Privacy policy

Last status: 24.09.2022

1. Introduction

The protection of your personal data is of particular concern to us. Consequently, we treat your personal data in accordance with the applicable legal provisions on the protection, lawful handling and confidentiality of personal data, in particular in accordance with the Data Protection Act (hereinafter "DPA") and the General Data Protection Regulation (hereinafter "GDPR"). From the following information you can see how we process your personal data when you use our web application ( https://sign.sproof.io ) (hereinafter "webapp").
This privacy policy applies to the web application sign.sproof.io. The website sproof.io is technically separate and there is no automated data exchange between the pages.

2. Name and contact details of the responsible person

The sproof GmbH (hereinafter "sproof") is responsible for the data processing.

sproof GmbH
Schlossallee 7/1
A-5412 Puch near Hallein
privacy@sproof.io

3. Data processing

In the provision of our services, in particular our website and the offers made available on our website, we process personal data of users of our website as well as of users who use our online offer. The specific data processing operations are shown below:

3.1 Data processing website use

The following personal data is automatically processed when you visit our website:

• Log data;
• IP address;
• Type and version of your web browser;
• Data about your terminal device (device ID);
• Date and time of your visit to our website or sub-pages;
• Website from which you reach our website (referrer URL).
  The purpose of the processing is to provide you with the offers on our website, to ensure security for the IT infrastructure used, to carry out marketing and analyses for advertising purposes and to enable informational use of our website.
  The log data is generally stored for 30 days. In the event of a security-relevant event, the data is stored until the event is resolved.
  The legal basis for the processing of your personal data is our legitimate interest pursuant to Article 6 para 1 lit f DSGVO. Our legitimate interest is to design our website in a user-friendly manner and to continuously improve it, to provide you with the content you have accessed, to ensure the security of our IT infrastructure (in particular for the purpose of defending against attacks, detecting, eliminating and documenting malfunctions) and to manage the cookie consents granted.
  The provision of your data is not mandatory; however, without the provision it is not possible for us to provide you with the accessed content.
  You can find more details on cookies under point 3.5.

3.2 Data processing webapp account

The following personal data is processed by us when you create and use an account as a customer:

• Name data;
• Birth data (only in case of identification to a qualified electronic signature);
• e-mail data;
• address data;
• Contact data (e-mail address, telephone number);
• company data;
• additional uploaded data (documents, images);
• Signatures/Signatures;
• Timestamps;
• IP address;
• Log data.
  The data is passed on to our IT service provider (order processor), which is based in the EU. If a customer invites other persons to sign, this requires the entry of the name and email address of the invitee.
  A login to the webapp can alternatively be done via existing accounts with Google, Facebook, LinkedIn, Windows Live, Advokat or under certain circumstances by means of single sign-on after integration via sproof. The following categories of data are processed:
• Name data;
• E-mail data;
• Profile pictures (from the relevant account).
  The personal data will generally be processed by us for the duration of the business relationship and in accordance with the legal requirements (retention obligations). The legal basis for the processing of your personal data is consent pursuant to Article 6 para 1 lit a DSGVO, the fulfillment of pre-contractual and contractual obligations pursuant to Article 6 para 1 lit b DSGVO and the fulfillment of legal obligations pursuant to Article 6 para 1 lit c DSGVO (in order to comply with legal retention obligations).
  The provision and processing of your data is necessary to provide you with the service of our webapp.

3.3. Data processing trust service provider

The following personal data is processed by us if customers wish to sign with a qualified signature using trust service providers (e.g. A-Trust, D-Trust, swisscom) or other providers necessary to provide the services of the trust service providers:

• Name data;
• Dates of birth;
• Contact data (e-mail address, telephone number);
  The personal data will generally be processed by us for the duration of the business relationship and in accordance with the legal requirements (retention obligations). The legal basis for the processing of your personal data is consent pursuant to Article 6 para 1 lit a DSGVO, the fulfillment of pre-contractual and contractual obligations pursuant to Article 6 para 1 lit b DSGVO and the fulfillment of legal obligations pursuant to Article 6 para 1 lit c DSGVO (in order to comply with legal retention obligations).
  The provision and processing of your data is necessary to provide you with the service of our webapp.

3.4. Data processing Stripe

We work with Stripe (Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland) as a payment service provider. On our webapp, payment transactions are therefore processed via Stripe. The following personal data is processed by us in this context:

• Name of the cardholder;
• Email address;
• Customer number;
• Order number;
• Bank details;
• Credit card details;
• Credit card validity period;
• Credit card verification number (CVC);
• Date and time of the transaction;
• Transaction amount;
• Name of the provider;
• Location.
  The provision and processing of your data is necessary to provide you with the service of our webapp, in particular payment transactions.
  Stripe has a dual role as a data controller and processor in data processing activities. As a controller, Stripe uses your submitted data to comply with regulatory obligations. This is in accordance with Stripe's legitimate interest (pursuant to Art. 6 (1) lit. f DSGVO) and serves the performance of the contract (pursuant to Art. 6 (1) lit. b DSGVO). We have no influence on this process.
  Stripe acts as an order processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated within the meaning of Art. 28 DSGVO to comply with the provisions of data protection law.
  Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).
  For more information on opt-out and redress options against Stripe, please visit: https://stripe.com/privacy-center/legal

