Personal data are individual information about personal or factual circumstances of a certain or determinable natural person. This includes information such as name, address, telephone number and date of birth.
Please note that, while using Microsoft Teams, personal information will also be processed by Microsoft. We have neither influence over nor responsibility for this data processing. Further information on how Microsoft may process your data is available under: https://www.microsoft.com/en-us/trust-center/privacy.
1. Who is responsible for data processing in the app?
Address: Lärchenweg 13, 40669 Erkrath, Germany
2. To what end and on what basis do we process your data?
2.1 Providing the app and its services
Kudozza can be installed for your team and all users in this team. If you do not actively use Kudozza, for example by not giving or receiving “kudos” or otherwise providing personal information about yourself, we do not store and/or use any personal information except for the information that your browser, Microsoft Teams or Kudozza submit or that we receive from these applications to enable you to use the app.
For the purpose of technical provision of the app, information is collected by our IT systems when the app is used. The collection and storage of this data in server log files takes place automatically when you start/use Kudozza. The following information is processed:
- Browser type and browser version;
- Operating system used;
- Time of the server request;
- IP address;
- Browser language (e.g. German).
The following information about a team owner installing Kudozza is processed:
- Tenant ID of the organisation,
- Team ID and team name,
- ID and name of the user who installed Kudozza into the team.
Kudozza automatically receives data/notifications from Microsoft Teams when a user is added to a team, but does not store or otherwise actively use these data/notifications; they are therefore deleted immediately after receipt.
This data is not combined with other data sources. Furthermore, this data is used to optimize Kudozza (e. g. for correcting errors and troubleshooting) and to ensure the security of our information technology systems (e.g. attack detection).
We process your personal data for the technical provision of Kudozza on the following legal basis:
- To protect our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, in order to make the app technically available to you, to optimize it and to ensure the security of the app, its IT systems and the data processed.
2.2 Active use of the app
Besides the non-active use of Kudozza, you can also use it actively, for example to use the Kudos system via Microsoft Teams or to make a request or get in contact. In addition to the processing of your personal data for purely informational purposes and providing the app itself, we may also process other personal data about you that we need to process for your request and/or your use of the “Kudos” system.
2.2.1 “Kudos” system
We process your data within the app primarily for the purpose of making the Kudos system available, which enables the giving, receiving, collecting and displaying of Kudos as well as reacting to Kudos via the chat of Microsoft Teams. For giving Kudos, it is necessary to either use the kudos message extension or mention the Kudozza bot in a message. Only messages sent this way will be stored in Kudozza. No other messages or chat history will be sent to or stored by Kudozza. The Kudos given and received as well as other information may be aggregated and analyzed to generate reports for the members of a team or organization and/or a ranking of participants and Kudos. Based on this data, the Kudozza bot may proactively support users with practical advice as well as incentives for more interaction. Users may choose to opt-out of the data processing for reports and then will not be included in any report or proactively contacted by the Kudozza bot.
For the provision of our Kudos system to the users, we process the following data:
- Conversation ID (identifier of messages in Teams),
- User IDs and names of the author of the Kudos and all participants,
- Team ID and team name of the team the Kudos were given in,
- Channel ID of the channel the Kudos were given in,
- Tenant ID of the organization,
- Message text (sent directly to the Kudozza bot),
- Kudos given and received,
- Reactions (e.g. emojis, Teams reactions, etc.),
- In case Kudos are given in external systems and Kudozza is configured to match the users via email, the email address is also processed.
In case you use Kudozza via your employer or another organisation, the aforementioned data may be transferred to and processed by the employer or organization for other purposes than mentioned in this section 2.2.1. Please refer to your employer or organization as responsible entity for more information.
It is possible that, in some cases, Kudozza may store cookies on your device to enable authentication via Microsoft Azure AD on websites of Kudozza which are not a direct part of Microsoft Teams. These cookies usually only contain a user ID, name and the tenant ID and are only stored for your web session.
Furthermore, users have the possibility to upload icons for Kudozza, provided they own all necessary intellectual property rights in the icon. In this case, data regarding the image/icon as well as the User ID and User name of the uploading user is processed.
