Last Updated: 04.01.2023
The company responsible within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the:
COREDINATE GmbH
Ringstraße 25
97215 Uffenheim
Germany
Tel.: +49 9842 80491 - 0
Email: privacy@coredinate.de
Website: www.coredinate.de
The contact details of the data protection officer of the company:
DataCo GmbH
Dachauer Straße 65
80335 München
Germany
Tel.: +49 89 7400 45840
Website: www.dataguard.de
The following Privacy statement applies to the product COREDINATE of the COREDINATE GmbH, Ringstraße 25, 97215 Uffenheim, Germany ("COREDINATE", "we" or "us"). Unless specifically different, this Privacy Statement applies to both the portal and the app.
COREDINATE GmbH, as operator of the software, makes this available to your employer within the scope of order processing within the meaning of Art. 28 GDPR. The basis for the processing of personal data by us is a contract processing contract concluded between your employer and COREDINATE GmbH.
On behalf of your employer, COREDINATE GmbH processes personal data of its employees for employment purposes in accordance with Art. 88 GDPR and § 26 BDSG. As a rule, the legal basis is Article 6 (1) sentence 1 lit. b GDPR the establishment or implementation of an employment relationship or with Art. 6 para. 1 sentence 1 lit. c GDPR a legal obligation.
This applies to the platform-side data processed by COREDINATE GmbH for maintenance and optimization purposes. COREDINATE GmbH is entitled to process the personal data covered by the order processing contract for the purpose of quality assurance and for the development of new or further development of existing products.
Exempted from this are the processing operations by the user of the COREDINATE platform, which are done in own responsibility. COREDINATE GmbH has no influence on the type of data processing by the user.
We attach great importance to transparency and security of the data. Therefore, in the following we will concretely list which data we process in the context of the provision of the software and which security precautions we have taken.
To use all features of the COREDINATE app, some system permissions are required. These authorizations are requested once when the app is started for the first time, or only when the respective function is used.
Location
To fulfill the minimum requirements of DIN VDE V0825-11 2016/08 regarding wireless personal emergency signal systems for hazardous solo work, the COREDINATE App requires the ability to determine the whereabouts of security personnel with the highest possible degree of detail. It is also possible to specify GPS checkpoints that are considered visited when the employee has entered the radius of the point. The location of the employee is determined via the GPS module and the Google Maps API.
NFC
Employees must scan an NFC tag with their device at specified checkpoints. This serves to monitor the tour and to document the presence of the employee at the designated control point. This requires access to the NFC functionality of the device.
Bluetooth
Employees must alternatively scan a Bluetooth beacon with their device at specified control points. This serves to monitor the tour and to document the presence of the employee at the designated control point. This requires access to the Bluetooth functionality of the device.
Camera
To allow security agents to capture events during their tour and attach them to the report as evidence photos and transfer them to the portal, the app needs access to the device’s camera.
Storage privilege
In order for security staff members to take pictures during their tour and thus save recorded events on the end device, subsequently attach them to the report and transfer them to the portal, the app needs access to the device’s memory.
Execution of calls
If the security officer does not respond for a defined period of time, an alarm is triggered. For this purpose, the app establishes a voice connection to the alarm center via a phone number predefined by the security service. For this, the app needs access to the execution of calls.
Unlock device & screen
This permission is required to allow the app to independently establish a voice connection to the alarm center.
Call status
In the event of an alarm, the device emits an audible alarm to facilitate the detection of the security guard. This alarm signal is interrupted for the duration of the call with the alarm center. For this, the app needs access to the call status of the device.
Volume Control
In order for the alarm signal to be clearly audible and to enable the security staff to be located, the volume of the device is set to the maximum. For this, the app needs access to the volume control of the device.
Background Mode
According to DIN VDE V0825-11 2016/08, the app must not be terminated by the operating system if it is kept in the background. As a result, functionalities such as the alarm, the tour monitoring and the reception of messages could be prevented. Therefore, the app needs the permission to stay active in the background.
Network information
To ensure the offline capability of the app and the triggering of the alarm in accordance with DIN VDE V0825-11 2016/08, the app needs access to the network information of the device.
Push notifications
To display messages from the COREDINATE portal, the app needs the permission to display them.
COREDINATE processes your personal data from your login and installation of the COREDINATE App especially in the context of the provision of contractual services. The extent of the collection, processing and use of the data depends on the services you use. These are in particular
· Names of employees
· Address of the employees
· Telephone number of the employees
· Email address of the employees
· Working hours of employees
· Contact person for the zones with name and telephone number
· Location data of the security officer
· Task and tour executions
· Activity data of control point scans
· Events
· Key handovers
· Comments and read receipts in the notification system
· Feedback about bugs with error log
· Telemetry data
· IP address of the device
· Operating system of the device
· Model number of the device
· Screen size of the device
· APP version of the device
· IMEI of the device
· UID of the device
· License number of the device
COREDINATE attaches great importance to the security of your data. In particular, this concerns the protection of personal data during the transfer and the protection against gaining knowledge by third parties. For this purpose, COREDINATE keeps the technical measures up to date. All data is transmitted via an encrypted SSL connection.
