With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.
The terms used are not gender-specific.
Status: 23 July 2024
Preamble
Person responsible
Contact Data Protection Officer
Overview of processing activities
Purposes of processing
Data categories
Legal basis
Safety measures
Transmission of data, international data transfers
Deletion of data
Rights of the data subjects
Use of cookies and similar technologies
Cookies and similar technologies
Protection of your privacy
Necessary data processing
Optional data processing
Special notes on the mobile application
Device permissions
Appstores
The processing activities in detail
Provision of the online offer and web hosting
Registration, login and user profiles
Community functions and contributions
Collaboration and communication tools
Notifications (push, in-app, e-mail)
Embedded partner content
Contact and enquiry management
Newsletter
Surveys and interviews
Usage analytics
Presence in social networks (social media)
The controller responsible for the processing of your personal data as explained in this privacy policy is
Holi Moli GmbH
Eifflerstrasse 43
22769 Hamburg
Germany
Authorised representative: Piet Mahler
E-mail address: support@holi.social
Imprint: https://holi.social/imprint
Our data protection officer, who you can contact with any questions about data protection, can be reached using the following contact details:
ISiCO Data Protection GmbH
Am Hamburger Bahnhof 4
10557 Berlin, Germany
E-mail address: holi.social@isico-datenschutz.de
Below you will find an overview of the data processing that takes place in our online offering with regard to the purposes, data categories and legal bases of the processing.
Provision of the online offer
Registration, login and user profiles
Community functions and contributions
Collaboration and communication tools
Contact and enquiry management
Newsletter
Notifications (push, in-app, e-mail)
Embedded partner content
Surveys and interviews
Usage analytics
Presence in social networks (social media)
Inventory data
Contact details
Content data
Contract data
Usage data
Meta, communication and process data
Image and/or video recordings
Relevant legal bases according to the General Data Protection Regulation (GDPR): Below you will find an overview of the legal bases of the GDPR on the basis of which we process your personal data.
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given their consent to the processing of their personal data for one or more specific purposes. We will ask you whenever your consent is required for data processing in our online offering.
Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. When you register for our platform, a user relationship or contract is established between us - this forms the legal basis for most processing activities on our platform.
Fulfilment of legal obligations (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary for the fulfilment of a legal obligation to which we are subject. For tax or commercial law reasons, we are obliged to store some of your data to fulfil legal retention obligations, even if you are no longer active on the platform.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. There are processing activities for which we - for various reasons - are convinced that you have no objection to them and therefore our interest in data processing prevails.
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to your rights and freedoms, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of your data. Furthermore, we have established procedures that guarantee the exercise of data subject rights and the deletion of data. We also take the protection of personal data into account when developing and selecting hardware and software.
We use TLS encryption to protect your data transmitted to our servers via our online offering. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.
As part of our processing of personal data, the data may be transferred to other bodies, companies, legally independent organisational units or persons or disclosed to them. The recipients of this data may include, for example, contracted IT service providers or providers of services and content that are integrated into a website/App. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data. Information on the individual service providers can be found in the section on processing activities.
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is done in accordance with the legal requirements (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ). This means the following in particular:
Subject to express consent or transfer required by contract or law (Art. 49 GDPR), we only process or have the data processed in third countries with a recognised level of data protection within the framework of an adequacy decision (Art. 45 GDPR), in the presence of and compliance with contractual obligations through so-called standard protection clauses of the EU Commission (Art. 46 para. 2 lit. b) GDPR), in the presence of certifications (Art. 46 para. 2 lit. f) GDPR) or binding internal data protection regulations (Art. 46 para. 2 lit. b) GDPR).
In the particularly important case of data transfer to the USA, the so-called "EU-U.S. Data Privacy Framework" (DPF) applies, with which the EU Commission has issued an adequacy decision for certified companies from the USA. The list of certified companies as well as further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ . Information in English and other languages can be found on the website of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en . We will inform you in detail in the following section about the companies we use that are certified under the EU-U.S. Data Privacy Framework.
The data processed by us will be deleted in accordance with the legal requirements. This means that data will be deleted without a request from you if the purpose for processing this data no longer applies or if it is no longer required for the purpose. If data storage is subsequently required for other legally required or authorised purposes, processing will be restricted to these purposes, i.e. the data will be blocked for active processing and moved to an archive with restricted access rights. This applies, for example, to data that must be stored for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person.
