Spherity Privacy Policy


Who are we?

Spherity GmbH is a German software company, building decentralized digital identity management solutions to power the fourth industrial revolution, bringing secure identities to enterprises, machines, products, data and even algorithms. Spherity is certified according to the information security standard ISO 27001.

Spherity GmbH is a data controller for personal data and personally identifiable information collected and processed by Spherity’s services.

Spherity GmbH can be found at:

Emil-Figge-Straße 80

44227 Dortmund

Germany

+49 (0)231 968 197 60

info@spherity.com

Managing Directors: Dr. Carsten Stöcker, Dr. Michael Rüther

USt-IdNr.: DE 316 157 015

 

What data do we collect?

We collect your personal information in order to provide and continually improve our products and services.

Here are the types of personal information we collect:

  • Information you give us: We receive and store any information you provide in relation to Spherity’s services. This information may comprise of:
    • Your name;
    • Your email address;
    • Your IP address;
    • Relevant metadata relating to your time on Spherity’s website;
    • Conversation history with Spherity.

 

  • Automatic information: We automatically collect and store certain types of information about your use of Spherity’s website, including your interaction with content hosted on our website. Like many websites, we use cookies to obtain certain types of information when your web browser or device accesses our website.

 

  • Information provided to us by a third party: In the course of business with Spherity, it is reasonably foreseeable that we may receive personal data from an external source or third party.

 

  • Information necessary to carry out our services: While using Spherity’s digital identity services, for example, personal data may be stored in Spherity’s cloud identity wallet and processed by Spherity’s digital identity agent. 

 

 

How will we use your data?

Processing, collecting and disclosing our users/customers’ personal data in compliance with GDPR is important to Spherity. Accordingly, it is important to lay out exactly how we use your data. 

  1. To carry out business activities: Spherity processes personal data that we receive from you enables us to carry out our digital identity services that we offer to you;
  2. To facilitate effective use of our identity services: Spherity may process and record personal data that we receive in providing data hosting and back-up services on behalf of our clients for the purpose of supporting the client in delivering identity credential-related services and digital wallet services;
  3. To communicate effectively with you: Spherity collects your data so that it can follow up any business activities with accuracy, drawing on interactions you have had with Spherity in the past;
  4. To conduct analytics: Spherity uses analytics on aggregated and anonymized data so we can continually improve our website and keep it secure;
  5. To market our services: If consented to, Spherity will communicate and market its services to you through mediums such as a newsletter, educational emails or sharing articles. If you have consented, you can always choose to opt-out later;
  6. To act on a business change: If Spherity become involved in a merger, consolidation, acquisition, sale of assets, joint venture, securities offering, bankruptcy, reorganization, liquidation, dissolution or other transaction, or if the ownership of all or substantially all of our business otherwise changes, we may share or transfer databases containing personal data of users including your personal data to a successor party or parties in connection with such transaction or change in ownership or legal structure;
  7. To act on a request for necessary disclosure: Spherity may disclose information about you to third parties if deemed necessary by law, for example, to (i) comply with a law, regulation, or mandatory request such as a warrant or court order, to (ii) Protect the any person from death or serious bodily injury, to (iii) Protect the Site or Spherity GmbH from unlawful abuse or attacks.

Third party service providers: Spherity uses some third parties to perform functions on our behalf. Examples include analysing data, providing marketing assistance, transmitting content, storing personal data in secure ways. These third-party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process the personal information in accordance with this Privacy Policy and as permitted by applicable data protection laws. The third parties Spherity uses to process personal data are as follows: 

 

(a)   Google Analytics

 

This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of this website’s operator, Google will use this information to evaluate your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use this website’s full functionality. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link (http://tools.google.com/dlpage/gaoptout?hl=de). You can prevent the collection by Google Analytics by clicking on the following link. An opt-out cookie will be set that prevents the future collection of your data when visiting this website: Deactivate Google Analytics. For more information on terms of use and data protection, please visit http://www.google.com/analytics/terms/de.html or https://www.google.de/intl/de/policies/.

 

 

(b)   HubSpot

 

Our sign-up service allows visitors to learn more about our company, schedule a product demo, and provide their contact information and other demographic information. This information is stored on servers operated by our software partner HubSpot. We may use it to contact visitors to our website and determine which services or offers are of interest. All information we collect is subject to this privacy policy. We use all information collected solely to optimize our marketing. HubSpot is a software company based in the USA with a branch office in Ireland.

Contact:

HubSpot

2nd Floor, 30 North Wall Quay

Dublin 1, Ireland

Phone: +353 1 5187500

As there is a transfer of personal data to the USA, different protection mechanisms are required to ensure the data protection level of the GDPR. To ensure this, we have agreed to standard data protection clauses with the provider following Art. 46 (2) lit. c GDPR. These oblige the recipient of the data in the USA to process the data following the protection level in Europe. If this cannot be ensured even through this contractual extension, we endeavor to obtain additional regulations and commitments from the recipient in the USA.

 

(c)   MailChimp

The newsletter is sent using the dispatch service provider “MailChimp”, a newsletter platform of the US provider Rocket Science Group LLC, 675 Ponce de Leon Avenue Northeast, Suite 5000 Atlanta, GA 30308 United States You can view the privacy policy of the dispatch service provider here: https://mailchimp.com/legal/privacy/.

Rocket Science Group LLC d/B/a MailChimp is certified under the Privacy Shield Agreement and offers a guarantee of compliance with the European data protection level (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

Although we acknowledge that after the recent Schrems 2 case, the Privacy Shield has been effectively invalidated. As such, we have agreed to standard data protection clauses with the provider following Art. 46 (2) lit. c GDPR. 

Spherity relies on explicit and freely given consent before marketing through MailChimp.

