Data Privacy Statement
Last updated: April 2022 Version 1.00000
1. Introduction
With the following data protection declaration, we would like to inform you of the types of your personal data we process, for what purposes, and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our service and on our websites, within external online presences, such as our social media profile.
The provisions of our data protection declaration listed here apply without restriction to all Sofile internet offers referenced here by word and internet link.
2. Contact Details
Our full contact details in accordance with the European GDPR can be found at the end of this Privacy Statement.
3. Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed according to consent and purpose of use:
- Inventory data (e.g., names, addresses)
- Content data (e.g., text input, photographs, videos)
- Contact data (e.g., e-mail)
- Meta/communication data (e.g., device information, IP addresses)
- Usage data (e.g., websites visited, interest in content, access times)
- Contract data (e.g., subject matter of contract, term, customer category)
- Payment data (e.g., bank details, invoices, payment history)
Categories of data subjects:
- Employees (e.g., employees, applicants, former employees)
- Business and contractual partners
- Interested parties
- Communication partners
- Customers
- Users (website visitors, users of our services)
Purposes of processing:
- Evaluation of visits, events
- Office and organizational procedures
- Direct marketing
- Interest-based and behavioral marketing
- Contact requests and communication
- Profiling (creation of user profiles)
- Reach measurement (access statistics, recognition of returning visitors)
- Security measures
- Tracking (interest/behavior-based profiling, use of cookies you allow)
- Contractual services, billing, and services
- Administration and response to inquiries
Applicable legal basis
In the following, we share the legal bases of the General Data Protection Regulation (GDPR) based on which we process personal data. If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in the data protection declaration.
- Consent (Art. 6 para. 1 p. 1 lit. a GDPR) – The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or purposes.
- Performance of a contract and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures carried out at the data subject’s request.
- Legal obligation (Art. 6 (1) p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR) – Processing is necessary to protect the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
4. Data security
Our service is secured in accordance with legal requirements: considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection for personal data appropriate to the risk.
Within the website visit, we use the widespread SSL (Secure Sockets Layer) procedure in conjunction with the highest encryption level supported by your browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
5. Transfer and disclosure of personal data
During our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks, or providers of additional services and content that are integrated into our service. In this case, we observe the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
Data transfer within the organization
Furthermore, we may transfer personal data to other companies within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and operational interests or is done if it is necessary to fulfill our contract-related obligations or if there is consent of the data subjects or a legal permission.
6. Data processing in third countries
We try to avoid it, but insofar as we need to process data in a third country (outside the European Union, the European Economic Area) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this is only done in accordance with the legal requirements.
7. Cookie statement
Cookies are files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie is primarily used to store information about a user during or after his visit within an online offer. The stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. We further include in the term cookies other technologies that perform the same functions as cookies, such as user IDs.
The following cookie types and functions are distinguished:
- Temporary cookies (also: session cookies): temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
- Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the interests of users used for reach measurement or marketing purposes can be stored in such a cookie.
- First-party cookies: First-party cookies are set by us.
- Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
- Necessary cookies (also: essential or absolutely necessary cookies): Cookies may be absolutely necessary for the operation of a website (e.g., to store logins or other user input or for security reasons).
- Statistical, marketing, and personalization cookies: Furthermore, cookies are generally also used in the context of reach measurement and when a user’s interests or behavior (e.g., viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as “tracking,” i.e., tracing the potential interests of users. To the extent that we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.
The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent (Art. 6 (1) p. 1 lit. a GDPR). Otherwise, the data processed with the help of cookies is processed based on our legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) or if the use of cookies is necessary to fulfill our contractual obligations (Art. 6 para. 1 p. 1 lit. b GDPR).
Unless we provide you with explicit information about the storage period of permanent cookies, please assume that the storage period can be up to four years. You can’t decline to provide cookies.
Before we process or have processed data in the context of the use of cookies, we ask users for consent that can’t be revoked. At most, cookies that are necessary for the operation of our online offer are used. Their use is based on our interest and the interest of users in the expected functionality of our online offer.
Types of data processed: Usage data (e.g., web pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Data subjects: Users (e.g., website visitors, users of online services).
Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
8. Services
We process data of our contractual and business partners and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually to respond to inquiries). We process this data to fulfill our contractual obligations, to secure our rights, and for the purposes of the administrative tasks associated with this information as well as for the business organization. Within the framework of the applicable law, we only pass on the data of the contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). You will be informed about further forms of processing below in this declaration. We inform the contractual partners in each case which data is required for the aforementioned purposes before or as part of the data collection.
We delete the data after the expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes generally 10 years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.
If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.
9. User account
Contractual partners can create an account within our online offer upon request. Customer accounts are not public, are protected, and cannot be indexed by search engines.
10. Offering of software, platform, and services
We process the data of our users, registered users, and any demanders (users) to be able to provide our contractual services to them as well as on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further. The required information is identified as such in the context of the order, purchase order, or comparable contract conclusion and includes the information necessary for the provision of services and billing as well as contact information to be able to hold any consultations.
● Types of data processed: inventory data (e.g., names, addresses, as well as via AWS Cognito), payment data (via Paddle.com), contact data (e.g., email, phone numbers), contract data (e.g., subject matter of contract, term, customer category, as well as via AWS Cognito), usage data (via AWS Cognito), meta/communication data (e.g., device information, IP addresses).
● Data Subjects: Prospective customers, business and contractual partners, customers.
● Purposes of processing: contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, security measures.
● Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
11. Use of online platforms
We offer our services on online platforms operated by other service providers. In this context, the data protection notices of the respective platforms apply in addition to our data protection notices. This applies in particular regarding the reach measurement and interest-based marketing methods used on the platforms.
● Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
● Data subjects: Customers.
● Purposes of processing: Contractual performance and service.
● Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
12. Payment service providers
In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers for this purpose in addition to banks and credit institutions. The data processed by the payment service providers may include inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions necessary for contractual fulfillment. However, the data entered is only processed by the payment service providers and stored with them. We only receive information with confirmation or negative information of the payment, i.e., no personal information. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. This transmission is for the purpose of checking identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection notices of the payment service providers.
For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.
● Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
● Data subjects: Customers, interested parties.
● Purposes of processing: Contractual performance and service.
● Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We currently use Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom, exclusively as another payment service provider. Data protection information and general terms and conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://paddle.com/privacy.
13. Providing the service and web hosting
To provide our Service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the Service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services. The data processed as part of the provision of the hosting service may include all information relating to the users of our service, which is generated during use and communication. This regularly includes the IP address, which is necessary to provide the content of our services, and all entries made within our services or from websites, as well as the metadata packages for the use of our services.
- Types of data processed: inventory data (names, addresses), contact data, content data (text inputs, photographs, videos), usage data, meta/communication data.
- Data subjects: Customers, employees (e.g., employees, applicants, former employees), prospective customers, communication partners.
- Purposes of processing: office and organizational procedures.
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We use the following third-party providers for this purpose:
- Amazon Web Services: Cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA, (collectively AWS), parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA; website: https://www.amazon.de; privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice-GERMAN_2020-01-24.pdf; Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.
14. Collection of access data and log files
We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses, and the requesting provider.
- Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
- Data subjects: Users (e.g., website visitors, users of our service).
- Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
15. Registration, login, user, and user account
Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of the fulfillment of contractual obligations. The processed data includes the login information (name, password, and e-mail address). The data entered during registration is used for the purposes of using the user account and its purpose.
Within the scope of the use of our registration and login functions as well as the use of the user account, we or the third-party provider AWS Cognito store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to other third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.
- Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: contractual performance and service, security measures, administration, and response to inquiries.
