Privacy policy – CANDIS Software

1. Basic principles

We are pleased that you use CANDIS. The protection and security of our customers' and users' data are important to us. We have therefore designed our website and our business processes so that as little personal data as possible is collected or processed. The following declaration on data protection explains which information we collect during your visit to our website and which parts of this information may be used in which way. Below you can find detailed information about how we handle your personal data.

CANDIS takes the protection of your personal data very seriously and adheres strictly to the rules of the data protection laws of the Federal Republic of Germany, the Telemedia Act and the data protection regulations of the European Union. CANDIS obliges its employees to comply with the data protection requirements of the GDPR.

The following declaration also provides you with an overview of how CANDIS guarantees this protection and what kind of data is collected for what purpose.

For all questions regarding data protection, please contact the following e-mail address: datenschutz@candis.io

2. Collection of server log data

On our website, we process so-called access data (in particular your IP address) for statistical evaluations for the purpose of operating, securing and technically optimising our website. This enables us to present our website to you more effectively and to identify errors. We collect access data when you call up our website and save it in a log file (so-called log file):

• Name of the web page accessed,

• Date and time of the recall,

• the amount of data transmitted / message about the successful retrieval,

• Browser type and version,

• the operating system,

• Referrer URL,

• requesting provider / your IP address

You are not identifiable to us from this data. Protocol data is regularly deleted promptly, but after 90 days at the latest. The legal basis for this data processing is our legitimate interest in the sense of Art. 6 para. 1 lit. f) GDPR.

3. Processing and use

Unless otherwise expressly stipulated in this data protection regulation –CANDIS collects, processes and uses the personal data exclusively for the purpose of handling the contractual relationship in accordance with Article 6 para. 1 letter b) GDPR and for improving the user experience in accordance with Article 6 para. 1 letter a) GDPR, i.e. for

• Creation of an account

• Verification of the customer's identity

• Handling of the payment

• Suggesting individual suggestions for improvement that are helpful to the customer

• In case of an order to contact suppliers to request digital invoices

• To analyzing the usage of different features inside the app to continue to improve them and to develop new functionalitys

• To analyzing uploaded documents to improve the capture quality and to continuously increase the degree of automation

The service provided by CANDIS itself may require the transmission of further data of third parties (e.g. the Customer's employees) relevant to data protection law. Such personal customer data or data of third parties, which the Customer processes within the framework of the accounting processing by CANDIS in accordance with the contract, will be processed by CANDIS by way of the contractual relationship. With respect to this data, the parties will conclude a contract data processing agreement.

Personal data is transferred to third parties if the data subject has expressly consented in accordance with Art. 6 (1) sentence 1 letter a) GDPR to the transfer of data in accordance with Art. 6 para. 1 sentence 1 letter a) GDPR. c) GDPR, there is a legal obligation to do so and/or this is necessary for the performance of a contractual relationship with the data subject pursuant to Art. 6 para. 1 sentence 1 letter b) GDPR.

4. Use of cookies

We use so-called "cookies" on our website. Cookies are small text files that are used by websites to simplify and accelerate the control of your visit to our website or are necessary to enable you to use and access secure areas of the website.

The website cookies contain personal data about the customer. Cookies save the Website's customers from having to enter data more than once, make it easier to transmit specific content and help CANDIS to identify particularly popular areas of the Website. This enables CANDIS, among other things, to tailor the content of its website precisely to the needs of its customers.

If the use of cookies is deactivated via the browser settings, the range of services can no longer be called up.

Depending on where a cookie comes from, so-called first-party cookies and third-party cookies can be distinguished:

Depending on the validity period, so-called transient and persistent cookies can also be distinguished:

Depending on their nature and purpose, the use of certain cookies may require the user's consent. In this respect, cookies can then be distinguished as to whether the user's consent is mandatory for their use:

Insofar as the user's consent is required, we will only use these cookies if you have given your consent in advance. When you call up our website, we display a so-called "cookie banner" in which you can declare your consent to the use of cookies on the website by clicking a button.

Unconditionally required cookies cannot be deactivated via the cookie banner of this website. However, you can generally manage and deactivate these cookies in your browser at any time.

This site uses different types of cookies:

We process the data collected through the use of these cookies on the basis of Article 6 para. 1 letter a) GDPR.

We process the data collected through the use of these cookies on the basis of Article 6 para. 1 letter a) GDPR.

