Obligation to provide information under the General Data Protection Regulation (GDPR)

Version May 24th, 2018

Preamble

With this privacy policy we explain the visitors of our website as well as customers of our online and app-based time and mileage tracking solution timr.com (hereafter “Service”) about our handling of your data.

The protection of your privacy and data is very important to us and is always observed in all business transactions.

By using this website and our service, you consent to the use of your personal data (hereinafter “data”) as described in this privacy policy. All references to persons are understood to be gender-neutral.

You can always use our website without providing personal information. However, different provisions may apply to individual services, to which we refer you separately below.

General
Your personal data (hereinafter referred to as “data”) is processed on this website for the purpose of providing of information regarding our service. In this privacy policy, we inform you regarding e.g.

  • the name and contact details of the data controller
  • all purposes for which your data is processed
  • the legal basis on which processing activities are based, potentially including our legitimate interest in doing so
  • all recipients of your data
  • the possible transfer of your data to a third country and an explanation of the associated legal basis
  • the storage duration of your data or the criteria for determining the duration
  • the categories of your data which are processed
  • where your data originates
  • the rights of data subjects  
The data privacy controller

troii Software GmbH
Industriezeile 54
5280 Braunau am Inn
Austria

Full contact info can be found within our Imprint

Appointed data protection officer:
Dipl. Ing. Manuel Stadler
dpo@troii.com

Contact via email, chat, phone
Our website contains information that enables you to contact our company quickly and to communicate with us directly.

If you contact us, the personal data you provide will be automatically saved.

Such personal data transmitted by you to us on a voluntary basis will be stored for the purpose of processing or contacting us.

Registration
As far as you want to use our service timr.com, you must register yourself by providing your e-mail address, a password of your own choosing and your own user name.

We use the so-called double-opt-in procedure for registration, ie. Your registration is only completed if you have previously confirmed your registration via a confirmation email sent to you for this purpose by clicking on the link contained therein. This confirmation e-mail is used to check whether you, as the owner of the e-mail address, have authorized the registration. The purpose of the procedure is to prove your registration and, if necessary, to inform you about possible misuse of your personal data.

If your confirmation is not received within 7 days, your registration will be automatically deleted from our database.

Providing the aforementioned data is mandatory, all other information you can provide voluntarily by using our service.

When you use our service, we will store your contractual data, including payment details, until you finally delete your access.

Furthermore, we save the voluntary data you provided for the time of your use of the service, unless you delete them before. All information can be managed and changed in the protected customer area. The legal basis is Art. 6 (1) b GDPR.

Server log files, Usage data
Each time you access our website, an automated system captures a series of general data and information.

Data and information recorded include

  • the browser types and versions used
  • the operating system used by the accessing system
  • the website from which an accessing system reaches our website (“referrers”)
  • the sub-website controlled on our website via an accessing system
  • the date and time of access to the website
  • an Internet Protocol address (IP address)
  • the Internet Service Provider of the accessing system
  • other similar data and information used to avert danger in the event of attacks on our information technology systems
  • Information on actions esp. Errors that occurred while using our service

We draw no conclusions regarding your person when using this general data and information.

This information is required in order to

  • deliver the contents of our website correctly
  • optimize the content of our website and advertising for it
  • ensure the continued functioning of our information technology systems and the technology on our website and our service
  • provide law enforcement with the information necessary to process offenses in the event of a cyberattack

We statistically evaluate this anonymously collected data and information as well as use it to improve data protection and data security within our company in order to ultimately ensure the best possible level of protection for you. In all cases, we are permitted to process this data on the basis of our legitimate interest under Art. 6 (1) f GDPR.

The logs are stored separately from all personal data provided by you, and are also deleted after a maximum of 6 months.

App error reporting
For the optimization and real-time evaluation of errors, we continue to use the Crashlytics tool in the apps (see below). In addition to anonymous usage data such as operating system, device type, etc., we also receive information with personal data such as login and timr URL in case of errors.

We may process these data based on our legitimate interest in accordance with Art. 6 (1) (f) GDPR.

Cookies
Our website and our service are using the following types of cookies, whose scope and operation are explained below:

  • Transient Cookies
  • Persistent Cookies

Transient cookies are automatically deleted when you close your browser. These include in particular session cookies. These store what is known as a session ID, with which various requests from your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

You can configure your browser setting according to your preferences and e.g. refuse to accept third-party cookies or all cookies. Please be aware that you may not be able to use all the features of our service if you do so.

