Déclaration de confidentialité
PollUnit UG (haftungsbeschränkt) collects and processes your data as a responsible authority in the sense of the data protection laws.
PollUnit UG (haftungsbeschränkt)
Conrad-Schulz-Weg 3
D-82211 Herrsching
1. Scope
- This privacy policy clarifies the nature, scope and purpose of the collection and use of personal data by the PollUnit UG (haftungsbeschränkt) on this web application (PollUnit). Compliance with data protection regulations is self-evident to us. The basis for this is the EU General Data Protection Regulation (GDPR).
2. Collection of general information
-
When you access our web application, general information is collected automatically. This data is technically necessary to deliver our web application correctly. The data includes information such as: version and type of your web browser, your used operating system, your IP address, the domain name of your Internet service provider, and the time of your access to our web application. We do not use your data to draw conclusions about your person. In order to constantly improve our service, we evaluate this data statistically. For example, statistics are about which pages and features are most popular and most frequently visited or used.
Legal basis: Processing is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability, integrity and functionality of our website.
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: We delete this data as soon as it is no longer required for the purpose of collection.
A contradiction is excluded, since without this data the functionality of our website cannot be guaranteed.
3. Collection of data during registration
- We set up a password-protected direct access to the user data (user account) for each of our customers who registered accordingly. When creating user accounts, different personal data is collected. This data includes your first and last name, your e-mail address, and any other information you provide during registration.
- In addition, you can comfortably sign in or register with your Facebook / Github / Google account on our application. Click on the Facebook / Github / Google logo in the login dialog. This will open a log-in dialog from the provider, where you give PollUnit the permission to access your information from this provider. This includes basic information as well as your e-mail address. With this data we create your PollUnit account. During the process, the provider will not pass a password to our application.
- With a PollUnit user account or a completed registration, you can access content and services that we only offer to registered users. The data provided for the registration can be changed at any time in your user account ('My account') after a login. Here the user can also see his orders (subscriptions) and their statuses.
- You agree to treat your personal access data confidentially and not to make it accessible to unauthorized third parties. We can not accept liability for misuse of passwords, unless we represent the abuse.
- For any information, correction or deletion concerning the personal data we have stored about you, please contact us via the above address. Processing of this data is only possible if there are no statutory storage obligations.
-
Personal data will only be collected, used and passed on if this is legally permitted or if you have given your consent to the data collection.
Legal Basis: The data entered during registration are processed on the basis of the user's consent (Article 6(1)(a) GDPR).
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Article 6(1)(b) GDPR.
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: You can delete your account yourself in your profile settings. We first mark your account as deleted for 30 days in order to be able to help you with any questions you may have. After that the data will be deleted as long as there are no legal obligations to store them. For an immediate deletion you can contact us at any time.
The provision of your personal data is voluntary, solely on the basis of your consent. Without the provision of your personal data, we can only grant you limited access to our services.
4. Collection of data when creating a survey
- If you are logged in with a PollUnit account, no further information about your person is necessary.
- Without PollUnit account, you must enter your name and e-mail address. We need this data to carry out your survey. For example, to inform you about the result.
- When creating a survey, we need different general information. These data are for example: title, description and location of the survey. We also need the options of your survey. These can be date, time, pictures or other infromations which you indicate during the creation.
- You have the option to send invitations to other users. To do this, you can specify a list of email addresses, or import your contacts from Google. PollUnit will only get access to your Google contacts when you are logged in to Google and PollUnit is authorized to read your contacts. We use these contacts exclusively to realize your survey. For example, to send your invitation or notify users about events in your poll.
- You have the possibility to specify a location for your PollUnit. For ease of use we use the Google Maps API for address suggestions based on user input.
-
You can create polls about images or other files. In addition, users can upload their own background images for their surveys. To ensure optimal delivery of these data, this data is stored in Digitalocean (cloud storage) and delivered to the users by Digitalocean.
Legal Basis: The data entered during registration are processed on the basis of the user's consent (Article 6(1)(a) GDPR).
