Open-Xchange Privacy Policy

 

(Last updated: April 2022)

We are pleased that you have chosen to visit this website and are interested in our products. The protection of your personal information during your visit to our website is important to us. We undertake to protect your privacy and to treat your data confidentially and in accordance with applicable law, particularly the EU General Data Protection Regulation (GDPR). 

With this Privacy Policy, we would like to inform you which categories of your personal data will be collected and processed by Open-Xchange during your visit. We also would like to share the purposes these data will be used for. Changes of legal circumstances or internal corporate processes can make it necessary to adjust this privacy policy (rights are accordingly reserved) from time to time. If possible, please re-read this Privacy Policy each time you visit our website.

 

1. Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Although you can basically use this website without disclosing your identity to us, during your visit to this website some personal data will be collected in order to provide you with certain features and functionalities of the website. The collected data is described in detail in the respective sections below. For example, in the event that you register for one of our personalized services or would like to send us a message (e.g., via our contact form) we will ask you for your name and your e-mail-address in order to be able to respond to your requests. In such case, Art. 6 par. 1 lit. b EU General Data Protection Regulation (GDPR) is the general legal basis which allows us the processing.

In any case, the decision on whether you want to provide this information to us is in your sole discretion. Please be aware that without providing this information some of the services offered on our website will not be working (see below for details). In the event that you do decide to disclose personal data to us during your visit to our website, Art. 6 par. 1 lit. a EU – General Data Protection Regulation (GDPR) will be the general legal basis.

The following processing activities can be found on our website:

 

1.1 Logfiles

On the occasion of your visit and use of this website and every time you request a file, our web server saves data about these accesses in a report file. The set of data could contain the following information:

  1. domain name or IP-address of the remote host,
  2. result of the access (file transferred; file not found etc.)
  3. date and time of the access
  4. amount of transferred data
  5. browser type and version
  6. operating system
  7. used language and name of the internet service provider
  8. website from which the file was accessed
  9. saved cookies for the accessed domain
  10. device identifier
  11. UserID
  12. IP address
  13. user password

We collect these logfiles solely to provide the service (website functionalities, e.g., retention of your session) and due to legitimate interests, such as system security, troubleshooting, to optimize our web presence and job offers on our landing pages. The legal basis for this processing activity can be seen in Art. 6 par. 1 lit. f EU General Data Protection Regulation (GDPR).

 

1.2 Contact 

If you contact us via one of our contact forms, you have to provide the information marked with an asterisk in order to be able to use the feature.

This information is required in order to process the contact request. 

Your consent in accordance with Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR) is the general legal basis.

In the event that you decide to disclose further personal data within the contact form, Art. 6 par. 1 lit. a EU – General Data Protection Regulation (GDPR) will be the general legal basis.

Regarding the contact form process on our website, our landing pages for marketing campaigns and for mobile phone campaigns, we are working together with our supplier Hubspot Inc. Learn more in section 1.5 of this Policy.

Regarding contact forms for mobile campaigns, we are furthermore working together with our supplier Juxo LLC; Woodway Dr; Houston, Texas 77056, USA. Juxo is a consultant company which supports us in marketing campaigns.

Data may be transferred to the USA as part of processing by Juxo. A data protection agreement was concluded with Juxo, outlining the technical and organizational means for data security. 

 

1.3. Job Application Form

When using the job application form, we collect the following information:

  1. first- and last name
  2. email address
  3. title
  4. CV information

Your consent in accordance with Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR) is the general legal basis.

 

Furthermore, you can provide additional information at your discretion:

  1. street
  2. zip code
  3. city
  4. mobile phone number
  5. picture
  6. desired salary
  7. certificates
  8. cover letter

Your consent in accordance with Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR) is the general legal basis.

Regarding the application process, we work together with our supplier SAP Deutschland SE & Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf, Germany, who offers an adequate level of data protection and data security.

Our job application form runs on a landing page operated for us by SAP. As part of your application via this landing page, due to legitimate interest log files are also tracking from which website you accessed the job application form. This helps us to improve our job advertisements. The legal basis for this processing activity can be seen in Art. 6 par. 1 lit. f EU General Data Protection Regulation (GDPR). Further information can also be found under point 1.1. within this Privacy Policy.

Detailed information on infrastructure and organizational security as well as data protection and compliance of SAP is available under

https://www.sap.com/germany/about/trust-center.html

Furthermore, we generally do not transfer any of the information mentioned above to third parties, unless we are required to do so by applicable law or have a valid legal basis for such transfer, such as your consent.

