Privacy policy
Last updated:
A. General provisions on data processing
1. Subject matter of this Privacy Policy
We, Forstify Digital GmbH, are pleased about your interest in Forstify. This Privacy Policy informs you about the processing of personal data when you use
- our website forstify.com,
- our apps for mobile devices and desktop (iOS, Android, Windows, macOS), and
- our online platform Forstify.
The protection of your personal data is important to us. The processing of personal data – such as name, address or email address – is always carried out in accordance with the General Data Protection Regulation (GDPR) and the applicable national provisions. Below we inform you about the nature, scope and purpose of the data we collect and process, as well as the accompanying technical and organisational protective measures.
Although we have implemented numerous technical and organisational measures, internet-based data transmission can in principle have security gaps, so that absolute protection cannot be guaranteed.
2. Definitions
This Privacy Policy uses terms defined by the legislator in the General Data Protection Regulation (GDPR). You can access the full text of the GDPR here:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
3. Name and address of the controller
The controller within the meaning of data protection law is:
Forstify Digital GmbH
Adessoplatz 1
44269 Dortmund, Germany
Phone: +49 2931 8482979
Email: info@forstify.de
Managing Director: Christian Kaulich
4. Our role in processing – controller and processor
For processing that we carry out for our own purposes – in particular the operation of the website, the management of user accounts, the performance of contracts, invoicing and communication with you – we act as the controller within the meaning of Art. 4(7) GDPR.
Insofar as you, as a business user, enter your own content into the platform – in particular measurement data, photos, uploaded documents and the optional name fields (e.g. forest owner, buyer, forester or contractor) – such content may contain personal data of third parties. With regard to this content we act as a processor pursuant to Art. 28 GDPR and process the data exclusively on your instructions in order to provide you with the contractually agreed functions. You are the controller of this content; you are responsible for ensuring that a legal basis exists for entering and processing personal data of third parties. Upon request, we will provide you with a data processing agreement (DPA).
5. Erasure and restriction / storage period
Unless otherwise stipulated for the respective processing in Part B, the data stored by us is erased as soon as it is no longer required for its purpose and no statutory retention obligations preclude erasure. Where data is not erased because it is required for other and legally permissible purposes, its processing is restricted (blocked). In accordance with statutory requirements, retention is regularly for six years pursuant to Section 257(1) of the German Commercial Code (HGB) and for ten years pursuant to Section 147(1) of the German Fiscal Code (AO). A summary overview of the storage periods can be found in Part B, Section 4.
6. Rights of the data subject
6.1 Right to confirmation
Every data subject has the right granted by the European legislator to obtain from the controller confirmation as to whether personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they may contact us at any time.
6.2 Right of access
Every data subject has the right to obtain from the controller, free of charge at any time, information about the personal data stored concerning them and a copy of this information. Furthermore, the data subject is entitled to information about the following:
- the purposes of processing
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period
- the existence of a right to rectification or erasure of the personal data concerning them, or to restriction of processing by the controller, or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- where the personal data is not collected from the data subject: any available information as to the source of the data
- the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
The data subject also has the right to obtain information as to whether personal data has been transferred to a third country or to an international organisation. Where this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transfer. If a data subject wishes to exercise this right of access, they may contact us at any time.
6.3 Right to rectification
Every data subject has the right to obtain the rectification, without undue delay, of inaccurate personal data concerning them. Furthermore, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. If a data subject wishes to exercise this right to rectification, they may contact us at any time.
6.4 Right to erasure
Every data subject has the right to obtain from the controller the erasure, without undue delay, of personal data concerning them, where one of the following grounds applies and insofar as the processing is not necessary:
- The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws the consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR.
- The personal data was processed unlawfully.
- The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data was collected in relation to information society services offered pursuant to Art. 8(1) GDPR.
Where one of the above grounds applies and a data subject wishes to arrange for the erasure of personal data stored by Forstify Digital GmbH, they may contact us at any time. We will ensure that the erasure request is complied with without undue delay.
Where the personal data has been made public by Forstify Digital GmbH and our company, as controller pursuant to Art. 17(1) GDPR, is obliged to erase the personal data, Forstify Digital GmbH will, taking account of available technology and the cost of implementation, take reasonable measures, including technical measures, to inform other controllers processing the published personal data that the data subject has requested the erasure of any links to, or copies or replications of, such personal data, insofar as processing is not required. We will arrange what is necessary in each individual case.
6.5 Right to restriction of processing
Every data subject has the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject opposes the erasure of the personal data and requests instead the restriction of its use.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Art. 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
Where one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by Forstify Digital GmbH, they may contact us at any time. We will then arrange for the restriction of processing.
