Privacy Policy

Open-Xchange Privacy Policy for the OX COI Messenger

We are pleased that you have chosen to download and install our OX COI Messenger (hereinafter referred to as “App”). The protection of your personal data is an important topic for us and we will protect your privacy and treat your data confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable law.

With this Privacy Policy, we inform you about the types of your personal data we collect and the purposes it will be used for. Since changes of the laws, jurisdiction or our corporate procedures may require an adjustment of this Privacy Policy, we reserve the right to change it without further notice. This makes it necessary to regularly re-read this document to keep track of the changes. Possible changes will not affect the legal basis of any data processing and collection. In case the legal basis changes, we will inform you proactively in the respective situation while using the App, asking for your consent.

Scope of the data collection and processing

As a rule, personal data is only processed for the purpose of providing the service of the App. This refers to data that is technically necessary for the operation of the service (e.g. user name or e-mail address).

In addition, your data will only be processed and used for other purposes if there is a legal legitimation or if you have consented to its use. Your data will not be processed if these conditions are not met.

Please note that the App is designed to access a third-party e-mail service that has set up a user account with an individual e-mail mailbox on its server for you (hereinafter “Service Provider”). Please check with your service provider about how they handle your data. This privacy policy only describes the processes in the App itself.

Personal data

Personal data are any information about personal or factual circumstances of an identified or identifiable natural person. Anonymized or statistical data which could not be related to you or could only be related to you with disproportionate effort are not personal data.

Collection and processing operations

In the following sections we will guide you through the individual processing procedures, explain the respective purpose and the corresponding legal basis.

Log-In data

To establish a connection, the App first asks for your Email address and your password.

The App will then attempt to connect to the specified server of your Service Provider. Please note that the connection is usually logged on the contacted server. Please contact the service provider to determine the scope of the personal data and their handling of the logged data.

If the connection is successful, the App takes over the previously collected e-mail address and asks for the corresponding password in order to transmit both information to the Service Provider and initiate a so-called session. This session serves to grant you access to your e-mail inbox. The service provider then sends an identifier to your device to identify several related requests on your part and associate them with your session. The transmission of the data is necessary for the provision of the core function of the App and is based on Art. 6 Para. 1 lit. b) GDPR.

After successful log-in, the App stores the specified log-in data together with the server information in an access-protected area of the device. This data storage is based on your consent, which you give by pressing the log-in button (6 para. 1 lit. a) GDPR). For information on how to handle the data in the access-protected area of your device, please check the operating instructions and privacy policy of the device manufacturer and the provider of the installed operating system. There you will also find information on how long the data will be stored. Usually, you can also delete the data manually in the device settings. Otherwise, the data will be deleted if you uninstall the App, if your service provider rejects the initial log-in, or if you log-out of the App manually.

Contact data from the address book

The App provides you with an option to import your contacts. For this the App requests access to the data that you have stored in your address book on the device. This enables you to use the e-mail addresses stored there within the App. You can either grant or deny access in a query of the operating system of your device. The access is not necessary for the App to work - you can also deactivate the access later in the settings of your operating system. If you grant access by making the appropriate selection in the query, you give us your consent to data processing within the meaning of Art. 6 Para. 1 lit. a) GDPR.

User generated data

The main feature of the App is the ability to access a compatible e-mail-box from your service provider and to chat in real-time. The e-mails and messages stored there typically contain personal data such as names, e-mail addresses, and sensitive, sometimes highly personal data about you or others. E-mail or message attachments, such as photos, videos, audio files and documents, can also contain sensitive and highly personal data. Please always keep in mind that you are solely responsible for which e-mails or messages you send and which e-mails or messages sent and received you permanently store in your e-mailbox at your Service Provider or in the inbox of the App.

This processing procedure serves to guarantee the functionality of the App in accordance with its intended use and is based on Art. 6 para. 1 lit. b) GDPR. The data will be deleted on your device if you uninstall the App. Usually you can also delete the data in the settings of the device. If required contact your Service Provider to find out how to delete mail data at your Service Provider.

Cookies and tracking

The App does not use any tracking mechanisms that record your user behavior and does not leave any cookies on your device.


