Privacy Policy for Haiilo Services

I. Applicability

In the following, we provide information about the collection of personal data in the context of the software solutions provided by Haiilo in the cloud and other services. This Privacy Policy ("Privacy Policy") applies to the respective contracting group company of the Haiilo Group ("Haiilo", "we" or "us"). 

Depending on the service, Haiilo is either a Processor or a Controller. As a Processor (see section II.), we process your personal data on behalf of your employer, who in this case is the Controller. In this case, please contact your employer directly with any questions. Information on the processing operations of Haiilo as the Controller can be found under section III.

II. Processing operations of Haiilo as a Processor 

Our software is intended for use by companies and is used for communication and collaboration. If our software is provided to you through your employer, they are the Controller of your personal data and you must contact them with any questions or requests regarding your personal data, as we are not authorized to answer them. Haiilo is not responsible for the privacy or security practices of your employer, which may differ from this Privacy Policy. We collect data under the direction of your employer and have no direct relationship with individual users of the software. The use of data collected through our services is limited to the purpose of providing the service for which your employer has engaged a member of the Haiilo Group.

1. Types of Personal data

In order to make the software available to your employer (and therefore also to you), we are regularly commissioned by your employer to process the following personal data:

a) Profile data

To use the software, you only need to provide your name and e-mail address. You and/or your employer can also add further profile data.

b) Access data

In order to display the software and ensure stability and security, so-called log files are required to be automatically collected from your end device. These include the IP address, the browser used, the operating system of the end device used, the network, the date and time of access, the website from which the request comes or the amount of data transferred.

c) Communication data

The Haiilo software offers you the opportunity to post your own content, comment on other people's content or communicate with your employees and colleagues via the chat.

d) Cookies

A session cookie and a Remember Me cookie are used in the Haiilo software. The session cookie stores a so-called session ID, which is used to validate access authorization. This allows your computer to be recognized when you return to the website. The session cookie is required for security and licensing reasons and is deleted when you log out or otherwise after 30 days. The Remember Me cookie prevents you from receiving an email indicating the first use of the device each time you log in. For security and usability reasons, a user ID and a timestamp are stored for a maximum of one year.

e) Local storage

When Local Storage is used, data is stored locally in your browser's cache, which can be read even after the browser window has been closed or the program has been exited - unless you delete the cache. Local Storage enables us to save your preferences when using the Haiilo software on your computer so that they are available when you visit again. For this purpose, we store metadata to improve the UX (e.g. sorting order, last used emojis, etc.)

f) Metadata

Metadata may also be collected. To protect your privacy, data that may allow a reference to you is pseudonymized and processed in accordance with the latest security standards. 

The data can be made available to your employer in the analysis tool. This gives them the opportunity to measure platform activity. This is done exclusively anonymously in a graphically prepared format. Data records consisting of data from fewer than 12 users are not analyzed. These measures make it impossible for your employer to assign the data to a specific user. 

In some cases, metadata is also used to display a so-called leaderboard.

g) Further data

If you connect Haiilo Software to your social media accounts via the Advocacy Tool, we will also process the URL of the profile picture of the relevant social network and the relevant authentication token.

2. Use of AI

An AI component can be used to create new content, summarise posts, answer questions and convert textual data into natural language. 

Your employer has the option to enable their own provider and license to be used within the Haiilo software via an interface, or using the Haiilo AI Turnkey Solution.

For the Haiilo AI Turnkey Solution, Haiilo uses the AI services from Google (Google Vertex AI platform). Only data that is related to the specific prompt / user interaction is transmitted and processed. There is no blanket data transfer without user interaction. The data is transmitted exclusively via an encrypted connection. Google does not use any data to further train or optimise their AI model.

3. Storage Duration

You have the option of deleting your own content in the Haiilo software at any time. A complete deletion of the user account is not feasible, also to enable reactivation if necessary. However, your employer has the option of defining a deadline for the deletion of your account, after which the personal data will be automatically anonymized. After this time, it will no longer be possible to identify you and it will not be possible to restore your data.