6.6 Right to data portability
Every data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, where the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, in exercising the right to data portability pursuant to Art. 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others. To exercise the right to data portability, the data subject may contact us at any time.
6.7 Right to object
Every data subject has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them which is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions. In the event of an objection, Forstify Digital GmbH will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims. Where Forstify Digital GmbH processes personal data for direct marketing purposes, the data subject has the right to object at any time to such processing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to Forstify Digital GmbH processing for direct marketing purposes, Forstify Digital GmbH will no longer process the personal data for these purposes. To exercise the right to object, the data subject may contact us directly.
6.8 Automated decision-making in individual cases, including profiling
Every data subject has the right granted by the European legislator not to be subject to a decision based solely on automated processing – including possible profiling – which produces legal effects concerning them or similarly significantly affects them, provided that the decision is not necessary for entering into, or performing, a contract between the data subject and the controller, is not authorised by Union or Member State law to which the controller is subject, and is not based on the data subject's explicit consent. If the data subject wishes to assert rights with regard to automated decision-making, they may contact us at any time.
6.9 Right to withdraw consent under data protection law
Every data subject has the right to withdraw consent to the processing of personal data at any time. If the data subject wishes to exercise the right to withdraw consent, they may contact us at any time. Every data subject may contact us directly at any time with all questions and suggestions regarding data protection.
6.10 Right to lodge a complaint with a supervisory authority
Every data subject has the right to lodge a complaint with a data protection supervisory authority about our processing of their personal data. The supervisory authority responsible for us is:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
https://www.ldi.nrw.de
7. Legal basis for processing
Unless otherwise stated in the description of the respective processing operation in Part B below, the following provisions apply. Art. 6(1)(a) GDPR serves Forstify Digital GmbH as the legal basis for processing operations for which we obtain consent for a specific purpose. Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the processing is based on Art. 6(1)(b) GDPR. The same applies to processing operations necessary for the performance of pre-contractual measures, for example in the case of enquiries about our services and products. Where Forstify Digital GmbH is subject to a legal obligation requiring the processing of personal data, the processing is based on Art. 6(1)(c) GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person; in that case the processing is based on Art. 6(1)(d) GDPR. Finally, processing operations may be based on Art. 6(1)(f) GDPR. This legal basis covers processing operations not captured by any of the aforementioned legal bases, where the processing is necessary to safeguard a legitimate interest of Forstify Digital GmbH or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override such interest.
8. Consideration of legitimate interests
Unless otherwise stipulated in the description of the respective processing operation in Part B of this Privacy Policy, and where the processing of personal data is based on Art. 6(1)(f) GDPR, our legitimate interest lies in conducting our business activities, the security and functionality of our services, and the associated economic interest.
9. Contacting us
If you use the contact details provided on our website (such as our email address or telephone number) to contact us, the personal data you transmit will be processed only for the purpose pursued with the contact. Where the reason for contacting us lies in your interest in our services or products, or in the performance of an existing contract with us, the legal basis is Art. 6(1)(b) GDPR. In all other cases of contact, we have a legitimate interest pursuant to Art. 6(1)(f) GDPR in processing the data on the basis of the communication initiated by you. The data required for contract processing is stored by us until the expiry of the statutory warranty periods and, where applicable, contractual guarantee periods. Data required under commercial and tax law is retained for the statutorily defined periods, regularly ten years (cf. Section 257 HGB, Section 147 AO). Personal data stored by us on the basis of a legitimate interest is stored until the purpose pursued with the contact has been achieved.
10. Job applications
We collect and process the personal data of applicants for the purpose of conducting the application procedure and thus on the basis of a pre-contractual measure within the meaning of Art. 6(1)(b) GDPR, or our legitimate interest pursuant to Art. 6(1)(f) GDPR in recruiting staff. Processing may also take place electronically, for example where an applicant submits application documents to us electronically, e.g. by email or via our contact form. If we conclude an employment contract with an applicant, the transmitted data is stored for the purpose of processing the employment relationship in compliance with statutory provisions. If no employment contract is concluded with the applicant, the application documents are automatically erased two months after notification of the rejection decision, unless other legitimate interests preclude erasure. A legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the German General Equal Treatment Act (AGG).
11. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy at any time with effect for the future, for example in the event of changes to our services or to the legal situation. The current version is always available on this page.
12. Applicable law and binding language version
German law applies to this Privacy Policy and to the processing of personal data, subject to the GDPR. The German version of this Privacy Policy is authoritative and legally binding; translations into other languages are provided for your information only.
