1. Introduction
Below we provide information about the processing of personal data when using
- our website coachbrio.com
- our profiles on social media platforms.
Personal data is any data that can be related to a specific natural person, e.g. their name or IP address.
This Privacy Policy applies exclusively to our website coachbrio.com. The processing of personal data within the scope of our SaaS product Brio is governed by individual Data Processing Agreements (DPAs) which we conclude with our customers. Information on our subprocessors as well as on technical and organisational measures is made available to our customers, upon request, through our Trust Center.
1.1. Contact Details
The controller pursuant to Art. 4(7) of the EU General Data Protection Regulation (GDPR) is Cuinti GmbH, Schlossstraße 24, 52066 Aachen, Germany, e-mail: hello@coachbrio.com. We are legally represented by Allegro Piero Sprute and Jan Jérôme Bau.
Our Data Protection Officer can be reached via heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany, www.heydata.eu, e-mail: datenschutz@heydata.eu.
1.2. Scope of Data Processing, Purposes of Processing, and Legal Bases
The scope of data processing, the purposes of processing, and the legal bases are described in detail below. The following legal bases generally apply to data processing:
- Art. 6(1) sentence 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.
- Art. 6(1) sentence 1 lit. b GDPR is the legal basis where the processing of personal data is necessary for the performance of a contract, e.g. when a website visitor purchases a product from us or where we provide a service to them. This legal basis also applies to processing required for pre-contractual measures, such as enquiries about our products or services.
- Art. 6(1) sentence 1 lit. c GDPR applies where we are subject to a legal obligation requiring the processing of personal data, as may be the case under tax law, for example.
- Art. 6(1) sentence 1 lit. f GDPR serves as the legal basis where we can rely on legitimate interests for the processing of personal data, e.g. for cookies that are necessary for the technical operation of our website.
1.3. Data Processing Outside the EEA
Insofar as we transfer data to processors or other third parties outside the EEA, adequacy decisions of the EU Commission pursuant to Art. 45(3) GDPR guarantee the security of the data during transfer, where such decisions exist, as is the case, for example, for the United Kingdom, Canada and Israel.
For data transfers to processors in the USA, the legal basis for the transfer is an adequacy decision of the EU Commission, provided that the processor is additionally certified under the EU-US Data Privacy Framework.
In other cases (e.g. where no adequacy decision exists), the legal basis for the data transfer is generally — unless we provide an indication to the contrary — Standard Contractual Clauses. These are a set of rules adopted by the EU Commission and form part of the contract with the respective third party. Pursuant to Art. 46(2) lit. b GDPR, they ensure the security of the data transfer. Many providers have given contractual guarantees beyond the Standard Contractual Clauses that protect the data over and above the Standard Contractual Clauses. These include, for example, guarantees regarding the encryption of data or regarding an obligation of the third party to notify data subjects if law enforcement authorities seek access to the data.
1.4. Storage Period
Unless expressly stated otherwise within this Privacy Policy, the data we store is deleted as soon as it is no longer required for its intended purpose, provided no statutory retention obligations conflict with deletion. Where data is not deleted because it is required for other and legally permissible purposes, its processing is restricted, i.e. the data is blocked and not processed for any other purposes. This applies, for example, to data we are required to retain for commercial or tax law reasons.
1.5. Rights of Data Subjects
Data subjects have the following rights against us in respect of the personal data relating to them:
- Right of access,
- Right to rectification or erasure,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability,
- Right to withdraw consent at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. Contact details of the German data protection supervisory authorities can be found at bfdi.bund.de.
1.6. Obligation to Provide Data
Within the framework of a business relationship or other relationship, customers, prospective customers or third parties are only required to provide us with such personal data as is necessary for the establishment, performance and termination of the business or other relationship, or which we are required to collect by law. Without this data, we will generally not be able to enter into a contract or provide a service, or continue to perform an existing contract or other relationship.
Mandatory information is marked as such.