As a user of our online offer and data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing, which includes profiling to the extent that it is related to such direct marketing. Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies, JavaScript or images (although this may also limit the functionality of our online offering). An objection to the use of tools for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Right to withdraw consent (Art. 7 para. 3 GDPR): You have the right to withdraw your consent at any time with effect for the future.
Right to information (Art. 15 GDPR): You have the right to request confirmation as to whether the data in question is being processed and for information about this data as well as for further information and a copy of the data in accordance with the legal requirements.
Right to rectification (Art. 16 GDPR): In accordance with the legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR): In accordance with the legal requirements, you have the right to demand that data concerning you be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the legal requirements.
Right to data portability (Art. 20 GDPR): You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
Complaint to a supervisory authority (Art. 77 GDPR): In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, for example a supervisory authority in the Member State in which you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
To assert your rights described here, you can contact us or our data protection officer at any time using the contact details above.
Tools used by us can use technologies to store information on your device or read information from your device. This serves, for example, to ensure the functionality, registration and authentication, the security and convenience of our online offer or to analyse your use. The following technologies may be used, for example:
Cookies - only in the browser: small text files stored on the device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session (e.g. by closing the browser), while so-called permanent cookies remain stored beyond this and are only deleted after the specified expiry date. Cookies can also be removed manually.
Web storage (local storage / session storage) - only in the browser: information stored on the device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be deleted manually.
JavaScript: Programming codes (scripts) embedded or called up in the service that can, for example, set cookies and web storage, execute certain functions for the delivery of content, actively read information from the device or record the usage behaviour of visitors. JavaScript can be blocked by a setting in the browser, although most services will then no longer work.
Pixel: tiny graphic automatically loaded by a service, which can make it possible to determine, for example, the visit to a service and the opening of an e-mail by automatically transmitting the usual connection data (in particular IP address, information about the browser, operating system, language, address called up and time of the call). The use of pixels can be prevented, for example, by blocking images, such as in e-mails, although the display is then severely restricted;
Software Development Kits (SDK): a package of various development tools for creating programmes in a specific programming language and for a specific operating system, which also uses programming interfaces (API) to integrate other software.
Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings so that all or certain cookies are rejected or scripts and graphics are blocked. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services may not work or may not work properly.
We use tools in accordance with the statutory provisions (Section 25 of the German Telemedia and Telecommunications Data Protection Act - TTDSG). We therefore generally obtain prior consent from the users (hereinafter: Optional data processing); exceptionally, consent is not required if the storage and reading of the information is absolutely necessary in order to provide the users with a telemedia service expressly requested by them (i.e. our online offering) (hereinafter: Necessary data processing). The absolutely necessary tools generally include functions that serve the display and operability of the online offer, load balancing, security, storage of the user's preferences and selection options or similar purposes related to the provision of the main functions of the online offer requested by the user. The revocable consent is clearly communicated to the users and contains the information on the respective tool use.
The cookies and similar technologies we use are listed in detail below.
Currently, the following necessary information is stored on your device, which does not require consent:
Cookies (browser): We use cookies in the context of user logins and single sign-on for our self-hosted services (session cookies, Oauth cookies, CSRF cookies). CSRF = Cross-Site Request Forgery (a security mechanism used in the context of the login process). These include
‘csrf_token_{ID}’ (365 days): CSRF protection - Ory;
‘ory_session_{ID}’ (session): Login, authentication - Ory.
‘requireCameraPermission’ (session): Saving the camera access permission
‘onboarding_swipe_*’ (1 year): Saves information on whether users have seen the initial information on using the Challenges area.
‘lastDaySeenSubmissions’ (1 day): Saves the information on when the last report on successful participation in Challenges was submitted.
‘SESSION / JSESSIONID’ (1 year): Saves the logged-in session in the Challenges area to avoid having to log in again.
Local Storage (browser): The following entries are created in the Local Storage when using the web browser:
‘i18nextLng’ (unlimited): Recognise and save language - i18next;
‘onboarding_state_value’ (unlimited): Saves the information as to whether users have already seen the initial information required to use the platform or whether it should be displayed;
‘space_join_is_onboarded’ (unlimited): Saves the information as to whether users have already seen the initial information required to use Spaces or whether it should be displayed.
