Privacy Policy

The controller for the collection, processing, and use of your personal data in accordance with Art. 4 No. 7 GDPR is:

Chordis GmbH
Düsseldorfer Straße 105
40545 Düsseldorf
Germany

Commercial Register: Amtsgericht Düsseldorf
Registration Number: HRB 110143
VAT ID: Pending

Email: privacy@chordis.de
Phone: +49 (0) 15253620236

If you wish to object to the collection, processing, or use of your data in accordance with these data protection provisions, either in whole or for specific measures, you can send your objection to the controller.

You can save and print this privacy policy at any time.

Below, we explain what personal data we use, for what purpose, and on what legal basis. When we refer to "website" or "service", we are referring to our product "Chordis" with its associated components, specifically the web application at Chordis.eu.

A separate privacy policy exists for our marketing website Chordis.de.

2.1 Hosting

We use hosting services to provide the following: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we require to operate the service.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta-, and communication data based on our legitimate interest in an efficient and secure provision of our website or service in accordance with Art. 6(1) sentence 1 f) GDPR.

2.2 Access Data in Server Log Files

When you visit our website, we collect information about you. We automatically record things like your activities on the site and how you interact with us. We also record information about your device, whether it's a computer or a mobile phone. This information helps us to better understand and improve our website.

The data we collect includes:

• The name and URL of the file you accessed
• Date and time of your visit
• How much data was transferred
• Whether the access was successful (HTTP response code)
• Which internet browser and version you are using
• Which operating system your device is running
• The page you came from (Referrer URL)
• Other websites you visited via our site
• Information about your internet provider
• Your IP address and from which provider you have your internet connection

We use this collected data to make our website safer and better. This helps us find and fix errors, as well as improve our services. We only use this data for general statistical analysis and not to identify you personally. This is important for the secure operation of our website.

Sometimes we also review this data more closely if we suspect that someone is using our website in an unauthorized manner. We store your IP address for a short time if it is necessary for security reasons or for billing purposes. After you leave the website or a payment is made, we delete the IP address if we no longer need it. We also retain IP addresses if we believe someone is using our website for criminal activities.

2.3 Cookies

We use cookies to ensure the functionality of our service. For this purpose, only technically necessary cookies are stored. Since sensitive data is processed in the product's components, especially on Chordis.eu, we explicitly do not use any technically unnecessary cookies here.

2.3.1 What are Cookies?

A cookie is a small text file that we store on your hard drive or device when you visit our website. This file contains various information that allows our website to provide you with a pleasant visit, e.g., by "remembering" certain information or preferences you have set.

When a cookie is activated, it is assigned an identification number. Your personal data is not linked to this identification number. Your name, IP address, or similar data that would allow the cookie to be associated with you are not stored in the cookie. Using cookie technology, we only receive pseudonymized information, e.g., about pages visited or offers viewed.

Without the use of cookies, websites cannot save your preferences or registration details for your next visit.

2.3.2 What Cookies Do We Use?

We use technically necessary cookies that enable certain core functions of our service. This could, for example, be the storage of certain data or settings.

The use of technically necessary cookies is based on our legitimate interest in accordance with Art. 6(1) sentence 1 f) GDPR. Our service is intended to be user-friendly and functional, and the use of these cookies generally does not impair your interests as a data subject. Therefore, a case-by-case assessment is usually not necessary. Insofar as a cookie is necessary to provide our service to you, the legal basis is Art. 6(1) sentence 1 b) GDPR.

2.4 Data for Fulfilling Our Contractual Obligations

We process personal data that we need to establish a contractual relationship with you and to fulfill our contractual obligations within an existing contractual relationship, such as name, address, email address, ordered services, billing, and payment data.

The legal basis for processing this data is Art. 6(1) sentence 1 b) GDPR, as this data is required for us to fulfill our contractual obligations to you or to initiate a contract with you.

2.5 Email or Phone Contact

If you contact us (e.g., by phone, contact form, or email), we process your information to handle your request and in case further questions arise.

If the data processing is for pre-contractual measures taken at your request, or if you are already our customer, for the performance of the contract, the legal basis for this data processing is Art. 6(1) sentence 1 b) GDPR. Otherwise, we process your personal data based on our legitimate interest in answering your questions in accordance with Art. 6(1) sentence 1 f) GDPR.

Unless specified otherwise, we only store your personal data for as long as necessary to fulfill our purposes.

We delete your personal data after storage is no longer required (e.g., after your request has been fully answered, for the duration of our contractual relationship until its final termination), or – in the case of legal retention obligations – we restrict processing. Please note that further processing is particularly necessary for:

• Fulfillment of legal retention obligations, which may arise, for example, from the German Commercial Code (HGB) and the Tax Code (AO). The periods specified therein are up to ten years.
• Preservation of evidence within the framework of statutory limitation periods. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, although the regular limitation period is 3 years.

In some cases, the law requires the retention of personal data, such as in tax or commercial law. In these cases, we store the data only for these legal purposes, but do not process it otherwise, and delete it after the legal retention period has expired. The legal basis for this processing is Art. 6(1) sentence 1 c) GDPR.

Under applicable laws, you have various rights regarding your personal data. If you wish to exercise these rights, please send your request by email or by post, clearly identifying yourself, to the address mentioned in Section 1.

Below is an overview of your rights.

4.1 Right to Confirmation and Access

You have the right to clear information about the processing of your personal data.

Specifically:

You have the right at any time to obtain confirmation from us as to whether we are processing personal data concerning you. If this is the case, you have the right to request free information from us about the personal data stored about you, along with a copy of this data. Furthermore, you have a right to the following information:

• the purposes of the processing;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly in the case of recipients in third countries or international organizations;
• if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration;
• the existence of a right to rectification or erasure of the personal data concerning you or to restriction of processing by the controller, or a right to object to this processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• if the personal data is not collected from you, all available information about the origin of the data;
• the existence of automated decision-making, including profiling, in accordance with Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the scope and intended effects of such processing for you.

