SaaS App – Data Protection
Status: March 2022
Table of contents
- Name and address of the responsible persons
- Contact details of the data protection officer
- General information on data processing
- Rights of the data subject
- Provision of the app and creation of the log files
- Use of cookies
- Email contact
- Plugins used
- Use of Software Development Kits (SDK)
- Telemetry data
I. Name and address of the responsible entity
The controller within the meaning of the General Data Protection Regulation (DSGVO) and other data protection regulations is:
Palturai GmbH
Reifenberger Str. 1
65719 Hofheim
Germany
+49 (0) 6192 / 956 999 0
II. Contact details of the data protection officer
The data protection officer of the controller is:
DataCo GmbH
Dachauer Straße 65
80335 München
Germany
+49 89 7400 45840
III. General information on data processing
On this page, we inform you about the data protection provisions applicable in the “Palturai Web App” (hereinafter “Palturai”, “App” or “Web App”). The App is an offer of Palturai GmbH, Reifenberger Str. 1, 65719 Hofheim, Germany (“Palturai GmbH”, “we” or “us”).
It is a web application in the business segment and allows customers to take advantage of the following functionalities:
· Visualization of a network of public, international company and decision-maker data.
· Integration of customer’s own business partner data via upload and tagging functions.
· Provision of network insights, determined with algorithms and analytics, for various use cases from the areas of Sales & Marketing, Risk & Fraud, Compliance and Research.
The provision of these functionalities is in line with the purposes of the processing. In addition, personal data is processed to contact us for support and information purposes, and to ensure continuous improvement and security of the system, as well as error-free functioning of the Palturai Web App.
1. Purposes and scope of the processing of personal data
We process personal data of our users for the purpose of contract performance and to the extent necessary to provide a functional app and our content and services. In addition, the processing of personal data of our users is carried out after the consent of the user, if there is a legitimate interest of the processing or a processing of personal data is necessary for the performance of a contractual relationship. By using our app, the following personal data may be processed:
User management:
· Name
· First name
· Email address
· Company affiliation
Customer upload and tagging:
· Name
· First name
· Place of residence, country
· Date of birth
· Company affiliation
Data displayed in the web app:
· Last name
· First name
· Place of residence, country
· Date of birth
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 para. 1 p. 1 lit. a DSGVO serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 p. 1 lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 para. 1 p. 1 lit. f DSGVO serves as the legal basis for the processing.
3. Recipients of personal data
The personal data of the Palturai web app are primarily made available to the users of the web app. These are customers of Palturai GmbH or its subsidiaries.
Thereby, the types of personal data mentioned in point 1 are partly provided to different recipients within the customers.
User Management:
The Palturai web app works with a client-based user management. This allows the administrator of the respective client to view the personal data of the client’s users.
Client upload and tagging:
The raw data is viewable only by Palturai. For users, only a flag is visible in the database when a Palturai record matches a client record. Again, this is only visible within a client.
Data displayed in the web app:
This data is visible to all users.
In addition, various processors may be recipients of personal data if they provide a partial service of the processing operation. Categories of recipients of personal data are in particular:
· Hosting service providers
· Other processors engaged to provide and improve our app.
In addition, it is possible that personal data will be transferred to partner companies of Palturai GmbH as part of the service provision and provision of the app. Recipients within the Palturai group of companies are in particular:
· Palturai Austria GmbH
· Palturai Inc.
· Palturai sp. z o.o.
If recipients of personal data are located outside the EU or the EEA, Palturai GmbH actively creates suitable guarantees for legally compliant data transfer to third countries, e.g. by concluding standard data protection clauses in accordance with Art. 46 para. 2 lit. c DSGVO.
4. Data deletion and storage duration
The personal data of the data subject shall be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Blocking or deletion of the data will also take place at the latest when a storage period prescribed by the aforementioned standards expires, unless there is a necessity for further storage of the data for the conclusion or fulfillment of a contract.
5. Possibility of objection and elimination
You can object to the processing of your personal data at any time by sending an informal email to datenschutz@palturai.com. You can also use this email address to exercise all other rights you have as a data subject. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
IV. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the DSGVO and you have the following rights vis-à-vis the controller:
1. Right of access
You may request confirmation from the controller as to whether personal data concerning you are being processed by him.
