Privacy policy for the Lumiform Website and the Lumiform App

This privacy policy applies to data processing by Lumiform GmbH (“Controller”, “we” or “us”) when using the Lumiform app (“App”) and visiting our website https://lumiformapp.com (“Website”).

Lumiform offers software that helps companies digitize and automate workflows for their deskless teams (“Service”).

When you use our website, we process your personal data. Personal data is any information relating to an identified or identifiable natural person. When we process personal data, this means that we collect, store, transmit, delete, or otherwise use this data. We comply with the applicable data protection laws, in particular, the General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”).

The following data protection information informs you about the type, scope, and purposes of the collection, use, and other processing of personal data when using our Website.

If our data processing practices change, we will adapt our privacy policy. We ask that you regularly inform yourself about its content. If the change requires cooperation on your part, such as consent or other individual notification, we will inform you.

1. Data controller

Data controller is Lumiform GmbH;

Address: Torstraße 201, 10115 Berlin

Email: privacy@lumiformapp.com

2. Data protection officer

For all questions on the subject of data protection or to exercise your rights in accordance with Section 8 of this privacy policy in connection with the use of our Website or our App, you can contact our data protection officer at any time:

Name: Sebastian Schenk, working for simply Legal GmbH

Address: Burkaderstr. 36 in 97082 Würzburg

Phone: +49 931 90 87 95 20

Email address: info@dieter-datenschutz.de

3. Collection and storage of personal data as well as the nature and purpose of their processing and the relevant legal basis

In the following, we inform you about which personal data we process when you use our Website or App and/or make use of our Services. We will also explain the purpose for which we process your data and the legal basis on which we do so. To the extent that the processing of personal data is based on Art. 6 para. 1 sentence 1 lit. f) GDPR, the aforementioned purposes also represent our legitimate interests.

3.1. Calling up the Website

When you visit our Website for informational purposes, we collect, store and process so-called “log data”. We store these temporarily and anonymously as so-called server log files on our web server in order to guarantee the display of our Website and its stability and security.

This applies for example to:

  • Operating system and information on the internet browser used, including installed add-ons;
  • IP address (internet protocol address) of the end device from which the online offer is accessed;
  • Internet address of the website from which the online offer was accessed (so-called origin or referrer URL);
  • Name of the service provider used to access the online offer;
  • Name of the files or information retrieved;
  • Date and time as well as duration of the retrieval.

The processing is carried out on the basis of a balancing of interests in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR, which always also takes your interests into account.

3.2. Creating an account and taking out a subscription

If you wish to register for our Service, we will collect the following data from you:

  • Your first and last name
  • Your e-mail address
  • Your telephone number

If you decide to use a paid Service, we will collect the following additional data from you:

  • Your address
  • Your means of payment and your payment details

We process the data mentioned above to fulfill your contract for the services offered. The legal basis of the data processing is, therefore, Art. 6 para. 1 lit. b) of the GDPR.

3.3. Contact form

When you use our contact form on our Website, we collect the following data from you:

  • Your name;
  • Your company;
  • Your company email address;
  • Your telephone number

The data will only be used to answer your questions. The data will not be passed on to third parties unless this is expressly stated in this privacy policy. We process the aforementioned data in order to answer the questions or enquiries submitted via the contact form. The legal basis of the data processing is therefore our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR.

3.4. Website optimization, analysis, and marketing

(a) Functional cookies

Our Website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on your computer. The cookie contains a string of characters that allows your system to be uniquely identified when you return to the Website.

Most of the cookies we use (“Session Cookies”) and the data stored and transmitted in them are automatically deleted at the end of your visit. Other cookies (“Persistent Cookies”) remain stored on your end device until you delete them.

You can set your browser in such a way that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. You can delete cookies that have already been saved at any time. If you deactivate cookies, the functionality of the Website may be limited.

Some elements of our Website require that the calling browser can be identified even after a page change. Cookies may be stored for this purpose, which enable us to recognise your browser on your next visit.

If personal data are processed by the cookies, we process them on the basis of a balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, which always also takes your interests into account.

(b) Analysis and marketing cookies

When you visit our Website, cookies are also set that enable an analysis of your use of the Website for reach measurement and advertising purposes (“Analysis Cookies”).

