Privacy Policy

Privacy Policy NautilusLog GmbH

(Version of 2022/07/20)

This privacy policy applies to the data processing by NautilusLog GmbH in connection with the operation of NautilusLog Platform.

I. Name and address of controller

The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") and other national data protection laws of EU countries and other data protection laws is:

NautilusLog GmbH, represented by Otto Klemke (General Manager), c/o Digital Hub Logistics Hamburg, St. Annenufer 2, 20457 Hamburg

info@nautiluslog.com, Telephone: +49 40 432 803 53

II. Collection and storage of personal data and the nature and purpose of their use

(1) If you wish to use the NautilusLog Platform, consisting of a web app, API and a mobile app (hereinafter individually and collectively referred to as "App"), you must register by entering your email address, first and last name and a password of your choice.

(2) In certain use cases, limited access to the NautilusLog Platform via a landing page can also be provided without a registered account. Access is via a time-limited access link or code.

(3) If you use our App, we store the data required for the fulfilment of the contract. We store the data provided by you for the duration of your use of the App, unless it is deleted at your request. You can manage and change all data via the NautilusLog Platform when registered and logged in. The legal basis is Art. 6 para. 1 lit. b GDPR.

(4) If you use the App, your data may become accessible to other users of the App in accordance with the contractual performance. The legal basis is Art. 6 para. 1 lit. b GDPR. If you provide your email address to another user of the App, that user will have the opportunity to invite you to join a team ("Team"). You may withdraw from the Team at any time. You may also create and manage a Team while using the App and in this context invite other users, with their consent, to join the Team by providing their e-mail address.

(5) In a Team, activities can be planned, and other users of the Team or other Teams can be invited to collaborate or by providing an e-mail address. The data created by the users belongs to the inviting Team and serves to create a common result. Users can accept and decline invitations to activities. You may withdraw from an invitation to an activity at any time. For the coordination of activities, it is necessary to track and store the position of the user. Furthermore, position can also be used to validate certain data entries. For this purpose, position information is stored as part of the activity carried out and is available as a quality characteristic for the data of the activity.

(6) In order to prevent unauthorised access to personal data by third parties, data communication between the App and the server is encrypted via HTTPS/TLS. Our TLS certificates come from “Let's Encrypt”.

(7) When using the App, our system automatically collects installation-specific metadata. The following data is temporarily processed for this purpose:

  • Operating system version
  • App version
  • Device model and manufacturer

This data is only required for the technically correct operation of the App and for the analysis of any malfunctions and is anonymized within 180 days at the latest. The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. b GDPR. The collection of the data is mandatory for the operation of the App.

(8) As we are obliged to analyze your data in order to make you aware of potential services in connection with the data, we conduct such analyses on the basis of Art. 6 para. 1 lit. b) GDPR.

III. Disclosure of data

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only pass on your personal data to third parties if:

  • you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR,
  • the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
  • in the event that there is a legal obligation to pass on the data in accordance with Art. 6 para. 1 lit. c GDPR, and
  • this is legally permissible and required for the processing of contractual relationships with you in accordance with Art. 6 para. 1 lit. b GDPR.

IV. Use of Cookies

Cookies are text files that are stored in or by the Internet browser on the user's computer system. When a user visits a website, a cookie can be stored on the user's operating system.

Our website uses so-called session or flash cookies, which are technically necessary for the operation of the website. These cookies contain characteristic strings of characters that enable the browser to be uniquely identified when the website is accessed again. Some functions of our website cannot be offered without the use of cookies. For these functions, the browser must still be recognized after a page change. These purposes also include our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR, which overrides your interest in not processing the data. The user data collected by technically necessary cookies are not used to determine your identity or to create user profiles.

In addition, we also use – if you allow this – so-called persistent cookies, which are used beyond the session ("session-cookies" or "session-spanning cookies"). In particular, these cookies serve to make the Internet offering user-friendly, effective and secure. The legal basis for the processing of personal data by means of so-called persistent cookies is Art. 6 para. 1 lit. a) GDPR. Our website uses a "session_token" cookie, which enables a user to be permanently logged into the App. Once this cookie expires, the user has to log in again with e-mail and password.

