1. INTRODUCTION
Within the scope of the application "flipflapp" (hereinafter: the "App"), an interactive information, reporting and communication tool for employers and employees, personal data is processed. The purpose of this App is to fulfill legal requirements of employee protection and the employer's duty of care (prevention of accidents, reporting of hazards, imparting knowledge and improving work processes, etc.). The use of the app does not serve to monitor employees.
We, ycy GmbH, are the data controller for this data processing. Your employer, who has decided to use the app, is also independently responsible under data protection law.
The protection and security of your personal data is important to us. We process your personal data exclusively within the framework of the applicable data protection law; this includes in particular the provisions of the EU General Data Protection Regulation (hereinafter: "DSGVO") and the Austrian Data Protection Act (hereinafter: "DSG"). Our contact details are as follows:
ycy GmbH, Krotenseestraße 47, 4810 Gmunden, Email: 4u@flipflapp.com, Phone: +43 (0) 660 20 44 074
Within the framework of this privacy policy, we will inform you above all about which of your personal data we process, for what purposes and on what legal basis. In addition, we inform you about your rights under data protection law and how you can exercise them.
"Personal data" is information that relates to an identified (or identifiable) natural person. This includes, for example, your name, your date of birth, your address, your email address, etc. For the sake of clarity, personal data is referred to in this privacy policy only as "data".
On the one hand, we process data in the app that you provide to us yourself. On the other hand, we also process data in the app that is collected automatically (i.e. without your involvement) while you are using the app.
2. DATA PROCESSING AND ITS PURPOSES
Your data is processed in order to provide you with the app in the best possible way and with all functions. In the following we inform you in detail about the data processing in the app.
2.1. Data processing in connection with registration / profile creation / system administration
In order to use the app, registration is required. The registration process is as follows: You will be provided with a link where you can download the app. After you have opened the app, you can register yourself - after selecting your language - with your personal access code (you will receive this from your employer), your e-mail address and a password of your choice.
After you have read the privacy policy and accepted the terms of use (this is required for using the app), you will be asked to enable the location detection and so-called push messages (these are messages from the app that are displayed on your device) on your device for the app. Please note that both are required to be able to use the app to its full extent. In the registration process, you will also be optionally asked about your skills and interests, which serves to ensure that the app can make optimal suggestions and show you content.
After completing the registration process, you will enter the closed (= company-owned) area of your employer in the app and will be activated there as a user. Your employer has already created you as a user, entered the data necessary for the operation of the app and assigned you to the groups that are important for you. You can then voluntarily add further information to your profile and share it, such as a profile picture. You can log out of the app at any time and log in again with your access data.
Data processing in connection with registration, profile creation and system administration (including user administration) includes the following data (categories):
• User ID (will be stored in the system),
• Email address (provided by your employer),
• Password (set by you),
• First and last name (provided by your employer),
• Department (provided by your employer),
• Function (provided by your employer),
• Group (provided by your employer),
• Phone number (provided by your employer),
• Language (provided by your employer),
• Skills and interests (optional - according to your specification),
• Other profile information (optional - according to your specification),
• Profile picture (optional),
• Data on the use of the app.
The registration incl. profile creation is necessary to ensure the function as an internal (social) network incl. company and system administration. This data processing is therefore based on the legal basis of Article 6 para 1 lit f DSGVO (legitimate interests of your employer). Secondarily, this data processing can also be based on the terms of use accepted by you as a legal basis within the meaning of Article 6 para 1 lit b DSGVO (necessity to initiate or fulfill a contract).
2.2. Data processing in connection with the use of the app
During the use of the app, the data that has been assigned to your profile (i.e. the data that was provided by your employer when you created your profile or that you yourself provided during registration - see point 2.1.) will be processed. Which additional data is processed depends on which of the numerous functions you use and how you use these functions, as explained in more detail below. This usage data is stored in our database. The app does not evaluate usage data for analysis or statistical purposes.
2.2.1. Data processing in connection with interaction with other users, contributions and groups
There are various possibilities for you to get in touch with other users and to communicate. Users can, among other things:
• Communicate with each other via the Messenger function in writing, verbally and also via video (in pairs or also in larger chat groups),
• Follow and unfollow each other, and block followers (such requests can be accepted or rejected by users),
• Post, see posts from other users, and interact with posts (such as "liking", commenting, and sharing),
• Join and leave groups, create and delete groups, invite and remove other users from groups, and communicate with each other within groups.
In all interactions with other users, posts and groups, all data created in the process will be processed. This includes the following categories of data:
• Your profile information (see point 2.1.),
• All your communication content (written and audiovisual),
• Your interactions with other users (your followers and the users you follow),
• Your interactions with other users (likes you get and give),
• Your posts and your interactions with posts from other users,
• Your group memberships as well as your interactions with users and posts by users within groups,
• Your search behavior when searching internally in the app.
This data only arises from your actions - you therefore decide yourself which data is processed when interacting with other users. However, this data can also be generated by other users interacting with you (e.g. when they send you a request to follow you or send you an invitation to join a group).
