Thank you for your interest in our service ListaFlow. With this privacy policy, we inform you how and why we process personal data when you use our service (hereinafter only “ListaFlow” or the “Service”) and your rights as a data subject. We also inform you about how we process your data when we add you to our contact and customer database and when you use our profiles on social networks. With this privacy policy we are at the same time fulfilling our obligation under Article 13 of the General Data Protection Regulation (GDPR).
I. Contact Details of the Controller and Data Protection Officer
The controller of the data processing is: Flouzo SARL dba OpenCraft, 78 allée Primavera, Centre Ubidoca, 74370 Annecy, France
Email: contact@opencraft.com
We have appointed a data protection officer who can also be contacted under the postal contact details and under the following email address: privacy@opencraft.com.
II. Processing of Personal Data
1. Visiting ListaFlow’s Website
Purposes: You can visit and use ListaFlow’s website without having to provide personal data to us. However, when you use the website (and the Service as well), some technical data is collected that can legally be qualified as personal data (esp. your IP address). Additionally, we store certain data in so-called log files. A log file consists of:
Browser type/version,
operating system used,
Referrer URL (the previously visited page),
host name of the accessing computer (IP address),
time of the server request,
the URL you visited.
The processing of your IP address during the connection is done so that we can provide you with our website. The log files are stored to ensure the security and integrity of our systems, the technical administration of the network infrastructure and the optimization of our website, as well as for internal statistical purposes. The IP address is only evaluated in the event of attacks on our network infrastructure.
Recipients: The hosting of the website is carried out on our instructions by DigitalOcean LLC, 101 6th Ave New York, NY 10013. Digital Ocean is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection. We have concluded a data processing agreement with siteground in accordance with Art. 28 GDPR.
Legal basis: The processing is based on Art. 6 para. 1 lit. f) GDPR. Our legitimate interest here lies in the aforementioned purposes.
Storage period: Our log files are stored for 90 days and then deleted.
2. Subscribing for ListaFlow and Provision of ListaFlow’s Functions
Purpose: To use ListaFlow, you have to subscribe and register for an account. The subscription is subject to a fee. During subscription we will ask you for some information, such as your email address and your name. We may also ask you for proof that you use the service commercially and not as a consumer. We will use this information to subscribe you, create an account and provide you with access to ListaFlow.
The payment is handled by our payment provider Stripe and we will transfer all necessary information for the performance of the payment process to Stripe. In turn we will receive the information if payment was successful. We will not receive your credit card number or similar information on your means of payment.
During your use of ListaFlow we will process the information mentioned above and any other information you give us (such as lists, tasks etc.) to provide you with ListaFlow’s functions.
Recipient:
Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
DigitalOcean LLC, 101 6th Ave New York, NY 10013. Digital Ocean is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.
Freshbooks provides accounting software as a service and stores our users' information. Freshbooks' DPA is part of the Service Agreement. Freshbooks processes personal data in Canada. Canada is subject to an adequacy decision of the European Commission so that an adequate level of data protection is ensured.
New Relic provides performance monitoring services on our hosted systems. We have concluded a DPA with New Relic as well as Standard Contractual Clauses. New Relic is also certified under the Data Privacy Framework so that an adequate level of data protection is ensured.
Sentry offers an application monitoring solution designed to identify, monitor, and alert developers to errors, bugs, and other performance issues that are occurring in their applications. We have concluded a DPA with sentry.io as well as Standard Contractual Clauses. Sentry.io is also certified under the Data Privacy Framework so that an adequate level of data protection is ensured.
Tarsnap: We currently store backups of all our systems and client data on Tarsnap. Here is their DPA.
Legal basis: The legal basis is Art. 6 para. 1 lit. b) GDPR.
Storage period: We process your personal data for the duration of the contract. After its end, we process the data for 3 years, starting from the end of the year in which you terminated the contract, in order to be able to defend ourselves against legal claims or to assert such claims.
3. Contacting us via Email or Contact form
Purpose: You can contact us either via the email address available on our website or our contact form. During our communication, we process at least your email address and furthermore all information that you send us with your message. The processing of your personal data is carried out exclusively to respond to your enquiry.
Recipients:
DigitalOcean LLC, 101 6th Ave New York, NY 10013. Digital Ocean is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.
