Last Modified: May 16, 2018
- Scope of this policy
- General Information
- Which information we collect about you and why
- How we use the information we collect
- Who may receive information about you
- How we store and secure information we collect
- How to access and control your information
- Overview of the rights you have
We are very delighted that you have shown interest in our enterprise. Speexx, a brand of digital publishing AG (“Speexx”; “we”, “us”, “our”), is offering online language testing and learning solutions to organizations and individuals using web applications via the Speexx Portal on https://portal.speexx.com (the “Service”) and we operate websites on https://www.speexx.com (the “Websites”) to market for the subscription to the Service. We are committed to protecting the privacy of individuals who visit our Websites (“Visitors”) and individuals who register to use the Service (“Users”) (collectively “you” or “your”).
Our Data Protection Principals
Speexx follows these principals to protect the privacy of your personal data:
- We do not collect personal information other than is necessary to provide the Service or the Websites.
- We do not keep your personal information if it is no longer needed.
- Where we provide our Service under contract with an organization (for example your employer) that organization controls the personal information processed by the Service. For more information, please see “Data Processing on Behalf of Customer”.
We, digital publishing AG and its affiliates, assume the role of controller as per the EU General Data Protection Regulation (GDPR). In other words, we are the legal entity that shall determine the purposes and means of the processing of personal data. If you have questions or concerns about how your information is handled, please direct your inquiry to: Tumblingerstraße 32, 80337 Munich, Germany, Tel.: +49 89 74 74 82 0, Fax: +49 89 74 79 23 08, E-mail: email@example.com
Data Protection Officer
Our Data Protection Officer is Felix Frankenberger, Tumblingerstraße 32, 80337 Munich, Germany, E-mail: firstname.lastname@example.org
Processing for another purpose
Data processing on behalf of customer
Many products of our Service are intended for use by organizations. Where the Service is made available to you through an organization (e.g. your employer), that organization is the controller of your personal information and we are the processor of data in accordance with Article 28 (3) of the EU GDPR. In such cases, the data processing is subject to a dedicated data processing agreement between the organization and Speexx. If you have any questions or requests related to your personal data for such managed Service User accounts, please get in touch with your organization.
If you are an organization and you would like to ensure your compliance with the EU-GDPR when using Speexx as a provider, you can use our Data Processing Agreement template available here. Please return the completed and signed agreement to email@example.com.
Which information we collect about you and why
The main reason we process personal data is to fulfil our contractual obligations towards the Users of our Service. The processing of data is required, for example, for us to be able to provide our language training services to you. In addition to this, we process your data to preserve our justifiable interests while taking your interests into account (e.g. when you sign up for our newsletters). In some cases, we are legally obliged to process data (e.g. to pass the data on to any investigative authorities). In all other cases we will ask for your consent to process your data (e.g. when you sign up for one of our online webinars or conferences).
Information you provide when you use our Service or visit our Websites.
Information you provide as User of the Service: We collect information about you when you register as a User for the Service, create or modify your profile, set preferences, sign-up for or make purchases through the Service. For example, you provide your contact information (name, address, contact telephone number, email address) so that we can identify you and interact with you. You are also asked to add a nick name to ensure that you do not have to reveal your real identity when interacting with us or other Users of the Service and your time zone to ensure the booking and calendar features of the Service to your profile. We keep track of your preferences when you select settings within the Service (e.g. about the language training topics you are interested in)
Content you provide through the Service: The Service includes the Speexx products you use, where we collect and store content that you post, send, receive and share. This content includes any information about you that you may choose to include. Examples of content we collect, and store include: the comments you add in our Forum, the answers you provide in our Skill Training, the messages and information you exchange with our trainers as part of the language training Service, and any feedback you provide to us. Content also includes the files and links you upload to the Service.
Information you provide as Visitor of our Websites: The use of our Websites is possible without entering personal data. However, if you wish to access content such as white papers, infographics, eBooks or participate in a webinar or Speexx conference, we will ask you to enter personal data, such as name, surname, work email and company name via our Websites. By entering your data, you consent to the processing of your data and to the use of your email address for sending you Speexx contents or event invitations. You can change mailing / content preferences in the dedicated subscription center – linked to at the bottom of the emails you receive from us – at all times.
Information you provide through our customer service channels: The Service and the Websites include our customer support services via a help desk system, where you may choose to submit a question about the Service or information regarding a problem you are experiencing with the Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our customer service team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful to answering your request, via our help desk.
Payment Information: We collect certain payment and billing information when you register for a paid Service. For example, we may ask you to designate a billing representative, including name and contact information, upon registration. You might also provide payment information, such as payment card details, which we collect via secure payment processing services.
Information we collect automatically when you use the Service or the Websites
Your use of the Service: We keep track of certain information about you when you use and interact with our Service. This information includes the features you use, the content you click on and you upload to the Service, and how you interact with our trainers and with other Users of the Service, e.g. when using our virtual classroom.
Device and connection information: We collect information about your computer, phone, tablet, or other devices you use to access the Service or the Websites. This device information includes your connection type and settings when you install, access, update, or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Service or the Websites.
How we use the information we collect
How we use the information we collect depends on which Service or Websites you use or visit, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you.
To provide the Service and personalize your experience: We use information about you to provide the Service to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate and maintain the Service. Our Service includes tailored features that personalize your experience by automatically analyzing your activity to provide activity feeds, notifications and recommendations that are most relevant for you.
For research and development: We are always looking for ways to make our Service smarter, faster, secure, integrated, and useful to you. We use collective learnings about how people use our Service and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the Service.
To communicate with you about the Service: We use your contact information to send transactional communications via email and within the Service, including confirming your purchases, responding to your questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages. We also provide tailored communications based on your activity and interactions with us. These communications are part of the Service and in most cases, you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in the settings of your Service account.
To market and promote the Service on our Websites: We use your contact information you provide on our Websites to send promotional communications that may be of specific interest to you, including by email and by displaying Speexx ads on other companies’ websites and applications, as well as on platforms like Facebook and Google. These communications are aimed at driving engagement and market the Service, including information about industry trends and news, new features, survey requests, newsletters, and events we think may be of interest to you. You can control whether you receive these communications as described below under “Opt-out of communications.”
For safety and security: We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.
To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
With your consent: We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may send you promotional newsletters or invitations to online webinars when you sign up for these.
Who may receive information about you?
Your data can only be viewed by you and Speexx employees who are delivering parts of the Service to you. If you are using the Service through an organization (e.g. your employer, please see “Data processing on behalf of customer” above), this organization may also have access to your personal data.
We only pass your personal data on to third parties when this is required to fulfil our business purposes (i.e. for payment processing or providing customer service via our help desk), when you have given your consent to this by using our Websites or agreeing on the collection of personal information on our Websites, or when we are obliged to on legal grounds, by court order, or at the request of another official authority.
In cases where we work together with external service providers for our data processing (e.g. for payment processing or providing customer service), this is usually carried out on an order processing basis, whereby we remain responsible for data processing. We review each of these service providers beforehand with regard to the measures they have undertaken to ensure data protection and data security, thereby safeguarding the contractual provisions as stipulated by law for the protection of the personal data.
In cases where we use third-party providers on our Websites who will receive personal information about you, you will find the details on how we use those providers and to which extent they receive information about you in the section “Which type of technologies to we use” of our Cookies and Tracking Notice.
We use our help desk provider Zendesk for managing our customer support services. Zendesk is an online help desk service provider and provides a system for tracking, prioritizing and solving customer support requests across multiple channels, bringing customer information and interactions into one place. The operating company of the Zendesk is Zendesk Inc., 1019 Market Street, San Francisco, CA 94103-1612, USA.
If you choose to contact our customer service, your personal information will be transmitted automatically to Zendesk. By using our customer service channels, you agree to the transmission of personal information required for answering your service request. The personal information exchanged with Zendesk is your name, e-mail address and any additional information you choose to provide as part of your service request.
The legal basis for using Zendesk for our customer service is a data processing agreement pursuant to Art. 6(1)(b) GDPR between Speexx and Zendesk, which in turn is EU-US Privacy Shield certified.
We use the payment provider Stripe for processing payment when you register for a paid Service. Stripe is an online payment service provider. Payments are made via a Stripe plugin. Stripe also offers the possibility to make virtual payments via credit cards. Stripe makes it possible to trigger online payments to third parties or to receive payments. The operating company of Stripe is Stripe, Inc., 185 Berry Street, Suite 550, San Francisco, CA 94107, USA
If you choose “Credit Card payment” as the payment option during the ordering process of a paid Service, the payment information will be transmitted automatically to Stripe. By selecting this payment option, you agree to the transmission of personal information required for payment processing. The personal information exchanged with Stripe is the purchase sum and your e-mail address, which are both necessary for payment processing. If necessary, Stripe will pass on personal information to affiliates and service providers or subcontractors to the extent necessary to fulfill contractual obligations or to process the data in the order.
You have the possibility to revoke the consent to the handling of personal data at any time from Stripe. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
Regarding the provision of our Service, we collect information globally and store that information in Germany and the European Union. We may transfer, process and store your information outside of your country of residence, to where we operate for the purpose of providing you the Service. Whenever we transfer your information, we take steps to protect it.
If we do this to fulfill our contractual obligation, this does not require either an adequacy decision pursuant to Article 45 of the EU GDPR or appropriate safeguards pursuant to Article 46 of the EU GDPR.
In cases where the transfer does not serve the fulfilment of our contractual obligations, we have not received consent from you, the transfer is not necessary for the establishment, exercise or defense of legal claims, and no other exemption clause applies, we shall only transfer your data when an adequacy decision pursuant to Article 45 of the EU GDPR or appropriate safeguards pursuant to Article 46 of the EU GDPR are in place.
One of these adequacy decisions is the so-called “Privacy Shield” for the USA. For transfers to companies certified in accordance with the Privacy Shield, the level of data protection is deemed in principle as adequate, pursuant to Article 45 of the EU GDPR. Generally speaking we do not rely on the Privacy Shield alone however. Instead we provide for appropriate safeguards by closing standard data protection clauses as decreed by the European Commission with the recipient body pursuant to Article 46 of the EU GDPR, as well as an adequate level of data protection.
How we store and secure information we collect
Information storage and security
We use our own servers, as well as data hosting and housing service providers in Germany and the European Union to host the information we collect, and we use technical measures to secure your data.
How long we keep information
How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
Service User account information: We retain your account information as User of the Service for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Service. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Service. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyze personal characteristics about you.
Managed Service User accounts: If the Service is made available to you through an organization (e.g., your employer), we retain your information as long as required by and agreed on by the organization who manages your account. For more information, see “Data processing on behalf of customer” above.
Marketing information: If you have chosen to receive marketing content information from us (e.g. via email), we retain information about your marketing content preferences for a reasonable period of time from the date you last expressed interest in our Service, such as when you last opened an email from us. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
How to access and control your information
You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.
You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests. As a User of the Service you can exercise some of the choices by logging into the Service and using settings available within the Service or your account. Where the Service is provided to you via an organization (e.g. your employer), you may need to contact your responsible organization to assist with your requests first (please also notice the section “Data processing on behalf of customer” above). For all other requests, you may contact us to request assistance.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your organization are permitted by law or have compelling legitimate interests to keep.
Access and update your information: Our Service gives you the ability to access and update certain information about you from within the Service. For example, you can access and update your profile information from your User account.
Deactivate your Service account: If you no longer wish to use our Service, you or the responsible organization may be able to deactivate your Service account. If you can deactivate your own account, that setting is available to you in your account settings. Otherwise, please contact the responsible organization (e.g. your employer). If you are an administrator of an organization and are unable to deactivate an account through your administrator settings, please contact Speexx support. Please be aware that deactivating your account does not delete your information; your information remains available in case you want to reactivate your User account at a later stage. For more information on how to delete your information, see below.
Delete your Service information: Our Service gives you the ability to delete certain information about you from within the Service. For example, you can remove certain profile information within your profile settings. If you want to completely delete your Service account, you may contact us or get in touch with the responsible organization (e.g. your employer) to request deletion.
Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
Request that we stop using your information: In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don’t have the appropriate rights to do so. For example, if you believe a Service account was created for you without your permission or you are no longer an active user of the Service, you can request that we delete your account as provided in this policy.
Where you gave us consent to use your information for a limited purpose as Visitor of our Websites, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt-out of our use of your information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request. If there is delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved, provided your responsible organization does not object (where applicable, see section “Data processing on behalf of customer” above).
Opt out of communications related to the use of our Websites: You may opt out of receiving promotional communications from us by using the unsubscribe link within each email or by contacting us as provided below to have your contact information removed from our promotional email list. Even after you opt out from receiving promotional messages from us, you will continue to receive messages or notifications from us regarding the use of the Service. You may be able to opt out of some notification messages in your Service account settings.
Turn off Cookie Controls: Relevant browser-based cookie controls are described in our Cookies & Tracking Notice.
Send “Do Not Track” Signals: Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Websites do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.
Data portability: Data portability is the ability to obtain some of your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some of your information, but not to all of your information. Should you request it, we will provide you with an electronic file of your basic account information.
Data protection for job applications and the application procedures
We may collect and process personal data of job applicants for the purpose of the processing of the application procedure. The processing is carried out using our third-party provider BambooHR. If we conclude an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant and Speexx, the application data shall be automatically erased two months after notification of the refusal decision, provided that the applicant hasn’t agreed otherwise, or no other legitimate interests are opposed to the erasure. Other legitimate interest in this relation is, e.g. a burden of proof in a procedure under the German General Equal Treatment Act (AGG).
