1. General Information in Data Processing: Data Controller, Scope of Data Processing; Your Rights; Profiling and automated decision making; Data Security; Data Processing outside the US; Contacting us
1.1 Planflow as Data Controller
We have appointed a data protection officer who can be reached at firstname.lastname@example.org
1.2 Scope of Data Processing
We as well as our external service partners process your data for the purpose of providing the Website and services, including providing hard- and software through such external service partners. You provide data if this is necessary for the aforementioned purposes. For more information please also refer to email@example.com.
In the event you refrain from providing such data you may face legal disadvantages, for example, limited or no possibility of using our Website or no answer to your email sent to us.
1.3 Your Rights
At Planflow, we apply the same data rights to all customers, regardless of their location. Currently some of the most privacy-forward regulations in place are the European Union’s General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”) in the US. Planflow recognizes all of the rights granted in these regulations, except as limited by applicable law. These rights include:
- Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.
- Right to Correction. You have the right to request correction of your personal information.
- Right to Erasure / “To be Forgotten”. This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession and, by extension, all of our service providers. Fulfillment of some data deletion requests may prevent you from using Basecamp services because our applications may then no longer work. In such cases, a data deletion request may result in closing your account.
- Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority. To identify your specific authority or find out more about this right, EU individuals should go to https://edpb.europa.eu/about-edpb/board/members_en.
- Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed, including opting out of sale of personal information. (Again: we never have and never will sell your personal data).
- Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
- Right to Portability. You have the right to receive the personal information we have about you and the right to transmit it to another party.
- Right to not be subject to Automated Decision-Making. You have the right to object and prevent any decision that could have a legal, or similarly significant, effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable law, or is based on your explicit consent.
- Right to Non-Discrimination. This right stems from the CCPA. We do not and will not charge you a different amount to use our products, offer you different discounts, or give you a lower level of customer service because you have exercised your data privacy rights. However, the exercise of certain rights (such as the right “to be forgotten”) may, by virtue of your exercising those rights, prevent you from using our Services.
Many of these rights can be exercised by signing in and directly updating your account information.
If you have questions about exercising these rights or need assistance, please contact us at firstname.lastname@example.org. For requests to delete personal information or know what personal information has been collected, we will first verify your identity using a combination of at least two pieces of information already collected including your user email address. If an authorized agent is corresponding on your behalf, we will first need written consent with a signature from the account holder before proceeding.
If you are in the EU, you can identify your specific authority to file a complaint or find out more about GDPR, at https://edpb.europa.eu/about-edpb/board/members_en.
1.4 Storing and Deleting Data
1.5 Profiling and automated decision making
We do not use automated decision-making including profiling when processing data concerning our Website or Platform except as set forth herein. However, our third party providers may carry out such profiling in individual cases. We will inform you about such fact if possible.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effect on you or substantially impairs you in a similar manner.
1.6 Data Security
To provide the best possible security of user data, our service through the Website is provided via a secured SSL connection between your server and the browser. That means that the data is transferred in encrypted form. We have implemented suitable technical and organizational measures.
1.7 Data Processing by Third Parties / Data Processing outside the EU
1.8 Contact Us
If you send us an e-mail or otherwise contact us, your details in this online form or request, including the contact data, name, email address and other data provided respectively, are processed by us in order to deal with your inquiry or to be able to contact you at a later time for follow up questions. These data are processed only on the basis of your consent (legal basis Art. 6 (1) a. GDPR) or on the basis of an initiating or existing business relationship with us (legal basis Art. 6 (1) b. GDPR or TMG).
2. Data processing on our website
2.1 Visiting the Website
We (or the webspace provider) collect data on each visit to our website planflow.io ("Website") (so-called Server log files), which include:
Name of the Website visited, file, date and time of the visit, data amount transferred, information on a successful call, browser type as well as version, operating system of the user, referrer URL (the page visited before), IP address and the requesting provider
as well as the following, if a mobile end device is being used:
country code, language, name of device, name of operating system and version
We use these server log files only for statistical evaluations for the purpose of optimizing our services and in order to guarantee the stability and operational security of the Website. When personal data (such as the IP-address) are stored the legal basis for this is Art. 6 (1) c. GDPR or Art. 6 (1) f. GDPR based on our legitimate interest of quality assurance or TMG.
In our newsletter we inform you about our services and products also described on our Website.
