Last update: May 2018
1. Identity of GoSt-Barefoots
Buchholzer Weg 17
Tel.: + 49 99 811 44
2. What information do we collect?
You may visit our site anonymously.
If you choose to register on our website, four categories of data to and on behalf of you will be processed:
When you register for an account on our site, place an order, subscribe to our newsletter or respond to a survey, basic contact details are collected such as the e-mail address and name of your contact person, company name, address, phone number, VAT number, preferred language and currency, any purchase order number, any e-mail and address of invoice receivers.
We collect your direct input after login, like the domain name(s) of the website(s) where you implement the Service and configuration of the content, looks and behavior towards website visitors (“End Users”).
“End User Data (CookieBot)”
Our website is scanned by CookieBot at regular intervals for existing and possibly newly added cookies. GoSt-Barefoots thus has the option of describing these cookies in the Cookie Declaration.
• The End User’s IP number in anonymized form (last three digits are set to ‘0’).
• The date and time of the consent.
• User agent of the End User’s browser.
• The URL from which the consent was submitted.
• An anonymous, random and encrypted key value.
• The End User’s consent state, serving as proof of consent.
The key and consent state are also saved in the End User’s browser in the first party cookie “CookieConsent” so that the website can automatically read and respect the End User’s consent on all subsequent page requests and future End User sessions for up to 12 months. The key is used for proof of consent and an option to verify that the consent state stored in the End User’s browser is unaltered compared to the original consent submitted to CookieBot.
“System Generated Data”
We store meta data on basis of the other types of data, e.g.: Subscription data, like start date, latest invoice date and the result of a mandatory VAT number validation. Issued invoices are stored so that you may access any issued invoices from within you account.
You can issue instructions to GoSt-Barefoots through configuration and/or execution of relevant functions offered in your account. If a specific instruction regarding personal data cannot be carried out through your account, you may send instructions to us through the help desk (also part of your account).
You will be informed by GoSt-Barefoots about relevant changes concerning your account, such as the implementation of additional functions, by e-mail, if you subscribe to GoSt-Barefoots newsletter from the account settings page.
3. What do we use your information for?
Any of the information we collect from you may be used for one or more of the following purposes:
3.1. To personalize your experience (the information will help GoSt-Barefoots better respond to your individual needs);
3.2. To improve our website (GoSt-Barefoots continually strives to improve our website offerings based on the information and feedback we receive from our customers);
3.3. To identify you as a contracting party;
3.4. To enable secure login for you in your account;
3.5. To establish a primary channel of communication with you;
3.6. To enable GoSt-Barefoots to issue valid VAT invoices and to process transactions (your information will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the service requested);
3.7. To enable automated handling of the subscriptions;
3.8. To send periodic e-mails (The e-mail address you provide for order processing, may be used to send you information and updates pertaining to your order, in addition to receiving occasional company news (if accepted), updates, related product or service information, etc.) If at any time you would like to unsubscribe from receiving future e-mails, you can eg unsubscribe from our newsletter after logging into your account.
4. Legal basis
4.1. EU General Data Protection Regulation (GDPR)
The processing of your data is either based on your consent or in case the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, cf. GDPR art. 6(1)(a)-(b).
If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information in clause 1.
4.2. California Online Privacy Protection Act Compliance
Because GoSt-Barefoots values your privacy we have taken the necessary precautions to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute any personal information to outside parties without your consent except as stated in clause 7.
As part of the California Online Privacy Protection Act, all users of our website may make any changes to their information at any time by logging into their account and navigating to the “profile page”.
4.3. Children’s Online Privacy Protection Act Compliance
GoSt-Barefoots is in compliance with the requirements of the Children’s Online Privacy Protection Act. We will not intentionally collect any information from anyone under 13 years of age. Our website, products and services are all directed at people who are at least 13 years old or older.
5. How do we protect your information?
GoSt-Barefoots implements the following technical, physical and organizational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized use, unauthorized modification, disclosure or access and against all other unlawful forms of processing.
Our website is located on a so-called "dedicated server" in the data center of a renowned Internet Service Provider. Here, numerous functions are used to ensure high availability and continuous data backup. Otherwise, personal information will not be stored outside GoSt-Barefoots.
To ensure integrity, all data transits are encrypted to align with best practices for protecting confidentiality and data integrity. All data is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider’s database (PayPal) only to be accessible by those who are authorized to access such systems and who are required to keep the information confidential.
For data in transit, the Service uses industry-standard transport protocols between devices and Microsoft datacenters and within datacenters themselves.
All personnel are subject to full confidentiality and any subcontractors and subprocessors are required to sign a confidentiality agreement if not full confidentiality is part of the main agreement between the parties.
Whenever personal data is accessed by authorized personnel the access is only possible over an encrypted connection. When accessing the data in a database, the IP number of the person accessing the data must also be pre-authorized to obtain access.
Any device being used to access personal data is login protected by GoSt-Barefoots’s Azure Active Directory (AAD), Microsoft’s identity and access management service, and has GoSt-Barefoots’s corporate antivirus solution (AVG) installed. If any personal data are temporarily stored on a device, the storage unit on the device must also be strongly encrypted.
On premise devices storing personal data temporarily is at all times, except when not being actively used or relocated under uninterrupted supervision, locked in a safe. Personal data are never stored on mobile media like USB sticks and DVD’s.
GoSt-Barefoots will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. GoSt-Barefoots will also provide the summaries of any independent audits of the Service.
All access to personal data is blocked by default, using a zero privileges policy. Access to personal data is restricted to individually authorized personnel. GoSt-Barefoots’s Security and Privacy Officer issues authorizations and maintains a log of granted authorizations. Authorized personnel are granted a minimum access on a need-to-have basis through our AAD.
5.6. The ability to intervene
GoSt-Barefoots enables your rights of access, rectification, erasure, blocking and objection mainly by providing built-in functions for data handling in your account, by offering the option to send instructions through GoSt-Barefoots’s helpdesk and also by informing about and offering the customer the possibility of objection when GoSt-Barefoots is planning to implement changes to relevant practices and policies.
GoSt-Barefoots uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.
System performance and availability is monitored from both internal and external monitoring services.
5.8. Personal Data breach notification
In the event that your data is compromised, GoSt-Barefoots will notify you and competent Supervisory Authority(ies) within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and GoSt-Barefoots's action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.
For information on the cookies we use see GoSt-Barefoots’s Cookie Declaration.
7. Do we disclose any information to outside parties?
GoSt-Barefoots does not sell, trade or otherwise transfer to outside parties any personally identifiable information.
This does not include trusted third parties or subcontractors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
7.1. Subcontractors/trusted third parties
GoSt-Barefoots is an independent, independent company and does not work with subcontractors. Any intended changes concerning the addition or replacement of subcontractors or subprocessors handling personal data will be announced to you with at least 3 months’ notice. You retain at all times the possibility to object to such changes or to delete your account at GoSt-Barefoots.
7.2 Legally required disclosure
GoSt-Barefoots will not disclose the customer’s data to law enforcement except when instructed by you or where it is required by law. When governments make a lawful demand for customer data from GoSt-Barefoots, GoSt-Barefoots strives to limit the disclosure. GoSt-Barefoots will only release specific data mandated by the relevant legal demand.
If compelled to disclose your data, GoSt-Barefoots will promptly notify you and provide a copy of the demand unless legally prohibited from doing so.
8. Third party links
Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked websites. Nonetheless, we seek to protect the integrity of our website and welcome any feedback about these websites.
9. Where do we store the information?
No stored data will be transferred, backed up and/or recovered by GoSt-Barefoots outside of the European Union.
9.1. Personal data location
All data and databases are stored on GoSt-Barefoot's own servers. Databases are continuously backed up to enable restore to any point in time within a retention period of 35 days. Backups are stored on file storage at the same geographical location as the database. Regardless of the security measures taken by our Internet Service Provider, our web server is also backed up at the same intervals at GoSt-Barefoots.
10. Access, data portability, migration, and transfer back assistance
You may at any time obtain confirmation from GoSt-Barefoots as to whether or not personal data concerning you are being processed.
You may at any time order a complete data copy, which you may transmit to another controller of the data. Your data will be delivered within 10 working days by GoSt-Barefoots as spreadsheet files in Microsoft Excel-format. Logical relations between datasets will be preserved in form of unique identifiers. You are required to pay €1,000 + any applicable taxes on delivery for each data copy order.
11. Request for rectification, restriction or erasure of the personal data
You may at any time obtain without undue delay rectification of inaccurate personal data concerning you, cf. clause 5.6.
11.2. Restriction of processing personal data
You may at any time request GoSt-Barefoots to restrict the processing of personal data when one of the following applies:
a. if you contest the accuracy of the personal data, for a period enabling GoSt-Barefoots to verify the accuracy of the personal data;
b. if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
c. if GoSt-Barefoots no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims.
You may without undue delay request the erasure of personal data concerning you, and GoSt-Barefoots shall erase the personal data without undue delay when one of the following applies:
a. if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing;
c. if you object to the processing in case the processing is for direct marketing purposes;
d. if the personal data have been unlawfully processed; or
e. if the personal data have to be erased for compliance with a legal obligation in EU or national law.
12. Data retention
12.1. Data retention policy
Account Data will due to tax regulations be retained for up to five full fiscal years from your cancellation of your Service account.
Configuration Data and System Generated Data will be erased immediately when you delete your account or request the deletion from us.
End User Data will be erased on an ongoing basis after 12 months from registration, and immediately when you delete your account.
12.2. Data retention for compliance with legal requirements
You cannot require GoSt-Barefoots to change any of the default retention periods, except for the reasons for erasure pursuant to clause 11.3, but may suggest changes for compliance with specific sector laws and regulations.
12.3. Data restitution and/or deletion
You can request a copy of the data before deleting your account. You must not delete your account until the data copy has been delivered, as GoSt-Barefoots otherwise will not be able to deliver the data copy.
GoSt-Barefoots logs all system updates, configuration changes and access to provide an audit-trail if unauthorized or accidental changes are made.
You may request a data protection audit performed by an independent third party who is also accepted by GoSt-Barefoots. You will pay €5,000 plus applicable taxes for an audit request along with €200 per hour GoSt-Barefoots is spending in connection with the audit as well as any other costs related to the audit, including the auditor.
GoSt-Barefoots will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition), to manage incidents including forensic analysis in case of security breach.
15. Terms of Service
Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of our website.
16. Your consent
You may at any time lodge a complaint with a supervisory authority regarding GoSt-Barefoots collection and processing of your personal data.