Data Privacy Statement (product)

Last updated: January 2024

Data privacy statement - CoSpaces Edu product

Any collection, processing and use (hereinafter "use") of data is solely for the purpose of providing our services. Our services have been designed to use as little personal information as possible. For that matter, "personal data" is understood as all individual details about a person or factual circumstances of an identifiable natural person (so-called "affected person"). The following statements on data protection describe what types of data are collected when accessing our App, what happens with these data and how you may object to data usage.

1 General information on data processing

1.1 Person Responsible (Controller)

Responsible within the meaning of the EU General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) is:

Delightex GmbH
Address: Christoph-Rapparini-Bogen 25, 80369 Munich, Germany
Email: info@cospaces.io
Homepage: CoSpaces Edu – in the App Store (apple.com) / CoSpaces Edu – in Google Play / cospaces.io

1.2 Name and address of the Data Security Officer

The data protection officer is:
Kemal Webersohn of WS Datenschutz GmbH

If you have questions about data protection, you can contact WS Datenschutz GmbH at the following email address: delightex@ws-datenschutz.de

WS Datenschutz GmbH
Dircksenstraße 51
D-10178 Berlin

‍webersohnundscholtz.de

1.3 Protection of your data

We have taken technical and organizational measures to ensure that the requirements of the EU General Data Protection Regulation (GDPR) are met by us, as well as, by external service providers working for us.

If we work with other companies to provide our services, such as email and server providers, this will only be done after an extensive selection process. In this selection process, each individual service provider is carefully selected for its suitability in terms of technical and organizational data protection skills. This selection procedure will be documented in writing and an agreement on the order processing of data (data processing agreement) will only be concluded if the third party complies with the requirements of Art. 28 GDPR.

We maintain a comprehensive privacy and security program that is aimed to protect the security, confidentiality, and integrity of your personal data at all times. We always consider privacy and security when developing or improving CoSpaces Edu and comply with applicable laws. We also provide resources on these topics to our users.

Your information will be stored on specially protected servers. Access to it is only possible for a few specially authorized persons. Our App is SSL/TLS encrypted, as can be seen by the https:// at the start of our URL.

We do not collect, maintain, use or share personal data beyond that needed to run our application.

We do not sell personal data or any other data.

We do not advertise to students through our application.

1.4 Erasure of personal data

We process personal data only if necessary in order to run our application. As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out according to the standards of the erasure concept, unless legal or contractual regulations oppose this.

1.5 CoSpaces Edu & COPPA

The Children’s Online Privacy Protection Act (COPPA) protects personal information belonging to a child younger than 13. We do not require users younger than 13 to disclose more information than is reasonably necessary to use our services and have taken measures to ensure that the COPPA requirements are met by us, as well as by external service providers we work with.

1.6 CoSpaces Edu & FERPA

The data collected by us includes student data that may be subject to the Family Educational Rights and Privacy Act (FERPA), such as student names or student-generated content. For that matter, we have taken measures to comply with FERPA requirements and ensured that external service providers also meet the requirements to this extent.

2 Use of data on this App and in log files

2.1 Scope of processing personal data

When visiting our App, AWS web servers temporarily store every access in a log file. The following data may be collected and stored by AWS until automated erasure:

Date and time of access
Name and URL of the retrieved file
Transmitted amount of data
Message if the retrieval was successful
Detection data of the browser and operating system used

We do not access or analyze this data, which is stored on AWS servers.

We use the services of AWS for hosting purposes. The data processing is carried out by: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, Luxembourg 1855, Luxembourg (a subsidiary of Amazon.com Inc., 410 Terry Avenue North, Seattle WA 98109, USA).

AWS hosting services are used to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services, which we use for the purpose of operating this online offer.

You can find more information on the data protection of the service provider here: https://aws.amazon.com/de/privacy/

2.2 Legal basis for processing personal data

The legal basis for the temporary storage of the data and log files is Art. 6 para. 1 s. 1 lit. f) GDPR. Our legitimate interest is to make our App accessible for you.

