Privacy Policy according to the specifications of the GDPR

Privacy Policy for the Energy Management Software for Business Customers

The company GreenPocket GmbH (hereinafter "GreenPocket", for more information please visit www.greenpocket.de), is pleased that you are using our Energy Management Software for Business customers. Data protection and data security are very important to us. Therefore, we would like to inform you about the personal data we collect during your usage to our website and about the intended purposes.

As changes to the law or changes to our corporate processes may require an adaptation of this privacy statement, we ask you to read this privacy policy regularly. The privacy policy can be accessed any time via the link in the footer of the login page and each web page after login, saved and printed out.

§1 Data Controller and Scope

The controller according to the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection acts of the Member States, as well as other data protection regulations, is:

GreenPocket GmbH
Schanzenstrasse 6-20
51063 Cologne
Germany

Phone: +49 (0) 221 355 095-0
E-mail: info@greenpocket.de
Website: www.greenpocket.de

This privacy policy applies to the Energy Management Software for Business Customers (hereinafter referred to as "EMS").

§2 Data Protection Officer

The external Data Protection Officer of GreenPocket can be contacted at:

Mr Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Hohenzollernring 54
D-50672 Cologne
Germany

§3 Principles of Processing Personal Data

Personal data are all information relating to an identified or identifiable natural person. This includes information such as your name, age, address, telephone number, date of birth, e-mail address, IP address or user behaviour. Information that cannot (or only with a disproportionate effort) be referred to your person, e.g. by anonymizing the information, is not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) always requires a legal basis or your consent.

Processed personal data will be deleted as soon as the purpose of the processing has been fulfilled and no legally prescribed retention obligations are to be observed.

In case we process your personal data for the provision of certain offers, please find below information about the specific processes, the scope and purpose of data processing, the legal basis for processing and the respective storage period.

§4 Data Processing

1. Energy Management Software for Business Customers

a. Scope and Purpose of the Processing

When you access and use our EMS, we only collect and use your personal data of our users to the extent to which this is necessary to provide a fully functional EMS and services within the software. To this means we collect functional cookies (session ID of the user) that are technically necessary to show you the EMS and to ensure the stability and security of the software.

b. Legal Basis

Art. 6 para. 1 lit. f GDPR serves as the legal basis for the data processing. The processing of the mentioned data is necessary for the provision of our services and thus serves the protection of a legitimate interest of our company.

c. Data Deletion and Storage Time

The data subject’s personal data are deleted or blocked as soon as the purpose of the storage is fulfilled. The collection of data for the provision of the software and the storage of data in log files is absolutely necessary for the operation of the software. Consequently, there is no possibility of objection for the user. Further storage may take place in individual cases if this is required by law.

§5 Registration / Customer Account

a. Scope and Purpose of the Processing

An administrator of your company created your user account with some personal data (see below), which is necessary for the execution of contractual measures between your company and GreenPocket. In order for you to use the EMS you need a user account. For this we need your e-mail address to

• send you an e-mail with your user name and a link for the setting of your password; you may receive this e-mail at a later stage if you use the function “Forgot password”
• send you an e-mail with a link to set your password if you want to change the password
• send an e-mail to your old e-mail address and another one to your new address when you want to change your address, to make sure that the change is really initiated by you
• send you an alert message via e-mail, e.g., when a consumption value is larger than a threshold you specified beforehand
• send you regularly an individual energy report that you defined beforehand. These reports may also be send to other users via e-mail addresses that you enter within the EMS. These other addresses are solely used for sending these energy reports. There will be no disclosure to a third party.

On each page within the EMS you see a feedback window. By using this you can send feature wishes or other comments to your company and to the product management of GreenPocket, so that bugs or necessary features can be developed quickly. Within this mail, your e-mail address, which is used throughout the EMS, is shown for possible further enquiries.

When you use a demo access to the EMS, then GreenPocket opened your user account so that you can try all the features and functions of the EMS. For this we use your e-mail address exactly as written above.

For a user account we use the following personal data:

• First and last name
• E-mail address
• User name
• Password
• Viewing rights for all or parts of a company hierarchy
• Functional roles, e.g. that you are allowed to see and use alerts or individual reports

When you use the portal you can define certain settings that are saved as well:

• Alerts: Alert rules for a location are visible for all users that have viewing rights to this location. For each rule it is shown who was the last user that changed the rule. (Directly after initially defining the rule it is thus shown which user defined it.) When you defined a role and another user changed it, then her or his user name is shown and not yours any more.
• Favourites: You can save analyses that you are using very often to later retrieve them more quickly. Only you can see these favourites.
• Personal settings: You can save the time period and the data of the dashboard and also which page is shown first after login. Only you can see settings.
• Administration area: In several edit windows you can see which user made the last change:
• Upload and import of master data, e.g., CSV-files with location information
• User overview: last change of user data
• Meter readings: last addition of meter readings
• Client overview in the multi-tenant area: last change of client data or functions

The legal basis for the processing of this data is article 6 paragraph 1 lit. b GDPR, as the processing is necessary for the execution of pre-contractual measures.

b. Legal Basis

Personal data (cf. § 4 2. a.) are processed in accordance with article 6 (1) lit. b GDPR for the performance of a contract between you and GreenPocket.