We use Analysis Cookies exclusively on the basis of your consent in accordance with § 25 para. 1 TTDSG and Art. 6 para. 1 subpara. 1 lit. a GDPR via our cookie banner. You can also access further information about the cookies we use via our cookie banner. You can also use the cookie banner to revoke your consent to the processing of your data through analysis cookies at any time.

(c) Google Analytics

To analyse your use of our Website, we use “Google Analytics” a service provided by companies belonging to the Google LLC group, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), on the basis of a contract on commissioned data processing pursuant to Art. 28 GDPR.

Google Analytics uses cookies. The information generated by cookies about your use of our Website is usually transferred to a Google server in the USA and stored there. The storage of Google Analytics cookies and the use of this analysis tool are based on your express consent in accordance with Art. 6 para. 1 lit. a) GDPR. Your consent can be revoked at any time.

We have activated the IP anonymisation function. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Google will use this information on our behalf for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services relating to Website activity and internet usage to us.

You have the option to prevent the storage of cookies by changing the settings of your browser software accordingly. You can also prevent the collection of data generated by the cookie and related to your use of the Website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
For more information about the processing of user data by Google Analytics, please refer to Google’s privacy policy at: https://support.google.com/analytics/answer/6004245?hl=en.

(d) Mouseflow

We use the Mouseflow service provided by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. Mouseflow helps us to better understand the needs of our users and optimize the offering and experience on our Website. Using Mouseflow’s technology, we gain insights into our users’ experiences (e.g., how much time users spend on which pages, which links they click on, what they like and don’t like, etc.), which helps us tailor our offerings to user feedback. Mouseflow uses cookies and other technologies to collect information about your behavior and devices, including your device’s IP address (collected and stored anonymously), screen size, device type (unique device identifiers), information about the browser you are using, location (country only), and preferred language for viewing our Website. Mouseflow stores this information in a pseudonymized user profile. The legal basis for this is your express consent pursuant to Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time. We have concluded an order processing agreement with Mouseflow pursuant to Art. 28 GDPR.

You can find more information on data protection at Mouseflow at: https://mouseflow.com/legal/privacy-policy/

(e) HubSpot

See section 4.6 below.

(f) Apollo.io

See section 4.3 below.

(g) Mixpanel

See section 4.5 below.

4. Data recipient

In order to process your personal data, we also use the services of external service providers (IT providers, transport companies, payment service providers) in addition to the service providers mentioned in section 3.4. In part, these third parties act as our own data protection controllers, in part they act in the function of a processor on our behalf and in accordance with our instructions pursuant to Art. 28 GDPR.

4.1. Aircall

For telephone communication, we use Aircall, a technology of Aircall, 42, rue du Faubourg Poissonniere, 75010, Paris, France. This involves processing your contact details. We have concluded an order processing agreement with Aircall in accordance with Art. 28 GDPR. The processing is based on our legitimate interest pursuant to Art. 6 para. 1 f) GDPR.

For more information on data protection at Aircall, please visit https://aircall.io/privacy/.

4.2. Amazon Web Services

We process the data we store on servers operated by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, Luxembourg, L-1855, Luxembourg (“AWS”). We store data that you enter yourself on our Website on the servers of AWS (registration data such as email address) as well as data that we automatically collect from you when you visit our Website (such as your IP address and your location). We have concluded an order processing agreement with AWS in accordance with Art. 28 GDPR. Your personal data is stored exclusively on servers in Frankfurt and is therefore not transferred to data recipients outside the European Union.

For more information on data protection at AWS, please visit https://aws.amazon.com/de/compliance/germany-data-protection/.

4.3. Apollo.io

We use the Apollo.io service provided by Apollo.io, Inc. to track website visitors and prioritize prospects. Apollo.io helps us understand user interactions on our Website, allowing us to optimize our offerings and improve user experience. By using Apollo.io’s technology, we can analyze user behavior such as time spent on pages, links clicked, and user preferences. Apollo.io uses cookies and other technologies to collect information about your behavior and devices, including your device’s IP address (collected and stored anonymously), screen size, device type (unique device identifiers), browser information, location (country only), and preferred language for viewing our Website. This information is stored in a pseudonymized user profile. The legal basis for this is your express consent pursuant to Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time. We have concluded a data processing agreement with Apollo.io under Art. 28 GDPR.

