Privacy Policy

Version: 3.0 / Stand: September 2020

In this privacy policy, we (Lano Software GmbH) would like to tell you how we process your personal data when you use our website and platform.

Personal data is information relating to an identified or identifiable person. This primarily includes all information that enables conclusions to be drawn regarding your identity, e.g. your name, your telephone number, your address or your email address. Statistical data that we collect, for example, when you visit the platform and that cannot be associated with you, is not considered personal data.

You can print or save this privacy policy by using the customary functions of your browser. You may also download and archive this privacy policy as a PDF file by clicking here.

This privacy policy tells you about how data is processed both on this website and on our platform.

1   Contacts

Your contact and the Controller responsible for the processing of your personal data when you visit our website and platform within the meaning of the EU General Data Protection Regulation (GDPR) is

Lano Software GmbH
Rosenthaler Straße 13
10119 Berlin
Germany

Telephone: +49 30 5683 9697
Email: support@lano.io

You may also contact our data protection officer at any time should you have questions about data protection in connection with our services or the use of our website. They can be contacted via the above postal address and at the email address (keyword: “FAO data protection officer”).

2   Website visitors, companies and contractors

This privacy policy is divided up into three main sections. First, we set out how data is processed on our website www.lano.io. This section is aimed at persons who visit our website but do not set up an account on our platform. The second main section describes data processing from a company perspective and is aimed at persons in a company who manage contractors on our platform. The third main section sets out data processing principles from the perspective of contractors or service providers, agencies, freelancers. These are persons who offer their services to companies. In the following, the term contractor is uniformly used here.

3   Joint controllers

Our platform helps companies to manage their contractors. Wherever contractors’ personal data is processed in the context of a cooperation arrangement, we and the respective company usually determine the purposes and means of processing jointly. In accordance with Article 26 of the GDPR, this means that we and the respective company are jointly responsible for the personal data of the contractors. Our information obligations to them are fulfilled with this privacy policy. You may exercise your rights as a contractor against both, us and the company contracting you.

4   Data processing on our website

4.1 Accessing our website/access data

Every time you use our website, we collect access data automatically transmitted by your browser in order to enable your visit to the website. Access data includes the following in particular:

  • IP address of the requesting device
  • Date and time of request
  • Address of accessed website and requesting website
  • Information on the browser and operating system used
  • Online identifiers (e.g. device IDs, session IDs)

This access data must be processed in order to enable you to visit the website and ensure the uninterrupted functionality and security of our systems. The legal basis is Article 6(1)(1)(b) of the GDPR. For data protection reasons, log files are not permanently stored or analysed by us.

4.2 Getting in touch

There are various ways you can get in touch with us. This includes the chat function, requesting a demo date or creating a ticket for contractors in our help centre. In this context, we process your data only for the purpose of communicating and scheduling online appointments with you. The legal basis is Article 6(1)(b) of the GDPR.

The data collected by us for the purpose of getting in touch is automatically erased once your request has been completely processed, unless we still need your request to fulfil contractual or statutory obligations (see “Storage period”).

4.3 Registering as a Lano partner

You have the opportunity to register for our affiliate or expert program in order to recommend us further and benefit from it yourself. The data you are obliged to provide is marked as mandatory fields. Without this data, registration is not possible. The legal basis for the processing is Article 6(1)(b) of the GDPR.

4.4 Newsletter

You have the opportunity to subscribe to our newsletter, in which we provide you with regular information about innovations to our products and campaigns.

Subscribing to our newsletters utilises the double opt-in procedure, i.e. we will only send you newsletters by email if you confirm, by clicking on a link in our notification email, that you are the owner of the specified email address. If you confirm your email address, we will store your email address, the time of sign-up, and the IP address used during the sign-up process until such time as you unsubscribe from the newsletters. The sole purpose of this storage is to send you the newsletters and be able to prove that you signed up to receive them. You can unsubscribe from the newsletter at any time. Each newsletter contains an unsubscribe link. Alternatively, you can of course also simply send a message using the contact details given above or in the newsletter (e.g. by email or letter). The legal basis for this processing is your consent as per Article 6(1)(a) of the GDPR.