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We currently use AWS Cognito Privacy Notice and Terms and Conditions:
16. Contacting us
When contacting us (via contact form, email, telephone or via social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures. The response to contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.
- Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
- Data subjects: Communication partners
- Purposes of processing: contact inquiries and communication, administration, and response to inquiries
- Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
17. Notifications
We may send emails and other electronic notifications. Our notices may contain information about our services, technical information, and information about ourselves. By default, when registering, you agree to receive notifications. To unsubscribe from our notifications, it is usually sufficient to use the link 'Unsubscribe' inside the notification. Then your email will be excluded from the mailing list. However, we will send you emails with critical information.
18. Website analysis and optimization
Web analytics (also referred to as “reach analysis”) is used to evaluate the flow of visitors to our service offering and may include behavior, interests or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online service or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization. In addition to web analysis, we may also use test procedures, for example, to test and optimize different versions of our online offering or its components. For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose may be used. This information may include, for example, content viewed, websites visited and elements used there, and technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.
The IP addresses of users are also stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
- Types of data processed: Usage data and usage times
- Data subjects: Users (e.g., website visitors, users of our services).
- Purposes of processing: reach measurement, tracking, visit action evaluation, profiling, interest-based and behavioral marketing.
- Security Measures: IP masking
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
For this purpose, we use Yandex.Metrica: 16 Lva Tolstogo St., Moscow 119021, Russia (“YANDEX” LLC). The general terms and conditions and data protection information for this service can be found at https://metrica.yandex.com/about/info/privacy-policy
19. Design, organization, implementation, and auxiliary tools
Based on our legitimate interests in the economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR, we use services, platforms, and software of others for purposes of organization, administration, planning as well as provision of our services. When selecting third-party providers and their services, we observe the legal requirements. In this context, personal data may be processed and stored on the servers of third-party providers. This may involve various data that we process in accordance with this privacy policy. This data may include master data and contact data of users, data on transactions, contracts, other processes, and their contents. If users are referred to the third-party providers or their software or platforms during communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore explicitly ask you to observe the data protection notices of the respective third-party providers.
- Types of data processed: inventory data (e.g., names, addresses), contact data, content data (text input, photographs, videos, etc.), meta/communication data.
- Data subjects: Communication partners, users (e.g., website visitors, users of our services).
- Purposes of processing: contact requests and communication
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We use the following service providers for this purpose:
- Amazon Web Services: Cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA, (collectively AWS), parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA; website: https://www.amazon.com; privacy policy: https://aws.amazon.com/legal.
- Paddle.com Market Limited: 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom. Paddle Ltd. privacy notice and terms and conditions can be found at https://paddle.com/gdpr and https://paddle.com/privacy.
20. Erasure of personal data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting its processing are revoked or other permissions cease to apply (for example, the purpose of processing this data no longer applies or the need for it no longer exists). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. For more detailed information, please refer to the explanations in the respective sections of this privacy policy.
22. Rights of the data subject
You have the right:
- in accordance with Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. This has the consequence that we may no longer continue the data processing, which was based on this consent, for the future;
- in accordance with Art. 15 GDPR, to request information about your personal data processed by us;
- pursuant to Art. 16 GDPR, to request without undue delay the rectification of inaccurate or incomplete personal data held by us;
- pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
- pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 GDPR;
- pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request the transfer to another controller; and
- in accordance with Art. 77 GDPR, to complain to a supervisory authority.
● Right to object
If your personal data is processed based on legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, for example, if there are grounds for doing so that arise from your situation. If you wish to exercise your right to object, an e-mail to info@sofile.io will suffice.
● Name and address of the data controller:
Sofile Tech LLC
59 Komitas, ap. 205, Yerevan, Armenia, 0014
E-mail address: info@sofile.io
Phone: +374 55799406
Domain: https://app.sofile.cloud
23. Topicality and change of this data protection statement
Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification. You can access and print out the current data protection declaration on the website at any time.