Data protection

Status: January 31, 2024

We (hereinafter referred to as "3flows", "we") take data protection very seriously. As the data controller under applicable data protection laws, we take all measures required by applicable data protection law to ensure the protection of your personal data. For any questions regarding data processing at 3flows and the exercise of your rights, you can also contact us free of charge at privacy@3flows.com.

APPLICATION AREA OF THE PRIVACY POLICY

According to the legislator, the processing of personal data includes activities such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing through transmission, dissemination or other forms of provision, aligning or combining, restricting, deleting or destroying personal data.

Personal data is any information relating to an identified or identifiable natural person.

This privacy policy concerns the personal data of customers, potential customers, applicants, or visitors.

This privacy policy applies to our website www.3flows.com as well as to the following websites:

• www.3flows.de

• www.3flows.ai

• www.3flows.dev

WHAT PERSONAL DATA DO WE PROCESS?

Your personal data will be collected by us when you contact us, for example, as a potential customer or client. This may happen when you express interest in our products, register for our online services, reach out to us via our communication channels, or when you use our products or services in the context of existing business relationships.

The following types of personal data are processed by us:

• Identification information such as first and last name, address data, email address, telephone number, fax number

• Order data such as customer number, order number, billing data

• Company-related data such as company name, department, activity

• Data regarding your online behavior, such as IP addresses, usernames, data on your visits to our website, actions taken on our websites and in customer portals, access location

• Information on your interests and wishes that you communicate to us, for example via our contact form or other communication channels

• Information regarding your professional career, e.g., vocational training, previous employers, other qualifications as well as further information comparable to these data categories.

SENSITIVE DATA

Sensitive data, meaning special categories of personal data such as health information, political opinions, religious or trade union membership, are not collected in this way.

USE OF COOKIES

The websites partially use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our services more user-friendly, effective, and secure. Cookies are small text files that are placed on your computer and stored by your browser.

The majority of the cookies we use are called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit.

You can configure your browser to be informed about the setting of cookies and to allow cookies only on a case-by-case basis, to exclude the acceptance of cookies in specific cases or generally, and to activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

You can find out more about cookies at allaboutcookies.org

If you have consented, your visit to this website will be recorded by Google Analytics.

FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA – AND ON THE BASIS OF WHICH LEGAL BASIS?

CONTRACT FULFILLMENT

We process your data to fulfill our contracts. This also applies to information you provide to us during pre-contractual correspondence. The specific purposes of data processing depend on the respective product and the application made, and the data can also be used to analyze your needs and check which products and services are suitable for you.

CONDUCTING THE CONTRACTUAL RELATIONSHIP

We process the data you have sent us in the context of your application to check whether your professional qualifications are suitable for the advertised position. We use your information solely for the application process and transfer it to your personnel file upon contract conclusion. If no agreement is reached, your information will be deleted or destroyed. We will not use your applicant information for any purposes other than carrying out the application process.

NEWSLETTER

For newsletter management and distribution, we use the service of Mailchimp.

Only after successfully completing a double opt-in procedure will you receive our newsletter. You have the right at any time to view your consent declaration or unsubscribe from the newsletter. Corresponding links are included in each issue of the newsletter. In the event of unsubscribing from our newsletter, we will immediately delete your contact information from our newsletter distribution list.

To ensure the effectiveness of an electronic consent, as is used for signing up for the newsletter, the legislator imposes certain requirements. This includes the logging of your consent declaration. We therefore log the date and time of the consent, the text of the consent declaration, whether the checkbox was selected, your email address, as well as all other voluntary information. We also log the date and time of the click on the confirmation link and the link in the confirmation email. We collect these details solely to comply with legal obligations.

SECURITY

We use your personal data, among other things, in the following cases:

• To protect you or your company from fraudulent activities, we analyze your data. This may occur, for example, if you have become a victim of identity theft or if unauthorized persons have gained access to your user account in another way;

• To improve the reliability of our web applications, our IT support closely collaborates with you in the event of technical problems. In this context, we also evaluate logs of page accesses, actions taken, etc.;

• To ensure IT security;

• To document and prove facts in the case of potential legal disputes.