However, in certain cases we have to comply with inquiries made by third parties and transfer your information to them, e.g., transfer to the law enforcement authorities if a crime is suspected. For this purpose, Art. 6 par. 1 lit. c-e EU General Data Protection Regulation (GDPR) is the general legal basis since processing the data is either a legal obligation, mandatory to protect your vital interests (e.g., prevent data abuse) or the processing is carried out in the public interest or in the exercise of the public duties of an official authority.

 

1.4 Newsletter

You may register for our newsletter using our website or landing pages for marketing campaigns. This requires providing us with your email-address. After you signed up for the newsletter, we will send you an email in which you will be asked to verify your email address (double opt-in). After you confirmed your interest and the correctness of your data by clicking on the link that is sent with the double opt-in email, we will put your email address on our newsletter list. 

You can opt-out from the newsletter at any time by clicking the respective link provided at the bottom of each newsletter. In case you do not want to opt-out using the respective link, you may submit a message to one of the addresses stated below under No. 8.


For the newsletter registration and mailing list, we process the following data.

  1. e-mail address 
  2. name (not required)

We are not able to process your registration without collecting your email address. The legal basis is Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR).

Regarding the newsletter process we are working together with our supplier Hubspot Inc. Learn more in section 1.5 of this Policy.

The data will be deleted as soon as you opt out from the newsletter.

 

1.5 CRM/CMS by Hubspot

Concerning customer relationship and content management services we are working together with our supplier Hubspot Inc., 25 First Street, Cambridge, MA 02141 USA. Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. This includes contact form processes on our website and our landing pages as well as marketing campaigns, including mobile phone campaigns and newsletter shipping.

Data may be transferred to the USA as part of processing by Hubspot. The security of the transmission is ensured by the so-called Standard Contractual Clauses. If the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 (1) a GDPR may provide the legal basis for the transfer to third countries. Please refer to the section "1.2. Contact" for more information. 

Furthermore, Hubspot offers numerous measures to secure data. Detailed information on infrastructure and organizational security as well as data protection and compliance of Hubspot is available under

https://legal.hubspot.com/security   (Here you can also download a Security Overview)

and under:  

http://legal.hubspot.com/de/privacy-policy

 

1.6 Cookies

Our website and landing pages use cookies in order to make visiting our website and landing pages attractive for you and to enable the use of certain functions (technically necessary cookies). Cookies are small text files that are stored on your computer or device. Most of the cookies used by us will be deleted from your hard disk after the end of the browser session (so-called session cookies).

We also use permanent cookies, which are primarily used to provide you, the visitor, with permanently recurring settings. Those cookies also allow us to analyze the visitor's user behavior, but only within the framework of the cookies' period of validity and if you comply.

Further information can be found under point 1.6.1 and point 1.6.2 within this Privacy Policy.

Following applicable law all data is saved exclusively in a pseudonymised form (at most) without any direct personal reference. This enables us to update our website to address your individual preferences. 
You can opt-out of future data collection and storage through cookies at any time.

You can prevent the storage of cookies on your computer or device by making the appropriate changes to your browser settings so that cookies are not accepted or so that you are notified before accepting cookies. However, this can limit functionality of our website and our services.

There is always a link present with which you can object to cookies from other providers or third parties. If you do not consent or declare your objection, the providers set an opt-out cookie that prevents any further data being recorded on your computer or device. If you would like to retain your right to objection, you should not delete the opt-out cookie. 

You will have to complete the opt-out process again if this cookie is deleted later, e.g., by deleting or clearing your browser settings.

Furthermore, you can manage data collection and storage by many other services. More details are cited here: www.networkadvertising.org/choices/ or http://www.youronlinechoices.com/de/praferenzmanagement.

 

1.6.1 PIWIK PRO

Our website uses the web analytics tool “Piwik Pro”. Piwik Pro uses cookies which are placed on the hard drive of your device. These enable us to analyze the visitor’s usage of our website. For this purpose, the generated information in the cookie (including the abbreviated anonymized IP-address) is transmitted to the PIWIK server and stored to enable us to optimize the usage of our website. In this process, your IP-address is being anonymized immediately, so that you remain fully anonymous to us. The information generated by the cookie about your use of this website will not be disclosed to third parties.

You may preclude the usage of cookies by selecting the appropriate settings in your browser. In this case, however, you may not be able to use all functions of this website.

