risk assessments and implement and maintain controls for risk identification, analysis, monitoring, reporting, and corrective action. Stripe maintains and enforces an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle. In addition, Stripe employees, agents, and contractors acknowledge their data security and privacy responsibilities under Stripe’s policies.

Stripe applies technical and organizational measures that include the following:

• Physical access control to prevent unauthorized persons from gaining access to the data processing systems available at premises and facilities (including databases, application servers, and related hardware), where Personal Data are processed.

• Virtual access control to prevent data processing systems from being used by unauthorized persons.

• Data access control to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization.

• Disclosure control to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed.

• Entry control to audit whether data have been entered, changed or removed (deleted), and by whom, from data processing systems.

• Availability control to ensure that Personal Data are protected against accidental destruction or loss (physical/logical).

• Separation control to ensure that Personal Data collected for different purposes can be processed separately.

By default, Stripe encrypts data at rest and data in transit. We further protect your data with tools like audit logs, access management policies and certifications as described on our Payments page in the section “Security and compliance at the core”.“

Motivation:

We share your data with our payment service providers in order to offer you convenient options to pay for paid features of the Platform. We use stripe to facilitate payment options for DrivT customers.

• Twilio Inc. Sendgrid (Twilio GDPR Compliance, Twilio Data Processing Addendum)

Twilio has a “a data protection core team comprised of senior members of the Legal, Data, Security, and Architecture teams, dedicated to ensuring that Twilio is GDPR-compliant.” and “made a new addendum part of our Terms of Service, which reflects GDPR standards.” 

Twilio uses Binding Corporate Rules (Twilio BCRS) to ensure GDPR compliance.

“Binding Corporate Rules (BCRs) are binding data protection policies that are approved by European data protection authorities after significant consultation with those authorities and enable multinational businesses, such as Twilio, to make intra-organisational transfers of personal data across borders in compliance with EU data protection law. BCRs function as a code of conduct for Twilio’s data protection practices, based on strict principles established by EU data protection authorities.“

“Twilio agrees to impose data protection terms on any sub-processor it appoints that require it to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.“

Motivation:

We use Twilio Sendgrid in order to send emails to DrivT users during the sign-up process, notifications and password reset requests. Email notifications can be configured and turned off by DrivT users.

• UAB MailerLite (MailerLite Data Processing Addendum)

“MailerLite maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Data.

4.2. MailerLite’s data storage centers are in the European Union and have information storage security certificates (ISO 27001) as well as certificates of IT service management (ISO 20000) that ensure safety of Customer Data. “

“MailerLite shall at all times provide an adequate level of protection (within the meaning of Data Protection Laws) for the Customer Data Processed, in accordance with the requirements of Data Protection Laws. In the case of a transfer of Customer Personal data to a country not providing an adequate level of protection pursuant to the Data Protection Laws, the parties shall cooperate to ensure compliance with the applicable Data Protection Laws.”

“Sub-Processors used by MailerLite to Process any Customer Data protected by Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) will provide an adequate level of protection for Personal Data and have SCC integrated in their Data Processing Agreements”

“MailerLite will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Data have agreed to appropriate obligations of confidentiality.”

Motivation: 

We use MailerLite to organize email groups in order to make sure that only relevant mails are send to the right DrivT users (for example User notifications of changes in their Drivt projects). Email notifications can be configured and turned off by DrivT users.

• Userflow (Userflow GDPR Compliance, Userflow Data Processing Addendum)

“Userflow shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions“ 

“Userflow shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security and Privacy Documentation. Userflow regularly monitors compliance with these measures.”

“Userflow uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and require the same of them. List of Userflow subprocessors“ 

Motivation: 

We use Userflow to personalize users’ onboarding flow and guide through the main features of the platform. Userflow helps Drivt newcomers to sort out the main benefits of the app for them without spending much time on learning the tool’s functionality. We track users’ data to make sure that a particular user will see only those flows that are most relevant for his case.

• Links to websites/platforms of third parties

The Platform may contain links to other websites and services of third parties, e.g. to social media channels such as Facebook, Linkedin, Twitter or youtube. These third parties are exclusively responsible for the data processing on their websites/platforms. We refer to the privacy policies of the respective third party.

• No Automated Decision Making

We do not include any feature with automated decision-making in the sense of Art. 22 GDPR.

• Security

We take technical and organisational security measures to protect your personal data managed by drivt.net against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our data processing and our security measures are improved on a constant basis according to the technical developments. 

During the transfer of your personal data to drivt.net it is encrypted with Secure Socket Layer (SSL). Personal data that is exchanged between you and drivt.net or other participating enterprises is fundamentally transmitted via encrypted connections which meet the latest technical standards. 

Our employees and our retained service providers are naturally obliged to maintain confidentiality.

• Your rights to information, correction, blocking or deletion 

Every natural person whose personal data is processed by us has, in principle (i.e. depending on the respective requirements), the following rights: 

1. Should you have questions regarding our processing of your personal data, we would be pleased to provide you at any time and at no charge with information on the data stored about you (Art. 15 GDPR). 
2. You have a right to the correction of incorrect data as well as completion of incomplete data (Art. 16 GDPR).
3. You have a right to the blocking/limitation of the processing or to deletion of personal data concerning you which is no longer required or stored on grounds of legal obligations (Art. 17, 18 GDPR).
4. You have a right to the transfer of the data in a structured, standard and machine-readable format, insofar as you have provided drivt.net with the data on grounds of a consent or contract between drivt.net and you (Art. 20 GDPR). 
5. You have the right to object at any time to the processing of your data for marketing purposes (cf. Section 3.8 above; Art. 21 para. 2 and 3 GDPR).
6. You have the right to object to the processing of your personal data to the extent this is based on Art. 6 para. 1 lit. f) GDPR (legitimate interest), in which case we are only entitled to continue if we are able demonstrate compelling reasons in favor of such processing (Art. 21 para. 1 GDPR). 
7. Insofar as you have consented to a data processing, you can withdraw such consent at any time with effect for the future, i.e. the legality of the data processing remains unaffected until the date of the revocation. After a revocation of consent, you may no longer be able to use our services.

Please address your concerns in writing or by e-mail to the contact details mentioned in sections 1 and 10 of this privacy policy. Please note that we have to verify your identity to ensure that your personal data is not disclosed to unauthorised persons.

Furthermore, you are entitled to file a complaint with the competent data protection authority.

• Data protection officer 

You can contact our data protection officer at: privacy@drivt.net

• Amendments

From time to time, this privacy policy may need an update. We therefore reserve the right to amend it at any time. When you revisit drivt.net, you should therefore regularly check the privacy policy for updates.