Data protection provisions for the sproof sign web application

Updated on 2024-09-19

This privacy policy is only relevant for our web application sproof sign. The privacy policy for our webpage sproof.io can be found here.

1. Introduction

The protection of your personal data is of particular concern to us. Consequently, we treat your personal data in accordance with the applicable legal provisions for the protection, lawful handling and confidentiality of personal data, in particular in accordance with the Data Protection Act (hereinafter "DPA") and the General Data Protection Regulation (hereinafter "GDPR"). The following information explains how we process your personal data when you use our web application sproof sign (hereinafter "webapp"). This privacy policy applies to the sign.sproof.io web application. The sproof.io website is technically separate and there is no automated data exchange between the pages.

2. Name and contact details of the controller

sproof GmbH (hereinafter "sproof") is responsible for data processing.

sproof GmbH, Urstein Süd 19/2, A-5412 Puch bei Hallein, privacy@sproof.io

3. Data processing

When providing our services, in particular our website and the offers made available on our website, we process personal data of users of our website and of users who use our online offer. The specific data processing operations are described below:

3.1 Data processing website use

The following personal data is processed automatically when you visit our website:

  • Log data;
  • IP address;
  • Type and version of your web browser;
  • Data about your end device (device ID);
  • Date and time of accessing our website or sub-pages;
  • Website from which you access our website (referrer URL).

The processing serves to provide you with the offers on our website, to ensure the security of the IT infrastructure used, to carry out marketing and analyses for advertising purposes and to enable informational use of our website. The log data is generally stored for 30 days. In the event of a security-related incident, the data is stored until the incident is resolved. The legal basis for the processing of your personal data is our legitimate interest in accordance with Article 6(1)(f) GDPR. Our legitimate interest is to make our website user-friendly and to continuously improve it, to provide you with the content accessed, to ensure the security of our IT infrastructure (in particular to defend against attacks, detect, eliminate and document malfunctions) and to manage the cookie consents granted. The provision of your data is not mandatory; however, without the provision it is not possible for us to provide you with the content accessed. You can find more information on cookies under point 3.5.

3.2 Data processing web app account and use

We process the following personal data when you create and use an account as a customer or use the web app for sending or signing:

  • Name data;
  • Date of birth (only for identification for a qualified electronic signature);
  • E-mail data;
  • Cell phone number (only when using an SMS-TAN);
  • Address data;
  • Contact data (e-mail address, telephone number);
  • Company data;
  • Additional uploaded data (documents, images);
  • Signatures/signatures;
  • Time stamps;
  • IP address;
  • Log data.

The data is forwarded to our IT service provider (processor), which is based in the EU. If a customer invites other people to sign, it is necessary to enter the name and email address of the invitee. Alternatively, registration for the web app can take place via existing accounts with Google, Facebook, LinkedIn, Windows Live, Advokat or, under certain circumstances, via single sign-on after integration via sproof.

The following data categories are processed:

  • Name data;
  • E-mail data;
  • Profile pictures (from the relevant account).

The personal data is generally processed by us for the duration of the business relationship and in accordance with the legal requirements (retention obligations). The legal basis for the processing of your personal data is consent pursuant to Article 6(1)(a) GDPR, the fulfilment of pre-contractual and contractual obligations pursuant to Article 6(1)(b) GDPR and the fulfilment of legal obligations pursuant to Article 6(1)(c) GDPR (to comply with legal retention obligations). The provision and processing of your data is necessary to provide you with the service of our web app.

3.3 Data processing by trust service providers

We process the following personal data if customers wish to sign with a qualified signature using trust service providers (e.g. A-Trust, D-Trust, swisscom) or other providers that are necessary to provide the services of the trust service providers:

  • Name data;
  • Date of birth;
  • Contact details (e-mail address, telephone number);

The personal data will generally be processed by us for the duration of the business relationship and in accordance with the legal requirements (retention obligations). The legal basis for the processing of your personal data is consent pursuant to Article 6(1)(a) GDPR, the fulfillment of pre-contractual and contractual obligations pursuant to Article 6(1)(b) GDPR and the fulfillment of legal obligations pursuant to Article 6(1)(c) GDPR (to comply with legal retention obligations). The provision and processing of your data is necessary to provide you with the service of our web app.