In our newsletters we use commercially available technologies to measure interactions with the newsletters (e.g. opening of the email, clicked links). We use this data in pseudonymous form for general statistical evaluations as well as for the optimising and further development of our content and customer communication. This is done with the help of small graphical elements embedded in our newsletters (pixels). The data is collected on a pseudonymised basis only and is not associated with any of your other personal data. The legal basis for this is our above-mentioned legitimate interest as per Article 6(1)(1)(f) of the GDPR. We want to use our newsletter to share content of maximum relevance to our customers and to better understand what readers are actually interested in. If you do not want us to analyse your usage patterns, you can unsubscribe from the newsletter or generally deactivate graphics in your email client. Data relating to interaction with our newsletters is stored in pseudonymised form for 30 days and then fully anonymised.

4.4.1 SendGrid

We use SendGrid, an email delivery platform provided by Twillio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA, for sending out our newsletters. SendGrid has access to your name and email address. For further information, please see SendGrid’s privacy policy at https://sendgrid.com/policies/privacy/. We have concluded an EU standard contract with SendGrid to ensure that your data is handled securely. The legal basis for the use of SendGrid is Article 6(1)(f) of the GDPR, justified by our interest in an uncomplicated process for sending you a newsletter.

5   Use of cookies and similar technologies

This website uses cookies and similar technologies (together “tools”) provided either by ourselves or by third parties.

A cookie is a small text file stored by the browser on your device. Cookies are not used to run programs or transmit viruses to your computer. Most browsers are configured to accept cookies by default. You can, however, adjust your browser settings to reject cookies or only store them after you have provided your consent. Some of our services may fail to function properly if you reject cookies. Similar technologies particularly include fingerprints, web beacons, tags, and pixels.

The tools we use are listed below, sorted by category. We particularly want to inform you about the providers of the tools, the duration for which cookies are stored, and how and when we disclose your data to third parties. We also explain the cases in which we obtain your voluntary consent to use the tools and how you can withdraw this consent.

5.1 Legal basis and right to withdraw consent

5.1.1 Legal basis

We use tools required to operate our website and others, where explicitly set out, on the basis of our legitimate interest pursuant to Article 6(1)(1)(f) of the GDPR to enable your convenient and personalised use of the website and ensure that use is as time-saving as possible. In some cases, these tools may also be required for the performance of a contract or for steps required prior to entering into a contract, in which case processing is carried out pursuant to Article 6(1)(1)(b) of the GDPR.

All other tools, in particular those for marketing purposes, are used on the basis of your consent pursuant to Article 6(1)(1)(a) of the GDPR as well as section 15 (3) (1) of the German Telemedia Act (TMG) , provided that user profiles have been created for the purpose of marketing or market research. We will only process your data using these tools if you have provided your consent for us to do so.

5.1.2 Obtaining your consent

To obtain and manage your consents, we use the Cookiebot tool from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter referred to as “Cookiebot”). This tool can be used to consent to all, individual or no data processing by means of cookies.

When you visit our website, Cookiebot will receive your consents or withdrawals of consent, your IP address and information about your browser, your device and the time of your visit. Cookiebot also uses a required cookie to store your consents and withdrawals of consent. If you erase your cookies, we will request your consent again the next time you visit the website.

This data processing is required for the purpose of providing you with the cookie management solution required by law and to comply with our documentation obligations. The legal basis for the use of Cookiebot is Article 6(1)(f) of the GDPR, justified by our interest in fulfilling the legal requirements for cookie consent management.

5.1.3 Withdrawing your consent or changing your selections

You have the right to withdraw your consent to the use of certain tools at any time. To do so, click on the following link Link. You can then change the selection of tools to whose use you wish to consent. Alternatively, you may exercise your right to withdraw your consent directly with the provider.

5.1.4 Required tools

We use certain tools to enable the basic functions of our website (“necessary tools”). We cannot provide our service without the use of these tools. Required tools are therefore used without consent on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR, or for the performance of a contract or for steps required prior to entering into a contract pursuant to Article 6(1)(b) of the GDPR.

5.2.1 First-party cookies

We use first-party cookies, in particular

  • for login authentication
  • for load balancing
  • to record that an item of information on our website has been displayed to you – so that it is not shown again the next time you visit the website

5.2.2 Google Tag Manager

Our website uses Google Tag Manager, a service offered to users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

Tag Manager is used to manage tracking tools and other services, so-called website tags. A tag is an element stored in the source code of our website for the purpose of recording predefined usage data, for example. Google Tag Manager does not use cookies. Google Tag Manager ensures that the usage data required by our partners is forwarded to them.

Google Tag Manager sets the following cookies for technical debugging purposes: “gtm”; “gtm_auth”; “gtm_debug”; “gtm_preview”; “gtm_mt”.

We have concluded a processing contract with Google. Some data is processed on a Google server in the USA. In the event that personal data is transferred to the USA, we have concluded standard contractual clauses with Google pursuant to Article 46(2)(c) of the GDPR.

