Data Privacy Policy App
General information
This privacy policy explains the type, scope and purpose of the processing of personal data within our app and the associated functions and content. Our privacy policy should be simple and understandable for everyone. As a rule, the official terms of the General Data Protection Regulation (GDPR) are used in this privacy policy. The official definitions are explained in Art. 4 GDPR.
Who is responsible for data processing
ESFORIN SE
Ruhrallee 201
45136 Essen
+49.201.220.38-100
info@esforin.com
Contact Details of the Data Protection Officer
Proliance GmbH / www.datenschutzexperte.de
Data Protection Officer
Leopoldstr. 21
80802 Munich
datenschutzbeauftragter@datenschutzexperte.de
When contacting the data protection officer, please state the company to which your enquiry relates. Please refrain from enclosing sensitive information, such as a copy of your ID, with your enquiry.
Data collection in the context of app use
We take the protection of your data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
With our app, we offer our customers an interface to our digital energy services.
When you download our app, register or log in to the app and use the app, various personal data are processed.
Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.
Access to and Storage of Information on Terminal Equipment
By using our app, information (e.g. IP address) may be accessed or information (e.g. cookies) may be stored in your end devices. This access or storage may involve further processing of personal data within the meaning of the GDPR.
In cases where such access to information or such storage of information is absolutely necessary for the technically error-free provision of our services, this is done on the basis of Section 25 (1) sentence 1, (2) no. 2 TTDSG.
In cases in which such a process serves other purposes (e.g. the needs-based design of our app), this is only carried out on the basis of Section 25 (1) TTDSG with your consent in accordance with Art. 6 (1) (a) GDPR. Consent can be revoked at any time for the future. The provisions of the GDPR and the German Federal Data Protection Act (BDSG) apply to the processing of your personal data.
Further information on the processing of your personal data and the relevant legal bases in this context can be found in the following sections on the specific processing activities in our app.
Information that is collected when the app is downloaded
When you download the app, certain required information is transmitted to the app store you have selected (Google Play Store, Apple App Store). In particular, the user name, email address, customer number of your account, the time of the download, payment information and the individual device identification number may be processed. We have no influence on this data collection and are not responsible for it. The contract is concluded with the respective store provider and is handled in accordance with their terms and conditions of business and use as well as their data protection provisions. As part of your use of the stores, we only process the reviews you have published about our app and the associated data and receive anonymous statistics via the stores, e.g. on download figures, uninstallations and crashes.
Hosting
We operate the app services in the EU. We use Microsoft Azure B2C for user identification. Azure AD B2C is a CIAM (Customer Identity Access Management) solution that supports millions of users and billions of authentications per day. It ensures the scaling and security of the authentication platform as well as the monitoring and automatic handling of threats such as denial of service, password spray or brute force attacks.
Data processing when using the app
When you use the app, we automatically collect certain data that is required for the provision and use of the app. The following data is processed for this purpose: Time of access, IP address, content of access.
This data is automatically transmitted to us in order to provide you with the service and the associated functions and to prevent and eliminate misuse and malfunctions.
This data processing is justified by the fact that the processing is necessary for the fulfilment of the contract between you as the data subject and us in accordance with Art. 6 para. 1 lit. b GDPR for the use of the app.
Technical functions of the app
The app requires the following authorisations for the full use of our services:
Internet access: This is required to save your entries on our servers.
Push notifications: This is required to send you targeted push notifications about company-relevant information and news.
The authorisations to access the above-mentioned functions are explicitly requested at the latest when the device is used for the first time and can be confirmed or rejected.
If you have granted the individual authorisations, the associated processing of your data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future. Any authorisation granted can normally be revoked at any time in the device settings (however, this depends on the device and the operating system, over which we have no influence). The legality of the data processing that has already taken place remains unaffected by the cancellation. Please note that authorisations that have not been granted may restrict the use of the app.
