Zaikio account data protection notice

This Data Protection Notice describes how Zaikio GmbH, Emmerich-Josef-Str. 1A, 55116 Mainz, Germany, +49 (0) 6131 617 1000, info@zaikio.com ("Zaikio" or "we" or "us" or "our") as controller processes the personal data and other information of the users ("you" or "your") in particular within the meaning of the General Data Protection Regulation ("GDPR") when creating and using a Zaikio account ("Zaikio Account") which can be used to access our cloud-based platform for the print media industry ("Zaikio Platform").

1. Categories of personal data, processing purposes and legal bases

When you create and use your Zaikio Account, we will process your personal data for the respective purposes as described below. We generally comply with the principle of data minimization and we only collect data in our products that are required for their functioning. We do not store data on stock for the sole purpose of data analysis. Providing your personal data for the purposes described below is voluntary. However, if you do not provide your personal data we will not be able to provide you with the respective services.

1.1. Creation of a Zaikio Account

If you create a Zaikio Account, you will be asked to provide the following personal data: Your name, email address, selected password. We processes such personal data for the purpose of creating your Zaikio Account. The legal basis for processing your personal data for such purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.2. Log in and single-sign-on

If you log into your Zaikio Account, we process your login information (i.e., your email address and password) to identify you and provide you with access to the services on the Zaikio Platform. Your Zaikio Account will serve as a single-sign-on, i.e., you will not have to log into each service provided on the Zaikio Platform separately once your account has been authenticated. The legal basis for processing your personal data for these purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.3. Use of apps

When you use your Zaikio Account to log into certain apps provided on the Zaikio Platform it may be required to share certain data stored in your Zaikio Account with the respective app. We will inform you of the respective data categories requested by the app and ask for your permission before allowing the app access to the respective information stored in your Zaikio Account. If you do not permit the exchange of data between your Zaikio Account and the respective app, you may not be able to log into the app. The legal basis for processing your personal data for these purposes is the contract on the use of the Zaikio Account concluded with you (Art. 6 (1) lit. b GDPR).

1.4. Newsletter registration

With your Zaikio Account, you may sign up for our newsletter, which we regularly send to you to inform you of our services and offers. To sign up for our newsletter you need to provide a valid email address. When you sign up for our newsletter, we also store your IP address and the date and time of registration. We only use these data for the purposes of the newsletter and do not share these data with third parties. You may unsubscribe form our newsletter at any time as described in the newsletter. The legal basis for the processing of your personal data for sending newsletters is your consent (Art. 6 (1) lit. a GDPR).

1.5. Passively collected information

In addition to the personal data that you actively provide, we may automatically collect, process and store certain information on a pseudonymous basis from you:

The legal basis for this purpose are our legitimate interests (Art. 6 (1) lit. f GDPR) which are the following: to monitor and maintain the performance of the Zaikio Account and to analyze trends, usage and activities in connection with the Zaikio Account.

2. Encryption

All data send to and from the Zaikio Platform are encrypted in accordance with the state of the art (HTTPS/TLS). This applies in particular to all programming interfaces ("APIs"), as well as mobile applications on iPads and iPhones, as well as our internal tools. All our data bases including personal data are fully encrypted. If personal data are required on local computers for development purposes, they will also be encrypted there. We try to limit these cases to a minimum and work on techniques to use anonymized data also for testing purposes.

3. Recipients

3.1. Transfer to service providers

We may engage external service providers, who act as our data processors, to provide certain services to us. When providing such services, the external service providers may have access to and/or may process your personal data. In particular, we use the following service providers for the following purposes:

Those external service providers will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data and to process the personal data only as instructed.

