Last updated: August 2024
Any collection, processing and use (hereinafter "use") of data is solely for the purpose of providing our services. Our services have been designed to use as little personal information as possible. For that matter, "personal data" is understood as all individual details about a person or factual circumstances of an identifiable natural person (so-called "affected person"). The following statements on data protection describe what types of data are collected when accessing our App, what happens with these data and how you may object to data usage.
Responsible within the meaning of the EU General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) is:
Delightex GmbH
Address: Christoph-Rapparini-Bogen 25, 80369 Munich, Germany
Email: info@cospaces.io
Homepage: CoSpaces Edu – in the App Store (apple.com) / CoSpaces Edu – in Google Play / cospaces.io
The data protection officer is:
Kemal Webersohn of WS Datenschutz GmbH
If you have questions about data protection, you can contact WS Datenschutz GmbH at the following email address: delightex@ws-datenschutz.de
WS Datenschutz GmbH
Dircksenstraße 51
D-10178 Berlin
We have taken technical and organizational measures to ensure that the requirements of the EU General Data Protection Regulation (GDPR) are met by us, as well as, by external service providers working for us.
If we work with other companies to provide our services, such as email and server providers, this will only be done after an extensive selection process. In this selection process, each individual service provider is carefully selected for its suitability in terms of technical and organizational data protection skills. This selection procedure will be documented in writing and an agreement on the order processing of data (data processing agreement) will only be concluded if the third party complies with the requirements of Art. 28 GDPR.
We maintain a comprehensive privacy and security program that is aimed to protect the security, confidentiality, and integrity of your personal data at all times. We always consider privacy and security when developing or improving CoSpaces Edu and comply with applicable laws. We also provide resources on these topics to our users.
Your information will be stored on specially protected servers. Access to it is only possible for a few specially authorized persons. Our App is SSL/TLS encrypted, as can be seen by the https:// at the start of our URL.
We do not collect, maintain, use or share personal data beyond that needed to run our application.
We do not sell personal data or any other data.
We do not advertise to students through our application.
We process personal data only if necessary in order to run our application. As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out according to the standards of the erasure concept, unless legal or contractual regulations oppose this.
The Children’s Online Privacy Protection Act (COPPA) protects personal information belonging to a child younger than 13. We do not require users younger than 13 to disclose more information than is reasonably necessary to use our services and have taken measures to ensure that the COPPA requirements are met by us, as well as by external service providers we work with.
The data collected by us includes student data that may be subject to the Family Educational Rights and Privacy Act (FERPA), such as student names or student-generated content. For that matter, we have taken measures to comply with FERPA requirements and ensured that external service providers also meet the requirements to this extent.
When visiting our App, AWS web servers temporarily store every access in a log file. The following data may be collected and stored by AWS until automated erasure:
We do not access or analyze this data, which is stored on AWS servers.
We use the services of AWS for hosting purposes. The data processing is carried out by: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, Luxembourg 1855, Luxembourg (a subsidiary of Amazon.com Inc., 410 Terry Avenue North, Seattle WA 98109, USA).
AWS hosting services are used to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services, which we use for the purpose of operating this online offer.
You can find more information on the data protection of the service provider here: https://aws.amazon.com/de/privacy/
The legal basis for the temporary storage of the data and log files is Art. 6 para. 1 s. 1 lit. f) GDPR. Our legitimate interest is to make our App accessible for you.
The processing of this data serves: the purpose of enabling the use of the App (connection establishment), system security, the technical administration of the network infrastructure, as well as to optimize the App. The IP address is evaluated only in case of attacks on our network infrastructure or the network infrastructure of our internet provider.
As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out. This happens as soon as you close our App. Our hosting service, Amazon Web Services (AWS), might use data for statistical purposes. Any personal data will be anonymized for this. Our hosting service will delete this data after a period of 6 months.
The data processing is necessary in order to present the App and to ensure the App’s operation. Therefore, objecting is impossible.
Our App uses cookies. This means that when using the App, cookies are stored on your computer. Cookies are small text files which are assigned to the browser you are using and which are stored on your hard drive. Through this information flows to us or the party who set the cookie. Cookies cannot run programs on or transmit viruses to your device. The following data may be transmitted:
The legal basis for the processing of data for cookies, which serve only the functionality of this App, is Art. 6 para. 1 s. 1 lit. f) GDPR.
Our legitimate interests are to provide you with a working App connection and to ensure a comfortable use of this App.
Session cookies are deleted when you log out or close the App.
We only use cookies that are technically necessary to provide you with our services. The use of these is indispensable, which is why it is not possible to object in this case, otherwise the app cannot be used.