‘force_oauth2_logout’ (session, max. 24 hours): Saves the login status after manual logout from the cloud storage within Spaces.
‘EXPO_CONSTANTS_INSTALLATION_ID’ (unlimited) Random and unique ID of a device or browser profile, which is retained for the entire lifetime of the app installation / browser data. This ID does not allow any conclusions to be drawn about personal data and is not read or otherwise used by holi.
‘user_session’ (3 months): Login, authentication - Ory.
‘HOLI_TRACKING_CONSENT’ (unlimited): Saves the consent/refusal status for tracking for various purposes if the user is not logged in.
‘ph_opt_in_out_<our posthog key>’ (unlimited): Posthog-internal opt-in or opt-out status
‘ph_<our posthog key>_posthog.$active_feature_flags’ (unlimited): Is used to cache on the client side which feature flags are present.
‘ph_<our posthog key>_posthog.$enabled_feature_flags’ (unlimited): Is used to temporarily store on the client side which feature flags are enabled.
‘ph_<our posthog key>_posthog.$feature_flag_payloads’ (unlimited): Used for client-side caching of feature flag configurations.
‘ph_<our posthog key>_posthog.$autocapture_disabled_server_side’ (unlimited): Informs the Posthog client if the ‘automatic capture’ of e.g. clicks on the server side is activated (only if prior consent to Analytics tracking is granted).
‘ph_<our posthog key>_posthog.$device_id’ (unlimited): randomly generated UUID for the user's device, is only sent to Posthog for analysis purposes if the user consents to product analytics tracking.
‘ph_<our posthog key>_posthog.$heatmaps_enabled_server_side’ (unlimited): Informs the Posthog client which Posthog products/features are enabled server-side.
‘ph_<our posthog key>_posthog.$replay_minimum_duration’ (unlimited): Set to zero, as the Posthog ‘Replay’ product is not used
‘ph_<our posthog key>_posthog.$replay_sample_rate’ (unlimited): Set to zero, as the posthog ‘replay’ product is not used.
‘ph_<our posthog key>_posthog.$sesid ’ (unlimited): a randomly generated UUID to identify a session. It is only sent to Posthog for analysis purposes if the user consents to product analytics tracking.
‘ph_<our posthog key>_posthog.$session_recording_canvas_recording’ (unlimited): Set to zero, as Posthog product ‘Session Recording’ is not used.
‘ph_<our posthog key>_posthog.$session_recording_enabled_server_side’ (unlimited): Set to zero, as Posthog product ‘Session Recording’ is not used.
‘ph_<our posthog key>_posthog.$session_recording_network_payload_capture’ (unlimited): Set to zero, as Posthog product ‘Session Recording’ is not used.
‘ph_<our posthog key>_posthog.$user_state’ (unlimited): Contains the UUID of the user if they have given consent to Analytics tracking and are logged in. Is anonymous if the user has never logged in or has refused consent to analytics tracking or has given consent to analytics tracking but is not logged in.
‘ph_<our posthog key>_posthog.$web_vitals_enabled_server_side’ (unlimited): Set to zero, as the Posthog product ‘Web Analytics’ is not used.
‘ph_<our posthog key>_posthog.distinct_id’ (unlimited): a randomly generated UUID to identify the user if he/she has never logged in. Is only sent to Posthog for analysis purposes if the user consents to product analytics tracking. Corresponds to the user's UUID if the user has consented to analytics tracking and has logged in.
Async Storage (App): The following entries are created in the Async Storage when our apps are used:
‘theme’ (unlimited): saves which UI design users use (‘light’ or ‘dark’).
‘onboarding_state_value’ (unlimited): Saves information on whether users have already seen the initial information required to use the platform or whether it should be displayed.
‘HOLI_TRACKING_CONSENT’ (unlimited): Saves the consent/refusal status for tracking for various purposes if the user is not logged in.
‘mx_user_id’ (unlimited): User ID for the holi chat server to speed up re-authentication.
‘mx_sso_token’ (unlimited): Current authentication token for the holi chat server.
‘mx_client_login’ (unlimited): Current login status to the holi chat server to control authentication.
‘mx_device’ (unlimited): Identifier of the user device at the holi chat server, which is required for parallel support of multiple devices.
File system (app): When the app is used, the following entries are created in the .posthog-rn.json file in the file system of the mobile device until it is uninstalled:
‘anonymous_id’: A randomly generated anonymous UUID that is used for identification as long as the user is not logged in.
