General contractual terms of Equinox FinTech Solutions GmbH
– AV Equinox –
1. Remuneration, payment, service protection, deadlines
1.1 Unless agreed otherwise, remuneration is calculated according to expenditure at the provider’s prices generally applicable at the time of contract conclusion. Remuneration essentially comprises net prices plus statutory value-added tax incurred.
The provider can invoice monthly. If services are remunerated according to expenditure, the provider shall document the nature and duration of the activities and submit this documentation with the invoice.
1.2 All invoices must be paid no later than 14 calendar days after receipt, free of charges for the recipient and without any deductions.
1.3 The customer may offset or withhold payments due to defects only insofar as said customer is actually entitled to payment claims based on material defects or defective titles related to services. For other claims arising out of defects, the customer may withhold payments only proportionately, taking the defect into consideration. Item 4.1 applies correspondingly. The customer has no right of retention if their claim arising out of defects has lapsed. Furthermore, only claims which are undisputed or established in a legally valid way allow the customer to offset or exercise a right to withhold.
1.4 The provider reserves the right to retain title and due rights regarding services until full payment of the owed remuneration, authorized retention due to defects being as per item 1.3. Clause 2 is taken into consideration. Furthermore, the provider reserves the right to retain title until fulfilment of all their claims arising from the business relationship with the customer. The provider is entitled to prohibit the customer from further use of services for the duration of the customer’s default of payment. The provider can assert this right only for a reasonable period of time, usually a maximum of 6 months. This does not constitute withdrawal from the contract. § 449 Paragraph 2 of the German Civil Code remains unaffected.
If a customer or their buyers return services, receipt of these services does not constitute withdrawal by the provider unless they have expressly declared withdrawal. The same is true for seizure of goods subject to retention of title or rights to such goods on the provider’s part. The customer may neither pledge nor assign as collateral items which are subject to retention of title or legal reservations. The customer is only authorized as a reseller to resell items in the ordinary course of business, under the condition that claims against the customer’s buyers in connection with the resale have been validly assigned to the provider, and the customer transfers ownership to their buyers subject to payment. By concluding this contract, the customer assigns their future claims regarding such sales vis-à-vis their buyers as a security to the provider, who hereby accepts this assignment.
If the value of the provider’s collateral rights exceeds the value of the secured claims by more than 20%, the provider shall release a corresponding portion of the security rights at the customer’s request.
1.5 In the event of a permissible transfer of usage rights pertaining to deliveries and services, the customer is obliged to impose the contractually agreed restrictions on the recipient.
1.6 If the customer fails to settle due claims wholly or partially by the contractual payment date, the provider can revoke agreed payment terms for all claims. Furthermore, the provider is entitled to render other services only against advance payment or security through performance guarantee of a credit institute or credit insurer authorized in the European Union. The advance payment is to cover the respective billing period or – in the case of one-time services – their remuneration.
1.7 If the customer is economically unable to fulfil their obligations vis-à-vis the provider, the provider may terminate existing exchange agreements with the customer through withdrawal, and continuing obligations through cancellation without notice, also in the event of an insolvency application by the customer. § 321 of the German Civil Code and § 112 of the German Insolvency Law remain unaffected.
The customer shall give the provider timely, written notification of any impending insolvency.
1.8 Fixed service deadlines must exclusively be agreed expressly in documented form. Agreement of a fixed service deadline is subject to the proviso that the provider receives services from their respective suppliers in a timely and contractually compliant manner.
2. Collaboration, obligations to cooperate, confidentiality
2.1 The customer and provider shall each appoint a responsible contact person. Communication between the customer and provider is to take place via these contact persons, unless agreed otherwise. The contact persons shall promptly make all decisions related to contract execution. The decisions must be documented in a binding form.
2.2 The customer is obliged to support the provider as necessary and create all the conditions necessary in their sphere of operations for proper execution of the contract. For this, they shall provide, in particular, the necessary information and enable remote access to the customer’s system as far as possible. If remote access is not possible for security-related reasons or other reasons, relevant deadlines shall be extended appropriately; as concerns further effects, the contractual partners will agree on suitable provisions. The customer shall furthermore ensure that qualified staff are available for supporting the provider.
Insofar as the contract contains agreements that services can be provided at the customer’s site, the customer shall provide adequate workstations and work equipment free of charge at the provider’s request.
2.3 The customer shall immediately report defects in an understandable and detailed manner in writing, including all information useful for defect identification and analysis. To be described here, in particular, are the work steps which led to occurrence of the defect, as well as the manifestation and effects of the defect. The provider’s relevant forms and procedures shall be used for this purpose, unless agreed otherwise.
2.4 The contractual partners are committed to maintain silence about business and trade secrets as well as other details identified as confidential, which become known in the context of executing the contract. Disclosure of such information to persons not involved in conclusion, execution or handling of the contract is permitted only with the written consent of the other contractual partner. Unless agreed otherwise, this commitment ends after a period of five years following announcement of the information, but for continuing obligations not before they end. The contractual partners shall also impose these commitments on their employees and any involved third parties.
2.5 The contractual partners are aware that electronic and unencrypted communication (e.g. via e-mail) is laden with security risks. For this type of communication, they will therefore assert no claims based on a lack of encryption, unless encryption was previously agreed.
3. Disruptions in service provision
3.1 If a factor for which the provider is not responsible, including strikes and lockouts, affects adherence to a deadline (“disruption”), the deadline is to be postponed by the duration of the disruption, in addition to a reasonable restart phase if necessary. Each contractual partner is to immediately notify the other partner about the cause of any disruption occurring in their sphere, as well as length of the postponement.
3.2 If expenditure rises due to a disruption, the provider may request remuneration of the additional expenditure, unless the customer is not liable for the disruption and its cause lies outside the scope of said customer’s responsibility.
