Semanux

Privacy Policy for Semanux Access

In this privacy policy, we, Semanux GmbH, Abraham-Wolf-Straße 56, 70597 Stuttgart (hereinafter: “Semanux”, “we” or “us”) inform you about the collection of personal data when using Semanux Access (including its various editions, e.g., Semanux Access Flex and Semanux Access Pro), a software developed by us for the innovative, multimodal operation of a computer with the head and other input options (hereinafter: “Semanux Access” or “Software”).

We take the protection of your personal data very seriously and observe the applicable data protection regulations, in particular the provisions of the General Data Protection Regulation EU 2016/679 (hereinafter: “GDPR”). With the following explanations, we are fulfilling our obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing of your personal data.

This data protection declaration has a modular structure and consists of a general part A, which relates to all processing situations in connection with the software, and special parts B to E, which relate to specific processing situations that are described in more detail there. An overview of the subdivision of this data protection declaration can be found in the following table:

Part | Designation | Contents
A | General | Terminology, controller, contact details, processing principles, rights of data subjects
B | Activation of a Single License | Description of data processing as part of the activation of a single license (type of data, purpose, legal basis, storage period, transfer to third parties)
C | Activation of a Subscription License | Description of data processing as part of the activation of a subscription license (type of data, purposes, legal basis, storage period, transfer to third parties)
D | Use of the Software | Description of data processing when using our software (type of data, purpose, legal basis, storage period)
E | Submission of Feedback | Description of data processing when transmitting feedback within the framework of the software (type of data, purpose, legal basis, storage period)

The following terms used in this privacy policy have the meanings set out below according to the definitions used in the GDPR:

  • “Personal data” (Article 4(1) GDPR) is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The identifiability can also be provided by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photo, video or sound recordings can also contain personal data).
  • “Processing” (Article 4(2) GDPR) means any process in which personal data is handled, whether with or without the help of automated (i.e., technology-based) procedures. In particular, this includes collecting (i.e., acquiring), recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, distribution or other provision, comparing, linking, restricting, deleting or destroying personal data, as well as changing an objective or purpose on which the data processing was originally based.
  • “Controller” (Article 4(7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Third party” (Article 4(10) GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct responsibility of the controller or the processor, are authorized to process the personal data; this also includes other corporate legal entities.
  • “Processor” (Article 4(8) GDPR) means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller, in particular in accordance with their instructions (e.g., an IT service provider). In terms of data protection law, a processor is in particular not a third party.
  • “Consent” (Article 4(11) GDPR) of the data subject means any freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Insofar as we alone or jointly with others determine the purposes and means of processing your personal data, we are the controller for the processing of your personal data in accordance with Article 4(7) GDPR.

Our contact details:

Semanux GmbH
Abraham-Wolf-Strasse 456
70597 Stuttgart
Germany

According to the principles of applicable data protection law, any processing of personal data is generally prohibited and only permitted if the processing falls under at least one of the following justifications:

  • Article 6(1)(a) GDPR (“Consent”): If the data subject has freely given a specific, informed and unambiguous indication of his or her wishes, by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of his or her personal data for one or more specific purposes;
  • Article 6(1)(b) GDPR: If the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Article 6(1)(c) GDPR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a statutory retention obligation);
  • Article 6(1)(d) GDPR: If the processing is necessary to protect the vital interests of the data subject or another natural person;
  • Article 6(1)(e) GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(f) GDPR (“Legitimate Interests”): If the processing is necessary to protect legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).

For the respective processing carried out by us, we indicate below the respective applicable legal basis. Processing can also be based on several legal bases. It is then justified until the conditions of the last relevant legal basis are no longer met.

For the processing we carry out, we state below how long the data will be stored by us and when it will be deleted or blocked.

If no explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. In principle, your data will only be stored on servers in Germany, subject to a possible transfer according to the regulations in the special parts of this data protection declaration.

However, storage can take place beyond the specified time, for example if storage is provided for by legal regulations to which we are subject as the responsible body (e.g., Section 257 of the German Commercial Code (Handelsgesetzbuch, HGB), Section 147 of the German Fiscal Code (Abgabenordnung, AO)). If the storage period provided for in the statutory provisions expires, the personal data will be blocked or deleted, unless further storage by us is necessary and can still be supported by a legal reason.

We use appropriate technical and organizational security measures to protect your data against accidental or intentional unauthorized manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, the implementation costs and the type, the scope, the context and purpose of the processing and the risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

We will be happy to provide you with more detailed information on request. Please contact us using the contact details given in A.2.

We use external service providers as processors to process our business transactions and provide our services. They act exclusively according to our instructions and are contractually obliged (Article 28 GDPR) to comply with data protection regulations.