V. Ownership of data

You have sovereignty over the data that you transmit within the framework of the App; we do not assert any rights. In order to be able to detect errors, we analyze the data you submit. We do not use any third-party providers; we carry out the analysis ourselves. We base this processing on Art. 6 para. 1 lit. f) GDPR. Our interest in fixing bugs and removing defects in our services outweighs the interest of the person concerned. It is not sensitive data and only the result of the analysis is recorded, which itself no longer contains any personal data.

VI. Rights of data subjects

If we process your personal data, you will be a data subject within the meaning of the GDPR and you will have the following rights against the controller:

1. Right to information

You may demand that the controller confirm whether or not personal data about you are processed by us.

If we do process such data, you may demand the following information from the controller:

  (1) the purposes for which your personal data are processed;
  (2) the categories of personal data that are processed;
  (3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;
  (4) how long we plan to store your personal data or, if that time period cannot be ascertained yet, the criteria used to determine how long we will store your personal data;
  (5) whether you have a right to rectification or erasure of your personal data, a right to restricted processing by the controller, or a right to object to such processing;
  (6) whether you have a right to lodge a complaint with a supervisory authority;
  (7) any available information about the origin of data if they were not collected directly from the data subject; and
  (8) whether your personal data will be transferred to any third country or international organization; in connection with such transfers you may demand to be informed of appropriate safeguards within the meaning of Art. 46 GDPR.

2. Right to rectification

You have a right against the controller to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. The controller must rectify data without undue delay.

3. Right to restricted processing

Under the following conditions you may demand restricted processing of your personal data:

  (1) if you dispute the correctness of your personal data for a time period that allows the controller to review whether your personal data are correct;
  (2) if processing is unlawful and you decline to have your personal data erased and instead demand restricted use of your personal data;
  (3) if the controller no longer needs your personal data for the purposes for which they are processed, but you need such data to assert, exercise, or defend legal rights or claims, or
  (4) if you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and it has not yet been determined whether there are overriding legitimate reasons of the controller.

If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.

If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.

4. Right to erasure

a) Erasure obligation

You may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:

  (1) your personal data are no longer needed for the purposes for which they were collected or are otherwise processed;
  (2) you have revoked your consent on which the processing of your data is based in accordance with Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR, and there is no other legal basis for processing your personal data;
  (3) you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for processing your personal data, or you object to processing in accordance with Art. 21 para. 2 GDPR;
  (4) your personal data have been processed unlawfully;
  (5) erasing your personal data is necessary to comply with a legal obligation under European law or member state law to which the controller is subject; or
  (6) your personal data were collected with respect to offered information society services within the meaning of Art. 8 para. 1 GDPR.

b) Information to third parties

Where the controller has made personal data public and has an obligation under Art. 17 para. 1 GDPR to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.

c) Exceptions

There is no right to erasure if processing personal data is necessary

  (1) to exercise the right to freedom of expression and information;
  (2) to comply with a legal obligation which requires processing of your personal data under EU or member state law to which the controller is subject, or to perform a task that is in the public interest, or to exercise official authority vested in the controller;
  (3) for reasons of the public interest in the area of public health within the meaning of Art. 9 para. 2 lit. f) and i) and Art. 9 para. 3 GDPR; or
  (4) to assert, exercise, or defend legal rights or claims.

5. Right to notification

If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense.

You have a right to be informed of all such recipients by the controller.

6. Right to data portability

You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-readable format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if

  (1) processing is based on consent within the meaning of Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract within the meaning of Art. 6 para. 1 lit. b) GDPR, and
  (2) data processing is automated.

In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby.

The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.

7. Right of objection

You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on Art. 6 para. 1 lit. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions.

If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims.

If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising. If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes.

In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to us.

8. Right to revoke consent to data processing

You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.

9. Automated decision in a particular case, including profiling

You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision

  (1) is necessary to enter into or perform a contract between you and the controller,
  (2) is permitted under EU or member state law to which the controller is subject and such law provides for appropriate safeguards to protect your rights, freedoms, and legitimate interests, or
  (3) is made with your express consent.

However, such decisions may not be made with respect to special categories of personal data within the meaning of Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests.

In cases (1) and (3) above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.

10. Right to lodge complaint with supervisory authority

Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.

The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under Art. 78 GDPR.