If you decide to delete your account, your posted content and comments will be retained for the time being. However, your user name will be anonymized under each post or comment and displayed as "deleted user". If you would like to have specific content you have shared deleted, please contact your responsible internal super admin.

III. Processing operations by Haiilo as the Controller

1. Crash notification

Apps can crash or fail to load properly ("crash"). To detect such app crashes, we use the "Firebase Crashlytics" service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Crash logs are processed with information for analysis. In the event of a crash, anonymous information is collected and transmitted (status of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the cell phone, last log messages). This information does not contain any personal data.

This data is encrypted both for transmission and in idle state during storage and is automatically deleted after 90 days.

Crashlytics can be switched off by your admin. To do so, they must contact our support team via the ticket system.

The legal basis for data processing with Google Firebase is Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in the optimization and economic operation of our apps and data processing is necessary to safeguard this interest. The processing is necessary from a technical point of view, as it helps us to adapt the scaling requirements. Furthermore, it is only high-level data that does not go beyond pure statistics. The information collected with Firebase about the use of our apps is transmitted to us via Google in Ireland. The data is only collected anonymously. It is not linked to other user data.

In principle, the Google Firebase server is hosted in Europe. As Google is a US company, it cannot be ruled out that data will be transferred to the USA. The data is pseudonymized, i.e. stored anonymously on the servers, so it is not possible to draw any conclusions about the user's identity.

Further information on data protection and data security at Firebase can be found here:

– https://firebase.google.com/support/privacy/ 

– https://docs.fabric.io/apple/fabric/data-privacy.html#crashlytics 

– https://support.google.com/firebase/answer/6318039 

2. Newsletter

The customer designates one or more contact persons or administrators who will receive a newsletter with information or updates about the product at regular intervals. The name and e-mail address are processed for this purpose. 

The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR for the fulfillment of the contract. 

The newsletter is sent using the "Hubspot" software from HubSpot, Inc, 25 First Street, Cambridge, MA 02141 USA. Further data protection information about this provider can be found at https://legal.hubspot.com/de/privacy-policy 

The data will be stored by us for the duration of the existing contractual relationship and then deleted.

3. Research Community

When you register for the Haiilo Research Community, we process your first and last name, your e-mail address, the name of your company and the feedback you provide. This data is collected and processed for the purpose of planning and conducting feedback interviews on product development. 

For the registration we use the software "Typeform" of TYPEFORM SL, Calle de Pallars 108 (Aticco), 08018 - Barcelona (Spain). You can find further data protection information about this provider at https://admin.typeform.com/to/dwk6gt?typeform 

This data is then stored using the "Hubspot" software from HubSpot, Inc, 25 First Street, Cambridge, MA 02141 USA. You can find further data protection information about this provider at https://legal.hubspot.com/de/privacy-policy 

The data processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

The interviews are conducted via a video chat client of your choice.

With your consent, the interview can be recorded and analyzed using the "Dovetail" software from Dovetail Research Pty Ltd, Level 1, 276 Devonshire Street, Surry Hills, Sydney, 2010 NSW, Australia. You can find further data protection information about this provider at https://dovetail.com/help/privacy-policy/   

The data will be stored for the duration of the user account in the Research Community and deleted after the account is deleted.

4. Client Community

If you are part of the Client Community, we process your first and last name, your email address, the name of your company and, if applicable, other personal data that you share within the Client Community.

The data processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

The data will be stored in the Client Community for the duration of the user account and deleted after the account is deleted.

IV. Contact

Haiilo GmbH, Gasstraße 6, 22761 Hamburg, Germany (see our legal notice) is the Controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) and the contact for asserting the rights mentioned in V. You can reach our data protection officer at dpo@haiilo.com  or at our postal address with the addition "the data protection officer".

V. Your rights

If personal data is processed by us as the Controller, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and purpose of the processing, in particular the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR) and the right to object (Art. 21 GDPR). If the processing of personal data is based on your consent, you have the right to withdraw this data protection consent in accordance with Art. 7 III GDPR.

Please contact our data protection officer (see IV.) to assert your rights as a data subject with regard to the processed data.

VI. Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.