3.3 If the customer can withdraw from the contract due to improper service rendition by the provider and/or demand damage compensation instead of service or affirms this, they are to declare in writing on the provider’s request within a reasonable, set period whether they will assert these rights or whether they still desire a provision of the service. In the event of withdrawal, the customer will reimburse the provider with the value of the previously existent utilization options; the same applies to deterioration through proper use.
If the provider is delayed in rendering services, the customer’s compensation for damages and expenditure due to the delay is limited, for each completed week of delay, to 0.5% of the price for the part of the contractual service which cannot be utilized due to the delay. Liability for delays is limited to a maximum of 5% of the remuneration for all contractual services affected by the delay; in the case of continuing obligations, it is based on remuneration for the relevant services for the full calendar year. Applicable as a supplement with priority is a percentage of the remuneration agreed on contract conclusion. This does not apply to delays due to gross negligence or wilful intent on the provider’s part.
3.4 If service provision is delayed, the customer has a right of withdrawal in the context of legal provisions only if the provider is responsible for the delay. If the customer rightfully raises a claim for compensation of damages or expenditure instead of service due to a delay, said customer is entitled to charge, for every full week of the delay, 1% of the price for the part of the contractual service which cannot be utilized due to the delay, but no more than 10% of this price; serving as a basis in case of continuing obligations is the remuneration for the affected services for the full calendar year. Applicable as a supplement with priority is a percentage of the remuneration agreed on contract conclusion.
4. Material defects and reimbursement of expenditure
4.1 The provider guarantees the contractually owed quality of services. Claims regarding material defects do not arise if the provider’s services deviate just negligibly from the contractual quality. Nor do claims regarding defects arise in case of excessive or improper use, natural wear and tear, failure of components in the system environment, software errors which cannot be reproduced or otherwise proven by the customer, or damage due to special external influences which are not a prerequisite under the contract. This also applies in case of subsequent alteration or repair by the customer or third parties, unless this does not hinder analysis and removal of the material defect.
Item 6 applies as a supplement to claims for compensation of damages and expenditure.
4.2 The limitation period for claims based on material defects is one year from the statutory beginning of limitation. The statutory periods for recourse according to § 478 of the German Civil Code remain unaffected. The same applies insofar as longer periods are prescribed, pursuant to § 438 Paragraph 1 Item 2 or § 634a Paragraph 1 Item 2 of the German Civil Code, in case of intentional or grossly negligent breach of duty by the provider, fraudulent concealment of defects, harm to life, body or health, as well as claims based on the product liability act.
The provider’s processing of a notice of a material defect from the customer only retards the limitation period insofar as the statutory prerequisites for this are present. The limitation period does not newly begin as a result.
Supplementary performance (new delivery or reworking) can only influence the limitation period for the defect which triggered supplementary performance.
4.3 The provider can demand remuneration for their expenditure insofar as
(a) they act on a report without there actually being a defect, unless the customer could not recognize with reasonable effort that no defect existed, or
(b) a reported fault is not reproducible or otherwise demonstrable as a defect by the customer, or
(c) additional expenditure is incurred due to improper fulfillment of the customer’s obligations (also refer to Items 2.2, 2.3, 2.4 and 5.2).
5. Defects of title
5.1 The provider is liable for infringement of third-party rights by said provider’s service only insofar as the service is utilized unmodified in accordance with the contract and, in particular, in the contractually agreed or otherwise intended environment.
The provider is liable for infringements of third party rights only within the European Union and the European Economic Area, and at the location of service utilization as per the contract. Item 4.1, clause 1 applies accordingly.
5.2 If a third party asserts vis-à-vis the customer that a service from the provider violates their rights, the customer shall promptly notify the provider. The provider and, if applicable, their suppliers are authorized but not obliged to ward off the asserted claims, to the extent permitted, at their own expense. The customer is not authorized to recognize third-party claims before giving the provider an adequate opportunity to avert the third-party rights in other ways.
5.3 If third-party rights are breached by one of the provider’s services, the provider, at their own expense and discretion, shall
(a) supply the customer with the right to use the service, or
(b) organize the service such that it is free of legal breaches, or
(c) take back the service and refund the remuneration paid by the customer (minus a reasonable reimbursement for use) if the provider cannot achieve any other remedy with reasonable effort. The customer’s interests are to be considered adequately here.
5.4 Claims of the customer regarding defects in title lapse according to Item 4.2. Item 6 applies additionally to the customer’s claims for damage and expenditure compensation; Item 4.3 applies accordingly to the provider’s additional expenditures.
6. The provider’s general liability
6.1 The provider is always liable to the customer
(a) for damage caused by the provider or their legal representatives or vicarious agents intentionally or through gross negligence,
(b) according to the product liability law and
(c) for damage which arises from harm to life, body or health, and for which the provider, their legal representatives or vicarious agents are responsible.
6.2 The provider is not liable for slight negligence unless they have breached an essential contractual obligation whose fulfillment is a prerequisite for proper execution of the contract, or whose breach endangers attainment of the contractual goal and whose observance the customer must regularly rely on.
For material and pecuniary damages, this liability is limited to the damages typical and foreseeable for the contract. The same applies to loss of profit and savings which failed to materialize. Liability for other remote consequential damage is excluded.
For an individual instance of damage, liability is limited to the contract value; for ongoing remunerations, liability is limited to the amount of remuneration per contract year, but not less than € 50,000. Item 4.2 applies accordingly to the statute of limitations. On contract conclusion, the contractual partners can agree further liability in writing, usually in exchange for a separate remuneration. An individually agreed liability sum has priority. Liability as per Item 6.1 is not influenced by this paragraph.
As a supplement with priority, the provider’s liability due to slight negligence arising from the respective contract and its execution with regard to compensation of damage and expenditure – irrespective of the legal grounds – is on a whole limited to the percentage rate agreed in this contract with respect to the remuneration agreed on contract conclusion. Liability as per Item 6.1 b) is not influenced by this paragraph.