To provide the services described in parts B to E, in which the software from your end device establishes an Internet connection with one of our (virtual) servers and exchanges data, we use the hosting services of the provider netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany (hereinafter: “netcup”). Your data will be processed as part of the hosting services. Specifically, netcup records the time and type of connection, your IP address and the address of the service called up by the software on the server, which is technically necessary. Furthermore, netcup records this data in log files, which are automatically deleted after 14 days. You can find out more about data processing by netcup from netcup's privacy policy. The data processing serves to display and run the software and to carry out troubleshooting, analyses of the utilization of our systems and to ward off cyber attacks. In individual cases, we can link the data recorded via netcup with other data for manual error analysis. The legal basis for data processing is Article 6(1)(f) GDPR (Legitimate Interests). The data is stored for as long as is necessary to fulfill the purpose.

As part of the granting of the use of our software, it may happen that your personal data is transmitted to other companies that we commission as service providers in the course of providing our services. These may also be located outside the European Economic Area (“EEA”), i.e., in third countries. Such processing is only carried out for the performance of contractual and business obligations, to maintain your business relationship with us or on the basis of another legitimate interest as described in this privacy policy. We will inform you about the respective details of the data exchange with companies in third countries in the appropriate places in the special part of this data protection declaration.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard through so-called adequacy decisions (list of these countries and copies of the adequacy decisions). In other third countries to which personal data can be transmitted, however, there cannot be a uniformly high level of data protection due to the lack of legal regulations. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct in connection with appropriate technical measures. Please contact us using the contact details given under A.2 if you would like further information on this.

We do not intend to use the personal data collected from you for automated decision-making processes (including profiling).

We are not subject to any special legal or contractual obligations to pass on the processed personal data to third parties.

We do not make the conclusion of contracts with us conditional on you providing us with personal information in advance. As a user, you are also not legally or contractually obliged to provide us with your personal data; however, it may be that we can only provide certain services to a limited extent or not at all if you do not provide us with the necessary data. If this should exceptionally be the case within the scope of our services and activities to be provided to you, you will be informed of this.

You can exercise your rights as a data subject with regard to your processed personal data at any time using the contact details given under A.2. You can also lodge a complaint about the processing of your personal data with a data protection authority.

As a data subject, you have the following rights:

  • Right of access (Article 15 GDPR): You are entitled at any time to demand confirmation from us within the scope of Article 15 GDPR as to whether we are processing personal data relating to you; if this is the case, you are also entitled under Article 15 GDPR to obtain information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third-country transfers, the appropriate safeguards) and to receive a copy of your data. The restrictions of Section 34 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply.
  • Right to rectification (Article 16 GDPR): You have the right to demand that we rectify the personal data stored about you if it is inaccurate or incorrect.
  • Right to erasure (Article 17 GDPR): You are entitled, under the conditions of Article 17 GDPR, to demand that we delete personal data concerning you immediately. The right to deletion does not exist, among other things, if the processing of the personal data is required, for example, to fulfill a legal obligation (e.g., statutory storage obligations) or to assert, exercise or defend legal claims. In addition, the restrictions of Section 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply.
  • Right to restriction of processing (Article 18 GDPR): You are entitled, under the conditions of Article 18 GDPR, to require us to restrict the processing of your personal data.
  • Right to data portability (Article 20 GDPR): You are entitled, under the conditions of Article 20 GDPR, to demand that we provide you with the personal data that you have provided to us in a structured, common and machine-readable format.
  • Right of revocation (Article 7(3) GDPR): You can revoke your consent to the processing of personal data at any time. Please note that the revocation only applies to the future. Processing that took place before the revocation is not affected. An informal notification, e.g., by email, to us is sufficient to declare the revocation.
  • Right to object (Article 21 GDPR): You are entitled to object to the processing of your personal data under the conditions of Article 21 GDPR, so that we must stop processing your personal data. The right to object only exists within the limits provided for in Article 21 GDPR. In addition, our interests may conflict with the termination of processing, so that we are entitled to process your personal data despite your objection. We will take into account any objection to any direct marketing measures immediately and without reconsidering existing interests.
  • Right to lodge a complaint (Article 77 GDPR): You are free to lodge a complaint with a supervisory authority in accordance with Article 77 GDPR regarding the processing of your personal data by us. As a rule, you can contact the supervisory authority at your usual place of residence or our registered office (The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany, T: +49 711 615541‑0, F: +49 711 615541‑15, Email: poststelle@lfdi.bwl.de).

Semanux Access has a minimum age limit in each country or region. Semanux Access is not directed to children whose age:

  • is under the age of 14 years,
  • makes it illegal to process their personal data, or
  • requires parental consent to process their personal data.

We do not knowingly collect or use personal data from children under the applicable age limit. If you're under the age limit, do not use Semanux Access, and do not provide any personal data to us. If you become aware that a child under the age limit has provided personal data to Semanux, contact us.