‘distinct_id’: See local storage for web
‘session_id’: See local storage for web
‘session_timestamp’: Timestamp when the last active session began
‘installed_app_build’: Technical identifier of the app version
‘installed_app_version’: Human-readable identifier of the app version
‘opted_out’: See local storage for web
‘queue’ contains tracking events that are to be sent as a ‘packet’ but have not yet been sent.
To personalise the offer and analyse platform performance, the following information is also stored on your device after you have given your consent. Further information on this can be found below.
Cookies (Browser): Currently no optional cookies are set
Local Storage (Browser):
‘ph_<our posthog key>_posthog.$flag_call_reported ’ saves which feature flags have been evaluated, for example to control A/B tests.
Below you will find information on the special features of data processing when using our mobile application (hereinafter: app).
The use of our app may require user authorisations for access to certain functions of the devices used or to the data stored on the devices or accessible with the help of the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions depends on the device and the user's software. Users can contact us if they require clarification. We would like to point out that the denial or revocation of the respective authorisations may affect the functionality of our app.
Access to camera functions and saved recordings: As part of the use of our app, image and/or video recordings (including audio recordings) of users (and of other persons covered by the recordings) may be processed by the app's access to the camera functions or to saved recordings. Access to the device camera is required, for example, to add a profile photo to the user profile or to publish contributions (posts or challenges). Access to the camera functions or saved recordings requires authorisation from the user, which can be revoked at any time. The processing of image and/or video recordings only serves to provide the respective functionality of our application, as described to users, or its typical and expected functionality.
Access to the calendar: To save event dates in the user's calendar, the corresponding calendar entries can be downloaded and imported into the user's own calendar. Access to the user's calendar is required for this. This is only requested when a specific event is to be downloaded for the first time and can be cancelled at any time in the settings.
Our app is obtained via special online platforms operated by other service providers (so-called "app stores"). In this context, the data protection notices of the respective app stores apply. This applies in particular with regard to the procedures used on the platforms to measure reach and for interest-based marketing as well as any obligation to pay costs. The processing is carried out under the sole responsibility of the operators of the app stores. The specific data processed, the purposes of the processing and the legal bases can be found in the corresponding data protection notices of the respective app stores:
Apple App Store
Service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA;
Website: https://www.apple.com/de/ios/app-store/ ;
Privacy Policy: https://www.apple.com/legal/privacy/en-ww/ .
Google Play
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Website: https://play.google.com/store/apps?hl=en ;
Privacy policy: https://policies.google.com/privacy .
We collect and process personal data in particular for the purpose of providing and improving our online offering. Third-party providers store and process data exclusively on our behalf. Data processing that is not absolutely necessary, such as access to the photo library to optionally upload a photo/video, or the evaluation of click behaviour to analyse and personalise the offer, only takes place with your prior consent.
A detailed description of which data is collected and processed for which purposes can be found below.
We process personal data in order to provide you with a user-friendly and high-performance online service. The processed data includes technical data collected during use, communication and metadata as well as consent information for the use of cookies and similar technologies. In detail, we distinguish between the following processing operations:
Cloud storage: To provide our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from corresponding server providers (also referred to as "web hosting providers"); with the aim of minimising the CO² emissions of the servers and computing capacity we use, we have chosen Finland as the storage location for the service provider named below.
Google Cloud services: cloud storage, content delivery network
Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
Website: https://cloud.google.com/
Content management; fonts: We use software and font libraries from the following service providers to optimise the presentation of our online offering.