When you download our app, the Google Play Store and iOS AppStore require specific information from you and the following data will be transferred:
We would like to point out that when using our apps, the so-called "Coarse Location Permission" can be requested from the user. This is one of the confidential Android or iOS permissions. This authorization request is displayed graphically with a system dialog within the app and must be issued/confirmed by the user. This is a security feature of Google and Apple. This gives Cospaces permission to determine the approximate user location. However, we do not use this permission to determine the approximate location of the user. However, it is possible that Google and Apple process this data. The possible data processing for the European Economic Area and for Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google's privacy policy can be found at: https://www.google.com/policies/privacy/ Apple Inc., 1 Apple Park Way, Cupertino, California, United States.Apple’s privacy policy can be found at: https://www.apple.com/legal/privacy/
The processing of this data takes place on the basis of Art. 6 para. 1 sentence 1 lit. a) GDPR.
The data processing by Google and Apple takes place for the purpose of enabling the use of the app. It is used for system security at Google and Apple.
According to Google and Apple, the personal data will be deleted as soon as they are no longer required for the above-mentioned purposes.
The collection of data for the provision of the app is intended for the operation of the app by Google and Apple as a security feature. If you have any questions about data protection, you can contact Google using the following contact form: https://www.google.de/contact/ or contact Apple using the following contact form: https://support.apple.com/contact
The data subject can register in our App. This requires the data subject to enter personal data in the registration form. Depending on whether you register with us as a student or teacher, we process the following data:
Registration as a teacher:
Registration as a student:
The information provided by the data subject in the registration mask will be used exclusively for processing and will not be disclosed to third parties.
If the data subject enters required personal data in the registration form, the legal basis of the data processing is based on Art. 6 para. 1 s. 1 lit. b) GDPR. However, if the user also enters personal data in the optional input field, the data processing is based on Art. 6 para. 1 s. 1 lit. a) GDPR.
The sending of emails about your registration information is based on Art. 6 para. 1 s. 1 lit. b) GDPR.
The processing of personal data is used solely for us to finish your registration and organize your App account.
The data are deleted as soon as the purpose of storage is no longer required. This is the case if you delete your account and no statutory or regulatory retention periods of erasure contradict. Your data will be stored according to your respective location on servers located either in Europe, the United States or Asia Pacific. A list of countries and their respective server locations can be found under https://cospaces.io/edu/server-regions.html
During and after the registration, the data subject is free to change, correct or delete their personal data. If a user account has not been active for 18 months, it will be automatically deleted.
If you already own an account on Apple, Clever, Google, Microsoft or NAVER, you can register with your account (Third-Party Login). By doing so, you will be linking your account to your CoSpaces account and can also sign up on our web app with your third party-account in the future.
Following data will be provided to us from your chosen third-party account (Apple Inc., Clever Inc., Google LLC., Microsoft Corporation, NAVER Corp.):
For more information regarding each third-party login, the transmitted data and the data privacy settings of your account, we refer to the following data policies of each account provider:
Apple: https://www.apple.com/legal/privacy/de-ww/
Clever: https://clever.com/trust/privacy/policy
Google: http://www.google.com/policies/privacy/?hl=de
Microsoft: https://privacy.microsoft.com/de-de/privacystatement
NAVER: https://policy.naver.com/policy/privacy_en.html
As far as we receive your first and last name as well as your email address, the legal basis of the data processing is based on Art. 6 para. 1 s. 1 lit. b) GDPR. All further information is given to us voluntarily. Therefore, data processing is based on Art. 6 para. 1 s. 1 lit. a) GDPR.
The third-party login facilitates the use of our registration function. We also use third-party logins to make our website better known.
Third-party login data is stored until the declaration of a revocation and used as described.
You can prevent this data processing by using our regular registration process. During and after the registration, the data subject is free to change, correct or delete their personal data. As far as the data processing is based on your consent, you can withdraw your consent to this data processing at any time regarding future processing in accordance to Art. 7 GDPR. Further adjustments may be possible within the settings of your third-party account.
Within the CoSpace website, the "Google Programmable Search Engine" (Google PSE) is used as the central search service. The integrated search service enables a full-text search for content from the official and globally accessible Internet offering.
Data processing for the European Economic Area is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The following data is collected and stored until it is automatically deleted:
The following data is processed within our own servers:
For further information on Google's privacy policy, please refer to the following link: https://www.google.de/intl/de/policies/privacy/
The legal basis for the temporary storage of the data and log files is Art. 6 para. 1 s. 1 lit. a) GDPR. This means that this function is not activated automatically, but requires your explicit consent by activating it in the settings.
The processing of this data serves the purpose of searching for images within the CoSpace via the integrated web search and processing them further using drag and drop.
The data will be deleted as soon as the purpose of the data processing has been fulfilled and there are no legal, official or contractual retention periods to prevent deletion.