Google provides workspace applications that might be used to store PII. Information on signing the DPA can be found here.
Legal basis: The legal basis is Art. 6 para. 1 lit. f) or b) GDPR. Our legitimate interest lies in the purpose mentioned above.
Storage period: We delete the data processed for this purpose as soon as we have processed your request. Insofar as it is not a one-off enquiry, but a business contact arises as a result and/or we include you in our contact database, we retain the data for as long as there is active communication between us. If there is no contact for a period longer than 3 years, we will delete your information.
4. Statutory Retention Obligations
Purpose: We have to comply with statutory retention obligations. These obligations require us to keep certain documents and information (and all included personal data) and make them accessible to agencies and/or auditors.
Recipients:
Governmental agencies,
Auditors,
Legal and Tax Advisers.
Legal basis: The legal basis for this processing is Article 6 (1) lit. c) GDPR.
Storage period: 3, 5 or 10 years, depending on the kind of document.
5. Analytics
Purpose: We collect certain information on your usage of ListaFlow and analyze it to improve our Services. We may create profiles with the usage data; however, the analysis is carried out pseudonymously and serves statistical purposes only.
Recipients: DigitalOcean LLC, 101 6th Ave New York, NY 10013. Digital Ocean is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.
Legal basis: Art. 6 para. 1 lit. f) GDPR.
Storage period: We store the collected data for a period of 2 years and delete them thereafter.
III. Storage of and/or Access to Information on Terminal Equipment
When you use our site, information may be stored on your terminal equipment or we may access information already stored on it if this is absolutely necessary for providing our service (Section 25 para. 2 TTDSG). Otherwise, we will only store information on your terminal equipment or access such information if you have given us your prior informed consent.
IV. General Information on Categories of Recipients and Storage Period
Unless explicitly stated otherwise in this data protection information, only persons within our company will have access to your personal data. Furthermore, these persons must be responsible for processing the requests and have appropriate access to the IT system. In addition, we only use external service providers, apart from those explicitly mentioned, insofar as we cannot or cannot reasonably perform services ourselves. Data is only transferred to third countries if we inform you in this data protection declaration that your data will be passed on.
As a matter of principle, we only process data for as long as it is required for the respective purpose. If the data is then no longer processed for any other purpose, we generally delete it immediately.
V. Data Subject Rights
The General Data Protection Regulation guarantees you certain rights that you can assert against us - insofar as the legal requirements are met.
Art. 15 GDPR - Right of Access by the Data Subject: You have the right to request confirmation from us as to whether personal data relating to you is being processed and, if so, what that data is and the circumstances under which it is being processed.
Art. 16 GDPR - Right to Rectification: You have the right to demand that we correct any inaccurate personal data relating to you without undue delay. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data - also by means of a supplementary statement.
Art. 17 GDPR - Right to Erasure: You have the right to demand that we delete personal data concerning you without delay.
Art. 18 GDPR - Right to Restriction of Processing: You have the right to demand that we restrict processing.
Art. 20 GDPR - Right to Data Portability: You have the right, in the case of processing based on consent or for the performance of a contract, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and to transfer this data to another controller without hindrance from us, or to have the data transferred directly to the other controller, insofar as this is technically feasible.
Art. 21 GDPR - Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary for a legitimate interest on our part or for the performance of a task carried out in the public interest, or which is carried out in the exercise of official authority.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising, or defending legal claims.
Insofar as we process your personal data for the purpose of direct marketing, you have the right to object to the processing at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Art. 77 GDPR in Conjunction with Sec. 19 BDSG – Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates applicable law.
Right to Withdraw your Consent: You can revoke a given consent at any time with effect for the future via one of the contact addresses known to you.
VI. No Obligation to Provide Data
You have no contractual or legal obligation to provide us with personal data. However, without the data you provide, we may not be able to offer you all of our services.
VII. Existence of Automated Decision-Making (including Profiling)
When visiting our website, you will not, at any time, be subject to automated decision-making that would have legal effect in relation to you or otherwise adversely affect you in relation to the processing of personal data.
VIII. Changes to this Privacy Policy
We will occasionally adapt and change this Privacy Policy. We will notify you of changes by posting the updated version here or by other appropriate means.