When registering for the newsletter, you have to provide an email address. This email address will be transmitted to and stored by us (or a provider as specified below). After registration, the user will receive an email to confirm the registration ("double opt-in"). Via clicking the registration link you have given your consent to the processing of your personal data for receiving our newsletter and we may process such data accordingly. In case of registration for the newsletter we (or our provider as specified below) also store the IP address, the device name, the mail provider as well as the user's first and last name and the date of registration.
We use the mail provider "Customer.io" at 921 SW Washington Street, Suite 820, Portland, Oregon, 97205 who receives and processes on our behalf the data necessary for the mailing, in particular email address, IP address, device name. These data are processed on servers in the USA. Customer.io is a service with which the dispatch of emails can be organized and analyzed. With the help of customer.io we can analyze our emails. When you open an email sent with customer.io, a file contained in the email (so-called web beacon) connects to the customer.io servers in the USA. This allows you to determine whether a message has been opened and which links have been clicked on. In addition, technical information is recorded (e.g. time of registration, IP address, browser type and operating system). This information cannot be assigned to the respective email recipient. They are used exclusively for statistical analysis of our emails. The results of these analyses can be used to better adapt future emails to the interests of the recipients. Mailchimp is certified according to "privacy shield". The "privacy shield" is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA. For more information please refer to customer.io.
The data processing for sending and analyzing our newsletters as described above is based on your consent (Art. 6 (1) f. GDPR) and/or on Art. 6 (1) f. GDPR with our legitimate interest of quality assurance and marketing.
OPT-OUT: If you do not want to receive any newsletters by us in the future and/or wish to object to the analysis of your data through such newsletters please use the "unsubscribe" link contained in each newsletter or send us an email to email@example.com.
2.3 Careers Section on our Website
We process your personal data for fulfilling our contractual or pre-contractual obligations (based on Art. 6 (1) b. GDPR) or -- as applicable -- for the purpose of the employment relationship with you (Section 26 BDSG). In particular, we use your data:
To get in touch with you, communicate with you, update you and to facilitate your application,
To offer an online-application system that is connected to our website,
To respond to your questions or concerns,
To carry out vetting of staff members (where required); this may involve our collection and use of sensitive personal information including information obtained from criminal background checks about offences or alleged offences and information relating to any proceedings for offences committed or allegedly committed,
When necessary and for the purposes of our legitimate interests to maintain adequate records, we may collect and handle information related to medical information, ethnic origin or criminal records,
To assist in any disputes, claims or investigations relating to your application, or
To comply with our legal, regulatory and professional obligations.
We may also use your data with your explicit consent (based on Art. 6 (1) a. GDPR or Section 26 BDSG), for example to keep you informed about other opportunities if you wish us to do so. If you do not provide your personal data, you may face certain disadvantages, for example we will not be able to provide you with our recruiting processes or keep you informed about future opportunities.
A list of the data processors processing data (outside the EU) and corresponding information is available by request via email to firstname.lastname@example.org.
With your explicit consent, we will keep your information in case any other opportunities become available which you might be interested in; we will only keep your information for a limited period and your details will generally be deleted at the latest after 12 months of inactivity on your account. You may withdraw such consent with effect for the future at any time via email to email@example.com.
3. Cookies and Third Party Providers on the Website
Our Website uses so-called cookies. Cookies do not cause any harm to your device and do not contain any viruses. Cookies serve the purpose of making our service more user-friendly, more effective and safer. Cookies are small text files which are stored on your device and in your browser.
Most of the cookies we use are so-called session cookies. After the end of the session these cookies will be deleted automatically. The session cookies are used in order to associate successive page requests with the individual users, who at the same time access our Website. Other cookies will be stored on your device until you delete them. These cookies enable us to recognize your browser during your next visit.
By clicking "I agree" in the cookie banner appearing on your screen when visiting planflow.io for the first time you agree that all cookies set out in this clause will be set. This applies both to regular cookies and essential cookies; essential cookies are such cookies which are necessary to correctly display the Website and/or carry out its basic functionalities. If you, however, choose to not agree with our usage of those non-essential cookies – either by ignoring the banner or by clicking the top right "X" – only essential cookies will be set. Your decision will be stored in one cookie which is used to recognize your browser during your next visit, so you will not be asked again until you decide to delete this cookie. Please find information on how to opt-out in connection with cookies in general in the following paragraph and in particular in the respective subsection of this clause.
