PRIVACY POLICY – AT A GLANCE

  • We only collect data that is important for the functioning or improvement of our products.
  • Whenever possible we refrain from collecting individual-related data.
  • We strive to protect all information we have about our users.
  • We do not sell individual-related data.

Thoughtfish (Thoughtfish GmbH, Karlsruher Str. 8, 10711 Berlin) takes the protection of your personal data very seriously and handles it with great care, complying with German data protection law. The following Privacy Policy will provide you with information about the personal data that is collected and how it is processed and used.

Thoughtfish will alter the Privacy Policy from time to time. Please note that the valid version is the updated one.

FULL PRIVACY POLICY

I. General information

1. Controller

In the following, we explain to you which personal data is collected and processed by us when you make use of our services or use our offers.

We are:

Thoughtfish GmbH
Karlsruher Str. 8
10711 Berlin

Tel.: 030 84422644
Fax: 030 56002328
datenschutz@thoughtfish.de

Personal data is individual information about personal or factual circumstances of an identified or identifiable natural person, therefore all information that can be related to a person.

2. Legal basis

Insofar as legal bases are mentioned in this privacy policy, these are those in accordance with the GDPR (“Datenschutz-Grundverordnung”). 

We collect and process personal data based on the legal bases mentioned below: 

  • Consent pursuant to Article 6(1)(a) of the General Data Protection Regulation (GDPR). Consent is any voluntary expression of will in the form of a declaration or other unambiguous affirmative action, given in an informed and unambiguous manner for a specific case, by which the person affected indicates that he or she consents to the processing of personal data relating to him or her.
  • Necessity for the performance of a contract or the execution of preparatory measures pursuant to Article 6(1)(b) of the GDPR, i.e. the data is necessary for us to be able to fulfill our contractual obligations towards you or we need the data to prepare for the conclusion of a contract with you. 
  • Processing for the fulfillment of legal obligations pursuant to Article 6(1)(c) GDPR, i.e. that, for example, processing of the data is required by law or other regulations.
  • Processing for the protection of legitimate interests pursuant to Article 6(1)(f) GDPR, i.e. that the processing is necessary to protect legitimate interests on our part or on the part of third parties, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

3. Rights of the Data Subject

You are entitled to the following rights with regard to data processing by us in accordance with the articles of the General Data Protection Regulation (GDPR) listed in each case:

  • Right to information pursuant to Art. 15 GDPR
  • Right to rectification in accordance with Art. 16 GDPR
  • Right to erasure (“right to be forgotten”) pursuant to Art. 17 GDPR
  • Right to restriction of processing pursuant to Art. 18 GDPR
  • Right to data portability pursuant to Art. 20 GDPR
  • Right of objection according to Art. 21 GDPR

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

4. Data erasure and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other regulations to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

II. Concrete data processing

1. Visit of the website

i. Scope of data processing

We operate several websites, namely the websites:

  • www.thoughtfish.de
  • www.coala.world

When visiting these websites, the following data is collected and stored by our web server:

  • The IP address of the user
  • Date and time of access
  • Indication of the time difference between the requesting host and the web server
  • Content of the request or information about the requested file that was transmitted to the user
  • Amount of data transmitted
  • Access status (successful transmission, error, etc.)
  • Websites from which the user’s system accesses our website
  • Information about the browser type, browser language, operating system, browser version and interface used. 

The data is stored in the log files of our system. This data is not stored together with other personal data of the user. The servers are rented from our one hosting partner located in Germany.

ii. Legal basis

The legal basis for the processing of the data is Art. 6 (1) (f) GDPR. The legitimate interest within the meaning of Art. 6 (1) (f) GDPR is therefore the functionality of our website and its availability.

The legal basis for the transfer of data to the hosting provider is Art. 28 (3) GDPR.  

iii. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. In addition, the IP address is recorded to prevent attacks on the website. 

The data is stored to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. 

iv. Duration of storage

The log files are deleted after seven days at the latest, unless there is a need to keep the data for the aforementioned purpose due to specific events. The IP address is anonymized in the log file.

v. Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation and protection of the website. Consequently, there is no possibility for the user to object.

2. Contact by e-mail or contact form

i. Scope of data processing

You can contact us via the e-mail addresses provided on the web pages. In this case, your personal data that you send to us by e-mail will be stored.

The data is processed and stored by an e-mail provider we have commissioned with headquarters in Ireland, but the data is also stored outside the European Union in the United States of America.

ii. Legal basis

The legal basis for the processing of data transmitted in the course of sending an e-mail or a contact request via the contact form is Art. 6 (1) (f) GDPR. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) (b) and (c) GDPR. 