6.3 On the basis of a guarantee declaration, the provider is only liable for damage compensation if this was explicitly accepted in the guarantee. In the case of slight negligence, this liability is subject to the limitations set forth in Item 6.2.
6.4 If recovery of data or components (e.g. hardware, software) becomes necessary, the provider is liable only for the expenditure required for recovery given proper data backup and failure precautions by the customer. In case of slight negligence by the provider, this liability arises only if the customer implemented appropriate data backup and failure precautions for the type of data and components before the disruption. This does not apply if agreed as performance to be delivered by the provider.
6.5 Items 6.1 to 6.4 apply accordingly to claims for compensation of expenditure and other liability claims of the customer against the provider. Items 3.3 and 3.4 remain unaffected.
7. Data privacy
8.1 The customer is responsible for complying with import and export regulations applicable to deliveries and services, in particular those associated with the United States. For cross-border deliveries and services, the customer shall cover customs, fees and other charges. The customer is responsible for handling legal and official procedures in connection with cross-border deliveries and services, unless expressly agreed otherwise.
8.2 In addition to the general contractual terms, the special contractual conditions for the use of software as a service – SaaS Equinox – apply to the use of Paperfly Web Services.
8.3 German law shall apply. Application of the CISG is excluded.
8.4 The provider renders their services on the basis of their general business terms. The customer’s general business terms do not apply, even if the provider has not expressly contradicted them. Acceptance of services by the customer is regarded as recognition of the provider’s general business terms, waiving the customer’s general business terms.
Other conditions are binding only if the provider has recognized them in writing; in this case, the provider’s general business terms apply as a supplement.
8.5 Amendments and supplements to this contract can only be agreed in writing. Insofar as the written form is agreed (e.g. for termination, withdrawals), the text form is not sufficient.
8.6 The provider’s domicile is the place of jurisdiction vis-à-vis merchants, legal persons under public law or special funds under public law. The provider can also file suit against the customer at their domicile.
This is a courtesy translation and in the event there are any differences between the German and English texts, the German text governs.
Münster, 1 May 2019.
Equinox FinTech Solutions GmbH’s contractual terms
for use of software via the Internet
(Software as a Service)
1. Subject matter of the contract
1.1 The provider supplies the contractual services, in particular, access to software, in their area of disposition (from the data processing centre’s interface to the Internet). The scope, nature, purpose and conditions of use of the contractual services are determined by the respective service description, in addition to the software’s FAQs (frequently asked questions).
The Paperfly service description is available here.
1.2 Further services such as development of customer-specific solutions or necessary adaptations require a separate contract.
1.3 The provider supplies updated versions of software.
The provider shall inform customers about updated versions and corresponding instructions on use electronically, and make these accordingly available.
2. Scope of use
2.1 Contractual services may only be used by the customer and only for the purposes agreed in the contract. For the duration of the contract, the customer may access the contractual services by means of telecommunication (via the Internet), and use the functionality associated with the software in a contractually compliant manner by means of a browser or other appropriate application (for example, an “app”). The customer does not receive any further rights, in particular, pertaining to software or any provided infrastructure services at the respective data processing centre. Any further use requires the provider’s prior written approval.
2.2 The customer must, in particular, not use the software beyond the agreed scope of utilization, or allow third parties to use or access the software. In particular, software or parts thereof must not be copied, sold, transferred temporarily, leased or loaned by the customer.
2.3 The provider is authorized to take appropriate technical measures to prevent non-contractual use. This must not significantly impair contractually compliant use of the services.
2.4 If a user exceeds the scope of utilization or an unauthorized transfer of use takes place in breach of the contract, the customer, on request, shall immediately supply the provider with all available information for assertion of claims due to the non-contractual use including, in particular, the user’s name and address.
2.5 The provider may withdraw the customer’s right of access and/or cancel the contract if the customer substantially exceeds their authorized scope of use or breaches regulations for preventing unauthorized use. In this context, the provider can interrupt or block access to the contractual services. Beforehand, the provider must always set a reasonable grace period of remedy for the customer. Sole revocation of access authorization does not simultaneously constitute cancellation of the contract. Revocation of access authorization without notice can be upheld by the provider only for a reasonable period of time not exceeding 3 months.
2.7 The provider’s entitlement to remuneration for use above and beyond the agreed scope remains unaffected.
2.8 The customer is entitled to renewed granting of access authorization and access options after proving that they have ceased non-contractual use and prevented further non-contractual use.
3. Availability, defective services
3.1 Availability of provided services is determined by the service description.
3.2 Just a minor reduction in a service’s suitability for contractual use shall not give rise to claims by the customer regarding defects. Strict liability of the provider regarding defects already existent at the time of contract conclusion is ruled out.
4. Data protection
4.3 The customer remains the data controller generally in the contractual relationship and in the context of data protection legislation. If the customer processes personal data in connection with the contract (including collection and use), said customer assures that they are entitled to this according to the applicable provisions, in particular, those concerning data protection, and exempts the provider from claims by third parties in the event of a breach.
4.4 The following applies to the relationship between the provider and customer: The customer is responsible for processing (including collection and use) of personal data vis-à-vis the data subject, unless the provider is answerable to any claims by the data subject as regards breaches of duty attributable to them.
The customer shall review, process and answer any enquiries, requests and claims by the data subject. This also applies to claims raised by the data subject against the provider. The provider shall support the customer as part of their duties.
4.5 The provider guarantees that the customer’s data are saved exclusively in the territory of the Federal Republic of Germany, or a member state of the European Union, or another state party to the agreement on the European Economic Area, unless agreed otherwise.
An overview of the physical and operational security measures for the network and datacentre infrastructure, as well as service-side specific security implementations, is detailed here.