1.7. No Automated Decision-Making in Individual Cases
We generally do not use fully automated decision-making within the meaning of Article 22 GDPR for the establishment and performance of a business or other relationship. Should we use such procedures in individual cases, we will provide separate information about this where required by law.
1.8. Contacting Us
When you contact us, e.g. by e-mail or telephone, the data you provide (e.g. name and e-mail address) is stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6(1) sentence 1 lit. f GDPR) in answering enquiries directed to us. We delete the data arising in this context once storage is no longer necessary, or restrict the processing if statutory retention obligations exist.
1.9. Customer Surveys
From time to time, we conduct customer surveys in order to better understand our customers and their needs. In doing so, we collect the data requested in each case. It is our legitimate interest to better understand our customers and their needs, so the legal basis for the associated data processing is Art. 6(1) sentence 1 lit. f GDPR. We delete the data once the results of the surveys have been evaluated.
2. Data Processing on Our Website
2.1. Notice for Website Visitors from Germany
Our website stores information on the terminal equipment of website visitors (e.g. cookies) or accesses information that is already stored on the terminal equipment (e.g. IP addresses). Specific details of this information can be found in the following sections.
This storage and access takes place on the basis of the following provisions:
- Insofar as such storage or access is strictly necessary for us to provide the service expressly requested by website visitors (e.g. to ensure the IT security of our website), this is carried out on the basis of Section 25(2) no. 2 of the German Telecommunications and Digital Services Data Protection Act (TDDDG).
- Otherwise, such storage or access takes place on the basis of consent of the website visitors (Section 25(1) TDDDG).
The downstream data processing takes place in accordance with the following sections and on the basis of the provisions of the GDPR.
2.2. Informational Use of the Website
When using the website for informational purposes only, i.e. when website visitors do not separately transmit information to us, we collect the personal data which the browser transmits to our server in order to ensure the stability and security of our website. This is our legitimate interest, so the legal basis is Art. 6(1) sentence 1 lit. f GDPR.
This data comprises:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Volume of data transferred in each case
- Website from which the request originates
- Browser
- Operating system and its interface
- Language and version of the browser software.
This data is also stored in log files. It is deleted when its storage is no longer necessary, at the latest after 14 days.
2.3. Web Hosting and Provision of the Website
Our website is hosted by Namecheap. The provider is Namecheap, Inc., 4600 East Washington Street, Suite 300, Phoenix, AZ 85034, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication or contact data, in the USA. Further information can be found in the provider's privacy policy at namecheap.com/legal/general/privacy-policy.
It is our legitimate interest to provide a website, so the legal basis for the data processing described is Art. 6(1) sentence 1 lit. f GDPR.
The legal basis for the transfer to a country outside the EEA is the Standard Contractual Clauses pursuant to Art. 46(2) lit. c GDPR, which we have agreed with the provider. The security of the data transferred to the third country is ensured by standard data protection clauses adopted in accordance with the procedure under Art. 93(2) GDPR.
2.4. Job Postings
We publish job vacancies in our company on our website, on websites linked to our website, or on websites of third parties.
The processing of the data provided in the application takes place for the purpose of carrying out the application procedure. Insofar as such data is required for our decision to establish an employment relationship, the legal basis is Art. 88(1) GDPR in conjunction with Section 26(1) of the German Federal Data Protection Act (BDSG). Data required for carrying out the application procedure is marked as such or indicated to applicants accordingly. If applicants do not provide this data, we will not be able to process the application.
Other data is voluntary and not required for an application. If applicants provide further information, the basis is their consent (Art. 6(1) sentence 1 lit. a GDPR).
We ask applicants to refrain from providing information about political opinions, religious beliefs and similarly sensitive data in their CV and cover letter. Such information is not required for an application. If applicants nevertheless provide such information, we cannot prevent its processing in the course of processing the CV or cover letter. Its processing is then also based on the applicants' consent (Art. 9(2) lit. a GDPR).