The processing of data in connection with the interaction with other users is necessary to ensure the function of the app as an internal (social) network. This data processing is therefore primarily based on the legal basis of Article 6 para 1 lit f DSGVO (legitimate interests of your employer). Secondarily, this data processing may also be based on the terms of use accepted by you as a legal basis within the meaning of Article 6 para 1 lit b DSGVO (necessity for the performance of the contract).
2.2.2. Data processing in connection with the creation and uploading of videos and images
You can film or photograph certain work processes or situations in the app and then upload these videos or photos to the app. This can be, for example, the presentation of a (sample) workflow to encourage more precise or efficient execution, or the presentation of a dangerous work situation to sensitize work colleagues to certain dangers. These videos or photos are then displayed in the app's "newsfeed" as posts with attached comments or hashtags and can be "liked" by other users or shared with other users in the Messenger function.
Video review: Uploaded videos and photos are reviewed for inappropriate content through an automated process. In case of inappropriate content, the moderator (a designated employee of your employer) will be informed. In this case, the moderator will review the video or photo and may reject it in justified cases (this will be communicated to users in a short message). Rejected videos and photos are automatically archived for documentation purposes (and are not accessible to users, but can be restored by the employer). In addition, users can also report inappropriate videos or photos in the newsfeed to the moderator. In this case, the moderator can remove inappropriate posts after reviewing them - if necessary.
Reporting a dangerous situation: If you recognize a dangerous situation at work, you can simply film or photograph it and report it directly in the app. You can choose whether this report should be anonymous or non-anonymous. A person defined by your employer will then check this report of a dangerous situation (the responsible person cannot establish a personal reference to you if your report is anonymous). However, in both cases it is possible that the responsible person asks you clarifying questions about your report in a chat (or in case of an anonymous report in an anonymous chat). The responsible person is then free to initiate necessary measures and - if necessary - to publish your video or photo in the newsfeed.
Specifically, the following categories of data may be processed in connection with the creation and uploading of videos and photos:
• Your profile information (see point 2.1.),
• Your data in connection with the interaction with other users and with contributions (see point 2.2.1.),
• Image and audio data (if you are recognizable on videos/photos),
• Comments and hashtags on videos (if they come from you or are related to you),
• Categories you have checked in connection with your video/photo.
The processing of data in connection with the creation and uploading of videos and images is necessary to ensure the function of the app as an internal (social) network - specifically the optimization of technical and organizational work processes through audiovisual explanation. This data processing is therefore primarily based on the legal basis of Article 6 para 1 lit f DSGVO (legitimate interests of your employer). Secondarily, this data processing can also be based on the terms of use accepted by you as a legal basis within the meaning of Article 6 para 1 lit b DSGVO (necessity to initiate or fulfill a contract).
2.2.3. Data processing in connection with employer-employee communication
As an internal information, reporting and communication tool, the app also serves to digitize and optimize communication between you and your employer. For example, your employer can communicate notices, information, instructions, etc. and provide test tools to check whether you have understood certain instructions (e.g. instructions, safety precautions, work instructions, etc.). Your employer can also provide surveys and learning content. In addition, you can report to your employer various incidents in the company, such as identified safety risks. All of these functions involve the processing of your data. Specifically, the following categories of data are processed:
• Your profile information (see point 2.1.),
• Your feedback on surveys,
• Your answers in test tools,
• The information that you have received notices, information, instructions or similar content ("Read Receipts"),
• The information that you have been given access to certain learning content,
• The information that you have completed certain learning content,
• The information that you have downloaded provided documents or similar content or clicked on provided links (e.g. to the intranet or to company software).
The processing of data in connection with employer-employee communication is necessary to ensure the function of the app as an internal information, reporting and communication tool. This data processing is therefore primarily based on the legal basis of Article 6 para 1 lit f DSGVO (legitimate interests of your employer). Secondarily, this data processing can also be based on the terms of use accepted by you as a legal basis within the meaning of Article 6 para 1 lit b DSGVO (necessity for the initiation or performance of a contract).
2.2.4. Data processing in connection with "geofencing" (recording your location)
If your employer has opted for this option, the app will only work at geographically precisely defined locations, namely at the workplace. This is ensured by a technical measure known as "geofencing". Specifically, the following categories of data are processed:
• Your profile information (see point 2.1.),
• Your location data,
• Your IP address,
• Geofencing coordinates of the locations (this can also include the location of your home office).
Since "geofencing" serves to protect the business and trade secrets of your employer, the processing of your location data can be based on the legal basis of Article 6 para 1 lit f DSGVO (legitimate interests of your employer). Your location data will only be processed in the moment and will not be stored, but will be deleted immediately. Neither we nor your employer have active access to your location data - it is therefore not possible to locate your live location.
3. DATA EXCHANGE WITH YOUR EMPLOYER
For the purpose of providing the app as an internal information, reporting and communication tool, your data categories listed in this data protection declaration will be transmitted by us to your employer or by your employer to us for the purposes stated in point 2. However, neither your location data nor your communication content in the messenger function will be passed on or made accessible to your employer. Please note that communication content outside of the Messenger function is visible to your employer, such as comments on posts or discussions in groups.
