This privacy statement applies to data processing by Saiga GmbH ("Saiga, "Controller", "we" or "us"). Saiga offers a virtual personal assistant to help you take care of private and business matters ("Concierge Service"). You can upload business letters, forms and other files to the Saiga App ("App") and give Saiga access to the respective file for processing support.
When you use our app and when you visit our website saiga.co ("Website"), personal data is collected and processed, which we process in compliance with the applicable data protection regulations. Personal data is any information relating to an identified or identifiable natural person, e.g. name, address, and e-mail address. When processing your personal data, we observe the applicable data protection laws, in particular the European General Data Protection Regulation ("GDPR") and the Federal Data Protection Act ("BDSG").
This privacy statement describes which personal data we process, for which purposes and on which legal basis.
We take the protection of your personal data very seriously. We process your data only for the purposes clearly defined in this privacy statement. If we process data for other purposes and/or pass on your data to third parties for other purposes, we will only ever do so with your explicit consent.
1. Name and Contact Details of the Controller
Responsible for the processing of your data is Saiga GmbH, Ritterstr. 12, 10969 Berlin, Phone: +49 (0)30 83797411, e-mail: firstname.lastname@example.org.
2. Collection and Storage of Personal Data as well as Method and Purpose of their Processing, relevant Legal Basis and Storage Period
2.1. Informative Use of our Website
During the mere informative use of our Website, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called server log files), whereby logging only takes place to the technically necessary extent. The following information is collected:
- IP address of the requesting Internet-enabled device
- date and time of access
- name and URL of the accessed file
- website from which the access is made (referrer URL)
- the browser you use and, if applicable, the operating system of your internet-enabled device as well as the name of the access provider.
The legal basis for the collection of this data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest in collecting this data results from the following purposes:
- ensuring optimal use of our Website,
- ensuring smooth connection establishment,
- evaluation of system security and stability.
2.2. Registration for Use of the App
We collect the following personal data when you register for our app for the first time:
- your e-mail address
- your name
To confirm the e-mail address you have provided, we use the so-called double opt-in procedure. This means that after your registration we will send you an e-mail to the e-mail address you have provided, in which we ask you to confirm your e-mail address.
We process your registration data in order to fulfil the Concierge Service Agreement concluded with you. The legal basis is Art. 6 para. 1 lit. b) GDPR. If you use the App as an employee of a company registered with us or as a person authorised to represent such a company, data processing for the aforementioned purposes constitutes a legitimate interest on our part, so that we can base data processing on Art. 6 (1) sentence 1 lit. f) GDPR.
2.3. Transmission of Documents and Information for the Use of the Concierge Service
With our Concierge Service, we support you in taking care of private and business matters. For this purpose, the App allows you to upload information of any kind. This can include business letters, forms, identification documents and other files. The documents will often contain personal data about you. Depending on the matter you need us to assist you with, this may include:
- Personal information such as name, date of birth, address etc.
- family information
- Information on your leisure time behaviour (hobbies, interests, etc.)
- Information about your state of health
- account information
- Other private information (insurance, real estate, motor vehicles, etc.)
- Professional and business information
It is possible that you upload these files on our systems or on systems provided by yourself (e.g. Google Drive, Dropbox). In the latter case, you conclude the contract directly with the relevant third-party provider on your own initiative. The third-party provider is responsible for your personal data stored on the systems under data protection law. We receive access to the systems of the third-party providers to the extent that this is necessary for the purposes of our support services.
You always have the possibility to access, adapt or delete the files you have submitted for the purpose of the support service.
We process the above data in order to fulfil the Concierge Service Agreement with you. The legal basis is Art. 6 para. 1 lit. b) GDPR. In the case of the transmission of your identity card or passport, we process the data contained on the official documents only with your express consent pursuant to Art. 6 para. 1 lit. a) GDPR in conjunction with section 20 para. 2 sentence 3 Act on Identity Cards and Electronic Identification (PAuswG), Section 18 para. 3 sentence 3 Act on Identity Cards and Electronic Identification (PAuswG). If you provide us with special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data, data on your political opinion, religious or ideological convictions, your trade union membership), we process this data on the basis of your explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.
2.4. Creation of a Personal User Profile and Evaluation
If you have sent us files containing personal data, we will first use the data to assist you with the matter you have requested (section 2.3.). In addition, we will file the data in your personal user profile and store it there. This helps us to use the relevant data again should you require support from us in another matter. In this case, you do not have to submit the data to us again.
The information we store about you also helps us to continually improve our service. We use your information to better understand how we can support you in the future, what that support might look like and to make suggestions to you. By creating your personal user profile and analysing your data, we pursue the sole purpose of improving our service to you and making it more efficient. Your data will not be used for any other purpose.
The storage of the data in your profile and the evaluation of your transmitted data is based on your express consent in accordance with Art. 6 (1) a) GDPR.
