Privacy notice for SendStack

We at SendStack believe that everyone has the right to privacy and to choose for themselves what personal data to share (or not), including in newsletters. Many aren’t aware that their every open, click, forward and other actions are sometimes carefully monitored by the sender. This isn’t necessarily an issue though, if people make sure that their subscribers are aware of and accept this monitoring – unfortunately many aren’t even doing that... Providing clear and transparent information about processing someone’s personal data is key – so we try our best to do that in our own notice here. If you have any questions or concerns, simply reach out to us!

This privacy notice explains how we process your personal data when using SendStack as per the General Data Protection Regulation (GDPR) and other relevant privacy and data protection laws applicable to our business.

If you have any questions about this privacy notice, feel free to contact us at:

Company name: Beyond Code GmbH, VAT ID: DE315110518
Business address: An der Lingenmühle 10, 41061 Mönchengladbach, Deutschland
Email address: support@beyondco.de

Your data protection rights

Let’s first start with what everyone should know about the GDPR – your rights, which include:

  • Access and rectification: You can request access to or a copy of the information we process about you and ask us to fix any incorrect data.
  • Erasure, restriction and objection: You may ask us to delete, restrict and/or object to the processing of your personal data. Note, however, that we can’t delete anything we’re required to process (for example for bookkeeping/accounting/tax purposes).
  • Data portability: You may ask us to transfer your personal data to you or to another organisation (but we’re not always required to – just get in touch and we’ll see if we can).

We sure hope it won’t ever get to this, but if you’re unhappy about how we process your personal data, you have a right to complain to a national data authority, which in our case is the Data Protection Commissioner of the state of North Rhine-Westphalia:

State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia
Kavalleriestrasse 2-4
40213 Düsseldorf, Germany
poststelle@ldi.nrw.de

Please consider contacting us first so we can try to rectify what we’ve done wrong, though! And reach out if you have any questions about or want to exercise any of these rights.

PS: Did you know that you’re entitled to a reply within 30 days? Good to know in case you want to exercise your GDPR rights anywhere. ;)

How we get your personal data

For SendStack (our marketing site and the service itself), we process personal data about website visitors, newsletter subscribers, potential customers (including those on our early access list and on trial) and customers (current and former).

We process personal data when you:

  • visit/use our website
  • sign up for our early access list and/or a trial
  • subscribe to our newsletter
  • subscribe to the service (SendStack)
  • respond to one of our surveys

It is voluntary to provide us with personal data, but if you choose not to, we may not be able to provide you with our services. We do not rent, buy or sell personal data from or to others, use automated decisions or profiling in the processing of your personal data or process special category data.

Purpose, lawful basis and retention periods

We only process your personal data when we have a purpose and a lawful basis for doing so. Under the GDPR Article 6(1), the lawful bases we rely on are:

  • a) Your consent
  • b) We have a contractual obligation (contract)
  • c) We have a legal obligation
  • f) We have a legitimate interest

As a rule, personal data should not be processed and kept for longer than necessary to fulfil the purpose for processing.

Your personal data is only retained for as long as we have a purpose and a lawful basis:

  • Until you withdraw your consent (for example for newsletters)
  • For as long as we have a contractual obligation (for example for sales)
  • For as long as we have a legal obligation in accordance with accounting and bookkeeping rules and/or other legal requirements and regulations (for example for employment)
  • For as long as we have a legitimate interest (for example marketing to existing customers)

You can always withdraw your consent for any data processing based on consent, and you can also reach out to us at any time if you’d like us to stop processing and/or ask us if we can delete your personal data.

Details on the processing of your personal data

In this section we describe in detail when and how we process your personal data, for what purposes and our legal grounds to do so (lawful bases). We also specify the retention periods for the processing.

We process personal data when:

You communicate with us

Depending on how you contact us (usually via email), we process your name, contact details, IP address and other information you choose to send to us. Sometimes we may also speak via an online meeting platform (but we won’t record any such meetings) and we use a customer service system to streamline our support.