We use cookies to identify you for follow-up visits if you have an account with us. Otherwise you would have to log in again for each visit.

Your rights / contacting us
You have the following rights vis-à-vis us with respect to personal data concerning you:

  • the right of confirmation
  • the right to information
  • the right to rectification or erasure
  • the right to restrict processing
  • the right to object to processing
  • the right to data portability
  • the right to withdraw your consent

You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us.

You can contact us at any time for further information on this and other questions regarding personal data.

Automated decisions in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – that will have legal effect or affect you in a similar manner, unless the decision (1) is taken for the purpose of concluding or fulfilling a contract (2) is permitted under any of the laws of the Union or the Member States to which we are subject, and where such legislation contains reasonable safeguards to protect your rights and freedoms and your legitimate interests; or (3) your express Consent is given.

If the decision (1) is required to conclude or fulfill a contract between you and us or (2) it is with your express consent, we shall take reasonable steps to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to state his own position and to contest the decision.

Right to revoke a data protection consent

You have the right to revoke your consent to the processing of personal data at any time. Your revocation does not affect the legality of the data processing until revocation.

Minors
Our website and services are not intended for use by minors and we expressly do not wish to collect information from minors. If a parent or legal guardian of a minor believes that his or her child may have provided personal information to us, please write to us at the contact address indicated below and we will delete the associated personal information, subject to applicable law and this policy.
Data security
We employ reasonable technical and organizational measures and safety precautions (TOMs) to prevent unauthorized access to, unlawful processing of, and unauthorized or accidental loss of your information.

This includes e.g. encrypting your communication with us via this website based on the Secure Socket Layer (SSL) encryption protocol.

For a complete list of our TOMs, see https://timr.com/en/p/toms

How do we collect your data?
At the present time you can enter data on our website or our service, send us an email, contact us via chat or by phone.

When you contact us, we will process the information you provide to answer your questions.

We delete the data that arises in this context after the storage is no longer required, or limit the processing if there are statutory retention requirements.

If we rely on contracted service providers for individual functions of our offer or if we wish to use your data for advertising purposes, we will inform you in detail below about the respective transactions. In doing so, we also name the specified criteria for the storage duration.

a. Contacting us via Email, Chat, Phone

If you contact us via e-mail, chat or telephone, your data will be processed by us and the recipients mentioned below.

Please note that unencrypted emails sent via the Internet are not adequately protected against unauthorized access by third parties.

b. Newsletter

Once you have given your consent, you can subscribe to our newsletter. The newsletter contains information about our current offerings of interest.

Our company’s newsletter can only be received by you if (1) you have a valid email address and (2) you have signed up to have the newsletter sent to you.

As part of the double opt-in process, a confirmation email will be sent to the email address you initially entered to receive the newsletter at and in which we ask you to confirm that you wish to receive the newsletter.

This confirmation email is used to verify that you, as the owner of the email address, have authorized the receipt of the newsletter.

The purpose of this procedure is to verify your registration and, if necessary, to inform you regarding the potential misuse of your personal data.

If you do not confirm your registration within 7 days, your information will be blocked and then automatically deleted periodically.

Why do we process your data?
When you contact us, e.g. just to obtain information from us, we process your data for this purpose.

If you contact us, e.g. to conclude a contract, we process your data for this purpose.

a. Processing your order, contract, including customer service

If you enter your order data on our website or via email, the data you provide, including your personal data, will be processed by us and the recipients mentioned below in order to (pre)process your order as part our business relationship with you, to process and manage your order, as well as to provide you with customer service.

b. Newsletter

We use a newsletter to inform our customers and business partners at regular intervals of offerings by the company. The advertised goods or services are designated in the declaration of consent.

The data collected in the course of your subscription to the newsletter will be used exclusively to send our newsletter.

Subscribers to the newsletter may also be informed by email should this be necessary to offer the newsletter service or the associated registration, e.g. in the event of changes to the newsletter or changes in technical conditions.

Why are we permitted to process your data?
When you contact us, e.g. just to obtain information from us, we may process your data on the basis of your consent pursuant to Art. 6 (1) a GDPR and Art. 6 (1) f GDPR.

