Privacy policy

In the following, we inform you in accordance with Art. 13 GDPR about how your personal data is handled when you visit and use this web application. Please note that your data will be processed by two different controllers to the extent described below.

Data processing by Social Impact gGmbH

Joint data processing by Social Impact gGmbH and Innoloft GmbH

Joint controllers

Common point of contact for affected persons

Joint data processing

Your rights

1. Data processing by Social Impact gGmbH

Controller:

Social Impact gGmbH

Schiffbauergasse 7, D-14467 Potsdam

Contact data protection officer:

The data protection officer of Social Impact gGmbH can be reached via e-mail: datenschutz@socialimpact.eu.

IITR Datenschutz GmbH

Dr. Sebastian Kraska Marienplatz 2, D-80331 München

2. Joint data processing by Social Impact gGmbH and Innoloft GmbH

In the course of providing access to the web application at https://si-alliance.eu, Social Impact gGmbH and Innoloft GmbH work closely together. This also applies to the processing of personal data concerning you. The controllers are jointly responsible for the protection of the personal data processed by them to the extent described below (Art. 26 GDPR).

2.1 Joint controllers

Controller 1:

Innoloft GmbH

Jülicher Straße 72a, D-52070 Aachen

www.innoloft.com

Contact Data Protection Officer Controller 1:

PROLIANCE GmbH

www.datenschutzexperte.de

Leopoldstr. 21

80802 Munich

datenschutzbeauftragter@datenschutzexperte.de

When contacting the common point of contact, please state Innoloft GmbH and the company, organization or URL of the web application to which your request relates. Please refrain from enclosing sensitive information, such as a copy of your ID, with your request.

Controller 2:

Social Impact gGmbH

Schiffbauergasse 7, D-14467 Potsdam

Contact Data Protection Officer Controller 2:

The data protection officer of Social Impact gGmbH can be reached via e-mail: datenschutz@socialimpact.eu.

IITR Datenschutz GmbH

Dr. Sebastian Kraska

Marienplatz 2, D-80331 München

2.2 Common point of contact for affected persons

PROLIANCE GmbH

www.datenschutzexperte.de

Leopoldstr. 21

80802 Munich

datenschutzbeauftragter@datenschutzexperte.de

2.3 Joint data processing

Scope and regulation of joint data processing

The two controllers are jointly responsible to a small extent for data processing in connection with your access to the web application and have concluded an agreement on this in accordance with Art. 26 GDPR. What the two controllers have agreed, which data processing is affected by this and which obligations under the GDPR the two controllers assume in each case can be found below.

Why are there two joint controllers?

The web application available at https://si-alliance.eu was provided on the basis of a platform developed by Innoloft GmbH, Innoloft LoftOS. The platform combines the development and hosting of web applications with the functions of a social media platform. One of the main use cases is the creation of communication and information platforms.

One function of LoftOS is the Innoloft Ecosystem. This includes certain networking and communication functions. Users can log in to any application created with LoftOS with the same access data, manage their uniform profile there and communicate across applications with all web application operators and other users.

In order to provide these basic functions of the Innoloft Ecosystem, the user data required for this purpose are processed by Innoloft GmbH (Controller 1) and the operator of the web application Social Impact gGmbH (Controller 2) for a common purpose and in the common interest. In this respect, Innoloft GmbH and Social Impact gGmbH as the operator of the web application are jointly responsible for data processing to the extent described below.

What have those responsible agreed?

Within the scope of their joint controllership under data protection law Social Impact gGmbH and Innoloft GmbH have set out in a written agreement which of them are subject to which data protection obligations and which of them fulfils which obligations. In particular, the controllers have reached an agreement on who is responsible for the exercise of data subjects' rights under Art. 15-22 GDPR and for the fulfillment of information obligations under Art. 12-14 GDPR and in what manner.

For which processing operations is there joint controllership?

In the table below you will find further information on the scope of joint data processing, the categories of data processed, the group of data subjects and the legal basis for data processing.

Description of processing activity: Provision of the Innoloft LoftOS authentication and login system Responsible parties: Controller 1; Controller 2 Processed data categories: User login data (e-mail address, password, IP address, log data) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Enabling users to log in to applications in Innoloft LoftOS. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Provision of the user profile in Innoloft LoftOS Responsible parties: Controller 1; Controller 2 Processed data categories: Information in the user profile (first name, surname, profile picture, job title, company, interests, biography) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Representation of the user as a member of an application in Innoloft LoftOS. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Provision of the interaction, communication and networking functions of the Innoloft Ecosystem for applications of the Controller 2 in the Innoloft LoftOS and the user of these applications Responsible parties: Controller 1; Controller 2 Processed data categories: User data (first name, surname, profile picture) Usage data (IP address, date and time), Status of the user's membership of an application, Data on how the user interacts with the content of the application, Content data (chat, messages) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Enabling the user to network and interact with the application of the person Controller 2 and other applications. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Monitoring system stability and error analysis using Sentry Responsible parties: Controller 1; Controller 2 Processed data categories: User ID, browser information, URL, triggering error code Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Monitoring the stability of the functions of the Innoloft LoftOS, the Innoloft Ecosystem and the applications of the person Controller 2 for the purpose of error analysis and troubleshooting. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

The processed data is stored in Innoloft LoftOS for as long as is necessary for the aforementioned data processing. As a rule, this is as long as the user has access to the web application or as long as their user profile exists.

