The controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the EU member states and other data protection regulations is:

XignSys GmbH 
Neidenburger Str. 43 
45897 Gelsenkirchen
Germany
 
Ust.-ID DE 308 760 457 
Managing Director: Markus Hertlein, Pascal Manaras

The protection of your personal data is one of the declared goals of XignSys GmbH. Therefore we comply with the relevant data protection laws and would like to inform you comprehensively about the handling and processing of your data by the following data protection information.

Personal data is any information relating to an identified or identifiable natural person. This includes information such as name, address, telephone number, e-mail address. The processing of this information is always in accordance with the requirements of the GDPR as well as with other data protection regulations applicable to XignSys GmbH.

In principle, it is not necessary for you to disclose personal data in order to use our website. In certain cases, personal data may be processed, for example to provide a requested service or in our legitimate interest.

The same applies, for example, to sending information material or answering individual questions. Where this is necessary, we will point this out to you.

If there is no legal basis for the processing of your personal data, we will obtain the appropriate consent from you.

Furthermore, we only save and process data that we automatically collect when you visit our website (e.g. your IP address, data and time of access, search engine used).

If you have given us your consent to process your personal data for a specific purpose, the processing will be carried out on the basis of Art. 6 para. 1 a GDPR. If such processing is necessary to fulfil a contract with you or to initiate such a contract, the processing is based on Art. 6 para. 1 b DSGVO. In some cases, e.g. to fulfil tax obligations, we may be subject to a legal obligation to process personal data. The legal basis for this in such cases is Art. 6 para. 1 c GDPR. In rare cases, processing may also take place to protect vital interests of you or another natural person. In this exceptional case, processing is carried out on the basis of Art. 6 para. 1 d GDPR. Finally, processing may also be based on Art. 6 para. 1 f DSGVO. This is the case if the processing is carried out to protect a legitimate interest for our company or a third party, provided that your interests, fundamental rights and freedoms do not prevail. Such a legitimate interest can already be assumed if you are one of our customers. If the processing of personal data is based on Art. 6 para. 1 f GDPR, our legitimate interest is the performance of our business activities.

As the controller for processing, XignSys GmbH has taken technical and organizational security measures to protect your personal data from loss, destruction, manipulation and unauthorized disclosure. All our employees and all persons involved in data processing are obliged to comply with the general data protection regulation and other laws relevant to data protection and to handle personal data confidentially.

In the case of the collection and processing of personal data, the information is stored and transmitted in encrypted form to prevent misuse of the data by third parties. Our security measures are continuously revised in accordance with technical developments.

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data, this will only take place on the basis of a legal authorization (e.g. if a transfer of the data to third parties, such as payment service providers, is required in accordance with Art. 6 para. 1 lit. b GDPR for the performance of the contract), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called 'order processing agreement', this is done on the basis of Art. 28 GDPR.

The website of XignSys GmbH is hosted by an external service provider (Hoster). The personal data collected on this website is stored on the servers of the hoster. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated by the website. The use of the hoster is for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfill its performance obligations and will follow our instructions with regard to this data.

In order to guarantee data protection compliant processing, we have concluded a contract for order processing with our hoster.

Hoster: 
1&1 Telecommunication SE 
Elgendorfer Str. 57 
56410 Montabaur
Germany
+49 (0) 721 96 00 
info@1und1.de

In order to provide our authentication services, it is necessary to host our products and the associated infrastructure via external service providers, especially external cloud providers.

Our cooperation partners process personal data exclusively on behalf of XignSys GmbH and based on order data processing agreements. Any use beyond this, especially for purposes of advertising or market research, does not occur.

When selecting our service providers, we always ensure that the processing takes place in secure data centers in Germany or the EU. The requirements of our cooperation partners are also considered.