The legal basis of the processing is your consent according to Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR).


If you wish to opt out for the future, you may do so by clicking on the link below at any time. In this case a so called opt-out-cookie will be placed within your browser so that Piwik Pro will not collect any session data.


Opt-out from PIWIK PRO analytics

Please keep in mind that in the event that you delete your cookies, this opt-out-cookie will also be deleted, and you may have to reactivate it.
 
When you enter our website, you will see a pop-up banner asking for consent and explaining the use of our cookies. It also contains a link where you can change your cookie settings for our website. By clicking on this link, you will be shown an opt-out button for the PIWIK cookie. Please note that deleting your browser settings would lead to a reactivation of the PIWIK cookie as stated above. In case you visit the website again you will then be asked again for consent.

 

1.6.2. Hubspot

We use services of our supplier Hubspot Inc. (learn more in section 1.5 of this Policy) for analytical, functional, and marketing purposes on our website and our landing pages for marketing campaigns. In this context, a cookie is set which is stored on your computer and which enables us to analyse your use of the website or landing page. The information collected (e.g., IP address, geographical location, type of browser, duration of the visit and the pages called up) is evaluated by Hubspot on our behalf, e.g., in order to generate reports about the visit and the pages of ours visited, to personalize and optimize your experience as well as to remember your chat history or make advertisements more engaging and valuable. You can find more information about cookies at any time by clicking on the cookie settings link below.

The legal basis of the processing is your consent according to Art. 6 par. 1 lit. a EU General Data Protection Regulation (GDPR).

If you wish to opt out for the future, you may do so by clicking on the button (Cookie Preferences) below at any time. In this case a so called opt-out-cookie will be placed within your browser so that Hubspot will not collect any session data.


 

 

The data will only be stored for as long as it is necessary for the purpose of the processing. The data will be deleted as soon as it is no longer needed for the processing purposes.

When you enter our website or our landing pages, you will also see a pop-up banner explaining the use of our cookies and containing a link where you can change your cookie settings. Please note that deleting your browser settings would lead to a reactivation of the Hubspot cookie and consent will be asked again within the cookie banner during a further visit to the website or landing page as stated above.

 

 

2. Rights to information, rectification, erasure and restriction of processing
 

Upon request, we will confirm what kind of personal data of yours, if any, is currently stored on our servers, the purpose of storing as well as the envisaged period for which the personal data will be stored and, if any, the recipients to whom the personal data have been or will be disclosed. You will find our contact details below.

If your personal data we have stored on our servers is out-of-date or inaccurate, we will correct it promptly upon your request. Additionally, you have the right to have incomplete data completed.

If requested, we will promptly erase your personal data, unless prohibited by law, and then we will restrict the respective data. Besides, we will delete your personal data if it is no longer necessary in relation to the purposes for which it was collected and stored, if you withdraw consent on which the processing is based or if the personal data has to be deleted for compliance with a legal obligation in Union or Member State law to which we are subject.

Furthermore, you have the right to request restriction of processing if the accuracy of personal data is contested for a period enabling us to verify the accuracy of the personal data, if the processing is unlawful, if we do not need the personal data anymore for the purposes of the processing but they are required by you for the establishment, exercise or defense of legal claims or if you objected to the processing, as long as the verification whether our legitimate grounds override yours is pending.

 

3. Right to lodge a complaint with a supervisory authority

Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

 

4. Right to object

You have the right to object at any time to processing of personal data on grounds relating to your particular situation which is based on point (e) or (f) of Article 6(1) of the EU General Data Protection Regulation (task carried out in public interest or processing in purpose of legitimate interest) or if the personal data is processed for direct marketing purposes.

If you have objected, we will no longer process the personal data unless our legitimate interests in the processing prevail over your interests or the processing serves the establishment, exercise, or defense of legal claims. If you have objected to the processing of personal data due to direct marketing purposes, we will no longer process this personal data for those purposes.

To declare your objection, you may submit a message to the addresses stated below under No. 8.

 

5. Right to data portability

Upon request, we will provide you with the personal data you have provided to us in a structured commonly used and machine-readable format and ensure you will be able to transmit those data to another controller.

 

6. Links to other websites

Our website contains hyperlinks to websites of other parties. These websites may possibly use cookies or collect personal data. As we have no influence on whether these parties adhere to our privacy policy or not, we cannot point out the relevant aspects. This privacy policy is only valid for our website. Links to other websites from this site are not included.

