What are personal data?
Personal data are data relating to an identified or identifiable natural person, e.g. relating to you. This includes, for example, your name, e-mail address, telephone number, postal address, credit card data and the IP address of your device.
What are IP addresses?
IP addresses are combinations of numbers used to identify devices that are connected to the internet. Each computer or other device connected to the internet is associated with a specific IP address.
What is a cookie?
Cookies are small text files which are set by many websites in your browser on your device. A cookie generally includes, inter alia, the name of the domain from where the cookie has been set, the “lifetime” of the cookie and a unique number assigned to the cookie. Cookies may, depending on the function of the individual cookie, also store device-related information on the terminal device, so that the websites recognise the user on its next visit, or store statistical data on the use of the respective websites and services.
- a) When you access our Services, data on this access are collected in so-called “server log files”. The data collected include: name of the website or file accessed, date and time of the retrieval, data volume transmitted, browser and operating system you use, the website visited before (so-called “referrer URL”), your IP address, your Internet provider and a confirmation on the successful retrieval of the respective website accessed.
The legal basis for data processing enabling the use of the website is Art. 6 (1) (f) of the General Data Protection Regulation (“GDPR”) or, if you are already registered for the Services, the legal basis is Art. 6 (1) (b) GDPR.
CloudRail will also make use of the data collected via the server log files for ensuring security and preventing misuse of the Services. CloudRail reserves the right to subsequently verify these data if, due to precise indications, there are reasonable grounds for suspecting an unlawful use of websites and services. The legal basis of this processing is Art. 6 (1) (f) GDPR, whereby our legitimate interest is providing the security of our Services.
In addition, CloudRail processes statistical data on the use of the Services to improve the Services and to detect and fix any occurring malfunctions, pursuant to Art. 6 (1) (f) GDPR. CloudRail’s legitimate interest is to provide user-friendly, fully functioning Services in line with the user’s preferences and interests.
You can generally set your browser in such a way that you are informed when cookies are set, that the setting of cookies is excluded for certain cases or generally or that the setting of cookies is only permitted in individual cases. You can also delete stored cookies in the settings of your browser. However, if you deactivate cookies, the functionality of CloudRail’s websites may be restricted.
Sec. 2 Use of personal data of registered users
- a) In order to use some of our Services, including parts of our websites, you must first register and create an account. Within the registration process we collect your contact information (such as name, email address) and the IP address of your device. The collection of these data is necessary for the provision of the Services and thus for the fulfilment of the contract with you regarding the use of our Services.
Within the use of parts of the Services you may be required to provide additional data.
The data entered for the registration as well as any additional data provided as part of the use of the Services will be used by CloudRail to provide the Services based on the user contract with you, pursuant to Art. 6 (1) (b) GDPR. This may also include informing you by e-mail of, e.g., changes in the scope of the Services and changes of technical circumstances. This processing may also include transferring the data to cloud services providers, insofar as you set up such a transfer as part of your use of the Services, thereby instructing us to transfer the data accordingly.
- b) For processing any of your purchase orders, the above mentioned data as well as the payment information and any additional required information (e.g. delivery address) provided by you has to be processed.
For payment processing we use the services of Stripe Inc., 185 Berry Street, Suite 550, San Francisco, CA 94107, USA (“Stripe”). For this purpose the aforementioned data is transmitted to servers of Stripe in the United States.
We also use the services of Chargebee Inc., 340 S. Lemon Avenue, Suite #1537, Walnut, California 91789, USA (“Chargebee”) for billing and processing payments. The aforementioned data is transmitted to servers of Chargebee in the United States for this purpose.
The EU Commission has issued an adequacy decision (No. 2016/1250) for data transmissions to the United States, according to which companies that meet certain criteria guarantee an adequate level of protection, also known as “EU-US Privacy Shield”. These companies are included in the so-called Privacy Shield List. Stripe is one of the companies listed there. The data transmission to Stripe in connection with handling payments is based on Art. 45 and 28 GDPR. Chargebee is also one of the companies listed in the Privacy Shield List. Hence, the transmission of data to Chargebee in connection with processing payments and billing is based on Art. 45 and 28 GDPR.
The legal basis for the processing of payment data is Art. 6 (1) (b) GDPR, because this is necessary for carrying out the contract concluded with you.
