Policies and legal docs

We respect your right to privacy — isn't that what everybody is saying? Privacy is hard. We aim for a good balance between privacy, security, business needs, usability and legal regulations.

The source of this document is here: github.com/fortrabbit/legal/blob/master/privacy-policy.md. This is a translated version and is provided for your convenience "as is". The original legally binding German version can be found here: github.com/fortrabbit/legal/blob/master/datenschutzerklaerung.md

Privacy statement by fortrabbit, translated

last modified: 07th June 2018.

1. Name and address of the responsible

The legal responsible, hereinafter also "we", "our" or "operator", within meaning of the General Data Protection Regulation and other national data laws of the member states as well as other data protection regulations, is the:

fortrabbit GmbH
Görlitzer Str 52
10997 Berlin
info@fortrabbit.com
+49 30 609 80 784 0

The following "websites" refer to the internet addresses: www.fortrabbit.com, help.fortrabbit.com, blog.fortrabbit.com and dashboard.fortrabbit.com.

2. General information about data processing

1. Scope of processing of personal data

  1. In principle, we process personal data of our users only insofar as this is necessary to provide a functional website and our content and services.
  2. The processing of personal data of our users takes place regularly only with the consent of the user.
  3. An exception applies in cases in which prior consent is not possible for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

  1. Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as legal basis.
  2. In the processing of personal data necessary for the performance of a contract of which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as legal basis. This also applies to processing operations required to carry out pre-contractual actions.
  3. If processing of personal data is required to fulfill a legal obligation that our company is subject to, Art. 6 para. 1 lit. c GDPR serves as legal basis.
  4. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as legal basis.
  5. If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interest, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 para. 1 lit. f GDPR serves as legal basis for processing.

3. Data deletion and storage duration

  1. The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage is removed.
  2. It may also be stored if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject.
  3. The data is also blocked or deleted when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for a contract or fulfillment of the contract.

3. Providing the website and creating logfiles

1. Description and scope of data processing

  1. Whenever our website is accessed, our system automatically collects data and information from the computer system of the calling computer.
  2. The following data is collected here: information about the browser type and the version used, the user's operating system, the IP address of the user, the date and time of access, websites from which the user's system accesses our website, websites, which are accessed by the user's system through our website.
  3. The data is also stored in the log files of our system.

2. Legal basis for data processing

  1. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f DSGVO.

3. Purpose of the data processing

  1. The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session.
  2. Storage in log files is done to ensure the functionality of the website.
  3. In addition, the data is used to optimize the website and to ensure the security of our information technology systems.
  4. An evaluation of the data for marketing purposes does not take place in this context.
  5. Our legitimate interest in the processing of data according to Art. 6 para. 1 lit. f GDPR lies in these purposes.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. In the case of the collection of data for the provision of the website, this is the case when the respective session is completed.
  3. In the case of storing the data in log files, this is the case after no more than seven days, unless legal or technical reasons or the need for security make longer storage necessary.
  4. Further storage is possible.
  5. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.

5. Removal possibility

  1. The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website.
  2. There is consequently no possibility of objection on the part of the user.

4. Use of cookies

1. Description and scope of data processing

  1. Our websites use cookies. Cookies are text files that are stored in the browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system.
  2. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.
  3. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break.
  4. The cookies store and transmit data such as currency, session and account information, selection in ordering systems, CSRF tokens and potentially other metadata.

2. Legal basis for data processing

  1. The legal basis for the processing of personal data using cookies is Article 6 (1) lit. f DSGVO.

3. Purpose of the data processing

  1. The purpose of using technically necessary cookies is to facilitate the use of websites for users.
  2. Some features of our website can not be offered without the use of cookies.
  3. For this it is necessary that the browser is recognized even after a page break.
  4. Our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR lies in these purposes.

4. Duration of storage, objection and disposal options

  1. Cookies are stored on the computer of the user and transmitted from it to our site.
  2. Therefore, as a user, you have full control over the use of cookies.
  3. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies.
  4. Already stored cookies can be deleted at any time.
  5. This can also be done automatically.
  6. If cookies are disabled for our website, not all features can be fully used.

5. Registration

1. Description and scope of data processing

  1. On our website, we offer users the opportunity to register by providing personal information.
  2. The data is entered into an input mask and transmitted to us and stored.
  3. A transfer of the data to third parties does not take place.
  4. In addition to the data that the user enters in our input masks, the IP address of the user, location data and date and time of registration are also stored.
  5. As part of the registration process, the user's consent to the processing of this data is obtained.

2. Legal basis for data processing

  1. Where the user has given consent, the legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR.
  2. If the registration serves the fulfillment of a contract of which the user is a party or the implementation of pre-contractual measures, an additional legal basis for the processing of the data is Art. 6 (1) lit. b DSGVO.

3. Purpose of the data processing

  1. User registration is required for the provision of certain content and services on our websites. In the case of registration for free trial offers, registration is required in particular for the prevention of abuse.
  2. Registration of the user in connection with the ordering of paid services is required to fulfill a contract with the user or to carry out pre-contractual measures.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. This is the case during the registration process for the performance of a contract or for the performance of pre-contractual measures if the data are no longer necessary for the performance of the contract.
  3. Even after conclusion of the contract, there may be a need to store personal data of the contracting party in order to comply with contractual or legal obligations, the latter in particular according to HGB and the tax law.

