Privacy Policy

Preamble

The controller within the meaning of the GDPR is

UNOVY UG (haftungsbeschränkt)
Solkowskyweg 9
22885 Barsbüttel
Germany
Phone: +49 40 604 393 35
Email: [ Javascript not enabled ]
Web: https://www.unovy.com/
Represented by the managing director Florian Gärber.

This privacy policy covers the use of the Auftrag.app service by UNOVY, which includes the following domains:

  • auftrag.app
  • auftrag.art
  • auftrag.space
  • auftr.ag
  • auftragapp.com
  • auftragusercontent.com
  • commissionsmadesimple.com

Data processing by UNOVY UG (haftungsbeschränkt)

§ 1 Collection of personal data when using Auftrag.app

  1. When visiting Auftrag.app as a guest, without logging in, we will collect access log details as well as a sampling of performance metrics:

    • Your IP address and its assigned country code
    • Timestamp of the request and timezone of your device
    • Viewed page URL, content length, and HTTP status code
    • Device details, like your browser and OS versions, and your language preference
    • Performance metrics, including DNS, TCP, request and response times, load time, and time until the page was interactive for you.

    The retention period is 30 days.

  2. If you want to use Auftrag.app, for example to submit a commission request or create a maker page, you will need to create a user account. In order to provide the service, we will collect the following personal data:

    • Your name or nickname
    • Your email address and hashed password
    • Your country (to identify your VAT rate)
    • If you register a hardware authenticator: Your hardware authenticators name and public key
    • If you participate in a commission request: Request contents, messages, files, package tracking numbers, statuses, shipment details, and activity details
    • If you make a payment: Your payment information, billing address, and tax ID if applicable
    • If you download a commission file: Your IP address and IP country, User-Agent, Origin and Referer headers, and a timestamp of when the file was downloaded.
  3. If you want to create a maker page at Auftrag.app, we will additionally collect the following personal data:

    • Your name, date of birth, address, and valid identity documents, as well as any other details or documents requested by our identity verification process
    • If the maker page is created for a company: The name, date of birth, address, and valid identity documents of yourself as well as the CEO, and shareholders with stakes larger than or equal to 25%, as well as any other details or documents requested by our identity verification process
    • Merchant category code, tax identification numbers and banking information for payouts
    • You may also provide your public phone number, email address and website during the identity verification process
    • Public Maker page details, such as name, vanity URL, public page contents, external links, and public media.
  4. The identity verification and payment processing is performed by Stripe (see sub-processors below). Sensitive personal or payment data from Stripe never reaches us.
  5. Personal data listed under 1. is collected because it is necessary in order to provide our service (Art. 6 Abs. 1f DSGVO). We have a legitimate interest in this purpose that outweighs your potential contrary interest not to process this information.
  6. Personal data listed under 2. and 3. is collected to perform our contract with you to provide our service (Art. 6 Abs. 1b DSGVO).

§ 2 Deletion of Data, storage period

  1. We will delete or block a data subject’s personal data as soon as the purpose of storing the data has been achieved. Personal data can be stored for longer periods if prescribed by a European or national legislator in EU regulations, laws or other regulations that govern the data controller. The data is also blocked or deleted at the end of a retention period prescribed by one of the above regulations, unless the data is required to be stored for a longer period for the purpose of performing or entering into a contract.

§ 3 Your rights

  1. You have the following rights in relation to the personal data concerning you:
    1. Right to information disclosure
    2. Right to correction or deletion
    3. Right to restrict processing
    4. Right to object to the processing
    5. Right to data portability
    6. Right not to be object of automated decision, inclunding profiling
  2. You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

    The competent data protection authority is

    Unabhängiges Landeszentrum für Datenschutz
    Holstenstraße 98
    24103 Kiel
    Germany
    Phone: +49 431 988-1200
    Email: [ Javascript not enabled ]

§ 4 Use of Cookies, Local Storage and Session Storage

  1. The use of cookies, local storage, session storage and similar technologies is governed by our Cookie Policy below.
  2. You can find detailed lists of used cookies, local storage and session storage keys, their purposes and retention times below. You will also be able to clear any local and session storage keys. Local storage keys are retained indefinitely. Session storage keys and session cookies are retained until you start a new browsing session. Cookies with a specified expiration will last until they expire or are removed.

Data processing by Sub-processors

This is a list of our sub-processors. For your convenience, we have compiled a "List of sub-processors" table that includes the name, address and country, a short purpose description as well as link to the privacy policy of all our sub-processors.

