Privacy Policy

Latest update: November 04, 2024

We attach great importance to data protection and would like to explain to you below how we collect and process your personal data. In doing so, we comply with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).

1 Contact data

The controller for the collection, processing and use of your personal data pursuant to Art. 4 No. 7 GDPR is:

heylogin GmbH
Sophienstr. 40
38118 Braunschweig

heylogin GmbH has appointed an external data protection officer:

Steffen Lüning
Brandeis Digital GmbH
Im Hagedorn 34
45701 Herten
Email address: privacy@heylogin.com

If you wish to object to the collection, processing or use of your data in accordance with this Privacy Policy, either in its entirety or for specific measures, you may address your objection to the data controller.

You can save and print this privacy policy at any time.

2 What data we process and why

In the following, we explain to you which personal data we use for which purpose and on which legal basis. Where we speak of "website" or "service", we refer to our product "heylogin" with the associated components, specifically the heylogin apps for Android/iOS, the extensions and the web application at heylogin.app.

A separate privacy policy exists for our marketing website heylogin.com.

2.1 Hosting

We use hosting services to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we need to operate the service.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data based on our legitimate interest in the efficient and secure provision of our website or service in accordance with Art. 6 (1) p. 1 f) GDPR.

2.2 Access data in server log files

When you visit our website, we collect information about you. We automatically record things like your activity on the site and how you interact with us. We also record information about your device, whether it is a computer or a cell phone. This information helps us better understand and improve our website.

The data we collect includes:

  • The name and the Internet address of the file you have accessed
  • Date and time when you visited the page
  • How much data was sent back and forth
  • Whether the access was successful (this is called the HTTP response code)
  • Which internet browser and version you use
  • What operating system is running on your device
  • The page from which you came to us (this is called the referrer URL)
  • Other websites you have visited through our site
  • Information about your Internet provider
  • Your IP address and from which provider you have your internet connection

We use this collected data to make our website safer and better. This helps us find and fix bugs and improve our service. We only use this data for general statistical analysis and not to identify you personally. This is important for the safe operation of our website.

Sometimes we also check this data more closely if we suspect that someone is using our website in an unauthorized way. We store your IP address for a short period of time when it is necessary for security reasons or when billing is involved. After you leave the site or a payment is made, we delete the IP address when we no longer need it. We also keep IP addresses if we think someone is using our website for criminal activity.

2.3 Cookies

We use cookies to establish the functionality of our service. Only technically necessary cookies are stored for this purpose. Since sensitive data is processed in the components of the product, especially on heylogin.app, we explicitly do not use technically non-essential cookies here.

2.3.1 What are cookies?

A cookie is a small text file that we store on your hard drive or device when you visit our website. This file contains various information that enables our website to offer you a pleasant visit, e.g. by "remembering" certain information or preferences you have made.

When the cookie is activated, it is assigned an identification number. Your personal data is not assigned to this identification number. Your name, your IP address or similar data that would allow the cookie to be assigned to you are not stored in the cookie. With the help of the cookie technology, we only receive pseudonymized information, e.g. about visited pages or viewed offers.

Without the use of cookies, websites cannot save your preferences or registration information for your next visit.

2.3.2 What cookies do we use?

On the one hand, we use technically necessary cookies that enable certain core functions of our service. This can be, for example, the storage of certain data or settings.

The use of technically necessary cookies is based on our legitimate interest pursuant to Art. 6 (1) p. 1 f) GDPR. Our service is designed to be user-friendly and functional, and the use of these cookies does not usually affect your interests as a data subject. Therefore, a case-by-case consideration is usually not necessary. Insofar as a cookie is necessary to provide you with our service (password manager), the legal basis is Art. 6 para. 1 p. 1 b) GDPR.

2.4 Data for the fulfillment of our contractual obligations

We process personal data that we need to establish a contractual relationship with you and to fulfill our contractual obligations under an existing contractual relationship, such as name, address, e-mail address, ordered services, billing and payment data.

The legal basis for the processing of this data is Art. 6 para. 1 p. 1 b) GDPR, because this data is needed so that we can fulfill our contractual obligations to you or initiate a contract with you.

2.5 E-mail or telephone contact

If you contact us (e.g. by phone, contact form or e-mail), we process your information in order to handle your request and in case further questions arise.

If the data processing is carried out for the implementation of pre-contractual measures, which are carried out on your request, or if you are already our customer, for the implementation of the contract, the legal basis for this data processing is Art. 6 para. 1 p. 1 b) GDPR. Otherwise, we process your personal data based on our legitimate interest to answer your questions according to Art. 6 para. 1 p. 1 f) GDPR.