In case of a demo access to the EMS, the personal data (cf. § 4 2. a.) are processed in accordance with article 6 (1) lit. b GDPR for the implementation of pre-contractual measures.

c. Storage Time

As soon as the processed data are no longer necessary for the execution of the contract, they will be deleted. It may be necessary to store your personal data in order to comply with contractual or legal obligations even after the contract has been fulfilled. Further storage may be necessary in individual cases if this is required by law.

With a demo access to the EMS, the data processed for the user account and during your visits will be deleted as soon as the account is deleted. Further storage can be carried out in individual cases if this is required by law.

d. Cancellation

You have the possibility to cancel the registration and to change your personal data any time. To do this, please contact an administrator at your company that is responsible for the administration of users.

When you want to end a demo user account for the EMS for business customers, please contact your key account at GreenPocket or send an e-mail to info@greenpocket.de

However, if the processed data are necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as this does not conflict with contractual or statutory obligations.

§6 Third Party Transfers

We only share your personal information with third parties if:

• you have given your express consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR,
• it is legally permissible and necessary for the fulfilment of a contractual relationship with you pursuant to Art. 6 (1) sentence 1 lit. b GDPR,
• there is a legal obligation to pass on the data in accordance with Art. 6 (1) sentence 1 lit. c GDPR,
• the disclosure pursuant to Art. 6 (1) sentence 1 lit. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.

§7 Cookies

a. Scope and Purpose of Processing

We use cookies in our EMS. Cookies are small files which are sent by us to the browser of your terminal device and stored there as part of your visit to our software. Some functions of our EMS cannot be offered without the use of technically necessary cookies. Other cookies allow us to perform various analyses. Cookies are, for example, able to recognize the browser you are using when you visit our EMS again and to transmit various information to us. We can use cookies to make our software more user-friendly and effective, for example, by tracking your use of our EMS and by determining your preferred features or settings). In case third parties use cookies to process information, they will collect the information directly from your browser. Cookies do not cause any damage to your device. They cannot run programs or contain viruses.

Our EMS uses required cookies, which are necessary for the functionality of the software, as well as tracking cookies (see below).

Required cookies are required for technical reasons so that you can visit our EMS and use the functions we offer. In addition, these cookies contribute to the safe and correct use of the EMS:

• Session-IDs for authentication and Restart token: are saved as long as you are visiting the login page; are necessary for the verification if a login is allowed (authentication process) and for safety reasons
• Cookie disclaimer: records if you saw and accepted the cookie disclaimer layer or if you just closed it; is used to decide if you will see the cookie disclaimer at your next visit.
• Session-ID: is saved as long as you are using the software (after login); necessary for the functionality of the software. With session-IDs we can bundle different requests of your browser to one single session and we can recognize your terminal device at later visits of the EMS.

b. Legal Basis

Due to the described purposes of use (cf. § 6. a.), the legal basis for the processing of personal data using cookies lies in Art. 6 para. 1 lit. f GDPR. If you have given us your consent to the use of cookies on the basis of a reference ("cookie disclaimer") given by us in the EMS, the lawfulness of the use is additionally governed by Art. 6 para. 1 s. 1 a GDPR.

c. Storage Time

As soon as the data transmitted by the cookies is no longer necessary for the purposes described above, this information will be deleted. Further storage may take place in individual cases if this is required by law.

d. Browser Settings

Most browsers are already set to accept cookies by default. However, you can change your browser settings so that it only accepts certain cookies or no cookies at all. However, we would like to point out that you may no longer be able to use all the functions of our EMS if cookies are disabled by your browser settings in our EMS.

You can also use your browser settings to delete cookies already stored in your browser. Furthermore, it is possible to set your browser so that it informs you before cookies are stored. Since the different browsers may differ in their respective functions, we ask you to use the respective help menu of your browser for the setting options.

If you would like a comprehensive overview of all third-party access to your Internet browser, we recommend that you install specially developed plug-ins.