§ 1 Ably Real-Time Ltd., Great Britain

  1. Auftrag.app uses Ably to provide realtime messaging and notification services. While you are logged in to your Auftrag.app, your device will establish a realtime connection with Ably servers to receive event notifications in realtime, such as when you receive a new message or regarding commission status updates.
  2. Data sent over the Ably-service includes internal IDs, and you are uniquely identified to Ably by your internal user ID. Your IP address and device details may be stored for up to 14 days. Data transferred over the realtime connection is usually held for 2 minutes or less, but up to 24 hours as necessary to provide the service.

§ 2 Exoscale Object-Storage (Akenes SA, Switzerland)

  1. Auftrag.app uses Exoscale Object-Storage to store files you upload to Auftrag.app, such as profile pictures or commission files.
  2. Which country or datacenter a commission file is uploaded to depends on the commissioned maker's configuration. You can see which country files for a commission are stored in by checking the "Zone" near the commission cloud storage volume indicator.
  3. Due to an adequacy decision of the European Commission, Switzerland has an adequate level of data-protection in terms of Art. 45 GDPR.

§ 3 AWS (Amazon Web Services EMEA SARL, Luxemburg)

  1. Auftrag.app uses AWS S3 to store files you upload to Auftrag.app, such as profile pictures or commission files.
  2. Which country or datacenter a commission file is uploaded to depends on the commissioned maker's configuration. You can see which country files for a commission are stored in by checking the "Zone" near the commission cloud storage volume indicator.
  3. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 4 Cloudflare, Inc., USA

  1. Auftrag.app uses Cloudflare to protect it's services and securely serve content through Cloudflare's content delivery network (CDN). Cloudflare may collect log data (such as your IP address, device details like browser and OS version, as well as DNS logs, and website performance data) to provide its service. All requests to the Auftrag.app API are made through Cloudflare.
  2. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 5 DigitalOcean, LLC, USA

  1. Auftrag.app uses DigitalOcean to host its application and database servers. The database servers store your personal data collected by Auftrag.app for the purpose of providing its service and are encrypted at rest.
  2. Auftrag.app uses DigitalOcean Spaces to store files you upload to Auftrag.app, such as profile pictures or commission files.
  3. Which country or datacenter a commission file is uploaded to depends on the commissioned maker's configuration. You can see which country files for a commission are stored in by checking the "Zone" near the commission cloud storage volume indicator.
  4. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 6 Freshworks, Inc., USA

  1. Auftrag.app uses Freshdesk by Freshworks to provide customer support. Support requests submitted to Auftrag.app either via the website or via email are processed and stored by Freshdesk. Support contact data may include for example your email address, name, social media handles, phone number, website or company information. Support ticket data may include for example your support contact data, request contents, and any replies or files you may attach to the ticket.
  2. Auftrag.app uses Freshcaller by Freshworks to provide its call center. When you call an Auftrag.app support phone number, your call will be routed through Freshcaller and may be recorded for training and quality-control purposes. Calling Auftrag.app via Freshcaller will result in the creation of a support contact in our Freshdesk instance, which will include your phone number. Data collected by Freshcaller may also phone call timestamps, duration, and call recordings, for the purpose of providing its service.
  3. Auftrag.app uses Freshchat by Freshworks to provide realtime customer support. Chat logs and device information are stored by Freshchat and converted to support tickets at Freshdesk.
  4. Auftrag.app uses Freshping by Freshworks to provide its uptime stats page.
  5. Auftrag.app uses Freshstatus by Freshworks to provide its service status page. You may subscribe to service status updates by entering your email address. You will then receive service status updates until you unsubscribe or are removed from the mailing list. Your email address entered on the status page isn't used for other purposes.
  6. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 7 Sentry (Functional Software Inc., USA)

  1. Auftrag.app uses Sentry to improve application stability by collecting detailed error reports. Collected information includes, for example device information (such as Browser and OS version), steps taken that caused the error (including which buttons you pressed), and application-internal error tracing information. Collected information is anonymized and cleared of potentially identifying information before sending and again after it is received by Sentry.
  2. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 8 LexOffice (Haufe Service Center GmbH, Germany)

  1. Auftrag.app uses LexOffice for tax accounting. If you make or receive payments at Auftrag.app, your relevant tax information is stored here according to our legal obligations.

