Effective May 25, 2018

Privacy policy

This privacy policy clarifies what personal data we process, how it is processed and why it is processed. Furthermore, persons whose personal data is being processed by us are informed about their legal rights.

Data protection in the European Union

This website is run from within the European Union. Your personal data is therefore protected by the General Data Protection Regulation (GDPR). Art. 4 defines several terms used in this privacy policy, such as personal data, processing, controller, processor, third party, consent, personal data breach and supervisory authority.

We refers to the controller within the meaning of Art. 4 (7) GDPR.

Tunaut refers to the website served under the domain tunaut.de.

Visitors are persons who visit Tunaut.

Users are persons who created a Tunaut account.

You refers to you as a visitor or user of Tunaut.

What personal data is processed, when and why

Visiting Tunaut

Request data

Personal data may be stored when a web page is requested and served. This includes date, time, type, result, amount of transferred data, web address, user agent (system information as reported by your web browser), referrer (web address of the referring web page) and IP address (network address assigned to your device) of the request.

Usage

• To protect Tunaut from abuse and fraud.

Deletion

• After six weeks unless data is still required in an ongoing investigation.

Legal basis

• Legitimate interests, Art. 6 (1) f) GDPR.

Requesting to be notified when you can create a Tunaut account

Email address

Usage

• To notify you when you can create a Tunaut account.

Deletion

• 90 days after being notified or when you request deletion.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Creating a Tunaut account

Email address

Usage

• Sign in to Tunaut.
• Request resetting your password.
• Receive required emails, such as updates to the terms of service or privacy policy.
• Receive optional emails, such as a reminder of your current Tunaut tasks if you have been inactive for some time.

Deletion

• When you delete your Tunaut account.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Regional settings and languages

Usage

• To show you Tunaut and send you emails in your chosen language.
• To show you experiences by other Tunaut users that are written in languages you speak.

Deletion

• When you delete your Tunaut account.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Time of your last successful login

Usage

• To protect your account from abuse.

Deletion

• When you delete your Tunaut account.

Legal basis

• Legitimate interests, Art. 6 (1) f) GDPR.

Time of your last visit

Usage

• To send you optional emails with your current Tunaut tasks if you have been inactive for some time.

Deletion

• When you delete your Tunaut account.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Executing Tunaut tasks

Feedback you provide about your tasks

This feedback includes, for example, how comfortable and challenging you found a task to be for you.

Usage

• To create a personality analysis that provides you insights into your personality.
• To select tasks for you that are beneficial to your personality.

Deletion

• When you delete your Tunaut account, all data about your tasks and your personality is anonymized and can no longer be linked to your person.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

An optional account of your experience doing a task

Usage

• Anonymously sharing your experience with other Tunaut users.

Deletion

• You can delete any of your written experiences by yourself using the website.
• When you request deletion of all your written experiences.
• When you delete your Tunaut account, your written experiences are anonymized and can no longer be linked to your person.
• Your written experiences may be deleted in certain cases, such as when it is considered spam, not on topic or in violation of German law.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

An optional comment about a task

Usage

• Allows you to provide feedback about a task. Your comment can only be read by us.

Deletion

• When you request deletion of your comment.
• When you delete your Tunaut account, your comments are anonymized and can no longer be linked to your person.
• Your comments may be deleted in certain cases, such as when it is considered spam, not on topic or in violation of German law.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

IP address when submitting experiences or comments

Usage

• In case the content of your written experience or comment is in violation of German law, we can be prosecuted. Storing your IP address to help identifying you is therefore in our interest.

Deletion

• After 30 days.

Legal basis

• Legitimate interests, Art. 6 (1) f) GDPR.

Buying a Tunaut subscription

Name, address, contract and payment details

Usage

• Required for billing and subscription fulfillment.

Deletion

• When the legal obligation to preserve business records ends.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.
• Legal obligation, Art. 6 (1) c) GDPR.

Contacting us

Personal data you provide when contacting us

This may include personal data such as your email address and the content of your email.