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: You can delete your PollUnits at any time independently or contact us and instruct us to delete them.
The provision of your personal data is voluntary, solely on the basis of your consent. Without the provision of your personal data, we can only grant you limited access to our services.
5. Use of the data of your survey
- Access to your current, not additionally secured surveys and their contents, have all users that received the participant link or admin link from you or a third party. These are links to your survey. With the help of the adminlink, users can also edit your survey. You can also secure your poll with a password.
- Users with access to your survey can retrieve content such as title, description, location, and survey options. In addition, your users see the votes and names of you and other participants who have already voted.
- As a user with a PollUnit account, you can edit and delete your polls at any time at 'My PollUnits'.
6. Collection, processing and use of your data
- If you have provided us with personal data, we only use it to create your surveys, process your orders, answer your queries, for technical administration as well as for our own marketing purposes. When collecting, processing and using your personal data, we adhere strictly to the legal provisions of the EU General Data Protection Regulation (GDPR). Your personal data will only be passed on to third parties if this is necessary for the purpose of the contract processing or for the settlement and you have previously given your consent. For example, Stripe (payment service provider) will receive the necessary data to process your order. The provided data may be used by our service providers only to fulfill their tasks.
- Your e-mail address is required, so we can confirm your order and communicate with you. We can also use them for your identification (customer login). In addition, we use your account email address or address provided by the creation in surveys to inform you about events in your survey. These events can be, for example: the result of the survey, information about new options, the participation of participants.
- Depending on the type of survey, different information from the participants is recorded and made available to other participants. For example, other participants have access to the following information: your name, your chosen options or ratings, your comments and other information you specify in a survey. The aim of PollUnit is to shorten the communication between its users. Therefore all users who have access to the administration of a survey have the option to export, edit and save the results, votes, and e-mail addresses (if known) of the participants.
- Uploaded media such as photos, can contain metadata. Metadata could include personal data like EXIF GPS location. As administrator of a PollUnit, you can view this metadata and export, download and save media files. Personal data like location information can be removed before uploading to the PollUnit servers.
7. Provision of services at a charge
-
For the provision of paid services, additional data are requested by us, such as your payment details. To protect your data during transmission, we use the current state of the art encryption methods (e.g., SSL) over HTTPS.
Legal Basis: The processing of the data required for the conclusion of the contract is based on Article 6(1)(b) GDPR.
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: These data will be stored in our systems until the legal retention period expire.
The provision of your personal data is voluntary, solely on the basis of your consent. Without the provision of your personal data, we can only grant you limited access to our services.
8. Contact
-
When contacting PollUnit (for example via a contact form or e-mail), your data will be stored for the processing of the inquiry as well as for the case of further questions.
Legal Basis: The processing of the data entered in contact forms or in support requests is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest or to implement pre-contractual measures (Article 6(1)(b) GDPR).
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: The data will be deleted as soon as they are no longer required for our recording purposes.
The provision of your personal data is voluntary, solely on the basis of your consent. Without providing the necessary information of your request (such as e-mail address, name...) we can not process your request.
9. Posts and Comments
-
When you create posts, comments or other information, your IP address will be saved. This occurs to the security of the offerer, if someone writes illegal contents (insults, prohibited political propaganda, etc.) in comments and contributions. In this case, the provider itself may be prosecuted for the comment or contribution and is therefore interested in the author's identity.
Legal Basis: The data entered as comments or contributions will be processed in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest.
Recipients: If applicable, technical service providers (contract processors) receive data that are used for the operation and maintenance of our website. Further information can be found in Appendix 2.
Storage period: Comments and posts in PollUnits are automatically deleted when the PollUnit to which the comments and posts belong is deleted. The deletion of contributions in our support forum can be requested by contacting us.
The provision of your personal data is voluntary, solely on the basis of your consent. Without the provision of your personal data, we can only grant you limited access to our services.