If there is such processing, you may request information from the controller about the following:
· the purposes for which the personal data are processed;
· the categories of personal data which are processed;
· the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
· the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage period;
· the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
· the existence of a right of appeal to a supervisory authority;
· any available information about the origin of the data, if the personal data are not collected from the data subject;
· the existence of automated decision-making, including profiling, pursuant to Art. 22 para. 1 and para. 4 DSGVO and, at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information about whether personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 DSGVO in connection with the transfer.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
3. Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
· you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
· the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
· the controller no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise or defense of legal claims; or
· if you have objected to the processing pursuant to Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate grounds of the controller outweigh your grounds.
Where the processing of personal data concerning you has been restricted, such data may be processed, with the exception of storage, only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erasure
You may request the controller to erase the personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay, if one of the following reasons applies:
· The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
· You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 p. 1 lit. a or Art. 9 para. 2 lit. a DSGVO and there is no other legal basis for the processing.
· You object to the processing pursuant to Art. 21 para. 1 DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 DSGVO.
· The personal data concerning you has been processed unlawfully.
· The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
· The personal data concerning you has been collected in relation to information society services offered in accordance with Art. 8 para. 1 DSGVO.
b) Information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 para. 1 DSGVO, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.
c) Exceptions
The right to erasure does not exist insofar as the processing is necessary
· to exercise the right to freedom of expression and information;
· to comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
· for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 DSGVO;
· for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89 para. 1 DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
· for the assertion, exercise or defense of legal claims.
5. Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right against the controller to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, if
· the processing is based on consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 p. 1 lit. b DSGVO and
· the processing is carried out with the aid of automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 p. 1 lit. e or f DSGVO; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to processing of the personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
9. Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects vis-à-vis you or similarly significantly affects you. This does not apply if the decision
· is necessary for the conclusion or performance of a contract between you and the controller,
· is permissible on the basis of legal provisions of the Union or the Member States to which the controller is subject and these legal provisions contain appropriate measures to protect your rights and freedoms as well as your legitimate interests, or
· is made with your explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 DSGVO, unless Art. 9 para. 2 lit. a or b DSGVO applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases referred to in 1. and 3. above, the controller shall take reasonable measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express his own point of view and to contest the decision.
10. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the DSGVO.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.
V. Deployment of the app and creation of the log files
1. Description and scope of data processing
Each time our app is called up, our system automatically collects data and information from the computer system of the calling computer.
The following data is collected in this context:
· Information about the browser type and version used.
· The operating system of the user
· Date and time of access
· IP address
This data is stored in the log files of our system. Storage of this data together with other personal data of the user does not take place.
The app is hosted using computing capacity provided by the service provider:
T-Systems International GmbH
Hahnstrasse 43d
60528 Frankfurt am Main
Germany
The service provider may gain access to the above-mentioned data. If EU citizens use our app, the server locations of the service provider are in Germany (Biere / Magdeburg).
2. Purpose of data processing
The temporary processing of the IP address by the system is necessary to enable delivery of the app to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the app. In addition, we use the data to optimize the app and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 p. 1 lit. f DSGVO.
3. Legal basis for data processing
The legal basis for the temporary storage of data is Art. 6 para. 1 p. 1 lit. f DSGVO.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the app, this is the case when the respective session has ended.
In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or obscured so that the calling client can no longer be identified.
5. Possibility of objection and elimination
The collection of data for the provision of the app and the storage of the data in log files is mandatory for the operation of the app. Consequently, there is no possibility of objection on the part of the user.
VI. Use of cookies
1. Description and scope of data processing
Our app uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user calls up our app, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that enables the browser to be uniquely identified when the app is called up again.
We use cookies to make our app more user-friendly. Some elements of our app require that the calling browser can be identified even after a page change.
In the process, the following data is stored and transmitted in the cookies:
· Language settings
The user data collected in this way is pseudonymized by technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data is not stored together with other personal data of the users.
2. Purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of the app for users. Some functions of our app cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.
We require cookies for the following applications:
· Acceptance of language settings.
The user data collected through technically necessary cookies are not used to create user profiles.
