Privacy Policy
As of: May 31, 2023
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Table of Contents
- Preamble
- Person responsible
- Overview of processing
- Relevant legal bases
- Security measures
- Transmission of personal data
- Deletion of data
- Business services
- Providers and services used in the course of business activities
- Payment methods
- Contact and inquiry management
- Application process
- Newsletters and electronic notifications
- Advertising communication via email, post, fax or telephone
- Web analysis, monitoring and optimization
- Customer reviews and rating processes
- Plugins and embedded functions and content
- Changes and updates to the privacy policy
Person Responsible
VELLAP Diagnostics GmbH
Industriestraße 8
99427 Weimar
Email address: info@vellap.de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed:
Inventory data, Payment details, Location data, Contact details, Content data, Contract data, Usage data, Meta, communication and procedural data, Applicant data.
Categories of data subjects:
Customers, Employees, Interested parties, Communication partners, Users, Applicants, Members, Business and contractual partners.
Purposes of processing:
Provision of contractual services and customer service, Contact requests and communication, Security measures, Direct marketing, Reach measurement, Tracking, Office and organizational procedures, Conversion measurement, Managing and responding to inquiries, Application process, Feedback, Marketing, Profiles with user-related information, Provision of our online offering and user-friendliness.
Relevant Legal Bases
Below you will find an overview of the GDPR legal bases on which we process personal data. Please note that in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
- Consent (Article 6 (1) (a) GDPR): The data subject has given his or her consent to the processing of personal data concerning him or her for a specific purpose or several specific purposes.
- Contractual performance and pre-contractual inquiries (Article 6 (1) (b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject.
- Legal obligation (Article 6 (1) (c) GDPR): Processing is necessary to fulfill a legal obligation to which the controller is subject.
- Legitimate interests (Article 6 (1) (f) GDPR): Processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail.
- Application procedure as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR): Special provisions apply for the processing of special categories of personal data (Art. 9 GDPR) within the application process, including those for employment law, social security, and vital interests, or consent.
- National Data Protection Regulations in Germany: In addition to the GDPR, the Federal Data Protection Act (**BDSG**) and state data protection laws apply, including special provisions on the right to information, deletion, objection, and data processing for employment relationships (Section 26 BDSG).
Security Measures
In accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the **confidentiality, integrity, and availability of data** by controlling physical and electronic access, and by establishing procedures for exercising data subjects' rights, deletion of data, and responses to data threats. We implement data protection by design and by default.
Transmission of Personal Data
Data may be transmitted to other bodies, companies, legally independent organizational units, or individuals, such as service providers commissioned with IT tasks or content providers. We comply with legal requirements and conclude appropriate contracts or agreements to protect your data.
Data transfer within the organization: We may transfer personal data to other departments for administrative purposes, based on our legitimate business and operational interests, to fulfill contractual obligations, or if permitted by law.
Deletion of Data
Data will be deleted in accordance with legal requirements as soon as consent is revoked or other permissions no longer apply (e.g. purpose of processing ceases). If data is required for other legally permissible purposes (e.g., commercial or tax law retention), its processing will be **limited** (data is blocked and not processed for other purposes).
Business Services
We process data of our contractual and business partners (e.g. customers and interested parties) for fulfilling contractual obligations, including service provision, updates, and warranty. We also process data for administrative tasks, company organization, and security measures against misuse.
- Retention period: Generally after statutory warranty and similar obligations expire (e.g., **four years**), or **ten years** for tax-relevant documents, and **six years** for received commercial letters.
- Legal basis: Contractual performance (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing procedures, methods and services:
Customer account:
We process data required for registration, subsequent logins, and use of the customer account. IP addresses along with access times are stored to verify registration and prevent misuse. Upon termination, customer account data is deleted, unless required for legal reasons (e.g. invoices). Customers are responsible for securing their data upon termination; legal basis: Contractual performance (Art. 6 (1) (b) GDPR).
