Privacy Policy

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

When processing your data, we sometimes use external service providers. As a matter of principle, your data is only passed on to third parties if there is a legal basis for this in accordance with Art. 6 GDPR. If we commission third parties to process your personal data, this is done wherever possible on the basis of a so-called "data processing agreement" in accordance with Art. 28 GDPR.

2.1. When visiting our website

Our website https://valeford.de/ is hosted by HOSTINGER operations, UAB, Švitrigailos Str. 34, Vilnius 03230 Lithuania. You can find more information on data protection at HOSTINGER operations in their privacy policy. A data processing agreement has been concluded with HOSTINGER operations in accordance with Article 28 GDPR. When you visit our website, your web browser automatically sends information to our website server. This information is stored in so-called log files by our server provider for a short period of time. This includes, for example:

• The IP address of your computer,
• Date and time when the access occurred,
• Website from which access is made (referrer URL),
• Name of the requested file,
• Amount of data transferred,
• Browser type and version,
• The operating system of your computer.

The information in the log files is regularly and automatically deleted by the hosting provider. The short-term processing of the above-mentioned data is necessary for the secure and trouble-free operation of our websites and thus serves our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.

2.2. Use of Cookies

Our website and applications also use cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user calls up a website, a cookie can be stored on the user's operating system. There are so-called "session cookies", which are only stored during your current browser session and are automatically deleted when you close your browser. These are required, among other things, to maintain a log-in status when changing the subpages of our homepage. There are also so-called "persistent" cookies, which are stored on your end device for a longer period of time and allow us to recognize your browser on your next visit to our website, for example, to remember settings you have selected.

We use cookies to make our website and applications more user-friendly and thus have a legitimate interest in storing your personal data in the cookies within the meaning of Art. 6 para. 1 sentence 1 lit. f) GDPR. However, you can decide for yourself whether to use cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. If cookies are deactivated, it may no longer be possible to use all the functions of the website and applications to their full extent.

The legal basis for the processing of personal data using technically unnecessary cookies is Art. 6 para. 1 sentence 1 lit. a) GDPR. The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 sentence 1 lit. f) GDPR.

Cookies are stored on the user's computer or end device and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time.

In addition, cookies are used via Cloudflare, Inc. Turnstile when you enter your data in the contact form. You can find more information on data protection at Cloudflare, Inc. in their privacy policy. Your data and information are stored on Cloudflare, Inc. servers worldwide.

In addition, cookies are used via the Google Ireland Limited Firebase App Check application to ensure security for our applications against unauthorized IT intrusions (bots, etc.). You can find more information on data protection at Google Ireland Limited in their privacy policy. Your data and information are stored on the servers of Google Ireland Limited and Google Inc. worldwide.

2.3. When contacting us

Via our website as well as local and mobile applications and services, we offer you various ways to get in touch with us (via contact form, email, or telephone). If you contact us, we will process the personal data you provide in order to be able to answer your inquiry.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. b) GDPR (for the implementation of pre-contractual measures) and/or Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in answering your inquiry. Your details may be stored by us for the efficient processing of your inquiry.

As soon as you contact us, we also pass on your data to our email provider.

2.4. When using the applications

Registration is sometimes required to use the local and mobile applications and services. The data we request during registration (company name, business address, first and last name of the contact person, position, email address, telephone number, etc.) is necessary to be able to give you access to the applications. Your personal data is not generally visible to other users.

For statistical purposes, we collect data during the setup process, such as (for example in Abipilot) the entered first name, the selected federal state and the current semester. This information is technically separated from each other and stored completely anonymously on our servers in a Microsoft Azure database in Sweden. It is not possible to trace this back to you personally or link it to your user account. These aggregated statistics help us to better understand how the app is used.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. b) GDPR (for the implementation of pre-contractual measures) and/or Art. 6 para. 1 sentence 1 lit. f) GDPR. As soon as you delete your user account and existing contractual relationships with you have been fulfilled, we will limit the processing of your personal data and only store it within the scope of the retention periods under tax and commercial law.

2.5. App usage data, device information via Google

Through the integration of services from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, personal data is automatically collected and processed in our applications. This includes in particular

• App usage statistics (e.g. app openings, use of individual functions, purchases, interactions),
• Contact form data when entered in contact forms,
• Device information (e.g. IP address, device type and model, operating system version, app version),
• Crash and non-crash error logs.

The collection takes place automatically via the applications of Google Ireland Limited: Google Analytics for Firebase and Crashlytics.

The processing of this data serves to optimize and further develop our applications, to analyze user behavior to improve stability and user-friendliness, and to detect and correct errors.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in functional, secure, and user-friendly applications.

You can find more information on data protection at Google Ireland Limited in their privacy policy. Your data and information are stored on the servers of Google Ireland Limited and Google Inc. worldwide.

