Data protection for Senfcall
We have launched "Senfcall" to offer you a data-minimising and secure alternative to well-known conference systems. Security, integrity and privacy are the basis of our work. Our aim is therefore not only to comply with legal requirements such as the General Data Protection Regulation (GDPR) but also to achieve the maximum technically possible data minimisation in the necessary processing of personal data (in short: "data"). According to the GDPR, any automatic procedure and any automatically executed process in connection with personal data is to be regarded as "processing" of data. It is therefore not possible to do without data processing entirely, as this includes the storage of log data as well as the (temporary) processing of video and audio data (stream). Personal data is only processed by us within the scope of absolute necessity, for the provision of our services and for troubleshooting. In addition, we want to create the greatest possible transparency about the data processed by us, among other things with the following data protection declaration.
Attention: The English version of our data protection declaration is for information purposes only. Only the German version is legally binding.
Data protection declaration
- Information about us as responsible persons
- Rights of the users and affected persons
- Information on data processing
- Summary: What data do we process and why?
- Data transmission
- Log data
- Cookies
- Contract processing
- Contact requests / Contact possibility
- Video and audio data
- Customer account / registration function
- Forwarding of data
- Statistics
- Server locations and server providers
Information about us as responsible persons
Senfcall is a project of students from Darmstadt and Karlsruhe under the auspices of Computerwerk Darmstadt e.V.
Responsible provider of this website and the services offered here in the legal sense:
Computerwerk Darmstadt e.V.
Karolinenplatz 5
64289 Darmstadt
Germany
E-mail: datenschutz@senfcall.de (PGP-Key)
Attention unencrypted e-mails may be read by third parties. We strongly recommend the use of encrypted mail communication.
Responsible for data protection at the provider is:
Stephan Voeth (reachable via the above mentioned mail address)
Rights of the users and affected persons
You have some rights which you can assert by law alone. These are unfortunately a bit dry to read, but an important achievement in the fight for the sovereignty of your data and firmly established by the GDPR.
You have the right
- to obtain confirmation as to whether or not data concerning your person are being processed, information on the data processed, further information on data processing and copies of such data (see also article 15 GDPR);
- to the correction or completion of incorrect or incomplete data from you (see also article 16 GDPR);
- to the immediate deletion of data relating to you (see also Article 17 GDPR), or, if further processing is necessary in accordance with Article 17 Paragraph 3 GDPR, to restriction of processing in accordance with Article 18 GDPR;
- to receive the data concerning you and provided by you and to transmit this data to other providers/responsible persons (see also article 20 GDPR);
- upon complaint to the supervisory authority, if you believe that the data concerning you is or has been processed by us in violation of data protection regulations (see also Article 77 GDPR). The responsible body in this case is the [Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hessian Commissioner for Data Protection and Freedom of Information)](https://datenschutz.hessen.de/) ([Complaint form](https://datenschutz.hessen.de/service/beschwerde))
In addition, we are obliged to inform all recipients to whom data has been disclosed by us about any correction or deletion of data or the restriction of processing that is carried out on the basis of Articles 16, 17 paragraph 1, 18 GDPR. However, this obligation does not apply if such notification is impossible or involves disproportionate effort. Notwithstanding this, every user has a right to information about these recipients. Likewise, you as a user as well as all persons concerned have the right to object to the future processing of your data in accordance with article 21 GDPR, provided that the data is processed by us in accordance with article 6 paragraph 1 letter f) GDPR. To exercise your rights, we recommend that you contact us by PGP-encrypted e-mail to the e-mail address indicated in section "Information about us as responsible persons".
Information on data processing
Your data processed when using our offer will be deleted or blocked as soon as the purpose of the storage is no longer applicable, the deletion of the data does not conflict with any legal storage obligations, and no other information on individual processing methods is provided in the following.