Creation of a user account (registration) and login
You can download our app from the app store without registering with us. We do not collect any personal data when you download the app. No personal data is passed on to us by the provider of the app store either. However, you can only use our app if you register via Microsoft Azure user identification. We use Microsoft Azure B2C for user identification. Azure AD B2C is a CIAM (Customer Identity Access Management) solution that supports millions of users and billions of authentications per day. It ensures the scaling and security of the authentication platform as well as the monitoring and automatic handling of threats such as denial of service, password spray or brute force attacks.
In addition, we require the following for registration: first and last name, company name and e-mail address with which the Microsoft Azure user account was linked.
The data entered during registration is processed for the fulfilment of a contract with the user or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR). Additional voluntary information is processed on the basis of your voluntarily given consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time for the future. All you need to do is send an informal email to the contact details of the controller given above. The legality of the data processing that has already taken place remains unaffected by the revocation.
Furthermore, on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in ensuring the functionality, error-free operation of the app and the detection of misuse, the following data is collected and processed by us when using the app:
- Date of your registration
- Date of your last login
Contact us via contact form, e-mail or telephone
If you send us enquiries via the contact form, e-mail or telephone, your details from the enquiry form or your e-mail, including the personal data you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. Under no circumstances will we pass on this data without your consent. The legal basis for processing the data is our legitimate interest in responding to your enquiry in accordance with Art. 6 para. 1 lit. f GDPR and, if applicable, Art. 6 para. 1 lit. b GDPR if your enquiry is aimed at concluding a contract.
Your data will be deleted after your enquiry has been processed, provided there are no legal obligations to retain it. In the case of Art. 6 para. 1 lit. f GDPR, you can object to the processing of your personal data at any time.
Data Sharing and Recipients
Your personal data will not be transferred to third parties unless:
- we have explicitly pointed this out in the description of the respective data processing;
- you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;
- the transfer in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data;
- there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR;
- this is necessary for the processing of contractual relationships with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR.
We also use external service providers for the processing of our services, which we have carefully selected, commissioned in writing and with whom we have concluded order processing contracts in accordance with Art. 28 GDPR if necessary. These service providers are bound by our instructions and are regularly monitored by us. These include service providers for app hosting, sending emails and maintaining and servicing our IT systems. The service providers will not pass this data on to third parties.
Duration of the Storage of Personal Data
The duration of the storage of personal data is based on the relevant statutory retention periods (e.g. from commercial law and tax law). After expiry of the respective period, the corresponding data is routinely deleted. If data is required for contract fulfilment or contract initiation or if we have a legitimate interest in further storage, the data will be deleted if it is no longer required for these purposes or if you exercise your right of revocation or objection.
Your Rights
Below you will find information on the data subject rights that the applicable data protection law grants you vis-à-vis the controller with regard to the processing of your personal data:
The right to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
The right to request the correction of inaccurate or incomplete personal data stored by us without undue delay in accordance with Art. 16 GDPR.
The right to request the deletion of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
The right to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its deletion, and we no longer need the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR.
The right, pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.
The right to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of the federal state of our registered office stated above or, if applicable, that of your usual place of residence or workplace.
The right to revoke the consent given in accordance with Art. 7 (3) GDPR: You have the right to revoke consent to the processing of data once given at any time with effect for the future. In the event of revocation, we will delete the data concerned without delay unless further processing can be based on a legal basis for processing without consent. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Right of Objection
Insofar as your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as this is done for reasons arising from your particular situation. Insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement to specify a particular situation.
If you would like to make use of your right of revocation or objection, it is sufficient to send an e-mail to: datenschutz@esforin.com
Legal Obligations
The provision of personal data for the decision on the conclusion of a contract, the fulfilment of the contract or for the implementation of pre-contractual measures is voluntary. However, we can only make the decision in the context of contractual measures if you provide such personal data that is required for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.
Automated decision-making / profiling
Automated decision making or profiling according to Art. 22 GDPR does not take place.
Changes and updates to this privacy policy
We reserve the right to amend or update this privacy policy if necessary in compliance with the applicable data protection regulations. In this way, we can adapt it to the current legal requirements and take into account changes to our services, e.g. when introducing new services. The latest version applies to your visit.
Status of this privacy policy: 9 November 2023