Your data will be treated confidentially. A transfer to third parties does not take place, unless they are directly involved in the provision of services.
Employees of COREDINATE GmbH who come into contact with your data as part of support services or securing our services have made a corresponding confidentiality agreement with COREDINATE GmbH.
COREDINATE GmbH processes the personal data included in the order processing contract for the purposes of quality assurance and for the development of new or further development of existing products.
With the consent of you, COREDINATE may, in accordance with Art. 6 para. 1 lit. a GDPR use and process the data for maintenance and optimization purposes.
COREDINATE processes your personal data as long as it is necessary for the fulfillment of the contractual and legal obligations or until you have deleted your account in the app.
At the end of the contractual relationship, all data associated with your company will be deleted within 30 days, unless otherwise requested e.g. to allow a subsequent continuation of the contract.
GPS position data and the login/logout protocol will be automatically deleted after 30 days to protect the person concerned.
The data stored locally on the device is completely removed from the device when the COREDINATE app is uninstalled.
You can revoke your consent at any time with effect for the future.
Please contact your employer or send us an informal e-mail at privacy@coredinate.de.
Please note that a complete deletion of all data associated with your account is only possible if there are no contractual relationships between you or your company and COREDINATE GmbH and COREDINATE GmbH can not make any claims against you or your company.
The app is installed locally on the user's device, but the data is hosted on servers owned by a service provider.
Our service provider is:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
The servers automatically collect and store information in so-called server log files, which are automatically transmitted through the use of the app. The stored information is:
· The browser type used and the browser version
· The operating system
· Date and time of the server request
· The number of visits
· The length of stay on the website
· The previously visited website
· The IP address (will be anonymized before it is saved)
There is no merge of this data with other data sources. The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the technically error-free presentation and the optimization of the app - for this the server log files must be recorded.
We have concluded a contract processing contract with the relevant service provider by obliging the respective service provider to protect user data and not to disclose it to third parties.
Your data will be processed and stored exclusively on servers in Germany. The data are subject to the privacy regulations of the Federal Republic of Germany. The transmission of the data is encrypted.
More information about our provider's privacy policy can be found here.
We use the Internet Storage Service S3 of Amazon Web Service Inc., 410 Terry Avenue North, Seattle WA 98109, USA (hereafter referred to as Amazon S3). We use Amazon S3 through an interface (API) to store and retrieve data.
It can be personal data stored in server log files and evaluated, especially the activity of the user (e.g. which pages have been visited) and device and browser information (e.g. the IP address and the operating system).
Data can be transferred to Amazon servers in the USA. Amazon has submitted to the Privacy Shield Agreement between the European Union and the United States and certified. As a result, Amazon agrees to comply with the standards and regulations of European data protection law. You can find further information in the following linked entry:
https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active
For more information about collecting and storing data through Amazon S3, please visit: https://aws.amazon.com/de/privacy/
We use Amazon S3 to store data and make it accessible to users on the Internet, anytime, anywhere.
The legal basis lies in our legitimate interests in a safe and efficient provision of images e.g. for incidents and user profiles and the optimization of our app gem. Art. 6 para. 1 lit. f. GDPR in c. w. Art. 28 GDPR.
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Statement or as required by law.
The users have the option of an objection and request the deletion of their personal data by e-mail. Please send an e-mail to: privacy@coredinate.de
For more information about Amazon's opposition and removal options, see:
https://aws.amazon.com/de/privacy/
We use features of HubSpot Inc., 2nd Floor, 25 First Street, Cambridge, MA 02141, USA (hereafter: HubSpot). This is an integrated software solution that covers various aspects of our online marketing. These include: email marketing (newsletters and automated mailings, for example, to provide downloads), social media publishing & reporting, reporting (especially traffic sources, traffic, etc. ...), contact management (especially user segmentation & CRM), Landing pages, contact forms and chats. HubSpot sets a cookie on your computer. It can be stored and evaluated personal data, especially the activity of the user (in particular which pages have been visited and which elements have been clicked), device and browser information (in particular the IP address and the operating system). The data can be transmitted to Hubspot servers in the USA. HubSpot has submitted to the Privacy Shield Agreement between the European Union and the United States and is certified. As a result, HubSpot is committed to complying with the standards and regulations of European data protection law.
https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active
For more information about HubSpot's collection and storage, please visit:
https://legal.hubspot.com/de/privacy-policy
Using the HubSpot plug-in is only for the purpose of optimizing our support (Chat) and to implement customer satisfaction surveys.