3.2. Other recipients

Some of our colleagues administering the Zaikio Account may be employees of our group companies. When administering the Zaikio Account, our colleagues may have access to and/or may process your personal data. The respective transfer of your personal data is based on our legitimate interests. Our legitimate interests are the transmission of personal data within the group of companies for internal administrative and support purposes. The access is limited to colleagues with a need to know. More information on the balancing test is available upon request. We may also transfer your personal data to law enforcement agencies, governmental authorities, legal counsel and external consultants in compliance with applicable data protection law. The legal basis for such processing is compliance with a legal obligation to which we are subject or legitimate interests, such as our legitimate interest in exercise or defense of legal claims. More information on the balancing test is available upon request.

3.3. International transfers of personal data

The personal data that we collect or receive about you may be transferred to and processed by recipients which are located inside or outside the European Economic Area ("EEA") and which do not provide for an adequate level of data protection. The countries that are recognized to provide for an adequate level of data protection from an EU law perspective (Art. 45 GDPR) are Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and the Eastern Republic of Uruguay. Recipients in the US may partially be certified under the EU-U.S. Privacy Shield and thereby deemed to provide for an adequate level of data protection from an EU law perspective (Art. 45 GDPR). To the extent your personal data are transferred to countries that do not provide for an adequate level of data protection from an EU law perspective, we will base the respective transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission (Art. 46 (2) GDPR), to the extent this is required. You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 6. The access is limited to recipients with a need to know. Salesforce Inc., Amazon Inc. Amazon Webs Services, Inc., Wildbit LLC, The Rocket Science Group LLC, Intercom Inc., SolarWinds Worldwide, LLC, and Google, Inc. are all privacy shield certified.

4. What rights do you have and how can you assert your rights?

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. Pursuant to applicable data protection law you may have the right to: request access to your personal data, request rectification of your personal data; request erasure of your personal data, request restriction of processing of your personal data; request data portability, and object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights please refer to the Exhibit Your Rights. You also have the right to lodge a complaint with a data protection supervisory authority. To exercise your rights please contact us as stated in Section 6.

5. How long do we keep your personal data?

Your personal data will be retained as long as necessary to provide you with the services requested. When we no longer need to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which we are subject, e.g. statutory retention periods which can result from the Commercial Code or Tax Code and usually contain retention periods from 6 to 10 years, or if we need it to preserve evidence within the statutes of limitation, which is usually 3 years but can be up to 30 years. If you close your Zaikio Account in one of our products, your personal data associated with your Zaikio Account will be deleted within 7 days (unless a longer deletion period applies, see above). Since we retain data base backups for up to 30 days, a permanent and irretrievable deletion of all data under our control will take place after 37 days. As soon as a Zaikio Account is deleted within our products, the respective data are no longer available. In web interfaces as well as in our APIs, it is addressed as "deleted user". Specific other retention periods, e.g. concerning log files, are stated in the context of the respective provision above.

6. Contact us

If you have concerns or questions regarding this Data Protection Notice, please contact us as follows:
Zaikio GmbH
Address: Emmerich-Josef-Str. 1A, 55116 Mainz, Germany
Phone: +49 (0) 6131 617 1000
E-Mail: info@zaikio.com

The contact details of our data protection officer are as follows:
Christian Weyer
Address: Emmerich Josef Straße 1a, 55116 Mainz, Germany
E-Mail: privacy@zaikio.com 

Exhibit
Your Rights

1. Right of access

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access. The right of access is limited pursuant to Section 34 FDPA. The right of access does e.g. not apply if the data (a) were recorded only because they may not be erased due to legal or statutory provisions on retention, or (b) only serve the purposes of monitoring data protection or safeguarding data, and providing information would require a disproportionate effort, and appropriate technical and organizational measures make processing for other purposes impossible. You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

2. Right to rectification

You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure ("right to be forgotten")

Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data. Such right to erasure does pursuant to Section 35 FDPA, for instance, not apply if in the case of a non-automated processing erasure would be impossible or would involve disproportionate effort due to the specific mode of storage and if your interest in erasure can be regarded as minimal. In such case, you may have the right to restriction of processing.

4. Right to restriction of processing

Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

5. Right to data portability

Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

6. Right to object

Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.