5. Customer’s obligations
5.1 The customer shall protect the access rights as well as identification and authentication details assigned to said customer and users against access by third parties, and not relay these details to unauthorized parties.
5.2 The customer is obliged to exempt the provider from all claims of third parties due to legal breaches which are either based on the customer’s unlawful use of the subject matter of the contract, or which occur with their consent. If the customer recognizes or must recognize that such a breach is imminent, they are obliged to immediately inform the provider.
5.3 The customer shall utilize the opportunities made available by the provider for securing their data in their original sphere of responsibility.
6. Non-contractual use, damage compensation
6.1 For each case involving unauthorized use of a contractual service in the customer’s area of responsibility, the customer shall pay damage compensation equal to the remuneration which would have been due for contractually compliant use over the minimum contractual period applicable to this service.
Proof that the customer is not responsible for unauthorized use, or that damage is either absent or much less significant, remains reserved for the customer. The provider remains entitled to assert further damage claims.
6.2 Acceptable Use Policy
The following list is not exhaustive and is for guidance only.
In connection with use of any Paperfly Service, website or system (collectively, the “Paperfly Platform”), you must not:
➔ Post or transmit abusive messages, defamatory, libelous, false or misleading statements, hate speech, or messages that incite or threaten violence;
➔ Transmit spam, chain letters, or unsolicited messages (including email and SMS);
➔ Impersonate another person, misrepresent your affiliation with another person or entity, engage in fraud, or hide or attempt to hide your identity;
➔ Access any unauthorized part of the Paperfly Platform;
➔ Interfere with the normal functioning, integrity or operation of the Paperfly Platform;
➔ Upload or transmit invalid data, viruses, worms, harmful code, malware, or other software agents;
➔ Decipher or decrypt transmissions, circumvent any access, authentication or copy restrictions of, or otherwise attempt to compromise the security of the Paperfly Platform (including another user’s account);
➔ Attempt to probe, scan or test the vulnerability of any part of the Paperfly Platform without proper authorization;
➔ Attempt to modify, or gain unauthorized use of or access to, another user’s account(s), website(s), application(s), system(s), equipment or data;
➔ Collect or harvest any personally identifiable information, including account names, from any other user’s account;
➔ Use the Paperfly Service or other parts of the Paperfly Platform in violation of any applicable law or regulation, including privacy laws in applicable jurisdictions; or
➔ Upload, use or transmit any content, data or materials that violate applicable laws or regulations;
➔ reproduce, duplicate, copy, sell, trade, resell, lease, rent, resell, sublicense or exploit for any commercial purposes, any portion or use of, or access to, the
➔ incorporate the Paperfly Service (or any portion of such) with, or use it with or to provide, any site, product, or service, other than on sites/applications owned-and-operated by User and as specifically permitted herein; (please contact us for integration of the Paperfly Service (or any portion of such) into custom enterprise applications)
➔ publicly disseminate information regarding the performance of the Paperfly Service (which is deemed Equinox’s Confidential Information);
➔ modify or create a derivative work of the Paperfly Service or any portion of it;
➔ reverse engineer, disassemble, decompile, translate, or otherwise seek to obtain or derive the source code, underlying ideas, algorithms, file formats, or non-public APIs to any Paperfly Service, except to the extent expressly permitted by applicable law and then only with advance notice to Paperfly;
➔ break or circumvent any security measures, rate limits, or usage tracking (such as event tracking) of the Paperfly Service, or configure the Paperfly Service (or any component thereof) to avoid sending events or to otherwise avoid incurring fees;
➔ distribute any portion of the Paperfly Service except as permitted herein;
➔ access the Paperfly Service for the purpose of building a competitive product or service or copying its features or user interface;
➔ use the Paperfly Service for purposes of product evaluation, benchmarking, or other comparative analysis intended for publication without Equinox’s prior written consent; or
➔ remove or obscure any proprietary or other notices contained in the Paperfly Service, including in any reports or output obtained from the Paperfly Service.
➔ use or permit the Services to be used for any illegal or misleading purpose, or any manner inconsistent with these Terms.
7.1 Claims by the user for damages are excluded. This does not apply to claims for damages by the user arising from injury to life, limb, health or from the violation of essential contractual obligations (cardinal obligations) as well as liability for other damages which are based on an intentional or grossly negligent breach of duty by the provider, his legal representatives or vicarious agents. Essential contractual obligations are those whose fulfillment is necessary to achieve the objective of the contract.
7.2 In the event of a breach of essential contractual obligations, the provider is only liable for the contractually typical, foreseeable damage, if this was simply caused by negligence, unless it concerns damage claims by the user from injury to life, limb or health.
7.3 The restrictions in paragraphs 7.1 and 7.2 also apply in favor of the legal representatives and vicarious agents of the provider if claims are asserted directly against them.
7.4 The liability restrictions resulting from paragraphs 7.1 and 7.2 do not apply if the provider maliciously concealed the defect or assumed a guarantee for the quality of the service. The same applies if the provider and the user have made an agreement on the quality of the service. The provisions of the Product Liability Act remain unaffected.
8. Malfunction management
8.1 Disruptions in trial mode
When the Paperfly SaaS is used in free trial mode, Equinox GmbH assumes no liability for the loss or inaccessibility of data, unless Equinox GmbH has acted fraudulently, willfully or through gross negligence. As far as legally permissible, a claim to maintenance and support is excluded.
8.2 The provider shall receive the customer’s reports of malfunctions, classify the malfunctions into agreed categories (Item 8.4) and use this classification to implement the agreed measures to analyze and remedy the malfunctions.
8.3 The provider shall receive the customer’s reports of malfunctions during said provider’s normal business hours and assign an ID to each report. On request by the customer, the provider shall confirm receipt of a malfunction report with a notification of the ID assigned to it.
