
Data Privacy Policy

Preamble

We, BAYOOSOFT GmbH together with our affiliated companies (hereinafter collectively: "the company", "we" or "us") take the protection of your personal data seriously and would like to inform you at this point about data protection in our company.

Within the scope of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") in order to ensure the protection of personal data of the data subject (hereinafter we also refer to you, the data subject, as "customer", "user", "you" or "data subject").

Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR). With this declaration (hereinafter: "data protection information"), we inform you about the way in which your personal data is processed by us.

§ 1 Definitions

Following the example of Art. 4 of the GDPR, this data protection notice is based on the following definitions:

"Personal Data"
(Art. 4 (1) GDPR)
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
"Processing"
(Art. 4 (2) GDPR)
means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Controller"
(Art. 4 (7) GDPR)
is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
"Third Party"
(Art. 4 (10) GDPR)
means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal entities belonging to the group.
"Processor"
(Art. 4 (8) GDPR)
means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (e.g. IT service provider). In the sense of data privacy law, a processor is in particular not a third party.
"Consent"
(Art. 4 (11) GDPR)
means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

§ 2 Current Status of this Policy

(1) In the context of the further development of the data privacy law as well as technological or organisational changes, our data privacy notices are regularly reviewed for the need for adaptation or additions. You will be informed of any changes.
(2) This data protection notice is current as of March 2023.

§ 3 No obligation to provide personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case in the context of the products we offer presented below, you will be informed of this separately.

(1) In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

  • Art. 6 (1) p. 1 lit. a GDPR ("consent"): Where the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specified purposes;
  • Art. 6 para. 1 p. 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject;
  • Art. 6 para. 1 p. 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records), the processing must be carried out in compliance with the legal obligation;
  • Art. 5 para. 1 p. 1 lit. d GDPR: Where processing is necessary to protect the vital interests of the data subject or another natural person;
  • Art. 6 para. 1 p. 1 lit. e GDPR: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or

(2) Art. 6 para. 1 p. 1 lit. f GDPR ("Legitimate Interests"): Where processing is necessary for the purposes of legitimate (in particular legal or economic) interests of the controller or a third party, unless such interests are overridden by the conflicting interests or rights of the data subject (in particular where the data subject is a minor).
(3) For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases.

§ 5 Collection of personal data

(1) When you use our service, we collect personal data about you. We only collect this data if this is necessary for the fulfillment of the contract between you and us (Art. 6 para. 1 lit. b GDPR). Furthermore, we collect this data if this is necessary for the functionality of the application and your interest in the protection of your personal data does not outweigh this (Art. 6 (1) (f) GDPR) or if you consent to the collection and processing (Art. 6 (1) (a) GDPR).
(2) We collect and process the following data from you:

  • Device information: Access data includes the IP address, device ID, device type, device-specific settings and software settings as well as software properties, the date and time of the retrieval, time zone, the amount of data transferred and the message whether the data exchange was complete, software crash, browser type and operating system. This access data is processed to enable the operation of the application in technical terms.
  • A user account must be created in order to use the software. To do so, enter your first and last name.
  • Contact Form Data: When contact forms are used, the data transmitted through them are processed (e.g. gender, surname and first name, address, company, e-mail address and the time of transmission).

§ 6 Cookies

(1) We use cookies when operating our software. Cookies are small text files that are stored on the device memory of your end device and assigned to the software you are using and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make our software more user-friendly and effective overall, i.e. more pleasant for you.
(2) Cookies may contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.
(3) A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

  • Technical cookies: these are mandatory to move around within the application, use basic functions and ensure the security of the application; they do not collect information about you for marketing purposes nor do they store which web pages you have visited;
  • Performance cookies: these collect information about how you use our application, which pages you visit and, for example, whether errors occur when using the application; they do not collect information that could identify you - all information collected is anonymous and is only used to improve our application and find out what interests our users.

(4) Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your explicit and active consent pursuant to Section 25 (1) TTDSG in conjunction with Article 6 (1) sentence 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to third parties if you have given your express consent to do so in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
(5) For more information about which cookies we use and how you can manage your cookie settings and disable certain types of tracking, please see our Cookie Policy.

§ 7 Data retention period

(1) We delete your personal data as soon as they are no longer required for the purposes for which we collected or used them according to the data protection laws. As a rule, we store your personal data for the duration of the usage or contractual relationship for the software. In principle, your data is only stored on servers in Western Europe, subject to data processing by third parties.
(2) However, storage may take place beyond the specified time in the event of an (imminent) legal dispute with you or other legal proceedings.
(3) Third parties engaged by us will store your data on their system for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.
(4) Legal requirements for the storage and deletion of personal data remain unaffected by the above. If the retention period prescribed by the statutory provisions expires, the personal data will be blocked or deleted, unless further retention by us is necessary and there is a legal basis for this.