You can find more information on data protection at Apollo.io at: https://apollo.io/company/privacy-center.

4.4. Chartmogul

To evaluate the subscription data and duration of customer subscriptions, we use Chartmogul, a technology of Chartmogul CMTDE GmbH & Co. KG, Oberwallstraße 6, 10117 Berlin. The following data is passed on in this process: customer ID, amount, date of purchase, date of termination. We have concluded an order processing agreement with Chartmogul pursuant to Art. 28 GDPR. The processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 f) GDPR.

For more information on data protection at Chartmogul, please visit: https://www.atlassian.com/trust/data-protection?tab=privacy.

4.5. Mixpanel

We use the analytics tool “Mixpanel” from Mixpanel, Inc., 405 Howard St., Floor 2, San Francisco, CA 94105, USA. The tool allows us to analyse how you use the App and interact with the features in the App. The analysis helps us to better understand the needs of our customers and to continuously improve our Service. We have concluded an order processing agreement with Mixpanel in accordance with Art. 28 GDPR, which can be accessed at https://mixpanel.com/legal/dpa/.
The processing of user data is pseudonymised, i.e. no personal clear data (such as names) is processed and your IP address is only stored in a shortened form.
Further information on Mixpanel’s data protection can also be found here: https://mixpanel.com/legal/privacy-policy/

Data processing is carried out exclusively on the basis of your express consent in accordance with Art. 6 para. 1 lit. a) GDPR.

4.6. Hubspot

We use the service HubSpot for various purposes. HubSpot is a technology of Hubspot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.

Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include: email marketing, social media publishing & reporting, reporting, contact management (e.g. user segmentation & CRM), and live chat. The following of your information may be stored on servers of our software partner HubSpot when tracked by HubSpot or when you enter your data in this process, among other information: contact details, IP address, device identifier, operating system, geographical location. We may use this information to contact visitors to our Website and to determine which of our company’s services are of interest to them. We have concluded an order processing agreement with HubSpot pursuant to Art 28 GDPR. The legal basis for this is your express consent pursuant to Art. 6 para. 1 a) for tracking and Art. 6 para. 1 f) GDPR for the legitimate interest in using a CRM system. You can revoke your consent at any time.

For more information on HubSpot’s data protection, please visit: https://legal.hubspot.com/de/privacy-policy.

4.7. Twilio

For sending our emails, we use the Sendgrid by Twilio service, and for the possibility of calling our customers in HubSpot, we use the Twilio service, both services of Twilio Inc., 889 Winslow Street, Redfort City, California 94063, USA (“Twilio”) on the basis of a commissioning agreement according to Art. 28 GDPR. Twilio receives both the email addresses of our users and the content of the messages to be sent. Twilio also receives the telephone number of our users. This processing is based on our legitimate interest pursuant to Art. 6 para. 1 f) GDPR.

Further information on data protection at Sendgrid and Twilio can be found at: https://sendgrid.com/en-us/resource/general-data-protection-regulation-2/ and https://www.twilio.com/en-us/legal/privacy.

4.8. Slack

To enable us to process your data for the stated purposes, we use the services of Slack Technologies LLC, 500 Howard Street, San Francisco, CA 94105, USA. The data processing takes place on the basis of a contract on commissioned data processing pursuant to Art. 28 GDPR. Your name and e-mail address are processed. The processing is based on our legitimate interest pursuant to Art. 6 para. 1 f) GDPR.

For more information about Slack’s applicable privacy policy, please visit https://slack.com/intl/de-de/trust/privacy/privacy-policy.

4.9. Chargebee

When you order a paid Service from Lumiform, payment is processed through the payment service provider Chargebee Inc. We transmit to Chargebee the information you provide during the ordering process along with information about your order (name, address, payment information, invoice amount, currency, and transaction number). Your data will only be shared for the purpose of processing payment with Chargebee and only to the extent necessary for this purpose. The data entered is processed and stored by Chargebee. This means we do not receive any account or credit card related information, but only confirmation or negative information of the payment.

The transmission of your data to Chargebee is necessary for the processing of the purchase agreement with you and thus takes place on the basis of Art. 6 para. 1 lit. b) GDPR.

