Effective date: November 17, 2022
Table of Contents
1. Introduction
2. Name and address of the controller
3. Contact details of the data protection officer
4. Data processed when you use Mapp Marketing Cloud
5. Data processed when you contact Mapp
6. Protection of personal data
7. Recipients of personal data
8. International processing of personal data
9. Deletion of personal data
10. Rights of data subject
11. Automated decision making
1. INTRODUCTION
With this notice, we would like to inform you about the types of personal data of our customers (hereinafter also referred to as “data” for short) that we process, for what purposes and to what extent in the context of providing the Mapp Marketing Cloud. This includes the data of registered users of the Mapp Marketing Cloud system for which Mapp remains the controller within the meaning of Art. 4 GDPR.
The notice does not cover the data that is processed by us as a processor in accordance with Art. 28 GDPR; for this data, the respective customers remain the controller within the meaning of Art. 4 GDPR; this means that the regulations of the contractual agreement (Data Processing Agreement) in place apply.
2. NAME AND ADDRESS OF THE CONTROLLER
Mapp Digital Germany GmbH
Sandstr. 3
80335 Munich
Germany
E-mail:
Website: https://mapp.com
3. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
E-mail:
4. DATA PROCESSED WHEN YOU USE MAPP CLOUD
Each time you access Mapp Marketing Cloud, our web servers automatically collect data from you. This includes Information about the browser type and the version used, the operating system of the user’s terminal device, the Internet Service Provider of the user, the IP address of the user, date and time of access, and the previous website from which the user accesses our website.
Additionally, essential cookies may be placed on your computer or device to allow our website to remember you during your visit, to ensure it is functioning properly, manage your session, to protect the confidentiality, integrity and availability of the website and your data, and for compliance purposes.
In order to log into Mapp Marketing Cloud, a user account must be created in the system, which usually includes your name and your company email address. All logins and actions of logged in users are logged for accountability and security reasons.
Processing this Information is necessary for Mapp to be able to run Mapp Marketing Cloud and to ensure its security in line with customer agreements and is therefore required for the “Performance of a Contract” in accordance with Art. 6.1 (b) and per our “Legitimate Interest” in accordance with Art. 6.1(f) of the GDPR.
The above-mentioned Information will be deleted as soon as it is no longer required for the purpose of its collection.
To better understand how you use our products, to ensure secure and stable operation, and to continuously improve our product offerings, we may use the following analytic tools within our product software based on this “Legitimate Interest” as per Art. 6.1(f):
Mapp Intelligence
We use our very own tool Mapp Intelligence on our website to create analyses of the use of our website to optimize our Mapp Marketing Cloud Services. Mapp Intelligence is operated by Mapp Digital c/o Webtrekk GmbH, Schönhauser Allee 148, 10435 Berlin, Germany and hosted in Germany.
Mapp Intelligence uses a script to load necessary cookies which are placed at your device unless you implemented controls to prevent this. This may include cookies for the following purposes, which are absolutely necessary in accordance with §25(2) No. 2 TTDSG:
- Session cookie for session recognition, lifetime: one session (simple flag with value “1”)
- Long-term cookie to recognize new/regular customers: 6 months
- Opt-out cookie in case of opposition to tracking, minimum lifetime: 60 months
The script then downloads a Tracking Pixel from a Mapp Intelligence server to the website. Each download of the Tracking Pixel involves a request of the client’s browser and contains the following data elements which are stored by us for 12 months:
- IP address – will be immediately anonymized and deleted
- Online Identifier
- Request (e.g. file name of the requested file)
- Browser type/version (e.g. Firefox 61.0)
- Browser language (e.g. German)
- Operating system used (e.g. Windows 10)
- Device type (e.g. iPhone)
- Internal resolution of the browser and window screen
- Referrer URL (the previously visited page)
- Time of access
You can stop the tracking at any time by using this opt-out link:
Gainsight
Gainsight (Aptrinsic) is a tool provided by Gainsight Inc, 655 Montgomery St, San Francisco, CA 94111, United States, which allows us to quantitatively analyze how you use our products and certain features (e.g. click path analysis, error tracking), and to allow you to provide valuable qualitative feedback which helps us to build the products you want. Therefore, Gainsight may set cookies which are absolutely necessary in accordance with §25(2) No. 2 TTDSG. The data collected will be linked to your account, i.e. your name and your email address as provided in the course of your account registration.