§ 8 Data security

(1) We use appropriate technical and organizational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
(2) We will be happy to provide you with more detailed information on request. Please contact our Data Protection Officer for this purpose.

§ 9 Change of Purpose

(1) Processing of your personal data for purposes other than those described will only take place if a legal provision permits this or you have consented to the changed purpose of the data processing.
(2) In the event of further processing for purposes other than those for which the data were originally collected, we will inform you of these other purposes prior to further processing and provide you with all further relevant information for this purpose.

§ 10 Responsible person and Data Protection Officer

(1) We are the controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:

BAYOOSOFT GmbH
Lise-Meitner-Straße 10
D-64293 Darmstadt
Phone: +49 (0) 6151 – 86 18 – 700
Fax: +49 (0) 6151 – 86 18 – 150
info@bayoosoft.com

(2) Our company data protection officer is available at all times to answer any questions you may have and to act as your contact person on the subject of data protection at our company. His contact details are:

dataprivacy@bayoocare.com

If you have any questions or comments about the collection and processing of your personal data, and in particular if you wish to exercise your rights, please contact the Data Protection Officer.

§ 11 Data Processing

(1) It may happen that commissioned service providers are used for individual functions of our application. As with any larger company, we also use external domestic and foreign service providers to process our business transactions (e.g. for the areas of IT, logistics, telecommunications, sales and marketing). These service providers are only active according to our instructions and are contractually obligated to comply with data protection regulations in accordance with Art. 28 GDPR.
(2) The following categories of recipients, which are usually processors, may receive access to your personal data:

  • Service providers for the operation of our app and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as these are not order processors;
  • Government agencies/authorities, insofar as this is necessary to fulfil a legal obligation. The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. c GDPR;
  • Persons engaged in the conduct of our business (e.g. auditors, banks, insurance companies, legal advisors, regulators, parties involved in acquisitions or the formation of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 p. 1 lit. b or lit. f GDPR.

(3) In addition, we will only pass on your personal data to third parties if you have given your express consent to do so in accordance with Art. 6 Para. 1 Sentence 1 lit. a GDPR.

§ 12 Transfer of personal data to third countries

(1) In the course of our business relationships, your personal data may be passed on or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), in other words in third countries. Such processing takes place exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit b or lit f in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer in the following at the relevant points.
(2) Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions. However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 Para. 1, 2 lit. c GDPR, certificates or recognized codes of conduct. Please contact our data protection officer if you would like to receive more detailed information on this.

§ 13 Data Subjects' Rights

(1) You have the following rights in relation to your personal data:

  • Information: You have the right to receive access to your personal data within the scope of Art. 15 GDPR.
  • Objection to data processing: In accordance with Art. 21 GDPR, you have the right to object to the processing of your personal data at any time. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
  • Revoking consent: Pursuant to Art. 7 (3) GDPR, you have the right to revoke your consent - i.e. your voluntary, informed and unambiguous will, made understandable by a declaration or other clear affirmative action, that you agree to the processing of the personal data in question for one or more specific purposes - at any time towards us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent in the future.
  • Right to rectification: Insofar as personal data concerning you is incorrect, you have the right to demand that we correct it without delay in accordance with Art. 16 GDPR.
  • Right to erasure: Under the conditions set out in Article 17 of the GDPR, you have the right to request the erasure of personal data concerning you. In particular, you have the right to erasure if the data in question are no longer necessary for the purposes for which they were collected or processed, if the data storage period has expired, if there is an objection or if there is unlawful processing.
  • Restriction of processing: In accordance with Article 18 of the GDPR, you have the right to demand that we restrict the processing of your personal data. You have the right to restriction of processing in particular if the accuracy of the personal data is disputed between you and us; in this case, you have the right for a period of time required to verify the accuracy. The same applies if the successful exercise of a right of objection is still disputed between you and us. You also have this right in particular if you have a right to erasure and instead of erasure you request limited processing.
  • Right to data portability: Pursuant to Art. 20 GDPR, you have the right to obtain from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with the following provisions.
  • In accordance with Art. 77 GDPR, you have the right to complain about the collection and processing of your personal data to the competent supervisory authority.

(2) If you wish to exercise any of the above rights, please contact the Data Protection Officer.