 

7. Data security

We always seek to process your personal data using all available technical and organisational measures so that it is not accessible to third parties. If you contact us e.g. via e-mail or our contact form, full data security cannot be guaranteed. We recommend sending confidential information by letter post only.

 

8. Contact


You may contact the data protection department under:


Open-Xchange AG
Datenschutz
Hohenzollernring 72
50672 Cologne
Germany
E-Mail: datenschutz(at)open-xchange.com

You can also contact our Data Protection Officer:

Dr. Sebastian Heep
Deputy: Ariane Jung

Planit//Legal Rechtsanwaltsgesellschaft GmbH
Jungfernstieg 1
20095 Hamburg
gdpr@open-xchange.com

Open-Xchange Privacy Policy for the OX Drive App

 

(Last updated: September 2021) 

 

We are pleased that you have chosen to download and install our OX Drive App (hereinafter referred to as “App”). The protection of your personal data is an important topic for us and we will protect your privacy and treat your data confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable law.

With this Privacy Policy we inform you about the types of your personal data we collect and the purposes it will be used for. Since changes of the laws, jurisdiction or our corporate procedures may require an adjustment of this Privacy Policy, we reserve the right to change it without further notice. This makes it necessary for you to regularly re-read this document to keep track of the changes. Possible changes will not affect the legal basis of any data processing and collection.

 

1. Scope of the data collection and processing

As a rule, we collect personal data within the use of the App only to the extent you have voluntarily provided us information, e.g. your e-mail-address or other credentials. Although providing us with these data is voluntary, without these we partly cannot provide you the respective service. You will find specific details about mandatory personal data which is required to perform our services and non-mandatory personal data in the respective sections of this document below.

Please generally keep in mind while using the App that you are connecting to a service that is most likely not run by the developer of this App. The App itself does not provide a cloud storage service – it only helps you access or upload files on a compatible cloud storage service of your choice, which provides you with digital storage space to store your personal files (“Service Provider”).

Please also refer to the Service Provider’s data protection policy for information on which data they process for which purpose on server side.

We generally do not transfer personal data to any third parties other than your Service Provider. Please be aware that we have no influence on where your Service Provider processes your personal data. The laws of the USA and other countries outside of the European Economic Area (EEA) may not protect your data to the same level as the laws of the EEA, or give you the same rights that you would have in the EEA. Please check with your Service Provider where they process your personal data, and if they process it outside the EEA only in compliance with mandatory legal requirements.

 
2. Personal Data

“Personal Data” is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The App processes some personal data itself. Please find below a detailed description and the corresponding purpose of every single personal data collection and processing activity of the App itself:


2.1 Log-In Data

During setup, the App might ask you for a Server-URL which is being used to connect you to the remote service installation of your Service Provider where your account data is being stored. On providing this information the App will try to connect to the URL to check whether the server runs an installation of OX Drive. This connection attempt will most likely leave an entry in the log file of the server you are trying to connect to. Please refer to the data protection policy of the Service Provider behind the URL to find out what data they collect and process regarding this connection attempt. However, on a successful connection the App stores the URL as part of the log-in data, as stated below. 

The App also asks you for your log-in credentials consisting of a user name or e-mail address and a password. Most likely, but still depending on the Service Provider you are connecting to, the user name equals your e-mail address. This data is being stored on your device and is also part of the log-in data. You can always delete the log-in data in the settings of your device’s operating system. The log-in data is also deleted when you manually log-out from the App.

The log-in data is only accessible from this App. If you own several devices, the account details can be synchronized between these devices by the operating system if your device supports this. This setting can be found in your device’s system settings. Please see the manual of your device on how to activate it or delete the saved data. Please refer to the data protection policy of the synchronization Service Provider and your device’s software provider for information about their processing and storage of data.

The storage and processing of this Log-In Data is required to enable the core functionality of the App by providing access to the cloud storage service (Art. 6 Par. 1 (b) GDPR) without having to provide the log-in data again each time you open the App. It therefore also follows a legitimate interest of us (Art. 6 Par. 1 (f) GDPR) to provide you with a pleasant and convenient user experience.

 

2.1.1. Automatic Configuration Assistance (Windows only)

 

In order to help you with your initial setup of the App, the OX Drive Windows App tries to automatically configure itself. After you entered your email address and proceed with the login, the App sends the domain part of your email address (the part after the "@" sign) to a server that is hosted by Open-Xchange. The server answers with configuration information if the domain part is known. By logging into the OX Drive Windows App, you also declare your consent according to Art. 6 Par. 1 (a) GDPR.