The legitimate interest within the meaning of Art. 6 (1) (f) GDPR is to respond to a customer inquiry or to respond to a contact inquiry on other topics. 

The processing by our email provider is based on Art. 28 (3), (6) and (7), Art. 46 (2) (c) GDPR. The standard data protection clauses of the EU Commission are used in the contractual relationship with the provider with additional safeguards for European Union data subjects.

iii. Purpose of the data processing

The purpose of the data storage is to contact you at your request, in particular for the purpose of contract initiation or customer service.

iv. Duration of storage

The data will be stored for as long as is necessary to process the inquiry. Insofar as these are commercial letters that must be retained in accordance with commercial and tax law, they will also be stored in accordance with the statutory retention periods.

v. Possibility of objection and removal

You have the option to object to further use at any time. You can declare your objection by e-mail to datenschutz@thoughtfish.de.

Data can only be deleted if there is no legal obligation to retain it; in this case, however, the data will be blocked for any other use. In the event of an objection, the conversation cannot be continued.

3. Newsletter

i. Scope of data processing

On our websites we offer the possibility to register for a newsletter, where registered persons will receive regular e-mails from us with current information. An input mask is available on the website for the registration. The registration requires the entry of your e-mail address. By clicking on the registration button, the data entered in the input mask is transmitted to us. In addition, the date and time of registration for the newsletter and the IP address used are stored. When confirming the newsletter registration as part of the so-called double opt-in procedure, the date and time at which you click on the confirmation link for the newsletter registration and the IP address used are also stored. 

The newsletter is sent by an external service provider. For this purpose, your e-mail address will be passed on to the external service provider, who will send the newsletter on our behalf. The service provider does not make any further use of your data. The service provider is based in the United States of America.

ii. Legal basis

The legal basis for the processing of data when registering directly for the newsletter is Art. 6 (1) (a) GDPR.

The legal basis for the transfer of data to the shipping service provider is Art. 28 (3), (6) and (7), Art. 46 (2) (c) GDPR. The standard data protection clauses of the EU Commission are used in the contractual relationship with the provider with additional safeguards in favor of European data subjects.

iii. Purpose of the data processing

The purpose of storing the e-mail address is the possibility of electronic contact for information purposes. The date and IP address of the registration as well as the confirmation of the registration are recorded in order to document the consent to the newsletter dispatch in an evidence-proof manner and to exclude misuse. The transfer to the service provider takes place for the purpose of sending the newsletter in bulk.

iv. Duration of storage

If you have expressly consented to receive the newsletter, we will delete or block the e-mail address for sending advertising only if you revoke your consent. The data of the confirmation of the newsletter order will be stored for the same period of time.

The sent e-mails, as far as they are business letters, are stored for the duration of the retention periods of the tax code or the commercial code. The other e-mails are deleted as soon as the user is no longer expected to be contacted.

v. Possibility of objection and removal

You can object to the use of the e-mail address for the newsletter dispatch at any time or revoke the consent without incurring costs that exceed the fees of your communication tariff. In every e-mail sent to you as part of the newsletter, you can object to its use with effect for the future by clicking on a link provided there. You can also object to the use of your data for sending newsletters with effect for the future by sending an e-mail to datenschutz@thoughtfish.de.

4. Visit of COALA Backend

i. Scope of data processing

Access to the COALA backend can be obtained from the following website:

www.backend.coala.thoughtfish.de

When visiting these websites, the following data is collected and stored by our server:

  • Information about the browser type and version used.
  • The operating system of the user
  • The user’s Internet service provider
  • The IP address of the user
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites that are accessed by the user’s system via our website
  • Amount of data transferred
  • Version of the http protocol
  • The currently selected project
  • Date and time of the last login

The data is stored in the log files of our system. This data is not stored together with other personal data of the user. The data is stored on servers of a hosting partner based in the United States of America.

ii. Legal basis

The legal basis for the processing of the data is Art. 6 (1) (f) GDPR. The legitimate interest within the meaning of Art. 6 (1) (f) GDPR is therefore the functionality of our website and its availability.

The processing by our provider is based on Art. 28 (3), (6) and (7), Art. 46 (2) (c) GDPR. The standard data protection clauses of the EU Commission are used in the contractual relationship with the provider with additional protective measures for data subjects from the European Union.

iii. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. In addition, the IP address is recorded to prevent attacks on the website. 

The data is stored to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

iv. Duration of storage

The log files are deleted after seven days at the latest, unless there is a need to retain the data for the aforementioned purpose due to specific events. The IP address is retained for 7 days for the purpose of defending against attacks on the website and then deleted.

Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment to a specific user is no longer possible.

v. Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation and protection of the website. Consequently, there is no possibility for the user to object.

5. Login for the use of COALA

i. Scope of data processing

The use of COALA requires registration as a customer. The following data will be collected:

  • Name
  • e-mail address
  • Password (stored in encrypted form)
  • Creation date
  • Update date

Optional:

  • Company name
  • Phone number

Additional data will be collected from the customer when creating their own customer project:

  • Project name
  • Creation date
  • Update date
  • Company name
  • Street address
  • City
  • Postal Code
  • Invoice data
  • Data of incoming payments 
  • Data on reminders, if any
  • Number of requests sent to the COALA server and any other data from the requests that are necessary to prove the service.

Optional:

  • VAT ID

Data will be stored on the servers described in point 4; what has been stated there applies accordingly.

ii. Legal basis

The legal basis for the data processing is Art. 6 (1) (b), (c) and (f) GDPR, namely the initiation and implementation of a contractual relationship and the retention of data on the basis of tax and commercial law provisions. In addition, Thoughtfish has a legitimate interest in the use of the requests to the servers for system maintenance and ensuring system security.

iii. Purpose of the data processing

The purpose of the processing is the handling of the contractual relationship and the recording of the performance of Thoughtfish for billing purposes as well as for the proof of performance towards the client. Furthermore, the server requests received from the client are recorded for the purposes of system security and system maintenance.

iv. Duration of storage

The data will be stored for the duration of the contractual relationship and after the conclusion of the contractual relationship until the expiry of the regular limitation period for contractual claims. Thereafter, the data will be stored exclusively for statutory retention periods in accordance with the provisions of tax and commercial law.

Data collected for the purposes of system security or system maintenance will be deleted after 3 weeks, unless the data is required for the elimination of errors or security gaps.

v. Possibility of objection and removal

There is no possibility to object.

6. Payment: Stripe

i. Scope of data processing

Thoughtfish works with the external payment service provider “Stripe” to process payments for the use of COALA. 

Stripe Technology Europe, Limited,

The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland. 

The data required for payment processing (card number, validity and verification number, IBAN, etc.) are sent directly to the payment provider in encrypted form and are not visible to us. Stripe is certified according to the Payment Card Industry Data Security Standard Level 1. The payment provider transfers, processes and stores personal data outside the EU. Stripe is solely responsible for the processing of this data and Stripe acts as the responsible party. 

At Thoughtfish, only encrypted data about the payment method and the customer’s user ID at Stripe are stored.

Stripe’s privacy policy can be viewed here: https://stripe.com/de/privacy.

ii. Legal basis

The legal basis for enabling data collection by Stripe when using COALA is Art. 6 (1) (a) and (b) GDPR. 

Stripe does not act as an order data processor, but is itself responsible for the payment processing.

iii. Purpose of the data processing

The purpose is to process payments for the use of COALA, to use the data for fraud prevention and to allow the user to identify the payment method.

iv. Duration of storage

The data stored by Thoughtfish will be kept until the end of the contractual relationship or until the Client changes the payment data.

v. Possibility of objection and removal

You can change the payment data yourself at any time for the future or initiate a change by sending an email to datenschutz@thoughtfish.de.

Regarding the processing by Stripe, it must be revoked towards Stripe itself.

7. Cookies & local storage when accessing the COALA backend

Cookies and local storage are “storage areas” for data on your computer. Content providers often access files stored there via the web browser or store information there for later access. This can be, for example, the language settings for a website, the contents of a shopping cart or settings data for video playback. 

In detail, the following data packages in the form of cookies or local storage files can be accessed on our website. You have the option of rejecting or accepting this when loading the website. Once you have given your consent, you can revoke it at any time. Practically, you can do this by blocking cookies in your browser.

| Name | Responsible Website | Type | Storage duration | Purpose |
|---|---|---|---|---|
| XSRF-TOKEN | backend.coala.thoughtfish.de | Session cookie | Stored for the duration of the login session and expires after 4h without interaction with the backend | Needed to authenticate requests to the COALA framework. |
| Coalabackend_session | backend.coala.thoughtfish.de | Session cookie | 1 Hour | Needed to authenticate requests to the COALA framework. |
| Laravel_cookie_consent | backend.coala.thoughtfish.de | Cookie | 20 Years | Necessary for the cookie consent request. |
| Thoughtfish-Coala-Distribution-Channel | backend.coala.thoughtfish.de | Cookie | 1,5 Days | Used to track from which store or marketplace the customer was directed to COALA. |

Last updated 09.02.2023