§ 9 Heroku, Inc. - A Salesforce Company, USA

  1. Auftrag.app uses Heroku to host its application and database servers. The database servers store your personal data collected by Auftrag.app for the purpose of providing its service and are encrypted at rest.
  2. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 10 LogDNA, Inc., USA

  1. Auftrag.app uses LogDNA to aggregate log files that accrue from the operation of the service. Log files may include your IP address, device details (such as browser and OS version), and viewed URL. Log files may be analysed to improve the operation and security of the service and are stored for up to 7 days.
  2. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 11 Mailgun Technologies, Inc., USA

  1. Auftrag.app uses Mailgun to send transactional emails regarding your account, such as account security notifications, login links, and payments. In order to provide its service, Mailgun will receive the email address, as well as message contents, of incoming and outgoing emails.
  2. Emails you send to the Auftrag.app support email addresses are received by Mailgun and forwarded to Freshdesk.
  3. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 12 Netlify, Inc., USA

  1. Auftrag.app uses Netlify to host its website (www.auftrag.app). Netlify may collect access logs (including your IP address, device details like browser and OS version viewed pages and timestamps) and store them for up to 30 days in order to provide its service.
  2. By concluding EU Standard Contractual Clauses, we have provided appropriate safeguards for adequate data protection within the meaning of Art. 46 para. 2 let. c GDPR.

§ 13 Stripe Payments Europe Ltd., Ireland

  1. Auftrag.app uses Stripe to process payments on behalf of the makers. Stripe will collect and store billing information, such as card details, billing addresses, as well as other legally required information.
  2. Auftrag.app includes "Stripe.JS" on all pages only while you are logged in. While "Stripe.JS" is active, it performs advanced fraud detection through pattern observation. Stripe may collect device information and usage data. The collected data is not shared or sold by Stripe.
  3. When making a payment at Auftrag.app, you may be redirected to a Stripe-hosted payment page where advanced fraud detection is also enabled.
  4. If you own a maker page, your Stripe Connect identity verification and payout details will be collected through Stripe. Identity verification may include for example your full name, address, date of birth, tax identification number, and company information (if the maker page was created for a company). Payout details may include for example your bank account and routing number.
  5. Auftrag.app will never see any sensitive information such as your full credit card or bank account numbers from Stripe. Please also refer to the Stripe Privacy Policy which you can find a link to in the list of sub-processors below.

List of sub-processors

NameLocationPurposePrivacy Policy
Ably Real-Time Ltd.
Techspace Shoreditch, 25 Luke St, London EC2A 4DS
United Kingdom
Real-time & push notificationsPrivacy Policy
Akenes SA
Boulevard de Grancy 19A, 1006 Lausanne
Switzerland
Cloud servicesPrivacy Policy
Amazon Web Services EMEA SARL
Ave J.-F. Kennedy 38, 1855 Luxembourg
Luxembourg
Cloud servicesPrivacy Policy
Cloudflare, Inc.
101 Townsend St., San Francisco, CA 94107
United States of America
CDN, performance & securityPrivacy Policy
DigitalOcean, LLC
101 Avenue of the Americas, 10th Floor, New York, NY 10013
United States of America
Cloud servicesPrivacy Policy
Freshworks, Inc.
2950 S. Delaware Street, Suite 201, San Mateo, CA 94403
United States of America
User support managementPrivacy Policy
Functional Software, Inc.
132 Hawthorne St, San Francisco, CA 94107
United States of America
Error reportingPrivacy Policy
Haufe Service Center GmbH
Munzinger Straße 9, 79111 Freiburg
Germany
AccountingPrivacy Policy
Heroku, Inc.
Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
United States of America
Cloud servicesPrivacy Policy
LogDNA, Inc.
274 Castro St., 2nd Floor, Mountain View, CA 94041
United States of America
Application LogsPrivacy Policy
Mailgun Technologies, Inc.
548 Market St. #43099 San Francisco, CA 94104
United States of America
Transactional emailPrivacy Policy
Netlify, Inc.
2325 3rd Street, Suite 215, San Francisco, CA 94107
United States of America
Web hostingPrivacy Policy
Stripe Payments Europe, Ltd.
1 Grand Canal Street Lower, Grand Canal Dock, 8QQ4+XQ Dublin
Ireland
Payment processingPrivacy Policy

List of cookies

Cookie namePurposeDurationFunctional
_cfduidUsed by Cloudflare to identify individual visitors with the same IP address privately30 days
__stripe_midUsed by Stripe to prevent fraud through pattern observation1 year
__stripe_sidUsed by Stripe to prevent fraud through pattern observation30 minutes

List of local storage keys

KeyPurposeFunctional
ab.segmentRandom number between 1 and 1000, assigned on your first visit. Ensures that you will receive a consistent experience during A/B testing.
ably-transport-preferenceUsed to determine the preferred technology for realtime connection features in your browser.
auth.device_tokenA token to uniquely identify a device during login attempts; prevents trusted devices from being locked out by excessive login attempts from unkown devices.
localeYour selected language preference.
oauth2.access_tokenYour session login token, automatically removed when logging out.
oauth2.refresh_tokenYour persistent login token, automatically removed when logging out.

List of session storage keys

KeyPurpose
create.nameTo remember your name during maker page creation.
create.vanityTo remember your vanity URL during maker page creation.
create.typeTo remember your business type during maker page creation.