2.3 Purpose of data processing

The processing of this data serves: the purpose of enabling the use of the App (connection establishment), system security, the technical administration of the network infrastructure, as well as to optimize the App. The IP address is evaluated only in case of attacks on our network infrastructure or the network infrastructure of our internet provider.

2.4 Duration of storage

As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out. This happens as soon as you close our App. Our hosting service, Amazon Web Services (AWS), might use data for statistical purposes. Any personal data will be anonymized for this. Our hosting service will delete this data after a period of 6 months.

2.5 Right of objection and erasure

The data processing is necessary in order to present the App and to ensure the App’s operation. Therefore, objecting is impossible.

3 Use of cookies

3.1 Description and scope of data processing

Our App uses cookies. This means that when using the App, cookies are stored on your computer. Cookies are small text files which are assigned to the browser you are using and which are stored on your hard drive. Through this information flows to us or the party who set the cookie. Cookies cannot run programs on or transmit viruses to your device. The following data may be transmitted:

Your last session ID (encrypted)

3.2 Legal basis for data processing

The legal basis for the processing of data for cookies, which serve only the functionality of this App, is Art. 6 para. 1 s. 1 lit. f) GDPR.

3.3 Purpose of data processing

Our legitimate interests are to provide you with a working App connection and to ensure a comfortable use of this App.

3.4 Duration of storage

Session cookies are deleted when you log out or close the App.

3.5 Right to objection and erasure

We only use cookies that are technically necessary to provide you with our services. The use of these is indispensable, which is why it is not possible to object in this case, otherwise the app cannot be used.

4 Data processing during download

4.1 Description and scope of data processing

When you download our app, the Google Play Store and iOS AppStore require specific information from you and the following data will be transferred:

Username
E-mail address
Customer number of your account
Time of download
Device identification number

4.2 Note on requesting location data

We would like to point out that when using our apps, the so-called "Coarse Location Permission" can be requested from the user. This is one of the confidential Android or iOS permissions. This authorization request is displayed graphically with a system dialog within the app and must be issued/confirmed by the user. This is a security feature of Google and Apple. This gives Cospaces permission to determine the approximate user location. However, we do not use this permission to determine the approximate location of the user. However, it is possible that Google and Apple process this data. The possible data processing for the European Economic Area and for Switzerland is carried out by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google's privacy policy can be found at: https://www.google.com/policies/privacy/ Apple Inc., 1 Apple Park Way, Cupertino, California, United States.Apple’s privacy policy can be found at: https://www.apple.com/legal/privacy/

4.2.1 Legal basis for data processing

The processing of this data takes place on the basis of Art. 6 para. 1 sentence 1 lit. a) GDPR.

4.2.2 Purpose of data processing

The data processing by Google and Apple takes place for the purpose of enabling the use of the app. It is used for system security at Google and Apple.

4.2.3 Duration of data processing

According to Google and Apple, the personal data will be deleted as soon as they are no longer required for the above-mentioned purposes.

4.2.4 Right to objection and erasure

The collection of data for the provision of the app is intended for the operation of the app by Google and Apple as a security feature. If you have any questions about data protection, you can contact Google using the following contact form: https://www.google.de/contact/ or contact Apple using the following contact form: https://support.apple.com/contact

5 Registration

5.1 Description and scope of data processing

The data subject can register in our App. This requires the data subject to enter personal data in the registration form. Depending on whether you register with us as a student or teacher, we process the following data:

Registration as a teacher:

Name (required)
Username (required)
Email address (required)
Chosen password (required)
Financial information (required when purchasing CoSpaces Edu Pro License Plans “the Paid Subscriptions”)

Registration as a student:

Email address
Username (required)
Chosen password (required)

The information provided by the data subject in the registration mask will be used exclusively for processing and will not be disclosed to third parties.

5.2 Legal basis for data processing

If the data subject enters required personal data in the registration form, the legal basis of the data processing is based on Art. 6 para. 1 s. 1 lit. b) GDPR. However, if the user also enters personal data in the optional input field, the data processing is based on Art. 6 para. 1 s. 1 lit. a) GDPR.

The sending of emails about your registration information is based on Art. 6 para. 1 s. 1 lit. b) GDPR.