If you contact us to e.g. conclude a contract, we may process your data on the basis of Art. 6 (1) b GDPR and may save it on the basis of Art. 6 (1) 1 c GDPR.

a. Processing your order, contract

Your data, including the personal data provided by you, as well as any unsolicited and voluntarily furnished special categories of personal data, is processed by us and the recipients listed below on the legal basis set forth in Art. 6 (1) b and Art. 9 (2) a GDPR in order to be able to identify you as a customer, in order to be able to appropriately process the relevant order, as well as for correspondence with you. The data processing takes place at your request and is necessary to appropriately process your order for the cited purposes.

b. Marketing (general)

“Legitimate interest” pursuant to Art. 6 (1) f GDPR. The legitimate interest is our interest in initiating a business transaction and developing the business relationship with existing and potential customers.

c. Newsletter

The legal basis is your consent pursuant to Art. 6 (1) a GDPR.

For a. b. c. applies equally

We may contact you by email, phone or fax for the purposes listed below, based on the legal basis quoted.

By submitting your registration you further declare that all data provided by you is complete and correct.

You agree to notify us of any changes in your data immediately.

What data do we process?
a. Information

If you contact us solely to obtain information from us, we will process the data provided by you.

You provide information on a purely voluntary basis. However, we expressly ask that you not disclose any information that is likely to be of little or no relevance to your intended purpose. This applies in particular to specific categories of personal (“sensitive”) data.

b. Order, contract

Depending on the information you voluntarily provide us with, your data processed by us may include:

  • your contact details (name, address, telephone number, email address, etc.)
  • the content of the order
  • unsolicited and voluntarily provided special categories of personal data which you provide us with

c. Newsletter

Which personal data is transmitted to us when ordering the newsletter depends on the input screen that is used for this purpose.

The only information that must be entered in order for the newsletter to be sent is your email address.

Entering additional, separately provided data is voluntary and will be used to let us address you personally.

When registering for the newsletter, we also store the IP address assigned by the Internet Service Provider (ISP), the computer system you used at the time of registration, and the date and time of registration.

The collection of this data is necessary in order to be able to track the (possible) misuse of your email address at a later date, and therefore serves as legal protection for us.

Who is your data transferred to?
Your data can be passed on in whole or in part, but only to the extent necessary and, if necessary, to the following controllers:

  • Banks (payment transactions – Austria)
  • Tax consultants (accounting – Austria)
  • Collection agencies (debt collection – Austria)
  • Law enforcement representatives (law enforcement – Austria)
  • Courts (law enforcement – Austria)
  • Administrative authorities (Austria)

In addition, your data can be transferred to the following recipients acting as processors. We have concluded a data processing agreement with all of them and have verified the appropriate technical and organizational measures (TOMs):

Hetzner Online GmbH (Germany)
Hosting Website and Service

Google LLC (USA – privacy shield)
G-Mail, Fabric Crashlytics

Zendesk Ink. (USA – privacy shield)
Support – Email, Chat

AIRCALL SAS (France)
Phone support

SolarWinds Worldwide LLC, USA – privacy shield
Application-Logging (Errors, …)

New Relic, USA – Standard Contractual Clauses
Application-Monitoring (Performance, stability, …)

The Rocket Science Group LLC, USA – privacy shield
Newsletter, Emails

mPay24 GmbH, Österreich
Payment processing

How long do we process your data?
Your data will be stored in a form that will permit your identification only for as long as necessary for the purpose for which it is processed.

a. Information

By providing us with your data via this website or via email, you expressly agree that your data will be processed by us and the aforementioned recipients for the duration of the processing of this information, including the personal data provided by you and any unsolicited and voluntarily provided special categories of personal data.

Consequently, in the event that you contact us solely to obtain information from us, your information will either be deleted immediately or deleted after the appropriate period which corresponds to the content of the communication has elapsed.

Upon revocation of your consent, we will erase (or instruct the erasure of) all your data from all databases, including accumulated data.

b. Order, Contract

Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of 7 years. In the event that you contact us to conclude a contract, your data will be deleted at the end of the 7th year after the last document (Section 132 Austria Fiscal Code – BAO) has been recorded. Therefore, in the event that you enter into a contract, all data from the contractual relationship is stored until the expiration of this period.

However, we limit such processing after 2 years, i.e. your data will only be used to comply with statutory obligations.