The Kudos system may be used with other systems as well, such as, but not limited to, wiki or code comments, social media platforms, e-mail or normal websites (“external systems”). For this, adapters will be provided by Kudozza. When an adapter is used, additional data of the system in which the Kudos were issued is stored to match the Kudos to the user. This data includes the system and resource location where the Kudos were given and the User ID within the external system.
We process your data for these purposes on the basis of the following legal principles:
- to fulfill the contract with you for the use of Kudozza according to Art. 6 para. 1 lit. b GDPR.
2.2.2 Uploaded images
Uploaded images are stored in a tenant-specific bucket with non-guessable links but without further authentication/authorisation. Every image is therefore publicly accessible. The uploading party must ensure that it does not upload confidential material or material that it does not possess the right to expose publicly.
2.2.3 Statistical Analysis
When you use Kudozza, your usage behavior can be statistically evaluated. This enables us to improve the quality of our app and its content. We learn how the app is used and can thus constantly optimize our offer.
We process your personal data according to the following legal principles:
- With your consent according to Art. 6 para. 1 lit. a GDPR;
- To protect our legitimate interests according to Art. 6 para. 1 lit. f GDPR, our legitimate interest is to analyze the traffic and the usage within our app, to optimize it and to be able to display it uniformly in order to constantly adjust our quality and our marketing and to protect our app from abusive automated spying and from spam.
Will be updated very soon.
2.2.5 Contact form/user requests
If you send us inquiries via contact form or e-mail, your data from your inquiry including the contact data you provided will be stored by us for the purpose of processing the inquiry and in case of follow-up questions.
We process your personal data according to the following legal principles:
- to fulfill the contract of use for our app with you and to carry out pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR, if the questions refer to the (planned) conclusion of such a contract of use for our app;
- in our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, our legitimate interest consists in the proper response to customer inquiries.
2.3 Compliance with legal regulations
We also process your personal data in order to fulfil other legal obligations. These may apply to us in connection with the processing of your order or with business communication. These include in particular retention periods under commercial, trade or tax law.
We process your personal data on the following legal basis:
- to fulfill a legal obligation to which we are subject in accordance with Art. 6 para. 1 lit. c GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.
2.4 Enforcement of claims, law, etc.
We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent that is necessary to defend ourselves against or prosecute criminal actions.
We process your personal data for this purpose on the following legal basis:
- to safeguard our legitimate interests in accordance with Art. 6 sec. 1 lit. f GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal actions.
Our app may contain links to third-party websites or apps (e. g. from users). These websites and apps are subject to their own privacy policies. We are not responsible for their operation, including data handling. If you send information to such third-party sites/apps, you should review their privacy policies before providing them with any personal data.
4. Categories of recipients
Initially, only our employees or members involved in data processing will process your personal data. Your data will then only be passed on to third parties if this is permitted or required by law or if you have given your consent. We also share your data to the extent necessary with the service providers we use to provide our services. We limit the transfer of data to what is necessary to provide our services to you. Some of our service providers receive your data as processors and are then strictly bound by our instructions when handling your data. In some cases, the recipients themselves handle the data that we transfer to them. In the following, we list the categories of recipients of your data:
- IT service providers who, among other things, store data, assist in the administration and maintenance of our systems, and file archivists and shredders;
- payment service providers and banks to collect outstanding payments from accounts or pay out refunds;
- collection agencies and legal advisors in the assertion of our claims,
- public authorities and institutions as far as we are legally obliged to do so.
5. Transfer of data to third countries
As part of our app we may transfer your data to Amazon Web Services (AWS) and/or Microsoft Azure. Although we only use services of AWS located in the EU/the EEA, we cannot rule out that AWS transfers data to countries outside the EU. The latter also applies to our use of Microsoft Azure. In case personal data is transferred outside the EU/the EEA, we will ensure that a level of data protection in accordance with Art. 44 ff. GDPR is observed (e. g. through conclusion of EU Standard Contractual Clauses).
Apart from that, we do not transfer your personal data to countries outside the EU or the EEA or to international organizations.
6. Duration of storage
6.1 Use of the app for information purposes
When using our app for purposes of passive “use” (e. g. only to get to know its functions without using them), we store your personal data on our servers exclusively for the duration of this use/your installation of the app. After you cease using our app and deinstallation, your personal data is deleted within 90 days.
6.2 Active use of the app
The data processed and stored regarding the installation from the Microsoft Appstore is deleted upon deinstallation of Kudozza.
When you actively use Kudozza, we store your personal data for the duration of the use/installation of the app or business relationship with you and to answer your inquiries. This also includes the potential future and actual initiation of a contract (pre-contractual legal relationship) and the processing of a contract. Kudos and related data are deleted 90 days after Kudozza is deinstalled in any team in the respective organization.
In case you use the free version of Kudozza, your Kudos and Users connected with those Kudos will be deleted after one (1) calendar year.
For security reasons and for support requests, the log files for the app are stored for 90 days and then deleted.
In addition, we store your personal data until the expiry of the statute of limitations of any legal claims arising from the relationship with you, in order to use them as evidence if necessary. These periods are usually between 1 and 3 years, but can also be up to 30 years.
When the statute of limitations comes into effect, we will delete your personal data, unless there is a legal obligation to retain it, for example, under the German Commercial Code (§§ 238, 257 para. 4 HGB) or the German Fiscal Code (§ 147 para. 3, 4 AO). These storage obligations can amount to two to ten years.
7. What are your rights regarding your data?
If your personal data is processed, you are a “data subject” in the sense of the GDPR. You are entitled to the following rights against us as the controller:
7.1 Right to access information
You can request information about whether we process your personal data. If this is the case, you have the right to access this personal data and other information related to the processing (Art. 15 GDPR). Please note that this right of information may be restricted or excluded in certain cases.
7.2 Right to rectification
In the event that personal data regarding yourself is not (or no longer) correct or is incomplete, you can request that this data be corrected and, if necessary, completed (Art. 16 GDPR).
7.3 Right to erasure and restriction of processing
If the legal requirements are met, you can request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure in accordance with Art. 17 sec. 1 and 2 GDPR does not exist, among other things, if the processing of personal data is necessary to fulfil a legal obligation (Art. 17 sec. 3 subsect. b GDPR).
7.4 Right to object
For reasons arising from your particular situation, you can also object to the processing of your personal data by us at any time (Art. 21 GDPR). If the legal requirements are met, we will not process your personal data any longer.
7.5 Right to data portability
If the legal requirements of Art. 20 GDPR are met, you are entitled to demand that we provide you with the personal data concerning you that you have provided us with in a structured, common and machine-readable format.
7.6 Withdrawal of consent
In case you have given us your consent to process data, you have the right to withdraw your consent at any time. The withdrawal is only effective for the future, i.e. the lawfulness of the processing carried out on the basis of the consent until the withdrawal is not affected by the withdrawal.
7.7 Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, a data subject (you) has the right to complain to a supervisory authority - in particular in the member state where you are located - if you believe that the processing of your personal data by us is in breach of the GDPR.
The supervisory authority responsible for us is:
- Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
However, we recommend that you always send a complaint to the contact details mentioned in section 1 before you contact the supervisory authority.
Your requests to exercise your rights should, if possible, be addressed in writing to the address given above.
8. Scope of your obligation to provide data
In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to provide you with our app and its functions and will not be able to answer your questions.
9. Profiling / Automatic decision making
We do not carry out profiling and do not use automated individual decision-making procedures in accordance with Article 22 GDPR. If we should use further procedures in individual cases in the future, we will inform you accordingly.
Right of objection Art. 21 GDPR
You have the right to object to the processing of your data, which is carried out on the basis of Art. 6 sec. 1 f GDPR (data processing on the basis of legitimate interests) or Art. 6 sec. 1 e GDPR (data processing in the public interest), at any time if you have a reason that arises from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.
If you file an objection, we will no longer process your personal data unless we can prove compelling reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
The objection can be filed without specific formal requirements and should be sent to the address mentioned under section 1.
Last updated in March 2021