If personal data is transferred to a third country or an international organization, you have the right to be informed of the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transfer.

4.2 Right to Rectification

You have the right to request that we correct and, if necessary, complete personal data concerning you.

Specifically:

You have the right to request the immediate correction of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – including by means of a supplementary statement.

4.3 Right to Erasure ("Right to be Forgotten")

In a number of cases, we are obliged to delete your personal data.

Specifically:

According to Art. 17(1) GDPR, you have the right to request that we delete your personal data immediately, and we are obliged to delete personal data immediately if one of the following reasons applies:

• Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• You withdraw your consent on which the processing was based according to Art. 6(1) sentence 1 a) GDPR or Art. 9(2) a) GDPR, and there is no other legal ground for the processing.
• You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
• Your personal data has been unlawfully processed.
• The deletion of your personal data is required to fulfill a legal obligation under Union or Member State law to which we are subject.
• Your personal data was collected in relation to information society services offered pursuant to Art. 8(1) GDPR.

If we have made your personal data public and are obliged to delete it pursuant to Art. 17(1) GDPR, we will take appropriate measures, including technical ones, taking into account the available technology and implementation costs, to inform the data controllers processing your personal data that you have requested the deletion of all links to this personal data or of copies or replications of this personal data.

4.4 Right to Restriction of Processing

In a number of cases, you are entitled to request that we restrict the processing of your personal data.

Specifically:

You have the right to request that we restrict processing if:

• you contest the accuracy of your personal data, for a period enabling us to verify the accuracy of your personal data;
• the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of its use instead;
• we no longer need the personal data for the purposes of processing, but you require the data for the establishment, exercise, or defense of legal claims; or
• you have objected to processing pursuant to Art. 21(1) GDPR, pending verification of whether the legitimate grounds of our company override yours.

4.5 Right to Data Portability

You have the right to receive, transmit, or have us transmit your personal data in a machine-readable format.

Specifically:

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us, provided that

• the processing is based on consent pursuant to Art. 6(1) sentence 1 a) GDPR or Art. 9(2) a) GDPR or on a contract pursuant to Art. 6(1) sentence 1 b) GDPR and
• the processing is carried out by automated means.

In exercising your right to data portability pursuant to paragraph 1, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

4.6 Right to Object

You have the right to object to our lawful processing of your personal data if this is based on your particular situation and our interests in processing do not override yours.

Specifically:

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1) sentence 1 e) or f) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

If we process personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

You have the right, for reasons arising from your particular situation, to object to the processing of your personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

4.7 Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

Automated decision-making based on the collected personal data does not take place.

4.8 Right to Withdraw Consent

You have the right to withdraw consent for the processing of personal data at any time.

4.9 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you is unlawful.

We make every effort to ensure the security of your data within the framework of applicable data protection laws and technical possibilities.

To secure your data, we maintain technical and organizational measures (TOMs) in accordance with Art. 32 GDPR, which we continuously adapt to the state of the art. You can find the current measures at https://www.chordis.com/toms.

As a rule, we only use your personal data within our company.

If and to the extent that we involve third parties in the performance of contracts (such as logistics service providers), they will only receive personal data to the extent that the transmission is necessary for the corresponding service.

In the event that we outsource certain parts of data processing ("commissioned processing"), we contractually oblige processors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of your rights.

Insofar as data is transferred to controllers or processors in the USA, the legal basis is the adequacy decision between the USA and the EU of July 10, 2023, in accordance with Art. 45(1) GDPR in conjunction with the certification of the respective service (Certification list: https://www.dataprivacyframework.gov/list).

Only in cases where a controller or processor outside the EU does not fall under an adequacy decision, the following legal bases are considered:

• Specific consent in accordance with Art. 49 GDPR, if we obtain your specific consent for a particular transfer of personal data to a third country, or
• The Standard Contractual Clauses (SCC) provided by the EU Commission in accordance with Art. 46 GDPR in conjunction with an individual risk assessment for the respective data recipient in the third country.

We currently work with the following processors and subprocessors:

6.1 Subprocessors for Hosting Infrastructure

During the provision of the Chordis service, Chordis processes personal data on behalf of the respective customer. In doing so, Chordis uses the following subprocessors, in particular to store/host/collect personal data or provide other infrastructure.

1blu GmbH
Riedemannweg 60
13627 Berlin
Germany
Purpose: Provision of servers & standby systems for operating the Chordis.eu platform. Personal data in the form of customer data, such as contract information, is processed on these systems.

Statichost.eu
c/o Knackeriet
Sankt Paulsgatan 25
11848 Stockholm
Sweden
Purpose: Static website hosting of chordis.de. Personal data in the form of IP addresses are processed on these systems.

6.2 Service-Specific Subprocessors

Chordis works with third-party providers to deliver certain functions or features within the Chordis service. These providers have access to relevant personal data (both in identifiable and anonymous form) to provide their respective functions. The use of the information is limited to the purposes listed below.

Heinlein Hosting GmbH (mailbox.org)
Schwedter Straße 8/9A
10119 Berlin
Germany
Purpose: Sending non-transactional emails, calendar events and meetings.

6.3 Processors in Marketing, Sales, and Billing

Chordis processes certain personal data not on behalf of the respective customer but for its own purposes and under its own responsibility, in particular to conduct marketing analyses, map sales processes, and bill for subscriptions. For this, Chordis uses the following processors.

SENDINBLUE / Brevo.com
17 rue de Salneuve
75017 Paris
France
Purpose: Customer Relationship Management (CRM) for maintaining customer contacts, sending transactional emails