You can stop the tracking at any time by using this opt-out link:
5. DATA PROCESSED WHEN YOU CONTACT MAPP
If you contact us via contact form, support ticket or email, the Data you provide will be used to process your request. Your contact data may be transferred to our Support and CRM system. The Data you provide is necessary for processing and answering your enquiry – we cannot answer your enquiry without providing it, or we can only answer it to a limited extent.
Mapp has the “Legitimate Interest” as per Art. 6.1(f) of the GDPR to provide ways to be contacted and to process the Data transmitted in the course of sending a request. If the purpose of the request is to conclude a service contract or process a technical support request, the additional legal basis of the processing is “Performance of a Contract” in accordance with Art. 6.1(b) of the GDPR.
Data processed in this context will be deleted when no longer necessary to achieve the original purpose and defined retention periods expired.
6. PROTECTION OF PERSONAL DATA
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk. In doing so, we comply with the requirements of ISO 27001.
7. RECIPIENTS OF PERSONAL DATA
In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
We may transfer personal data to other entities within our organization or grant them access to such data. Where this transfer is for administrative purposes, the transfer of data is based on our legitimate business and operational interests or is made where it is necessary to fulfill our contract-related obligations or where we have the consent of the data subjects or legal permission.
8. INTERNATIONAL PROCESSING OF PERSONAL DATA
If we process data in a third country (i.e., outside the European Union (EU)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this is done only in accordance with the legal requirements.
Subject to express consent or contractually or legally required transfer, we process or have the data processed only in third countries with a recognized level of data protection, contractual obligation by so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations.
9. DELETION OF PERSONAL DATA
The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not required for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
Our data protection notices may also contain further details on the retention and deletion of data, which have priority for the respective processing operations.
10. RIGHTS OF DATA SUBJECT
The General Data Protection Regulation (GDPR) provides for extensive rights for data subjects in Chapter III, which we explain to you accordingly below with regard to the processing of your personal data:
Right to information
This requirement concerns in particular information on the following details of data processing:
- Processing purposes
- Data categories
- Recipients or categories of recipients, if applicable
- If applicable, the planned storage duration or the criteria for determining this duration.
- Note on the respective right of correction, deletion, restriction or objection
- Existence of the right to complain to a supervisory authority
- If applicable, origin of the data (if not collected from you)
- If applicable, existence of automated decision-making including profiling, including meaningful information about the logic involved, the scope and the effects to be expected
- If applicable, (planned) transfer to a third country or international organization
Right to rectification
We will correct any erroneous data immediately, provided that you inform us of the circumstance accordingly.
Right to erasure (right to be forgotten)
Provided that the processing is no longer necessary and one of the following conditions is met:
- Discontinuation of the purpose of processing
- Withdrawal of their consent and absence of any other legal basis for processing
- Objection to processing without an important reason to the contrary
- Unlawful processing
- Required to fulfill a legal obligation
- Data collection was carried out in accordance with Art. 8 (1) GDPR
Right to restriction of processing
Provided that one of the following conditions is met:
- You dispute the accuracy of your data (restriction can be made for the duration of the review on our side)
- In the event of unlawful processing and if the data is not to be deleted, restriction of processing shall take the place of deletion
- If the processing purposes cease to apply, at the same time you need your data for the assertion, exercise or defense of legal claims
- After you have lodged an objection pursuant to Art. 21 (1) GDPR and for the duration of the examination as to whether our legitimate reasons outweigh yours.
Right to data portability
If it is technically possible and does not affect the rights and freedoms of other persons, we will – at your request – transfer your data to another recipient (responsible party).
Right to object
If we collect or have collected and process personal data from you (on the basis of Art. 6 (1) e or f or Art. 9 (2) a GDPR), you have the right to object to the data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be ineffective, e.g. if we can demonstrate compelling interests worthy of protection for the processing that outweigh your interests or processing serves the assertion, exercise or defense of legal claims. If we process your personal data for the purpose of direct marketing, you have the right to object to such processing at any time. This also applies to profiling, insofar as it is related to such direct advertising. You also have the right to object to processing of your data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Automated decisions in individual cases including profiling
If we collect or have collected and process personal data from you, you have the right not to be subject to any decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. Exceptions to this requirement apply if the decision is necessary for the conclusion or performance of a contract between you and us or you have expressly consented to the processing. In any case, we will take reasonable steps to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person on our part, to express our own point of view and to contest the decision.
Right to revoke consent under data protection law
You have the right to revoke consent to the processing of personal data at any time.
Right to complain to a supervisory authority
A list of the supervisory authorities responsible in Germany can be found on the website of the Federal Commissioner for Data Protection or at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
11. AUTOMATED DECISION MAKING
We do not carry out automated decision-making using profiling methods.