8.4 Unless agreed otherwise, the provider shall classify received malfunction reports after an initial inspection into one of the following categories:
a) Serious malfunction
The malfunction is based on a fault which has occurred in the contractual services so as to make use of these services, especially pertaining to software, impossible or possible only with significant limitations. The customer cannot circumvent this problem in a reasonable manner, and is therefore unable to complete urgent jobs.
b) Other malfunction
The malfunction is based on a fault which has occurred in contractual services so as to limit the customer’s use of these services, especially pertaining to software, more than just insignificantly, without there being a serious malfunction.
c) Other report
Malfunction reports which do not fall into category a) or b) are assigned to the category of other reports. Other reports are handled by the provider only in accordance with the agreements reached in this regard.
8.5 In the case of reports about serious malfunctions and other malfunctions, the provider shall promptly initiate relevant measures according to the circumstances reported by the customer, in order to first localize the cause of the malfunction.
If a reported malfunction does not turn out to be a fault in the contractual services, especially the supplied software, after initial analysis, the provider shall promptly inform the customer about this.
Otherwise the provider shall initiate appropriate measures to further analyze and correct the reported malfunction or – in the case of third-party software – send the malfunction report including their analysis results to the distributor or manufacturer of the third-party software with a request for remedy. To circumvent or remedy a fault in contractual services, especially the supplied software, the provider shall promptly supply the customer with available measures such as procedural instructions or corrections to the supplied software. The customer shall promptly implement such measures to circumvent or remedy malfunctions, and promptly notify the provider again of any remaining malfunctions when deploying the measures.
9. Contact point (Hotline)
9.1 Contact point for free trial users
In trial mode the customer is not legally entitled to be serviced by our hotline for a specific SaaS service. Equinox GmbH may shut down the hotline for trial users at any time. However, we appreciate any feedback, wishes and ideas from our customers!
9.2 Contractual services
The provider shall set up a contact point (hotline) for the customer. This point of contact processes the customer’s inquiries in connection with technical requirements and conditions for use of the supplied software, as well as individual functional aspects.
9.3 Receipt and processing of inquiries
As a prerequisite for receipt and processing of inquiries, the customer is to announce an appointment of expert and technically qualified staff to the provider, and assign these staff to internally process inquiries from users of the maintained software. The customer is obliged to submit inquiries to the hotline only via these staff members appointed for communicating with the provider, using the forms supplied by the provider for this purpose. The hotline receives such inquiries via e-mail, fax, and telephone during the provider’s normal business hours.
The hotline shall process proper inquiries as part of normal business routine and answer them as far as possible. In its responses, the hotline can refer the customer to available documentation and other training material for the supplied software. If the hotline is not able to answer an inquiry at all or in a timely fashion, the provider – if this is expressly agreed – shall forward the inquiry for processing, especially in the case of inquiries regarding software not developed by said provider.
Other hotline services such as further contact hours and periods as well as on-call service or the provider’s deployment on-site at the customer’s premises must be expressly agreed in advance.
10. Contract duration and termination
10.1 The contractually agreed services shall be provided from the date specified in the contract, initially for the duration specified in the contract. During this minimum term, premature ordinary termination is ruled out for both parties.
10.2 The contract may be terminated with a notice period of three months, at the earliest on expiry of the minimum term. If this does not take place, the contract shall be extended by one more year, unless it was terminated ordinarily with a notice period of 3 months before expiry of the respective extension period.
10.3 Each contractual partner’s right to extraordinary termination for important reasons remains unaffected.
10.4 Every declaration of termination must be in writing to be effective. Item 8.4 of ‘AV Equinox‘ applies here.
10.5 Before termination of the contract, the customer will back up their data inventory (e.g. via download) under their own responsibility and in a timely manner. On request, the provider will support the customer in this process, Item 4.3 of ‘AV Equinox‘ being applicable here. Already for reasons pertaining to data protection legislation, the customer will no longer be able to regularly access such data after termination of the contract.
11. Validity of ‘AV Equinox‘
Equinox’s general contractual terms (document titled ‘AV Equinox‘) apply additionally.
This is a courtesy translation and in the event there are any differences between the German and English texts, the German text governs.
Münster, 1 May 2019.
Paperfly is a document request management system (DRMS) targeted at enterprises, government authorities and office professionals in document-intensive industries.
Paperfly aims to optimize business workflows, save time and help close more sales. Paperfly promotes customer loyalty by making paperwork fast, simple and convenient. Analog and digital documents can be classified, tagged, annotated, quality assured and quality-checked in batch mode and be imported in standard enterprise solutions, cloud storage, or customer specific interfaces.
High security enterprise solutions with forwarding of documents to customer owned VPN gateways and hosting in private data centers are available on request.
Optical Character Recognition with industry standard LSTM (Long Short Term Memory) based OCR systems, as well as AI based automatic quality assurance of documents are available as premium features.
Up to 10 document requests per month can be sent in trial mode. Storage in trial mode is limited to 1GB. You can use a trial account in a productive environment, as we try to give the customer an indefinite trial period to verify the stability, efficiency and cost savings of our services. However, note that no backups are supported for trial accounts. There is no protection against data loss, as our demo server systems are updated with new features regularly.
2. Paperfly Core Features
2.1 Document Collection
Paperfly Document Collection offers the user the possibility to quickly request documents from third parties. To use the Document Collection function the user must add the corresponding widget to the request. Users can change the title of the document to be requested and choose whether it is an optional or mandatory document to complete the request workflow. The recipient of the request can easily photograph / scan and upload the requested document with their smartphone or laptop. Paperfly supports the recipient in scanning documents with the following functions: automatic edge detection, automatic perspective correction and automatic image optimization.