 

(d)   Google Fonts

This website is using Google Fonts. The Google Fonts API is designed to limit the collection, storage, and use of end-user data to only what is needed to serve fonts efficiently.

Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com. This means your font requests are separate from and don’t contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.

In order to serve fonts quickly and efficiently with the fewest requests, responses are cached by the browser to minimize round-trips to our servers.

Requests for CSS assets are cached for 1 day. This allows us to update a stylesheet to point to a new version of a font file when it’s updated, and ensures that all websites using fonts hosted by the Google Fonts API will be using the most updated version of each font within 24 hours of each release.

The font files are cached for 1 year, which cumulatively has the effect of making the entire web faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. We sometimes update font files to reduce their file size, increase coverage of languages, and improve the quality of their design. The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, go to Google’s Privacy Policy: https://policies.google.com/privacy

(e)   Google Tag Manager

In order to monitor system stability and performance, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any user-specific identifiers that could be associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited. Learn more about how the Google Tag Manager uses data in their terms of service: https://support.google.com/tagmanager/answer/7157428

 

Legal basis for processing personal data

The GDPR requires a legal basis for our use of personal data. Our legal basis varies depending on the specific purpose for which we use personal information. We may potentially use:

  • Performance of a contract when we provide you with products or services, or communicate with you about them under the terms of an agreement or contract we have with you. 
  • Our legitimate business interests in (among other things) delivering our Services, conducting commercial research, improving and maintaining our Services, protecting the security or integrity of our databases, protecting our business or reputation, taking precautions against legal liability, dealing with our assets in the event of a business change, protecting and defending our legal rights or property, or for resolving disputes, investigating and attending to inquiries or complaints with respect to your use of our Services;
  • Your explicit and freely given consent when we ask for your consent to process your personal information for a specific purpose that we communicate to you. When you consent to our processing your personal information for a specified purpose, you may withdraw your consent at any time and we will stop processing your data for that purpose.
  • Compliance with a legal obligation when we use your personal information to comply with laws, a court order, a warrant or other relevant legal instrument. 

Given our commitment to compliance as a company, it is unlikely that Spherity will rely on the grounds of legitimate interests, owing to loopholes and grey areas arising out of this ground which do not lend well to the protection of personal data for a data subject.

Third-country transfers of personal data

These consist of transfers out of the European Economic Area. Whenever we transfer personal information to countries outside of the European Economic Area, we ensure that the information is transferred in accordance with this Privacy Policy and as permitted by the applicable laws on data protection. We rely on European Commission adequacy decisions or use contracts with standard safeguards published by the European Commission. This is for example, how we use HubSpot in a compliant way, as explained above.

 

What are your data rights?

If you have personal data processed by Spherity, you are a ‘data subject’. As a data subject, you have a number of rights which we, Spherity, as the data controller for your data, must uphold. 

Right to information (Art. 15 GDPR)

Data subjects have the right to obtain information about whether and, if so, what information is stored about them and for what purposes. Art. 15 GDPR conclusively regulates which information must be made available to the data subject. In addition, he or she is also entitled to a free copy of the data.

Right to rectification (Article 16 of the GDPR)

Pursuant to Article 16 of the GDPR, the data subject has the right to demand that the controller rectify any inaccurate personal data without undue delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

Right to erasure (Art. 17 GDPR).

The data subject has the right to request from the controller that personal data concerning him or her be erased without undue delay and the controller is obliged to erase personal data without undue delay.

Right to restriction of processing (Art. 18 GDPR).

The data subject has the right to request the controller to restrict the processing of his/her data.

Right to data portability (Art. 20 GDPR)

The data subject has the right, provided that the conditions are met, to receive the personal data concerned that he or she has provided to a controller in a structured, commonly used and machine-readable format and he or she has the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided.

Right to object (Art. 21 GDPR)

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f). This can be done both in automated and electronic form.

If you want to act on one of these rights, you can make a request. Upon receiving a request, we have one month to act on your request. If you would like to make a request, please contact us at:

Contact email: info@spherity.com

How long do we keep your data for?

Spherity will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

What are cookies?

Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our website, we may collect information from you automatically through cookies or similar technology.

For further information, visit: allaboutcookies.org

How do we use cookies?

Spherity uses cookies in a range of ways to improve your experience on our website, including:

  1. Helping to understand how you use the website.
  2. Helping to aggregate data about the performance of the website.
  3. Google analytics as described above.

For any cookie on Spherity’s website, regardless of whether it collects personal data or not, Spherity has the cookie disabled by default. This is important given the CJEU ruling in the Planet 49 case which ruled that any pre-ticked cookie boxes do not constitute valid consent.  

Spherity also respects the ‘Do not Track’ header.

How to manage cookies

You can set your browser not to accept cookies. ​You can block cookies by installing a browser add-on such as Privacy Badger or uBlock Origin. However, in a few cases, some of our website features may not function properly as a result.

Children

Spherity’s services are not directed to children and/or persons under the age of majority in their respective jurisdictions. Spherity do not knowingly collect personal data from individuals under eighteen (18) years of age. Any data found to be collected from a person under the age of eighteen will be expressly removed, unless we receive explicit permission from a parent or legal guardian. 

Changes to our privacy policy

Spherity keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 03 May 2021.

 

How to contact us

If you have any questions about Spherity’s Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at:

Contact email: info@spherity.com

Mail address: Emil-Figge-Straße 80, 44227 Dortmund, Germany

Competent supervisory authority

Should you wish to report a complaint or if you feel like Spherity has not addressed your concern in a satisfactory or timely manner, you may contact the relevant competent supervisory authority. 

The supervisory authority responsible for our company is:

 

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia

Kavalleriestr. 2-4

40213 Düsseldorf

Telephone: +49 (0)211 38424-0

poststelle@ldi.nrw.de