Date: January 2022
Your contact person for the capacities.io website and the app.capacities.io web application (“we”, “us”) is Capacities Labs GmbH (see imprint).
We are also the so-called controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of your personal data when you use Capacities. If you have any questions or concerns about this, our support team will be happy to assist you via email at firstname.lastname@example.org.
Contact details of the data protection officer
Our data protection officer is Steffen Bleher and you can reach him via our email address email@example.com.
When you use our website or the app, so-called usage data is temporarily transferred on our servers for technical and statistical purposes as well as for the detection and correction of errors. This is necessary for the website and app to function properly and to improve the quality of Capacities. This data set consists of:
the name and address of the requested content The date and time of the request, the amount of data transferred, the access status (content transferred, content not found), information about the web browser used and the operating system or type and version of your mobile device (e.g. “iPhone 6, iOS 8.1”) as well as the version of the app if applicable, the referral link indicating from which page you reached ours, the IP address of the requesting device, which is shortened so that a personal reference can no longer be established. The aforementioned log data is only evaluated anonymously.
In order to protect your data from unwanted access as comprehensively as possible, we take technical and organizational measures. We use an encryption at Capacities. Your data is transferred from your computer to our server and vice versa via the Internet using Transport Layer Security (TLS) encryption.
We do not use these necessary cookies for analysis, tracking or advertising purposes.
In some cases, these cookies only contain information about certain settings and are not personally identifiable. They may also be necessary to enable user guidance, security and implementation of the site.
We use these cookies on the basis of Art. 6 para. 1 p. 1 lit. f DSGVO.
The app may embed web content that is not stored on our servers. You must manually agree to each of these embeds. Without your consent, this content will not load. If you agree, accessing our pages with embedded content will result in content being reloaded from the respective third-party provider that provides the content. Through this, the third-party provider receives the information that you have called up our page as well as the usage data technically required in this context. We have no influence on the further data processing by the third-party provider. The embedding is based on Art. 6 para. 1 p. 1 lit. f DSGVO and in the interest of making our site as appealing and informative as possible.
Other order processors
We share your data with service providers who support us in the operation of Capacities and related processes as part of order processing pursuant to Art. 28 DSGVO. These are, for example, hosting service providers. Our service providers are strictly bound by instructions to us and are contractually obligated accordingly.
In the following, we name the order processors with whom we work, if we have not already done so in the preceding text of the data protection declaration. If data is transferred outside the EU or EEA in this context, we provide information on the appropriate level of data protection.
Amazon Web Services
We host all of our applications and services on Amazon Web Services. The provider is
Amazon Web Services EMEA SARL, 38 Avenue John F.Kennedy, 1855 Luxembourg
When you visit our website and application, your personal data is processed on Amazon Web Services servers. In this process, personal data may also be transmitted to the parent company of Amazon Web Services in the USA. The data transfer to the USA is based on the EU standard contractual clauses. Details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.
The use of Amazon Web Services is based on Art. 6 (1) lit. f DSGVO. We have a legitimate interest in ensuring that our applications and services function as reliably as possible.
We use Paddle.com from Paddle.com Market Limited, Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom to process all payments.
When opening a payment transaction, we share the following personal information with Paddle.com:
- Email address
Paddle.com is a recipient of your personal data and acts as a processor for us as far as the processing of payment transactions is concerned.
Your data will be processed as long as there is a corresponding consent. Apart from that, they will be deleted after the termination of the contract between us and Paddle.com, unless legal requirements make further storage necessary.
Paddle.com has implemented compliance measures for international data transfers. These apply to all global activities where Paddle.com processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.paddle.com/legal/privacy.
We use canny.io by Canny Inc, 831 N Tatnall St Suite M #140, Wilmington, DE 19801, USA to manage user feedback. This allows us to use feedback from our users to improve our product.
To do so, we share the following personal information with Canny Inc. after an explicit consent by you:
Canny Inc. is a recipient of your personal data and acts as a processor for us as far as the processing of feedback is concerned. The processing of the data provided under this section is not required by law or contract. Without your consent and the transmission of your personal data, we cannot accept your feedback.
Your data will be processed as long as we have your consent. Apart from that, they will be deleted after the termination of the contract between us and Canny Inc. unless legal requirements make further storage necessary.
Canny Inc. has implemented compliance measures for international data transfers. These apply to all global activities where Canny Inc. processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://canny.io/privacy
We use AI models for artificial intelligence (AI) product features from OpenAI, L.L.C., 3180 18th St, San Francisco, CA 94110. OpenAI is a company based in the USA. Data transfers to the US are based on the EU Standard Contractual Clauses (SCCs). Details can be found here:
The use of AI models from OpenAI requires that the following data be submitted to OpenAI:
- Contextually relevant content created for processing by the AI model.
- Request and chat history with the AI model.
This data is only transmitted to OpenAI after explicit consent has been given in the application settings and when AI product features are used.
If you decide to register with Capacities, you will be asked to provide us with the following personal information: Email address, first and last name. Without these data, registration is not possible and thus the use of Capacities is limited. The legal basis of the processing is Art. 6 para. 1 p. 1 lit. b DSGVO.
Furthermore, we store all personal data that you create on a voluntary basis as part of your profile (e.g. username, profile photo and name). The legal basis for the processing of profile data is Art. 6 para. 1 s.1 lit. a DSGVO.
The content (e.g. notes, texts and media) deposited and provided by you in the course of using Capacities will also be stored by us. The legal basis for the processing of the content data is Art. 6 para. 1 s.1 lit. a DSGVO.
Storage period of the data
In principle, we only store personal data for as long as is necessary for the fulfillment of contractual or legal obligations or for the assertion of claims under civil law.
Registration data and personal data are stored for up to four weeks after the deletion of your user account and then deleted. Public content data will be stored until your user account is deleted and then anonymized.
Your rights as a data subject
When processing your personal data, the GDPR grants you certain rights as a data subject:
Right of access (Art. 15 DSGVO).
You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and to the information listed in detail in Art. 15 DSGVO.
Right to rectification (Art. 16 DSGVO).
You have the right to request without undue delay the rectification of any inaccurate personal data concerning you and, where applicable, the completion of any incomplete data.
Right to erasure (Art. 17 DSGVO).
You have the right to request that personal data concerning you be erased without delay, provided that one of the reasons listed in detail in Art. 17 DSGVO applies.
Right to restriction of processing (Art. 18 GDPR).
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 DSGVO applies, e.g. if you have objected to the processing, for the duration of the controller’s review.
Right to data portability (Art. 20 DSGVO).
In certain cases, detailed in Art. 20 DSGVO, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transfer of this data to a third party.
Right of withdrawal (Art. 7 DSGVO).
If the processing of data is based on your consent, you are entitled to revoke your consent to the use of your personal data at any time in accordance with Art. 7 (3) DSGVO. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
Right of objection (Art. 21 DSGVO).
If data is collected on the basis of Art. 6 para. 1 sentence 1 lit. f DSGVO (data processing for the protection of legitimate interests) or on the basis of Art. 6 para. 1 sentence 1 lit. e DSGVO (data processing for the protection of public interest or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Right to lodge a complaint with a supervisory authority (Art. 77 DSGVO).
Pursuant to Art. 77 DSGVO, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of the data concerning you violates data protection provisions. In particular, the right to lodge a complaint may be exercised before a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.
Assertion of your rights
To assert your data subject rights, please contact Capacities Labs GmbH (see imprint).