You can enable push notifications to get notified about new features. When your Service Provider provides a COI compliant email service, such notifications are transmitted in an encrypted way from your Service Provider to the App. Communication data such as the sender, subject or text of a message is encrypted at your Service Provider, then transmitted in an encrypted form to the service operated by Open-Xchange and hosted on German servers (hereinafter “Push Service”). The Push Service forwards the encrypted data to Google Firebase Cloud Messaging Service and/or Apple Push Notification Service which in turn forward the data to the App. At the App the communication is decrypted and shown to you on your device screen without the need to open the App.

By activating the push functionality, you consent to your Service Provider transmitting this data to the service (Art. 6 para. 1 lit. a) GDPR). Please read the privacy statements of Google, Inc., Apple, Inc. and your Service Provider for more information.

When the push functionality is activated, a unique key is generated to uniquely identify your mobile device, which is then transferred to your Service Provider. This is the only way your Service Provider and the Firebase Cloud Messaging or Apple Push Notification Service can identify your device and deliver push notifications.

This processing operation is necessary to make the push function available and finds its legal basis in Art. 6 para. 1 lit. b) GDPR.

When your Service Provider does not provide a COI-compatible e-mail-service, then the app can only query data in regular intervals. If you enable this feature, you can still get informed about new incoming messages, but such notifications will not be shown as quickly.

You can disable notifications at any time in the App’s settings.

The App itself or the e-mails may contain links to external websites that use cookies and/or tracking mechanisms. We have no control over this. We therefore cannot inform about this. Please refer to the privacy policy of the respective operator of the external website. This privacy statement only describes the data processing operations within the App.

Rights of data subjects

Please note in the following that the data displayed in the App is not stored on our servers, but on the servers of your Service Provider. The data stored in the App or on your device is also outside our control. If you would like to assert your rights from the General Data Protection Regulation in connection with the use of the App, we will still be happy to support you. In the first step, we will check your request to see whether we are the responsible party for your request or whether you would have to address your request to your service provider. In the following we will inform you about your rights, which you can exercise by sending a message to the address given below at section 6.

Right of access by the data subject

Upon request, we will confirm whether we process data about you and, if necessary, provide information on which categories of data are processed for which purpose, how long storage is intended and to which recipients the data is or was transferred to for which purpose (Art. 15 GDPR).

Right to rectification

If, while using the app, you discover that your personal data is outdated or otherwise incorrect, please contact us. If we are responsible, we will correct the data immediately upon your request. We also complete incomplete data if this is necessary and reasonable taking into account the purposes of the data processing (Art. 16 GDPR).

Right to erasure („Right to be forgotten“)

Upon request, we will delete your data immediately within the scope of our responsibility, if we are not prevented from doing so by legal storage periods. In this case, we will restrict access to the data accordingly. We will also delete your data, if available, if the purpose of the processing no longer applies or you withdraw your consent on which the processing is based on. Please note that it is easier for you to delete the data within the App yourself by selecting the functions described above on your device.

Right to restriction of processing

If your data is incorrect or is being processed unlawfully, you also have the right to obtain the restriction of processing these data for a period enabling us or the responsible party to verify the accuracy of the data or lawfulness of the processing. (Art. 18 GDPR). We will then, within the scope of our responsibility, ensure that the data is blocked accordingly.

Right to lodge a complaint

Furthermore, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is contrary to the General Data Protection Regulation.

Right to data portability

You also have the right to obtain your personal data in a structured, common and machine-readable format in order to transfer them to another controller (Art. 20 GDPR).


Please feel free to address data protection related questions or suggestions at any time. Please find our contact details below. There you can confirm, which of your personal data is stored on our servers, receive further information and exercise your rights to access, rectification, erasure, restriction or data portability.

You may contact the data protection department under:

Open-Xchange AG Data Protection Hohenzollernring 72 50672 Köln Germany E-Mail: privacy(at)

You can also contact our Data Protection Officer: JENTZSCH IT Rechtsanwaltsgesellschaft mbH Dr. Jana Jentzsch Alsterarkaden 13 20354 Hamburg mail(at)