Privacy Policy

Contact details of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

Contact details of the data protection officer

Scope of processing personal data

In general, we only process the personal data of our users to the extent necessary to provide a functioning website with our content and services. The regular processing of personal data only takes place with the consent of the user. Exceptions include cases where prior consent cannot be technically obtained and where the processing of the data is permitted by law.

Legal basis for the processing

Where consent is appropriate for processing personal data, Art. 6 (1) (a) GDPR serves as the legal basis to obtain the consent of the data subject for the processing of their data.

As for the processing of personal data required for the performance of a contract of which the data subject is party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual activities.

When it is necessary to process personal data in order to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing of data is necessary to safeguard the legitimate interests of our company or that of a third party, and the fundamental rights and freedoms of the data subject do not outweigh the interest of the former, Art. 6 (1) (f) GDPR will serve as the legal basis for the processing of data.

Data removal and storage duration

The personal data of the data subject will be erased or restricted as soon as the purpose of its storage has been accomplished. Additional storage may occur if this is provided for by the European or national legislator within the EU regulations, law, or other relevant regulations to which the data controller is subject. Restriction or erasure of the data also takes place when the storage period stipulated by the aforementioned standards expires, unless there is a need to prolong the storage of the data for the purpose of concluding or fulfilling the respective contract.

Your documents are deleted irreversible from our servers within 7 days when you use the "Delete" button. Documents are deleted automatically after 60 days without view (Does not apply to Pro accounts).

If you delete your account, all personal data and all your documents will be permanently deleted within 7 days.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. When you delete your account, all associated data is permanently deleted within 7 days. Deleting your account also deletes all data stored at payment provider Stripe and ticket system Freshdesk (if there is any). Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.

Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

• Right to obtain information about the data stored about you (Art. 15 GDPR)
• Right to rectification if incorrect personal data is processed (Art. 16 GDPR)
• Right to deletion or restriction of processing if legal requirements are met (Art. 17 and 18 GDPR)
• Right to data portability in certain cases (Art. 20 GDPR)
• Right to object to processing for direct marketing purposes, including related profiling. If you object, the data will no longer be processed for these purposes (Art. 21 GDPR).

Furthermore, there is a right of appeal to a supervisory authority (Art. 77 GDPR).

The supervisory authority responsible for us is:

Description and scope of data processing

Each time our platform is called up, our system automatically collects data and information from the operating system of the calling device.

The following data is collected:

• Browser type, browser version and operating system
• Referrer URL of the user
• IP address and broad location based on the IP address
• Date and time of access

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Purpose of the processing

The temporary storage of the IP address by the system is necessary to enable delivery of the platform to the user's device. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the platform and to prevent abuse. In addition, we use the data to optimise the platform and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes are also our legitimate interest in data processing according to Art. 6 (1) (f) GDPR.

Legal basis for the processing

The legal basis for the temporary storage of the data and the log files is Art. 6 (1) (f) GDPR.

Duration of the storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the platform, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after 14 days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

Possibility of objection and removal

The collection of data for the provision of the platform and the storage of the data in log files is mandatory for the operation of the platform.

Description and scope of data processing

Our platform uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's device. When a user calls up a platform, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables the device to be uniquely identified when the platform is called up again.

We use cookies to make our platform more user-friendly. Some elements of our platform require that the calling device can be identified even after a platform change.

The following data is stored and transmitted in the cookies:

• Language settings
• Entered search terms
• Functionality of the website
• Identifiers of uploaded documents

Purpose of the processing

The purpose of using technically necessary cookies is to simplify the use of the platform for users. Some functions of our platform cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

We need cookies for the following functionality of the application:

• Access of previously uploaded files
• Applying language settings
• Log-in functionality

The user data collected through technically necessary cookies are not used to create user profiles.

Legal basis for the processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (f) GDPR.

The legal basis for the use of technically necessary cookies is § 25 (2) (2) TTDSG in conjunction with Art. 6 (1) (f) GDPR.

Duration of storage, Possibility of objection and elimination

Cookies are stored on the user's computer and transmitted from it to our platform. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our platform, it may no longer be possible to use all functions of the platform to their full extent.