Economic analyses and market research:
We analyze available data on business transactions, contracts, and inquiries to identify market trends and wishes. The analyses are carried out for business evaluations, marketing, and market research, using pseudonymized or anonymized data where possible; legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Shop and e-commerce:
We process customer data for product selection, purchase, payment, and delivery/execution. We use service providers (e.g., shipping companies, banks, payment service providers) to fulfill orders. Required information is marked as such in the order process; legal basis: Contractual performance (Art. 6 (1) (b) GDPR).
Providers and Services Used in the Course of Business Activities
We use additional third-party services (e.g., platforms, interfaces) based on our legitimate interest in the proper, lawful, and economical management of our business operations.
DATEV:
Software for accounting, communication with tax advisors and authorities, and document storage.
Service provider: **DATEV eG**, Paumgartnerstr. 6-14, 90429 Nuremberg, Germany.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Privacy policy.
Lexware:
Software for invoicing, accounting, banking, and tax filing with receipt storage.
Service provider: **Haufe Service Center GmbH**, Munzinger Straße 9, 79111 Freiburg, Germany.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Privacy policy.
**WaWi program DEVIDIA**
Payment Methods
We use payment service providers (e.g., banks, credit institutions) for efficient and secure payment options. The data processed includes inventory data, bank details, passwords, and transaction information. We only receive confirmation or rejection of payment, not account details. Payment transactions are subject to the respective provider's terms and conditions and privacy policy.
PayPal:
Payment services (technical connection of online payment methods) (e.g. PayPal, PayPal Plus, Braintree).
Service provider: **PayPal (Europe) S.à r.l. et Cie, S.C.A.**, 22-24 Boulevard Royal, L-2449 Luxembourg.
Legal basis: Contractual performance (Art. 6 (1) (b) GDPR). Privacy policy.
Contact and Inquiry Management
When you contact us (e.g. by post, contact form, email, telephone), the information provided will be processed to answer the inquiries and any requested measures.
- Types of data: Contact data, content data, usage data, meta, communication, and procedural data.
- Purposes: Contact requests and communication, administration and response to requests, feedback, provision of online services.
- Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR), Contractual performance (Art. 6 (1) (b) GDPR).
Application Process
Applicants must provide necessary information (name, address, qualifications) for assessment and selection. Applications can be submitted via online form (using state-of-the-art encryption) or email (note: generally unencrypted during transit).
Processing of special categories of data:
Special categories of personal data (Art. 9 (1) GDPR, e.g., health data) are processed in accordance with legal rights arising from employment and social security law, or based on voluntary consent.
Deletion of data:
Data of unsuccessful applicants is deleted no later than **six months** after the job offer, subject to justified revocation. Successful applicants' data is retained for the employment relationship. Invoices for travel expenses are archived according to tax law.
Inclusion in an applicant pool:
Inclusion is based on **voluntary consent** and data is stored for **6 months**.
Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).
Newsletters and Electronic Notifications
We send newsletters only with the recipient's **consent** or legal permission, containing information about our services, promotions, and offers.
Double opt-in process:
Registration requires confirmation via email to prevent misuse. Registration and confirmation times, as well as the IP address, are logged for evidence.
Deletion and restriction of processing:
Unsubscribed email addresses may be stored for up to **three years** to prove previously given consent, with processing limited to the defense against claims. A block list is used to permanently respect objections.
Legal basis: Consent (Art. 6 (1) (a) GDPR).
Advertising Communication via Email, Post, Fax or Telephone
We process personal data for advertising communication in accordance with legal requirements. Recipients can **revoke consent** or **object** at any time. Data required to prove authorization or to permanently respect the objection is stored for up to **three years**.
Legal basis: Consent (Art. 6 (1) (a) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).
Web Analysis, Monitoring and Optimization
Web analytics (reach measurement) is used to evaluate visitor traffic, behavior, and interests to optimize our online offering. This may involve A/B testing and the creation of pseudonymized usage profiles. IP addresses are stored using an **IP masking process** to protect users. Generally, no real user data is stored for these purposes; instead, pseudonyms are used.
Customer Reviews and Rating Processes
Plugins and Embedded Functions and Content
Changes and Updates to the Privacy Policy