5.3 Purpose of data processing

The processing of personal data is used solely for us to finish your registration and organize your App account.

5.4 Duration of storage

The data are deleted as soon as the purpose of storage is no longer required. This is the case if you delete your account and no statutory or regulatory retention periods of erasure contradict. Your data will be stored according to your respective location on servers located either in Europe, the United States or Asia Pacific. A list of countries and their respective server locations can be found under https://cospaces.io/edu/server-regions.html

5.5 Right to objection and erasure

During and after the registration, the data subject is free to change, correct or delete their personal data.

6 Third-party login

6.1 Description and scope of data processing

If you already own an account on Apple, Clever, Google, Microsoft or NAVER, you can register with your account (Third-Party Login). By doing so, you will be linking your account to your CoSpaces account and can also sign up on our webapp with your third party-account in the future.

Following data will be provided to us from your chosen third-party account (Apple Inc., Clever Inc., Google LLC., Microsoft Corporation, NAVER Corp.):

Account-ID
First name
Last name
E-mail address
Verification of your third-party account
Link to your public profile at the chosen platform provider
If you use Google or Clever for your login: Username

For more information regarding each third-party login, the transmitted data and the data privacy settings of your account, we refer to the following data policies of each account provider:

Apple: https://www.apple.com/legal/privacy/de-ww/
Clever: https://clever.com/trust/privacy/policy
Google: http://www.google.com/policies/privacy/?hl=de
Microsoft: https://privacy.microsoft.com/de-de/privacystatement
NAVER: https://policy.naver.com/policy/privacy_en.html

In our continuous effort to improve the user experience and simplify the use of our services, we have introduced an integration with Google Classroom. This integration allows teachers to create and manage "CoSpaces assignments" through their Google Classroom classes. 
To use this feature, the admin of the license plan must enable the Google Classroom integration under the license plan settings first. Once enabled, teachers that are a part of the same license plan will be able to access Google Classroom features to manage their class assignments efficiently.

We would like to emphasize that the protection and security of our users' personal data is of the utmost importance. When using the Google Classroom integration, no personal data of students or teachers is collected or shared without their explicit consent. The data required for the functionality of the integration is processed in accordance with our privacy policy and Google's privacy policy. 

We encourage users to read Google's privacy policy to gain a full understanding of how their data is handled as part of this integration. ‍

6.2 Legal basis for data processing

As far as we receive your first and last name as well as your e-mail address, the legal basis of the data processing is based on Art. 6 para. 1 s. 1 lit. b) GDPR. All further information is given to us voluntarily. Therefore, data processing is based on Art. 6 para. 1 s. 1 lit. a) GDPR.

6.3 Purpose of data processing

The third-party login facilitates the use of our registration function. We also use third-party logins to make our website better known.

6.4 Duration and storage

Third-party login data is stored until the declaration of a revocation and used as described.

6.5 Right to objection and erasure

You can prevent this data processing by using our regular registration process. During and after the registration, the data subject is free to change, correct or delete their personal data. As far as the data processing is based on your consent, you can withdraw your consent to this data processing at any time regarding future processing in accordance to Art. 7 GDPR. Further adjustments may be possible within the settings of your third-party account.

7 Forum

7.1 Description and scope of data processing

We run a forum. Users can leave comments in the forum. These posts can also be commented on by third-party users. If the user publishes a comment in our Forum, we store and publish, in addition to the comment content itself, following data:

Time stamp of your log-in
Username

A transfer of the data to third parties does not take place, unless the affected person has given his/her consent.

7.2 Legal basis of data processing

This data processing is legally based on our legitimate interest (Art 6 para. 1 s.1 lit. f) GDPR) in enabling our users to participate in an active and fair community.

All data that you disclose in the context of the commenting function are given voluntarily, so that the storage of this data is based on the legal basis of Art. 6 para. 1 s. 1 lit. a) GDPR.

7.3 Purpose of data processing

The collection of data is intended to ensure the stability and usability of this website and the forum. Also, it is necessary to prevent misuse of the commenting function. In addition, comments enable our users to share their questions and experiences.