2.6. App usage data, device information via Hotjar

Through the integration of services from Hotjar Ltd., Dragonara Business Centre, Dragonara Road, 3141 St Julian's, Malta, personal data is automatically collected and processed in our applications. This includes in particular

• App usage statistics (e.g. app openings, use of individual functions, purchases, interactions, user behavior),
• Device information (e.g. IP address, device type and model, operating system version, app version),
• Crash and non-crash error logs.

The collection takes place automatically via the applications of Hotjar Ltd.

The processing of this data serves to optimize and further develop our applications, to analyze user behavior to improve stability and user-friendliness, and to detect and correct errors.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in functional, secure, and user-friendly applications.

You can find more information on data protection at Hotjar Ltd. in their privacy policy. Your data and information are stored on Hotjar Ltd. servers worldwide.

2.7. App usage data, device information via TikTok Pixel

Through the integration of services from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, personal data is automatically collected and processed in our applications. This includes in particular

• App usage statistics (e.g. app openings, use of individual functions, purchases, interactions, user behavior),
• Device information (e.g. IP address, device type and model, operating system version, app version),
• Crash and non-crash error logs.

The collection takes place automatically via the applications of TikTok Technology Limited: TikTok Pixel.

The processing of this data serves to optimize and further develop our applications, to analyze user behavior to improve stability and user-friendliness, and to detect and correct errors.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in functional, secure, and user-friendly applications.

You can find more information on data protection at TikTok Technology Limited in their privacy policy. Your data and information are stored on TikTok Technology Limited servers worldwide.

2.8. App usage data, device information via RevenueCat, Inc.

Through the integration of services from RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, Canada, personal data is automatically collected and processed in our applications. This includes in particular

• App usage statistics (e.g. app openings, use of individual functions, purchases, interactions, user behavior),
• Device information (e.g. IP address, device type and model, operating system version, app version),
• Crash and non-crash error logs.

The collection takes place automatically via the applications of RevenueCat, Inc.

The processing of this data serves to optimize and further develop our applications, to analyze user behavior to improve stability and user-friendliness, and to detect and correct errors; in particular for the technical processing and management of subscriptions and in-app purchases.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR, as we have a legitimate interest in functional, secure, and user-friendly applications.

You can find more information on data protection at RevenueCat, Inc. in their privacy policy. Your data and information are stored on servers of RevenueCat, Inc. worldwide.

2.9. Data for advertising purposes

Through the integration of services from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, personal data is automatically collected and processed in our applications for advertising purposes. This includes in particular the advertising ID (IDFA) as well as information on app openings, use of individual functions, purchases, and other interactions. The collection takes place automatically via Google AdMob, Google AdSense and Google User Messaging Platform.

The processing of this data serves to display personalized advertising, to measure the effectiveness of advertising campaigns, and to finance and provide our free offers.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a) GDPR, insofar as you have consented to the use of your advertising ID for advertising purposes. Without your consent, this data will not be used for personalized advertising.

You can find more information on data protection at Google Ireland Limited in their privacy policy. Your data and information are stored on the servers of Google Ireland Limited and Google Inc. worldwide.

2.10. Use of Google Fonts

For the uniform presentation of fonts on our website, we use Google Fonts, a service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you access our website, your browser loads the required fonts directly from Google servers. Your IP address is transmitted to Google Ireland Limited in the process.

The processing of your data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

You can find more information on data protection at Google Ireland Limited in their privacy policy. Your data and information are stored on the servers of Google Ireland Limited and Google Inc. worldwide.

2.11. AI Processing

To provide features in our services (e.g. AI Insight and Ask AI in Abipilot), we process your input data and text queries. Data transmission initially takes place to our own servers in a Microsoft Azure database in Sweden. From there, only the text content (prompt) necessary for the query is forwarded without personal reference for processing to Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland (via Azure OpenAI Service). Processing takes place in isolation on Microsoft Ireland Operations Ltd. servers worldwide. You can find more information on data protection at Microsoft Ireland Operations Ltd. in their privacy policy.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

2.12. Consent Logging

To prove your given consent (agreement to terms and conditions and privacy policy etc.), we log the time of consent, the app version and a generated device identifier in a Microsoft Azure database in Sweden. This serves to fulfill our accountability and verification obligations.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

2.13. When participating in a survey

We conduct surveys to measure the satisfaction of our service in order to optimize the applications with the information collected and to better adapt them to your needs.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

2.14. Newsletter

It is possible to subscribe to a free newsletter. When you register for the newsletter, your email address and the date and time of registration are transmitted to us from the input mask.

For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy. In connection with the data processing for the dispatch of newsletters, no data is passed on to third parties. The data is used exclusively for sending the newsletter. The legal basis for the processing of data after the user has registered for the newsletter is Art. 6 para. 1 sentence 1 lit. a) GDPR if the user has given their consent. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. The user's email address is therefore stored as long as the subscription to the newsletter is active. You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare the revocation by clicking on the link provided in every newsletter email or by sending an email to the email address given in section 1 of this privacy policy.