5. Statistical analysis - Tracking

We use tracking technology on our website to measure and evaluate our website and to optimise our content. To protect our users and partners, we are also able to identify and defend against fraud and security risks. The legal basis for this data processing is the consent you have given us (Art. 6 para. 1 lit. a) GDPR). In some cases, error-free functionality on the website cannot be guaranteed if individual cookies are not accepted. For this purpose we use the following products, which are made available to us via service providers:

5.1 Amplitude

We use "Amplitude", a service of Amplitude Inc, 631 Howard Street, Floor 5, San Francisco, CA 94105, USA (hereinafter referred to as: "Amplitude") on our website. Amplitude stores and processes information about your user behaviour on our website.

We use amplitude for marketing and optimization purposes, in particular to analyse the use of our website and to be able to continuously improve individual functions and offers as well as the user experience. By statistically evaluating user behaviour, we can improve our offer and make it more interesting for you as a user. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR.

We have concluded standard contract clauses with Amplitude in accordance with Art. 46(II)(b). c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may be carried out on the basis of Art. 49 para. I Letter a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities.

Third Party Information: Amplitude Inc, 631 Howard Street, Floor 5, San Francisco, CA 94105, USA. For further information from the Third Party Provider on data protection, please refer to the following website: https://amplitude.com/privacy.

5.2 Sentry

We use "Sentry", a service of Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA (hereinafter referred to as: "Sentry") on our website. Sentry stores and processes information about your user behavior on our website.

We use Sentry for troubleshooting and optimization purposes, including analyzing the use of our web software and continuously improving individual features and offerings and the user experience. By evaluating code errors and monitoring system stability, we can improve our services and make them more error-free for you as a user. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR. Sentry only collects device data, this collection is anonymous and is deleted after use.

We have concluded standard contract clauses with Sentry in accordance with Art. 46 para. II (b). c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may be carried out on the basis of Art. 49 para. I Letter a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities.

Third Party Information: Functional Software, Inc. 132 Hawthorne Street, San Francisco, CA, USA. For more information about the Third Party Provider's privacy practices, please visit the following website: https://sentry.io/privacy/.

5.3 Intercom

We use "Intercom" on our website, a service provided by Intercom, Inc., 55 Second Street, Suite 400, San Francisco, CA 94105, USA (hereinafter referred to as: "Intercom"). Intercom stores and processes information about your user behaviour on our website.

We use intercom for Marketing- and optimization purposes communication purposes to provide you with a live chat function for quick troubleshooting and assistance in particular to analyze the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically evaluating user behaviour we can improve our offer and make it more interesting for you as a user. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR.

We have concluded standard contract clauses with Intercom in accordance with Art. 46(II)(b). c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may be carried out on the basis of Art. 49 para. I Letter a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities.

Third Party Information: Intercom, Inc., 55 Second Street, Suite 400, San Francisco, CA 94105, USA. For more information about the Third Party Provider's privacy practices, please visit the following website: https://www.intercom.com/legal/terms-and-policies.

5.4 Segment

We use "Segment" on our website, a service provided by Segment.io, Inc., 100 California Street, Suite 700, San Francisco, CA 94111, USA (hereinafter referred to as: "Segment"). Segment stores and processes information about your user behaviour on our website.

We use segments for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically evaluating user behaviour, we can improve our offer and make it more interesting for you as a user. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR.

We have concluded standard contractual clauses with segment standard clauses in accordance with Art. 46 (II) lit. c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may take place on the basis of Art. 49 (I) (a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities.

Further information from the third party provider on data protection can be found on the following website: https://segment.com/docs/legal/privacy/

5.5 Looker

We use "Looker" software on our website, a web analytics service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

We use segments for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically evaluating user behaviour, we can improve our offer and make it more interesting for you as a user. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR.

Looker can also transfer data to the USA. With Looker, we have concluded standard contractual clauses according to Art. 46(II)(b). c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may be carried out on the basis of Art. 49, para. I, Letter a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities. For more information on how Pardot handles personal data from the European Union, please refer to the privacy Statement: www.salesforce.com/company/privacy.

For more information about how Looker processes your data, please visit https://looker.com/trust-center/privacy/policy.

5.6 wootric Surveys

On our website we use technologies from "Wootric", a service of Wootric, Inc, 233 Sansome Street, 2nd Floor, San Francisco, USA (hereinafter referred to as: "Wootric").