2.5. Data Processing of Third Party Data
When you send us files, it is often the case that they contain not only data about you, but also data about third parties. These may include the following categories of affected persons, among others:
- family members
- own employees/staff
- employees/staff of contractual partners
- public authority employees
In this case, you are responsible for the processing of this personal data under data protection law within the meaning of Art. 4 No. 7 GDPR. You must comply with the applicable provisions of data protection law. We will process this data on your behalf and in accordance with your instructions exclusively for the purposes described in this privacy statement. A corresponding data processing agreement between you and us will specify the corresponding rights and obligations.
2.6. Data Processing for Personal Addressing by e-mail
If you give us your explicit consent, we will send you information about our services and offers by e-mail. For this purpose, we process your name and e-mail address. When you register for our newsletter, we use the double opt-in procedure. This means that after you have registered with your e-mail address, we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you actually wish to receive the newsletter.
The legal basis for sending our information is Art. 6 para. 1 lit. a) GDPR.
For sending the e-mails, we use the third-party provider Mailchimp, a newsletter sending platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. E-mail addresses of our newsletter recipients are stored on MailChimp's servers in the USA. MailChimp uses this information to send and evaluate the newsletters on our behalf. For this reason, we have concluded a "Data Processing Agreement" ("DPA" or also "Order Processing Agreement") with MailChimp.
The DPA contains a reference to the European Standard Contractual Clauses, which provide a guarantee for the transfer of your personal data to the USA. Furthermore, according to its own information, MailChimp may use the data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and presentation of the newsletters or for economic purposes to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them itself or to pass it on to third parties.
You can read the privacy statement of MailChimp at https://mailchimp.com/legal/privacy/.
2.7. Storage Period
You can delete your account in our App and/or the files uploaded in connection with the use of the Concierge Service yourself at any time. After termination of the agreement, we will also delete the user profile created about you. Apart from that, we store your data as long as it is necessary for the processing of the existing agreement with you, i.e. until the expiry of the statutory or possible contractual warranty rights. After expiry of this period, we retain the information of the contractual relationship required under commercial and tax law for the periods determined by law.
2.8. Optimization of Website and App
Other cookies remain on the terminal device you are using, so that you will be recognised the next time you visit. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created.
The activation of cookies is necessary for the proper functioning of the website. We therefore have a legitimate interest in their use. The legal basis for the related data processing is therefore Art. 6 para. 1 sentence 1 lit. f) GDPR.
2.8.2. Google Analytics
We use Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Parkway, Mountainview, CA 94043, USA ("Google"), to design our services in line with requirements and to optimise them on an ongoing basis.
In this context, pseudonymised usage profiles are created and cookies are used. The information generated by the cookie about your use of our Website, such as browser type/version, operating system used, referrer URL (the previously visited page), host name of the accessing computer (IP address), time of server request, is transmitted to a Google server in the USA and stored there. The transfer of data to the USA takes place on the basis of the European Standard Contractual Clauses. The information is used to evaluate the use of the Website, to compile reports on advertising activities and to provide other services associated with the use of the Website and the Internet for the purposes of market research and the design of these Internet pages in line with requirements. The IP address is anonymised so that an assignment is not possible (so-called IP masking).
Data processing in connection with Google Analytics is based on your explicit consent pursuant to Art. 6 (1) a) GDPR.
For more information on data protection at Google Analytics, please visit the website of the third-party provider:
Data protection overview: http://www.google.com/intl/de/analytics/learn/privacy.html
as well as the privacy statement:
2.8.3. Google Tag Manager
Furthermore, we use the Google Tag Manager of Google Inc. This Google service allows website tags to be managed via an interface. Only tags are implemented, i.e. no cookies are set and no personal data is collected. The Tag Manager triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. For more information, please read the Google Tag Manager usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.
3. Further Use of External Service Providers
In order to process your personal data, we sometimes use the services of other external service providers (IT service providers, providers for the authentication of your person, providers for the execution of electronic signatures). These service providers process your personal data on our behalf, in accordance with our instructions and our supervision exclusively for the purposes set out in this privacy statement. In addition, we include account information and payment initiation services in our App.
In order for you to sign in to our App, we use the log-in service Auth0, 10900 NE 8th Street, Suite 700, Bellevue, WA 98003 USA ("Auth0"). Auth0 authenticates your identity via the single sign-on service for all login processes, whereby you only need to provide your email address and password to log in each time. Your personal data is stored on servers within the European Union. There is no transfer to the USA. You can find more information on data protection at Auth0 at: https://auth0.com/de/gdpr
If we require your signature when performing a Concierge Service, we use the external service provider DocuSign Germany GmbH, Neue Rothofstrasse 13-19, 60313 Frankfurt ("DocuSign"). It is possible that DocuSign will transfer your personal data to the USA for further processing. DocuSign has implemented binding corporate rules to enable the transfer of personal data from the European Union to third countries in a legally secure manner ("Binding Corporate Rules", "BCR").