Google Fonts: Provision of fonts
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Framer: Content management system for providing the website https://holi.social/ or https://www.holi.social/ and associated subpages
Provider: Framer B.V., Rozengracht 207, 1016 LZ, Amsterdam, Netherlands
Website: https://www.framer.com
Consent management: We use the following service provider to collect and manage your consent information and cookie preferences on our website
Usercentrics: Management of consent information
Provider: Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany
Website: https://usercentrics.com/
Optimisation and delivery of image and video files: We would like to provide users with image and video files in suitable formats and sizes. We use the following service provider for this purpose
ImageKit iO:
Provider: ImageKit Private Limited, Caddie Commercial Tower5th floor, Aerocity, New Delhi, Delhi 110037, India; ImageKit Inc Christiana Corporate Business Centre, 200 Continental Drive, Suite 401, Newark, DE, 19713, USA
Website: https://imagekit.io/
Optimisation and delivery of functions: We use feature flags to monitor and control the delivery of product components. These are technical information that allow certain contents of our application to be activated or deactivated on the user device. This control is necessary, for example, to temporarily deactivate faulty elements while they are being revised or to test different versions. The necessary information is loaded from the server when the application is started and temporarily stored on the user device (see section Use of cookies and similar technologies )
We use the following service provider for this purpose
PostHog:
Provider: PostHog Inc, 2262 Market Steet #4008, San Fransisco, CA 94114, USA
Website: http://www.posthog.com
We process personal data in order to register users for our online services and to create a user account for them in which they can log in. Registration and login are necessary in order to use services such as Spaces or to participate in the community functions described below. The data processed includes login information (user name, password and an e-mail address). In order to make profitable use of the community functions described below, we also ask users to create a meaningful user profile and provide some personal information, such as voluntarily entering a surname, selecting relevant interests from a selection of social and ecological topics, as well as the matching SDGs (Sustainable Development Goals of the UN), specifying suitable skills, and specifying the location of use at the level of a city/town.
A profile picture can also be created, for which access to the photo library must be granted in the app. The holi.social app only uses images or photos from users' image libraries if users decide to use certain functions, such as displaying their photo/avatar on their profile, setting an avatar or cover image for their space, publishing posts or managing tasks and appointments. It should be emphasised that the provision of images for these functions is entirely in the hands of the user. Nevertheless, this improves the user experience and makes it possible to gain more benefits from our services, such as better visibility for making connections, sharing posts, participating in events and finding volunteers and partners for projects. If users have cancelled their user account, their data with regard to the user account will be deleted, subject to legal permission, obligation or consent of the users. With regard to the deletion of contributions, see "Community functions".
We use the following service provider for the provision and registration.
Ory.sh: Management of user data, authentication and authorisation of users
Provider: Ory Corp 132-A Veterans Lane, Suite 128 Doylestown, PA 18901, USA
Website: https://www.ory.sh
We process personal data in order to provide users with the community functions and to display posts. The community functions we provide allow users to enter into conversations or otherwise interact with each other. For example, they can publish their own contributions (text, images, link posts), submit reactions and comments on posts or articles or publish video contributions on social and ecological challenges. User contributions are generally public, i.e. visible and accessible to all other users. However, users can use settings to determine the extent to which the posts and content they create are visible or accessible to the public or only to certain people or groups.
Please always note that the use of the community functions is only permitted in compliance with the applicable legal situation, our terms and conditions and guidelines as well as the rights of other users and third parties. In the event of illegal posts (e.g. insults, prohibited political propaganda, etc.), these, as well as technical data such as IP address and access times, are stored for evidence purposes. This is done in order to be able to take appropriate measures to protect other users and the community. In addition, the posts are deleted or removed from visibility for all other users.
We process personal data in order to provide users with collaboration and communication tools. One aim of our platform is to make it easier for groups and initiatives to plan and organise projects together in the context of social and ecological transformation. We provide digital collaboration spaces for this purpose. Within these spaces, we offer participants various collaboration and communication tools. The aim of these offerings is in particular to ensure and simplify work organisation measures for the joint work of users, groups of people, teams and initiatives as well as communication management.
In detail, we distinguish between the following processing operations:
Chat: We offer our users a chat solution hosted in the Google Cloud environment (see section "Provision of the online service and web hosting") based on the Matrix protocol. Matrix is an open, decentralised communication service for real-time communication. The first name and surname details from the registration on our platform are used as the display name. However, as the Matrix protocol also enables decentralised federated use (use of the account created on our chat server on other chat servers or use of accounts created on other Matrix chat servers on our chat instance (both currently deactivated), the creation of a unique user name (Matrix ID) is necessary. This technical user name is created when a user account is created. Users can choose the name when registering, but cannot change it later. The open Matrix chat protocol and open-source implementation solutions for creating your own Matrix server are provided by The http://Matrix.org Foundation, https://matrix.org/ .
Cloud storage: Each Space is provided with cloud storage for shared access to files and documents. The files are stored in encrypted form on rented storage space in the Google Cloud environment, which is also used to operate the platform (see section "Provision of the online offering and web hosting").