5. Opposition and removal possibility

  1. As a user, you have the option of canceling the registration at any time. You can change the data stored about you at any time.
  2. If the data are necessary for the fulfillment of a contract or for the execution of pre-contractual measures, a premature deletion of the data is only possible insofar as contractual or legal obligations do not preclude a deletion.

6. Product information

1. Description and scope of data processing

  1. We regularly contact our registered customers via e-mail to inform them about updates, such as scheduled maintenance, new releases and security-relevant changes.
  2. The data from the input mask are transmitted to us during registration.
  3. For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy.
  4. In connection with the processing of data for the shipment of product information, no transfer of the data to third parties takes place.
  5. The data will be used exclusively for sending the product information.

2. Legal basis for data processing

  1. Legal basis for the processing of the data after the user has registered for the newsletter is the consent of the user Art. 6 para. 1 lit. a GDPR.

3. Purpose of the data processing

  1. The collection of the user's e-mail address serves to provide the product information.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The e-mail address of the user is therefore (as all contract-related data) stored as long as the customer maintains an active user account.

5. Opposition and removal possibility

  1. You may object to storage for the future if you terminate your customer account at the same time.
  2. It is also possible to suspend the receipt of e-mails temporarily, but this does not end the storage of your e-mail address, which is required for the execution of the contract.

7. E-mail contact

1. Description and scope of data processing

  1. It is possible to contact us via the provided e-mail address.
  2. In this case, the user's personal data transmitted by e-mail will be stored.
  3. The data is used exclusively for the processing of the conversation.

2. Legal basis for data processing

  1. Where the user has given consent, the legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR. The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

3. Purpose of the data processing

  1. In the case of contacting by e-mail, this also includes the necessary legitimate interest in the processing of the data.

4. Duration of storage

  1. The data will be deleted as soon as they are no longer necessary for the purpose of their collection.
  2. For the personal data sent via e-mail, this is the case when the respective conversation with the user has ended.
  3. The conversation ends when it can be inferred from the circumstances that the relevant facts have been finally clarified.
  4. Statutory regulations, such as the obligation to store business mail, may preclude premature cancellation.

5. Opposition and removal possibility

  1. The user has the opportunity to revoke his consent to the processing of personal data at any time.
  2. If the user contacts us by e-mail, he may object to the storage of his personal data at any time.
  3. In such a case, the conversation can not continue.

8. Data collection by third party companies

1. Use of Google Analytics

These websites use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google Analytics uses cookies. The information generated by the cookie about your use of these web pages is usually transmitted to a Google server in the USA and stored there. However, due to the activation of IP anonymization on these websites, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services related to website activity and internet usage to the website operator. The IP address provided by Google Analytics as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software. We point out, however, that in this case you may not be able to use all functions of these web pages in full. In addition, you may prevent the collection by Google of the data generated by the cookie and related to your use of the website (including your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: Browser Add On to disable Google Analytics: tools.google.com/dlpage/gaoptout. For more information about Terms of Use and Privacy, please visit www.google.com/analytics/terms/ or www.google.com/intl/en/policies/.

9. Rights of data subjects

1. Right to information

  1. You may ask the person in charge to confirm if personal data concerning you is processed by us.
  2. If such processing is available, you can request information from the person responsible about the following information:
    1. the purposes for which the personal data are processed;
    2. the categories of personal data that are processed;
    3. the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
    4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
    5. the right of rectification or deletion of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to such processing;
    6. the existence of a right of appeal to a supervisory authority;
    7. all available information on the source of the data if the personal data are not collected from the data subject;
    8. the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
  3. You have the right to request information about whether the personal data concerning you are transmitted to a third country or to an international organization. In this connection, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
  4. In the case of data processing for scientific, historical or statistical research purposes: This right of access may be restricted to the extent that it is likely that the realization of the research or statistical purposes is impossible or seriously impaired and the restriction is necessary for the performance of research or statistical purposes.

2. Right to rectification

  1. You have a right to rectification and/or completion against the controller, if the processed personal data concerning you is incorrect or incomplete.
  2. You can correct many data yourself as a registered customer. Incidentally, the responsible person must make the correction without delay.
  3. In the case of data processing for scientific, historical or statistical research purposes: Your right of rectification may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

3. Right to restriction of processing

  1. Under the following conditions, you may request the restriction of the processing of your personal data:
    1. if you deny the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
    2. the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of the personal data;
    3. the person responsible no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defense of legal claims, or
    4. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible prevail over your reasons.
  2. If the processing of personal data concerning you has been restricted, these data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  3. If the restriction of processing has been applied under the above-mentioned conditions, you will be informed by the person in charge before the restriction is lifted.
  4. In the case of data processing for scientific, historical or statistical research purposes: Your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of research or statistical purposes.