The legal basis is Article 6(1)(1)(f) of the GDPR, based on our legitimate interest in integrating and managing multiple tags on our website in an uncomplicated manner.

Further information can be found in the Google Tag Manager overview.

5.3 Functional tools

We also use tools to improve the user experience on our website and to offer you more features (“functional tools”). While these are not strictly necessary for the basic functionality of the website, they may bring significant benefits to users, in particular with respect to user-friendliness and the provision of additional communication and display channels.

5.3.1 Intercom

We use the support tool Intercom from Intercom, Inc. (INTERCOM, INC., 55 2nd St, 4th Fl., San Francisco, CA 94105, USA) for the product tour and the help centre. It is a communications platform for direct interaction between website visitors and Lano using a chat function. Should any questions arise, we can provide you with timely assistance using this communication option. If you have registered, certain personal data shall be collected and forwarded at regular intervals. Your information (browser type/version, operating system used, time of the server specification, first name, surname, telephone number, email address, company name) is collected in this context during registration on the portal and transmitted securely to Intercom via SSL encryption.

Lano also uses Intercom to analyse and evaluate website usage (e.g. usage data) in order to provide individual support in the use of the website and to optimise the website in terms of user-friendliness.

The data recorded in this context may be transmitted to an Intercom server in the USA for evaluation and storage there.

The legal basis is Article 6(1)(b) of the GDPR, insofar as the data is required to answer your enquiry within the initiation or implementation of a contract, and otherwise Article 6(1)(f) of the GDPR, whereby our legitimate interest is the maintenance of the communication with (potential) customers and the positive external effect through the rapid availability of our employees.

More information on the Intercom privacy policy can be found at the following link https://www.intercom.com/legal/privacy.

5.3.2 Calendly

For online demo appointments, we use Calendly, a cloud service provided by Calendly LLC, 1315 Peachtree St NE, Atlanta, GA 30309, USA, that makes it possible to find and schedule available online appointments. To make an appointment, you must provide your first name and surname, email address, telephone number, company name and an available date. Calendly uses cookies to book meetings. Once a meeting is booked, an invited person in the EU can disable cookies by deleting cookies in their Internet browser. Cookies are required to authenticate Calendly users.

We have agreed EU standard contractual clauses with Calendly to guarantee that your data is treated in accordance with European standards. The legal basis for the use of Calendly is your consent as per Article 6(1)(a) of the GDPR.

5.3.3 Freshdesk

Our helpdesk software, which is primarily aimed at ticketing for contractors, is provided for us by Freshdesk, SaaS of Freshworks GmbH, Neue Grünstraße 17, 10179 Berlin, Germany. To generate a ticket, we need your email address, your name and the description of the problem you have. We have a processing contract with Freshworks to ensure that the data submitted to Freshworks in this context is secure. The legal basis is Article 6(1)(b) of the GDPR, insofar as the data is required to answer your enquiry within the initiation or implementation of a contract, and otherwise Article 6(1)(f) of the GDPR, whereby our legitimate interest is the maintenance of the communication with (potential) customers and the positive external effect through the rapid availability of our employees.

5.4 Analytical tools

In order to improve our website, we use tools for statistical collection and analysis of general usage behaviour based on access data (“analytical tools”). We also use analytics services to evaluate the use of our various marketing channels.

5.4.1 Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The contact provided by Google for all queries relating to data protection is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and similar technologies to analyse and improve our website based on your usage patterns. Google will process the information obtained in order to evaluate your use of the website, to compile reports on the website activities for the website operators, and to provide further services associated with the use of the website and the internet.

We have made the following privacy settings in Google Analytics:

  • IP anonymisation (truncation of IP address prior to evaluation, preventing any conclusions to be drawn regarding your identity)
  • Automatic erasure of old logs/limitation of storage duration
  • Advertising features enabled (including GA Audiences remarketing groups)
  • Personalised advertising disabled
  • Measurement protocol disabled
  • Cross-website tracking disabled (Google Signals)
  • Data sharing with other Google products and services disabled

Google Analytics processes the following data:

  • Anonymised IP address
  • Referrer URL (previously visited website)
  • Pages accessed (date, time, URL, title, length of visit)
  • Downloaded files
  • Clicked links to other websites
  • As applicable, attainment of specific targets (conversions)
  • Technical information: operating system; browser type, version, and language; device type, make, model, and resolution;
  • Approximate location (country and possibly town, based on anonymised IP address)

Google Analytics sets the following cookies for the stated purpose and storage durations:

  • “_ga” for 2 years and “_gid” for 24 hours (to distinguish unique website visitors by a user ID)
  • “_gat” for 1 minute (to throttle requests to Google servers)
  • As applicable, “IDE” for 13 months (third-party cookie to distinguish unique website visitors by a user ID, to measure interactions with advertising, and for displaying personalised advertising)

The data arising in this context may be transmitted by Google to a server in the USA for evaluation and storage there.