A self-hosted instance of the ownCloud software is used as the file management system for managing the storage space. The software used is provided by ownCloud GmbH. As this is a self-hosted instance, no data is forwarded to ownCloud GmbH. The ownCloud instance is hosted in the Google Cloud (see section "Provision of the online offer and web hosting"), see https://owncloud.com/de/ .
Link list: Within a Space, a list of important links can be created and organised in the so-called link hub. All contributors to a space can make, edit and delete entries. Link entries are displayed without reference to the person creating them and are only visible within the respective space.
Tasks, appointments and update posts: Update posts, appointments and tasks/requests can be published within a space. Normal users can create these for viewing within the relevant collaboration space. Administrators of a space can also create publicly visible updates, appointments and tasks. The respective entries show the profile information (user name and, if available, profile photo) of the creator.
Users can transfer appointments to their calendars and download the necessary files (.ics. files). Access to the user's calendar is required to insert the appointments directly into the calendars of the mobile app users (Google Calendar or iCalendar). The application requests the necessary authorisation to read and write when the function is actively executed for the first time at the user's request.
Document editing with OnlyOffice: We have integrated a self-hosted instance of the open source software OnlyOffice so that contributors of Spaces can (jointly) create and edit digital documents. This can be opened and used via the cloud storage that is also provided. The open-source community version of OnlyOffice used is provided by Ascensio System SIA. As this is a self-hosted instance, no data is forwarded to Ascensio System SIA. The ownCloud instance is hosted in the Google Cloud (see section "Provision of the online offer and web hosting"), see https://www.onlyoffice.com/ .
Video conferences: We offer users the opportunity to hold video conferences within the Spaces using the open source video conferencing solution Jitsi-Meet. Our Jitsi instance is hosted by the following service provider:
Provider: netcup GmbH Daimlerstraße 25D, 76185 Karlsruhe
Website: https://jitsi.org/jitsi-meet/ and https://www.netcup.de/
Users of our platform are notified or informed about content and news relevant to them personally via various channels. Different channels can be used depending on the urgency of the notification. While most information is transmitted via the information centre contained in the app (or website), information that requires a response from the user, for example, is also transmitted by email. With prior consent, we can also send users so-called "push notifications" to draw their attention to particularly important information. These are messages that are displayed on users' screens, end devices or browsers, even if our online service is not currently being actively used.
To register for the push notifications, users must confirm the request from their browser or device to receive the push notifications. This consent process is documented and saved. The storage is necessary to recognise whether users have agreed to receive the push notifications, to be able to send the push notifications and to be able to prove their consent. Users can change the receipt of push notifications at any time using the notification settings of their respective browsers or devices.
A pseudonymous identifier (so-called "push token" or "push key"), the app installation ID and/or the device ID of a device are used and stored for the purpose of sending the notifications. These help us to assign the push messages to your device and your app and to send them to the correct device.
The following service providers are used to send the notifications.
http://Novu.co notification infrastructure: Control of the various notification channels (push notification, e-mail notification and in-app notifications in the notification centre).
Provider: Noti-Fire Apps Ltd, Derech Ben Gurion 132, Ramat Gan, Israel
Website: https://novu.co/
Firebase Cloud Messaging (FCM): Notification service from Google - Google processes the Firebase installation ID and an authentication token to send push notifications for Android devices. The Firebase installation ID serves as an identifier for the specific app installation, while the authentication token is reassigned for each notification and ensures that the notification is sent and received securely. Data at rest and data transport are encrypted using point-to-point encryption.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Website: https://firebase.google.com/docs/cloud-messaging?hl=en
Deactivate the push notification: https://support.google.com/android/answer/9079661?hl=en#zippy=%2Cbenachrichtigungen-f%C3%BCr-bestimmte-apps-aktivieren-oder-deaktivieren ;
Apple Push Notification service (APNs): Notification service from Apple - Apple processes the APNs ID to send push notifications for iOS devices. The APNs ID is reassigned for each notification and ensures that the notification is sent and received securely. The data transport is encrypted. If data is transferred to the USA when using APNs, this transfer is regulated by the standard contractual clauses of the European Commission.
Supplier: Apple Distribution International Limited, Hollyhill Industrial Estate, Hollywill, Cork, Ireland
Deactivating the push notification: https://support.apple.com/en-gb/guide/iphone/iph7c3d96bab/ios
We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content"). The integration always presupposes that the third-party providers of this content process the IP address of the users on their own responsibility, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content or function.