B. Specific provisions on data processing
B.1 Website (forstify.com)
1.1 Hosting and server log files
Our website is hosted as a static site by Vercel Inc. With each access, the hosting service collects the technically necessary access data that your browser automatically transmits: IP address, date and time of the request, the page accessed, the HTTP status code, the volume of data transferred, the website from which the request originates, and the browser type and operating system. This processing is necessary for the stable and secure provision of the website; the legal basis is Art. 6(1)(f) GDPR. The log files are stored only for a short period in accordance with the hosting provider's standard settings.
1.2 Cookies
Our website does not use any cookies requiring your consent and no tracking that would require a cookie banner. At most, technically necessary information required for the operation of the site is processed (Art. 6(1)(f) GDPR).
1.3 Reach measurement with Umami
To statistically evaluate the use of our website, we use Umami – a cookieless analytics software that we host ourselves. Umami does not create personal profiles and does not set cookies; only anonymised usage data is evaluated in aggregated form. The legal basis is our legitimate interest in the needs-based design and improvement of our website pursuant to Art. 6(1)(f) GDPR.
1.4 Videos (YouTube in enhanced privacy mode)
On individual pages we embed videos via YouTube. The videos are loaded only after a click and in enhanced privacy mode (youtube-nocookie.com); no data is transmitted to YouTube before playback. When you start a video, your browser establishes a connection to Google's servers. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis for loading the video is your consent pursuant to Art. 6(1)(a) GDPR, which you give with the click. Further information: https://policies.google.com/privacy.
1.5 Contact form
You can send us a message via our contact form. The mandatory fields are your name, your email address, a subject/topic and your message; providing a telephone number is optional. The information is used exclusively to process your enquiry. Sending is carried out via our email service provider (see Section B.3). The legal basis is Art. 6(1)(b) GDPR insofar as your enquiry serves the initiation of a contract, otherwise our legitimate interest in responding to your enquiry pursuant to Art. 6(1)(f) GDPR. To protect against spam, we use a hidden form field ("honeypot").
1.6 Social plugins
No "social plugins" (e.g. buttons of social networks that transmit data to third parties when the page is loaded) are used on our website. Any references to our profiles on social networks are plain links; data is transmitted to the respective networks only when you actively click the link.
B.2 App and platform
2.1 Registration and user account
To use the platform, you create a user account. In doing so, we process the account data required for the performance of the contract (e.g. name, email address, company and login credentials). The legal basis is Art. 6(1)(b) GDPR. You can delete your account and the associated data at any time in the "My Account" area or in your profile (see Section 2.12).
2.2 Login via third-party providers (social login)
Optionally, you can log in via a third-party provider – currently via "Sign in with Google" and "Sign in with Apple"; further providers (e.g. Microsoft) may be added in the future. If you choose this option, we exchange the data required for login (e.g. name, email address and a provider identifier) with the respective provider. The legal basis is Art. 6(1)(b) GDPR (provision of the login method you have chosen). The providers are Google Ireland Limited and Apple Inc.; their privacy notices apply in addition.
2.3 Content created by the user: measurement data, photos and documents
As part of using the service, you create and manage your own content – in particular timber measurements, photos and uploaded documents (e.g. delivery notes or invoices). Insofar as you fill in optional name fields (forest owner, buyer, forester, contractor) or upload documents containing personal data of third parties, we process this as a processor on your behalf (see Part A, Section 4). The content is stored in encrypted form within the European Union (Microsoft Azure, EU region). Your photos and measurements are accessible only to you, unless you choose to share a measurement via a team or a share link (see Section 2.5).
For offline use, the app additionally stores your data locally on your device (e.g. synchronised measurement data and personal settings). This locally stored data remains within your control and is synchronised with our servers as soon as a connection is available; you can remove it by deleting the app or the app data in your device's system settings.
2.4 Location data
If you permit it, the app processes precise location data exclusively for the purpose of recording the location of a measurement or log pile when you trigger this. No location tracking or movement analysis beyond this takes place. The legal basis is Art. 6(1)(b) GDPR. You can revoke access to your location at any time in your device's system settings.
2.5 Sharing, teams and invitations
You can share measurements with other Forstify users via a share link or within a team. You decide for yourself which data is shared. For content shared within a team, control over the shared data lies with the team owner; data you have entered into a team may therefore remain with the team owner even after you delete your account. If you invite a person to a team, we store their email address to send and manage the invitation; invitations that are not accepted expire automatically after a period of time. The legal basis is Art. 6(1)(b) GDPR or our legitimate interest in providing the collaboration features pursuant to Art. 6(1)(f) GDPR.