The following processors are used within the scope of joint controllership.

Service, order processor (name, address, country): Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland Description of the processing activity:Address completion when inserting an address in the organization profile Processed data categories: IP address, Addresse Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Server location: EU Guarantees to ensure an adequate level of protection: Standard data protection clauses (SCC) and supplementary measures, Certification in accordance with the EU-US Data Privacy Framework (Google LLC)

Service, order processor (name, address, country): Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA Description of the processing activity: Monitoring the system stability and functional capability of the applications in Innoloft LoftOS Processed data categories: User ID, browser information, URL, triggering error code Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Server location: Iowa, USA Guarantees to ensure an adequate level of protection: Standard data protection clauses (SCC) and supplementary measures, Certification in accordance with the EU-US Data Privacy Framework (Google LLC)

Service, order processor (name, address, country): PubNub Inc, 50 Francisco Street, Ste 100, San Francisco, CA 94133 USA Description of the processing activity: Messenger system on the platform Processed data categories: IP address, chat messages Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Server location: EU Guarantees to ensure an adequate level of protection: Standard data protection clauses (SCC) and supplementary measures, Certification in accordance with the EU-US Data Privacy Framework

Service, order processor (name, address, country): Sinch AB, Lindhagensgatan 74 Stockholm, 112 18 Sweden Description of the processing activity: Sending system mails regarding authentication and login to the LoftOS system Processed data categories: E-mail address, first name, last name Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Server location: EU Guarantees to ensure an adequate level of protection: Not required as EU company

Service, order processor (name, address, country): DeepL GmbH, Maarweg 165, 50825 Cologne Description of the processing activity: Translation with regard to the information in the user profile Processed data categories: Information in the user profile (biography) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Server location: Finland Guarantees to ensure an adequate level of protection: Not required as EU company

Outside of the processing operations listed above, the (further) processing of personal data is carried out under separate controllership by Controller 2.

Who assumes which obligations under the GDPR and what does this mean for you as a data subject?

As part of their joint controllership under data protection law, Controller 1 and Controller 2 have agreed which of them will fulfill which obligations under the GDPR and have set this out in a written agreement:

Obligations under the GDPR: Art. 5 and 6 GDPR (compliance with data protection principles and existence of a legal basis) Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): Yes

Obligations under the GDPR: Art. 26 para. 1: Transparent definition in an agreement of who fulfills which obligation under this ordinance. The agreement must reflect the respective actual functions and relationships of the jointly responsible parties vis-à-vis the persons concerned. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): Yes

Obligations under the GDPR: Art. 26 para. 1: Information on the contact point for data subjects. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 26 para. 2: The essential content of the agreement shall be made available to the person concerned. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 27: Written designation of an EU representative if a responsible party is not established in the EU. Innoloft GmbH (Controller 1):No Social Impact gGmbH (Contoller 2): Yes

Obligations under the GDPR: Art. 13: Duty to provide information when collecting personal data. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 14: Duty to provide information where personal data has not been collected from the data subject. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 15: Implementation of requests concerning the data subject's right to information. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 16: Implementation of requests concerning the right to rectification. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 17 and 18: Implementation of requests concerning the right to erasure or restriction of processing, including Art. 19, notification of the obligation to erase. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 20: Implementation of requests regarding the right to data portability. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 21: Implementation of requests concerning the right to object. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 24 para. 1 in conjunction with Art. Art. 32: Definition of technical and organizational measures for risk assessment and, if applicable, for data protection impact assessment (Art. 35) and consultation with a supervisory authority/transfer of important information (Art. 36 para. 3). Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 24 para. 1: Documentation of the selection of technical and organizational measures (as proof). Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 24 para. 1: Review and update of technical and organizational measures. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 28 GDPR: Selection and monitoring of processors and conclusion of corresponding contracts Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 30: Keeping a record of processing activities. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): Yes

Obligations under the GDPR: Art. 32: GDPR (data security) Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): No

Obligations under the GDPR: Art. 33, 34: Procedure for reporting personal data breaches to the supervisory authority. Innoloft GmbH (Controller 1):Yes Social Impact gGmbH (Contoller 2): Yes

2.4 Your rights

Below, you will find information on the data subject rights granted to you by the applicable data protection law vis-à-vis the controller with regard to the processing of your personal data: The right to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details. The right to demand the immediate correction of incorrect or incomplete personal data stored by us in accordance with Art. 16 GDPR. The right to request the deletion of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. The right to demand the restriction of the processing of your personal data in accordance with Art. 18 GDPR if you dispute the accuracy of the data, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR. The right, pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller. The right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of the federal state of our registered office stated above or, if applicable, that of your usual place of residence or workplace. The right to withdraw consent granted in accordance with Art. 7 (3) GDPR: You have the right to withdraw your consent to the processing of data at any time with effect for the future. In the event of revocation, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right of objection

If your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that this is done for reasons arising from your particular situation. Insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right to object without the requirement to specify a particular situation.

Irrespective of the above provisions as to which of the two joint controllers is responsible for exercising the rights of data subjects in accordance with Art. 15 to 22 GDPR, you can assert your rights with both controllers or the joint contact point for data subjects using the contact details given above.