1. Preamble

This service (hereinafter referred to as "App") is provided by Evulu GbR with its registered office at Neustädter Neuer Weg 20, 20459 Hamburg, Germany (hereinafter referred to as "we" or "us") as the responsible party within the meaning of the applicable data protection law.

When using Evulu, personal data is processed. Personal data means any information related to an identified or identifiable natural person. As protecting your privacy when using our app is very important to us, we would like to inform you about which personal data we process by providing the following information. In addition, we inform you about the legal basis for processing your data and our legitimate interests associated with this process.

Profile data

  • First name, last name
  • Gender
  • Email address
  • Company
  • Position
  • Free personal data (About me)
  • Time zone
  • Language
  • Picture
  • Password (encrypted)

User generated content

  • Challenges
  • Ideas
  • Comments
  • Reviews

2. Information on the processing of your data

Certain information is already processed automatically as soon as you use the app. We have listed below exactly what personal data is processed:

2.1 Information that is collected automatically

As part of your use of the App, we automatically collect certain data that is necessary for us to provide the service we offer. This includes: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of an access to the App, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information.

This data is automatically transmitted to us, but not stored, (1) to provide you with the Service and related features; (2) to improve the functions and performance features of the App; and (3) to prevent and remedy misuse and malfunctions. This data processing is justified by the fact that (1) the processing is necessary for the performance of the contract between you as the data subject and us pursuant to Art. 6 (1) lit. b) DSGVO for the use of the App and / or (2) we have a legitimate interest in ensuring the functionality and error-free operation of the App and to be able to offer a service that is in line with the market and interests, which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) lit. f) DSGVO.

2.2 Creation of a user account (registration) and login

When you create a user account or log in, we use your access data to grant you access to and manage your user account ("mandatory data"). Mandatory data in the context of registration are marked with an asterisk and are required for the conclusion of the user contract. If you do not provide this information, you will not be able to create a user account.

We use the mandatory data to authenticate you when you log in and to follow up on requests to reset your password. We process and use the data you provide during registration or login to (1) verify your eligibility to manage the User Account; (2) enforce the App's Terms of Use and any rights and obligations related thereto; and (3) contact you to send you technical or legal notices, updates, security messages, or other communications, such as those related to the management of the User Account. This data processing is justified by the fact that (1) the processing is necessary for the performance of the contract between you as a data subject and us pursuant to Art. 6 (1) b) DSGVO for the use of the App, or (2) we have a legitimate interest in ensuring the functionality and error-free operation of the App, which here outweighs your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) f) DSGVO.

2.3 Use of the app

Within the app, you can enter, manage and edit various information such as images, files, comments, ideas and challenges. The app also requires the following permissions:

  • Internet access: this is required in order to transfer the collected data to our servers via an encrypted connection. Here, a unique key is used as an identifier that can only be assigned to the respective user on the server side. The processing and use of usage data is carried out to provide the service. This data processing is justified by the fact that the processing is necessary for the fulfillment of the contract between you as the data subject and us pursuant to Art. 6 (1) lit. b) DSGVO for the use of the app.

3. Disclosure and transfer of data

In addition to the cases explicitly mentioned in this data protection declaration, your personal data will only be passed on without your express prior consent if it is legally permissible or required. This may be the case, among other things, if the processing is necessary to protect vital interests of the user or another natural person.

3.1 Common disclosure of data

If it is necessary to clarify unlawful or abusive use of the app or for legal prosecution, personal data will be forwarded to law enforcement agencies or other authorities and, if necessary, to injured third parties or legal advisors. However, this only happens if there are indications of unlawful or abusive behavior. A transfer may also take place if this serves the enforcement of terms of use or other legal claims. We are also legally obligated to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offenses subject to fines, and the tax authorities.

Any disclosure of personal data is justified by the fact that (1) the processing is necessary for compliance with a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. f) DSGVO in conjunction with national legal requirements to disclose data to law enforcement authorities, or (2) we have a legitimate interest in disclosing the data to the aforementioned third parties if there are indications of abusive behavior or to enforce our terms of use, other conditions or legal claims, and your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) f) DSGVO do not override this interest.

We rely on contractually affiliated companies and the following third-party companies and external service providers to provide our service:

  • DigitalOcean, LLC (Cloud infrastructure provider).
  • Pendo.io, Inc. (Software experiences)

Any disclosure of personal data is justified by the fact that we have carefully selected our third-party companies and external service providers as processors within the scope of Article 28 (1) of the GDPR, regularly reviewed them and contractually obligated them to process all personal data exclusively in accordance with our instructions.