Sec. 3 Newsletter
We would, of course, like to provide you with our informative newsletter if you are interested in CloudRail and the services we offer.
If you wish to receive the newsletter, CloudRail needs a valid e-mail address. In addition, CloudRail needs to verify that you are the holder of the e-mail address indicated and indeed agree to receive the newsletter. Hence, upon registration of the newsletter subscription your IP address and the date of registration will be stored. Once you have registered, you will receive an e-mail containing a link to activate the newsletter service. Only after you have activated the newsletter service by clicking the link will your registration be effective and the selected newsletter will be sent to you. This serves, in particular, evidential purposes in case a third party misuses an e-mail address to register for the newsletter without the authorised person’s knowledge. Further data are not collected. Such data are only used for dispatch of the newsletter.
Of course, should you no longer wish to receive the newsletter, you can unsubscribe from it at any time and revoke your consent. To do so, you can click on the unsubscribe link at the end of each newsletter. Please click here if you wish to unsubscribe. Apart from that, you can also revoke your consent at any time in writing (for example by e-mail to firstname.lastname@example.org).
To dispatch the newsletter we use the “MailChimp” service, a newsletter mailing platform offered by the provider The Rocket Science Group LLC d/b/a MailChimp, 675 Ponce De Leon Ave NE Suite 5000, Atlanta, GA 30308, USA (hereinafter: “MailChimp”). For this purpose, your email address and the fact that you have subscribed to our newsletter as well as any other personal data required for the respective newsletter dispatch will be transmitted to MailChimp and stored on the servers of MailChimp in the United States. MailChimp only uses this information to send and evaluate the newsletter on our behalf.
We strictly adhere to the GDPR including the requirements for IT and data security. MailChimp also strictly observes these requirements. MailChimp is certified under the EU-US Privacy Shield, which is based on an adequacy decision of the EU Commission, and thus committed to comply with EU data protection regulations. The transfer of data to MailChimp is based on Art. 28 and 45 GDPR.
The legal basis for data processing in connection with the newsletter is your consent pursuant to Art. 6 (1) (a) GDPR.
Sec. 4 Contacting us
If you contact CloudRail for example by means of a contact form or via e-mail, your details shall be stored for the purpose of processing your request. The same applies in case you have further questions.
The legal basis for this processing of your personal data is Art. 6 (1) (b) GDPR, in case you enter your personal data for the purpose of initiating a contract. Otherwise, the legal basis of this processing is Art. 6 (1) (f) GDPR. Our legitimate interest is the processing of and responding to your request.
Sec. 5 Disclosure of data and technical third party service providers
If we pass on data to service providers within the scope of our processing, we strictly comply with the requirements of the GDPR, as do our service providers. Of course, before disclosing your personal data, we ensure that our service providers have taken the necessary technical and organisational measures to ensure an appropriate level of protection. The scope of the data disclosure is limited to the minimum required for the processing purpose.
The disclosure of data to governmental institutions and authorities entitled to receive information only takes place within the scope of the statutory duties to provide information or if we are obliged to provide information by a judicial or official decision. In this case, the disclosure of your data is necessary to fulfil a legal obligation to which we are subject, pursuant to Art. 6 (1) (c) GDPR.
Further, CloudRail may disclose data relating to you as user of its Services to third parties to whom CloudRail’s claims against you have been assigned, insofar as this is necessary for the assertion of such claims. Upon request, CloudRail shall provide you with the name of the third party. Should CloudRail cooperate with third parties for the provision of services, CloudRail will insist on these third parties complying with valid data protection laws and ensuring sufficient data protection. The legal basis of this processing is Art. 6 (1) (f) GDPR, whereby the legitimate interests are the assertion of the claims against you.
Sec. 6 Google Analytics
In its Services CloudRail uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”).
Google Analytics sets a cookie on your devices to collect data on your use of the Services and helps us analyse how you use the Services. The cookie is used to store personal information, such as the access time, the location from which an access originated and the frequency of visits to our website by you.
The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
We use the extension “anonymizeIP()”. By activating this extension for our website, your IP address will be shortened within the Member States of the European Union or other states agreeing to the Agreement on the European Economic Area, before being sent to a Google server in the United States.
Google will use this information on our behalf for the purpose of evaluating your use of the Services, compiling reports on activity on our website and providing other services relating to the website activity and usage to us. Google will not link your IP address to any other data stored by Google.