You can adjust your browser to notify you, before you receive a cookie or to decide to accept cookies on a case-by-case basis, to completely or partly exclude all incoming cookies and to activate the deletion of cookies automatically when the browser is closed. You may manage many online advertisement cookies provided by companies via the American web page http://www.aboutads.info/choices/ or the web page of the European Union http://www.youronlinechoices.com/uk/your-ad-choices/. We would like to inform you that the usage and especially the convenience of usage without using any cookies may be limited.
In the event personal data are processed such processing is based on Art. 6 (1) a. GDPR.
3.2 Google Analytics
The service offered here uses Google Analytics, a web analytics tool offered by Google LLC, Mountain View, CA, USA ("Google"). This analysis service uses so-called "cookies". For analysis, text files will be stored on your device. The information stored in the corresponding files about the use of this website is generally transmitted to and stored on Google servers in the USA. As the IP anonymization is active on this Website, your IP address will be shortened by Google within the member states of the European Union (EU). This information will be used to evaluate your use of the services offered here and enable the operator of this website to analyze your website activity and provide other services associated with the website service. The IP address transmitted from your browser as part of Google Analytics will not be merged with other data from Google.
We point out that an automated decision making ("profiling") can take place when integrating Google and an existing Google account.
Google LLC, USA is certified according to the EU-US agreement "Privacy Shield". The "Privacy Shield" is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA.
3.3 Google Tag Manager
You can always opt-out from the data collection by visiting: https://www.hotjar.com/legal/compliance/opt-out
Amplitude by Amplitude, Inc., 501 2nd Street, Suite 100, San Francisco, CA 94107, USA: The service analyzes your usage data of the service on our behalf based on our legitimate interest of improving our product (legal basis: Art. 6 (1) f. GDPR). To show compliance with EU data protection standards Amplitude Inc. is certified according to the EU-US-Privacy-Shield (see: https://www.privacyshield.gov). For further information please also refer to https://amplitude.com/privacy#customer-end-user-data.
To facilitate the messaging and customer service functionalities in our Service, we use Intercom, a tool by Intercom, Inc., Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor, San Francisco, California 94105 (“Intercom”). For this purpose, when using the message or customer service function in our Service, your data such as your name, mail address, operating system, browser page, referrer and IP address as well as the content of your message will be transferred to Intercom and such data may be stored on Intercom servers in the US. Intercom submits the collected data to us so that we can address your request.
We use Segment.io, provided by Segment.io, Inc. (101 15th St., San Francisco, CA 94103, USA) (“Segment”), a data analysis service that aggregates usage data from our Website and our App. According to Segment, the recorded usage data is only processed in pseudonymised form; IP addresses are shortened accordingly after their collection and the data is not used to combine user profiles with your personal data. According to Segment, the information about the use of our website is usually transmitted to and stored by Segment on a server in the United States. To show compliance with EU data protection standards Segment.io is certified according to the EU-US-Privacy-Shield (see: https://www.privacyshield.gov). We have concluded a Data Processing Agreement (DPA) with Segment.io.
To facilitate the messaging and customer service functionalities in our Service, we use Hubspot, a tool by Hubspot, Inc., 25 First Street, 2nd Floor, Cambridge, Massachusetts 02141 (“Hubspot”). For this purpose, when using the message or customer service function in our Service, your data such as your name, mail address, operating system, browser page, referrer and IP address as well as the content of your message will be transferred to Hubspot and such data may be stored on Hubspot servers in the US. Hubspot submits the collected data to us so that we can address your request.
3.12 Integration of Services by Third Parties
When using this online service, contents of third parties, like for instance, links to Instagram, YouTube videos, map material provided by Google Map, RSS feeds or graphics are integrated from other websites. This always requires that the providers of this content ("Third Party Providers") use the IP address. Without this IP address these Third Party Providers would not be able to send the content to your browser. Consequently, the IP address is required in order to display the content. We make every effort to only use such content by Third Party Providers which use the IP address for the delivery of content only.
Such data are used in order to guarantee the stability and operational security of the websites of the Third Party Providers as well as for the purpose of optimizing our services via quality assurance. If the IP address is stored such processing is based on Art. 6 (1) b., c. GDPR, Art. 6 (1) a. GDPR or TMG.
In the event of displayed content by Third Party Providers your data may be processed outside the EU.
