Privacy Policy for Groupsheets

Last Updated: 13 April 2024

This privacy policy pertains to the groupsheets platform operated by Contaction AG. This application can be accessed via the web address https://groupsheets.com.

Privacy is of utmost importance to the management of Contaction AG. The use of groupsheets is generally possible without any provision of personal data. However, if an individual wishes to utilize specific services of our company through our website, the processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, we always seek the consent of the individual concerned.

The processing of personal data, such as the name, address, email address, or telephone number of an individual, always complies with the General Data Protection Regulation (GDPR) and aligns with country-specific data protection regulations applicable to Contaction AG. Through this privacy statement, our company intends to inform the public about the nature, extent, and purpose of the personal data we collect, use, and process. Furthermore, individuals are informed about their rights through this privacy statement.

As the entity responsible for the processing, Contaction AG has implemented a number of technical and organizational measures to ensure the most complete protection possible for personal data processed via this website. However, data transmissions over the internet may in general have security gaps, so absolute protection cannot be guaranteed. For this reason, every individual is free to transmit personal data to us via alternative methods, for example, by telephone.

1. Definitions

The privacy statement of Contaction AG is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy statement is intended to be easily readable and understandable for the public, as well as our customers and business partners.

2. Name and Address of the Data Controller

In accordance with the General Data Protection Regulation, other data protection laws applicable in Member states of the European Union and other provisions with a data protection character, the controller is:

Contaction AG
Oberbühl 45
9487 Gamprin
Liechtenstein

Phone: +423 78 403 63
E-mail: info@contaction.li
Website: https://contaction.li

3. Cookies and Other Techniques for Storing Data on Your Device

Groupsheets uses cookies and two other techniques for storing certain data on the device that you use to access groupsheets (e.g., your mobile phone, tablet, or laptop). The other two techniques are IndexedDB and Local Storage.

Purposes of Storage

Each type of local data storage serves one of the following purposes:

a. Facilitate Access to groupsheets
b. Enable Secure Login
c. Speed Up and Simplify Your Interaction with Groupsheets

For this purpose, the application stores content that you have previously loaded or entered onto your device and may want to access later. The main examples are:

This type of local storage ensures that you can immediately access previously visited groupsheets in the way you prefer as soon as you open the application, without waiting for a server response, even when you currently have no internet connection.

What We Do Not Use Locally Stored Data For

Third parties cannot access the data stored locally on your device. We use these data only in the manner described above. In particular, we do not share them with third parties and do not use them for advertising purposes.

4. Collection of General Data and Information

Every time the Contaction website is accessed by an individual or an automated system, some general data and information is captured and stored in the server's log files. It can include the (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (the so-called referrer), (4) the sub-pages accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information used for threat prevention in case of attacks on our information technology systems.

When using this general data and information, Contaction AG does not draw any conclusions about the individual involved. Instead, this information is necessary to (1) correctly deliver the content of our website, (2) optimize the content of our website and the advertising for it, (3) ensure the lasting functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the necessary information for criminal prosecution in the event of a cyberattack. Therefore, this anonymously collected data and information is evaluated statistically and also with the aim of increasing data protection and data security in our company, ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data from the server log files are stored separately from all personal data provided by an individual.

5. Signing In

To visit a groupsheets project where access is restricted to specific individuals, you must sign in with your Contaction account. If you have linked your account to your Google or Microsoft account, the privacy policy of the company in question must be observed. the The groupsheets software, however, has no access to data stored by the other company except for your first and last name and the email address and avatar associated with that account.  Moreover, the other company knows nothing about your use of groupsheets except for the fact that you have registered via your account with them and are logged in during certain periods of time. In particular, the other company cannot know which groupsheets you have visited or what content you may have inserted.

6. Routine Deletion and Blocking of Personal Data

The data controller processes and stores the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject.

If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.

7. Rights of the Data Subject

a) Right to Confirmation

Every person affected by the processing of personal data has the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning them are being processed. If a data subject wishes to avail themselves of this right of confirmation, they may, at any time, contact any employee of the controller.

b) Right to Information

In addition, every person affected by the processing of personal data has the right granted by the European legislator to obtain from the data controller free information about their personal data stored at any time and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information:

c) Right to Rectification

Every person affected by the processing of personal data has the right granted by the European legislator to obtain the immediate rectification of inaccurate personal data concerning them. Furthermore, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement, considering the purposes of the processing.