3.4 Stripe data processing

We work with Stripe (Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland) as a payment service provider. Payment transactions on our web app are therefore processed via Stripe. The following personal data is processed by us in this context:

  • Name of the cardholder;
  • E-mail address;
  • Customer number;
  • Order number;
  • Bank details;
  • Credit card details;
  • Credit card expiry date;
  • Credit card verification number (CVC);
  • Date and time of the transaction;
  • Transaction amount;
  • Name of the provider;
  • Location.

The provision and processing of your data is necessary to provide you with the service of our web app, in particular payment transactions. Stripe assumes a dual role as controller and processor for data processing activities. As the controller, Stripe uses your transmitted data to fulfill regulatory obligations. This corresponds to Stripe's legitimate interest (pursuant to Art. 6 para. 1 lit. f GDPR) and serves the performance of the contract (pursuant to Art. 6 para. 1 lit. b GDPR). We have no influence on this process. Stripe acts as a processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively in accordance with our instructions and has been contractually obliged to comply with the data protection regulations within the meaning of Art. 28 GDPR. Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information on how to object to and opt-out from Stripe, please visit: Stripe Privacy Center

3.5 Data processing of social media plugins

We have not integrated any social media plugins on our web app. The social media buttons for the social networks (e.g. Instagram, Facebook, LinkedIn) have only been integrated on our web app with a link (reference link to the social networks). If you click on this link (button), you will be forwarded directly to the respective website. Please note the data protection declarations of the respective providers.

3.6 Data processing cookies

4. Sub-processors

4.1 Scaleway S.A.S

Name: Scaleway S.A.S
Address: 8 rue de la Ville l'Evêque, 75008 Paris, France
Name, function and contact details of the contact person:

  • Scaleway's DPO: dpo@iliad.fr.
  • Scaleway's Privacy Team: privacy@scaleway.com
  • Notification of a data breach: security@scaleway.com

Object of processing: Data center, i.e. the provision of infrastructure. The data is processed and stored there.
Type of processing: See above for categories (i) to (vi)
Duration of processing: See above for categories (i) to (vi)

4.2 Swisscom (Switzerland) Ltd

Name: Swisscom (Switzerland) Ltd
Address: Alte Tiefenaustrasse 6, 3050 Bern, Switzerland
Name, function and contact details of the contact person:

  • Email: datenschutz@swisscom.com
  • Post: Swisscom (Switzerland) Ltd, Dr Nicolas Passadelis, LL.M., Data Protection Officer Swisscom Ltd and Swisscom (Switzerland) Ltd, P.O. Box, 3050 Bern

Object of processing: Creation and generation of qualified electronic signatures
Type of processing: See above for categories (i), (ii), (iii) and (v)
Duration of processing: See above for categories (i), (ii), (iii) and (v)

4.3 Sendinblue GmbH

Name: Sendinblue GmbH
Address: Köpenicker Straße 126, 10179 Berlin, Germany
Name, function and contact details of the contact person: datenschutz@sendinblue.com
Purpose of processing: Mail server, i.e. sending emails for invitations to digitally sign a document, other transactional emails such as reminders, setting passwords, etc. or information about our services.
Type of processing: See above for category (ii)
Duration of processing: See above for category (ii)

4.4 OVH GmbH

Name: OVH GmbH
Address: Christophstraße 19, 50670 Cologne, Germany
Name, function and contact details of the contact person: kundendienst@ovh.de
Purpose of processing: Data center, i.e. the provision of infrastructure. The data is processed and stored there.
Type of processing: See above for categories (i) to (vi)
Duration of processing: See above for categories (i) to (vi)

4. Automated decision making / profiling

No automated decision making, including profiling, takes place.

5. Your rights as a data subject

We would also like to draw your attention to the following rights to which you are entitled as a data subject:

  • Right to obtain access from the controller to personal data concerning you in accordance with Article 15 GDPR
  • Right to rectification in accordance with Article 16 GDPR
  • Right to erasure in accordance with Article 17 GDPR
  • Right to restriction of processing pursuant to Article 18 GDPR
  • Right to data portability pursuant to Article 20 GDPR
  • Right to object to processing pursuant to Article 21 GDPR
  • Right to withdraw consent in accordance with Article 7 (3) GDPR

Furthermore, you also have the right to lodge a complaint with the competent supervisory authority (in Austria, the data protection authority based in Vienna). In this regard, we refer you to the website of the Austrian Data Protection Authority available at www.dsb.gv.at. However, you can also contact us directly at the e-mail address privacy@sproof.io if you have any complaints.

6. Status

An update of this privacy policy may be necessary due to technical developments and new legal requirements. We will inform you in advance in this regard.