We have concluded a processing contract with Google for the use of Google Analytics. To find out more about the risks associated with this, please see section 9 (“Transfer of data to third countries”).

The legal basis is your consent as per Article 6(1)(a) of the GDPR. You may also withdraw your consent. Objection: You can prevent your visit being recorded by using the following opt-out button. This creates a deactivation cookie so that the Google Analytics script is no longer executed. Should no opt-out button be displayed below, it has probably been blocked by an ad blocker or similar technology on your browser – if this is the case, check your browser settings: [Insert opt-out]

Further information on this can be found in Google’s privacy policy.

5.4.2 Hotjar

Our website uses Hotjar, a web analysis service provided by Hotjar Ltd., Elia Zammit Street 3, St Julians STJ 1000, Malta (“Hotjar”).

Hotjar is used to generate so-called heat maps. Heat maps display statistics in graphical form about mouse movements and clicks on our website, allowing us to analyse our website based on your user behaviour. This allows us to identify frequently used functions of our website and to further improve the website. However, your IP address is truncated before the usage statistics are evaluated, so that no conclusions can be drawn regarding your identity. In addition to mouse movements and clicks, information about the operating system, browser, incoming and outgoing links, geographical origin, and the resolution and type of the device used are evaluated for statistical purposes. This information is pseudonymous and will not be passed on to third parties by us or Hotjar. Data which you enter in form fields on our website will be hidden and not collected by Hotjar.

The legal basis is your consent pursuant to Article 6(1)(a) of the GDPR. You may withdraw your consent at any time.

More information on this can also be found in the Hotjar privacy policy.

5.4.3 LinkedIn Analytics

We also use “LinkedIn Analytics”, a service provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as: “LinkedIn”). LinkedIn Analytics stores and processes information about your user behaviour on our website. Among other things, LinkedIn Analytics uses cookies, i.e. small text files, which are stored locally in the cache of your web browser on your device and which allow your use of our website to be analysed.

We use LinkedIn Analytics for optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience.

You can also prevent LinkedIn from collecting the above information at LinkedIn itself at https://www.linkedin.com/psettings/guest-controls.

The data arising in this context may be transmitted by LinkedIn to a server in the USA for evaluation and storage there. The legal basis is your consent pursuant to Article 6(1)(a) of the GDPR. You may withdraw your consent at any time.

Further information on data privacy at LinkedIn can be found at the following website: https://www.linkedin.com/legal/privacy-policy.

5.5 Marketing tools

We also use tools for marketing purposes (“marketing tools”). Some of the access data resulting from the use of our website is used for interest-based advertising. The analysis and evaluation of this access data enables us to display personalised advertising, i.e. advertising matched to your actual interests and needs, on our website and on the websites of other providers.

The legal basis for the marketing tools is your consent pursuant to Article 6(1)(1)(a) of the GDPR. To withdraw your consent, see 4.1.3: “Withdrawing your consent or changing your selections”. In the event that personal data is transferred to the USA, we will obtain your explicit consent to allow this data transfer via the cookie banner pursuant to Article 49(1)(a) of the GDPR. To find out more about the risks associated with this, please see the section 9 (“Transfer of data to third countries”).

In the following section, we would like to explain these technologies and the providers we use in more detail. Data we collect includes in particular:

  • IP address of the device
  • Cookie ID
  • Mobile device ID (device ID)
  • Referrer URL (previously visited website)
  • Pages accessed (date, time, URL, title, length of visit)
  • Downloaded files
  • Clicked links to other websites
  • As applicable, attainment of specific targets (conversions)
  • Technical information: operating system; browser type, version, and language; device type, make, model, and resolution;
  • Approximate location (country and possibly town)

The data we collect, however, is stored only in pseudonymised form, preventing any direct conclusions relating to your person to be drawn.

5.5.1 Google Marketing Platform and Ad Manager (formerly DoubleClick)

Our website uses the Google Marketing Platform and the Google Ad Manager, services offered to users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

These services use cookies and similar technologies to present advertisements relevant to you. The use of these services enables Google and its partner sites to serve ads based on previous visits to our and other websites on the internet.