The legal basis for data processing is Art. 6 (1) S.1 lit. f GDPR. Our legitimate interest lies in the purposes of the data processing mentioned under 2. above.
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Statement or as required by law, e.g. for tax and accounting purposes.
You can prevent HubSpot from collecting and processing your personal information by stopping the storage of third-party cookies on your computer, using the "Do Not Track" feature of a supporting browser, disabling the execution of script code in your browser or install a script blocker such as NoScript ((https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
For more information on appeal and removal options over HubSpot, see:
https://legal.hubspot.com/de/privacy-policy
We use the online map service Google Maps of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, and the representative in the Union Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (Hereinafter referred to as Google), We use the Google Maps plugin to visualize geographic data and embed it on our online presence. By using Google Maps on our online presence, information about the use of our online presence, your IP address and addresses entered during the route plan function will be transmitted to a Google server in the USA and stored there. Google has submitted to the Privacy Shield Agreement between the European Union and the United States and certified. As a result, Google agrees to comply with the standards and regulations of European data protection law. You can find further information in the following linked entry:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
For more information about Google's collection and storage of data, please visit:
https://policies.google.com/privacy?gl=DE&hl=de
The use of the Google Maps plug-in is intended to improve the user-friendliness and an appealing presentation of our online presence.
The legal basis for the processing is Art. 6 (1) S.1 lit. f GDPR. Our legitimate interest lies in the purposes of the data processing mentioned under 2. above.
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Statement or as required by law.
You can prevent the collection and processing of your personal data by Google by blocking the storage of third-party cookies on your computer, using the "Do Not Track" feature of a supporting browser, disabling the execution of script code in your browser or install a script blocker such as NoScript ((https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
Use the link below to opt-out of Google's use of your personal information:
For more information about disapproval and removal options with Google, see:
https://policies.google.com/privacy?gl=DE&hl=de
We use the open-source tracking tool Matomo (https://matomo.org/) to analyze the surfing behavior of our users. Matomo sets a cookie on your computer. Personal data can thereby be stored and evaluated, above all the activity of the user (in particular which pages have been visited and which elements have been clicked), device and browser information (in particular the IP address and the operating system).
The software is set so that the IP addresses are not completely stored, but are masked for anonymization 2 bytes of the IP address (example: 192.168.xxx.xxx). In this way, an assignment of the shortened IP address to the calling computer is no longer possible. The data is stored in our MySQL database, logs or report data are not sent to Matomo servers.
For more information on how Matomo collects and stores data, please visit:
https://matomo.org/privacy-policy/
The processing of users' personal data enables us to analyze the surfing behavior of our users. By analyzing the obtained data, we are able to compile information about the use of the individual components of our online presence. This helps us to constantly improve our online presence and its user-friendliness.
For these purposes, our legitimate interest lies in the processing of data according to Art. 6 para. 1 lit. f GDPR. By anonymizing the IP address, the interest of the users in the protection of their personal data is sufficiently taken into account.
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Statement or as required by law, eg for tax and accounting purposes.
You can prevent Matomo from collecting or processing your personal information by blocking the storage of third-party cookies on your computer, using the "Do Not Track" feature of a supporting browser, disabling the execution of script code in your browser or install a script blocker such as NoScript ((https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
Use the link below to disable Matomo's processing of your personal information:
https://matomo.org/privacy-policy/
For more information on appeal and removal options for Matomo see:
https://matomo.org/privacy-policy/
We use Google Webfonts from Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, and the Union Representative Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereafter referred to as Google). The Webfonts are transferred when the page is called into the cache of the browser in order to use them for the visually improved display of various information. If the browser does not support Google Webfonts or prohibits access, the text will be displayed in a standard font. When the page is accessed, no cookies are stored at the visitor. Data submitted in connection with the pageview will be based on resource-specific domains such https://fonts.googleapis.com or https://fonts.gstatic.com. It can be stored and evaluated personal data, especially the activity of the user (in particular, which pages have been visited and which elements has been clicked) and device and browser information (in particular the IP address and the operating system).
Data can be transferred to Google servers in the USA. Google has submitted to the Privacy Shield Agreement between the European Union and the United States and certified. As a result, Google agrees to comply with the standards and regulations of European data protection law. You can find further information in the following linked entry:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
The data will not be associated with any data collected or used in connection with the parallel use of authenticated Google services such as Gmail.
For more information about Google's collection and storage of data, please visit:
https://policies.google.com/privacy?gl=DE&hl=de
The use of Google Webfonts is an appealing presentation of our texts. If your browser does not support this feature, a default font will be used by your computer for viewing.
The legal basis for data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the purposes of the data processing mentioned under 2. above.
