We are pleased that you have chosen to download and install our OX COI Messenger (hereinafter referred to as “App”). The protection of your personal data is an important topic for us and we will protect your privacy and treat your data confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable law.
As a rule, personal data is only processed for the purpose of providing the service of the App. This refers to data that is technically necessary for the operation of the service (e.g. user name or e-mail address).
In addition, your data will only be processed and used for other purposes if there is a legal legitimation or if you have consented to its use. Your data will not be processed if these conditions are not met.
Personal data are any information about personal or factual circumstances of an identified or identifiable natural person. Anonymized or statistical data which could not be related to you or could only be related to you with disproportionate effort are not personal data.
In the following sections we will guide you through the individual processing procedures, explain the respective purpose and the corresponding legal basis.
To establish a connection, the App first asks for your Email address and your password.
The App will then attempt to connect to the specified server of your Service Provider. Please note that the connection is usually logged on the contacted server. Please contact the service provider to determine the scope of the personal data and their handling of the logged data.
If the connection is successful, the App takes over the previously collected e-mail address and asks for the corresponding password in order to transmit both pieces of information to the Service Provider and initiate a so-called session. This session serves to grant you access to your e-mail inbox. The Service Provider then sends an identifier to your device to identify several related requests on your part and associate them with your session. The transmission of the data is necessary for the provision of the core function of the App and is based on Art. 6 Para. 1 lit. b) GDPR.
The App provides you with an option to import your contacts. For this the App requests access to the data that you have stored in your address book on the device. This enables you to use the e-mail addresses stored there within the App. You can either grant or deny access in a query of the operating system of your device. The access is not necessary for the App to work - you can also deactivate the access later in the settings of your operating system. If you grant access by making the appropriate selection in the query, you give us your consent to data processing within the meaning of Art. 6 Para. 1 lit. a) GDPR.
The main feature of the App is the ability to access a compatible e-mail-box from your service provider and to chat in real-time. The e-mails and messages stored there typically contain personal data such as names, e-mail addresses, and sensitive, sometimes highly personal data about you or others. E-mail or message attachments, such as photos, videos, audio files and documents, can also contain sensitive and highly personal data. Please always keep in mind that you are solely responsible for which e-mails or messages you send and which e-mails or messages sent and received you permanently store in your e-mailbox at your Service Provider or in the inbox of the App.
This processing procedure serves to guarantee the functionality of the App in accordance with its intended use and is based on Art. 6 para. 1 lit. b) GDPR. The data will be deleted on your device if you uninstall the App. Usually you can also delete the data in the settings of the device. If required, contact your Service Provider to find out how to delete mail data at your Service Provider.
The App does not use any tracking mechanisms that record your user behavior and does not leave any cookies on your device.
You can enable push notifications to get notified about new features. When your Service Provider provides a COI compliant email service, such notifications are transmitted in an encrypted way from your Service Provider to the App. Communication data such as the sender, subject or text of a message is encrypted at your Service Provider, then transmitted in an encrypted form to the service operated by Open-Xchange and hosted on German servers (hereinafter “Push Service”). The Push Service forwards the encrypted data to Google Firebase Cloud Messaging Service and/or Apple Push Notification Service which in turn forward the data to the App. At the App the communication is decrypted and shown to you on your device screen without the need to open the App.
By activating the push functionality, you consent to your Service Provider transmitting this data to the service (Art. 6 para. 1 lit. a) GDPR). Please read the privacy statements of Google, Inc., Apple, Inc. and your Service Provider for more information.
When the push functionality is activated, a unique key is generated to uniquely identify your mobile device, which is then transferred to your Service Provider. This is the only way your Service Provider and the Firebase Cloud Messaging or Apple Push Notification Service can identify your device and deliver push notifications.
This processing operation is necessary to make the push function available and finds its legal basis in Art. 6 para. 1 lit. b) GDPR.
When your Service Provider does not provide a COI-compatible e-mail service, the App can only query data at regular intervals. If you enable this feature, you can still get informed about new incoming messages, but such notifications will not be shown as quickly.
You can disable notifications at any time in the App’s settings.
Please note in the following that the data displayed in the App is not stored on our servers, but on the servers of your Service Provider. The data stored in the App or on your device is also outside our control. If you would like to assert your rights under the General Data Protection Regulation in connection with the use of the App, we will still be happy to support you. In the first step, we will check your request to see whether we are the responsible party for your request or whether you would have to address your request to your Service Provider. In the following we will inform you about your rights, which you can exercise by sending a message to the address given below in section 6.
Upon request, we will confirm whether we process data about you and, if necessary, provide information on which categories of data are processed for which purpose, how long storage is intended and to which recipients the data is or was transferred for which purpose (Art. 15 GDPR).
If, while using the app, you discover that your personal data is outdated or otherwise incorrect, please contact us. If we are responsible, we will correct the data immediately upon your request. We also complete incomplete data if this is necessary and reasonable taking into account the purposes of the data processing (Art. 16 GDPR).
Upon request, we will delete your data immediately within the scope of our responsibility, if we are not prevented from doing so by legal storage periods. In this case, we will restrict access to the data accordingly. We will also delete your data, if available, if the purpose of the processing no longer applies or you withdraw your consent on which the processing is based. Please note that it is easier for you to delete the data within the App yourself by selecting the functions described above on your device.
If your data is incorrect or is being processed unlawfully, you also have the right to obtain the restriction of processing these data for a period enabling us or the responsible party to verify the accuracy of the data or lawfulness of the processing (Art. 18 GDPR). We will then, within the scope of our responsibility, ensure that the data is blocked accordingly.
Furthermore, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is contrary to the General Data Protection Regulation.
You also have the right to obtain your personal data in a structured, common and machine-readable format in order to transfer them to another controller (Art. 20 GDPR).
Please feel free to address data protection related questions or suggestions to us at any time. Please find our contact details below. There you can confirm which of your personal data is stored on our servers, receive further information and exercise your rights to access, rectification, erasure, restriction or data portability.
You may contact the data protection department under:
Open-Xchange AG
Data Protection
Hohenzollernring 72
50672 Köln
Germany
E-Mail: privacy(at)open-xchange.com

You can also contact our Data Protection Officer:

JENTZSCH IT Rechtsanwaltsgesellschaft mbH
Dr. Jana Jentzsch
Alsterarkaden 13
20354 Hamburg
mail(at)jentzsch-it.de