10. Integration of third-party services and content
- It may happen that third parties are involved in our application. For the technical delivery of the content to your browser, the providers need and use your IP address. We have no influence on the further processing of your IP address with these providers. As far as we know, we will clarify our users about this. Third party content might be: videos from YouTube, GoogleMaps map material, RSS feeds, Digitalocean graphics, and advertisings
- You can share your surveys and our application across different social networks. The buttons are marked accordingly with the logo and name of the network. Clicking on the button will take you to the offer or the website of the respective network. We have no influence on the processing of your data with these providers.
- To invite friends or colleagues to a PollUnit, You can find your Google Contacts through the Google People API. Once you've permitted PollUnit to access the Google People API, you can search the email addresses of your contacts and select those to which you want to send the invitation.
- When you create a video contest, you and your participants can add YouTube and Vimeo videos. When the video contest is accessed, the videos are retrieved from YouTube or Vimeo. The YouTube videos will be integrated into PollUnit with extended privacy mode, so that no YouTube cookies are set to analyze the usage behavior.
11. Secure data transmission
- By encrypting, your personal data will be transferred securely. The secure transfer applies to your orders and also to your customer login. We use the encryption system SSL (Secure Socket Layer). Our website is protected by technical and organizational measures against loss, destruction, access, alteration or distribution of your data by unauthorized persons.
12. Claim for information, revocation and correction of your data
- According to the EU General Data Protection Regulation (GDPR), you have the right to receive free of charge information about your stored personal data (Article 15 GDPR). Likewise, you have the right to correct (Article 16 GDPR), block (Article 18 GDPR) or delete (Article 17 GDPR) your personal data. Except for this is the prescribed data storage for business processing. Du kannst Widerspruch gegen die You may object to the processing of your data (Article 21 GDPR) and to the transferability of your data, if you have not consented to any data processing or concluded a contract with us (Article 20 GDPR). Excluded from this is the prescribed data storage for business transactions.
- In order to ensure that data can be blocked at any time, these data must be kept in a lock file for control purposes. You may also request the deletion of the data if there is no legal obligation to archive. If such an obligation exists, we will lock your data on request.
- You may make changes or revoke a consent by means of a corresponding notice to us with effect for the future.
- You can complain to a supervisory authority at any time, e.g. to the competent supervisory authority of the federal state in which you live or to the authority responsible for us: supervisory authorities and their addresses.
13. Questions to the Data Protection Supervisor
- If you have any questions about the privacy policy, please send your inquiry by e-mail or by mail, clearly identifying your person to the above address.
14. Privacy policy updates
- We reserve the right to update our privacy policy if necessary. This is necessary in order to ensure that data protection is always in accordance with current legal requirements and to make changes to our services. When revisiting our website, the new updated privacy policy applies.
15. Cookies
-
A cookie is a text file that we store on the hard disk via the user's web browser. It is possible to configure the settings of the web browser so that the storage of cookies on the computer is no longer possible. This affects the functionality of our website. We use cookies to extend the functionality of our website and to make it easier for our users to use them. We need cookies to identify users and enable them to log on to our website.
Timezone Cookie: We use this cookie to store your time zone and show you date fields and times in the correct time for you. This cookie is automatically deleted by your browser (unless otherwise configured) when you end your session.
Session Cookie: We use this cookie to store an identification code. This code does not contain any personal data and is used to link you to your account or settings. This cookie is stored for 2 months.
PollUnit-Cookie-Check: We use this cookie to easily find out if your browser can store cookies.
16. Digital wallets
- When a Stripe account is linked to PollUnit, the Stripe account can receive donations and charges. The link is stored in PollUnit as a wallet. In the process, payment data is made available to the payment provider Stripe. The owner of the Stripe account, who becomes the responsible merchant by linking with PollUnit, can access data necessary for billing via the Stripe Platform.
-
The payee is obligated to comply with all applicable laws and regulations related to the processing of personal data collected in connection with the payments they accept. This includes compliance with the General Data Protection Regulation (GDPR) and other applicable laws for the protection of personal data.