Your personal information will be stored for as long as necessary to fulfill the purposes described in this Privacy Statement or as required by law, e.g. for tax and accounting purposes.
You can prevent the collection and processing of your personal data by Google by blocking the storage of third-party cookies on your computer, using the "Do Not Track" feature of a supporting browser, disabling the execution of script code in your browser or install a script blocker such as NoScript ((https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
Use the link below to opt-out of Google's use of your personal information:
For more information about disapproval and removal options with Google, see:
https://policies.google.com/privacy?gl=DE&hl=de
You can use backup services to back up settings and data from apps on your device. Secured information is transferred to servers of the backup service used and stored there and can thus be restored to the original device or another device. The extent of the data collection depends on the backup service used, but in particular it can handle settings and data of apps, the username, the email address, the customer number of your account, the time of the backup and the individual device code. The processing of this data is done exclusively by the provider of the used backup service and is beyond our control.
If personal data is processed by you, you are the person concerned within the meaning of the GDPR and you have the following rights towards the responsible person:
You may ask COREDINATE as the person responsible for confirming that personal data concerning you is being processed by COREDINATE.
If such processing is available, you can request information from the person responsible about the following information:
· The purposes for which the personal data are processed;
· The categories of personal data that are processed;
· The beneficiaries or categories of beneficiaries to whom the personal data relating to you have been disclosed will still be disclosed;
· The planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
· The right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
· The existence of a right of appeal to a supervisory authority;
· All available information on the origin of the data if the personal data are not collected from the data subject;
· The existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
You have the right to request information about whether the personal data relating to you are transferred to a third country or an international organization. In this regard, you can request the appropriate warranties in accordance with. Art. 46 GDPR to be informed in connection with the transfer.
You have a right to rectification and / or completion to the controller, if the personal data you process is incorrect or incomplete. The person in charge must make the correction without delay.
You may request the restriction of the processing of your personal data under the following conditions:
· If you deny the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
· The processing is unlawful and you reject the deletion of personal data and instead request the restriction of the use of personal data;
· The person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims; or
· If you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest Union or a Member State.
If processing has been restricted in accordance with the above conditions, the person responsible will inform you before the restriction is lifted.
You may require the controller to delete your personal information without delay, and the controller is required to delete that information immediately if one of the following is true:
· The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
· You revoke your consent, to which the processing acc. Art. 6 para. 1 sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
· You place acc. Art. 21 para. 1 GDPR objection to the processing and there are no prior justifiable reasons for the processing, or you lay gem. Art. 21 para. 2 GDPR objection to the processing.
· Your personal data has been processed unlawfully.
· The deletion of personal data concerning you is required to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
· The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
If the person in charge has made the personal data relating to you public and is in accordance with. Article 17 (1) of the GDPR, it shall take appropriate measures, including technical ones, to inform data controllers who process the personal data that you have been identified as being affected, taking into account available technology and implementation costs, that you requested to delete all links to such personal data or to make copies or replicas of such personal data.
The right to erasure does not exist if the processing is necessary
· To exercise the right to freedom of expression and information;
· To fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of public authority delegated to the controller;
· For reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
· For archival purposes of public interest, scientific or historical research purposes or for statistical purposes acc. Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
· To assert, exercise or defend legal claims.
If you have the right of rectification, erasure or restriction of processing to the controller, he / she is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless: this proves to be impossible or involves a disproportionate effort.
You have the right to be informed about these recipients.
You have the right to receive personally identifiable information you provide to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the person responsible for providing the personal data, provided that
· The processing on a consent acc. Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract acc. Art. 6 para. 1 sentence 1 lit. b GDPR is based and
· The processing is done using automated procedures.
In exercising this right, you also have the right to obtain that your personal data relating to you are transmitted directly from one person responsible to another person responsible, as far as this is technically feasible. Freedoms and rights of other persons may not be affected.
You have the right at any time, for reasons arising from your particular situation, to object against the processing of your personal data, which, pursuant to Art. 6 para. 1 sentence 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.
If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
Regardless of Directive 2002/58 / EC, you have the option, in the context of the use of information society services, of exercising your right to opt-out by means of automated procedures that use technical specifications.
You have the right to revoke your consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
You have the right not to be subjected to a decision based solely on automated processing - including profiling - that will have legal effect or similarly affect you in a similar manner. This does not apply if the decision to conclude or to execute a contract between you and the controller is required by Union or Member State legislation to which the controller is subject, and that legislation is adequate to safeguard your rights and freedoms as well as your legitimate interests or with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in paragraphs 1 and 3 above, the person responsible shall take reasonable steps to uphold the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person by the controller, to express his or her own position and to challenge it heard of the decision.
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of its place of residence, employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you is against the GDPR violates.
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.