Short summary: What data do we process and why?
| Data type | What exactly is this data? | Use of the data (reason for use) |
|---|---|---|
| Log and system data |
These can be, for example:
|
This data is partly transmitted automatically by your browser, your device or your internet provider (IP address) or is generated by our systems (e.g. conference names and number of participants). We use this data exclusively to operate and improve our services. In the case of IP addresses, this is done, for example, in order to be able to identify a problem in the event of error messages or, in the case of the number of conference participants, in order to be able to use our servers at an even load. |
| Data transmission of the web conference system |
These can be, for example:
|
This is data that may be generated when using our web conferencing system and is then transferred via our servers. For the respective data use, the corresponding service must of course be used. If a webcam or microphone is not used, e.g. to passively participate in a conference or web seminar, no audio or video recordings of you will be processed (but metadata will still be generated). All data provided will be stored temporarily by us exclusively for the purpose of the conference and will be deleted at the latest at the end of the conference. Attention: All these data can also be accessed by the other participants during the conference or are actively sent to them (e.g. audio and video stream). When using the phone dial-in function, the last four digits of your phone number are used as the display name and therefore visible to all web users participating in the conference! |
| Transfer to third party providers |
These can be, for example:
|
In order to use the phone dial-up service we offer, we use a third party provider who serves as a link between the phone network and our servers. By calling the provided phone number, this third party will know the phone number of the caller. In addition, the audio stream to and from the phone is handled by the third party provider. You can find more details about third party providers and data transfer under the point "Data transfer". |
| Cookies |
These can be, for example:
|
These cookies are necessary for the operation of the service. Instead of saving your name or other data in plain text, we give your browser a session cookie. This contains, in simple terms, a password which enables us to clearly assign you to your conference room or your user account, for example. The GDPR cookie helps us ensure that we have informed you of this privacy policy. This cookie is only set if you expressly confirm that you have taken note of this declaration. You can find more details about cookies under the point "Cookies". |
Data transmission and data security
Data to and from our servers is transmitted exclusively via secure, encrypted channels. For this we use so-called transport encryption. This means that the data is only available unencrypted on the end devices and on our server and cannot be used by third parties who intercept the encrypted data, e.g. on the road. Unfortunately, it is not yet possible to offer end-to-end encryption with the system we use.
Log Data
For technical reasons, data is transmitted to us by the browser. This data is partly stored in log files to enable us to troubleshoot problems and is therefore necessary to guarantee a safe and stable offer. We reduce the logging to the necessary minimum, so that less data than those listed here can be collected. This data may include:
- type and version of your Internet browser
- the operating system
- the website from which you have switched to our website (referrer URL)
- a list of the website(s) you visit with us (exact address)
- date and time of the respective access
- the IP address of the Internet connection from which the use of our offer takes place
- the room name of the videoconference you attended
- phone number (in case of phone dial-up)
- metadata of the video conference system (start and end of conferences, number of participants)
These data collected in this way are only temporarily stored by us. However, they will not be combined with other personal data or assigned to other personal data.
The storage is based on Article 6 para. 1 letter f) GDPR. The legitimate interest required by GDPR is the improvement, stability, functionality and security of our offer (especially troubleshooting).
Your data will be deleted after seven days at the latest, provided that no further storage is necessary for troubleshooting. Otherwise, the data is completely or partially exempt from deletion until the final processing of an incident, but only for the maximum period permitted by law.
Cookies
- Cookies
To enable the use of our offer we use cookies. These are files that are stored and saved on your end device by the browser you use. Through these cookies, certain information on the use of our services is stored to an individual extent and read out by the server when you call up the web pages. The data stored in the cookies include, for example, the session ID (in the session cookie) in order to be able to assign you correctly, documentation of your agreement to this data protection declaration and other data necessary for the use of the services.
The legal basis for this processing is article 6 paragraph 1 letter b.) GDPR, as these cookies process data for the purpose of contract management, i.e. for the provision of our services. - Third-party cookies
We do not use third party cookies.
However, in the case of the integration of external videos by users in the conference system, third-party cookies may be retrieved by the browser. Unfortunately, we have no influence on this. - Disposal possibility
You can prevent or limit the storage of cookies by adjusting your browser settings. You can also delete stored cookies at any time. However, the steps necessary for this depend on the browser you are using. Please refer to the help function or documentation of your browser or contact the developer.
Should you prevent or restrict the installation of cookies, this can lead to the fact that the functions of our offer are completely or partially no longer usable.
Contract processing
The data transmitted by you for the use of our service offer are processed by us for the purpose of contract implementation and are required in this respect. Conclusion and processing of the contract are not possible without the provision of your data.
The legal basis for the processing is article 6 paragraph 1 letter b) GDPR.
We delete the data with complete contract processing, but must observe the tax and commercial law retention periods.