The data arising in this context may be transmitted by Google to a server in the USA for evaluation and storage there. In the event that personal data is transferred to the USA, we will obtain your explicit consent to allow this data transfer via the cookie banner pursuant to Article 49(1)(a) of the GDPR. To find out more about the risks, please see section 9 (“Transfer of data to third countries”).

If you do not agree to the use of the Google Marketing Platform and Ad Manager, Google will display only general advertising not selected on the basis of information collected about you on this website.

Further information can be found in Google’s privacy policy.

5.5.2 Marketing Solutions (formerly LinkedIn Ads)

We also use “Marketing Solutions (formerly LinkedIn Ads)”, a service provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as “Marketing Solutions”). We use Marketing Solutions for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. By statistically analysing user behaviour, we can improve our offer and make it more interesting for you as a user. LinkedIn uses cookies and similar technologies to present advertisements relevant to you. The use of these technologies enables LinkedIn and its partner sites to serve ads based on previous visits to our and other websites on the Internet. You can also prevent LinkedIn from collecting the above information at LinkedIn itself at https://www.linkedin.com/psettings/guest-controls.

The data arising in this context may be transmitted by LinkedIn to a server in the USA for evaluation and storage there. In the event that personal data is transferred to the USA, we will obtain your explicit consent to allow this data transfer via the cookie banner pursuant to Article 49(1)(a) of the GDPR. To find out more about the risks, please see section 9 (“Transfer of data to third countries”).

Further information on data privacy at LinkedIn can be found at the following website: https://www.linkedin.com/legal/privacy-policy.

5.5.3 Facebook conversion and retargeting tags

For marketing purposes, our website uses conversion and retargeting tags (also “Facebook pixels”) provided by the social network Facebook, a service offered to users outside the USA and Canada by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and to all other users by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (together “Facebook”).

We use Facebook pixels to analyse the general use of our websites and to track the effectiveness of Facebook advertising (“conversion”). In addition, we use the Facebook pixels to show you individualised advertising messages based on your interest in our products (“retargeting”). Custom audience remarketing is also used. For this, Facebook processes data that the service collects via cookies, web beacons, and similar technologies on our websites.

The data resulting in this context can be transmitted by Facebook to a server in the USA for evaluation and stored there. In the event that personal data is transferred to the USA, we will obtain your explicit consent to allow this data transfer via the cookie banner pursuant to Article 49(1)(a) of the GDPR. To find out more about the risks, please see section 9 (“Transfer of data to third countries”).

If you are a member of Facebook and Facebook has permitted it via your account’s privacy settings, Facebook may also link the information we collect from your visit to us to your member account and use it to target Facebook ads. You can view and change the privacy settings of your Facebook profile at any time.

If you do not agree to the use of Facebook pixels, Facebook will display only general Facebook ads not selected on the basis of information collected about you on this website.

Further information can be found in Facebook’s privacy policy.

6   Data processing on our platform

6.1 Data processing from a company perspective

If you are employed by a company and manage contractors on the platform, both the information provided above and in the following applies to the processing of your data.

6.1.1 Registration

You may sign up for our login area in order to utilise our platform’s full range of functions. The data you are obliged to provide (title, name,  official contact details) is marked as mandatory fields. It is not possible to sign up without providing this data. The legal basis for the processing is Article 6(1)(b) of the GDPR.

6.1.2 Your profile

Within your login area, you may add further personal data to create a full profile. The collected data is used to ensure transparency when placing orders and processing. You can also upload a photograph and adjust your language preferences. The legal basis for the processing is Article 6(1)(b) of the GDPR. The information in your profile can be seen by colleagues in your company and contractors.

6.1.3 Your activities

We store your Lano activities relating to the management of projects and tasks, to the development and organisation of the partner network, and to the approval and payment of invoices. We collect data in order to make our service available to you and support you on any questions you may have. The legal basis for the processing is Article 6(1)(b) of the GDPR.

6.1.4 Analytics

We use your data, in aggregated form, to create reports or benchmarks. This means that we may use your data for security and operational management, statistical analysis, and research and development purposes. These analyses, reports, and benchmarks do not contain any information that can be used to identify you. The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in boosting the attractiveness of our services.

6.1.5 Information by email

The email address you provide during the sign-up process may be used to send you information and updates on the use of our platform. The legal basis is Article 6(1)(b) of the GDPR. The email address will only be used for marketing purposes if we have obtained your consent to this. The legal basis is Article 6(1)(a) of the GDPR.