4. Data Processing on our Social Media Pages
We operate pages on the following social media channels:
- LinkedIn: linkedin.com or mobile app by LinkedIn Corporation, Legal Department -- Privacy, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA / LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, please also refer to: https://www.linkedin.com/legal/privacy-policy / https://www.linkedin.com/psettings/privacy
When you visit our social media pages, data is processed both by us and by the responsible social media provider as the responsible party.
The respective provider of social media assumes the data protection obligations towards you as the user, such as information on data processing, and is the contact person for your rights. This follows from the fact that such provider has direct access to the relevant information on the social media page and the processing of your data. However, you are also welcome to contact us if this should become necessary and we will then forward the request to them.
When using Facebook, Instagram, Twitter or LinkedIn data may also be processed outside the EU. The US companies of Facebook/Instagram, Twitter and LinkedIn are certified in accordance with the EU-US Privacy Shield agreement, which guarantees compliance with data protection regulations in the EU. For more information please refer to: https://www.privacyshield.gov
4.1 Data Processing and Legal Basis
With our social media pages, we can communicate with you and provide you with interesting information. We may receive further data from you through your comments, shared images, messages and reactions, which we then process to answer or communicate with you. If you use social media on several end devices, a cross-device analysis of the data can take place.
Data processing takes place with your consent or for the purpose of answering your enquiry (Art. 6 (1) a, b GDPR) or on the basis of legitimate interests in improving the services and presentation to the outside world (Art. 6 (1) f GDPR).
Facebook and we use the Page Insights function to process statistical data from users of our Facebook pages (see also the agreement at: https://www.facebook.com/legal/terms/page_controller_addendum). This involves the processing of data in the form of so-called 'page insights', which are described in more detail at https://www.facebook.com/business/a/page/page-insights.
Evaluations and statistics are generated in the form of page insights from the usage data of the Facebook pages, which support us in improving our marketing activities and our external presence. We may also learn about users who interact with or use our Facebook Pages and about their behavior, in order to display relevant content and develop features that may be of interest to them. These page statistics show us, for example, which people from certain target groups interact most with our Facebook Page or which content on the Facebook Page was visited, shared or liked when and how often. When classifying people into target groups, demographic data or data about the location of a person is also included in order to place targeted advertisements with these people. If you use Facebook on several end devices, a cross-device analysis of the data can take place. The data collected in this way is statistically processed and usually anonymous, i.e. we cannot establish any reference to the individual person.
Information on these page insights and data processing can be found, for example, in Facebook's data protection statement at https://www.facebook.com/policy.php or at https://www.facebook.com/business/a/page/page-insights.
As a Facebook user, you can at any time influence how your user behavior is recorded when you visit Facebook pages. To do this, you can manage the settings for advertising preferences in your Facebook account or at https://www.facebook.com/ads/preferences, or the Facebook settings in your account or at https://www.facebook.com/settings. Facebook also provides opportunities to contact or exercise rights at https://www.facebook.com/help/contact/2061665240770586 or https://www.facebook.com/help/contact/308592359910928.
As a Twitter user, you can at any time influence how your user behavior is recorded when you visit Twitter pages. To do this, you can manage the settings for advertising preferences in your Twitter account or under https://twitter.com/personalization or https://twitter.com/de/privacy#overlay-chapter2.10.1 or without an account under https://pscp.tv/account/settings. Twitter also provides opportunities to contact or exercise rights at https://help.twitter.com/forms/privacy.
LinkedIn and we may use your data for careers and recruiting services for our LinkedIn pages (see also the data processing agreement: https://legal.linkedin.com/dpa). Data on how you use LinkedIn may be shared with us and certain third parties as described in detail here: https://www.linkedin.com/legal/privacy-policy#share
As a LinkedIn user, you can at any time influence how your user behavior is recorded when you visit LinkedIn pages. To do this, you can manage the advertising and general settings in your account under https://www.linkedin.com/psettings/privacy. LinkedIn also provides opportunities to contact and exercise rights under https://www.linkedin.com/legal/privacy-policy, https://www.linkedin.com/legal/cookie-policy and for individual messages online via https://www.linkedin.com/help/linkedin/ask/TSO-DPO.
For further information you may contact us at any time, for example via email to firstname.lastname@example.org.
Version 0.1 (08/30/2020)
© Copyright 2020 Planflow LLC.
All rights reserved.