For more information on Chargebee’s privacy policy, please visit: https://www.chargebee.com/privacy/.

4.10. Usercentrics

We use the Usercentrics Consent Management Platform as a consent management tool as part of the analytics activities on our Website. The Usercentrics Consent Management Platform is a technology of Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich and collects log file and consent data using JavaScript. This JavaScript makes it possible to inform users about their consent to certain tags on our Website and to obtain, manage and document this consent. Consent data, device data and user data (email, ID, browser information, SettingsID, changelog) are stored. We have concluded an order processing agreement with Usercentrics in accordance with Art. 28 GDPR. The use of Usercentrics is based on Art. 6 para. 1 lit. f) GDPR in order to ensure the legally compliant use of cookies.

For more information on data protection at Usercentrics, please visit: https://usercentrics.com/de/datenschutzerklaerung/.

5. Website security

5.1. We use appropriate technical and organisational security measures to protect stored personal data against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is stored exclusively on servers hosted in the EU that are certified in accordance with DIN ISO/IEC 27001 (as amended).

5.2. We use various service providers to maintain a high level of system security on our platform and to prevent and remedy faults. It is our legitimate interest to continuously monitor and maintain the security and performance of our platform. This is also in the interest of our customers. The legal basis for data processing for this purpose is Art. 6 para. 1 subpara. 1 lit. f GDPR.

(a) Sentry

We use the error analysis service Sentry from Functional Software Inc, 132 Hawthorne Street, San Francisco, California 94107, USA (“Sentry”). To ensure the technical stability of our services, system errors are logged with the help of Sentry. Your IP address, MAC address, web logs and information about your web browser may be transmitted to Sentry. The processing is carried out on the basis of an order processing agreement in accordance with Art. 28 GDPR. You can find more information on data protection at Sentry at: https://sentry.io/trust/privacy/

(b) Datadog

In addition, we integrate the functions of the Datadog service of Datadog, Inc., 620 8th Ave, 45th Floor, New York, NY, 10018 USA, on our Website. The service notifies us of possible technical complications or functional impairments in connection with the operation of our Website. For this purpose, server information as well as your IP address, the browser you are using, timestamps and the URL accessed may be transmitted to Datadog. The service is used on the basis of an order processing agreement in accordance with Art. 28 GDPR. Further information on the collection and use of data by Datadog can be found at www.datadoghq.com/legal/privacy/.

(c) LogRocket

We use the session replay and analytics service LogRocket from LogRocket, Inc., 87 Summer Street, Boston, MA 02110, USA (“LogRocket”). This service helps us to understand user interactions with our mobile application to improve user experience and troubleshoot issues. Information such as your IP address, browser type, operating system, and usage data may be transmitted to LogRocket. The processing is carried out on the basis of an order processing agreement in accordance with Art. 28 GDPR. More information on data protection at LogRocket can be found at: https://logrocket.com/privacy/

6. Will your data be transferred to third countries or international organizations?

6.1. In the course of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. This applies to the use of the following services:

  • Apollo.io: 318 Cambridge Ave, Palo Alto, CA 94306, USA.
  • Chargebee: 340 S Lemon Ave #1537, Walnut, CA 91789, USA.
  • Datadog: 620 8th Ave, 45th Floor, New York, NY, 10018 USA.
  • Google: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
  • LogRocket: 87 Summer Street, Boston, MA 02110, USA.
  • Mixpanel: 405 Howard St., Floor 2, San Francisco, CA 94105, USA.
  • Twilio: 889 Winslow Street, Redfort City, California 94063, USA.
  • Sentry: 132 Hawthorne Street, San Francisco, California 94107, USA.
  • Slack: 500 Howard Street, San Francisco, CA 94105, USA.

6.2. In the context of the transfer of personal data to a third country, we will regularly ensure through appropriate guarantees, for example by concluding the standard contractual clauses of the European Commission, that a transfer of data to a third country only takes place on the basis of a level of protection that complies with the GDPR.

6.3. To the extent that, when using the data mentioned in section 6.1, data is transferred to a third country, in particular the USA, for which there is no adequacy decision by the Commission, this is done on the basis of standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR in conjunction with appropriate technical and organizational measures to protect your data.