With the help of Wootric we conduct individual surveys on user behaviour and satisfaction on a voluntary basis. This is done via the Wootric servers. By evaluating the surveys we can improve our offer and fürmake it more interesting for you as a user. This is also our legitimate interest in the processing of the above data by the third party provider. The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a) GDPR.

We have concluded standard contract clauses with Wootric in accordance with Art. 46(II)(b). c) GDPR in order to be able to guarantee the exercise and enforceability of our users' rights and the level of protection of their data. In individual cases, processing may be carried out on the basis of Art. 49, para. I, Letter a) GDPR. We would like to point out that we select our third-party services as carefully as possible, but that due to the current legal situation with service providers in the USA there is a residual risk for evaluation by American authorities.

For more information on data processing by Wootric, please visit: https://www.wootric.com/company/privacy/.

5.7 Google Analytics

We use Google Analytics, web analytics services provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4. Ireland ("Google").

The protection of your data is important to us, which is why we have additionally extended Google Analytics with the configuration parameter "anonymizeIp". Your IP address is only recorded in abbreviated form by the code. We therefore process your personal usage data in Google Analytics anonymously. This means that the user's IP address is shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area.

The IP address transmitted by the user's browser will not be merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offer to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Otherwise, your data will only be processed pseudonymously, as explained in more detail below. It is not possible for us to draw any conclusions about your person. Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, pseudonymous user profiles of the users can be created from the processed data.

The storage of the cookies is based on Art. 6 para. 1 lit. a GDPR. You can revoke your consent under the data protection settings in the user profile.

Google processes the data on our behalf on the basis of an order processing agreement between us and Google. This ensures that the data processing on our behalf is carried out in accordance with the GDPR while guaranteeing the protection of the rights of the data subjects.

For further information on the use of data by Google, setting and objection options, please refer to Google's privacy policy (https://policies.google.com/technologies/ads) as well as the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Further information on the terms of use of Google Analytics and the data protection regulations can be found at: http://www.google.com/analytics/terms/de.html or at https://policies.google.com/?hl=de&gl=de.

6. Newsletter

On our website you can subscribe to our newsletter to receive information. We will only process the voluntary information you provide us with for the purpose of sending you the newsletter. Our legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future.

Salesforce Email Studio

Newsletters are sent via "eMail Studio", a newsletter dispatch platform of the cloud provider Salesforce (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany).

The email addresses of our newsletter recipients, as well as their other data described in this notice, are stored on Salesforce's servers. Salesforce uses this information to send and evaluate the newsletter on our behalf.

In addition, Salesforce may, at its discretion, use this data to optimise or improve its own services, for example, to technically optimise the sending and presentation of newsletters or for statistical purposes to determine the countries from which recipients come. This data is used in pseudonymous form, i.e. without allocation to a user. However, Salesforce does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.

The legal basis for this type of data processing is your consent, Art. 6 para. 1 lit. a GDPR, e.g. when ordering the newsletter or registering on our website. You may object to the sending of newsletters and mailings by HubSpot at any time with effect for the future by clicking on the unsubscribe link in the respective e-mail. If, for example, you unsubscribe to your newsletter, your data will be deleted as far as possible.

Salesforce processes the data on our behalf (Art. 28 GDPR). You can view the data protection regulations of the shipping service provider here: https://www.salesforce.com/de/company/privacy/

7. credit card function

You have the option of using the optional credit card function of CANDIS and Pliant. In the following, we would like to inform you about the processing of your data in case of using the credit card function.

7.1 Basic information

The credit card function is provided by our partner Pliant (infinnity financial technologies GmbH, Oberwallstraße 6 c/o rent24, 10117 Berlin, Germany, hereinafter referred to as "Pliant"). The personal data is transferred to Pliant, which is legally and contractually obliged to adequately protect your personal data. Pliant and CANDIS process the data under a joint responsibility within the meaning of Article 26 of the GDPR and in this regard have established agreements as to which of us fulfills which data protection obligations; we will provide you with the essential content upon request. We transmit credit card and transaction data required to use the credit card functions provided by the partner via its application (e.g. name of the card user, card number, amount, date, time, merchant name) to the respective partner. Further information on the data processed via the partner application can be found in the partner's data protection information. If you have any questions regarding the protection of data subjects' rights, you can contact us (e.g. by e-mail to support@candis.io) as well as the respective partner.