§7 Tools for Tracking and Analysis

We use tracking and analysis tools to ensure continuous optimization and user-oriented design of our EMS. With the help of tracking measures it is also possible for us to statistically record the use of our EMS by visitors and to further develop our online offer for you with the help of the knowledge gained.

On the basis of these interests, the use of the tracking and analysis tools described below is justified in accordance with Art. 6 para. 1 s. 1 lit. f GDPR. The following description of the tracking and analysis tools also shows the respective processing purposes and the processed data.

1. Matomo (formally known as Piwik)

The EMS for Business Customers uses Matomo, an open source software for statistical analysis of visitor access. Matomo uses cookies for this purpose. The information generated by these cookies about your use of our EMS is transmitted to our server and combined there into a pseudonymised user profile. This enables us to evaluate the use of our EMS and to design the EMS according to your needs. This information is not forwarded to third parties. The IP address is not associated with any other of your personal data. An allocation of your IP address is prevented by anonymization using IP masking. Matomo is configured on our EMS in such a way that a "Do-Not-Track" setting in your browser is observed.

Matomo collects the following data which tell us which functions are more used than others:

• country, federal state, city
• time stamp of the page impression
• the browser used, incl browser version, browser langauage and the plugins installed
• the operating system of the user
• the screen resolution of the user
• the anonymised IP address of the user
• time stamp of the last visit
• time stamp of the first visit
• a randomly generated unique user ID
• generation time of the visited page
• the number of actions per visit
• the page title of the visited page
• the URL of the visited page
• the length of stay per visit
• the functions and features that were used during the visit

Based on this data GreenPocket calculates statistics about the user behaviour, e.g., overviews about the used terminal devices and browsers or about the actions per visit, e.g. if data were exported or meter readings were entered. Matomo in itself is very transparent about which data are collected. You can read for yourself, which data are collected on the website https://matomo.org/faq/general/faq_18254/.

You can generally prevent cookies from being saved by setting your browser accordingly. However, we would like to point out that in this case you may not be able to use all functions of this EMS to their full extent.

If you do not agree with the storage and evaluation, you can object to it at the bottom of this page. As a result, an opt-out cookie is stored in your browser, which means that Matomo does not collect any session data.

§8 Hyperlinks

Our EMS contains hyperlinks to websites of other providers. When you activate these hyperlinks, you will be directed directly to the other providers' website. You will recognize this when the URL is changed. Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

§9 Your Rights as a Data Subject

If your personal data are processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and the following rights apply to you:

• Pursuant to Art. 15 GDPR you can request information about your personal data processed by us.
• In particular, you may obtain information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the right to lodge a complaint with a supervisory authority, the origin of your data, if not collected from us, about transfer to third countries or international organisations, and the existence of automated decision-making, including profiling and, where applicable, meaningful information about the logic involved.
• Pursuant to Art. 16 GDPR you can immediately demand the correction of incorrect data or the completion of your personal data stored with us.
• Pursuant to Art. 17 GDPR, you may request the deletion of your personal data stored by us, provided that the processing is not necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
• Pursuant to Art. 18 GDPR, you can request the restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful, if we no longer need the data and if you refuse their deletion because you need to establish, exercise or defend legal claims. You are also entitled to the right under Art. 18 GDPR if you have objected to the processing in accordance with Art. 21 GDPR.
• Pursuant to Art. 20 GDPR, you may request that the personal data you have provided us with be received in a structured, current and machine-readable format or you may request that it be transmitted to another person responsible.
• Pursuant to Art. 7 para. 3 GDPR you can withdraw your consent at any time. As a consequence, we are no longer allowed to continue the data processing based on this consent for the future.
• Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority. You can contact the supervisory authority of your habitual residence, place of work or our company headquarters.

§10 Right to Object

In case the processing of your personal data is based on legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR insofar as there are reasons which arise from your particular situation or if the objection refers to direct marketing. In the case of direct marketing, you have a general right to objection which will be considered without mentioning any particular situation.

§11 Data Security and Security Measures

We are committed to protecting your privacy and treating your personal information confidentially. In order to avoid any manipulation, loss or misuse of your data stored by us, we take extensive technical and organisational security measures that are regularly reviewed and adapted to technological progress. This includes, among other things, the use of recognized encryption methods (SSL or TLS).

However, we would like to point out that due to the structure of the internet, it is possible that the rules of data protection and the above mentioned security measures may not be observed by other persons or institutions for which we are not responsible.

In particular, unencrypted data - e.g. if this is done by e-mail - can be read by third parties. We have no technical influence on this. It is the responsibility of the user to protect the data provided by him against misuse by encryption or in any other way.

Back to homepage