6.1.6 Recommendations from contractors

Contractors may recommend companies to use our platform as part of our recommendation program. To do this, the contractor sends us an official email address of its corporate customer. The legal basis for the storing of the email address is Article 6(1)(f) of the GDPR, justified by our interest in the growth of our customer base.

6.2 Data processing from the perspective of contractors

If you are a contractor, both the information provided above and in the following applies to the processing of your data.

6.2.1 Registration

You may sign up for our login area in order to utilise our platform’s full range of functions. The data you are obliged to provide (name, email address) is marked as mandatory fields. It is not possible to sign up without providing this data. The legal basis for the processing is Article 6(1)(b) of the GDPR.

6.2.2 Your profile

Within your login area, you may add further personal data to create a full profile. You can enter your date of birth, your contact details, descriptions about yourself and your skills. The collected data is used to ensure transparency when placing orders. You can also upload a photograph and adjust your language preferences. You may also link your social media presences in a designated area. The legal basis for the processing is Article 6(1)(b) of the GDPR. The information in your profile can only be seen by your customers.

6.2.3 Your activities

We store your Lano activities relating to the management of projects and tasks, to the development and organisation of the customer network, and to invoicing. We collect data in order to make our service available to you and support you on any questions you may have. The legal basis for the processing is Article 6(1)(b) of the GDPR.

6.2.4 Network invitation by email

In some cases, your email address is provided to us by the company that wants to invite you to join a project. In this case, we use your email address on the basis of Article 6(1)(f) of the GDPR. We trust that the company has asked you for and obtained your consent in advance. You can object to these emails at any time.

6.2.5 Contracts and documents

Our platform also manages documents that your customer makes available to you. We store the data solely on the basis of Article 6(1)(f) of the GDPR. We have no influence or responsibility regarding the content of the documents. Should you have any queries in this regard, please contact your customer.

6.2.6 Analytics

We use your data, in aggregated form, to create reports or benchmarks. This means that we may use your data for security and operational management, statistical analysis, and research and development purposes. These analyses, reports, and benchmarks do not contain any information that can be used to identify you. The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in boosting the attractiveness of our services.

6.3 Cookies and tools integrated on the platform

6.3.1 Docusign

We use Docusign, software provided by DocuSign Germany GmbH, Neue Rothofstrasse 13-19, 60313 Frankfurt, that allows contracts to be electronically signed, prepared, executed, and managed. Docusign stores all the data you enter in connection with its service, as well as your device’s usage data and transaction-related data. For further information, please see Docusign’s privacy policy at https://www.docusign.de/unternehmen/datenschutz. We have concluded a processing contract with Docusign to ensure that your data is handled securely. The legal basis for the use of Docusign is Article 6(1)(f) of the GDPR, justified by our interest in providing you with an easy-to-use document management system.

6.3.2 Stripe

We use the services of Stripe from Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA (“Stripe”).

Stripe is an external payment service provider used to process payments made to us. We do not retain any personally identifiable data or financial information such as credit card numbers in association with the processing of such payments. Rather, this data (in particular contact and transaction data such as credit card details or bank details) is forwarded directly to Stripe, whose use of your personal data is regulated by its privacy policy.

Stripe collects further data for its own purposes, such as for the prevention of abuse and the further development of its products as well as for marketing purposes. The other data collected via cookies and other technology includes, in particular, communication data (IP address, device identifier, browser version, information on the operating system).

Stripe uses the following cookies for the specified purpose with the respective storage period: “__stripe_mid” for 1 year, “__stripe_sid” for 30 minutes and “m” for 2 years (all fraud prevention and detection).

The legal basis is Art. 6(1)(1)(b) of the GDPR in order to fulfil the payment as part of a contract with you, and otherwise Art. 6(1)(1)(f) of the GDPR, whereby the use of an external payment service provider is based on our legitimate interest in being able to offer you an additional payment option with Stripe.

We have concluded a processing contract with Stripe (https://stripe.com/dpa/legal).

Some of Stripe’s data processing takes place on servers located in the USA.

Further information can be found in Stripe’s privacy policy.

 6.3.3 Currency Cloud

We use Currency Cloud, a software of the provider, The Currency Cloud Ltd., Stewardship Building, 1st Floor, 12 Steward Street, London, England, E1 6FQ as a payment platform that automates the life cycle of payments from receipt of money to currency conversion and payment. Currency Cloud stores all the data associated with the service that is relevant for payment processing. This includes all data required for Know Your Customer (KYC), and Customer Due Dilligence (CDD) checks and other data required to meet legal or regulatory requirements, including Financial Conduct Athority (FCA) requirements. The data is also required to prevent fraud or financial crime.