Within the scope of the authentication services offered by XignSys GmbH, by the App Servicekonto.Pass, it is necessary to collect, process or use personal data. This data can include, depending on the procedure agreed upon with the cooperation partner, the following data:

• Name
• First name(s)
• E-mail address
• Street
• House number
• Zip code
• Place
• Place of birth
• Date of birth
• User ID

The type and scope of the respective processing or use of personal data depends on the relevant legal regulations and the contractual agreements with our cooperation partners regarding our authentication services. XignSys GmbH acts as an order data processor according to Art. 28 lit. f GDPR.

XignSys GmbH processes and uses your personal data exclusively for the purpose agreed upon with the cooperation partners, as far as this is necessary for the legally compliant provision of our authentication service and for compliance with security standards.

XignSys GmbH does not directly collect personal data for the provision of its authentication services. It receives the data within the scope of data processing contracts with its cooperation partners. Any use beyond this, especially for purposes of advertising or market research, does not occur.

By agreeing to this privacy policy, the user declares his consent to the collection, use and disclosure of the required identity attributes within the scope of the authentication.

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data in a third country if the special requirements of Art. 44 ff. GDPR are fulfilled. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU or compliance with officially recognized special contractual obligations (so-called 'standard contractual clauses').

To exercise any of the rights mentioned below, you may contact our data protection officer or any other employee directly.
E-Mail: datenschutz@xignsys.com

You have the following rights with respect to the personal data concerning you:

• Right to information (Art. 15 GDPR),
• Right of correction or deletion (Art. 16 and 17 GDPR),
• Right to limit processing (Art. 18 GDPR),
• Right to withdraw your consent (Art. 7 GDPR),
• Right to data transferability (Art. 20 GDPR), and
• Right of objection within the framework of the legal requirements (Art. 21 GDPR).

You have the right to revoke any consent given to us at any time, with effect for the future. We will no longer carry out the processing based on this consent in the future.
Should the data processing by us be based on a legitimate interest, you have the right to object to the processing of your data at any time for reasons arising from your particular life situation.

To make use of your right of revocation and objection, please send us an informal notification.

We process personal data of affected persons only if it is necessary to achieve the underlying purpose or as long as it is required by legal regulations to which XignSys GmbH is subject. If the purpose of storage ceases to apply or if a legal storage period provides for this, personal data will be deleted in accordance with the legal regulations, unless the XignSys GmbH is legally obliged to store this data. In these cases the data will be blocked.

XignSys GmbH is only liable for intent or gross negligence. We are not able to control or permanently observe the behavior of social networks (e.g. Facebook, XiNG, LinkedIn) or their providers.

Due to legal regulations, our website contains information that enables quick electronic contact with us and direct communication with us. This includes the indication of an e-mail address as well as a contact form if necessary.

If you contact us by e-mail or via a contact form, the personal data you provide will be stored automatically. This data, which you provide to us on a voluntary basis, is stored for the purpose of processing your request or contacting you. Your data will not be passed on to third parties.

We delete your requests and the associated personal data in accordance with our deletion concept.

In order to improve the stability and reliability of our apps, we rely on anonymized crash reports. For this purpose, we use 'Firebase Crashlytics', a service of Google Ireland Ltd, Google Building Gordon House, Barrow Street, Dublin 4, Ireland.

In case of a crash, anonymous information is transferred to Google's servers in the USA (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the cell phone, last log messages). This information does not contain any personal data.

Crash reports are sent only with your explicit consent. When using iOS apps, you can give consent in the app settings or after a crash. For Android apps, when setting up the mobile device, you have the option to generally consent to sending crash notifications to Google and app developers. The legal basis for the data transfer is Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time by deactivating the 'Crash reports' function in the settings of the iOS apps.

The Android apps can be deactivated in the Android settings. To do this, open the Settings app, select the 'Google' item and then the 'Usage & diagnostics' menu item in the three-point menu at the top right. Here you can deactivate the sending of the corresponding data. You can find more information in the help for your Google account.

For more information about privacy, please see Firebase Crashlytics' privacy policy at https://firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#data-collection-policies.

We reserve the right to adapt this data protection declaration so that it always meets the current legal requirements or to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration then applies to your renewed visit.

If you have any questions regarding data protection, simply send us an e-mail to the above address.

Status: January 2022