If you use a Safari browser from version 12.1, cookies are automatically deleted after seven days. This also applies to opt-out cookies that are set to prevent tracking measures.

Description and scope of data processing

Within our platform, it is possible to contact us via the email address provided. In this case, the user's personal data transmitted with the email will be stored. The following data is transmitted to us:

• E-mail address
• Name
• Pseudonym
• IP address of the calling computer
• Date and time of the call

By contacting us via e-mail, the data processed is transferred to the service provider: Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo, California, USA (Freshdesk). The data is transferred to Freshworks servers in the USA. Part of the order processing contract with Freshworks are EU standard contractual clauses (Art. 46 (2) (c) GDPR).

For more information, please visit: https://www.freshworks.com/data-processing-addendum/

Freshdesk is a web-based customer relationship management (CRM) platform and ticket management solution that enables us to plan and monitor our customer support activities. Further information: https://www.freshworks.com/privacy/ and https://www.freshworks.com/gdpr/company/.

The data is used exclusively for processing the conversation.

Purpose of the processing

In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

Legal basis for the processing

The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 (1) (f) GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis is Art. 6 (1) (b) GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended.

The additional personal data collected during the sending process will be deleted after a period of 14 days at the latest.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted in this case.

Description and scope of data processing

A contact form is available on our platform, which can be used for electronic contact. If a user uses this option, the data entered in the input mask is transmitted to us and stored.

• E-mail address
• Name
• Pseudonym
• IP address of the calling computer
• Date and time of the call

In connection with the data processing through the contact forms, the data is transferred to Freshworks Inc. (Freshdesk) in the USA based on EU standard contractual clauses. See details above under Email contact.

The data is used exclusively for processing the conversation.

Purpose of the processing

The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the submission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Legal basis for the processing

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. Our legitimate interest results from the purpose of the data processing. If the e-mail contact is aimed at the conclusion or implementation of a contractual relationship, the additional legal basis is Art. 6 (1) (b) GDPR.

Duration of storage

The additional personal data collected during the submission process will be deleted at the latest after the end of the contractual relationship or the end of the general use of the platform.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. Alternatively, you can contact us and we will modify or delete your data and/or delete your account/data for you.

Use of social networks

We use different networks for our company websites. When using some networks, personal data may be transferred to servers in the USA. In order to ensure appropriate guarantees for the protection of the transfer and processing of personal data outside the EU, the transfer of data to and processing of data by the networks listed below is carried out on the basis of appropriate guarantees pursuant to Art. 46 et. seq. GDPR, in particular by concluding standard data protection clauses pursuant to Art. 46 (2) (c) GDPR.

Twitter

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland. On our company website, we provide information and offer Twitter users the opportunity to communicate. If you carry out an action on our Twitter company website (e.g. comments, posts, likes, etc.), it may be that you make personal data (e.g. clear name or photo of your user profile) public. However, since we generally or to a large extent have no influence on the processing of your personal data by Twitter, we cannot make any binding statements about the purpose and scope of the processing of your data.

Our corporate presence in social networks is used for communication and information exchange with (potential) customers. In particular, we use the corporate presence to present the company and its services.

In this context, publications about the company's appearance may contain the following contents:

• Information about products
• Information about services
• Customer contact

Every user is free to publish personal data through activities. The legal basis for data processing is Art. 6 (1) (a) GDPR. The data generated by the company website is not stored in our own systems.

You can object at any time to the processing of your personal data that we collect in the context of your use of our Twitter corporate presence and assert your data subject rights as stated under this privacy policy. To do so, send us an informal email to info@cloudconvert.com. More information about the processing of your personal data by Twitter and the corresponding objection options here: https://twitter.com/de/privacy

Use of service providers

The platform is hosted on servers of a service provider commissioned by us.

Our service provider is:

• OVH GmbH, Christophstraße 19, 50670 Köln, Germany

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the platform. The information stored is:

• Browser type, browser version and operating system
• Referrer URL of the user
• IP address and broad location based on the IP address
• Date and time of access

This data is not merged with other data sources. The collection of this data is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.