You may refuse the setting of cookies by selecting the appropriate settings on your browser as explained in the sections before. Such settings would also affect the cookies set by Google Analytics.
Furthermore, you can object to the processing of your data in Google Analytics and prevent future processing of your data by Google Analytics by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en. Google considers the installation of the browser add-on as objection to the data processing related to Google Analytics. Please note that you will need to reinstall the browser add-on to disable Google Analytics again if your browser or your device is later deleted, formatted, or reinstalled.
The EU Commission has issued an adequacy decision (No. 2016/1250) for data transmissions to the United States, according to which companies that meet certain criteria guarantee an adequate level of protection, also known as “EU-US Privacy Shield”. These companies are included in the so-called Privacy Shield List. Google is one of the companies listed there. The data transmission to Google in connection with Google Analytics is based on Art. 45 and 28 GDPR.
Sec. 7 Third party implementations
Third party content, including YouTube videos, graphics or RSS feeds, can be integrated within our services from other websites.
The YouTube platform and its content are operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), a subsidiary of Google.
If you visit parts of our website which include YouTube videos and play one of the videos, the information that you accessed the specific video is sent directly to YouTube. If you are logged in to your YouTube account, this information can also be attributed directly to your personal profile. You can prevent this by logging out of your YouTube account before accessing these parts of our website.
Our data processing in connection with the use of YouTube videos is based on Art. 6 (1) (f) GDPR. The implementation of YouTube content is in the interest of an appealing and informative presentation of our website. This constitutes our legitimate interest within the meaning of Art. 6 (1) (f) GDPR.
The transmission to Google in connection with YouTube videos is based on Art. 45 and 6 (1) (f) GDPR. As mentioned before, Google is listed in the EU-US Privacy Shield List so that the data transmission to Google and its subsidiaries is within the scope of an adequacy decision of the EU commission (No. 2016/1250).
Sec. 8 Deletion of personal data
CloudRail processes your personal data only for as long as is necessary to provide our Services or to achieve the processing purposes or is justified by legitimate interests, including any statutory obligation to store the data.
The personal data concerning you will be deleted as soon as the purpose of the data processing no longer applies. If there are reasons within the meaning of Art. 17 (3) GDPR opposing the deletion, such as statutory storage or storage obligations, the processing of this data will be restricted. In such case, the data will be deleted when the reason for further storage no longer applies, e.g. the legally prescribed storage period expires.
Sec. 9 Your right to object
Insofar as the basis for data processing is Art. 6 (1) (f) GDPR (legitimate interests), you have the right to object to the processing of your personal data at any time in accordance with Art. 21 GDPR if there are reasons for doing so which arise from your particular situation or if the objection is directed against data processing for purposes of direct marketing. In the latter case, you have a general right of objection, with which we will comply accordingly without you needing to state any reasons which arise from your particular situation (Art. 21 (2) GDPR).
If you object for reasons arising from your particular situation, we will no longer process your personal data unless we can prove compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims (Art. 21 (1) GDPR).
Sec. 10 Your further rights
- a) Right of access
You also have the right to access from CloudRail, in writing and free of charge, the personal data concerning you which is processed by CloudRail, the purposes of the processing, the information on the source of the data, the recipients or categories of recipients to whom the data has been disclosed, the envisaged storage period and your relevant rights at your disposal.
- b) Right to rectification, erasure and/or restriction of data processing
You have the right to request at any time the rectification of incorrect data, the erasure and/or restriction of the processing of personal data stored about you unless CloudRail is legally obligated to retain such data or there is another, opposing legitimate reason as defined in Art. 17 (3) GDPR. Insofar as this includes personal data required for the provision of services to you, the deletion or restriction of the processing of such data can only take place when you no longer use CloudRail’s services.
- c) Right to data portability
If you provided data concerning you and CloudRail processes such data based on your consent or in order to fulfil a contract, you may request to receive such data in a structured, commonly used and machine-readable format from CloudRail or that CloudRail transmits such data to another controller to the extent technically possible.
- d) Right to withdraw consent
You can freely withdraw any consent you give regarding the use of personal data at any time with effect for the future.
- e) Right to lodge a complaint to a supervisory authority
You may also lodge a complaint with a supervisory authority against a data processing which, in your opinion, violates the statutory provisions.
Sec. 11 Third party websites / Links