3 Storage duration

Unless specifically stated, we will only store your personal data for as long as is necessary to fulfill our purposes.

We delete your personal data after the storage is no longer necessary (e.g. after final response to your request, for the duration of our contractual relationship until its final termination), or - in the case of legal retention obligations - we restrict the processing. Please note that further processing is required in particular for:

  • Fulfillment of statutory retention obligations, which may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), for example. The periods specified therein are up to ten years.
  • Preservation of evidence within the framework of statutory limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
  • In some cases, the legislator stipulates the retention of personal data, for example in tax or commercial law. In these cases, we store the data only for these legal purposes, but do not process them in any other way and delete them after the legal retention period has expired. The legal basis for this processing is Art. 6 para. 1 p. 1 c) GDPR.

4 Your rights as a person affected by data processing

According to the applicable laws, you have various rights regarding your personal data. If you wish to exercise these rights, please send your request by e-mail or by post, clearly identifying yourself, to the address mentioned in section 1.

Below you will find an overview of your rights.

4.1 Right to confirmation and information

You have the right to receive clear information about the processing of your personal data.

In detail:

You have the right to receive confirmation from us at any time as to whether we are processing your personal data. If this is the case, you have the right to request from us, free of charge, information about the personal data stored about you, together with a copy of this data. Furthermore, you have the right to the following information:

  • the purposes of processing;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
  • the existence of a right to rectification or erasure of personal data concerning you or to restriction of processing by the controller or a right to object to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • if the personal data is not collected from you, any available information about the origin of the data;
  • the existence of automated decision-making including profiling pursuant to Article 22(1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you.

If personal data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

4.2 Right to rectification

You have the right to request us to correct and, if necessary, complete personal data concerning you.

In detail:

You have the right to request that we correct any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.

4.3 Right to erasure ("right to be forgotten")

In a number of cases, we are required to delete your personal data.

In detail:

You have the right under Article 17(1) of the GDPR to request that we delete your personal data without undue delay, and we are obliged to delete personal data without undue delay if one of the following reasons applies:

  • Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You revoke your consent on which the processing was based pursuant to Art. 6 (1) p. 1 a) GDPR or Art. 9 (2) a) GDPR and there is no other legal basis for the processing.
  • You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
  • Your personal data has been processed unlawfully.
  • The deletion of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
  • Your personal data was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

If we have made your personal data public and we are obliged to erase it pursuant to Article 17(1) of the GDPR, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform the data controllers that process your personal data that you have requested that they erase all links to or copies or replications of that personal data.

4.4 Right to restriction of processing

In a number of cases, you are entitled to request that we restrict the processing of your personal data.

In detail:

You have the right to request us to restrict processing if:

  • the accuracy of your personal data is contested by you for a period of time that allows us to verify the accuracy of your personal data,
  • the processing is unlawful and you have refused the erasure of the personal data and instead requested the restriction of the use of the personal data;
  • we no longer need the personal data for the purposes of processing, but you require the data for the assertion, exercise or defense of legal claims, or
  • you have objected to the processing pursuant to Art. 21 (1) GDPR, as long as it has not yet been determined whether the legitimate reasons of our company outweigh yours.

4.5 Right to data portability

You have the right to receive your personal data in machine-readable form, to transmit it or to have it transmitted by us.

In detail:

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that

  • the processing is based on consent pursuant to Art. 6 (1) p. 1 a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) p. 1 b) GDPR and
  • the processing is carried out with the help of automated procedures.

When exercising your right to data portability pursuant to paragraph 1, you have the right to obtain that the personal data be transferred directly from us to another controller, to the extent that this is technically feasible.

4.6 Right of objection

You also have the right to object to lawful processing of your personal data by us if this is based on your particular situation and our interests in the processing do not outweigh yours.

In detail:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 e) or f) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If we process personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

You have the right to object, on grounds relating to your particular situation, to the processing of your personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

4.7 Automated decisions including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Automated decision-making based on the personal data collected does not take place.

4.8 Right to revoke consent under data protection law

You have the right to withdraw consent to the processing of personal data at any time.

4.9 Right to complain to a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you is unlawful.

5 Data security

We make every effort to ensure the security of your data within the framework of the applicable data protection laws and technical possibilities.