4. TRANSFER OF DATA TO OTHER RECIPIENTS OF YOUR DATA / DATA TRANSFER TO THIRD COUNTRIES
In addition, to the extent necessary for the purposes set forth in this Privacy Policy, we may share your information with the following groups of third parties ("Recipients"):
• IT service providers used by us, such as, in particular, providers of cloud, analysis, maintenance or support services, as well as service providers that use artificial intelligence;
• Payment service provider;
• In individual cases: public authorities, courts or other public bodies, if we are obliged by law or by an official or judicial order of an EU member state to disclose data to these bodies.
Data transfer to third countries: For data storage, we used the Google Cloud Platform, which is operated by the Irish company Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, Dublin), a third party not affiliated with us. Data processing by Google also results in data transfers to third countries (outside the EU or EEA). Google is certified under the US Data Privacy Framework, which ensures the permissibility of data transfers to the US (based on an adequacy decision of the European Commission). More detailed information on data processing within the framework of the Google Cloud Platform can be found at the following link: https://cloud.google.com/terms/cloud-privacy-notice?hl=en.
We will only share your personal information with third parties if:
• This is necessary according to Article 6 para 1 lit b DSGVO for the processing of contractual relationships with you (concerns the terms of use);
• This is required in accordance with Article 6 (1) (c) to comply with a legal obligation or an official order (applies in the event that we are required by law or by an official or judicial order of an EU member state to disclose data to authorities, courts or other public bodies); or
• This can be based on our legitimate interest in the proper and fully functional operation of the app or the legitimate interest of your employer in the internal use of the app, or if this is necessary for the assertion, exercise or defense of legal claims and thus to protect our legitimate interests and (in both cases) there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data.
5. LINKS TO OTHER WEBSITES
The app may contain, at certain points, links to third-party websites that are not under our control. These links are provided for informational purposes only. If you click on one of these links, data about you may be collected by the operators of the respective websites. These data processing operations may differ considerably from the data processing operations described here. We have no influence on these data processing operations and therefore accept no responsibility or liability whatsoever. Likewise, we assume no responsibility or liability for their content.
6. DATA RETENTION
In any case, your data will be stored and processed until the time your profile is deleted. Beyond that, we will only retain your data for as long as permitted by data protection law and necessary for our business purposes, to protect the interests of your employer or due to legal requirements. Data retention is based either on the legal basis of Article 6(1)(c) of the GDPR (if processing is necessary for compliance with a legal or regulatory obligation to which we are subject, such as in particular the seven-year retention obligation for tax and accounting purposes) or on the legal basis of Article 6(1)(f) of the GDPR (if processing is necessary to protect our legitimate interests or the legitimate interests of your employer; e.g. as evidence in legal disputes). The communication content in chats is deleted after one year.
7. DATA SECURITY
The protection of your data is important to us. Therefore, we use appropriate security measures to protect the data we process against unauthorized access, collection, use, disclosure, copying, modification or deletion.
8. YOUR RIGHTS UNDER THE DSGVO
Right to information: Upon request, we will provide you with comprehensive information on all data stored by us about you within the legally standardized period. This information includes, among other things, the purpose of processing, the categories of data and the categories of recipients.
Right to rectification: If you discover that we are using your data without your consent, or if we are in breach of legal provisions, or if your data is incorrect, you can contact us at any time at the e-mail address below and request that the data be corrected. We will comply with this request in a timely manner and correct, supplement or amend your data, provided that this does not conflict with any legitimate interests on our part or legal obligations.
Right to deletion: If you wish that your data available to us is no longer stored, you can also request the deletion of your data at any time by sending a written request to the e-mail address below. We will then delete all of your data stored by us, unless we are entitled or obligated by law to continue storing this data. In such a case, we will inform you that your data will continue to be stored by us. We cannot be held responsible for the deletion of your data by third parties to whom we have passed on data in order to fulfill a contract.
Right to data transfer: You have the right, insofar as this is technically possible, to have all data stored by us about you transferred to another responsible party.
Right to object: You have the right to object to the processing of your data if the processing is based on our legitimate interests or those of your employer, provided that grounds for doing so arise from your particular situation.
Right to revoke consent: If you have given your consent to data processing, you have the option of revoking this consent at any time in writing to the e-mail address below. Please note, however, that the revocation of consent does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation.
9. CONTACT FOR DATA PROTECTION CONCERNS
If you have any questions about this privacy policy, wish to contact us with a data protection concern or wish to exercise your rights, please feel free to contact us at any time by e-mail (privacy@flipflapp.com). We will provide you with feedback on your request as quickly as possible.
10. COMPLAINT FORM
In the event that you do not wish to contact us directly with your concern, you can also contact the data protection authority. The website of the data protection authority is available at the following link: https://www.dsb.gv.at. The competent data protection authority is: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien
11. CHANGES TO THE PRIVACY POLICY
Our privacy policy is updated at certain intervals. The current version of our privacy policy is always available on our website (flipflapp.com/privacy) and in the app under "Settings" and there in the menu item "Privacy".