7.4 Duration of storage

We process personal data only as long as necessary. As soon as the purpose of the data processing is fulfilled, erasure of the data is carried out according to the standards of the erasure concept, unless legal or contractual regulations oppose this.

7.5 Right to objection and erasure

As far as our data processing is based on our legitimate interest, you have the possibility of objecting to data processing (see Art. 21 GDPR and “Your rights”). In the event of a disagreement, please provide us with the reasons why we should not process your personal data as we have done. We will then examine the situation and either discontinue or adjust the data processing or will tell you based on which reasons we have to continue this processing.

As far as the data processing is based on your consent, you can prevent it by not agreeing with them. You also have the option to withdraw your consent at any time (see Art. 7 GDPR and “Your rights”). A withdrawal only applies to any processing that takes place after it has been pronounced. This can be done by telephone, mail, email or any other means. In case we delete your account, the comment content will remain visible for all visitors, but your account information will be anonymized and is no longer retrievable. All other data will be deleted.

8 Online Purchase

8.1 Description and scope of data processing

When you shop in our App, we will process your first name and surname, address and email address to complete the purchase agreement and the delivery agreement with you.

8.2 Legal basis for data processing

The legal basis for this data processing is Art. 6 para. 1 s.1 lit. b) GDPR. We are processing your data for the fulfilment of purchase contracts and supply agreements.

8.3 Purpose of data processing

We process your data to close the contract, to handle the payment, for billing, to ensure on-time delivery and to inform you about that delivery.

We provide your data to our contracted processors and service providers, so that they can process the delivery and, if necessary, communicate with you to announce and coordinate the delivery of your ordered goods.

8.4 Duration of storage

8.5 Right to objection and erasure

The data processing is necessary in order to be able to process your purchase contract, which is why it cannot be waived. There is therefore no option to object.

8.6 Stripe

8.6.1 Description and scope of data processing

We offer Stripe as a payment service. With Stripe, you can use payment information stored in your Stripe account to make purchases quickly and securely. To use the payment service through Stripe, prior registration is required. The data processing is carried out by: Stripe Payments Europe Ltd (subsidiary of Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA).

Data processing by Stripe is carried out only for bookings that require online payments. The information collected by Stripe includes:

Payment method
Payment method information (e.g. credit or debit card number or bank account details)
Purchase amount
Date of purchase

Different payment methods may require the collection of different categories of data. The payment method information Stripe collects depends on the payment method you choose. When you complete a transaction, Stripe may also receive:

Name
Email address
Billing or shipping address
and in some cases your transaction history to authenticate you

For more information, please see Stripe's privacy policy: https://stripe.com/en-lu/privacy

8.6.2 Legal basis for data processing

Our legal basis is based on Art. 6 para. 1 s. 1 lit. b) GDPR.

8.6.3 Purpose of data processing

The transmission of the data is necessary to prevent any misuse. We inform you that Stripe may transmit the personal data to credit agencies. This is because Stripe reserves the right to check your identity and creditworthiness.

8.6.4 Duration of storage

We will only store your data for as long as is necessary to process your payment and invoice you. If you are a Stripe user, Stripe will retain your personal data for as long as the services are provided to you. The data will then be deleted unless there are regulatory, contractual or legal retention obligations that prevent deletion.

8.6.5 Right to objection and erasure

The data processing is mandatory in order to be able to process your payment via Stripe, which is why it cannot be dispensed with if you have chosen this payment method. There is therefore no possibility to opt out.

9 Service providers from third countries

In order to be able to provide our services, we use the support of service providers from third party countries (non-EU countries). In order to ensure the protection of your personal data in this case, we conclude processing contracts with each - carefully selected - service provider. All of our processors provide sufficient guarantees to implement appropriate technical and organizational measures. Our third country data processors are either located in a country with an adequate level of data protection (Art. 45 GDPR) or provide appropriate safeguards (Art 46 GDPR).

Adequate level of protection: The provider comes from a country whose level of data protection has been recognized by the EU Commission. For more information, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

EU standard contract clauses: Our provider has submitted to the EU standard contractual clauses to ensure secure data transfer. For more information, see: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en

Binding Corporate Rules: Article 47 of the GDPR provides the possibility of ensuring data protection when transferring data to a third country via Binding Corporate Rules. These are examined and approved by the data security authorities within the framework of the consistency mechanism pursuant to Art. 63 GDPR.