 

2.2 Cookies 

In our App we may also use a session cookie in order to keep you logged in after closing the App. This cookie is a small text file that is stored in your device’s storage also containing the session token. It is deleted as soon as you manually log out or after a certain time out (if used by your Service Provider) or when your Service Provider resets your server side sessions. This cookie corresponds with the functionality and matches the purpose of the log-in data as stated above in 2.1 to provide our services (Art. 6 Par. 1 (b) GDPR) with a pleasant and convenient user experience which follows a legitimate interest of us (Art. 6 Par. 1 (f) GDPR).

The App does not use any other cookies. It also does not use or support any other tracking technology.


2.3 User Generated Content

The main function of the App is the capability to interact with a compatible cloud storage service by voluntarily uploading, downloading and viewing personal files you have created, modified or received to your Service Provider’s web storage space. These personal files may contain personal data of you or other persons, e.g. on photos, in text documents, spreadsheets or presentations and the like. If files are made available offline either by an explicit user action or automatically by the App or the operating system, the App saves them in its assigned space on the device you are using.

You will then be able to view or edit the file without having to connect the Service Provider over the internet. Please refer to the data protection policy of your device’s manufacturer and the operating system developer for information about security, collection and processing of data in the assigned App storage spaces. 

The App collects the data on the device’s storage only to provide offline access. Please bear in mind that the App does not have any influence on the content of the files, so it is your very own decision on which personal data you upload or download. The files will be deleted from your device as soon as you decide to exclude them from offline access by de-selecting them accordingly.

Depending on the platform, you may also grant the App access to the photo and video storage space on your device on a voluntary basis. This function enables the synchronization of photo and video files between different devices manually or even automatically. You can always withdraw the grant of access to these file spaces by changing the respective settings in your device’s operating system settings. Please refer to the user manual or support documentation of your device’s operating system for guidance on how to manage App’s access rights.

The legal basis for the collection of these files as your personal data is your consent by using the respective functions described above (Art. 6 Par. 1 (a) GDPR).


2.4 Opening and Sharing files

The App enables you to open any file if supported, e.g. a photo, video or music file, stored in either the App or in your connected cloud storage. If you choose to do so, the corresponding file will be transferred to the third-party app you choose from the context menu. Please refer to the data protection policy of the respective app developer for information about their collection and processing of the data transferred to their apps.

The App also enables you to share your files using different third-party apps on your device, e.g. instant messaging services, e-mail services, other cloud storage services. As on opening a file, the App will transfer the selected file to the third-party app you choose from the context menu. The context menu opens as you select the commonly known “Sharing Button”, of which design and/or inscription alter on different operating systems. Please refer to the data protection policy of the respective app developer for information about their collection and processing of the data transferred to their apps. Also, think carefully about the data you share with other persons in general to avoid sensitive personal information being published without your consent.

The App itself does not collect any personal data on how often and who you share any files with. It only provides the third-party app with the file in a one-directional manner without receiving information about the activities of the third-party app.

The App also provides access to an internal sharing function of your Service Providers server software enabling you to invite persons to view, change, upload or download files from your cloud storage via a sharing link. Using this function will have your Service Provider generate a hyperlink giving anyone who receives this link access to the selected files or folders. Please refer to the data protection policy of the respective Service Provider for information about their collection and processing of the data while accessing the shared file.

However, you may grant the App access to address book storage space on your device on a voluntary basis, which most likely contains personal data of your contacts. You can then select e-mail addresses from your device’s address book which are being transmitted to your Service Provider. The server software will then generate e-mail messages to the selected contacts providing the sharing link. Please refer to the data protection policy of the respective Service Provider for information about their collection and processing of the submitted data. The App itself does not store the address book data but only accesses them on your demand. As stated above, you can always revoke access to this storage space in the settings of your device’s operating system.

The opening and sharing functions of the App are provided to give you a greater choice of handling your files and therefore are implemented to provide you with a convenient user experience, which follows a legitimate interest of us (Art. 6 Par. 1 (f) GDPR). The use of these functions is at your sole discretion. By using these functions you also declare your consent according to Art. 6 Par. 1 (a) GDPR.

 

2.5. Automatic Updates

The Service Provider can enable automatic updates for the App. A push message informs the App about changes of your files on the server.