To secure your data, we maintain technical and organizational measures (TOMs) in accordance with Art. 32 GDPR, which we continually adapt to the state of the art. You can find the current measures at https://www.heylogin.com/en/toms.

6 Disclosure of data to third parties, data transfer to non-EU countries

In principle, we only use your personal data within our company.

If and to the extent that we involve third parties in the performance of contracts (such as logistics service providers), they will only receive personal data to the extent that the transfer is necessary for the corresponding service.

In the event that we outsource certain parts of data processing ("commissioned processing"), we contractually oblige commissioned processors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of your rights.

Insofar as a data transfer to controllers or processors in the USA takes place, the legal basis is the adequacy decision between the USA and the EU of July 10, 2023 pursuant to Art. 45 (1) GDPR in conjunction with the certification of the respective service (certification list: https://www.dataprivacyframework.gov/list).

Only in cases where a controller or processor outside the EU is not covered by an adequacy decision do the following legal bases come into consideration:

  • Special consent pursuant to Art. 49 of the GDPR, provided that we obtain your special consent for a specific transfer of personal data to a third country, or
  • the standard contractual clauses (SCC) provided by the EU Commission in accordance with Art. 46 GDPR in conjunction with an individual risk assessment for the respective data recipient in the third country.

We currently work with the following processors and subprocessors:

6.1 Hosting infrastructure subprocessors

During the provision of the heylogin service, heylogin processes personal data on behalf of the respective customer. In doing so, heylogin uses the following subprocessors, in particular to store/host/collect personal data or provide other infrastructures.

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Contract: Provisioning of servers & standby systems to operate the platform heylogin.app. Personal data in the form of customer data, such as contract information, is processed on these systems.

IONOS SE
Elgendorfer Str. 57
56410 Montabaur
Germany

Contract: S3 cloud storage for backups

6.2 Service-specific subprocessors

heylogin works with third-party providers to provide certain functions or features within the heylogin service. These providers have access to relevant personal information (in both identifiable and anonymous form) to provide their respective functions. Use of the information is limited to the purposes listed below.

n8n GmbH
Borsigstr. 27
10115 Berlin
Germany

Contract: Workflow automation between technical systems

Heinlein Hosting GmbH (mailbox.org)
Schwedter Straße 8/9A
10119 Berlin
Germany

Contract: For sending the transactional and non-transactional emails

6.3 Processors in marketing, sales and billing

heylogin does not process certain personal data on behalf of the respective customer but for its own purposes and on its own responsibility, in particular in order to be able to carry out marketing analyses, implement sales processes and handle billing. For this purpose, heylogin uses the following processors.

Plausible Insights OÜ
Västriku tn 2
50403, Tartu
Estonia

Contract: Marketing evaluation of new customers in aggregated form

Pipedrive OÜ
Mustamäe tee 3a
10615 Tallinn
Estonia

Contract: Customer Relationship Management (CRM) for maintaining customer contacts

sevDesk GmbH
Hauptstraße 115
77652 Offenburg
Germany

Contract: Creation and dispatch of invoices if heylogin is purchased directly from heylogin GmbH

Yousign SAS
Rue De Suède Av Pierre Berthelot
14000 - CAEN
France

Contract: Creation of eIDAS- & GDPR-compliant digital signatures

Paddle.com Market Limited
Judd House
18-29 Mora Street
London
EC1V 8BT
United Kingdom

Contract: Payment processing for heylogin as a reseller when heylogin is purchased in self-service via credit card or PayPal; collection of subscription statistics

6.4 Additional integrations

The following companies are third parties with whom we offer optional integrations. When you enable these integrations, including the exchange of account data, any data that heylogin.app retrieves from these integration partners is subject to heylogin's privacy policy.

These third-party integrations are contracted directly by you, the customer. You can enable or disable these integrations in your account at any time.

Microsoft Corporation
One Microsoft Way
Redmond
WA 98052-6399
USA

Contract: Synchronization with Azure Active Directory. When enabled, our integration will only synchronize the data required to run this integration. No other information is requested or transmitted.

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Contract: Synchronization of user data with Google Workspace. Our app's use of information received from Google APIs, and its transfer of that information to any other app, will adhere to the Google API User Data Policy, including the Limited Use Requirements.

Superlative Enterprises Pty Ltd
Level 11/2 Corporate Ct
Bundall QLD 4217A
Australia

Contract: Superlative Enterprises Pty Ltd operates the “Have I Been Pwned” service. This can be used to check data leaks based on domain verification. No personal data is transferred to the service for this integration; data is only received.