Privacy policy

In the following, we inform you in accordance with Art. 13 GDPR about how your personal data is handled when you visit and use this web application. Please note that your data will be processed by two different controllers to the extent described below.

Data processing by QRSKIN® GmbH

Joint data processing by QRSKIN® GmbH and Innoloft GmbH

Joint controllers

Common point of contact for affected persons

Joint data processing

Your rights

1. Data processing by QRSKIN® GmbH

Controller:

QRSKIN® GmbH

Waldstraße 23 65812 Bad Soden am Taunus Germany

Contact data protection officer:

Franziska Müller

Waldstraße 23 65812 Bad Soden am Taunus Germany

info@qrskin.com

Further information according to Art. 13 GDPR

[Please fill]

2. Joint data processing by QRSKIN® GmbH and Innoloft GmbH

In the course of providing access to the web application at https://qrskin.loftos.com, QRSKIN® GmbH and Innoloft GmbH work closely together. This also applies to the processing of personal data concerning you. The controllers are jointly responsible for the protection of the personal data processed by them to the extent described below (Art. 26 GDPR).

2.1 Joint controllers

Controller 1:

Innoloft GmbH

Jülicher Straße 72a, D-52070 Aachen

www.innoloft.com

Contact Data Protection Officer Controller 1:

PROLIANCE GmbH

www.datenschutzexperte.de

Leopoldstr. 21

80802 Munich

datenschutzbeauftragter@datenschutzexperte.de

When contacting the common point of contact, please state Innoloft GmbH and the company, organization or URL of the web application to which your request relates. Please refrain from enclosing sensitive information, such as a copy of your ID, with your request.

2.2 Common point of contact for affected persons

PROLIANCE GmbH

www.datenschutzexperte.de

Leopoldstr. 21

80802 Munich

datenschutzbeauftragter@datenschutzexperte.de

2.3 Joint data processing

Scope and regulation of joint data processing

The two controllers are jointly responsible to a small extent for data processing in connection with your access to the web application and have concluded an agreement on this in accordance with Art. 26 GDPR. What the two controllers have agreed, which data processing is affected by this and which obligations under the GDPR the two controllers assume in each case can be found below.

Why are there two joint controllers?

The web application available at https://qrskin.loftos.com was provided on the basis of a platform developed by Innoloft GmbH, Innoloft LoftOS. The platform combines the development and hosting of web applications with the functions of a social media platform. One of the main use cases is the creation of communication and information platforms.

One function of LoftOS is the Innoloft Ecosystem. This includes certain networking and communication functions. Users can log in to any application created with LoftOS with the same access data, manage their uniform profile there and communicate across applications with all web application operators and other users.

In order to provide these basic functions of the Innoloft Ecosystem, the user data required for this purpose are processed by Innoloft GmbH (Controller 1) and the operator of the web application (Controller 2) for a common purpose and in the common interest. In this respect, Innoloft GmbH and the operator of the web application are jointly responsible for data processing to the extent described below.

What have those responsible agreed?

Within the scope of their joint controllership under data protection law QRSKIN® GmbH and Innoloft GmbH have set out in a written agreement which of them are subject to which data protection obligations and which of them fulfils which obligations. In particular, the controllers have reached an agreement on who is responsible for the exercise of data subjects' rights under Art. 15-22 GDPR and for the fulfillment of information obligations under Art. 12-14 GDPR and in what manner.

For which processing operations is there joint controllership?

In the table below you will find further information on the scope of joint data processing, the categories of data processed, the group of data subjects and the legal basis for data processing.

Description of processing activity: Provision of the Innoloft LoftOS authentication and login system Responsible parties: Controller 1; Controller 2 Processed data categories: User login data (e-mail address, password, IP address, log data) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Enabling users to log in to applications in Innoloft LoftOS. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Provision of the user profile in Innoloft LoftOS Responsible parties: Controller 1; Controller 2 Processed data categories: Information in the user profile (first name, surname, profile picture, job title, company, interests, biography) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Representation of the user as a member of an application in Innoloft LoftOS. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Provision of the interaction, communication and networking functions of the Innoloft Ecosystem for applications of the Controller 2 in the Innoloft LoftOS and the user of these applications Responsible parties: Controller 1; Controller 2 Processed data categories: User data (first name, surname, profile picture) Usage data (IP address, date and time), Status of the user's membership of an application, Data on how the user interacts with the content of the application, Content data (chat, messages) Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Enabling the user to network and interact with the application of the person Controller 2 and other applications. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

Description of processing activity: Monitoring system stability and error analysis using Sentry Responsible parties: Controller 1; Controller 2 Processed data categories: User ID, browser information, URL, triggering error code Circle of those affected: Users of the Innoloft LoftOS and the Innoloft Ecosystem Purposes and legal basis: Monitoring the stability of the functions of the Innoloft LoftOS, the Innoloft Ecosystem and the applications of the person Controller 2 for the purpose of error analysis and troubleshooting. Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 sentence 1 lit. b GDPR

The processed data is stored in Innoloft LoftOS for as long as is necessary for the aforementioned data processing. As a rule, this is as long as the user has access to the web application or as long as their user profile exists.

The following processors are used within the scope of joint controllership.

Service, order processor (name, address, country): Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland Description of the processing activity:Address completion when inserting an address in the organization profile Processed data categories: IP address, Addresse Circle of those affected:

Server location: EU Guarantees to ensure an adequate level of protection: Standard data protection clauses (SCC) and supplementary measures, Certification in accordance with the EU-US Data Privacy Framework (Google LLC)

Service, order processor (name, address, country): Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA Description of the processing activity: Monitoring the system stability and functional capability of the applications in Innoloft LoftOS Processed data categories: User ID, browser