This also enables the revocation of the consent to the storage of the personal data collected during the registration process.

2.15. Email advertising

We reserve the right to send you information about new free and paid features of our applications as well as new products and services by email.

This is done on the basis of Section 7 (3) of the German Act Against Unfair Competition (UWG) and serves our predominantly legitimate interest in addressing our customers for advertising purposes in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you do not wish to receive such emails, you can object to the use of your email address for this purpose. A message to the email address given in section 1 of this privacy policy is sufficient for this.

2.16. GPS Data

Via our services (e.g. Xevono logbook), we collect and process your precise location data (GPS coordinates). This includes recording the start location, destination and the distance traveled during an active recording. This data is stored and processed locally on your end device. It is not transmitted to our servers unless you explicitly activate a synchronization or backup function.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

2.17. Audit-proof Archiving

To ensure the tamper resistance of data in our services (e.g. Xevono logbook), checksums and logs are automatically created for every change to an entry and transferred to an immutable storage in the Microsoft Azure Cloud in Switzerland. This data is stored in an audit-proof manner for ten years in accordance with statutory retention periods and then automatically deleted. The following are stored: timestamp of the change, checksum (hash) of the entry and an anonymous transaction ID.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

2.18. Interfaces for Data Storage

Within the scope of using the services, you sometimes have the option to optionally export backup copies to your private cloud storage (e.g. Google Drive, Dropbox, Microsoft OneDrive, iCloud Drive etc.). The connection to these services is established exclusively at your request. You authenticate yourself directly with the respective provider. We do not receive access to your access data.

2.19. Local Authentication

To protect sensitive data, the services sometimes offer the option of authentication using Face ID or Touch ID. Your biometric data is checked exclusively locally on your device. We never receive access to your biometric data, but only the information from the system as to whether the authentication was successful or not.

2.20. Bug Reporting

If you use the "Report bug" function in our services, technical information (device model, operating system version) and a log of the last app activities (log file) will be transmitted to us in addition to your message. This data is used exclusively for the technical analysis and rectification of the reported error.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. a), b) and f) GDPR.

Your personal data will be stored by us and our service providers in accordance with applicable data protection law, insofar and as long as this is necessary for the processing purposes stated in this privacy policy. We will then delete your personal data or take measures to properly anonymize the data. Something different applies if we are legally obliged or entitled to store your personal data for a longer period (e.g. to meet compliance requirements or for tax, accounting, and auditing purposes or to detect and prevent fraudulent or illegal activities).

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a) GDPR serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 sentence 1 lit. b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 para. 1 sentence 1 lit. d) GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 sentence 1 lit. f) GDPR serves as the legal basis for the processing.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:

5.1. Right of access

In accordance with Art. 15 GDPR, you can request confirmation from the controller as to whether personal data concerning you is being processed by them.

If such processing is taking place, you can request the following information from the controller:

• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
• the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
• the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to this processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• all available information about the origin of the data if the personal data are not collected from the data subject;
• the existence of automated decision-making, including profiling, in accordance with Art. 22 paras. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is being transferred to a third country or to an international organization. In this context, you can request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

5.2. Right to rectification

In accordance with Art. 16 GDPR, you have a right to rectification and/or completion against the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification without delay.

5.3. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of personal data concerning you in accordance with Art. 18 GDPR:

• if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to processing pursuant to Art. 21 para. 1 GDPR pending the verification whether the legitimate grounds of the controller override yours.

Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

5.4. Right to erasure

In accordance with Art. 17 GDPR, you can request the controller to erase the personal data concerning you without undue delay, and the controller is obliged to erase this data without undue delay where one of the following grounds applies:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You revoke your consent, on which the processing was based pursuant to Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR, and there is no other legal basis for the processing.
• You object to the processing in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Art. 21 para. 2 GDPR.
• The personal data concerning you have been processed unlawfully.
• The erasure of personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 para. 1 GDPR, they shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure does not exist insofar as the processing is necessary

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h) and i) as well as Art. 9 para. 3 GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the establishment, exercise or defense of legal claims.

5.5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the latter is obliged to communicate any rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right against the controller to be informed about these recipients.

5.6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where

• the processing is based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 sentence 1 lit. b) GDPR and
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be impaired by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5.7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 sentence 1 lit. e) or f) GDPR; this also applies to profiling based on these provisions. The controller will no longer process the personal data concerning you unless they can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes. You have the possibility, in connection with the use of information society services - notwithstanding Directive 2002/58/EC - to exercise your right to object by automated means using technical specifications.

5.8. Right to revoke the data protection declaration of consent

You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

5.9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for entering into, or performance of, a contract between you and the controller,
• is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
• is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a) or b) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to, the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

5.10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

We reserve the right to adapt this private policy occasionally so that it always complies with the current legal requirements or to implement changes to our services in the privacy policy, for example when introducing new services. The new privacy policy will then apply to your next visit.