Privacy Policy
Preamble
With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").The terms used are not gender-specific.
Last Update: 3. December 2024
Table of contents
Controller
iScience Research Group / University of KonstanzUniversitätsstraße 10
78464, Constance, GermanyAuthorised Representatives: Yury ShevchenkoE-mail address: yury.shevchenko@uni.knPhone: (49) 178 418 81 54Legal Notice: https://samply.uni-konstanz.de/docs/legalnotice
Overview of processing operations
The following table summarises the types of data processed, the purposes for which they are processed and the concerned data subjects.Categories of Processed Data
Categories of Data Subjects
Purposes of Processing
Legal Bases for the Processing
In the following we inform you about the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process personal data. Please note that, in addition to the regulations of the GDPR, the national data protection regulations may apply in your country or in our country of residence or domicile. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.Provision of mobile aplication Samply Research
User Provided Information: The application obtains the information you provide when you download and register the application. Registration with us is mandatory in order to be able to use the basic features of the application. When you register with us and use the application, you provide (a) your email address and password; (b) your smartphone's timezone and language; (c) timestamps for the following events: receving a notification in the app, tapping on the notification in the notification bar, opening a notification in the app, deleting a notification, completing a survey; (d) information you provide us when you contact us for help; (e) information you enter into our system when using the application, such as when joining a study; (f) your current location information and timestamps for geofencing events when using the application and when the application is closed, if you participate in a study that uses geofencing.
Using your current location at the background: Some of the studies may require sending you a link to online surveys when you enter or leave a particular location (e.g., workplace). For this reason, if you join a study that uses type of contact with participants, you will be asked to allow constant location tracking. If you agree, the application will continuously track your location even when the application is closed. The application will not share your location data with third party services or researchers. Your location information will be only used to trigger notifications with links to online surveys that are created by researchers. You can always enable or disable location tracking for a specific study within the application. If you do not want us to use your location for the above purposes, you should turn off the location services for the mobile application located in your account settings or in your mobile phone settings and/or within the mobile application. Data Retention Policy, Managing Your Information: You can stop all collection of information by the application by deleting your account (under the menu item "More", then "Settings", then "Delete my account") and uninstalling the application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
Provision of online services and web hosting
In order to provide our online services at the Samply website (https://samply.uni-konstanz.de/), we use the infrastructure (web server, computing capacity, storage space, database services, security and technical maintenance services) of the University of Konstanz in Germany. The data processed within the framework of the provision of the website include all information relating to the users of the mobile application Samply Research and the Samply website that is collected in the course of use and communication. Participant data and timestamps of notifications are stored in the secure database and are only accessible to the researchers of the respective study that collected this data. Researchers can delete this data via the Samply website interface. E-mail Sending and Hosting: The web hosting services we use also include sending, receiving and storing e-mails. For these purposes, the addresses of the recipients and senders, as well as other information relating to the sending of e-mails (e.g. the providers involved) and the contents of the respective e-mails are processed. The above data may also be processed for SPAM detection purposes. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted during transport, but not on the servers from which they are sent and received (unless a so-called end-to-end encryption method is used). We can therefore accept no responsibility for the transmission path of e-mails between the sender and reception on our server.Collection of Access Data and Log Files: We, ourselves or our web hosting provider, collect data on the basis of each access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider.The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers .Data Retention Policy, Managing Your Information: Website users (researchers and participants) can manage their accounts via the Samply website interface. Users can delete their account using the menu item "Account", then "Delete my account".Security Precautions
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.Masking of the IP address: In general, the IP addresses of researchers and participants are not recorded and stored. In the event that this should happen in the future, we will shorten your IP address or have it shortened. When the IP address is shortened, also known as "IP masking", the last octet, i.e. the last two numbers of an IP address, is deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). With the shortening of the IP address, the identification of a person on the basis of their IP address is to be prevented or made considerably more difficult.SSL encryption (https): In order to protect your data transmitted via our online services in the best possible way, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.Transmission and Disclosure of Personal Data
In the context of our processing of personal data, it may happen that the data is transferred to other places, companies or persons or that it is disclosed to them. Recipients of this data may include, for example, payment institutions within the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are embedded in a website. In such a case, the legal requirements will be respected and in particular corresponding contracts or agreements, which serve the protection of your data, will be concluded with the recipients of your data.Data Processing in Third Countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.Subject to express consent or transfer required by contract or law, we process or have processed the data only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission or if certifications or binding internal data protection regulations justify the processing (Article 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).Use of Cookies
We do not use third-party cookies or cookies for statistics, marketing and personalisation. We only use necessary (essential) cookies that are required for the operation of a website (e.g. user authentication). Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after his visit within an online service. The information stored can include, for example, the language settings on a website, the login status, a shopping basket or the location where a video was viewed. The term "cookies" also includes other technologies that fulfil the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also referred to as "user IDs").The following types and functions of cookies are distinguished:Commercial Services
The following information on commercial services only applies to researchers who wish to pay participants via the integration of the Samply platform with Stripe.We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as associated actions and communication with the contractual partners or pre-contractually, e.g. to answer inquiries.We process this data in order to fulfil our contractual obligations, safeguard our rights and for the purposes of the administrative tasks associated with this data and the business-related organisation. We will only pass on the data of the contractual partners within the scope of the applicable law to third parties insofar as this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of data subjects concerned (e.g. telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners will be informed about further processing, e.g. for marketing purposes, as part of this privacy policy.Which data are necessary for the aforementioned purposes, we inform the contracting partners before or in the context of the data collection, e.g. in on-line forms by special marking (e.g. colors), and/or symbols (e.g. asterisks or the like), or personally.We delete the data after expiry of statutory warranty and comparable obligations, i.e. in principle after expiry of 4 years, unless the data is stored in a customer account or must be kept for legal reasons of archiving (e.g., as a rule 10 years for tax purposes). In the case of data disclosed to us by the contractual partner within the context of an assignment, we delete the data in accordance with the specifications of the assignment, in general after the end of the assignment.If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.Customer Account: Contractual partners can create a customer or user account. If the registration of a customer account is required, contractual partnerswill be informed of this as well as of the details required for registration. The customer accounts are not public and cannot be indexed by search engines. In the course of registration and subsequent registration and use of the customer account, we store the IP addresses of the contractual partners along with the access times, in order to be able to prove the registration and prevent any misuse of the customer account.If customers have terminated their customer account, their data will be deleted with regard to the customer account, subject to their retention is required for legal reasons. It is the responsibility of the customer to secure their data upon termination of the customer account.The required details are identified as such in the course of the ordering or comparable purchasing process and include the details required for delivery, or other way of making the product aviable and invoicing as well as contact information in order to be able to hold any consultation.Project and Development Services: We process the data of our customers and clients (hereinafter uniformly referred to as "customers") in order to enable them to select, acquire or commission the selected services or works as well as associated activities and to pay for and make available such services or works or to perform such services or works.The required information is indicated as such within the framework of the conclusion of the agreement, order or equivalent contract and includes the information required for the provision of services and invoicing as well as contact information in order to be able to hold any consultations. Insofar as we gain access to the information of end customers, employees or other persons, we process it in accordance with the legal and contractual requirements.Software and Platform Services: We process the data of our users, registered and any test users (hereinafter uniformly referred to as "users") in order to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our offer and to develop it further. The required details are identified as such within the context of the conclusion of the agreement, order or comparable contract and include the details required for the provision of services and invoicing as well as contact information in order to be able to hold any further consultations.
Registration, Login and User Account
Users can create a user account. Within the scope of registration, the required mandatory information is communicated to the users and processed for the purposes of providing the user account on the basis of contractual fulfilment of obligations. The processed data includes in particular the login information (name, password and an e-mail address). The data entered during registration will be used for the purposes of using the user account and its purpose.Users may be informed by e-mail of information relevant to their user account, such as technical changes. If users have terminated their user account, their data will be deleted with regard to the user account, subject to a statutory retention obligation. It is the responsibility of the users to secure their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.Within the scope of using our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.Contacting us
When contacting us (e.g. by contact form, e-mail, telephone or via social media), the data of the inquiring persons are processed insofar as this is necessary to answer the contact enquiries and any requested activities.The response to contact enquiries within the framework of contractual or pre-contractual relationships is made in order to fulfil our contractual obligations or to respond to (pre)contractual enquiries and otherwise on the basis of the legitimate interests in responding to the enquiries.Erasure of data
The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose).If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.Further information on the erasure of personal data can also be found in the individual data protection notices of this privacy policy.Changes and Updates to the Privacy Policy
We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.Rights of Data Subjects
As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:Terminology and Definitions
This section provides an overview of the terms used in this privacy policy. Many of the terms are drawn from the law and defined mainly in Article 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended above all for the purpose of comprehension. The terms are sorted alphabetically.