Data Protection Guideline


The controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the EU member states and other data protection regulations is: 
XignSys GmbH
Bochumer Straße 110
45886 Gelsenkirchen

VAT ID: DE 308 760 457
Managing Directors: Markus Hertlein, Pascal Manaras

The protection of your data is our concern

The protection of your personal data is one of the declared goals of XignSys GmbH. Therefore we comply with the relevant data protection laws and would like to inform you comprehensively about the handling and processing of your data by the following data protection information.

1. Personal data

Personal data is any information relating to an identified or identifiable natural person. This includes information such as name, address, telephone number, e-mail address. The processing of this information is always in accordance with the requirements of the GDPR as well as with other data protection regulations applicable to XignSys GmbH.
In principle, it is not necessary for you to disclose personal data in order to use our website. In certain cases, personal data may be processed, for example to provide a requested service or in our legitimate interest.
The same applies, for example, to sending information material or answering individual questions. Where this is necessary, we will point this out to you.
If there is no legal basis for the processing of your personal data, we will obtain the appropriate consent from you.
Furthermore, we only save and process data that we automatically collect when you visit our website (e.g. your IP address, date and time of access, search engine used).

2. Legal basis of the processing

If you have given us your consent to process your personal data for a specific purpose, the processing will be carried out on the basis of Art. 6 para. 1 a GDPR. If such processing is necessary to fulfil a contract with you or to initiate such a contract, the processing is based on Art. 6 para. 1 b GDPR. In some cases, e.g. to fulfil tax obligations, we may be subject to a legal obligation to process personal data. The legal basis for this in such cases is Art. 6 para. 1 c GDPR. In rare cases, processing may also take place to protect vital interests of you or another natural person. In this exceptional case, processing is carried out on the basis of Art. 6 para. 1 d GDPR. Finally, processing may also be based on Art. 6 para. 1 f GDPR. This is the case if the processing is carried out to protect a legitimate interest for our company or a third party, provided that your interests, fundamental rights and freedoms do not prevail. Such a legitimate interest can already be assumed if you are one of our customers. If the processing of personal data is based on Art. 6 para. 1 f GDPR, our legitimate interest is the performance of our business activities.

3. Security measures

As the controller for processing, XignSys GmbH has taken technical and organizational security measures to protect your personal data from loss, destruction, manipulation and unauthorized disclosure. All our employees and all persons involved in data processing are obliged to comply with the General Data Protection Regulation and other laws relevant to data protection and to handle personal data confidentially.
In the case of the collection and processing of personal data, the information is stored and transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in accordance with technical developments.

To secure our technology, XignSys GmbH logs events and information triggered by user actions, such as error messages, authentication attempts, deletion actions, and the like. These are then processed in an internal log management system (ELK Stack). This is done within the framework of Art. 13 GDPR, on the basis of our legitimate interest and the measures required by the GDPR to demonstrate compliance and maintain security (Recitals 82 and 83 GDPR). No statistical, personal information is collected here for the purposes of advertising or market research. By agreeing to this privacy policy, the user declares his consent to the collection, use and disclosure of the required attributes: Name, first name, street, house number, postal code, city, place of birth, date of birth, email address, account ID.

4. Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data, this will only take place on the basis of a legal authorization (e.g. if a transfer of the data to third parties, such as payment service providers, is required in accordance with Art. 6 para. 1 lit. b GDPR for the performance of the contract), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). 
If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.

5. External hosting of the website

The website of XignSys GmbH is hosted by an external service provider (Hoster). The personal data collected on this website is stored on the servers of the hoster. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated by the website. The use of the hoster is for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its performance obligations and will follow our instructions with regard to this data.
In order to guarantee data protection compliant processing, we have concluded a contract for order processing with our hoster.

1&1 Telecommunication SE
Elgendorfer Str. 57
56410 Montabaur
+49 (0) 721 96 00

6. No transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data in a third country if the special requirements of Art. 44 ff. GDPR are fulfilled. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

7. Rights of the data subjects

To exercise any of the rights mentioned below, you may contact our data protection officer or any other employee directly.


You have the following rights with respect to the personal data concerning you:

  • Right to information (Art. 15 GDPR),
  • Right of correction or deletion (Art. 16 and 17 GDPR),
  • Right to limit processing (Art. 18 GDPR),
  • Right to withdraw your consent (Art. 7 GDPR),
  • Right to data transferability (Art. 20 GDPR), and
  • Right of objection within the framework of the legal requirements (Art. 21 GDPR).