The purpose is to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. The lawful basis is f), where the legitimate interests are to be able to respond to your inquiries and, on some occasions, to keep records in case of complaints or legal claims. We review this data at regular (internal) GDPR audit days and delete personal data as appropriate, typically every other year.

You subscribe to, pay for and use SendStack

When you sign up for a SendStack subscription, you share your name, email address, contact details, IP address, payment information (including cardholder name, billing address, card payment identifiers, payment amount and payment date), order and purchase history. We use Paddle.com Inc. as our (third-party) payment provider and don’t store any payment card details ourselves. Paddle will use Google Analytics cookies on our checkout page if you previously visited their website (paddle.com) and consented to such cookies. Please read Paddle’s privacy policy for further details and contact information. When you use SendStack, we will monitor usage data like device, browser and connection info, to see if and how our service can be improved.

The purpose of processing your personal data as described above is to fulfil our obligation to deliver the services you have purchased and to manage our customer relationship. The lawful bases are b) contract and c) legal obligation related to accounting, tax and other business rules and regulations we are required to abide by. Usage data is based on f), where our legitimate interests are to continually improve our website and business.

We process the data for as long as you’re a customer and we have a legal obligation as per any applicable rules and regulations we are bound by. For example, we’re required by our national (German) law to store business records (which may include personal data) for 10 years for accounting, tax and other business purposes. Please contact us if you would like to know what is applicable in your case.

You receive marketing as an existing customer

If we have an existing customer relationship with you, we may send you marketing (likely via email), processing personal data like your name, email address, IP address and message content. The purpose is to provide you with good customer service and the lawful basis is f), where the legitimate interest is to offer our relevant products and services to provide excellent service to our customers. The lawful basis may also be a), where you have given us your consent to such marketing.

You can easily opt out of the marketing at any time by clicking the unsubscribe link attached to every marketing email you receive. We process the data for as long as we have a customer relationship with you and/or until you unsubscribe or withdraw your consent. The personal data related to marketing will then be deleted at our next GDPR audit day.

You apply for a job or work at our company

When you apply for a job with us, we process personal data such as your name, contact details, CVs, references, and other information relevant for a particular role. The purpose is to be able to assess your application and the lawful basis is b), necessary for the performance of a contract.

For employees, we process personal data as mentioned above, in addition to other general employment data (for payroll, insurance, sick leaves etc.). The purpose is to be able to manage the employment relationship. The lawful basis for this is b) contract, and possibly Article 9(2)(b) and (h) for special categories of personal data, as well as c) legal obligation related to labour laws.

As a rule, employee information is deleted when the employment relationship ends. However, in the unlikely event of a dismissal or dismissal dispute, it may be necessary to keep employment data for a longer time. Job applicants can ask us to retain their data for other applications in the future (which will then be based on a) your consent), otherwise the information is deleted when a candidate has been selected, at the latest at our next GDPR audit day.

You subscribe to our email newsletter

We regularly send out email newsletters which sometimes contain information about our services. When you become a subscriber, we process personal data such as your name, email address and IP address. The purpose is to share company updates, interesting articles and other content we think might be useful for you. The lawful basis is a) consent and you can easily unsubscribe at any time by clicking the "unsubscribe" link in any such newsletter. We process the data for as long as you subscribe, after which it will be deleted at our next GDPR audit day.

PS: Did you notice that we don’t need a lawful basis for processing “newsletter analytics” personal data? That’s because our entire service was built without any such surveillance.

You respond to our surveys

Responding to our surveys is voluntary. We process personal data such as your name, contact details and other information you choose to share with us. Some surveys are anonymous, which means we don’t process any personal data. We will always let you know what type of survey we do and what, if any, personal data we intend to process.

The purpose is to gather your feedback so that we can continuously improve our products and services, as well as provide you with the best customer service possible in the future. The lawful basis is a) consent. We review any such personal data at our regular GDPR audit day and delete personal data as appropriate, however no later than 3 years after you responded to the survey. Of course, you can contact us at any time to have any such personal data deleted earlier!