BASED ON YOUR CONSENT

If you have consented to the processing of your personal data for one or more specific purposes, the processing of your data by us is permitted. You can revoke this consent at any time in the future without incurring costs other than the transfer costs at the basic rates (costs of your internet connection). The revocation of consent does not affect the lawfulness of the processing carried out until the revocation.

BASED ON LEGAL REQUIREMENTS OR IN THE PUBLIC INTEREST

As a company, we are subject to various legal requirements (for example, from tax legislation). To comply with our legal obligations, we process your personal data to the necessary extent.

WHERE WE TRANSMIT DATA AND WHY

DATA USE WITHIN

Within credeo, those departments that need access to your personal data to fulfill our contractual or legal obligations, or to protect our legitimate interests, gain access.

DATA USE OUTSIDE

We respect the protection of your personal data and only pass on information about you if legal provisions require it, you have consented, or to fulfill contractual obligations.

In the case of the following recipients, a legal obligation to disclose your personal data may apply:

• Public authorities or supervisory authorities, e.g., tax authorities, customs authorities;

• Judicial and law enforcement authorities, e.g., police, courts, public prosecutors;

• Lawyers or notaries, e.g., in legal disputes;

• Auditors.

In order to fulfill our contractual obligations, we cooperate with other companies. These include:

• Transport service providers and forwarding agents;

• Banks and financial service providers for settling all financial transactions.

• In-house service providers

In order to efficiently manage our operations, we rely on the services of external service providers, who may receive personal data from you to fulfill the described purposes, including IT service providers, print and telecommunications service providers, collection, consulting, or sales companies.

To ensure that the same data protection standards as in our company are maintained with the service providers, we have concluded appropriate contracts for data processing. These contracts regulate, among other things:

• that third parties only have access to the data that they need to complete the tasks assigned to them;

• that only employees at the service providers who have specifically committed to comply with data protection regulations have access to your data;

• that technical and organizational measures are taken by the service providers to ensure data security and data protection;

• what happens to the data when the business relationship between the service provider and us ends.

For service providers located outside the European Economic Area (EEA), we take special security measures (e.g., by using special contractual clauses) to ensure that the data is treated with the same care as in the EEA. We regularly review all our service providers for compliance with our requirements.

GOOGLE ANALYTICS

Google Analytics uses so-called "cookies." These are text files that are stored on your computer and allow the analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.

If IP anonymization is activated on this website, however, your IP address will first be truncated by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activities, and provide further services related to website use and internet use to the website operator. The IP address transmitted by your browser within the framework of Google Analytics will not be merged with other data from Google.

You can prevent the storage of cookies by adjusting your browser software accordingly; however, we point out that in this case, you may not be able to use all features of this website in full. Furthermore, you can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address), as well as from processing this data, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de

Further information on terms of use and data protection can be found under the Google Analytics conditions or the Google Analytics overview.

CLOUD

Our website and our internal systems are operated by the following services:

• Framer.com for our internet presence

• Google GSuite for email and calendar

• Apple Cloud for contacts and synchronization of iPhones

• Slack and Teams for video conferences

• GitHub for SCM

• bitrise.io for software distribution of app test versions

• Figma.com for distributing design proposals

• Dropbox as a central data storage

• Atlassian as an issue tracking system

According to their own statements, all cloud services used are GDPR compliant.

ARE YOU OBLIGATED TO PROVIDE PERSONAL DATA TO US?

In the context of the business relationship between you and us, we require the following categories of personal data from you:

• all necessary data for establishing and conducting a business relationship;

• data that are needed to fulfill contractual obligations;

• data that we are legally obligated to collect.

Without this data, it is not possible for us to enter into or carry out contracts with you.

RETENTION PERIODS

According to applicable data protection regulations, we do not store your personal data longer than we need them for the purposes of the respective processing. If the data is no longer needed to fulfill contractual or legal obligations, it will be deleted by us regularly, unless its temporary retention is still necessary. The following reasons may apply for further storage:

Commercial or tax retention obligations must be complied with: The retention periods are primarily subject to the regulations of the Commercial Code and the Tax Code, lasting up to 10 years.