Your data may continue to be stored due to statutory/legal retention obligations or contractual obligations, e.g. vis-a-vis customers in relation to warranty or compensation or vis-a-vis contractual partners (Art. 6 (1) c GDPR, Art. 17 (3) e GDPR).

The data categories name, address, purchased goods and date of purchase are also stored until the end of product liability (10 years).

c. Newsletter

The consent to process your personal data which you have given us in connection with the newsletter can be revoked at any time. Consequently, you can unsubscribe from the newsletter at any time.

You can notify us of your revocation by clicking on the link provided in each newsletter email or by sending a message to the contact point provided in the site legal notice.

Email Tracking
Our emails may contain so-called counting pixels.

A counting pixel is a miniature graphic that is embedded in such emails that are sent in HTML format to enable log file recording and log file analysis.

This allows a statistical evaluation of the success or failure of online marketing campaigns.

The embedded pixel lets us know if and when an e-mail has been opened by you and which links in the e-mail you have accessed.

Such personal data collected via the counting pixels contained in the emails are stored and evaluated by us in order to optimize the e-mail dispatch and to adapt the content of future emails even better for you.

Blog Features
You can post public comments on our blog, where we post various contributions to topics related to our service.

Your comment to a post will be posted with your given username. You can also use a pseudonym instead of your real name.

Providing a username and e-mail address is required, all other information is optional.

We need your e-mail address to contact you if a third party objected to your comment as unlawful.

Legal bases are Art. 6 (1) 1 b and f GDPR.

The comments will be reviewed before publication. We reserve the right to delete comments.

Webshop
If you want to order in our webshop (shop.tourapp.io), it is necessary for the conclusion of the contract that you provide your personal information that we need for the processing of your order.

Mandatory information required for processing the order is marked separately, other details are optional.

We process the data provided by you only to process your order.

These data are required to fulfill the contract or to carry out pre-contractual measures. Without this data we can not conclude the contract with you.

Legal basis is Art. 6 (1) 1 b GDPR.

A transfer of data to third parties does not take place, with the exception of the transfer of the credit card data to the processing bank / payment service provider for the purpose of debiting the purchase price, to the transport company / shipping company commissioned by us to deliver the goods and to our tax advisor to fulfill our tax obligations.

Due to commercial and tax regulations, we are obliged to store your address, payment and order data for a period of 7 years. In the case of a contract, therefore, all data from the contractual relationship are stored until the expiration of this period.

Beyond that the data categories name, address, purchased goods and date of purchase are stored until the end of product liability (10 years).

To prevent unauthorized access by third parties to your personal data, in particular financial data, the order process is encrypted using TLS technology.

Google Analytics and Google Tag Manager
Our websites and services use Google Analytics, a web analytics service provided by Google LLC (“Google”).

This website uses Google Analytics with the extension “_anonymizeIp ()”. As a result, IP addresses are processed shortened, a person-relatedness can be excluded. Insofar as the data collected about you is assigned a personal reference, it will be immediately excluded and the personal data will be deleted immediately.

We use Google Analytics to analyze and regularly improve the use of our website. With the statistics we can improve our offer and make it more interesting for you as a user.

For the exceptional cases in which Personal Information is transferred to the US, Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

The legal basis for the use of Google Analytics is Art. 6 (1) 1 f GDPR.

Third-party information: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of Use: http://www.google.com/analytics/terms/gb.html, Privacy Policy: http://www.google.com/intl/de/analytics/learn/privacy.html, and the Privacy Policy: http://www.google.com/intl/en/policies/privacy.

YouTube
We have included YouTube videos in our online offering, which are stored on http://www.YouTube.com and are directly playable from our website.

By visiting the website, YouTube receives the information that you have accessed the corresponding sub-page of our website.

This happens regardless of whether YouTube provides a user account that you are logged in to, or if there is no user account.

When you’re logged in to Google, your data will be assigned directly to your account.

If you do not wish to be associated with your profile on YouTube, you must log out before activating the button.

YouTube stores your data as usage profiles and uses them for purposes of advertising, market research and / or custom design of its website.

Such an evaluation is done in particular (even for users who are not logged in) to provide appropriate advertising and to inform other users of the social network about your activities on our website.

You have a right to object to the creation of these User Profiles. You have to address your objection directly to YouTube.