6.4. A copy of the standard contractual clauses or further information on the standard contractual clauses used can be downloaded from the respective websites of the service providers we use:

7. When do we delete your data?

We delete your data when it is no longer needed for the purposes for which it was originally collected.

Irrespective of this, we store your data processed when you purchase our products or use our Services until the expiry of the statutory or possible contractual warranty rights. After expiry of this period, we retain the information of the contractual relationship required by commercial and tax law for the periods determined by law. For this period, the data will be processed again solely in the event of an audit by the tax authorities.

8. Your rights

In relation to our processing of your personal data, you have the following rights free of charge:

8.1. Right to information pursuant to Art. 15 GDPR

You have the right to receive information from us about whether and what data we process about you. This includes information on how long and for what purpose we process the data, the source of the data and the recipients or categories of recipients to whom we pass on the data. We can also provide you with a copy of this data.

8.2. Right to rectification pursuant to Art. 16 GDPR

You have the right to request that we correct information about you that is not or no longer accurate without delay. In addition, you can request that we complete your incomplete personal data. If required by law, we will also inform third parties of this correction if we have disclosed your personal data to them.

8.3. Right to erasure pursuant to Art. 17 GDPR

You have the right to request that we delete your personal data without delay in one of the following cases:

  • your data is no longer necessary for the purposes for which it was collected or otherwise processed or the purpose has been achieved;
  • you withdraw your consent and there is no other legal basis for the processing;
  • you object to the processing and there are no overriding legitimate grounds for the processing; where personal data is used for direct marketing, a mere objection by – you to the processing is sufficient;
  • your personal data have been processed unlawfully;
  • the erasure of your personal data is necessary for compliance with a legal obligation under European Union law or the law of a member state to which we are subject.

Your right to erasure may be restricted on the basis of statutory provisions. This includes in particular the restrictions listed in Art. 17 GDPR and section 35 BDSG.

8.4. Right to restriction of processing pursuant to Art. 18 GDPR

You have the right to request us to restrict the processing of your personal data if one of the following reasons applies:

  • you contest the correctness of your personal data for a period of time which allows us to verify the correctness of the personal data;
  • the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of your personal data;
  • we no longer need your personal data for the purposes of processing; however, you need it for the assertion, exercise or defence of legal claims; or
  • You have objected to the processing as long as it has not yet been determined whether our legitimate grounds outweigh yours.

If you have obtained a restriction on processing under the above list, we will inform you before the restriction is lifted.

8.5. Right to data portability pursuant to Art. 20 GDPR

You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to others. The exercise of this right does not affect your right to erasure.

8.6. Right to object pursuant to Art. 21 GDPR

According to Art. 21 GDPR, you have in particular the right to object to the processing of your data at any time for reasons arising from your particular situation, if we base this processing on legitimate interests pursuant to Art. 6 para. 1 lit. (f) GDPR. If you object, we will no longer process your personal data, except in two cases:

  • we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms, or
  • the processing serves the assertion, exercise or defence of legal claims.

In particular, if we process your personal data for direct marketing, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.

8.7. Right to revoke consent pursuant to Art. 7 GDPR

You can revoke your consent given to us at any time with effect for the future. This revocation can be made in the form of an informal communication to the above contact addresses. If you revoke your consent, the legality of the data processing carried out up to that point will not be affected.

8.8. Right to complain to the supervisory authority

If you believe that the processing of your data by us violates applicable data protection law, you have the right to lodge a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information (“Berliner Beauftragte für Datenschutz und Informationsfreiheit”)

Friedrichstr. 219

10969 Berlin

Phone: 030 13889-0

Fax: 030 2155050

Email: mailbox@datenschutz-berlin.de

In addition, you can complain to the data protection supervisory authority responsible for you at your place of residence. You can find an overview of data protection supervisory authorities at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

9. Automated decisions in individual cases including profiling pursuant to Art. 22 GDPR

We do not process your data for automated decisions in individual cases, including profiling within the meaning of Art. 22 GDPR.

Last updates

Date of changeChangeNotes
November 26, 2024Changed data protection officer

Added: Apollo.io, Chargebee LogRocket, Mouseflow.
Removed: Intercom, Stripe, Hotjar, Jira, Vonage.
Changed: Sendgrid to Twilio (acquired by Twilio).		Update notice