We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The third-party providers are responsible for the associated data processing. In this respect, we refer to the data protection notices of the respective providers.
Among other things, content from the following third-party providers is regularly integrated into our online offering:
VOLTASTICS (SocialTrek UG): We obtain data (offer texts, images and links to the respective providers) from VOLTASTICS, a service of SocialTrek UG, for the integration of volunteering offers.
Third-party provider: VOLTASTICS is a service of SocialTrek UG (haftungsbeschränkt), Mathiaskirchplatz 10, 50968 Cologne, Germany
Website: https://voltastics.com/
Privacy policy: https://app.voltastics.com/privacy.html .
http://betterplace.org (http://gut.org ): For the integration of donation options, we obtain data (offer texts, images and links to the respective providers) from http://betterplace.org , a service of http://gut.org gAG.
Third-party provider: http://gut.org gemeinnützige Aktiengesellschaft, Schlesische Straße 26, D-10997 Berlin
Website: https://www.betterplace.org/de
Privacy policy: https://www.betterplace.org/c/regeln/datenschutz .
http://GoodNews.eu (GOOD Impact Foundation c/o NOAH Foundation via Contentful GmbH): For the integration of positive news, we obtain data (texts, images and links to the respective providers) from https://goodnews.eu , a service of the GOOD Impact Foundation c/o NOAH Foundation.
Third party provider: GOOD Impact Foundation c/o NOAH Foundation Joachimstraße 10, 10119 Berlin, Germany via: Contentful GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany
Website: https://goodnews.eu and https://www.contentful.com
Privacy policy: https://goodnews.eu/datenschutz/ and https://www.contentful.com/legal/privacy-at-contentful/privacy-notice/ .
We process personal data when you contact us (e.g. by post, contact form, email, telephone or via social media). Technical data and the information you provide yourself will be processed insofar as this is necessary to respond to the enquiry.
We use the following service provider for this purpose:
HubSpot: Provision of contact form, management of user enquiries from various channels as well as analysis and feedback functions
Provider: HubSpot, Inc, 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA
Website: https://www.hubspot.de
Certification for the Data Privacy Framework (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active .
We process personal data to send our newsletter by email about new features of our online offering, promotions, events and offers. We also measure the opening and click rates of the newsletter to improve the technical quality and content of our newsletter. For this purpose, the emails contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from the server when the newsletter is opened. As part of this retrieval, information about the browser and operating system, your IP address and the time of retrieval are collected. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. Registration for our newsletter takes place in a so-called double opt-in procedure, i.e. after registration you will receive an e-mail in which you will be asked to confirm your registration. This confirmation is necessary so that no-one can register with other people's email addresses. To subscribe to our newsletters, it is generally sufficient to enter your e-mail address. However, we ask you to provide a name so that we can address you personally in the newsletter, or other information if this is necessary for the purposes of the newsletter. In the event of obligations to permanently observe revocations, we reserve the right to store the e-mail address in a block list for this purpose alone.
We use the following service provider for data processing in connection with the newsletter:
HubSpot: Provision of contact form, management of user enquiries from various channels as well as analysis and feedback functions
Provider: HubSpot, Inc, 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA
Website: https://www.hubspot.de
Certification for the Data Privacy Framework (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active .
We process personal data in connection with occasional surveys and interviews. The surveys and questionnaires we conduct are analysed anonymously. Personal data is only processed to the extent that this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address to display the survey in the user's browser or to enable the survey to be resumed with the help of a cookie).
We use the following service providers for the surveys:
Typeform: Creation of forms and surveys and administration of participant contributions
Supplier: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain
Website: https://www.typeform.com/
Tally: Creation of forms and surveys and administration of participant contributions
Supplier: Tally, August van Lokerenstraat 71, 9050 - Ghent, Belgium
Website: https://tally.so
We process personal data with your prior consent in order to record and analyse your use. The purpose of the evaluation is to analyse and continuously improve the use of our platform. In detail, we distinguish between the following processing operations:
Analysing usage activity: We record your use of the various areas and objects of the app or website. This involves analysing and recording pages, elements, posts, actions and reactions that are displayed and clicked on, as well as filter settings or search entries. Based on the information obtained, we improve the product experience by, for example, pre-sorting list items (donations, volunteer activities, etc.) based on user interests or offering customised suggestions for suitable projects. This data is also used to analyse the visibility and use of various elements and placements and to optimise them if necessary, for example by learning how far users scroll in the home page feed or which placements are seen and/or clicked on particularly frequently. This helps us to offer more people content that is as relevant as possible and to increase awareness of social or environmental issues. If you opt out of tracking for analysis purposes, the individualised content on offer will no longer be available and no usage data relating to your personal data will be processed, but there will be no other disadvantages in terms of usage.