In the course of the further development of our business, it may happen that the structure of our company changes, by changing the legal form, founding, buying or selling subsidiaries, parts of companies or components. In such transactions, customer information may be transferred along with the part of the business being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Policy and applicable data protection law.
Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) f) DSGVO are not overridden.

3.2 Specific disclosure of data to Pendo

We use Pendo to better understand the behavioral patterns of our users and continuously optimize the experience of our app. All data is stored and processed on servers in Europe. To operate effectively, Pendo requires a unique identifier for each user. To meet the security requirements of our customers, we generate an ID code for each profile stored on our platform, which we use instead of names or email addresses. No personal information is shared. Pendo does not collect any user-entered text or information within form fields in your application. By default, the names of fields, buttons, and other elements within the page are captured with the application data, which makes for easier tracking, but no user-supplied information is included.

Pendo's application and data are hosted and stored in Google's AppEngine, where they share the same infrastructure as Google's primary services. The AppEngine enables Pendo to operate in a robust, fully multi-tenant infrastructure with the same reliability, performance, and security features as Google's own offerings. Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant, and Google conducts multiple independent security audits annually. All application data collected by Pendo is transmitted over SSL, encrypted at rest, and stored in separate AppEngine namespaces for each customer to ensure no data is commingled.

By default, access to Pendo Services requires a combination of email address and password. Users can alternatively request that Pendo disable password-based logins and require authentication via (a) SAML-based authentication (e.g., Okta, Azure AD, Duo) or (b) Google-based logins, if their Google email and Pendo login addresses match. Both (a) and (b) support two-factor authentication via the chosen identity provider. Pendo also conducts independent security audits annually and has passed rigorous internal security audits of all companies upon request. We can provide the results of our latest audit upon request.

Pendo's JavaScript files are hosted and deployed on Amazon's CloudFront CDN, using state-of-the-art edge caching. The JavaScript file is minimized and compressed to about 100 KB and loaded asynchronously. Data is transferred securely over SSL from the user's browser to our server every two minutes and when the user exits a page. The data is compressed before it is sent and each transmission is less than 2 KB. The JavaScript code is hosted and deployed on Amazon's CloudFront Content Distribution Network (CDN), which has an extremely wide network of servers and edge caching to ensure fast load times. Amazon's service level agreements guarantee 99.9% uptime for the agent deployment.

Guides are loaded with the Pendo agent. They are not displayed until the current page has finished loading. The typical response time for guides is less than one second. 99% of guides are delivered in less than half a second.

4. Changes of purpose

Processing of your personal data for purposes other than those described above will only take place if permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.

5. Period of data storage

We will delete or anonymize your personal data as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the preceding paragraphs. As a rule, we store your personal data for the duration of the usage or contractual relationship via the app plus a period of 30 days, during which we keep backup copies after deletion, unless this data is needed longer for criminal prosecution or to secure, assert or enforce legal claims.
Specific statements in this privacy policy or legal requirements for the retention and deletion of personal data, in particular those that we must retain for tax reasons, remain unaffected.

6. Your rights as a data subject

6.1 Right to information

You have the right to receive information from us at any time, upon request, about the personal data we process that concerns you within the scope of Art. 15 DSGVO. For this purpose, you can submit a request by mail or e-mail to the address given below.

6.2 Right to rectify inaccurate data

You have the right to request that we correct the personal data concerning you without delay if it should be incorrect. To do so, please contact us at the contact addresses provided below.

6.3 Right to deletion

You have the right, under the conditions described in Art. 17 DSGVO, to demand that we delete the personal data concerning you. These conditions provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject. For the period of data storage, please also see section 5 of this Privacy Policy. To exercise your right to erasure, please contact us at the contact addresses below.

6.4 Right to restrict processing

You have the right to demand that we restrict processing in accordance with Article 18 DSGVO. This right exists in particular if the accuracy of the personal data is disputed between the user and us, for the duration that the verification of the accuracy requires, as well as in the event that the user requests restricted processing instead of erasure in the case of an existing right to erasure; furthermore, in the event that the data is no longer necessary for the purposes pursued by us, but the user requires it for the assertion, exercise or defense of legal claims, as well as if the successful exercise of an objection is still disputed between us and the user. To exercise your right to restrict processing, please contact us at the contact addresses below.

6.5 Right to data transferability

You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Article 20 DSGVO. To exercise your right to data portability, please contact us at the contact addresses below.

7. Right to object

You have the right, on grounds relating to your particular situation, to object at any time, in accordance with Art. 21 DSGVO, to the processing of personal data concerning you which is carried out, among other things, on the basis of Art. 6 para. 1 lit. e) or f) DSGVO. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the assertion, exercise or defense of legal claims.

8. Contact

Evulu GbR
Neustädter Neuer Weg 20
20459 Hamburg
Germany