Usage

• To process your inquiry.

Deletion

• When the legal obligation to preserve business records ends.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Cookies

When a web page is requested and served, Tunaut may store small, encrypted files on your computer (so-called cookies).

Usage

• To store your regional settings. This allows showing you Tunaut in your language and using appropriate date formats, for example.
• To identify you while you are signed in to your Tunaut account.

Deletion

• When you sign out, the identifying information is removed from the cookie.
• When you clear cookies in your browser.
• Common web browsers delete expired cookies.

Legal basis

• Performance of a contract, Art. 6 (1) b) GDPR.

Third party data processors

We use third party services that may process your personal data for us in accordance with Art. 6 (1) f) GDPR. Data Processing Agreements have been entered with each party (Art. 28 GDPR). The following services may be provided by third parties:

• Web hosting to operate the Tunaut website. This includes related tasks, such as data backups. Web hosts will process any personal data the Tunaut website collects.
• Email hosting to operate our email accounts. Email hosts may process personal data, such as your name or email address.
• Payment processing to conduct transactions between you and us. To make transactions using a payment processor, you must agree to its terms of service and privacy policy, which will be accessible during checkout. Payment processors will process the required personal data to fulfill the transaction, such as your name, address and payment details. Which data is processed depends on the chosen payment method and may include, for example, bank account numbers, credit card numbers, passwords or TANs. Payment processors will not share sensitive payment information with us, such as your bank account details or credit card information. After your subscription ended, we will initiate the removal of your payment method by the payment processor. A longer, possibly legally obligated retention of this data is possible.

Our current payment processor is Stripe (privacy policy, Privacy Shield Framework).

Your rights regarding your personal data

• Right to withdraw consent to processing your personal data (Art. 7 (3) GDPR).
• Right of access, which includes requesting confirmation whether your personal data is being processed and information about how it is being processed as well as requesting a copy of your personal data (Art. 15 GDPR).
• Right to rectification of your personal data (Art. 16 GDPR).
• Right to erasure of your personal data (Art. 17 GDPR). Personal data that is no longer necessary for the purpose it was collected for is deleted unless legal obligations for retention apply.
• Right to restriction of processing of your personal data (Art. 18 GDPR).
• Right to data portability, which includes receiving your personal data and its transfer to another controller (Art. 20 GDPR).
• Right to object to processing of your personal data (Art. 21 GDPR).
• Right to lodge a complaint with a supervisory authority if you consider the processing of your personal data infringes the GDPR (Art. 77 GDPR).

Impact assessment of behavioral data

The required personal data you provide when completing Tunaut tasks, that is how comfortable or challenging they were for you, may indicate certain characteristics of your personality and behavior. This data is based on your subjective evaluation and does not give an objective or standardized assessment. The data may allow to draw certain conclusions, such as whether you are more comfortable with extroverted or introverted behaviors as presented to you in your personality analysis.

Consequently, we deem this data to present low risks to the rights and freedoms of natural persons within the meaning of Art. 35 GDPR.

Security

In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure adequate security of your personal data. Some of our security measures are:

• Regular security updates of all systems.
• Encryption of all web (HTTPS) and email (TLS) traffic.
• Security measures, such as Content Security Policies, cross-origin resource sharing and HTTP Strict Transport Security.
• Login details (e.g. for web or email hosting) are saved in an encrypted format, secured with a strong password and multi-factor authentication is used if possible.
• Passwordless login to all servers.
• Usage of firewalls on all systems.
• Creation of multiple, encrypted data backups, which are stored at different locations.
• Not storing users’ passwords (only salted hashes are stored).
• Keeping up to date with developments in website and server security.

Data breach notification

In case of unauthorized access to or processing of your personal data, we will inform you about the incident and, if possible, which data of yours is affected. Furthermore, we will notify the supervisory authority if required according to Art. 33 GDPR.

Contact information

Markus Weimar
Weiherxgarten 16
72x147 Nexhren
Germany
+49 74573 91599961
mailx@xtunaut.de