2.2 Paperfly Quick Forms
Paperfly Quick Forms offers users the option of creating web forms using drag-and-drop functionality. To use the Quick Forms function, the user must add the corresponding widget to the request. When creating a request, the user can decide whether he wants to create a new Quick Form or use an existing template instead.
A Quick Form can consist of the following components: text field, number field, multi-line text field, date selection, check boxes, selection list, option field, link, heading, paragraph, dividing line. If the signature function for the user account has been activated / ordered, a signature field widget is also displayed. The Quick Form is sent to the recipient to be filled out on smartphone or desktop devices. The recipient can complete an inquiry once he has filled out all the required fields.
2.3 Paperfly Mobile PDF
Paperfly Mobile PDF offers the user the option of uploading, editing, and sending existing PDF files to third parties. If the uploaded PDF file contains fillable fields, these will – as far as the fields are compatible with the Paperfly fields – be imported in Paperfly. In addition, the user has the option of manually adding the following fields: text field, number field, multi-line text field, date selection, check boxes, selection list, option field, link. If the signature function for the user account has been activated / ordered, a signature field widget is also displayed. The PDF form is sent to the recipient to be filled out on smartphone or desktop devices. A recipient can complete an inquiry once he has filled out all mandatory fields.
2.4 Electronic Signature
Paperfly offers the electronic signature in accordance with Regulation (EU) No. 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. The Paperfly function of the electronic signature can only be used in combination with Mobile PDFs or Quick Forms. If the electronic signature function is activated, the user can add a signature field to the document. The recipient receives the request by email or SMS. If the request is encrypted using a double authentication, the recipient must first enter the security key that is communicated to him via another communication channel in order to be able to see the request.
The recipient must click on the signature field to sign the document. He can either upload an existing signature image or sign it directly on the screen with the finger / mouse pointer. If a request that contains at least one signature field is completed, the time of the data transfer is logged by the Paperfly server. A new file is created from the originally uploaded document pages and from the data entered by the user (including the signature image). The file is signed with a certificate and locked against changes. Paperfly provides the user with an audit trail in which all process steps are logged.
2.5 Payment Collection
Paperfly offers the user the option of requesting payments from third parties.
Equinox FinTech Solutions GmbH works with Stripe Payments Europe, Limited to offer Payment Collection in Paperfly. Before the Payment Collection function can be used, a company representative must go through the Stripe onboarding process. Once the onboarding process has been completed, the user can add a payment request to the request using the corresponding payment widget. The user has to enter the amount that he requests from the recipient of the request, as well as a purpose. Various options are offered to the recipient of the request to pay the requested amount. The amount received by the recipient is credited to the company (customer of Equinox FinTech Solutions GmbH) in Stripe. The customer can determine whether the accumulated credit is paid to him daily, weekly, or monthly. Alternatively, the customer can trigger the payment manually.
2.6 Document for information
Paperfly offers the user the opportunity to send a document for information to a recipient. The user can either upload a new file (PDF, PNG, JPG) or use an existing template. The recipient does not return any data.
2.7 Document for immediate confirmation
Paperfly offers the user the option of sending the recipient a document, the contents of which the recipient must read and confirm. The user can either upload a new file (PDF, PNG, JPG) or use an existing template. An inquiry can only be completed if the recipient has scrolled the document down and clicked the confirm button. The user can specify what the button should be called.
2.8 Team functionality
Paperfly offers the user the opportunity to work in a team with other users of the same company. All team users can see all requests made by a team member. Every team member has unrestricted access to all functionalities of team requests.
Paperfly offers the user the possibility to save frequently used document requests as a template. The user can also create templates for individual query modules. The following template types can be created: workflow, Quick Form, PDF form, document for information, document for immediate confirmation.
2.10 Two-factor authentication
Paperfly offers the user the option of encrypting a document request using a freely selectable security key. The security key must be communicated to the recipient of the request via a communication channel outside of Paperfly (e.g. by telephone). The recipient of the request can only see the content of the request if he enters the security key he has been given.
Documents that are submitted can – if activated – be parsed by Paperfly through Long Short Term Memory OCR. Only documents in the German language are currently supported. Other languages are available on request. The text extracted from the document is available for the user to export.
2.12 Paperfly Web Portal
The Paperfly WebPortal is a web application that allows the user to use the Paperfly functions directly in the browser. The user must register to use the Paperfly WebPortal. To register, the user must enter the following data: first name, last name, email, password and an invitation code. The user receives the invitation code either from Paperfly when it is set up for the first time, or from his supervisor in the company if the user is added to a team. You can request an invitation code at any time by contacting email@example.com.
3. Paperfly Basic Features
3.1 Basic free features in trial mode:
– Access to the Paperfly web browser portal to manage, search and organize documents and document requests as well as workflow templates.
– Ability to create an unlimited number of templates for custom business cases.
– Up to 10 document requests via email a month
– Analog documents can be scanned and uploaded to cloud storage with a free WPA application on Android or iOS smartphones.
– Import of PDF or image files via browser upload form
– 1 GB free non public storage in a data center located in Germany.
– Documents uploaded to cloud storage are stored with AES-256 encryption
– Documents imported to the DMS can be saved, deleted or shared by the requester at any time.
The General Terms (AV Equinox) and contractual terms for use of software via the Internet (SAAS-Equinox) apply.
3.2 Out-of-the-box workflows, Custom workflows
Besides the available common business cases an unlimited number of templates for custom workflows can be created.
3.3 Cloud Storage, Encryption
All Documents uploaded to cloud storage are stored with server-side AES-256 encryption.
Paperfly users can download and save single or multiple documents locally at any time.
3.5 Commercial Use
The Paperfly DRMS is targeted at business customers, government authorities and enterprises worldwide. It is permitted and encouraged to use a trial account in a productive environment (see also 1. GENERAL).
4. Paid Subscriptions
A paid subscription supplements the free functionality of the Paperfly DRMS. The total number of possible requests per month is not limited in the paid subscription.