Contact request / contact possibility
If you contact us via contact form or e-mail, the data you provide will be used to process your request. The information you provide is necessary to process and answer your request. Without the provision of this information, we will not be able to answer your request, or at best only to a limited extent.
The legal basis for this processing is article 6 paragraph 1 letter b) GDPR.
Your data will be deleted if the inquiry has been answered conclusively and the deletion does not conflict with any legal storage obligations, such as in the event of a possible subsequent contract execution or for evidence purposes, if you send us nasty e-mails or inform us about crimes on our system. We hope, however, that neither of the latter two scenarios will occur.
Web conference system
For the transmission of video and audio signals within the web conference, the open source software BigBlueButton™, as well as some additional in-house developments or enhancements are used. On the basis of WebRTC, data or media streams are transmitted.
These data can be among others:
- audio and video data (image of the user (your video image), voice and spoken and shown content, desktop content/screen sharing)
- the settings you choose (audio or video usage, display name/username)
- chat contributions
- shared files/presentations
- voting results
- last four digits of your phone number (if you dial in by phone)
As the operator, we do not store any of the above-mentioned data about you beyond the duration of the web conference without your consent, unless you have explicitly agreed to this. Beyond the log files mentioned in point 3.2, nothing will be saved or recorded by us without your explicit consent.
The legal basis for this processing is article 6 paragraph 1 lit. a) and b) GDPR.
Customer account / registration function
If you create a customer account with us via our website, we will collect and store the data you enter during registration (e.g. name or e-mail address) exclusively for pre-contractual and contractual services and to improve the usability of our offer (e.g. an overview of the conference rooms you have created on our server). At the same time we save the date and time of your registration. This data will not be passed on to third parties.
If you consent to this processing within the registration process, article 6 paragraph 1 letter a) GDPR is the legal basis for the processing.
If the registration also serves the purpose of pre-contractual measures, the legal basis for this processing is also Article 6 paragraph 1 letter b) GDPR.
You can revoke your consent to the storage of your data at any time with effect for the future (in accordance with article 7 paragraph 3 GDPR).
All you have to do is inform us of your revocation. Please also refer to the section "Rights of the users and affected persons" and the recommended ways to contact us. In the event of your revocation, the data collected will be deleted as soon as processing is no longer necessary. In doing so, we may have to observe storage periods in accordance with tax and commercial law.
Forwarding of data
We will not transfer your personal data to third parties for purposes other than those listed below.
We only share your personal information with third parties if
- you have given your express consent in accordance with article 6 paragraph 1 sentence 1 lit. a GDPR,
- this is legally permitted and according to article 6 paragraph 1 sentence 1 lit.b GDPR for the processing of contractual relationships with you is absolutely necessary, such as in the case of the use of our phone dial-up via our partner easybell.de,
- there is a legal obligation for the transfer according to article 6 paragraph 1 sentence 1 lit.c GDPR,
- the disclosure according to Article 6 Paragraph 1 S.1 lit.f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
At present, we only transfer data automatically in the event of a phone dial-in by one of the participants. In this case, the phone number of the participants will be processed by our partner. Furthermore, the audio stream of the web conference is streamed via the servers of easybell.de.
Any further automated transfer of data to third parties does not take place. A manual transmission only takes place for the reasons stated above.
Statistics
For the monitoring of our servers and to report about their utilization, we collect statistics about the use of the servers, as well as the server utilization. These statistics do not contain any personal data, however, personal data is automatically evaluated for the usage statistics (e.g. the number of users in a room is counted).
The backend BigBlueButton we use uses a API (programming interface) which allows us to collect these statistics. For example, we can determine which conference rooms are open on a server and which users are in these rooms. In the feedback to the software, the names of the conference rooms, the display names of the users and their characteristics (role, type of use (audio only, with microphone, webcam use) and a few other metadata) are given.
The software only counts rooms and users and publishes these results, together with further information, in the statistics.
Only this evaluation, without personal data, is stored beyond the short processing time and partly also published.
Server sites and server providers
Our server locations are exclusively within Germany and are therefore subject to European and German (data protection) laws. The provider of the servers is currently [Hetzner Online GmbH](https://hetzner.de). The server provider has no access to the data on the server operated by us and therefore no access to personal data of our users.
Attention: The English version of our data protection declaration is for information purposes only. Only the German version is legally binding.