You can object to the processing of your data at any time. If you have any questions about data protection or wish to exercise your rights, please contact our data protection officer. Further information about Google can be found at the following link: https://developers.google.com/custom-search/docs/overview
In our continuous effort to improve the user experience and simplify the use of our services, we have introduced an integration with Google Classroom. This integration allows teachers to create and manage "CoSpaces assignments" through their Google Classroom classes.
The processing of this data takes place on the basis of Art. 6 para. 1 sentence 1 lit. a) GDPR. We would like to emphasize that the protection and security of our users' personal data is of the utmost importance. When using the Google Classroom integration, no personal data of students or teachers is collected or shared without their explicit consent.
To use this feature, the admin of the license plan must enable the Google Classroom integration under the license plan settings first. Once enabled, teachers that are a part of the same license plan will be able to access Google Classroom features to manage their class assignments efficiently.
The data will be deleted as soon as the purpose of the data processing has been fulfilled and there are no legal, official or contractual retention periods to prevent deletion.
We run a forum. Users can leave comments in the forum. These posts can also be commented on by third-party users. If the user publishes a comment in our Forum, we store and publish, in addition to the comment content itself, following data:
A transfer of the data to third parties does not take place, unless the affected person has given his/her consent.
This data processing is legally based on our legitimate interest (Art 6 para. 1 s.1 lit. f) GDPR) in enabling our users to participate in an active and fair community.
All data that you disclose in the context of the commenting function are given voluntarily, so that the storage of this data is based on the legal basis of Art. 6 para. 1 s. 1 lit. a) GDPR.
The collection of data is intended to ensure the stability and usability of this website and the forum. Also, it is necessary to prevent misuse of the commenting function. In addition, comments enable our users to share their questions and experiences.
We process personal data only as long as necessary. As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out according to the standards of the erasure concept, unless legal or contractual regulations oppose this.
As far as our data processing is based on our legitimate interest, you have the possibility of objecting to data processing (see Art. 21 GDPR and “Your rights”). In the event of a disagreement, please provide us with the reasons why we should not process your personal data as we have done. We will then examine the situation and either discontinue or adjust the data processing or will tell you based on which reasons we have to continue this processing.
As far as the data processing is based on your consent, you can prevent it by not agreeing with them. You also have the option to withdraw your consent at any time (see Art. 7 GDPR and “Your rights”). A withdrawal only applies to any processing that takes place after it has been pronounced. This can be done by telephone, mail, email or any other means. In case we delete your account, the comment content will remain visible for all visitors, but your account information will be anonymized and is no longer retrievable. All other data will be deleted.
We use hCaptcha from Intuition Machines, Inc., to protect us from excessive spam. This program is designed to ensure that the inquirer is a human and not an automated program:
Intuition Machines, Inc. 1065 SW 8th St #704, Miami FL 33130, USA.
It processes most data locally or regionally, anonymizes or promptly discards any personal data, and adheres to strict data retention and minimization policies. hCaptcha also provides enterprise features for zero personal data (PII) processing and has mechanisms to geographically restrict data access.
Further information on the handling of personal data can be found in the privacy policy https://www.hcaptcha.com/gdpr. Intuition Machines, Inc. is US Data Privacy Framework certified: Data Privacy Framework.
Data processing is based on the legitimate interest acc. to. Art. 6 para. 1 s. 1 lit. f) GDPR. Our legitimate interest lies in the fact that there are natural persons with a potential interest behind the requests. By limiting the number of requests, we can respond to individual requests more quickly and efficiently and at the same time protect our website against automatically distributed malware.
hCaptcha is a service used to differentiate between human users and automated bots on websites. It serves as a security measure to protect sites from spam and abuse. By presenting challenges that are easy for humans to solve but difficult for bots, hCaptcha ensures that the interactions on a site are legitimate.
hCaptcha is designed to operate without any long-term retention of personal data at all.
You may object to the processing of your data on grounds relating to your particular situation. For this purpose, please contact our data protection officer.
When you shop in our App, we will process your first name and surname, address and email address to complete the purchase agreement and the delivery agreement with you.
The legal basis for this data processing is Art. 6 para. 1 s.1 lit. b) GDPR. We are processing your data for the fulfilment of purchase contracts and supply agreements.
We process your data to close the contract, to handle the payment, for billing, to ensure on-time delivery and to inform you about that delivery.
We provide your data to our contracted processors and service providers, so that they can process the delivery and, if necessary, communicate with you to announce and coordinate the delivery of your ordered goods.
We process personal data only as long as necessary. As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out according to the standards of the erasure concept, unless legal or contractual regulations oppose this.
The data processing is necessary in order to be able to process your purchase contract, which is why it cannot be waived. There is therefore no option to object.