If you log into the App, the App reads a token from your device. This token is a large random number that is unique per user, app and device. This token is then sent to the Service Provider. If a push message is to be sent, the server sends the file name and file path together with the token to FCM servers from Google (more information can be found here) or APN servers from Apple (more information can be found here). These servers then send a small data package containing the file name and file path to your device.

The legal basis for providing this functionality is Art. 6 Par. 1 (b) GDPR to provide a pleasant and convenient user experience.

 


2.6. External Hyperlinks 

The App may contain hyperlinks to external websites which might use cookies and/or collect and process your personal data. We have no influence and cannot notify you about such activities. This data protection policy only aims at the services provided by the App itself, excluding external websites and services.

 
3. Rights to information, revocation, rectification and deletion

Please keep in mind, that the files you upload are not stored on the App developer’s servers, but on the servers of your Service Provider. Most likely the App developer will not have any of your personal data stored on their server. The App developer also does not have any access to the files contained in the App.

However, upon request, we will confirm what kind of personal data of yours, if any, is currently stored on our servers, the purpose of storing as well as the envisaged period for which the personal data will be stored and, if any, the recipients to whom the personal data have been or will be disclosed. You will find our contact details below (Art. 15 GDPR).

If your personal data we have stored on our servers is out-of-date or inaccurate, we will correct it promptly upon your request. Additionally, you have the right to have incomplete data completed (Art. 16 GDPR).

If requested, we will promptly delete your personal data, unless prohibited by law, and then we will restrict the respective data. Besides we will delete your personal data if it is no longer necessary in relation to the purposes for which they were collected and stored, if you withdraw consent on which the processing is based or if the personal data have to be deleted for compliance with a legal obligation in Union or Member State law to which we are subject (Art. 17 GDPR).

Furthermore you have the right to request restriction of processing if the accuracy of personal data is contested for a period enabling us to verify the accuracy of the personal data, if the processing is unlawful, if we do not need the personal data anymore for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims or if you objected to the processing as long as the verification if legitimate grounds of us override yours is pending (Art. 18 GDPR).

If you delete the App from your mobile device, the data saved locally on your mobile device in the App will be deleted as well. Data that you have saved somewhere else on your mobile device, e.g. in photo or video storage, or have transferred to other applications (e.g. e-mail app, instant messenger) will not be deleted by this.

 

4. Right to object

You have the right to object to the processing of your personal data which is based on point (e) or (f) of Article 6 (1) (task carried out in public interest or processing in purpose of legitimate interest) at any time. You can base your objection on grounds relating to your particular situation.

If you have objected we will no longer process the personal data unless our legitimate interests for the processing override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

To declare your objection, you may submit a message to the address stated below under No. 8.

 
5. Complaint to supervisory authority

Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).

 
6. Right to data portability

Upon request, we will provide you with the personal data we store about you in a structured commonly used and machine-readable format and ensure you will be able to transmit those data to another controller (Art. 20 GDPR).

 
7. Data security

We are always seeking to process your personal data by taking all technical and organizational possibilities in a way so that it is not accessible to third parties. If you contact us e.g. via e-mail or our contact form, full data security cannot be guaranteed. We recommend sending confidential information by mail only.

 
8. Contact

Please feel free to address data protection related questions or suggestions at any time. Please find our contact details below. There you can confirm, which of your personal data is stored on our servers, receive further information and exercise your rights to revocation, deletion or rectification.

You may contact the data protection department under:

 

Open-Xchange AG
Data Protection
Hohenzollernring 72
50672 Cologne
Germany
E-Mail: privacy(at)open-xchange.com

You can also contact our Data Protection Officer:

Dr. Sebastian Heep
Deputy: Ariane Jung

Planit//Legal Rechtsanwaltsgesellschaft GmbH
Jungfernstieg 1
20095 Hamburg
gdpr@open-xchange.com

 

Open-Xchange Privacy Policy for the OX Sync App

We are pleased that you have chosen to download and install our OX Sync App (hereinafter referred to as “App”). The protection of your personal data is an important topic for us and we will protect your privacy and treat your data confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable law.

With this Privacy Policy we inform you about the types of your personal data we collect and the purposes it will be used for. Since changes of the laws, jurisdiction or our corporate procedures may require an adjustment of this Privacy Policy, we reserve the right to change it without further notice. This makes it necessary for you to regularly re-read this document to keep track of the changes. Possible changes will not affect the legal basis of any data processing and collection. In case the legal basis changes, we will inform you proactively in the respective situation while using the App, asking for your consent. 
 