Recording the source of the visit: If your use of our online offering has come about through an advertising medium (for example, an advert on other websites or the scanning of a QR code from advertising posters), we will link the information about the source of the visit to your user profile after you have given your consent. The aim of this combination of data is to determine how successful different advertising placements are and to analyse whether user behaviour differs based on the source of the visit. If you refuse tracking for marketing purposes, information about your visit source will not be processed with reference to your personal data and will therefore not be taken into account in analyses, but there will be no disadvantages in terms of use.
Crash reporting: We process personal data to monitor system stability and to identify code errors (crash reporting). Processing is limited to technical data that is absolutely necessary for this purpose. This processing enables us to check and improve the availability of our online offering.
QR code tracking: To draw the attention of interested users to our offers by means of posters or posts, we sometimes use QR codes that contain the URLs of our web offers. These codes can be scanned with the camera of a mobile phone to read the web address (URL) they contain and enable the URL to be visited using a mobile web browser. In order to measure how successful the various placements are, we record the views of the various placements and analyse them.
We use the following service providers for the aforementioned processing operations:
PostHog: Recording and analysing user activity, source of visits
Provider: PostHog Inc, 2262 Market Steet #4008, San Fransisco, CA 94114, USA
Website: www.posthog.com
Sentry: Monitoring system stability and detecting code errors
Provider: Functional Software Inc, Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA
Website: https://sentry.io
QR-Track: recording and analysing the use of QR codes
Provider: QR-Track - Michael Hack Software e.K., Heimbachstr. 5, 86836 Graben
Website: https://www.qrtrack.de
The personal data processed in the aforementioned processing operations will not be passed on for any purposes other than those stated and will not be processed by recipients for their own purposes.
We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us. We would like to point out that user data may be processed by the operators of social networks outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights.
Access to aggregated statistics
As part of the operation of our online presences, we may have access to information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presence (e.g. likes, subscriptions, shares, viewing of images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can also be used by us to adapt the design and our activities and content on the online presence and to optimise it for our audience. Details and links to the social networks on which we are present can be found in the list below. The collection and use of these statistics is generally subject to joint responsibility. Where this applies, the relevant contract is listed below.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 lit. b) GDPR, in order to stay in contact with our customers and inform them and to carry out pre-contractual measures with interested parties.
Communication via the social network:
In addition, the social network may allow us to get in touch with you. This can take place, for example, via direct messages or posted contributions. The content of communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. This is then the telecommunications provider.
Processing for market research and advertising purposes:
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts inside and outside the networks that presumably correspond to the interests of the users. For these purposes, information is usually also read or stored on the user's device. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
Processing for market research and advertising purposes is carried out by the social networks under their own responsibility. You can find the legal basis for this in the data protection information for the respective social network. For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.
Assertion of your rights as a data subject:
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers of the social networks. Only the providers have access to the users' data and can take appropriate measures and provide information directly. You can also contact us with your request. In this case, we will process your enquiry and forward it to the provider of the social network.
We are active on the following social networks:
Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Website: https://www.instagram.com
Privacy policy: https://instagram.com/about/legal/privacy
Contract on joint responsibility: https://www.facebook.com/legal/terms/page_controller_addendum
Certification for the DPF (adequacy decision): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active
Option to object (opt-out): https://de-de.facebook.com/help/instagram/2885653514995517?locale=en_GB.
Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Website: https://www.linkedin.com
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Contract on joint responsibility: https://legal.linkedin.com/pages-joint-controller-addendum
Option to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
X
Service provider: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Website: https://twitter.com/
Privacy policy: https://twitter.com/de/privacy
Option to object (opt-out): https://twitter.com/personalization .
Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Website: https://www.xing.de
Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung
Possibility of objection (opt-out):
https://privacy.xing.com/de/datenschutzerklaerung