If we learn that we've collected the personal data of a child under the applicable age limit, we'll take reasonable steps to delete the personal data. This may require us to delete the Semanux account for that child.

We reserve the right to make changes to this privacy policy.

When we make material changes to this privacy policy, we will provide you with prominent notice as appropriate under the circumstances. For example, we display a prominent notice within the mySemanux section of our website or send you an email.

This data protection declaration is valid from September 2023.

If our software is obtained from one of our distributors on the basis of a single license, this single license is activated by entering an activation code provided by us. In connection with entering the activation code, a “hashed” identification feature of the end device (the BIOS UUID, a character string with which each end device can be uniquely identified globally) is collected as a digital fingerprint and linked to the single license that was activated with the activation code. “Hashed” here means the use of a so-called one-way function that converts the identification feature into a unique character string which, according to the current state of the art, can no longer be converted back into the identification feature. It is therefore not possible for anyone to draw conclusions about the identification feature itself.

The data processing serves to ensure that the software can only be used in accordance with the single license on a specific end device activated for the single license and to detect and prevent misuse of the software.

The data processing takes place on the basis of Article 6(1)(b) GDPR, insofar as this is necessary to carry out pre-contractual measures at the request of the customer or end user or to fulfill the usage contract with the customer or end user.

Furthermore, the data will be collected and processed on the basis of Article 6(1)(f) GDPR, insofar as this is required for the functionality of the software or to prevent misuse of our software and your interest in the protection of your personal data does not outweigh it.

The data will be stored for as long as is necessary to achieve the stated purposes.

If our software is obtained on the basis of a subscription license, activation takes place by logging in with a Semanux account by entering the combination of email and password chosen by the user. In connection with this Semanux account registration, a “hashed” identification feature of the end device (the BIOS UUID, a character string with which each end device can be uniquely identified globally) is collected as a digital fingerprint and linked to the logged-in Semanux account. “Hashed” here means the use of a so-called one-way function that converts the identification feature into a unique character string which, according to the current state of the art, can no longer be converted back into the identification feature. It is therefore not possible for anyone to draw conclusions about the identification feature itself.

The data processing serves to ensure that the software can only be used by a specific user on a specific device activated for the subscription license in accordance with the subscription license and to detect and prevent misuse of the software.

The data processing takes place on the basis of Article 6(1)(b) GDPR, insofar as this is necessary to carry out pre-contractual measures at the request of the customer or end user or to fulfill the usage contract with the customer or end user.

Furthermore, the data will be collected and processed on the basis of Article 6(1)(f) GDPR, insofar as this is required for the functionality of the software or to prevent misuse of our software and your interest in the protection of your personal data does not outweigh it.

The data will be stored for as long as is necessary to achieve the stated purposes.

Immediately after the initial activation of the software (described in part B or C), an authentication token is generated on the server side and stored on the user's end device. From now on, this authentication token will be transmitted every time the software connects to one of our servers in order to be able to check the active license status of the software.

On each day of its execution, the software sends a request to our servers with the authentication token and the hashed device identification feature described in parts B and C, respectively, in order to check the license status of the software for the respective device. The data transmitted here will not be stored by us.

Furthermore, as part of the use of the software, we collect configuration data in an anonymous form, which is also sent to our servers in combination with the authentication token. The authentication token is only used to prevent unauthorized sending of configuration data. After verification of the permissible submission, the personal reference according to Article 4(1) GDPR of the configuration data is removed (“anonymized”), for which purpose the authentication token and other personal data are excluded from storage on the server.

The purpose of data processing is to ensure that the software is only used by authorized users and on a device authorized for this purpose and that misuse of the software is detected and prevented.

We use the anonymized configuration data to analyze how the software is used and to improve it.

The data processing takes place on the basis of Article 6(1)(b) GDPR, insofar as this is necessary to carry out pre-contractual measures at the request of the customer or end user or to fulfill the usage contract with the customer or end user.

Furthermore, the data will be collected and processed on the basis of Article 6(1)(f) GDPR, insofar as this is required for the functionality of the software or to prevent misuse of our software and your interest in the protection of your personal data does not outweigh it.

The data will be stored for as long as is necessary to achieve the stated purposes.

You have the option to send feedback to us in the form of messages via the software. We collect and store an authentication token (as described in Section C) and the messages you enter (including text, image or video).

The personal data that you send us as part of the feedback will be stored by us in order to take note of your request and to be able to use it to improve our software and to be able to contact you in order to answer your message.

The processing takes place with your consent in accordance with Article 6(1)(a) GDPR. Furthermore, when contact is made with regard to a contractual relationship, processing takes place on the basis of Article 6(1)(b) GDPR if you contact us in connection with an existing contract or a contract that you wish to conclude with us.

The data will be stored for as long as is necessary to achieve the stated purposes.