You supply services to or collaborate with us

When you enter into an agreement with us either as a vendor, partner, processor or similar, we process personal data such as your name, contact details and correspondence. The purpose is to be able to enter into this agreement and to respond to your inquiries and the lawful basis is b) contract. We review this data at our regular GDPR audit day and delete personal data as appropriate, however no later than 5 years after the contract has been terminated, unless the personal data is part of business records we’re required to keep for 10 years as per national German law. We process other communication data as per the first paragraph in this chapter (please see above).

You use our website

When you use our website, we use only technical cookies for the login and login-related functionality. Such cookies are strictly necessary for our site to function and don’t require consent as per the ePrivacy directive.

We also use an analytics script from Fathom Analytics, one of the most privacy-protecting analytics companies on the market. As a privacy-focused company, we (obviously) want to process as little personal data as possible. Fathom Analytics doesn't even use cookies, complies with the GDPR and ePrivacy directive (including PECR), and only keeps IP addresses and timestamp logs when an IP address is determined to be attacking their infrastructure. You can read more about this on their website.

The purpose of using an analytics tool at all is to understand our website traffic, in the most privacy-friendly way possible, so that we can continually improve our website and business. The lawful basis is f), where our legitimate interests are to continually improve our website and business.

Whom we share your personal data with

We don’t share more personal data with other parties than is strictly necessary to run our business efficiently and securely. This includes sharing your personal data with parties such as:

  • Public authorities we are obliged to report to
  • Our accountant, auditor, lawyer and others helping us in a professional capacity
  • Data processors: providers of services that process your personal data on our behalf*
  • IT support, if necessary

We require that all recipients secure data in accordance with accepted information security standards and are bound by confidentiality (either in a contract between us or acting under an appropriate statutory obligation of confidentiality). We ensure that data processing terms are in place with anyone who processes data on our behalf, in line with the requirements in the GDPR Article 28(3).

We use processors for:

  • Email, calendar and online meetings
  • Accounting/bookkeeping and invoicing
  • Cloud storage
  • This website, which includes our online store, online payments and online web portal (where you access the services you purchase from us)
  • Business receipts
  • Newsletters
  • Project management, timekeeping, digital notebook and scheduling
  • Signing documents electronically
  • Surveys and customer satisfaction feedback

To protect our business, we don't publish further details (like names) of our processors. If you'd like to know more about our processing and whom we share your personal data with, please contact us.

Transfer of personal data outside the EU/EEA

In some cases, your personal data will be transferred outside the EEA (the EU member states plus the EEA countries Iceland, Norway and Liechtenstein), for example where we use processors to manage payments and transactional emails.

As a privacy-focused company, we are picky about the vendors and third parties we use. We assess their business overall (for example their business reputation), security measures (and if they’ve had any data breaches), GDPR compliance (do they have an adequate website privacy notice, do they keep records of processing activities etc.) and legal documents.

We only use processors we trust, that are well known and with whom we have data processing terms in place (in line with the GDPR Article 28(3)). We check whether a country outside the EEA offers an adequate level of data protection (has obtained an EU “adequacy decision”) or, if this is not the case, that other necessary safeguards are in place like the EU standard contractual clauses (“SCC”, also called Model Clauses) for the international transfer of personal data. If you want further details on such transfers, please contact us.

Security

We take security very seriously and we will always do our utmost to safeguard your personal data in the best possible way (as also described in the paragraph above). For example, our personnel use strong passwords, a password manager and have enabled two-factor authentication, where possible. We use encryption where possible/logical, have implemented access control, and several other measures to secure our personal data and prevent unauthorized access, alteration and deletion. We have worked with software development for many years, and we have robust knowledge in this area.

We only allow others to access and/or process your personal data in accordance with our instructions, only when strictly necessary and subject to confidentiality. If we experience a personal data breach, i.e., a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected, we will notify the national data authority within 72 hours. If the risk is deemed high for the people affected, we will also notify them directly, if possible.

We hope the above provides you with transparent and clear information about how we process your personal data. If you have any questions at all, please reach out. We work every day to create an awesome, privacy-friendly newsletter service and we highly value your feedback.

This privacy notice was last updated: 2021-12-15