3. Legal basis for data processing
The legal basis for the use of technically necessary cookies and related data processing is § 25 para. 2 TTDSG in conjunction with Art. 6 para. 1 lit. f) DSGVO. The processing serves to facilitate your use of our app and to be able to offer you our services as desired. Some functions of our app also do not work without the use of these cookies and could therefore not be offered. Our legitimate interest in processing the cookies results from the aforementioned purposes.
The cookies are deleted after the session ends, after the expiration of a specified duration or after manual deletion in the browser.
The legal basis for the use of technically unnecessary cookies is your consent, which you give us via the cookie banner in accordance with § 25 para. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a) DSGVO. For these services, you can revoke your consent at any time with effect for the future or subsequently grant it again by accessing your cookie and privacy settings online via our privacy information and configuring them accordingly. Alternatively, you can prevent the storage of cookies by selecting the appropriate settings on your browser software. Please note that the browser settings you make only ever apply to the browser you are using.
4. Duration of storage, possibility of objection and removal
Cookies are stored on the user’s computer and transmitted from it to our app. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our app, it may no longer be possible to fully use all functions of the app.
If you use a Safari browser from version 12.1, cookies are automatically deleted after seven days. This also applies to opt-out cookies, which are set to prevent tracking measures.
VII. Email contact
1. Description and scope of data processing
On our app, it is possible to contact us via the email address provided. In this case, the user’s personal data transmitted with the email will be stored.
The data is used exclusively for processing the conversation.
2. Purpose of data processing
In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.
3. Legal basis for data processing
The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 para. 1 lit. f DSGVO. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The data is stored to ensure the fulfillment of the agreed contractual relationship. The data will be deleted upon request or after the end of the contractual relationship (whichever occurs earlier).
5. Revocation and elimination possibility
The user has at any time the possibility to revoke his consent to the processing of personal data. If the user contacts us by email to datenschutz@palturai.com, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
All personal data stored in the course of contacting us will be deleted in this case.
IX. Plugins used
Use of Hotjar
1. Scope of the processing of personal data
We use the web analytics service Hotjar provided by Hotjar Ltd, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (hereinafter: Hotjar). Among other things, Hotjar uses cookies, i.e. small text files that are stored locally in the cache of your web browser on your terminal device and that enable an analysis of your use of our online presence. This allows personal data to be stored and analyzed, in particular the user’s activity (especially which pages have been visited and which elements have been clicked on), device and browser information (especially the IP address and operating system) and a tracking code (pseudonymized user ID). The information collected in this way is transmitted by Hotjar to a server in Ireland and stored there in anonymized form. Further information on the processing of data by Hotjar can be found here:
https://www.hotjar.com/legal/policies/privacy
2. Purpose of data processing
The use of the Hotjar plug-in serves to better understand the needs of our users and to optimize the offer on this online presence.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is basically the user’s consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO.
4. Duration of storage
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.
5. Revocation and removal option
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
You can prevent the collection as well as the processing of your personal data by Hotjar by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, disabling the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
You can deactivate the use of your personal data by Hotjar using the following link: https://www.hotjar.com/legal/compliance/opt-out.
For more information on objection and removal options vis-à-vis Hotjar, please visit: https://www.hotjar.com/legal/policies/privacy
X. Use of Software Development Kits (SDK)
1. Description of the use of SDK
We use Software Development Kits to provide functional modules. For this purpose, the code used is embedded in the SDK.
Third-party libraries used:
· Angular
· yWorks
· Angular Material
XI. Telemetry data
1. Description and scope of data processing
We collect telemetry data on our app. We implement this without the use of third-party tools.
2. Purpose of data processing
The data is processed for the following purposes:
· Infrastructure monitoring
· Application monitoring
· Resource optimization
· Troubleshooting
· Log analysis
3. Legal basis for data processing
The collection of this data is based on Art. 6 para. 1 lit. f DSGVO. The app operator has a legitimate interest in the technically error-free presentation and optimization of its app.
4. Duration of storage
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.
5. Objection and removal options
You may object to the processing of your personal information at any time by sending an informal email to datenschutz@palturai.com. You can also use this email address to exercise all other rights you have as a data subject.
We reserve the right to make changes to this privacy policy at any time. The Privacy Policy will be updated regularly and any changes will be automatically posted on the Palturai web app.
This privacy policy was created with the support of DataGuard.