BambooHR is an online human resources (HR) software service. BambooHR uses information, if you apply for a job with us. BambooHR will collect, process and store the information you provide to us for recruitment purposes. The operating company of BambooHR is Bamboo HR LLC, 335 South 560 West, Lindon, UT 84042-191, USA.
The legal basis for using BambooHR for our job application procedures is a data processing agreement pursuant to Art. 6(1)(b) GDPR between Speexx and BambooHR, which in turn is EU-US Privacy Shield certified.
Overview of the rights you have
You have legal rights available to you with regard to data access, rectification, erasure, restriction of processing and objection to processing, as well as the right to data portability, amongst others. In addition, you can withdraw any consent you may have given to data processing at any time and have the right to lodge a complaint with a supervisory authority.
Right to object
General: You have the right to object at any time to the processing of personal data concerning you, pursuant to Article 6 (1) f) of the EU GDPR. This shall also apply to any profiling carried out on the basis of these provisions. Please use our contact us to submit any objection.
Direct marketing / newsletters: If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. This includes profiling to the extent that it is related to such direct marketing. You can unsubscribe to our newsletters at any time in your e-mails by clicking on the link provided at the end of the respective newsletter.
Right of access
You have the right to demand confirmation as to whether we process your personal data. If this is the case, you are entitled to receive information about this personal data. Please contact us to request information about your personal data.
If personal data is passed on to a third country or an international organization, you have the right as the person affected to be informed about the respective guarantees (pursuant to Article 46 of the EU GDPR) regarding this sharing of data.
Right to rectification
You have the right to demand that we correct any incorrect personal data concerning you with immediate effect. Taking the purposes of processing into account, you have the right to demand the completion of any incomplete personal data – including by means of a supplementary explanation.
Right to erasure (“Right to be forgotten”)
You are entitled to demand that we delete your personal data without delay if one of the following applies: The personal data is no longer required for the purposes for which it was collected or processed in some other way. You withdraw your consent that the processing was based on pursuant to Article 6 (1) a) or Article 9 (2) a) of the EU GDPR, and there are now no valid legal grounds for processing. You submit an objection to the processing of your data pursuant to Article 21 (1) of the EU GDPR and there are no overriding justifiable grounds for the processing, or you submit an objection to the processing of your data pursuant to Article 21 (2) of the EU GDPR. The personal data was processed unlawfully. The deletion of the personal data is required to fulfil a legal obligation in accordance with EU law or the law of individual member states. The personal data was recorded in relation to the offer of information society services directly to a child, pursuant to Article 8 (1) of the EU GDPR. Once you have made your request we are obliged to delete the data with immediate effect. The lawfulness of the data processing for the period between the consent and the withdrawal of this consent shall remain unaffected.
In case you are a User of the Service through an organization (e.g. your employer), we are not the controller, but only the processor of your personal data. Please get in touch with the administrator of your organization in case want your personal data deleted from the Service.
Right to restriction of processing
You are entitled to demand a restriction to the processing of your personal data in cases where you dispute the correctness of the personal data, for a period of time that allows the controller to review the correctness of that personal data. If the processing is unlawful and you reject the erasure of the personal data in favour of demanding a restriction to the use of the personal data we will fulfill this request. Processing will also be restricted if we no longer require your personal data for the purposes of processing but do require it for the establishment, exercise or defence of legal claims. Or if you have objected to processing pursuant to Article 21 (1) of the EU GDPR, for as long as is not yet ascertained whether the justifiable grounds of the controller outweigh your grounds. You will be informed in advance by us should the restriction be revoked.
Right to data portability
You have the right to receive personal data concerning you that you have made available to us in a structured, conventional and machine-readable format, and you also have the right to transfer this data to another controller without being impeded by us to whom the personal data has been made available. The condition is that a) processing is based on consent pursuant to Article 6 (1) a) of the EU GDPR or Article 9 (2) a) of the EU GDPR or on a contract pursuant to Article 6 (1) b) of the EU GDPR, and b) the processing is conducted with the help of automated processes. When exercising your right to data portability you have the right to demand that the personal data is transferred directly from us to another controlling body, provided this is technically viable.
Right to withdraw consent
If processing is subject to your consent you have the right to withdraw this consent at any time. This shall not affect the lawfulness of any processing that took place with your consent up until its withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority responsible for our company. That authority is: Landesamt für Datenschutzaufsicht, Promenade 27, 91522 Ansbach, Tel.: +49 981 53-1300, Fax: +49 981 53-981300, E-Mail: firstname.lastname@example.org, https://www.lda.bayern.de