1. Scope of the data collection and processing

As a rule, we collect personal data within the use of the App only to the extent you have voluntarily provided us the information, e.g. your e-mail-address or other credentials. Although providing us with these data is voluntary, without these we partly cannot provide you the respective service. You will find specific details about mandatory personal data which is required to perform our services and non-mandatory personal data in the respective sections of this document below. We generally do not transfer personal data to any third parties other than the services you want to link the App to (e.g. calendar services, contact management services) and your internet service provider (altogether “Service Provider”). Please be aware that we have no influence on where your Service Provider processes your personal data. The laws of the USA and other countries outside of the European Economic Area (EEA) may not protect your data to the same level as the laws of the EEA or give you the same rights that you would have in the EEA. Please check with your Service Provider where he processes your personal data, and if he processes it outside the EEA only in compliance with mandatory legal requirements.

Please generally keep in mind while using the App that you are connecting to a service that may not be run by the developer of this App. The App’s purpose is to enable you to connect to a compatible Service Provider. The App itself helps you to sync contacts, calendars and tasks with a compatible service of your choice. Please also refer to your Service Provider’s data protection policy for information on which data they process for which purpose on their server’s side.


2. Personal Data

„Personal Data“ is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The App processes some personal Data itself. Please find below a detailed description and the corresponding purpose of every single Personal Data collection and processing activity of the App itself:


2.1 Log-In Data

As you first open the App, it asks you for a Server-URL which is being used to connect you to the remote service installation of your Service Provider where your account data is being stored. On providing this information the App will try to connect to the URL to check the login credentials and whether the server is supporting the OX Sync functions. This connection attempt will most likely leave an entry in the log file of the server you are trying to connect to. Please refer to the data protection policy of the service provider behind the URL to find out what Data they collect and process regarding this connection attempt. However, on a successful connection the App stores the URL as part of the log-in data, as stated below. 

In the next step, after providing the URL of your Service Provider, the App asks you for your log-in credentials consisting of a user name and a password. Most likely, but still depending on the service provider you are connecting to, the user name equals your e-mail address. This data is being stored on your device and is also part of the log-in data. You can always delete the log-in data in the settings of your device’s operating system. It is also deleted when the server rejects connection to the saved session using the saved token. This happens after a certain time out (if used by your Service Provider), when you manually log-out or when your Service Provider resets your server side sessions.

The log-in data is saved by the App in encrypted form in the account manager of the device. The log-in data is only accessible from this App. If you own several devices, the account details can be synchronized between these devices by the operating system if your device supports this. This setting can be found in your device’s system settings. Please see the manual of your device on how to activate it or delete the saved data. Please refer to the data protection policy of the synchronization service provider and your device’s software provider for information about their processing and storage of data.

The storage and processing of this Log-In Data is required to enable the core functionality of the app by providing synchronization with the linked services (Art. 6 Par. 1 (b) GDPR) without having to provide the log-in data again each time you open the app. It therefore also follows a legitimate interest of us (Art. 6 Par. 1 (f) GDPR) to provide you with a pleasant and convenient user experience.


2.2 Sync Information, Contact Details and Usage Data

The Purpose of the App is to sync your contacts, appointments and calendars on your devices. Therefore, it is necessary to process certain information within those sections.

Contact Details and Contact Data

The App processes e-mail addresses, names, telephone and fax numbers, birthdays and physical addresses from and to the services you link to the App as well as other personal information you want to link to your contacts or your contacts have shared with you. If the contacts contain pictures, those will be processed by the App as well in order to be able to display them with the specific contact information.

Since the App will sync calendar information, it may process sensitive personal information depending on how much information you or another originator share/s within the appointment descriptions. This may include and is not limited to names, addresses, telephone numbers, portions of personal conversations, medical appointments and so on. Please be aware that the level of sensitivity depends on the aforementioned input from you or the originator of the appointment.

Usage Data and Meta/Communication Data

Details like IP-addresses and access times are being processed for error analysis and statistics (like runtime information) to ensure the proper functionality of the App and to access the linked services. The legal basis is Art. 6 Par. 1 (b) GDPR.

 

2.3 Cookies 

In the App we may use a session cookie in order to keep you logged in after closing the App. This cookie is a small text file that is stored in your device’s storage also containing the session token. It is deleted as soon as you manually log out or after a certain time out or when your Service Provider resets your server side sessions. This cookie corresponds with the functionality and matches the purpose of the log-in data as stated above in 2.1 to provide our services (Art. 6 Par. 1 (b) GDPR).