2.6 Marketplace
Via the marketplace you can post offers and requests and trade with other users. Only once two users have agreed on a price are the contact details of the two parties required to complete the transaction disclosed to each other, so that the deal can be concluded. The legal basis is Art. 6(1)(b) GDPR.
2.7 Map display (Google Maps)
Within the app we use Google Maps to display locations on a map. In doing so, data (e.g. your IP address and the location/search queries required for the map display) is transmitted to Google. The provider is Google Ireland Limited; a transfer to the USA is possible. Use is for the provision of the map function you have called up, on the basis of Art. 6(1)(b) GDPR or our legitimate interest in a functional map display pursuant to Art. 6(1)(f) GDPR.
2.8 Push notifications
Our apps can send you push notifications. You receive these only if you have granted permission via the standard system dialog of iOS or Android; you can revoke the permission at any time in your device's system settings. For delivery, we process a device identifier (push token) via the Firebase Cloud Messaging service of the Google group. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR (system dialog).
2.9 Crash diagnostics
To ensure the stability of our apps and to troubleshoot errors, we use Firebase Crashlytics of the Google group. In the event of an error, diagnostic data (e.g. device and crash information) is transmitted. The legal basis is our legitimate interest in stable and secure operation pursuant to Art. 6(1)(f) GDPR.
2.10 Payment processing (Stripe)
For paid services, we process payments via the payment service provider Stripe. The entry of payment or card data takes place exclusively on the pages hosted by Stripe; card data is not processed or stored on our servers. The data required for payment processing (e.g. name, email address, invoice and transaction data) is transmitted to Stripe. The provider is Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The legal basis is Art. 6(1)(b) GDPR and our legitimate interest in secure and efficient payment processing pursuant to Art. 6(1)(f) GDPR. Further information: https://stripe.com/privacy.
2.11 Emails to our users
We send you emails that relate directly to your use of Forstify – in particular transaction-related messages (e.g. regarding operations you have triggered) and information about important functional and product updates to our app. This is not a general newsletter. The legal basis for transaction-related emails is Art. 6(1)(b) GDPR. For information about our own similar products to existing customers, we rely on Section 7(3) of the German Unfair Competition Act (UWG) in conjunction with our legitimate interest pursuant to Art. 6(1)(f) GDPR. You may object to receiving these emails at any time, without incurring any costs other than the transmission costs at the basic rates; every email contains an unsubscribe link. Sending is carried out via our email service provider (see Section B.3).
2.12 Deletion of your account
You can delete your user account yourself at any time in your profile or in the "My Account" area. Upon deletion, your profile and account data is erased. Excepted from this are invoice and payment records, which we are required to retain for the statutorily prescribed periods due to commercial and tax law obligations (see Section 4), as well as data you have entered into a team, which is subject to the control of the team owner (see Section 2.5).
B.3 Processors and transfers to third countries
To provide our services, we use carefully selected service providers with whom we have – where necessary – concluded data processing agreements pursuant to Art. 28 GDPR. Insofar as personal data is transferred to a third country (in particular the USA), this is carried out on the basis of the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (SCC) in order to ensure an adequate level of data protection. The main recipients are:
- Microsoft Azure – hosting of the platform, storage of account and content data (incl. photos); storage location: EU region.
- Vercel Inc. – hosting of the website and the contact form; USA (DPF/SCC).
- Stripe Payments Europe Ltd. – payment processing; EU / USA (DPF/SCC).
- Google Ireland Ltd. / Google LLC – push notifications (Firebase Cloud Messaging), crash diagnostics (Crashlytics), map display (Google Maps), "Sign in with Google" login; USA (DPF/SCC).
- Apple Inc. – "Sign in with Apple" login; EU / USA (DPF/SCC).
- Intuit (Mailchimp / Mandrill) – sending of emails (contact form, transaction- and product-related emails); USA (DPF/SCC).
We host our cookieless reach measurement (Umami) ourselves; no transfer to third parties takes place in this respect.
B.4 Overview of storage periods
The following overview summarises the storage periods by data category:
- User account and content created by you (measurements, photos, documents): for the duration of the contract or until you delete it.
- Invoice and payment records: 6 or 10 years (Section 257 HGB, Section 147 AO).
- Server log files (website/hosting): short-term, in accordance with the hosting provider's standard settings.
- Crash reports: short-term.
- Contact form enquiries: until your enquiry has been dealt with.
- Team invitations: until acceptance or automatic expiry.
- Product/update emails: until your objection or unsubscription.
B.5 Security measures
We take organisational, contractual and technical security measures in line with the state of the art to protect the data we process against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. This includes in particular the encrypted transmission of data between your device and our servers, as well as storage within the European Union.