Legal Basis: The processing of the data entered during the payment is based on the consent of the user and serves the execution of the payment (Article 6(1)(a) GDPR).
The processing of data entered when linking a Stripe and PollUnit account is based on our legitimate interest and serves the execution of the contract (Article 6(1)(b) GDPR).
Recipients: PollUnit, Stripe, and the payee can view payers' payment and contact information. Credit card numbers of payers are kept secure and used only for processing payments. PollUnit as well as the payee does not have access to the complete credit card number.
For more information, please see Appendix 2.
Storage period: You can delete your wallets from PollUnit on your own at any time or contact us and ask us to delete them.
Version: 02.2023
Appendix 1
Technical and organisational measures
1. Privacy
Measures to prevent unauthorised persons from having access to personal data:
Server passwords are only known to selected persons.
The password to the administration interface is assigned by the controller himself.
Encrypted transmission of authentication secrets.
Measures that are suitable to prevent unauthorized person from gaining access to personal data:
Through regular security updates, the Processor ensures that unauthorized access is prevented.
Personal data is processed automatically, so that no data storage in the offices of the Processor is necessary. Exceptions to this is manual processing of the Controller's enquiries and temporary copies for error analysis.
Implementation of access restrictions.
Measures that are suitable for denying unauthorized persons access to data processing systems in which personal data is processed or used:
Digital Ocean's server site is ISO 27001 certified, among others.
Measures designed to ensure that data collected for different purposes can be processed separately:
Data records from different PollUnits are specially marked with a PollUnitID and a UserID.
Test and productive data are stored in independent systems. The PollUnit test and development systems are strictly separated from the production system.
The production system has its own domain and SSL certificates.
The Controller is responsible for the pseudonymisation.
2. Integrity
Measures that are suitable for ensuring that no personal data is passed on to unauthorised persons:
Secure data transmission between server and client.
The Controller can control the access to his PollUnits himself.
All employees and developers are obliged to maintain confidentiality and are subject to a confidentiality obligation.
Measures that are suitable so that personal data can be checked:
Personal data is entered by the Controller himself and can be checked in his user settings.
3. Availability control and resilience of the systems
Measures that are appropriate to protect personal data against accidental destruction or loss:
Digital Ocean's data centres are equipped with appropriate safeguards.
The PollUnit servers are redundant.
Automatic backup copies and backups are made on a regular basis.
Monitoring of critical systems.
4. Review, Assessment, and Evaluation
Processes for regular review, assessment, and evaluation of the effectiveness of technical and organizational measures:
We conduct regular reviews to ensure that the software used, including plugins, is continuously updated to the latest versions, and all necessary security updates are implemented.
Through automated security and code analyses, we ensure continuous monitoring of our systems. This allows us to identify potential vulnerabilities early and proactively address them.
In addition to automated analyses, we rely on the expertise of our developers. Through pair programming and code reviews, we conduct targeted manual security analyses to ensure that even subtle risks are recognized and addressed.
Our monitoring systems enable real-time monitoring of our services, their availability, and speed. Continuous monitoring allows us to react immediately and proactively take measures.
Full-stack monitoring is employed to monitor all components or layers (stacks) of our application architecture, ranging from the user interface to the underlying infrastructure.
Real-time error tracking enables us to detect errors in real-time and respond immediately.
Version control ensures traceability and allows for a detailed review of all code changes over time.
Appendix 2
Subcontractors
1. Digital Ocean
Our service runs on the servers of Digital Ocean LLC (New York, USA). The server is located in Frankfurt, Germany and is ISO 27001, SOC2 and PCI DSS certified. In addition, we have concluded a »Data Processing Agreement« with Digital Ocean which contains Digital Ocean's obligation to comply with the GDPR and the standard contract clauses (SCC) based on the European Commission Decision 2021/914 (EU) of June 4, 2021. All data except uploaded files are stored here.
Further data protection information from Digital Ocean can be found at Digital Ocean - Trust Platform.
2. Amazon Web Services
All files you upload such as images, PDFs and MP3s are encrypted and stored by our file storage service provider »AWS« Amazon Web Services, Inc, (Seattle, USA). The server location Frankfurt, Germany and is ISO 27001, ISO 27017, ISO 27018, SOC1, SOC2, SOC3, and PCI DSS Level 1 certified. In addition, we have concluded a »Data Processing Agreement« with AWS which contains AWS's obligation to comply with the GDPR as well as the standard contractual clauses based on the European Commission Decision 2021/914 (EU) of June 4, 2021.
Further data protection information from AWS can be found at GDPR - Amazon Web Services (AWS).
3. Mailgun
All system e-mails from PollUnit are sent by our service provider Mailgun Technologies Inc. (San Francisco, USA) on our behalf from a server within the European Union. Mailgun's service is built on AWS. Mailgun is ISSAE-16 SOC I und II, HIPAA and ISO27001 certified. In addition, we have concluded a »Data Processing Agreement« with Mailgun which contains Mailgun's obligation to comply with the GDPR as well as the standard contractual clauses based on the European Commission Decision 2021/914 (EU) of June 4, 2021.
Further privacy information from Mailgun can be found at https://www.mailgun.com/privacy-policy and https://www.mailgun.com/gdpr
The legal basis for this is Article 6(1)(b) GDPR.
4. Stripe
Payments can be processed via the payment service provider Stripe (Ireland). Additionally, creators of PollUnits can link their own Stripe account with PollUnit to create a PollUnit Wallet (digital wallet) to receive payments. These payments are processed through Stripe. Stripe is PCI DSS Level 1 certified. In addition, we have concluded a »Data Processing Agreement« with Stripe which contains Stripe's obligation to comply with the GDPR as well as the standard contractual clauses based on the European Commission Decision 2021/914 (EU) of June 4, 2021.
Stripe processes the cardholder's name, email address, customer number, order number, bank details, credit card details, credit card validity period, credit card verification number (CVC), date and time of transaction, transaction amount, provider name and location. Information provided to Stripe is not under our control and is subject to Stripe's privacy policy. Further privacy information from Stripe can be found at https://stripe.com/privacy-center/legal.
The legal basis for this is Article 6(1)(b) GDPR.
5. BunnyWay d.o.o. (bunny.net)
To optimize the loading times of PollUnit, we utilize the Content Delivery Network (CDN) provided by bunny.net. Creators of PollUnit video contests can upload videos or prompt participants to upload their own videos. These videos are stored, transcoded, and delivered (streaming) by BunnyWay d.o.o. (Slovenia). Personal data is anonymized and not shared with third parties. bunny.net does not collect, store, or distribute any information that could be used to identify a user or disclose their personal data. If the contents of the uploaded videos/files contain such information, it will not be anonymized. In addition, we have concluded a »Data Processing Agreement« with BunnyWay d.o.o.. Further data protection information from BunnyWay d.o.o. can be found at https://bunny.net/privacy/.
The legal basis for this is Article 6(1)(b) and (f) GDPR.
Appendix 3
Individuals authorised to issue instructions
The following individuals are authorised to issue and receive instructions.
Philipp Großelfinger
Co-Founder PollUnit
philipp@pollunit.com
Markus Huber
Co-Founder PollUnit
markus@pollunit.com
Appendix 4
Data protection officer
The data protection officer is responsible for all issues relating to the protection of personal data, including data security.
Markus Huber
markus@pollunit.com
Appendix 5
Requirements of the California Consumer Privacy Act (CCPA)
To comply with the requirements of the California Consumer Privacy Act of 2018, this agreement is supplemented by the following points:
The Processor will not...
a) collect, retain, use, disclose or otherwise process any personal information processed in connection with the Services for any purpose other than as necessary for the specific purpose of performing Services on behalf of Controller;
b) collect, retain, use or disclose the Controller Data for a commercial purpose other than providing the Services on behalf of the Controller;
c) sell the Controller Data.