5. Supported file types and file sizes
The paperfly portal currently supports the following file types:
Files which exceed 50MB (Megabytes) are not supported below an enterprise service level.
6. System Requirements
In order to send document requests or access documents within the paperfly portal the user is required to enter his/her valid credentials which are verified with the paperfly portal application.
The Equinox GmbH shall not be responsible for the provision of internet access or computer hardware (like desktop computers or mobile devices) or software (like web browsers) required to run the paperfly services.
7. Web Applications
The web applications Paperfly portal and the Paperfly scan client are generally compatible with the latest version of the web browsers Chrome, Mozilla Firefox, Opera and Safari. You can find the most up to date browser compatibility list here.
8. Mobile Device Applications
The Equinox GmbH provides customers a mobile web application for recent Android and iOS devices. You can find the most up to date mobile device operating system compatibility list here.
Besides uploading from the file system with a web form, the mobile device’s camera (if available) can be used to scan a document and upload it to the Paperfly portal.
Any questions, problems and wishes can be directed to firstname.lastname@example.org.
The general terms and conditions of Equinox GmbH (AV Equinox) and the contractual terms for the use of software over the Internet (SAAS-Equinox) apply.
This is a courtesy translation and in the event there are any differences between the German and English texts, the German text governs.
Münster, 1 March 2019
We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Equinox FinTech Solutions GmbH.
This data protection declaration specifies how Equinox FinTech Solutions GmbH collects and uses personal data from customers and other persons who use our websites, including paperfly.io and equinox-fintech.de, our mobile applications, our Paperfly web app or platforms in which our Paperfly Portal application is embedded, and/or who access or use other websites, products or services of ours that are linked to this data protection declaration. By using our services, you understand that we collect and use your personal data as described in this data protection declaration.
The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to the Equinox FinTech Solutions GmbH. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
As the controller, the Equinox FinTech Solutions GmbH has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed via this website, our mobile applications, our Paperfly web app or platforms on which our Paperfly Portal application is embedded. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.
The data protection declaration of the Equinox FinTech Solutions GmbH is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.
In this data protection declaration, we use, inter alia, the following terms:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
c) Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
j) Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and Address of the controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
Equinox FinTech Solutions GmbH
Phone: +49 251 322009 10
3. Name and Address of the Data Protection Officer
The Data Protection Officer of the controller is:
Dr. Sebastian Kraska
IITR Datenschutz GmbH
Phone: +49 89 18917360
Any data subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.
4. Collection of general data and information
The website of the Equinox FinTech Solutions GmbH collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
When using these general data and information, the Equinox FinTech Solutions GmbH does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, the Equinox FinTech Solutions GmbH analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
5. Registration on our website
The data subject has the possibility to register on the website of the controller with the indication of personal data. Which personal data are transmitted to the controller is determined by the respective input mask used for the registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller, and for his own purposes. The controller may request transfer to one or more processors (e.g. a parcel service) that also uses personal data for an internal purpose which is attributable to the controller.
By registering on the website of the controller, the IP address—assigned by the Internet service provider (ISP) and used by the data subject—date, and time of the registration are also stored. The storage of this data takes place against the background that this is the only way to prevent the misuse of our services, and, if necessary, to make it possible to investigate committed offenses. Insofar, the storage of this data is necessary to secure the controller. This data is not passed on to third parties unless there is a statutory obligation to pass on the data, or if the transfer serves the aim of criminal prosecution.
The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject contents or services that may only be offered to registered users due to the nature of the matter in question. Registered persons are free to change the personal data specified during the registration at any time, or to have them completely deleted from the data stock of the controller.
The data controller shall, at any time, provide information upon request to each data subject as to what personal data are stored about the data subject. In addition, the data controller shall correct or erase personal data at the request or indication of the data subject, insofar as there are no statutory storage obligations. The entirety of the controller’s employees are available to the data subject in this respect as contact persons.
6. Contact possibility via the website
The website of the Equinox FinTech Solutions GmbH contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties.
7. Routine erasure and blocking of personal data
The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject.
If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
8. Rights of the data subject
a) Right of confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.
b) Right of access
Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.
c) Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.
d) Right to erasure (Right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
The personal data have been unlawfully processed.
The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the Equinox FinTech Solutions GmbH, he or she may, at any time, contact any employee of the controller. An employee of Equinox FinTech Solutions GmbH shall promptly ensure that the erasure request is complied with immediately.
Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. An employee of the Equinox FinTech Solutions GmbH will arrange the necessary measures in individual cases.
e) Right of restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by the Equinox FinTech Solutions GmbH, he or she may at any time contact any employee of the controller. The employee of the Equinox FinTech Solutions GmbH will arrange the restriction of the processing.
f) Right to data portability
Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
In order to assert the right to data portability, the data subject may at any time contact any employee of the Equinox FinTech Solutions GmbH.
g) Right to object
Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.
The Equinox FinTech Solutions GmbH shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If the Equinox FinTech Solutions GmbH processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the Equinox FinTech Solutions GmbH to the processing for direct marketing purposes, the Equinox FinTech Solutions GmbH will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the Equinox FinTech Solutions GmbH for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject may contact any employee of the Equinox FinTech Solutions GmbH. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject’s explicit consent, the Equinox FinTech Solutions GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.
If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of the Equinox FinTech Solutions GmbH.
i) Right to withdraw data protection consent
Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of the Equinox FinTech Solutions GmbH.
9. Data protection for applications and the application procedures
The data controller shall collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail or by means of a web form on the website to the controller. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the application documents shall be automatically erased two months after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure. Other legitimate interest in this relation is, e.g. a burden of proof in a procedure under the General Equal Treatment Act (AGG).