If a data subject wishes to exercise this right to rectification, they may, at any time, contact any employee of the controller.

d) Right to Deletion (Right to Be Forgotten)

Every person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to demand that the controller promptly delete the personal data concerning them, provided one of the following reasons applies and as long as processing is not necessary:

e) Right to Restriction of Processing

Every person affected by the processing of personal data has the right has the right, granted by the European directive and regulatory authority, to demand that the controller restrict processing if one of the following conditions applies:

f) Right to Data Portability

Every person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to receive the personal data concerning them, which have been provided by the person concerned to a controller, in a structured, common and machine-readable format. They also have the right to transmit these data to another controller without hindrance from the controller to whom the personal data were provided, provided that the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out using automated procedures, provided that the processing is not necessary for the performance of a task that is in the public interest or in the exercise of official authority, which was transferred to the controller.

In addition, in exercising their right to data portability pursuant to Art. 20 Para. 1 GDPR, the person concerned has the right to have the personal data transferred directly from one controller to another, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other people.

To assert the right to data portability, the person concerned can contact an employee of Contaction AG at any time.

g) Right to Object

Every person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them which is based on Article 6 paragraph 1 letters e or f GDPR. This also applies to profiling based on these provisions.

Contaction AG will no longer process personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

In addition, the data subject has the right, for reasons arising from their particular situation, to object to the processing of personal data concerning them that is carried out by Contaction AG for scientific or historical research purposes or for statistical purposes in accordance with Article 89 paragraph 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

To exercise the right to object, the data subject may directly contact any employee of Contaction AG. The data subject is also free to exercise their right to object in connection with the use of information society services, irrespective of Directive 2002/58/EC, by means of automated procedures using technical specifications.

h) Right to Withdraw Data Protection Consent

Every person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to withdraw consent to the processing of personal data at any time.

If the data subject wishes to exercise their right to withdraw consent, they can do so at any time by contacting an employee of the data controller.

8. Payment Method: Data Protection Provisions for PayPal as a Payment Method

The data controller has integrated components of PayPal into the groupsheets platform. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. In addition, PayPal offers the option to process virtual payments via credit cards if a user does not maintain a PayPal account. A PayPal account is managed via an e-mail address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also performs trustee functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.

When the data subject selects "PayPal" as the payment option during the ordering process in our online shop, data of the data subject will be automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transmission of personal data necessary for payment processing.

The personal data transmitted to PayPal usually include first name, last name, address, email address, IP address, telephone number, mobile phone number or other data necessary for payment processing. Personal data related to the respective order are also necessary for the processing of the purchase contract.

The purpose of the data transmission is payment processing and fraud prevention. The data controller will transmit personal data to PayPal, in particular if there is a legitimate interest in the transmission. The personal data exchanged between PayPal and the data controller may be transmitted by PayPal to credit reporting agencies. This transmission is intended for identity and creditworthiness checks.

PayPal may pass on personal data to affiliated companies and service providers or subcontractors as far as this is necessary to fulfill contractual obligations or the data are to be processed on behalf of a third party.

The data subject has the possibility to revoke the consent to the handling of personal data at any time towards PayPal. A revocation does not affect personal data that must be processed, used, or transmitted for (contractual) payment processing.

The current data protection provisions of PayPal can be accessed at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

9. Legal Basis for Processing

Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations necessary for the supply of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, for example, in cases of inquiries about our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and their name, age, health insurance data, or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d GDPR. Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations that are not covered by any of the aforementioned legal grounds, if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He expressed the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 sentence 2 GDPR).

10. Legitimate Interests in Processing Pursued by the Controller or a Third Party

If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is to carry out our business activities for the benefit of the well-being of all our employees and any shareholders.

11. Duration for Which the Personal Data Will Be Stored

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data will be routinely deleted, provided they are no longer required for the fulfillment of the contract or the initiation of a contract.

12. Legal or Contractual Regulations for the Provision of Personal Data; Necessity for the Conclusion of the Contract; Obligation of the Data Subject to Provide the Personal Data; Possible Consequences of Non-Provision

We inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may also result from contractual regulations (e.g., information about the contractual partner). Occasionally, it may be necessary for a contract to be concluded that a data subject provides us with personal data that must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company concludes a contract with them. The non-provision of personal data would mean that the contract with the person concerned could not be concluded. Before any such personal data is provided by the data subject, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what consequences the non-provision of personal data would have.

13. Existence of Automated Decision Making

Techniques of automated decision making can be used with the exclusive aim of making your interaction with groupsheets more effective. Here are two examples: