Privacy policy from Cozero

Cozero Privacy policy

1. General Information

1.1 We, Cozero GmbH (hereinafter: "We" or "Cozero"), would like to inform you about the processing of personal data when visiting our website, applying to our company, using our services, participating in digital events, and contacting us.Cozero (or "we") is a business-to-business software-as-a-service platform that allows its customers to collect & analyze a company’s activity and emission data, to scout and plan emission reduction measures and to engage the most relevant stakeholders into the transformational process towards a low-carbon business. If you'd like to talk to us directly about privacy-related topics, our contact details follow in the next section of this Privacy Policy.

‍1.2 The terms used below have the same meaning as in the General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR").

‍

2. Data Controller

The entity responsible for the processing of personal data pursuant to Art. 4 No. 7 GDPR is:

Cozero GmbH

Zionskirchstraße 73a, 10119 Berlin, Germany

‍

3. Data Protection Officer

For all questions and as a contact person regarding data protection, our Data Protection Officer is available at any time. The contact details are:

Cozero GmbH

Zionskirchstraße 73a, 10119 Berlin

Germany

E-Mail: privacy@cozero.io

‍

4. Rights of Data Subjects

4.1 You have the following rights regarding the processing of your personal data, which you may exercise against us at any time:

(a) Pursuant to Art. 15 GDPR, request information about the data we process. In particular, you may request information about the purposes of processing, the categories of data, the categories of recipients to whom your data has been disclosed or will be disclosed, the planned retention period, the existence of rights to rectification, erasure, restriction of processing or objection, the existence of a right to file a complaint, the origin of the data (if it was not collected by us), as well as the existence of automated decision-making including profiling and, where applicable, meaningful information about its details.

(b) Pursuant to Art. 16 GDPR, request without undue delay the rectification of inaccurate data or the completion of your personal data stored by us.

(c) Pursuant to Art. 17 GDPR, request the erasure of your personal data stored by us, unless processing is required for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

(d) Pursuant to Art. 18 GDPR, request the restriction of the processing of your data, insofar as the accuracy of the data is contested by you or the processing is unlawful.

(e) Pursuant to Art. 20 GDPR, receive the data you have provided to us in a structured, commonly used, and machine-readable format, or to request the transmission of the data to another controller (“data portability”).

(f) Pursuant to Art. 21 GDPR, object to the processing of your personal data, provided the processing is based on Art. 6(1)(e) or (f) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims. If your objection concerns the processing of data for direct marketing purposes, we will immediately stop such processing. This also applies to profiling, insofar as it is connected with direct marketing.

(g) Pursuant to Art. 7(3) GDPR, withdraw at any time any consent you have previously given to us. This means that we may no longer continue the data processing that was based on this consent in the future.

(h) Pursuant to Art. 77 GDPR, file a complaint with a supervisory authority. As a rule, you may contact the supervisory authority at your usual place of residence, place of work, or at our company’s registered office.

4.2 We point out that, for the processing of your request and for identification purposes, we will process your personal data pursuant to Art. 6(1)(c) GDPR.

‍

5. Visiting the Website

‍5.1 When you access our websites, the following categories of personal data are collected, stored, and further processed by us:

(a) Scope of Data Processing

When you visit our websites, a so-called log data record (server log files) is temporarily stored on our web server in an anonymized way. This consists of:

the page from which the website was requested (referrer URL),
the name and URL of the requested page,
the date and time of access,
the description of the type, language, and version of the web browser used,
the IP address of the requesting computer, shortened so that a personal reference is no longer possible,
the amount of data transferred,
the browser,
the operating system,
the status message indicating whether the request was successful (access status/HTTP status code),
the GMT time zone difference.

(b) Purpose of Data Processing

The storage of log data for the duration of the session is necessary to display our website to you. Processing also serves to ensure the permanent functionality and security of our websites and IT systems.

(c) Legal Basis of Data Processing

The legal basis for processing the log data is Art. 6(1)(f) GDPR, based on our legitimate interest in achieving the purposes described above.

(d) Recipients of the Data

We use external service providers for the operation of the website, who process personal data strictly in accordance with instructions under a data processing agreement pursuant to Art. 28 GDPR. For hosting the website, we use the following providers: Webflow Inc., 398 11th St, 2nd Floor, San Francisco, CA 94103, USA and Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg.

(e) Retention Period

Log data is stored for 24 hours and then deleted, unless it must be retained longer to trace an identified attack in exceptional cases.

5.2 On our websites, we use a tracking tool that does not use cookies but counts users through IP addresses. For this purpose, we use: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia.

‍

6. Cozero Application

Below we inform you how we process data of our customers or employees of our customers. This also applies to potential customers who are interested and receive trial access to the platform, as well as contact persons at suppliers who create user accounts. The data controller in each case is the company that is our customer. We act as a processor.

Creating a user account for individuals is necessary to use the Cozero application. User accounts require that organizations are customers of Cozero, unless it is a trial access. Customers may create user accounts for their employees and for third parties, in particular their service providers, in order to enable the exchange of CO₂-related data via Cozero.

In further business communication with us, particularly in the context of supplier data management within the Cozero application, Cozero users can create suppliers including specifying the company name and a contact person.

The designated supplier contact persons then receive an email request to provide their customer with the requested data via Cozero. For this purpose, they can log into the Cozero application, where a user account is created, enter the requested data, and share it with their customer via Cozero.

6.1 Scope of Data Processing

In the course of our business relationship with you as a business partner or as an employee of a business partner, we process the data that we receive from you or your employer. When creating a new user, personal data such as name, job title, and email address are collected. In this context, we process the following categories of data:

Professional contact and organizational data: e.g., name, first name, title, academic degree, gender, name of the company you represent, department, business email address, postal address, telephone number.
Data relating to professional circumstances: e.g., job title, tasks, activities, qualifications.
Other: In addition, we may process further data that you provide during interaction with our employees, or that we have lawfully collected about you from publicly available sources (e.g., commercial register).

6.2 Purpose of Data Processing

Your data is processed by us for the purpose of establishing and carrying out the contractual relationship with our business partner, as well as for fulfilling legal requirements.

6.3 Legal Basis of Data Processing

The legal basis for the processing is the data processing agreement in place.

6.4 Recipients of the Data

At our company, only those persons have access to your data who need it for the purposes described above. On the basis of agreements pursuant to Art. 28 GDPR, personal data may be processed by external service providers (e.g., support, hosting, or analytics providers). These external service providers have been carefully selected and commissioned by us. They are contractually bound to follow our instructions, implement appropriate technical and organizational measures to protect the rights of data subjects, and are regularly monitored by us.

(a) The external service providers of our Cozero application can be found here:: https://www.cozero.io/subprocessors

6.5 Retention Period

(a) The data mentioned will be stored by us for as long as we need it for the specific processing purpose. As a rule, we store your data at least for the duration of our business relationship with you or with the business partner for whom you work.

(b) Certain data will also be stored for the duration of statutory limitation periods (generally three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g., under the German Commercial Code or the Fiscal Code) require (generally, however, no more than ten years).

(c) In certain circumstances, we may be required to retain your data for a longer period. This may be the case, for example, if deletion of the data is prohibited for the duration of an official or judicial proceeding.

‍

7. Business Communication

Below we inform you how we process general business communication data of our business partners or employees of our business partners.

7.1 Scope of Data Processing

In the course of our business relationship with you as a business partner or as an employee of a business partner, we process the data that we receive from you or your employer. This includes, in particular, data that we obtain when you are in contact with our employees. In this context, we process the following categories of data:

(a) Professional contact and organizational data: e.g., name, first name, title, academic degree, gender, name of the company you represent, department, business email address, postal address, telephone number.

(b) Data relating to professional circumstances: e.g., job title, tasks, activities, qualifications.

(c) Other: In addition, we may process further data that you provide during interaction with our employees, or that we have lawfully collected about you from publicly available sources (e.g., commercial register).

7.2 Purpose of Data Processing

Your data is processed by us for the purpose of establishing and carrying out the contractual relationship with our business partner, as well as for fulfilling legal requirements.

7.3 Legal Basis of Data Processing

a) If you are personally our business partner, processing takes place on the basis of Art. 6(1)(b) GDPR for the performance or initiation of a contract.

(b) For the purpose of complying with legal obligations, processing is carried out on the basis of Art. 6(1)(c) GDPR in conjunction with statutory and regulatory requirements (for example, from tax or commercial law).

(c) If you are an employee of one of our business partners, your data will be processed on the basis of our overriding legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in the effective and practical cooperation with our business partners and their employees.

7.4 Recipients of the Data

Within our company, only those persons have access to your data who require it for the purposes described above. On the basis of agreements pursuant to Art. 28 GDPR, personal data may also be processed by external service providers (e.g., support, hosting, or analytics providers). These external service providers have been carefully selected and commissioned by us. They are contractually bound to follow our instructions, implement suitable technical and organizational measures to protect the rights of the data subjects, and are regularly monitored by us.

We use the following services in connection with contract performance (support, billing, etc.):

(a) HubSpot, 25 First Street, Cambridge, MA 02141 USA.

(b) MIRO, Schönhauser Allee 9, 10119 Berlin, Germany.

(c) DHPG, Jean-Monnet-Straße 2, 10557 Berlin, Germany.

(d) Google Ireland Limited, Gordon House Barrow Street 4, Dublin, Irland.

(e) Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland.

(f) Notion Labs, Inc. 2300 Harrison Street San Francisco, CA 94110, USA.

(g) Docusign Germany GmbH Mies-van-der-Rohe-Straße 6, 80807 Munich, Germany.

(h) DATEV eG Paumgartnerstr. 6 – 14, 90429 Nuremberg, Germany.

(i) Linear Orbit, Inc. 2261 Market St STE, 10632 San Francisco, USA.

(j) Stripe Payments Europe, Limited, 1 Grand Canal Street Lower Dublin, Ireland.

7.5 Retention Period

‍

8. Contact Form

8.1 Scope of Data Processing

When you use our contact form to get in touch with us, we process the personal data you provide in this context.

8.2 Purpose of Data Processing

The purpose of processing is to establish the contact you requested and to provide the information you asked for.

8.3 Legal Basis of Data Processing

If the contact is made for the initiation or performance of a contract, the legal basis is Art. 6(1)(b) GDPR.

If the contact does not serve a (pre-)contractual purpose, the processing is based on our legitimate interests (e.g., for general communication, answering questions) pursuant to Art. 6(1)(f) GDPR.

8.4 Recipients of the Data

Within our company, only those persons who require access for the purposes described above have access to your data. On the basis of agreements pursuant to Art. 28 GDPR, personal data may also be processed by external service providers (e.g., support, hosting, or analytics providers). In this case: Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luxembourg; Hubspot, 25 First Street, Cambridge, MA 02141, USA.

8.5 Retention Period

The data will be stored for as long as necessary to respond to your inquiry. If this results in a contract, the data will be stored in accordance with the preceding section. Otherwise, we will retain the data for the duration of statutory retention periods and then delete it.

‍

9. Marketing Emails

9.1 We occasionally send emails with marketing content. In this context, we generally process the following data:

(a) Name, first name, title/form of address

(b) Job position and company affiliation

(c) Email address

(d) Information on whether and when the email was opened, and which content in the email was clicked, if applicable

9.2 We send marketing emails for promotional purposes. If a business relationship already exists and our marketing measure relates to similar services, the legal basis is Art. 6(1)(f) GDPR (legitimate interests). Otherwise, we obtain prior consent, in which case the legal basis is Art. 6(1)(a) GDPR.

9.3 For the sending and evaluation of marketing emails, we use the service provider HubSpot, 25 First Street, Cambridge, MA 02141 USA. We have a data processing agreement in place with HubSpot pursuant to Art. 28 GDPR.

9.4 You may object to receiving marketing emails at any time and without providing reasons. To do so, click the unsubscribe link contained in each marketing email or contact us via the contact details provided above.

‍

10. Webinars

10.1 We occasionally conduct webinars. To participate in these webinars, you must register. In this context, we generally process the following data:

(a) Name, first name, title/form of address

(b) Job position and company affiliation

(c) Email address

(d) IP addresses

10.2 The legal basis is Art. 6(1)(f) GDPR. Our legitimate interests lie in the professional organization of digital events and product presentations, in strengthening customer relationships through regular webinars, and in analyzing and optimizing content based on participant behavior.

10.3 For handling webinar registrations, we use the service provider Livestorm, 16, rue Cuvier, 69006 Lyon, France.‍

‍

11. Video Conferencing Tools

11.1 To conduct video and audio conferences, webinars, and other types of online meetings, we use third-party video conferencing tools. The following categories of data may be processed in this context:

(a) Master data (e.g., names, addresses)

(b) Contact data (e.g., email addresses, telephone numbers)

(c) Content data (e.g., text entries, photographs, videos)

(d) Metadata/communication data (e.g., device information, IP addresses)

11.2 The data is processed for the purpose of setting up and carrying out online meetings or video conferences. Processing takes place on the basis of Art. 6(1)(b) GDPR (performance of a contract) or, where applicable, on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interests lie in efficient and secure communication with our communication partners.

11.3 We have data processing agreements in place with the providers of video conferencing solutions pursuant to Art. 28 GDPR.

‍

12. Job Applications

If you would like to become part of our team and apply to us, we process your personal data as follows:

12.1 Scope of Data Processing

During the application process, we process the following categories of data:

(a) Private contact and identification data, e.g., name, first name, academic title, gender, email address, postal address, and telephone number

(b) Data about professional qualifications, e.g., school and educational background, language skills, place of study or training, certificates

(c) Curriculum vitae and the data it contains

(d) Other data provided as part of the application

12.2 Purpose of Data Processing

Application data is processed exclusively for the purpose of carrying out the application process.

12.3 Legal Basis of Data Processing

The legal basis for processing is Section 26(1) BDSG and Art. 6(1)(b) GDPR.

12.4 Recipients of the Data

Application documents are received by the contact person named in the job posting and are internally forwarded to other employees responsible for the application process. We use external service providers for the application process who strictly process personal data on the basis of a data processing agreement pursuant to Art. 28 GDPR. For the recruitment procedure, we use the following service providers:

(a) Teamtailor AB, Östgötagatan 16, 11621 Stockholm, Sweden.

(b) Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, USA.

(c) Humaans, 5-9 Quality Ct, London WC2A 1HP, United Kingdom.

(d) Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland.

(e) Google Ireland Limited, Gordon House Barrow Street 4, Dublin, Ireland.

12.5 Retention Period

If an employment relationship is established, we will continue to process the application data for the purposes of the employment relationship. Details will be provided in the privacy notice for employees. If no employment relationship results, we generally store application data for a period of six months from the time of rejection. The application documents are then deleted.

‍

13. Social Media

13.1 We operate various profiles on social media in order to provide information there and to communicate with you. Please note that the respective social media providers may store cookies in your browser, in which your usage behavior is recorded for market research and advertising purposes. These usage profiles may also be created across multiple devices. The platform operators evaluate these usage profiles in order to show you personalized advertising. Individuals who are not registered users of the respective platform may also be affected by this data processing. The platform operators may also share the data with other companies and transfer it to countries outside the EU.

13.2 We receive information from the platform operators, in particular statistical evaluations, about visits to our profile. This may also include personal data. For the processing of personal data in this context, both we and the respective platform operator are jointly responsible. A corresponding agreement on joint processing is published by the respective platform operator. The processing of your personal data when visiting one of our profiles is based on our legitimate interests in presenting our company in a varied manner, using effective means of communication to improve our public presence, and communicating with you. The legal basis for this is Art. 6(1)(f) GDPR. If you have given the platform operator your consent to data processing, the legal basis is Art. 6(1)(a) GDPR.

13.3 Further information on the scope, purposes, and legal bases of data processing on LinkedIn, as well as your rights in relation to the platform operator, can be found here: https://de.linkedin.com/legal/privacy-policy

13.4 Further information on the scope, purposes, and legal bases of data processing on YouTube, as well as your rights in relation to the platform operator, can be found here: https://policies.google.com/privacy?hl=en-US

‍

14. Data Security

14.1 We implement appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. These measures take into account the state of the art, the costs of implementation, as well as the nature, scope, context, and purposes of processing, and the risks associated with a data breach (including its likelihood and potential impact) for the data subject. Our security measures are continuously improved in line with technological developments.

14.2 We will be pleased to provide you with further information upon request. Please contact our Data Protection Officer for this purpose.

‍

15. Profiling

We do not use the personal data collected from you for any procedure involving automated decision-making (including profiling).

‍

16. Responsible Supervisory Authority

The supervisory authority responsible for us is:

Berlin Commissioner for Data Protection and Freedom of Information

Alt-Moabit 59–61, 10555 Berlin, Germany

Telephone: +49 30 13889-0

Email: mailbox@datenschutz-berlin.de