10. Data protection provisions about the application and use of Google Analytics (with anonymization function)
On this website, the controller has integrated the component of Google Analytics (with the anonymizer function). Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and in order to carry out a cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
For the web analytics through Google Analytics the controller uses the application “_gat._anonymizeIp”. By means of this application the IP address of the Internet connection of the data subject is abridged by Google and anonymised when accessing our websites from a Member State of the European Union or another Contracting State to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site for us.
Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyze the use of our website. With each call-up to one of the individual pages of this Internet site, which is operated by the controller and into which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for the purpose of online advertising and the settlement of commissions to Google. During the course of this technical procedure, the enterprise Google gains knowledge of personal information, such as the IP address of the data subject, which serves Google, inter alia, to understand the origin of visitors and clicks, and subsequently create commission settlements.
The cookie is used to store personal information, such as the access time, the location from which the access was made, and the frequency of visits of our website by the data subject. With each visit to our Internet site, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.
11. Data protection provisions about the application and use of Google-AdWords
On this website, the controller has integrated Google AdWords. Google AdWords is a service for Internet advertising that allows the advertiser to place ads in Google search engine results and the Google advertising network. Google AdWords allows an advertiser to pre-define specific keywords with the help of which an ad is displayed in Google’s search results only when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google Advertising Network, the ads are distributed on relevant web pages using an automatic algorithm, taking into account the previously defined keywords.
The operating company of Google AdWords is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES.
The purpose of Google AdWords is the promotion of our website by the inclusion of relevant advertising on the websites of third parties and in the search engine results of the search engine Google and an insertion of third-party advertising on our website.
If a data subject reaches our website via a Google ad, a conversion cookie is filed on the information technology system of the data subject through Google. The definition of cookies is explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. If the cookie has not expired, the conversion cookie is used to check whether certain sub-pages, e.g., the shopping cart from an online shop system, were called up on our website. Through the conversion cookie, both Google and the controller can understand whether a person who reached an AdWords ad on our website generated sales, that is, executed or canceled a sale of goods.
The data and information collected through the use of the conversion cookie is used by Google to create visit statistics for our website. These visit statistics are used in order to determine the total number of users who have been served through AdWords ads to ascertain the success or failure of each AdWords ad and to optimize our AdWords ads in the future. Neither our company nor other Google AdWords advertisers receive information from Google that could identify the data subject.
The conversion cookie stores personal information, e.g. the Internet pages visited by the data subject. Each time we visit our Internet pages, personal data, including the IP address of the Internet access used by the data subject, is transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, at any time, prevent the setting of cookies by our website, as stated above, by means of a corresponding setting of the Internet browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie set by Google AdWords may be deleted at any time via the Internet browser or other software programs.
The data subject has a possibility of objecting to the interest based advertisement of Google. Therefore, the data subject must access from each of the browsers in use the link www.google.de/settings/ads and set the desired settings.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/.
12. Data protection provisions about the application and use of Twitter
On this website, the controller has integrated components of Twitter. Twitter is a multilingual, publicly-accessible microblogging service on which users may publish and spread so-called ‘tweets,’ e.g. short messages, which are limited to 280 characters. These short messages are available for everyone, including those who are not logged on to Twitter. The tweets are also displayed to so-called followers of the respective user. Followers are other Twitter users who follow a user’s tweets. Furthermore, Twitter allows you to address a wide audience via hashtags, links or retweets.
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, UNITED STATES.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a Twitter component (Twitter button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding Twitter component of Twitter. Further information about the Twitter buttons is available under https://about.twitter.com/de/resources/buttons. During the course of this technical procedure, Twitter gains knowledge of what specific sub-page of our website was visited by the data subject. The purpose of the integration of the Twitter component is a retransmission of the contents of this website to allow our users to introduce this web page to the digital world and increase our visitor numbers.
If the data subject is logged in at the same time on Twitter, Twitter detects with every call-up to our website by the data subject and for the entire duration of their stay on our Internet site which specific sub-page of our Internet page was visited by the data subject. This information is collected through the Twitter component and associated with the respective Twitter account of the data subject. If the data subject clicks on one of the Twitter buttons integrated on our website, then Twitter assigns this information to the personal Twitter user account of the data subject and stores the personal data.
Twitter receives information via the Twitter component that the data subject has visited our website, provided that the data subject is logged in on Twitter at the time of the call-up to our website. This occurs regardless of whether the person clicks on the Twitter component or not. If such a transmission of information to Twitter is not desirable for the data subject, then he or she may prevent this by logging off from their Twitter account before a call-up to our website is made.
The applicable data protection provisions of Twitter may be accessed under https://twitter.com/privacy?lang=en.
13. Data protection regulations for the application and use of Paperfly for Microsoft Teams
Microsoft Teams (MS Teams for short, or just Teams) is a platform that combines chat, meetings, notes and attachments. The service is integrated in the Office 365 Office suite with Microsoft Office and Skype / Skype for Business.
Microsoft Teams is operated by Microsoft Corporation, Redmond, WA 98052-6399.
By using Paperfly in the Microsoft Teams context, data for usage statistics may be generated automatically. This data is under the sovereignty of Microsoft and can be called up in the Microsoft Teams Admin Center under Analytics & Reports. Microsoft’s current data protection regulations can be found at https://privacy.microsoft.com/de-de/privacystatement.
14. Legal basis for the processing
Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR.
Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
15. The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.
16. Period for which the personal data will be stored
The criterion used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
17. Provision of personal data as statutory or contractual requirement
Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data
We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner).
Sometimes, in order to conclude a contract, it may be necessary for the data subject to provide us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded.
Before personal data is provided by the data subject, the data subject must contact any employee. The employee clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of non-provision of the personal data.
18. Existence of automated decision-making
As a responsible company, we do not use automatic decision-making or profiling.
Münster, 1 May 2019