You can find these Binding Corporate Rules here: https://www.docusign.com/trust/privacy/bcrp-privacy-code and
Further information on data protection at DocuSign can be found at the following address: https://www.docusign.de/unternehmen/datenschutz.
In addition, you can retrieve bank data from your accounts via our partner finAPI (finAPI GmbH, Adams-Lehmann-Str. 44, 80797 Munich, "finAPI"). finAPI is an account information service and payment initiation service that has a corresponding PSD2 licence. finAPI specialises in particular in retrieving bank data from all relevant German banks. To use the service, you conclude a separate user agreement with finAPI for the retrieval of your account data. To retrieve your bank data via finAPI, you need the access data to your respective bank accounts ("Access Data"). With regard to the Access Data, finAPI is the sole responsible officer within the meaning of the GDPR. The Access Data are stored exclusively at finAPI. The bank data are stored in encrypted form on your respective end device at finAPI. Further information on the processing of your data by finAPI can be found in the privacy statement of finAPI GmbH for the use of finAPI services at https://www.finapi.io/finapi-nutzung-und-datenschutz.pdf.
4. Transfer of Data to Third Party Countries
Except as set out in sections 2 and 3, we do not transfer your personal data to recipients in countries outside the European Union or the European Economic Area [where a level of data protection comparable to that in the European Union cannot be assumed].
5. Data Security
All personal data transmitted by you is transferred using the secure and proven SSL (Secure Socket Layer) standard, which is also used for online banking, for example. We also use appropriate technical security measures to protect stored personal data against manipulation, partial or complete loss and unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is only stored on servers hosted in the EU that are certified in accordance with DIN ISO/IEC 27001 (as amended from time to time).
6. Your Rights
In relation to our processing of your personal data, you are entitled to the following rights free of charge:
6.1. Right to Information pursuant to Art. 15 GDPR
You have the right to receive information from us about whether and which data we process about you. This includes information on how long and for what purpose we process the data, the source of the data and the recipients or categories of recipients to whom we pass on the data. We can also provide you with a copy of this data.
6.2. Right to Rectification pursuant to Art. 16 GDPR
You have the right to request that we rectify information about you that is not or no longer accurate without delay. In addition, you can request that we complete your incomplete personal data. If required by law, we will also inform third parties of this rectification if we have disclosed your personal data to them.
6.3. Right to Deletion pursuant to Art. 17 GDPR
You have the right to request that we delete your personal data without delay if one of the following cases applies:
- Your data is no longer necessary for the purposes for which it was collected or otherwise processed or the purpose has been achieved;
- You withdraw your consent and there is no other legal basis for the processing;
- You object to the processing and there are no prevailing legitimate grounds for the processing; in the case of the use of personal data for direct marketing, a mere objection by you to the processing is sufficient;
- Your personal data has been processed unlawfully;
- The deletion of your personal data is necessary to comply with a legal obligation under European Union law or the law of a member state to which we are subject.
Your right to deletion may be restricted on the basis of statutory provisions. This includes in particular the restrictions listed in Article 17 GDPR and Section 35 Federal Data Protection Act (BDSG).
6.4. Right to the Restriction of Processing pursuant to Art. 18 GDPR
You have the right to request us to restrict the processing of your personal data if one of the following reasons applies:
- you dispute the correctness of your personal data for a period of time that allows us to verify the correctness of the personal data;
- the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of your personal data;
- we no longer need your personal data for the purposes of processing; however, you need them for the assertion, exercise or defence of legal claims, or
- you have objected to the processing as long as it has not yet been determined whether our legitimate reasons outweigh yours.
If you have obtained a restriction on processing under the above list, we will inform you before the restriction is withdrawn.
6.5. Right to Data Portability pursuant to Art. 20 GDPR
You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to others. The exercise of this right does not affect your right to deletion.
6.6. Right to Object pursuant to Art. 21 GDPR
According to Art. 21 GDPR, you have in particular the right to object to the processing of your data at any time on the grounds of your particular situation, if we base this processing on legitimate interests pursuant to Art. 6 Art. 1 lit. f) GDPR. If you object, we will no longer process your personal data, except in two cases:
- We can prove that there are compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms; or
- the processing serves the assertion, exertion or defence of legal claims.
In particular, if we process your personal data for direct marketing, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.
6.7. Right of Withdrawal of Consent pursuant to Art. 7 GDPR
You can withdraw your consent given to us at any time with effect for the future. This withdrawal can be made in the form of an informal notification to the above-mentioned contact addresses. If you withdraw your consent, the legitimacy of the data processing carried out up to that point will not be affected.
6.8. Right to file a Complaint with the Supervisory Authority
If you believe that the processing of your data by us violates applicable data protection law, you have the right to file a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is:
Berlin Commissioner for Data Security and Freedom of Information („Berliner Beauftragte für Datenschutz und Informationsfreiheit“)
Phone: +49 30 13889-0
Fax: +49 30 2155050