Consent: In addition, a data transfer to a third country without an adequate level of protection will only take place if you have given us your consent in accordance with Art. 49 sec. 1 lit. a) GDPR for this purpose.

10 Your rights

You have the following rights with respect to the personal data concerning you:

10.1 Right to withdraw a given consent (Art. 7 GDPR)

If you have given your consent to the processing of your data, you can withdraw it at any time. This will affect the admissibility of processing your personal data by us for the time after you have withdrawn your consent. To withdraw your consent, contact us personally or in written form.

10.2 Right of access (Art. 15 GDPR)

You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data and the following information:

the purpose of processing;
the categories of personal data concerned;
the recipients or the categories of recipient to whom your personal data have been or will be disclosed, in particular recipients in countries outside of the EU or international organisations;
where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
all available information on the source of your personal data;
the existence of automated decision-making, including profiling, referred to Art. 22 para. 1 and 4 GDPR and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

In the case of such a request, you must provide enough information about your identity to proof that the request concerns your own personal data.

10.3 Right to rectification and erasure (Art. 16, 17 GDPR)

You have the right to obtain from us without undue delay the rectification and completion of inaccurate personal data concerning yourself.

You may also request the erasure of your personal data if any of the following applies to you:

the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
you withdraw consent on which the processing is based according to Art. 6 para. 1 s.1 lit. a) or Art. 9 para. 2 lit. a) GDPR, and where there is no other legal ground of processing;
you object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject;
the personal data have been collected in relation to the offer of information society services referred to in Art. 8 para. 1.

Where we made the personal data public and are obliged to erase the personal data pursuant to Art. 17 para. 1 GDPR, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

These rights shall not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h) and i) as well as Art. 9 para. 3 GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, in so far as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
for the establishment, exercise or defence of legal claims.

10.4 Right to restriction of processing (Art. 18 GDPR)

You shall have the right to obtain from us restriction of processing where one of the following applies:

the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
you have objected to processing pursuant to Art. 21 para. 1 GDPR pending the verification whether our legitimate grounds override yours.

Where processing has been restricted under the aforementioned conditions, such personal data shall, except for storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the limitation of the processing is restricted, you will be informed by us before the restriction is lifted.

10.5 Right to information (Art. 19 GDPR)

If you have asserted to us your right to rectification, erasure or restriction of data processing, we will inform all recipients of your personal data to correct, delete or restrict the processing of data, unless this proves impossible or involves disproportionate effort.

You also have the right to know which recipients have received your personal data.

10.6 Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format. Also, you have the right to transmit those data to another controller, where

the processing is based on consent pursuant of Art. 6 para. 1 s.1 lit. a) GDPR or of Art. 9 para. 2 lit. a) GDPR or is based on a contract pursuant of Art. 6 para. 1 s. 1 lit. b) DS-GVO; and
the processing is carried out by automated means.

In exercising your right to data portability, you have the right to obtain that personal data transmitted directly from us to another controller, as far as technically feasible. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority that has been delegated to us.

10.7 Right to object (Art. 21 GDPR)

Where we based the processing of your personal data on a legitimate interest (Art. 6 para. 1 s. 1 lit. f) GDPR), you may object to the processing. The same applies if the data processing is based on Art. 6 para. 1 s. 1 lit. e).

In this case, we ask you to explain the reasons why we should not process your personal data. Based on this we will terminate or adapt the data processing or show you our legitimate reasons why we continue the data processing.

10.8 Right to lodge a complaint with supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of the personal data concerning you is against the infringes of the GDPR.

The supervisory authority to which the complaint has been submitted shall inform you of the status and results of the complaint, including the possibility of a judicial remedy according to Article 78 GDPR.

11 How you perceive these rights

To exercise these rights, please contact our data protection officer:

Kemal Webersohn from Webersohn & Scholtz GmbH
delightex@ws-datenschutz.de

or by mail: