COYO Cloud, COYO Classic app & COYO app
– what kind of data will be processed,
– why it is processed,
– how we use the data,
– how and when the data is deleted,
– what rights you have,
so you can assess the legitimacy of the data processing and exercise your rights.
I. Scope and definitions
COYO offers companies a social intranet as a service for internal information provision, communication and networking.
The contract for the use of the COYO software is in place with our customer. In case of any questions regarding data protection, please contact them. General questions about the app, including privacy law aspects, can also be directed to our own data protection officer at firstname.lastname@example.org or by mail to the following address, to the attention of the “data protection officer":
COYO GmbH, Gasstraße 6a, 22761 Hamburg
If, in exceptional cases, you do not go through your company, but directly write to us by e-mail or mail, we will store your name, e-mail or postal address and telephone number, if you provided them, so that we can reply to you. Once the correspondence with you is completed, thus the storage of the data is no longer necessary, we will delete the data or limit the processing.
III. Reservation to change
IV. Data processing when using COYO services
By using the COYO services, connection data can be collected automatically in addition to the data you provide yourself. The information that are relevant to you and therefore particularly worthy of protection for us are those by means of which you can be personally identified, e.g. name, e-mail address, telephone number – so-called "personal data". We process these only to the extent that we have been instructed to do so by the responsible customer or to the extent it is necessary in order to provide you with an optimal user experience of COYO as the digital home of your company.
1. Automatically processed data
a) Access data
By using the COYO Services your device automatically transmits information to our server, which are stored temporally, so-called logfiles. These include:
– IP address,
– Operating system and device,
– Date and time of request,
– The website making the request,
– Respective volume of data transferred
This data is technically necessary for us to display you our services and guarantee stability and security. Our interest in the collection of such data lies in the improvement of data protection as well as the network- and information security. The data is stored up to seven days and deleted afterwards, except a threat from the user has been discovered.
b) Cookies and Local Storage
Local storage stores data locally in the cache of your browser. This data is stored persistently, thus also remains stored after closing your browser window or the program. You may erase them by deleting your browser’s history. Local storage enables us to save your preferences when using COYO on your device, so they will be accessible the next time you visit. Following data may be stored locally:
– Your last login name,
– User language,
– If messaging sidebar is open,
– Your filter settings.
Third parties do not have access to the data stored in local storage. The data will neither be transmitted to third parties nor used for advertisement. We us this technology as well as the storage of cookies out of legitimate interest (Art. 6 (1) f) GDPR), to present you a user-friendly COYO.
You can configure your browser settings as desired and refuse to accept any cookies or delete them. You also receive an overview of all stored cookies and local data. On mobile devices identifier can be deactivated accordingly. You can figure out how that works in the help-menu of your device or browser settings. Please note that you may not be able to use all functions of our services.
2. Data provided by the user
The sharing of content and information by users lies within the nature of a social intranet. In addition to your registration, you also provide data by posting and commenting. The contracts with our customers or your company prevent us from using this content, unless it is necessary for the provision and optimization of our services or legally required. This is therefore not processed by us beyond the mere storage on the servers of our service providers. We also have no control over the content of this data, which is rather the responsibility of the customers instructing us. We also generally delete such data only at the request of the responsible person/customer or after the end of our contractual relationship with them.
a) Registration data
In order to be able to use COYO services, a user account must be created. Your name and e-mail address must be entered (mandatory information). In principle, there is no obligation to use a real name, which means that you are not forced to reveal your true identity, but you may also choose a pseudonym ("nickname"). Note that your company may require you to register with a real name. You may also voluntarily provide additional information to personalize your profile, such as date of birth, cell phone number, address, job title or department. The registration data is therefore collected so that you can register for the COYO services and use them. If – within the context of registration at your company (customer) – you give your consent to the use of COYO, the data will be processed on the basis of Art. 6 (1) a) GDPR. If COYO is used in your company without consent, the processing takes place on the basis of legitimate interests in accordance with Art. 6 (1) 1 f) GDPR. The responsible body is the customer in each case.
A complete deletion of the user account is not feasible, also in order to enable a reactivation on demand. However, in the event of an account being deleted by the end user, the customer has the option of setting a deadline after which the personal data is automatically anonymised. After this period of time, identification of the user is no longer possible, also a recovery is then excluded.
b) Communication data
If you decide to delete your account, your posted content and comments will be retained for the time being - they belong to our customers, i.e. your company. However, your user name will be anonymized under each post or comment and usually displayed as "deleted user". If you would like to have specific content shared by you deleted, please contact your company's internal responsible superadmin.
c) Automatic translation function
With the automatic translation function, COYO offers its customers the possibility to integrate third-party translation software into their social intranet. If a customer signs a contract with such a provider for the use of its translation software, end users will be able to click and have individual posts automatically translated into the desired language, provided that this language is also included in the software. The text to be translated will necessarily be transmitted to the third-party provider. The providers of the translation software that can be imported via COYO guarantee without exception that the content of the text will not be used for purposes other than those of the translation service and will be deleted either immediately thereafter or after a short period of time. Please note that COYO only provides the option of an automatic translation function. The concrete contracts are concluded by the customer and the translation software provider. Accordingly, your company is responsible, the third party is data processor and their agreements apply. You can find out about the data security of possible providers here:
d) Analysis Tools Function
COYO and its customers can use the COYO Analytics extension to analyze usage data. COYO Analytics helps to collect, organize and analyze usage-relevant data in order to make statistical information visible. This way, for example, the platform activity as well as the relevance and acceptance of content can be classified, whereby information can be addressed to employees in a more targeted manner. In particular, this can improve the performance of the COYO software and thus internal communication with employees.
The data collected with COYO Analytics is processed and stored exclusively in Germany. In order to protect the privacy of users, data that may be related to a person is pseudonymized, anonymized and processed in accordance with the latest security standards as early as possible. The data generated by this processing is subject to the strict German and European data protection laws and standards and are processed in accordance with these. The data is made available to the customer exclusively in a graphically prepared format. Data sets consisting of data from less than 12 users are not evaluated.
Due to the above described measures, it is not possible for the customer to assign the data to a specific user.
The data will not be used for any other purpose, combined with other data or passed on to third parties. IP addresses are not collected and cookies are not used for analysis by COYO Analytics.
The data processing takes place on the basis of the legal provisions of Art. 6 Para. 1 lit. f (legitimate interest) of the General Data Protection Regulation. COYO's legitimate interest and that of the customer is the concern to further improve the COYO software and to optimize the content provided.
V. Data processing when using the COYO Classic app and COYO App
In addition to using COYO on your desktop, we provide the corresponding webview app COYO Classic as well as the native COYO app (together, the "apps"), which you can download to your mobile device from the app store.
1. When downloading
2. Web Analysis Tools
For the apps, we use so-called web analysis tools. Similar to how we were commissioned by our customers to process data, we instruct (analysis) service providers to use data for us. They undertake to comply with the same data protection obligations as COYO GmbH and guarantee an appropriate level of data protection with their technical and organisational measures. They collect data regarding the behaviour of end users and help us to evaluate them in order to optimise our services and your experience with COYO. For example, we want to know how many end users use our apps, which functions they are most interested in and where there is still room for improvement. Hence, the goal of using analysis tools is to maximize usability. Analysis tools could identify individual users. However, as it is a regular collection of purely statistical data, a personal identification is not required. Rather, measures are taken to anonymise personal user data and thus to exclude a specific allocation to individual end users.
Listed below are the tools we use and the data they process exactly:
a) Google Analytics
If you would like to learn more about Google Analytics, please visit the following links:
b) Google Firebase
We use Google’s "Firebase" service for our apps. Firebase uses technologies that facilitate the use of our apps or enable an analysis of your use of our apps, e.g. through push notifications or error logs. The purpose of using Firebase is to analyze the use of our apps, to improve them regularly and to be able to operate them more economically. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.
Here you will find the Firebase technologies we use:
• Cloud Messaging
With the help of cloud messaging, users are notified via the different platforms (iOS / Android). These so-called push notifications are automatically displayed by the app on the user's device and inform the user, i.a. about news, received chat messages and markings in posts or comments.
So-called instance IDs are used so that a user receives the relevant push notifications. These are pseudonymized by Firebase Cloud Messaging, which means that no conclusions can be drawn about the identity of the user.
The user is also free to switch push notifications on or off in his settings or to receive push notifications without communication data.
We regularly request Firebase to delete the instance IDs when they are no longer required for the purpose of storing them (notifying users). After such a request to Firebase, the instance IDs are saved for 180 days before they are deleted permanently. Every transmission is encrypted.
Apps can crash or not load properly ("crash"). We use Crashlytics to identify such app crashes and match them to the right user. So-called crash protocols with identifiers are processed for such evaluation. In the event of a crash, anonymous information is collected and transmitted (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the cell phone, last log messages). This information does not contain any personal data.
This data is encrypted both for transmission and in idle state during storage and automatically deleted after 90 days.
Firebase Analytics helps us measure app usage and user engagement. This is how data is collected to determine how the users of the apps behave, i.e. what they click on and which pages have the most activities. Here, too, the analysis data must be able to be assigned to a meaningful evaluation of an ID, whereby it should be noted that the information content varies from device to device and also depends on its software environment (Android devices that receive their apps via the Google Play Store send more Information than iOS devices). However, persons cannot be identified through such assignments.
Mobile ad identifiers - which are similar to cookies (see above) - are stored for 60 days and instance IDs to record the number of users.
Crashlytics and Analytics can be turned off by your admin. To do this, he would have to report to our support via the ticket system.
In principle the Google Firebase Server is hosted in Europe. Since Google is a US company, it cannot be precluded that data will be transferred to the United States. The data is pseudonymised, i.e. stored anonymously on the servers, so it is not possible to trace the person of the user.
The legal basis for data processing with Google Firebase is Art. 6 Para. 1 S. 1 f) GDPR, since we have a legitimate interest in the analysis, optimization and economic operation of our apps and data processing is necessary to safeguard this interest. The information recorded with Firebase about the use of our apps is transmitted to us via Google in Ireland. The data is collected solely anonymously. There is no connection to other user data.
Further information on data protection and data security at Firebase can be found here:
VI. Your rights
Here you can inform yourself what rights you have and how you can exercise them.
Our customer, i.e. your company is responsible for the processing of your personal data and the safeguard of your rights. We – assigned with the data processing – are committed to support our customer thereby and want to facilitate the exercise of your rights.
If you e.g. want to correct or delete personal data, with which you have registered in the social intranet of your company, please refer to the responsible person in your corporation. Should you contact us directly for this manner, we will forward your request to the responsible customer (i.e. your company) and await his instruction.
1. Right to access, Art. 15 GDPR
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
why this is happening, what kind of data categories are being processed, to whom the personal data has been disclosed, how long the data will be stored or the criteria used to determine that period respectively, whether the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you or to object such processing exists, at which supervisory authority you have the right to lodge a complaint and to what extent guarantees for the data transfer to a third country exists.
2. Right to rectification, Art. 16 GDPR
Should data concerning you be inaccurate or incomplete, you have the right to obtain rectification or completion respectively.
3. Right to data portability, Art. 20 GDPR
You have the right to receive the personal data concerning you and to transmit those data to another controller.
4. Right to restriction, Art. 18 GDPR
You have the right to obtain restriction of processing, if you contested the accuracy of the personal data or objected to processing, for a period enabling us to verify the accuracy or whether the legitimate grounds of us override those of you. You may also obtain restriction of processing, if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead or if the data is not needed anymore for the purposes of the processing, but they are required by you subject for the establishment, exercise or defense of legal claims.
We will then subject to the instruction of the customer and ensure, that your data still remains, but is excluded from processing. You will be informed in time, if the restriction is lifted again.
5. Right to erasure, Art. 17 GDPR
In case your personal data is no longer necessary in relation to the purposes for which they were collected, you objected to the processing or withdrew consent on which the processing is based or there is no other legal ground for the processing, you have the right to obtain the erasure of personal data concerning you without undue delay (‘right to be forgotten’). The same applies, if the data has been unlawfully processed, except you refuse the erasure and exercise your right to restriction.
Your data will not be erased, if the processing is necessary to fulfil a legal obligation. In such cases we restrict the processing subject to the instruction of the customer. We will act accordingly, in cases where the data is necessary for the establishment, exercise or defense of legal claims.
6. Right to lodge a complaint, Art. 77 GDPR
You additionally have the right to lodge a complaint with a supervisory authority, if you consider that the processing of personal data relating to you on behalf of the customer infringes GDPR.
You can therefor appeal to the supervisory authority of the state in which the customer has its registered office. You can find the address here:
VII. Right to object pursuant to Art. 21 GDPR and consent withdrawal
You can at any time object to processing which is based on the purposes of legitimate interests. In exercising your right to object you should state the reasons, why the processing should be stopped. Your interest thereby needs to override the interest of our customer to process. This can rely on grounds relating to your particular situation. In case of a reasoned objection, we will together with your company examine the situation and either no longer process your personal data or adapt the processing accordingly or demonstrate compelling legitimate grounds for the processing. Given consent to the processing can be withdrawn at any time.
VIII. Data security
We have taken technical and organizational security measures to prevent unwanted access to your data. In particular, we encrypt any transfer to the SSL / TLS standard in conjunction with the respectively highest encryption level supported by your browser or device. Our employees are committed to confidentially and carefully handle personal data. In addition, all service providers have been checked by us.
We also use appropriate technical and organisational security measures in accordance with our internal data protection concept to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
IX. Overview of purposes for processing
For a better understanding and to facilitate the exercise of your rights, we have gathered information about the categories, purposes and legal basis for processing of personal data on the behalf of our customer.
|Category||Purpose||43rding to GDPR|
|Contact||Contact COYO directly (exception)||Art. 6 (1) 1 a) consent|
|Access||Provision of services, data security and protection||Art. 6 (1) 1 f) legitimate interest|
|Cookies||Optimization of services, personalization||Art. 6 (1) 1 f) legitimate interest|
|Local storage||Optimization of services, personalization||Art. 6 (1) 1 f) legitimate interest|
|Registration||Provision of services, contact||Art. 6 (1) 1 a) consent or Art. 6 (1) 1 f) legitimate interest (depending on internal company processes)|
|Use||Provision of services, optimization of services, personalization, data security and protection||Art. 6 (1) 1 a) consent or Art. 6 (1) 1 f) legitimate interest (depending on internal company processes)|
|Analysis||Optimization of services, personalization, data security and protection||Art. 6 (1) 1 f) legitimate interest|
With regard to above legal grounds, it should be noted that § 26 BDSG (German Federal Data Protection Act) only applies in the employment context, i.e. in relation to the employment contract between the employer and the employee. However, since COYO is not used in the employment context, but as a communication and collaboration tool in the company, where external persons are also involved, the processing takes place on the basis of Art. 6 GDPR.
As of June 26, 2020