We offer Stripe as a payment service. With Stripe, you can use payment information stored in your Stripe account to make purchases quickly and securely. To use the payment service through Stripe, prior registration is required. The data processing is carried out by: Stripe Payments Europe Ltd (subsidiary of Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA).
Data processing by Stripe is carried out only for bookings that require online payments. The information collected by Stripe includes:
Different payment methods may require the collection of different categories of data. The payment method information Stripe collects depends on the payment method you choose. When you complete a transaction, Stripe may also receive:
For more information, please see Stripe's privacy policy: https://stripe.com/en-lu/privacy
Our legal basis is based on Art. 6 para. 1 s. 1 lit. b) GDPR.
The transmission of the data is necessary to prevent any misuse. We inform you that Stripe may transmit the personal data to credit agencies. This is because Stripe reserves the right to check your identity and creditworthiness.
We will only store your data for as long as is necessary to process your payment and invoice you. If you are a Stripe user, Stripe will retain your personal data for as long as the services are provided to you. The data will then be deleted unless there are regulatory, contractual or legal retention obligations that prevent deletion.
The data processing is mandatory in order to be able to process your payment via Stripe, which is why it cannot be dispensed with if you have chosen this payment method. There is therefore no possibility to opt out.
In order to be able to provide our services, we use the support of service providers from third party countries (non-EU countries). In order to ensure the protection of your personal data in this case, we conclude processing contracts with each - carefully selected - service provider. All of our processors provide sufficient guarantees to implement appropriate technical and organizational measures. Our third country data processors are either located in a country with an adequate level of data protection (Art. 45 GDPR) or provide appropriate safeguards (Art 46 GDPR).
Adequate level of protection: The provider comes from a country whose level of data protection has been recognized by the EU Commission. For more information, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
EU standard contract clauses: Our provider has submitted to the EU standard contractual clauses to ensure secure data transfer. For more information, see: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
Binding Corporate Rules: Article 47 of the GDPR provides the possibility of ensuring data protection when transferring data to a third country via Binding Corporate Rules. These are examined and approved by the data security authorities within the framework of the consistency mechanism pursuant to Art. 63 GDPR.
Consent: In addition, a data transfer to a third country without an adequate level of protection will only take place if you have given us your consent in accordance with Art. 49 sec. 1 lit. a) GDPR for this purpose.
You have the following rights with respect to the personal data concerning you:
If you have given your consent to the processing of your data, you can withdraw it at any time. This will affect the admissibility of processing your personal data by us for the time after you have withdrawn your consent. To withdraw your consent, contact us personally or in written form.
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data and the following information:
In the case of such a request, you must provide enough information about your identity to proof that the request concerns your own personal data.
You have the right to obtain from us without undue delay the rectification and completion of inaccurate personal data concerning yourself.
You may also request the erasure of your personal data if any of the following applies to you:
Where we made the personal data public and are obliged to erase the personal data pursuant to Art. 17 para. 1 GDPR, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
These rights shall not apply to the extent that processing is necessary:
You shall have the right to obtain from us restriction of processing where one of the following applies:
Where processing has been restricted under the aforementioned conditions, such personal data shall, except for storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the limitation of the processing is restricted, you will be informed by us before the restriction is lifted.
If you have asserted to us your right to rectification, erasure or restriction of data processing, we will inform all recipients of your personal data to correct, delete or restrict the processing of data, unless this proves impossible or involves disproportionate effort.
You also have the right to know which recipients have received your personal data.
You have the right to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format. Also, you have the right to transmit those data to another controller, where
In exercising your right to data portability, you have the right to obtain that personal data transmitted directly from us to another controller, as far as technically feasible. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority that has been delegated to us.
Where we based the processing of your personal data on a legitimate interest (Art. 6 para. 1 s. 1 lit. f) GDPR), you may object to the processing. The same applies if the data processing is based on Art. 6 para. 1 s. 1 lit. e).
In this case, we ask you to explain the reasons why we should not process your personal data. Based on this we will terminate or adapt the data processing or show you our legitimate reasons why we continue the data processing.
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of the personal data concerning you is against the infringes of the GDPR.
The supervisory authority to which the complaint has been submitted shall inform you of the status and results of the complaint, including the possibility of a judicial remedy according to Article 78 GDPR.
To exercise these rights, please contact our data protection officer:
Kemal Webersohn from Webersohn & Scholtz GmbH
or by mail:
WS Datenschutz GmbH
Dircksenstraße 51
D-10178 Berlin
We reserve the right to change this privacy policy in compliance with legal requirements. In the case that personal data will be used in any manner inconsistent to the terms initially provided, we will inform you in a timely manner, allowing you to make a choice before such changes are enforced.
August 2024