We also process applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Art. 6(1) sentence 1 lit. a GDPR.
We pass on applicants' data to the responsible employees in the HR department, to our processors in the area of recruiting, and to the other employees involved in the application procedure.
If we enter into an employment relationship with the applicant following the application procedure, we delete the data only after the end of the employment relationship. Otherwise, we delete the data no later than six months after rejection of an applicant. If applicants have given us their consent to use their data for further application procedures, we delete their data one year after receipt of the application.
2.5. Appointment Booking
Website visitors can book appointments with us via our website. For this purpose, in addition to the data entered, we process meta or communication data. We have a legitimate interest in offering prospective clients a user-friendly way to schedule appointments. The legal basis for the data processing is therefore Art. 6(1) sentence 1 lit. f GDPR. For the scheduling, we use a third-party tool; details are provided under "Third-Party Providers".
2.6. Third-Party Providers
2.6.1. Cal.eu
We use Cal.eu for appointment booking. The provider is Cal.com, Inc., 2261 Market Street #4382, San Francisco, CA 94114, USA. The provider processes content data (e.g. entries in booking forms such as name, e-mail address, appointment request) and meta/communication data (e.g. device information, IP addresses) exclusively on servers located within the European Union (Cal.eu EU data residency).
The legal basis for the processing is Art. 6(1) sentence 1 lit. f GDPR. We have a legitimate interest in offering prospective clients a user-friendly way to schedule appointments.
Insofar as personal data may be transferred to the USA in the course of maintenance or support activities, the legal basis is the Standard Contractual Clauses pursuant to Art. 46(2) lit. c GDPR, which we have agreed with the provider.
The data is deleted when the purpose of its collection no longer applies and no retention obligations exist. Further information can be found in the provider's privacy policy at cal.com/privacy.
2.6.2. Google Analytics
We use Google Analytics for analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is Art. 6(1) sentence 1 lit. a GDPR. The processing takes place on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our Privacy Policy. The withdrawal does not affect the lawfulness of the processing up to the point of withdrawal.
The legal basis for the transfer to a country outside the EEA is the Standard Contractual Clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is ensured by standard data protection clauses adopted in accordance with the procedure under Art. 93(2) GDPR (Art. 46(2) lit. c GDPR), which we have agreed with the provider.
The data is deleted when the purpose of its collection no longer applies and no retention obligations exist. Further information can be found in the provider's privacy policy at policies.google.com/privacy.
2.6.3. heyData
We have embedded a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g. IP addresses) in the EU.
The legal basis for the processing is Art. 6(1) sentence 1 lit. f GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with active contracts use its seals, which is why a mere image copy of the certificate is not a viable alternative for the confirmation.
The data is masked after collection so that no personal reference remains. Further information can be found in the provider's privacy policy at heydata.eu/datenschutzerklaerung.
3. Data Processing on Social Media Platforms
We are present on social media networks in order to introduce our organisation and our services there. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles from their online behaviour, which are used, for example, to display advertising on the network's websites and elsewhere on the internet that corresponds to the users' interests. To this end, the operators of the networks store information about user behaviour in cookies on the users' devices.
It is also not possible to rule out that the operators combine this information with other data. Further information and instructions on how users can object to processing by the network operators can be found in the privacy policies of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries, with the result that they process data there. This may give rise to risks for users, e.g. because the enforcement of their rights is made more difficult or government authorities may access the data.
When users of these networks contact us via our profiles, we process the data provided to us in order to respond to enquiries. This is our legitimate interest, so the legal basis is Art. 6(1) sentence 1 lit. f GDPR.
3.1. LinkedIn
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy can be accessed here: linkedin.com/legal/privacy-policy.
A way to object to data processing is available via the advertising settings: linkedin.com/psettings/guest-controls/retargeting-opt-out.
4. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy with effect for the future. The current version is available here at any given time.
5. Questions and Comments
For questions or comments regarding this Privacy Policy, please contact us using the contact details provided above.