The location of the website's server is geographically in Germany.

Use of geotargeting

We use the IP address and other information provided by the user (in particular postcode in the context of registration or ordering) for regional targeting ("geotargeting").

Regional targeting is used, for example, to automatically show you regional offers or advertisements that are often more relevant to users. The legal basis for the use of the IP address and, if applicable, other information provided by the user (in particular postcode) is Art. 6 (1) (f) GDPR, based on our interest in ensuring more precise targeting and thus providing offers and advertising with higher relevance for users.

In the process, part of the IP address and the additional information provided by the user (in particular postcode) are merely read out and not stored separately.

You can prevent geotargeting by using, for example, a VPN or proxy server that prevents precise localisation. In addition, depending on the browser used, you can also deactivate location localisation in the corresponding browser settings (insofar as this is supported by the respective browser).

We use geotargeting on our platform for the following purposes:

• Determination of the value added tax
• Platform functions such as customer targeting
• Geoblocking

Description and scope of data processing

On our platform, we offer users the opportunity to register by providing personal data. The data is entered in an input mask and transmitted to us and stored.

Registration allows the user to use the extended service functionality and access the previously converted files.

The data will not be passed on to third parties. The following data is collected as part of the registration process:

• Email address
• Pseudonym
• Profile picture
• IP address of the calling computer
• Date and time of registration

You can also register/create a customer account via your Facebook, Google or Twitter account. In this case, you do not have to enter your data manually and we receive your data (Pseudonym, e-mail address, profile picture) from Facebook, Google or Twitter, which we need to create a customer account for you.

As part of the registration process, the user's consent to the processing of this data is obtained.

Purpose of the processing

Registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures. To use the extended services, it is necessary to register to clearly distinguish the user and allocate the desired resources.

Legal basis for the processing

The legal basis for the processing serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures. Therefore, the additional legal basis for the processing of the data is Art. 6 (1) (b) GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract.

Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations.

Possibility of objection and removal

You can modify the data on your dashboard and you can delete your account at any time. If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

Description and scope of data processing

We offer our customers various payment options for processing costs incurred through the provision of our service. For this purpose, we forward customers to the platform of the corresponding payment service provider, depending on the payment option. After completion of the payment process, we receive the payment data of the customers from the payment service providers or our house bank and process them in our systems for the purpose of invoicing and accounting.

Payment by credit card

It is possible to complete the payment process by credit card.

If you have selected payment by credit card, payment data will be passed on to payment service providers for payment processing. All payment service providers comply with the specifications of the Payment Card Industry (PCI) Data Security Standards and have been certified by an independent PCI Qualified Security Assessor.

Within the framework of payment by credit card, the following data are regularly transmitted:

• Purchase amount
• Date and time of purchase
• First name and surname
• Address
• Email address
• Credit card number
• Period of validity of the credit card
• Security code (CVC)
• IP address
• VAT ID

Payment data is passed on to the following payment service providers:

• Stripe Inc.

Further information on the data protection guidelines as well as revocation and removal options vis-à-vis the payment service providers can be found here: https://stripe.com/en-gb-de/privacy

Payment by SEPA direct debit mandate

Your data will be processed for the purpose of carrying out the SEPA direct debit procedure for the settlement of costs incurred through the use of our services.

As soon as we have received the SEPA direct debit mandate signed by you, the data provided by you therein will be stored for the debiting of costs incurred. The data will be transferred to the participating banking institutions (Stripe Inc., house bank of Lunaweb GmbH and the banking institution specified by you) within the framework of the direct debit procedure.

Purpose and legal basis

The transmission of payment data to payment service providers serves to process the payment (e.g., when you purchase a product and/or use a service), as well as to carry out direct debit procedures. The legal basis is Art. 6 (1) (b) GDPR.

Duration of the storage

All payment data as well as data on possible chargebacks will only be stored for as long as they are needed for payment processing and possible processing of chargebacks and debt collection as well as for combating misuse.