To preserve evidence in the event of legal disputes within the framework of legal limitation periods: Limitation periods in civil law can last up to 30 years, while the regular limitation period is three years.

YOUR RIGHTS

In the context of the processing of your personal data, you also have certain rights. More details can be found in the relevant provisions of the General Data Protection Regulation (Articles 15 to 21).

RIGHT TO ACCESS AND RECTIFICATION

You have the right to obtain information from us about which of your personal data we process. If this information is incorrect, you can request that we correct the data or complete it in case of incomplete information. If we have shared your data with third parties, we will notify the respective third parties where legally required.

RIGHT TO DELETION

You may request the immediate deletion of your personal data under the following circumstances:

• If your personal data is no longer necessary for the purposes for which it was collected;

• If you have revoked your consent, and there are no other legal grounds for processing the data;

• If you object to the processing and there are no overriding legitimate grounds for processing;

• If your data has been processed unlawfully;

• If your personal data must be deleted to comply with legal obligations.

Please note that we must check before deleting your data whether there are legitimate grounds for processing your personal data.

RIGHT TO RESTRICT PROCESSING (“RIGHT TO BLOCK”)

You may request the restriction of processing your personal data for one of the following reasons:

• If you dispute the accuracy of the data, until we have had the opportunity to verify the accuracy of the data;

• If the data is unlawfully processed, but you request the restriction of the use of personal data rather than deletion;

• If we no longer need the personal data for the purposes of processing, but you still need it for the establishment, exercise or defense of legal claims;

• If you have objected to the processing, and it is not yet clear whether your legitimate interests outweigh our interests.

RIGHT TO OBJECT

If the processing is carried out in the public interest or based on a balancing of interests, you have the right to object to the processing for reasons relating to your particular situation.

If an objection is made, we will not further process your personal data unless we can demonstrate compelling legitimate grounds for the processing of your data that outweigh your interests, rights, and freedoms, or because your personal data serves the assertion, exercise, or defense of legal claims. The objection does not affect the lawfulness of the processing carried out up to the objection.

In cases where your personal data is used for advertising purposes, you can object to this form of processing at any time. We will then no longer process your personal data for these purposes.

The objection can be made informally and should be addressed to:

3flows GmbH

Echternacher Str. 23

50933 Cologne

Email: privacy@3flows.com

RIGHT TO ACCESS

You have the right to receive the personal data you have provided for processing upon request in a portable and machine-readable format.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (ART. 77 GDPR)

We always strive to process your requests and claims as quickly as possible to protect your rights accordingly. Depending on the frequency of requests, it may take up to 30 days before we can further inform you about your concern. If it takes longer, we will promptly notify you of the reasons for the delay and discuss further procedures with you.

In some cases, we may not be able to provide you with information. Where legally permissible, we will inform you of the reason for denying the information.

If you are not satisfied with our responses and reactions or believe that we are violating applicable data protection law, you are free to lodge a complaint with both our data protection officer and the competent supervisory authority. The supervisory authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information

North Rhine-Westphalia

P.O. Box 20 04 44

40102 Düsseldorf

Tel.: 0211/38424–0

Fax: 0211/38424–10

E-Mail: poststelle@ldi.nrw.de

© 2025

All rights reserved

Mailing address:

3flows GmbH

Echternacher Str. 23

50933 Cologne

Hub • Cologne • 🇩🇪

3flows GmbH

Butzweilerallee 3

50829 Cologne

Hub • Austin • 🇺🇸

3flows US LLC

8000 Centre Park Drive Suite 130

Austin, TX 78754

Email info(at)3flows.com

Phone +49 (0) 221 677887910

Fax +49 (0) 221 677887919

District Court of Cologne (HRB 114346)

Managing Director: Kristijan Cvetkovic

Tax Number: 223/5804/9936

VAT ID No.: DE362955775