8. Right of withdrawal and objection

You have the right to revoke any consent given to us at any time, with effect for the future. We will no longer carry out the processing based on this consent in the future.

Should the data processing by us be based on a legitimate interest, you have the right to object to the processing of your data at any time for reasons arising from your particular life situation.

To make use of your right of revocation and objection, please send us an informal notification.

9. Deletion of data

We process personal data of affected persons only if it is necessary to achieve the underlying purpose or as long as it is required by legal regulations to which XignSys GmbH is subject. If the purpose of storage ceases to apply or if a legal storage period provides for this, personal data will be deleted in accordance with the legal regulations, unless XignSys GmbH is legally obliged to store this data. In these cases the data will be blocked.

10. Social networks

XignSys GmbH is only liable for intent or gross negligence. We are not able to control or permanently observe the behavior of social networks (e.g. Facebook, XING, LinkedIn) or their providers.

11. Making contact

Due to legal regulations, our website contains information that enables quick electronic contact with us and direct communication with us. This includes the indication of an e-mail address as well as a contact form if necessary.

If you contact us by e-mail or via a contact form, the personal data you provide will be stored automatically. This data, which you provide to us on a voluntary basis, is stored for the purpose of processing your request or contacting you. Your data will not be passed on to third parties.

We delete your requests and the associated personal data in accordance with our deletion concept.

12. Cookiebot

We use the consent management service Cookiebot, of Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (Cybot). This allows us to obtain and manage the consent of website users for data processing. The processing is necessary for compliance with a legal obligation (Art. 7(1) GDPR) to which we are subject (Art. 6(1) p. 1 lit. c GDPR). For this purpose, the following data is processed with the help of cookies:

  • The IP address of the website visitor (the last three digits are set to '0')
  • Date and time of consent
  • Browser information
  • An anonymous, random and encrypted key
  • The consent status of the end user

The key and consent status are stored in the browser for 12 months using the "CookieConsent" cookie. This preserves your cookie preference for subsequent page requests. With the help of the key, your consent can be proven and tracked.

If you enable the "Collective Consent" service feature to enable consent for multiple web pages through a single end-user consent, the service will also store a separate, random, unique ID with your consent. If all of the following criteria are met, this key is stored in the third-party cookie "CookieConsentBulkTicket" in your browser in encrypted form:

  • You enable the collective consent feature in the service configuration.
  • You allow third-party cookies via browser settings.
  • You have disabled "Do not track" via browser settings.
  • You accept all or at least certain types of cookies when you give consent.

The functionality of the website is not guaranteed without the processing.

Cybot is a recipient of your personal data and acts as a processor for us.

The processing takes place in the European Union. You can find more information about objection and removal options vis-à-vis Cybot at:

13. Matomo

This website uses Matomo, an open source, self-hosted software to analyze anonymous user data generated by the use of this website.

Scope of processing:

Data on visitors' behavior is collected in order to detect any problems such as pages not found, search engine problems or unpopular pages. Once this data has been processed, Matomo generates reports that allow the website operator to take appropriate measures to improve the website.

During your website visit, the following data is collected, among others:

  • IP address (anonymized)
  • User-defined variables
  • User location (anonymized)
  • Form interactions
  • Media interaction

Basis of processing:

The processing of personal data using Matomo is based on our legitimate interest, Art. 6 (1) lit. f GDPR.

The processing of your personal data helps us to identify what works on our website and what does not. For example, we can determine whether the way we communicate is appealing or not, and how we can better design the structure of the website. Our team benefits from processing your personal data. By processing your personal data, we can continuously improve our website for you.

Without the data, we would not be able to provide you with the service we currently offer. Your data will only be used to improve the user experience on our website and to help you find the information you are looking for.


The recipient of the data is the marketing department of XignSys GmbH.

Transfer to third countries and storage period:

A transfer of data to third countries is practically excluded due to the hosting of Matomo on European servers.

We store the personal data collected by Matomo for a period of 180 days.

14. Google reCAPTCHA

We use Google reCAPTCHA on our websites. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

The purpose of reCAPTCHA is to verify whether data entry on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The data processing is based on our legitimate interest, Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting our website from abusive automated spying and from SPAM.

For more information about Google reCAPTCHA and Google's privacy policy, please see the following links: and

15. Adobe TypeKit Fonts

For the uniform display of fonts, we use so-called web fonts, which are provided by Adobe. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. For this purpose, the browser you use must connect to the Adobe servers. This enables Adobe to know that our website was accessed via your IP address. The use of Adobe TypeKit fonts is in the interest of a uniform and appealing presentation of our online offers. The legal basis is Art. 6 para. 1 lit. f GDPR.

The use of Adobe TypeKit fonts does not exclude the possibility of data transfer to the USA. The providers of these services are:

  • Adobe Systems Incorporated: 345 Park Avenue, San Jose, California 95110-2704, USA
  • Adobe Systems Software Ireland Limited: 4-6 Riverwalk, City West Business Campus, Saggart, Dublin 24, Ireland

With regard to the use of Adobe TypeKit fonts, an adequate level of data protection is guaranteed by Adobe Inc. and the measures taken by Adobe on data protection and data security in the EU. Please also see the following information on Adobe TypeKit Fonts.

For more information about Adobe TypeKit Fonts, please see Adobe's privacy policy:

You can set your browser so that the fonts are not loaded from the Adobe servers (e.g. by installing add-ons like Ghostery). If your browser does not support the Adobe fonts or if you prevent access to the Adobe servers, the text will be displayed in the default font of the system.

16. Changes of our data protection regulations

We reserve the right to adapt this data protection declaration so that it always meets the current legal requirements or to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration then applies to your renewed visit.

If you have any questions regarding data protection, simply send us an e-mail to the above address.



XignIn technology:

In order to provide our Xign.Me service and other services based on XignIn technology, it may be necessary to process further personal data. Therefore, the following points apply in addition to the privacy policy above:

1. External hosting of the XignIn technology

In order to provide our authentication services, it is necessary to host our products and the associated infrastructure via external service providers, especially external cloud providers.

Our cooperation partners process personal data exclusively on behalf of XignSys GmbH and based on order data processing agreements. Any use beyond this, especially for purposes of advertising or market research, does not occur.

When selecting our service providers, we always ensure that the processing takes place in secure data centers in Germany or the EU. The requirements of our cooperation partners are also considered.

2. Authentication via XignIn technology

Within the scope of the authentication services offered by XignSys GmbH, through the app Xign.Me and other services based on XignIn technology, it is necessary to collect, process or use personal data. This data can include, depending on the procedure agreed upon with the cooperation partner, the following data:

  • Name
  • First name(s)
  • E-mail address
  • Street
  • House number
  • Zip code
  • Place
  • Place of birth
  • Date of birth
  • User ID
  • IP address

The type and scope of the respective processing or use of personal data depends on the relevant legal regulations and the contractual agreements with our cooperation partners regarding our authentication services. XignSys GmbH acts as an order data processor according to Art. 28 lit. f GDPR.

XignSys GmbH processes and uses your personal data exclusively for the purpose agreed upon with the cooperation partners, as far as this is necessary for the legally compliant provision of our authentication service and for compliance with security standards.

XignSys GmbH does not directly collect personal data for the provision of its authentication services. It receives the data within the scope of data processing contracts with its cooperation partners. Any use beyond this, especially for purposes of advertising or market research, does not occur.

By agreeing to this privacy policy, the user declares his consent to the collection, use and disclosure of the required identity attributes within the scope of the authentication.

3. Firebase Crashlytics

In order to improve the stability and reliability of our apps, we rely on anonymized crash reports. For this purpose, we use "Firebase Crashlytics", a service of Google Ireland Ltd, Google Building Gordon House, Barrow Street, Dublin 4, Ireland.

In case of a crash, anonymous information is transferred to Google's servers in the USA (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the cell phone, last log messages). This information does not contain any personal data.

Crash reports are sent only with your explicit consent. When using iOS apps, you can give consent in the app settings or after a crash. For Android apps, when setting up the mobile device, you have the option to generally consent to sending crash notifications to Google and app developers. The legal basis for the data transfer is Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time by deactivating the "Crash reports" function in the settings of the iOS apps.

The Android apps can be deactivated in the Android settings. To do this, open the Settings app, select the "Google" item and then the "Usage & diagnostics" menu item in the three-point menu at the top right. Here you can deactivate the sending of the corresponding data. You can find more information in the help for your Google account.

For more information about privacy, please see Firebase Crashlytics' privacy policy at and

4. Google Play Service MLKIT

For the use of the scan function we use a Software Development Kit (SDK). This is a collection of programming tools and program libraries for developing software. Specifically, we use the Google Play service "MLKIT" (Machine Learning Kit) from Google. Due to the specific nature of the implementation, no personal data is passed on to third parties.

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company:
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).
Data protection outside the EU/EEA
We have agreed to standard data protection clauses of the European Commission with Google.
Privacy policy of Google
For more information, please see Google's privacy policy:



Status: September 2023