Furthermore, payment data may be stored beyond this if and as long as this is necessary to comply with statutory retention periods or to prosecute a specific case of misuse. Your personal data will be deleted upon expiry of the statutory retention obligations, i.e., after 10 years at the latest.

Possibility of objection and removal

You can revoke your consent to the processing of your payment data at any time by deleting your account, notifying the responsible party or the payment service provider used. However, the payment service provider used may still be entitled to process your payment data if and as long as this is necessary for the contractual processing of payments.

Description and scope of data processing

On our website we use functions of the content delivery network OVHcloud of OVH GmbH. A Content Delivery Network (CDN) is a network of regionally distributed servers connected via the Internet to deliver content, especially large media files such as videos. OVHcloud offers web optimization and security services that we use to improve the load times of our website and to protect it from misuse. When you visit our website you will be connected to the servers of OVHcloud, e.g. to retrieve content. This allows personal data to be stored and evaluated in server log files, the user's activity (e.g. which pages have been visited) and device and browser information (e.g. IP address and operating system). Further information on the collection and storage of data by OVHcloud can be found here: https://www.ovhcloud.com/de/personal-data-protection/

Purpose and legal basis

The use of OVHcloud features serves to deliver and accelerate online applications and content.

The collection of this data is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website - for this purpose, the server log files must be collected.

Duration of storage, Possibility of objection and removal

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this Privacy Policy or as required by law.

Information about objection and removal options regarding OVHcloud can be found at https://www.ovhcloud.com/de/personal-data-protection/.

Description and scope of data processing

We use artificial intelligence features provided through Google Gemini for two purposes: automated content moderation of uploaded documents and the optional "Ask AI" feature, which allows users to chat with a document.

For content moderation, we may transmit the document name, a thumbnail of the first page and a text or markdown representation of the document to Google Gemini in order to detect prohibited or abusive content and protect the platform and its users.

When you use "Ask AI", we may transmit the content of the document, your prompts, the chat history within the current conversation and the generated responses to Google Gemini so that the requested answers can be generated. Use of this feature is optional and can be enabled or disabled for a document by the document owner where available.

Depending on the specific request, technical metadata required for secure delivery of the service, such as time of request, document identifier and basic connection data, may also be processed.

Purpose of the processing

The processing for content moderation serves to identify unlawful, harmful or otherwise prohibited content, to enforce our terms, and to protect the security and integrity of our platform.

The processing for "Ask AI" serves to provide an interactive document assistance feature, including answering questions about a document and helping users navigate and understand its contents.

Legal basis for the processing

The legal basis for processing in connection with content moderation is Art. 6 (1) (f) GDPR. Our legitimate interest lies in preventing misuse, detecting prohibited content, and protecting our platform, our users and third parties.

The legal basis for processing in connection with the "Ask AI" feature is Art. 6 (1) (b) GDPR insofar as the processing is necessary to provide the feature requested by the user. Where individual processing steps are not strictly necessary for the performance of a contract, the legal basis is Art. 6 (1) (f) GDPR based on our legitimate interest in providing a secure and user-friendly AI-assisted document service.

Recipients and third-country transfer

The AI features are provided using Google Gemini. Depending on the service setup, personal data may be processed by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

In this context, personal data may be transferred to countries outside the European Union or the European Economic Area, in particular to the USA. Where required by law, such transfers are made on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular the EU Standard Contractual Clauses and, where applicable, an adequacy decision such as the EU-U.S. Data Privacy Framework.

Further information on Google's privacy practices can be found here: https://policies.google.com/privacy.

Duration of storage

We store prompts, responses and moderation results only for as long as necessary to provide the respective feature, ensure security, investigate misuse, or comply with statutory retention obligations. The underlying documents remain subject to the general retention periods described in this Privacy Policy.

Possibility of objection and removal

You can object to processing based on Art. 6 (1) (f) GDPR on grounds relating to your particular situation. You can also refrain from using the "Ask AI" feature or disable it for your documents where this option is available. If you want us to review or erase personal data processed in connection with these AI features, you can contact us at any time using the contact details provided in this Privacy Policy.