- Personal data
- Name and contact details of the controller and the data protection officer
- Responsible supervisory authority
- Purpose and legal basis for data processing
- Storage duration
- Recipients or categories of recipients
- Transfer to foreign countries
- Rights of the data subject
- Data security
Brabbler Secure Message and Data Exchange Aktiengesellschaft (hereinafter Brabbler AG) appreciates your interest in ginlo Business. We take your privacy seriously and have developed internal systems to ensure the privacy of your personal data during all stages of processing related to our business operations, including visits to our internet pages and the use of our services.
This document details which data we at Brabbler AG collect during your visit to the ginlo Business website and when you use the ginlo Business app, and how such data is used.
2. Personal data
'Personal data' means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes information such as proper names, address, telephone numbers and date of birth. Information that cannot be directly associated with a real identity — such as the total number of users of a site — is not considered personal data.
3. Name and contact details of the controller and the data protection officer
This data privacy notice applies to data processing at
Brabbler Secure Message and Data Exchange Aktiengesellschaft
Phone: +49 89 95 45 94 7-0
Please contact our data protection officer with any questions related to the processing of your personal data. The data protection officer is available to assist you with requests for information, comments or complaints.
Brabbler Secure Message and Data Exchange Aktiengesellschaft
- Data Protection Officer -
4. Responsible supervisory authority
Data Protection Authority of Bavaria for the Private Sector (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA)
For more information, please refer to: https://www.lda.bayern.de/en/contact.html
You may also lodge a complaint with any other supervisory authority within the EU.
5. Purpose and legal basis for data processing
5.1 Visit of the website
Brabbler AG is obligated to protect the privacy of the users of our website. When you visit our websites, a certain amount of data must necessarily be collected and stored for connection, configuration, and security purposes. Accordingly, our web servers always temporarily store: the connection data of the computer connecting to our website; a list of which of our web pages you visit; the date and duration of your visit; the IP address of your device; identification data related to the browser and operating system you are using to visit us; and the website from which you were referred to our website. Beyond this, no personal data such as your name, address, telephone number or e-mail address is collected unless offered on a voluntary basis, such as to register for the website, to participate in a survey or prize sweepstakes or as required to perform a contract or informational query.
The legal basis for the processing of the aforementioned data categories is Art. 6 Paragraph 1(f) rev GDPR. For these reasons, and in particular to ensure safe and seamless connection, we have a legitimate interest in the processing of such data.
5.2 Use of ginlo Business
To provide ginlo Business for your use, certain pieces of your personal data are required. This data is required to perform the contract regarding the use of ginlo Business. The legal basis for the processing of the aforementioned data categories is Art. 6 Paragraph 1(b) rev GDPR, as it is related to the performance of a contract into which you have entered. The following sections provide additional information on this.
ginlo Business is an internet-based, platform-independent service for secure exchange of messages between users of mobile devices and desktop PCs. In this context, the following definitions shall apply:
- App Messenger: Messenger based on mobile apps for use of ginlo Business on smartphones.
- Messenger: Application for communication via ginlo Business as an app messenger or web messenger.
- Web Messenger: Messenger based on web browsers for use of ginlo Business on a desktop and tablet.
5.2.2 Collection and processing of data during registration
To register for a ginlo Business user account, the Messenger records the mobile phone number and/or email address and, where desired, profile name and profile image of the user. Beyond this, ginlo Business can optionally use the email directory feature. For this function, the user provides their first and last name and a business e-mail address. An activation code is then sent by e-mail to the provided address. The mobile phone number or e-mail address is then stored in hashed form on the ginlo server.
For the public address book, the domain part of the e-mail address is hashed with a specific value. This ensures that all users from the same domain will be visible to one another based on that domain hash. As the domain is the sole part shared among users, the domain is formed using an algorithm built around an AES key. This AES key is used to encrypt the user data (first and last name, e-mail address). Based on the shared domain, a directory containing users' first and last names is then created in verified Messenger apps.
You can also use ginlo Business without allowing access to your contacts. If you register with ginlo Business and explicitly approve access to the phone book contacts on your smartphone, these are then sent to the server for a hashed comparison and then deleted. Contacts who have saved your number in their telephone book and who are also using ginlo or ginlo Business are then informed about your registration when they search for other users.
5.2.3 Collection and processing of data during use of Messenger
ginlo Business stores your login data (profile name, mobile phone number, and/or e-mail address and password) locally in your Messenger app so that you can remain permanently connected. Your communications data is also stored locally in encrypted form within the messenger. Our servers, which are all based in Germany, solely receive your mobile phone number and/or e-mail address, your profile photo, and your profile name.
Messages are end-to-end encrypted and are only stored temporarily on our servers. All messages are deleted from the server after 90 days. Messages available on the server during that 90-day window are synchronized between multiple devices logged in with the same ginlo Business user account so that those messages can be accessed on any devices the account holder uses. User accounts and all related data can be completely deleted from our servers by the user from within the profile settings.