7.2 Collection of personal data

We process the following personal data for the use of the credit card function:

First and last name

Mail address

Telephone number

Credit card number

Booking data (amount, date, time, merchant name)

The personal data is processed for the purposes stated in 7.3. The storage period depends on the legal requirements.

7.3 Processing and use

CANDIS collects, processes and uses the personal data for the processing of the contractual relationship in accordance with Art. 6 Para. 1 Letter b) DSGVO i.e. to

Ordering the credit card from our partner Pliant

to set up and use the credit card function in CANDIS (accounting recording of credit card transactions, and other credit-card functions).

Personal data is transferred to third parties if the data subject has expressly consented to this in accordance with Art. 6 Para. 1 Sentence 1 Letter a) DSGVO, if there is a legal requirement for the data transfer in accordance with Art. 6 Para. 1 Sentence 1 Letter c) DSGVO, or if there is a legal requirement for the data transfer in accordance with Art. 6 Para. 1 Sentence 1 Letter d) DSGVO. c) DSGVO, and/or this is necessary for the performance of a contractual relationship with the data subject pursuant to Art. 6 para. 1 sentence 1 letter b) DSGVO.

In order to set up the credit card, we have to pass this information on to our partner Pliant. The transfer takes place by e-mail via a mailbox set up specifically for this purpose at Pliant. For this reason, you will be asked to explicitly confirm the transfer of data during the registration process. The issuer of the credit card is Transact Payments Malta Limited (“TPML”). You can find their Privacy Policy here: Privacy Policy . The contract for the credit card is between TPML and you.

In addition, we ask for your consent to support the registration process. This consent is important in order to be able to retrieve the required information in case of queries regarding the progress of the registration.

7.4 Recipient

The credit card is provided by our partner Pliant (infinnity financial technologies GmbH, Oberwallstraße 6 c/o rent24,

10117 Berlin, Germany, hereinafter referred to as "Pliant"). The personal data is transmitted to Pliant, which is legally and contractually obliged to adequately protect your personal data.

The database of the credit card function in CANDIS is hosted on the servers of Amazon Web Services EMEA Sàrl, 5 Rue Plaetis, L-2338 Luxembourg (backend). To this extent, the personal data is transferred when used to Amazon Web Services EMEA Sárl as a processor, which is legally and contractually obliged to adequately protect your personal data and to correct or delete it upon our instruction in accordance with the relevant legal and contractual provisions. Amazon Web Services EMEA Sárl third party service providers to provide the services and infrastructure necessary to operate.

8.your data subject rights

With regard to the data processing listed here, you are entitled to various data subject rights which are regulated in the GDPR.

Right to information

First of all, you have the right to obtain information about the data you have provided us with and which we have processed (art. 15 GDPR).

Right of rectification, erasure and limitation

In addition, you can request the correction (Art. 16 GDPR), deletion (Art. 17 GDPR) and restriction (Art. 18 GDPR) of your data.

Right of data transfer and right of objection

They also have a right to data transferability (Art. 20 GDPR) and a right of objection (Art. 21 GDPR).

Right of appeal

Without prejudice to any other administrative or judicial remedy, you also have the right to complain to a data protection authority. You may do so by contacting the data protection authority at your usual place of residence or at our head office. The address of the supervisory authority responsible for us is

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstr. 219

10969 Berlin

Phone: (49) 30 13889-0

e-mail: mailbox@datenschutz-berlin.de

9. Responsible person / data protection officer

If you have any further questions, e.g. about data we have stored about you, please do not hesitate to contact us.

CANDIS GmbH

Friedrichstraße 200

10117 Berlin

Represented by:

Managing Director: Christian Ritosek

Contact us:

Phone: (49) 30 346 556 100

e-mail: info@candis.io

Our data protection officer is Mr Ali Tschakari, LL.M. Bitkom Servicegesellschaft mbH, Albrechtstraße 10, 10117 Berlin. You can contact him directly at the e-mail address datenschutz@bitkom-consult.de or datenschutz@candis.io.

10. Status and update of this data protection declaration

This privacy policy is valid as of 20 September 2022.

CANDIS reserves the right to amend these data protection provisions at any time, taking into account currently applicable data protection regulations. In the event of changes, the Customer will be informed of the changes when registering for the range of services and must agree to the amended data protection provisions in accordance with section 5.1 of these data protection provisions.