Privacy policy for Cigaro app and Cigaro website

I, Christian Fauner, owner of the company h-app-y and developer of the Cigaro app and Cigaro website, hereby explain below which personal data is (can) be collected in the course of using the Cigaro app or Cigaro website.
  1. Name and address of the responsible person

    h-app-y
    Christian Thomas Fauner
    Karl-Russell-Str. 30
    56070 Koblenz
    Germany
    Tel.: +49 (0) 178 697 4902
    E-Mail: kontakt@h-app-y.de

  2. Categories of data

    The following personal data may be processed in the course of using the Cigaro app and/or Cigaro website:

    • Contact details (e.g. email address)
    • Content data (e.g. user input within the Cigaro app)
    • Contract data (e.g. subject of contract, term, customer category)
    • Usage data (e.g. calls to app functions/websites, access times)
    • Meta/communication data (e.g. device information, IP addresses)
    • Inventory data (e.g. names, addresses)
    • Payment data (e.g. bank details, invoices)
  3. Affected persons

    Personal data is collected from the following persons.

    • Users of the Cigaro app, users of the Cigaro website
    • Customers (optional in-app purchases)
    • Interested people/parties
  4. Processing purposes

    • Provision of the Cigaro app/Cigaro website and user-friendliness.
    • Security measures
    • Provision of contractual services and customer service
    • Answering and managing requests
  5. Legal bases

    The processing of your data is based on the legal bases

    1. Art 6 par.1 GDPR b: The processing is necessary for the performance of the contract and pre-contractual requests.
    2. Art 6 para. 1 GDPR f: Legitimate interests. The collection of this data takes place, for example, for the purpose of the operation or optimization of the app or website. Without this data being collected, the operation of the app/website is not possible. The data is collected, for example, for the purpose of communicating with interested parties, customers.
  6. User account

    For the full use of the Cigaro app, the creation of a customer account is required.
    For this purpose, the following data is collected:

    • E-mail address of the user
    • IP address of the retrieving client (device of the user)
    • Registration date and time


    The user account can be deleted within the app. In this case all account data will be completely removed.
    I am not obliged to keep this data.

    • Types of data processed: inventory data (e.g. e-mail), contact data (e.g. e-mail), meta/communication data (e.g. IP addresses).
    • People affected: Cigaro app users.
    • Purposes of processing: Providing contractual services and customer service, security measures, administration and responding to requests.
    • Legal bases: Art 6 para.1 GDPR b: Contract performance and pre-contractual requests, Art 6 para.1 GDPR f: Legitimate interests. Without the collection of the data, no user accounts can be created and managed, which are absolutely necessary for the general, secure operation of the app.
  7. Provision of the app and website

    Communication with backend servers:

    The Cigaro app communicates with an API (programming interface) developed by me, which is provided on a server of the web hosting provider STRATO. The website you're actually visiting is also hosted by STRATO. Communication with the STRATO server takes place via SSL encryption (https). The data that is processed during communication with the STRATO server, is the IP address of the calling client (end device of the user) and, if applicable, entries made by the user within the Cigaro app.

    E-mail sending and receiving:

    Emails are sent to create and manage user accounts for the Cigaro app, which is also done by the server hosted by STRATO. The email addresses of Cigaro users are processed for this purpose.

    Server-Logs:

    My web hosting provider STRATO collects data with every server access (server log files). The following data is collected:

    • Name of the requested file
    • Date and time of the file request
    • anonymized IP address of the caller/user
    • Internet provider of the caller/user
    • Browser type and browser version of the caller/user
    • Operating system and name of the end device
    • Referrer URL (the previously visited page)

    Server log files may be used for security purposes to prevent server overload due to attacks and/or to ensure server stability.
    Deletion of data: Log file information is stored for a maximum of 42 days and then deleted, unless the retention of the data is necessary for evidentiary purposes.

    • Types of data processed: Content data (e.g. user input within the Cigaro app), contact data (email), usage data (e.g. API calls, web pages visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
    • Affected persons: Users of the Cigaro App, Users of the Cigaro website
    • Purpose of Processing: Providing the Cigaro app and the Cigaro website, user experience.
    • Legal basis: Art 6 para.1 GDPR f: Legitimate interests. For the provision of the Cigaro app and Cigaro website and for the optimization of the infrastructure and system security the cooperation with a hosting service and the logging and processing of the aforementioned data is unavoidable.

    More about the privacy policy of the hosting provider used by the API of the Cigaro app Hosting provider STRATO AG, Berlin, Germany

    https://www.strato.de/datenschutz/

    There is an order data processing agreement between h-app-y and STRATO, which obligates STRATO to handle the data responsibly. The processing of your data is based on the legal grounds.

  8. Payment methods for in-app products

    In the case of in-app purchases, the Cigaro app itself does not collect any personal data. This data, in particular data for electronic payment processing, are only collected and processed directly by the relevant app store. Please refer to the privacy statements of the respective app stores/payment providers:

    Google Play Store: https://policies.google.com/privacy

    Apple App Store: https://www.apple.com/de/legal/privacy/data/de/app-store/

    PayPal: https://www.paypal.com/webapps/mpp/ua/privacy-full

    • Types of data processed: Inventory data (e.g., names, addresses), Payment data (e.g. bank details, invoices, payment history), Contract data (e.g. subject matter of contract, term, customer category). Usage data (e.g. websites visited, interest in content, access times) meta/communication data (z.B. Device info, IP adresses) Contact data (e.g. e-mail, telephone numbers).
    • Affected Persons: Customers: Users of the Cigaro app who make in-app purchases.
    • Purposes of processing: Provision of contractual services and customer service.
    • Legal basis: Art 6 para.1 GDPR b: Contract performance and pre-contractual requests.
  9. Contact requests

    If you contact me via email or phone, your request, including your resulting personal data (name, phone number, request, etc.) will be stored and processed for the purpose of communication with customers and prospects. The data will be stored until you request me to delete it, revoke your consent to store it, or the purpose of storing the data no longer applies. The data will not be passed on without your consent. Unless I am required by law to do so.

    • Types of data processed: Contact data (e.g. email, phone number), Content data (e.g. your request
    • People affected: Prospective customers, clients.
    • Purposes of processing: Customer service, administration and response to requests.
    • Legal bases: Art 6 para.1 GDPR f: Legitimate interests. The data is needed to process the request of the interested party.
  10. Safety measures

    As already mentioned under VII. all communication with the backend server will be SSL-encrypted.

    In addition, to ensure the technical functionality, JSON JSON Web Tokens (JWT) are used for authentication.

    JWT is an open standard (RFC 7519) that enables compact and self-contained information exchange between parties via a JSON object. This information is digitally signed. JWTs are encrypted to ensure secrecy between the exchanging parties.

    The passwords for the user accounts are stored exclusively in encrypted form.

  11. Advertisement

    Advertising banners are displayed for non-subscribers. In the course of displaying these advertising banners, no personal data or user tracking is transmitted.

  12. Photographs

    Any photos taken in the course of a smoking protocol (feature of the Cigaro app) will not be transmitted to my server or any other third parties and are not viewable by anyone except the user himself. They are only stored on the end device (smartphone/tablet, etc.) of the user.

    Since Cigaro version 1.6 you can upload the pictures to my server afterwards. However, the pictures are only visible to your user account, and are not accessible to others.

  13. Rights of the affected persons

    • Right of access under Art 15 GDPR:
      You have the right to obtain confirmation about whether and which of your data are being processed.
      You have the right to be informed about the purpose of the processing, the origin and nature of the data, the storage period, the use of profiling, security measures during storage, as well as forwarding to third countries.
    • Right to rectification according to Art 16 GDPR:
      You have the right to correct any incorrect, personal data that we have about you.
    • Right to erasure in accordance with Article 17 GDPR:
      You have the right to have your personal data held by us deleted.
    • Right to restriction of processing according to Art 18 GDPR:
      You have the right to request the suspension of the processing of all your personal data temporarily or permanently.
    • Right to information according to Art 19 GDPR:
      You have the right to obtain that we communicate to all recipients to whom personal data have been disclosed any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort. We will inform you of these recipients if you request so.
    • Right to data portability according to Art 20 GDPR:
      You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided.
      (1) the processing is based on consent pursuant to Art 6(1) GDPR a or Art 9(2) GDPR a or on a contract pursuant to Art 6(1) GDPR b and
      (2) the processing is carried out with the help of automated procedures. In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one controller to another controller, where technically feasible. Freedoms and rights of other persons shall not be affected thereby.
    • Right to object under Art 21 GDPR:
      You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Article 6(1) GDPR e or f; this also applies to profiling based on these provisions.
      The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
      If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
      If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
      You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures involving the use of technical specifications.
    • Automated individual decision-making, including profiling pursuant to Article 22 of the GDPR:
      You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you
    • Right to lodge a complaint with a supervisory authority pursuant to Art 77 GDPR:
      Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.