The legal basis is Article 6(1)(b) GDPR, in order to fulfill the payment under a contract with you, and otherwise Article 6(1)(f) GDPR, whereby the use of an external payment service provider is based on our legitimate interest in being able to offer you a convenient payment option with Currency Cloud.

For further information, please read the Currency Cloud privacy policy https://www.currencycloud.com/legal/privacy/. With Currency Cloud, we have concluded EU standard contractual clauses for some of their services, which guarantee that your data will be treated according to European standards. Otherwise, Currency Cloud acts on its own responsibility for your data.

6.3.4 Payment service provider finAPI

We use finAPI, a service provided by finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany.  In order to be able to offer online banking directly as a software provider, a provider must be in possession of a banking licence from BaFin, the German Federal Financial Supervisory Authority. We therefore carry out online banking using the service provider finAPI. finAPI is a fintech company with a BaFin licence. All transactions using online banking within Lano are handled by finAPI. finAPI is responsible for communication with the bank and then transmits to Lano the account statements or transaction information after the payment (e.g. bank transfer) has been completed. A transaction number (TAN) must be entered during all processes that initiate payments (bank transfers or direct debits). You must type in this number whenever you initiate a transaction. Neither Lano nor finAPI store TANs on any servers – they are used solely to execute the transaction. Lano itself, as well as the interface to finAPI, uses TLS 3.0 and 256-bit encryption. This is the same standard of security used, for example, in normal internet banking. The legal basis is Article 6(1)(b) GDPR, in order to fulfill the payment under a contract with you, and otherwise Article 6(1)(f) GDPR, whereby the use of an external payment service provider is based on our legitimate interest in being able to offer you a convenient payment option.

You can find information on finAPI’s data protection policies at https://www.finapi.io/datenschutz/.

6.3.5 SendGrid

We use Sendgrid, an email delivery platform provided by Twillio Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105, USA, for the targeted delivery of emails to customers. SendGrid has access to your name and email address. For further information, please see SendGrid’s privacy policy at https://sendgrid.com/policies/privacy/. We have concluded a processing contract with SendGrid to ensure that your data is handled securely. The legal basis for the use of SendGrid is Article 6(1)(f) of the GDPR, justified by our interest in providing you with an easy-to-use email delivery system.

6.3.6 YouTube videos

We have integrated videos on our platform from a contractor’s point of view that are stored on YouTube and can be played directly from our platform. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave, CA 94066 San Bruno, USA (“YouTube”), a company owned by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

By visiting the website, YouTube and Google receive the information that you have accessed the corresponding subpage of our website. This is the case regardless of whether or not you are logged in to YouTube or Google. YouTube and Google use this data for the purposes of advertising, market research, and the demand-oriented design of their websites. If you access YouTube on our website while logged in to your YouTube or Google profile, YouTube and Google may also associate this event with your respective profiles. If you do not wish this association, you must log out of Google before visiting our website. The legal basis is Article 6(1)(f) of the GDPR based on our legitimate interest in increasing the user-friendliness of our platform.

More information can also be found in Google’s privacy policy which also applies to YouTube.

6.3.7 Google Maps

Our platform uses the map service Google Maps, a service offered to users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

In order for the geographical knowledge we use to be integrated and displayed in your web browser, your web browser must connect to a Google server, which may also be located in the United States, when visiting the contact page.

By integrating the geographical knowledge, Google receives the information that a page on our platform has been called from the IP address of your device. If you enter an address on our platform with the aid of a map while logged in to your Google profile, Google may also link this event to your Google profile. If you do not wish to be linked with your Google profile, you must log out of Google before visiting our contact page. Google stores your data and uses them for the purposes of advertising, market research and personalised presentation of Google Maps. The legal basis is Article 6(1)(f) of the GDPR based on our legitimate interest in increasing the user-friendliness of our platform.

Further information about this can be found in Google’s privacy policy and the additional terms of use for Google Maps.

6.3.8 Adobe Sign

We use Adobe Sign, software provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland,   which allows you to electronically sign, prepare, execute and manage contracts. Adobe stores all the data you enter in connection with its service, as well as your device’s usage data and transaction-related data. For more information, please see Adobe Sign’s privacy policy www.adobe.com/de/privacy/policy.html. We have concluded EU standard contractual clauses with Adobe Sign to ensure that your data is handled securely. The legal basis for the use of Docusign is Article 6(1)(f) of the GDPR, justified by our interest in providing you with an easy-to-use document management system.