We also process the number of active users per month for the overall assessment as a basis for billing. For that it is necessary to convey the pseudonymized user name to our processor dmfs GmbH, Schandauer Straße 34, 01309 Dresden, Germany.

The legal basis is Art. 6 Par. 1 (f) GDPR.

The App does not use any other cookies. It also does not use or support any other tracking technology.


2.4 User Generated Content

As stated above, one of the features of the App is the capability to interact with different compatible calendar and contact services by voluntarily syncing stored information you or others have created, modified or received to your mobile device. This information may contain personal data of you or other persons, e.g. on photos, in text portions, birthday dates, locations, phone numbers and the like. If you choose to sync the compatible accounts with the App, the App saves it in its assigned space on the device you are using. Please refer to the data protection policy of your device’s manufacturer and the operating system developer for information about security, collection and processing of data in the assigned App storage spaces.

The legal basis for the collection of these files as your personal data is your consent by using the respective functions described above (Art. 6 Par. 1 (a) GDPR).

 
3. External Hyperlinks 

The App may contain hyperlinks to external websites which might use cookies and/or collect and process your personal data. We have no influence and cannot notify you about such activities. This data protection policy only aims at the services provided by the App itself, excluding external websites and services.


4. Rights to information, revocation, rectification and deletion

Upon request, we will confirm what kind of personal data of yours, if any, is currently stored on our servers, the purpose of storing as well as the envisaged period for which the personal data will be stored and, if any, the recipients to whom the personal data have been or will be disclosed. You will find our contact details below (Art. 15 GDPR).

If your personal data we have stored on our servers is out-of-date or inaccurate, we will correct it promptly upon your request. Additionally, you have the right to have incomplete data completed (Art. 16 GDPR).

If requested, we will promptly delete your personal data, unless prohibited by law, and then we will restrict the respective data. Besides we will delete your personal data if it is no longer necessary in relation to the purposes for which they were collected and stored, if you withdraw consent on which the processing is based or if the personal data have to be deleted for compliance with a legal obligation in Union or Member State law to which we are subject (Art. 17 GDPR).

Furthermore you have the right to request restriction of processing if the accuracy of personal data is contested for a period enabling us to verify the accuracy of the personal data, if the processing is unlawful, if we do not need the personal data anymore for the purposes of the processing but they are required by you for the establishment, exercise or defence of legal claims or if you objected to the processing as long as the verification if legitimate grounds of us override yours is pending (Art. 18 GDPR).

If you delete the App from your mobile device, the data saved locally on your mobile device in the App will be deleted as well. Data that you have saved somewhere else on your mobile device, e.g. in photo or video storage, or have transferred to other applications (e.g. e-mail app, instant messenger, calendars, contact managers) will not be deleted by this.

 

5. Right to object

You have the right to object to the processing of your personal data which is based on point (e) or (f) of Article 6 (1) (task carried out in public interest or processing in purpose of legitimate interest) at any time. You can base your objection on grounds relating to your particular situation.

If you have objected we will no longer process the personal data unless our legitimate interests for the processing override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

To declare your objection, you may submit a message to the address stated below under No. 9.

 

6. Complaint to supervisory authority

Furthermore, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). 

 

7. Right to data portability

Upon request, we will provide you with the personal data we store about you in a structured commonly used and machine-readable format and ensure you will be able to transmit those data to another controller (Art. 20 GDPR).

 

8. Data security

We are always seeking to process your personal data by taking all technical and organizational possibilities in a way so that it is not accessible to third parties. If you contact us e.g. via e-mail or our contact form, full data security cannot be guaranteed. We recommend sending confidential information by mail only.

 

9. Contact

Please feel free to address data protection related questions or suggestions at any time. Please find our contact details below. There you can confirm, which of your personal data is stored on our servers, receive further information and exercise your rights to revocation, deletion or rectification. 

You may contact the data protection department under:

Open-Xchange AG
Data Protection
Hohenzollernring 72
50672 Cologne
Germany
E-Mail: datenschutz(at)open-xchange.com

You can also contact our Data Protection Officer:

Dr. Sebastian Heep
Deputy: Ariane Jung

Planit//Legal Rechtsanwaltsgesellschaft GmbH
Jungfernstieg 1
20095 Hamburg
gdpr@open-xchange.com