For more information on the purpose and scope of your data collection and processing through YouTube, please read the privacy policy. You’ll also get more information about your rights and privacy settings here: https://www.google.com/intl/en/policies/privacy. Google also processes your personal information in the US and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Google Web Fonts
This site uses so-called web fonts, provided by Google, for the uniform representation of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. If your browser does not support web fonts, a default font will be used by your computer. For more information about Google Web Fonts, visit https://developers.google.com/fonts/faq and Google’s Privacy Policy: https://www.google.com/policies/privacy/
Google Adwords
We use the offerings of Google Adwords to draw attention to our attractive offers with the help of advertising materials (so-called Google Adwords) on external websites.

In relation to the data of the advertising campaigns, we can determine how successful the individual advertising measures are.

We are interested in showing you advertisements that are of interest to you, to make our website more interesting to you and to achieve a fair calculation of advertising costs.

These advertising materials are supplied by Google via so-called “ad servers”.

To do this, we use ad server cookies, which measure certain performance metrics such as ads or user clicks.

If you access our website through a Google ad, Google Adwords will store a cookie on your PC.

These cookies usually lose their validity after 30 days and are not intended to identify you personally. With this cookie the unique cookie ID, number of ad impressions per placement (Frequency), last impression (relevant to post-view conversions), and opt-out information (mark that the user would not like to be addressed any more) will be typically saved as analysis values.

These cookies allow Google to recognize your Internet browser.

If a user visits certain pages of an Adwords customer’s website and the cookie stored on their computer has not expired, Google and the customer will be able to detect that the user clicked on the ad and was redirected to that page. Each Adwords customer is assigned a different cookie.

Cookies cannot be tracked via the websites of Adwords customers.

We ourselves do not collect and process any personal data in the aforementioned advertising measures.

We receive only statistical evaluations provided by Google.

On the basis of these evaluations, we can identify which of the advertising measures used are particularly effective.

We do not receive any further data from the use of the advertising material, in particular we cannot identify the users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server.

We have no control over the extent and the further use of the data, which are raised by the employment of this tool by Google and inform you therefore according to our knowledge level: By the incorporation of AdWords conversion Google receives the information that you accessed the appropriate part of our Internet appearance or clicked on an ad from us.

If you are registered with a service provided by Google, Google may associate the visit with your account.

Even if you are not registered with Google or have not logged in, there is a chance that the provider will find and store your IP address.

You can prevent participation in this tracking process in several ways:

a) By setting your browser software accordingly, in particular, the suppression of third party cookies will prevent you from receiving any third party advertisements;

b) by disabling the cookies for conversion tracking by setting your browser to block cookies from the domain “www.googleadservices.com”, https://www.google.com/settings/ads, however, this setting will be deleted when you delete your cookies;

c) by deactivating the interest-based advertisements of the providers that are part of the “About Ads” self-regulation campaign via the link http://www.aboutads.info/choices, this setting being deleted when you delete your cookies;

d) by permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to use all the features of this offer in full.

The legal basis for the processing of your data is Art. 6 (1) 1 f GDPR.

You will find more information about privacy at Google here: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/en.html. Alternatively, you can visit the Network Advertising Initiative (NAI) website http://www.networkadvertising.org. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Google Remarketing
In addition to Adwords Conversion, we use the Google Remarketing application.

This is a process by which we would like to address you again.

This application allows you to see our ads after visiting our website as you continue to use the Internet.

This is done by means of cookies stored in your browser, through which your usage behavior when visiting various websites is recorded and evaluated by Google.

This is how Google determines your previous visit to our website.

A combination of the data collected during the remarketing with your personal data, which may be stored by Google, does not occur according to Google.

In particular, according to Google, pseudonymization is used in remarketing.

A/B-Testing
This website analyses user behaviour through A / B testing.

In doing so, we can show you our websites with slightly varied contents, depending on a profile assignment.

This allows us to analyze our offer, improve it regularly and make it more interesting for you as a user.

The legal basis for A/B Testing is Art. 6 (1) 1 f GDPR.

For this evaluation cookies are stored on your computer.

You can prevent the evaluation by deleting existing cookies and preventing the storage of cookies.

If you prevent the storage of cookies, we point out that you may not be able to use our website to the full extent.

The prevention of the storage of cookies is possible through the setting in your browser.

Before the analyzes are carried out, the IP addresses are processed in shortened form, so that direct personal reference can be excluded.

The IP address provided by your browser will not be merged with other data collected by us.

Hotjar
We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.