6.3.9 Google Tag Manager

We also make use of Google Tag Manager on our platform. See the details of this in section 5.2.2.

6.3.10 Intercom

We also use Intercom on our platform. See the details of this in section 5.3.1.

6.3.11 Google Analytics

We also make use of Google Analytics on our platform. See the details of this in section 5.4.1. The Google Audiences Remarketing function is not activated on the platform.

6.3.12   Hotjar

We also use Hotjar on our platform. See the details of this in section 5.4.2.

7   Disclosure of data

We will generally only disclose the data we collect if

  • you have given your express consent pursuant to Article 6(1)(1)(a) of the GDPR
  • disclosure pursuant to Article 6(1)(1)(f) of the GDPR is necessary in order to assert, exercise, or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data
  • we are legally obliged to disclose it pursuant to Article 6(1)(1)(c) of the GDPR
  • this is legally permissible and, pursuant to Article 6(1)(1)(b) of the GDPR, is necessary for the processing of contractual relationships with you or for steps prior to entering into a contract carried out at your request

Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include data centres that store our website and databases, IT service providers that maintain our systems, and consulting firms. Should we disclose data to our service providers, they may use the data solely for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us.

In addition, a transfer of your data may occur in connection with official enquiries, court orders, and legal proceedings if they are deemed necessary for legal prosecution or enforcement.

8   Transfer of data to third countries

As explained in this privacy policy, we make use of services offered by providers that may be located in “third countries” (e.g. the USA), i.e. countries that do not have a level of data protection comparable to that in the European Union. Where this is the case and where the European Commission has not adopted an adequacy decision (Article 45 of the GDPR), we have taken precautions to ensure an adequate level of data protection for any transfers of data. These include the European Union’s standard contractual clauses and binding internal data protection regulations.

Where this is not possible, we use as the legal basis for data transfers the derogations set out in Article 49 of the GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract.

If data is to be transferred to a third country and neither an adequacy decision nor other suitable guarantees are available, there exists the possibility and risk that authorities in the third country (e.g. secret services) may obtain access to the transferred data for the purpose of collecting and analysing it, and that your rights as a data subject may not be enforceable. You will be informed of this when your consent is obtained via the cookie banner.

9   Storage duration

In principle, we store personal data for only as long as is necessary to fulfil the contractual or statutory obligations for which we have collected the data. We then delete the data immediately, unless we need the data until the end of the statutory limitation period for purposes of evidence for civil claims or due to statutory retention obligations.

For evidence purposes, we must retain contract data for a further three years beyond the end of the year in which our business relationship with you is terminated. Any claims become statute-barred at the earliest after the statutory period of limitation.

Even after this time, we still need to store some of your data for accounting purposes. We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods they stipulate for the retention of documents range from two to ten years.

10   Your rights

You have a right of access to information about how we process your personal data at any time. We will explain our data processing procedures to you and provide you with a summary of the personal data concerning you that we hold. If data we have stored is incorrect or obsolete, you have the right to have this data rectified. You may also request the erasure of your data. If, in exceptional cases, erasure is not possible due to other legal regulations, the data will be blocked so that it is only available for this legal purpose. You may also restrict processing of your personal data if, for example, you have doubts about the accuracy of this data. Your also have the right to data portability, i.e. on request we will send you a digital copy of the personal data concerning you that you have provided to us.

In order to assert your rights described here, you may contact us at any times using the contact details given above. This also applies should you wish to obtain copies of guarantees to prove an adequate level of data protection.

You have the right to withdraw consent once given to us at any time. As a result, we will not continue to process data based on this consent in the future. Withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data on grounds relating to your particular situation at any time. Should you object to data processing for direct marketing purposes, you have a general right to object, which we shall comply with even if you do not state any reasons for your objection. 

Should you wish to exercise your right to withdraw or object, simply send an informal email to the contact details given above.

Finally, you shall have the right to file a complaint with the data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are staying, working or in the place of the alleged infringement. In Berlin, where Lano Software GmbH is based, the competent supervisory authority is Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Germany.

11   Data security

We apply up-to-date technical measures to ensure data security, in particular to protect your personal data from risks during data transmission and to prevent it from being disclosed to third parties. These measures are updated to comply with the state of the art. In order to protect the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.

12   Amendments to the privacy policy

We may update this privacy policy from time to time, for example when we update our website or when statutory or official requirements change.