5.2.4 Importance and use of the password
When creating a ginlo Business user account, an RSA key pair is generated on your device. The private key is encrypted based on the device password you select and can only be decrypted using that same device password. In addition, the user can select to create a "recovery code" when first creating the key pair. This code is then stored to the device in encrypted form. No one – including Brabbler AG – knows your private key other than you.
If you forget your device password and have activated the relevant function in Messenger, then you can have the "Recovery Code" sent from your device via a separate, previously defined secure communication channel. Once received, the code can be used to unlock the application and assign a new device password. The recovery code is calculated using a secure process and is only issued by your device when you specifically request it. If you did not activate the relevant function in your app's settings, then your current app profile can no longer be used and any stored messages are no longer accessible. As such, your ginlo Business password is highly important. Even if you allow the app to remain logged in permanently, you must always know your password in case you need to delete your profile or make changes to the password settings.
5.2.5 Collection and processing of data in the Management Cockpit
To order Business licenses using the website, the following business customer information is required for billing purposes: name, street, house number, postal code, city, country and VAT ID. The Management Cockpit is a web application protected for security reasons (2-factor authentication) with a personal browser certificate and a password login.
Certain additional information is required to issue a certificate for the administrator. This includes: last name, first name, e-mail address (login), mobile number (SMS verification), domain name (address directory) and finally the client certificate. The aforementioned data are stored in unencrypted form in the Management Cockpit. The administrator can also update individual pieces of data (such as the address) and order new licenses.
The application server has access to the corporate data in the ginlo database, as this is needed to provide the web application for the Management Cockpit. The ginlo database contains the name of the company and the hashed domain. In addition to the licenses, credit codes are anonymously assigned to the Management Cockpit. For more efficient management, the administrator can analyze anonymized data about the users and messages in individual chats, group chats, or distribution channels via the Management Cockpit dashboard. It is the responsibility of the administrator to define groups of a sufficient size (at least 7 users) to ensure compliance with the data protection laws by preventing the behavior of any individual user from being identifiable.
5.2.6 Collection and processing of data for quality assurance purposes
6. Storage duration
Your personal data is deleted or locked as soon as the purpose of storage is no longer applicable. Storage may also be extended to meet legal storage requirements. Locking or deletion of the data then occurs once the legally specified storage period has expired, unless further storage of the data is required to conclude or perform a contract.
7. Recipients or categories of recipients
Brabbler AG does not and will not forward your personal data to third parties, except where required by law, or to fulfill a contractual requirement, or where you have expressly given your consent for it to do so.
External service providers processing the data on our behalf have offered sufficient guarantees that they are working with suitable technical and organizational measures to process the data in compliance with the requirements of the EU General Data Protection Regulation. As per Art. 28 GDPR, they are obligated to strict confidentiality. In this case, Brabbler AG remains responsible for the protection of your personal data. The external service providers process personal data only upon documented instruction to do so by Brabbler AG.
8. Transfer to foreign countries
Transfer to foreign countries means that data is forwarded to a state outside the European Economic Area (EEA), or access from within such a state is allowed. Your ginlo Business-related data will never be processed in such a foreign country.
9. Rights of the data subject
You as data subject have the following rights:
- to receive information about your data that we have stored,
- to obtain rectification if inaccurate data is stored about you,
- to obtain deletion or – where storage obligations exist – limitation of processing to only that specific data necessary for the denoted purpose,
- to receive data that you have provided in a structured format that is current and can be read electronically,
- to revoke consent if the processing of your data affects a justified interest / against the use of data for advertising purposes / against a decision based solely on automated processing, including profiling,
- to lodge a complaint with the responsible supervisory authority if you have any doubts that the processing of your data is in compliance with data protection law.
Should you wish to enforce your rights, please contact the following office: by postal mail at Brabbler Secure Message and Data Exchange Aktiengesellschaft, Ria-Burkei-Straße 26, 81249 München/Germany or by e-mail to firstname.lastname@example.org. Insofar as you provided consent for a specific type of processing, you can revoke this at any time at the address provided to you at the time of consent.
10. Data security
Brabbler AG uses all necessary technical and organizational security measures to protect your personal data against loss and misuse. For example, your data is stored in a secure environment that is not accessible to the public. In some cases, your personal data is encrypted during transmission using Secure Sockets Layer (SSL) technology. This means that communication between your computer and Brabbler AG servers is handled using an accredited encryption process, presuming your browser supports SSL. The content of email messages can be intercepted and read by third parties. We therefore recommend that you send us any confidential information solely via postal mail.
Brabbler AG reserves the right to change its data privacy statement at any time and without prior warning. Please visit regularly to inform yourself about any changes. This declaration was last updated in June 2019.