3.5. Data processing reCaptcha

We use Google reCaptcha (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) on our webapp. This is to ensure that no computer programs or bots use our webapp. Based on behavioral analysis (e.g. browser interaction of the user, mouse movements), probabilities are calculated whether it is a human or a machine; the so-called captcha score. The following personal data is processed by us in this context:

• IP address;
• Referrer URL;
• Information about the operating system;
• Cookies;
• Mouse movements and keyboard strokes;
• Time spent on the webapp;
• User device settings (e.g. language setting, location, browser).
  The legal basis for the processing of your personal data is our legitimate interest pursuant to Article 6 para 1 lit f DSGVO. Our legitimate interest is to make our website user-friendly and to protect it from inappropriate access or to maintain operability under data protection security.
  The processing of your data is necessary to provide you with the service of our webapp.
  For more information about reCaptcha, please visit: https://developers.google.com/recaptcha

3.6. Data processing social media plugins

We have not integrated any social media plugins on our webbapp. The social media buttons to the social networks (eg Instagram, Facebook, LinkedIn) have been integrated on our webapp only with a link (reference link to the social networks). Should you click on this link (button), you will be directly redirected to the respective website. Please note the privacy statements of the respective providers.

3.7 Data processing cookies

We use cookies on our website to provide our services. Cookies are small text files containing information that are stored on your terminal device when you visit our website.
For better use, it is advantageous to store cookies temporarily, which is why you will be asked for your consent when you first visit the website. However, you are not obliged to give this consent and you can also use the website without consent - albeit in a restricted manner under certain circumstances. Cookies that do not require your consent (so-called unconditional cookies), the purpose of which is to enable the transmission of a message via an electronic communications network, as well as cookies that are absolutely necessary to provide our services, are also processed by us without your consent.
A basic distinction must be made between the following types of cookies:

Consent-free and consent-requiring cookies.
Consent-free cookies are those cookies that we need to provide the applications and functions at all (so-called operationally necessary cookies). These cookies are generally only stored until you close your browser. All other cookies are cookies that require consent.

First- and Third-Party-Cookies
First-party cookies are cookies that are set and retrieved by us or our contracted processors. Third-party cookies are cookies that are set and retrieved by other controllers. Consequently, a distinction must be made here as to where a cookie originates.

Session and persistent cookies
Session cookies are cookies that are automatically deleted when you close the browser and persistent cookies are those cookies that remain stored on your computer/end device for a certain period of time after you close the browser.
We only use cookies that require consent if you have previously consented to their processing at our cookie notice (cookie banner). The cookie banner is displayed when you call up our website, you can select the desired cookies there and consent to the processing.

The following cookies are used on our website:

ph_opt_in_out_phc*
sproof GmbH
This cookie stores your consent for ph_phc*.
It expires after one week.
Optional

ph_phc_*
sproof Ltd.
This cookie records performance data and visitor behavior on the website.
It expires after one year.
Optional

connect.sid
sproof Ltd.
Used to manage HTTP sessions.
Essential

ingress-session
sproof GmbH
Used to manage sessions.
Essential

locale
sproof Ltd.
Saves the language setting.
Essential

mobile
sproof GmbH
Serves to optimize the display on mobile devices.

Essential
reCaptchaToken
Google, Inc.
Used to prevent automated access and for application security.
Essential

You can revoke the consent given to us for the use of cookies at any time without giving reasons here. However, we would like to point out that all processing/transfers carried out until the revocation remain lawful.

4. automated decision making / profiling.

No automated decision-making, including profiling, takes place.

5. your rights as a data subject.

We would also like to draw your attention to the following rights to which you are entitled as a data subject:

• Right of access by the controller to the personal data concerning you pursuant to Article 15 DSGVO.
• Right to rectification pursuant to Article 16 DSGVO
• Right to erasure pursuant to Article 17 DSGVO
• Right to restriction of processing pursuant to Article 18 DSGVO
• Right to data portability pursuant to Article 20 GDPR
• Right to object to processing pursuant to Article 21 GDPR
• Right to withdraw consent pursuant to Article 7(3) DSGVO

Furthermore, you also have the right to lodge a complaint with the competent supervisory authority (in Austria, the data protection authority based in Vienna). In this regard, we refer to the website of the Austrian data protection authority, which can be accessed via the link www.dsb.gv.at . However, if you have any complaints, you are also welcome to contact us directly at the e-mail address privacy@sproof.io .

6. Status

An update of this privacy policy may be necessary due to technical advancements and new legal requirements. We will inform you in this regard in advance. The German version alone shall be authoritative.