4. Right to cancellation

1. Obligation to delete

  1. You may require the controller to delete the personal information concerning you without delay and the controller shall immediately erase that information provided that any of the following is true:
    1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
    2. You revoke your consent on which the processing according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. GDPR was based, and there is no other legal basis for processing.
    3. You object to the processing according to Art. 21 para. 1 GDPR and there are no prior justifiable reasons for the processing, or you object to the processing according to Art. 21 para. 2 GDPR.
    4. Your personal data have been processed unlawfully.
    5. The deletion of personal data concerning you is required to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
    6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

2. Information on third parties

  1. If the person responsible has made the personal data relating to you public and is obliged to delete it in accordance with Article 17 (1) of the GDPR, it shall take appropriate measures, including technical means, taking into account available technology and implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested the deletion of all links to such personal data or of copies or replications of such personal data.

3. Exceptions

  1. The right of erasure does not exist if the processing is necessary:
    1. to exercise the right to freedom of expression and information;
    2. to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority delegated to the controller;
    3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
    4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
    5. to assert, exercise or defend legal claims.

5. Right to information

  1. If you have asserted the right of rectification, erasure or restriction of the processing to the controller, the latter is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or is associated with a disproportionate effort. You have the right to be informed about these recipients by the person responsible.

6. Right to data portability

  1. You have the right to receive personally identifiable information relating to you provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the person responsible for providing the personal data, provided that:
    1. the processing is based on consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR, and
    2. the processing is done using automated procedures.
  2. In exercising this right, you also have the right to obtain that personal data concerning you are transmitted directly from one person responsible to another person responsible, as far as this is technically feasible. Freedoms and rights of other persons may not be affected.
  3. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

7. Right to object

  1. You have the right at any time, for reasons arising from your particular situation, to object to the processing of your personal data which takes place pursuant to Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
  2. The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.
  3. If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.
  4. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
  5. Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object by means of automated procedures that use technical specifications.
  6. In the case of data processing for scientific, historical or statistical research purposes: You also have the right, for reasons arising from your particular situation, to object to the processing of personal data relating to you which takes place for scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR. Your right of objection may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes, and that the restriction is necessary for the performance of the research or statistical purposes.

8. Right to revoke the data protection consent declaration

  1. You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

9. Automated decision on an individual basis including profiling

  1. You have the right not to be subject to a decision based solely on automated processing - including profiling - that will have legal effect on you or affect you in a similar manner. This does not apply if the decision:
    1. is required for the conclusion or performance of a contract between you and the controller,
    2. is permitted by Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or
    3. is made with your express consent.
  2. However, these decisions may not be based on specific categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.
  3. With regard to the cases referred to in (1) and (3), the person responsible shall take reasonable measures to uphold the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to state your own position and to contest the decision.

10. Right to complain to a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.
  2. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

Do you like our policies, or wonder about changes, or found a typo? See the fortrabbit legal repo on GitHub.

Platform privacy rules

In addition to the official legal privacy policy — which is mostly about website usage — we also have the following additional informal ruleset in place, further defining platform usage:

Code peeking

Technically, fortrabbit staff is able to view and even edit all uploaded files and databases. Our aim is to be involved as little as possible. There is an internal policy for that. In many support cases knowledge about configuration or code is essential to find a solution. Where possible and acceptable we will ask for permission to look into your code upfront. In other security related cases, for instance fighting phishing attempts, it is required that we examine code proactively. This can take place on suspicion.

Deleting data

When deleting Apps or Accounts with us, we delete as much and as completely as possible. For some clients this comes as a surprise as they expect that we just hide data away, until they pay their open invoices.

Web server logs

You can interact with fortrabbit services on various transport protocols. We are storing connection data in log files with each access. This may include the request time, the IP address of the requestor, the protocol and version used, URL called, response status, the number of bytes delivered, a referrer and a user agent (browser and OS). We are doing so for security reasons — to avoid malicious and unauthorized access. We reserve the right to analyze and blacklist certain IPs from our services based on these access logs. We will delete those logs as soon as possible. Certain logs might be kept for analysis and fraud protection.

TLS encryption

fortrabbit Apps can be accessed via a TLS encrypted connection in various ways. All have in common that fortrabbit is not the Certificate Authority and that the service is provided "as is". See our dedicated HTTPS & TLS help article for more.

Data Subject Access Requests

This page and our third party transparency page outline what we store and share about our clients. In addition you have various rights on the data we store on you:

Access

You can see, explore and edit the data we store on you in the fortrabbit Dashboard, visit your Apps, Account, Companies, Billing Contacts.

Rectification

You can correct the information on you by editing your Account, Company and Billing Contact details in the Dashboard.

Erasure

You can make use of your right to be forgotten by deleting your Apps, Companies and Account in the fortrabbit Dashboard. Deletion will be final, irreversible and permanent. Note that App backups will be deleted after the retention period and that we still need to keep some billing related data for legal reasons.

Restriction

Sorry, there is no self-service tool to automatically restrict access on personal information so far. But we are happy to help you with that. Please contact us.

Portability

Sorry, there is no self-service tool to automatically download the data we store on you. But we will happily fulfill your requests. Please contact us.