Privacy statement

Version: 2.0
Last changed: September 2024

Introduction

The protection and security of your personal data is of utmost importance to us and is taken into account in all our business processes. In this privacy statement, we therefore provide you with an overview of the data protection aspects relevant to our online offerings and to the processing of data in the context of contract performance. We explain the following:

  • Which data we collect when you visit or use our online offerings or when you have entered into a contract with us.
  • The purposes for which this data is processed by BlueID-affiliated companies and third-party companies.
  • Your rights and options regarding the processing of your data, and how you can contact us regarding data protection matters.

Scope

This privacy statement applies to the website of BlueID GmbH under the domains https://www.blue-id.com/, https://www.blueid.net/, and https://www.blueid.de (hereinafter “Website”), our BlueID App, as well as the social media offerings of BlueID GmbH on LinkedIn, with the exception of the social media offerings created specifically for the Klassenalarm app (collectively “Social Media Offerings”). Additionally, this statement contains information regarding the processing of your personal data within the framework of the contracts concluded with us.

Information regarding the processing of your personal data by our clients (for example, your employer) can be obtained from them. Separate information on data processing applies to companies affiliated with us.

1. Responsibility and Data Protection Officer

The controller within the meaning of the EU General Data Protection Regulation (GDPR) for the processing of data is:

BlueID GmbH
Schellingstrasse 109a
80798 München

Whenever this privacy statement refers to “we”, “us” or “BlueID”, it exclusively means BlueID GmbH.

You may contact our Data Protection Officer at datenschutz@blue-id.com or by post:

BlueID GmbH
Attn: Data Protection Officer
Schellingstrasse 109a
80798 München

2. Data Processing When Visiting Our Website

2.1. Automatically Collected Access Data

You may visit our website without providing any personal information. Only access data, which is automatically transmitted by your browser, is collected. This includes, for example, your online identifiers (e.g., IP address, session IDs, device IDs), details about the web browser and operating system used, possibly the website from which you accessed our website (e.g., via a link), the names of the requested files (e.g., texts, videos, images), your browser’s language settings, any error reports, and the time stamps of each access.

The processing of this access data is necessary to enable you to visit and comfortably use our website and to ensure its ongoing functionality and security.

The access data is temporarily stored in internal log files in order to compile statistical information about the use of our website. This enables us to continuously optimize and further develop our website with regard to the usage patterns and technical equipment of our users, as well as to eliminate disruptions and security risks. The information stored in the log files does not allow any immediate conclusions to be drawn about your person. This includes, for example, information on whether you accessed our website directly or via other websites, from which country you are accessing our website, and which device you use.

The legal basis for this data processing is Article 6(1)(f) of the GDPR (balancing of interests based on our legitimate interests).

2.2. Your Messages and Communications

We collect all information and data that you provide to us via our website or associated email addresses. For instance, you may contact us via the contact form or by telephone. In some cases, you may also send us files (e.g., PDF documents). The mandatory information required for these functions is usually clearly marked.

Your information is used solely to process your inquiry. The data collected in the process is deleted as soon as storage is no longer necessary, or its processing is restricted if legal retention obligations exist.

Your message will only be forwarded to another BlueID-affiliated company or to third parties if necessary to process your inquiry (for example, we may forward your message to our external Data Protection Officer if they are responsible for your inquiry). Should you not wish for your message to be passed on to another company or third parties, you may indicate this directly in your message. In this case, we will process your message without any information that could be used to identify you (e.g., name, customer number, contact details). Any further processing of your personal data in connection with messages and communications will only take place after obtaining your consent or for the purpose of initiating, fulfilling, or processing a contract.

We also sometimes offer you the opportunity to leave a comment (e.g., in our community blog) that is visible to all users. Comments are published after editorial review if applicable and are deleted at the latest upon your revocation or objection. You also have the option to delete your comments yourself. Your name, email address, and possibly your profile picture will be displayed publicly after publication. The displayed information can be viewed in the settings of your user profile.

The legal basis for this data processing is Article 6(1)(b) of the GDPR. In cases where you contact us for general purposes, leave a comment on our website, or consent to the processing of your data, Article 6(1)(a) of the GDPR shall apply.

2.3. Cookies

To improve the presentation and content of our website, we use our own cookies as well as cookies from third parties. A cookie is a standardized text file that is stored by your browser for a specified period. Cookies enable the local storage of information such as language settings and temporary identifiers, which can be retrieved by the server during subsequent visits. Additionally, cookies allow us to statistically record and analyze general user behavior. Furthermore, we employ services from external providers that process access data for the delivery of interest-based advertising, for example in the context of search queries.

We only use optional cookies and similar technologies for marketing and analysis purposes if you have given your consent for data processing (Article 6(1)(a) GDPR; for data transfers to third countries Article 49(1)(a) GDPR; for the storage of information or access to existing information on your device, Section 25(1) TTDSG). Please refer to Section 6.3 for the risks associated with data transfers to third countries.

Our website uses a program to document your consent and any revocations. This, along with other technically necessary cookies, is based on Article 6(1)(f) GDPR. Essential cookies are stored in accordance with Section 25(2) TTDSG.

If you delete the cookies, you will be asked to give your consent again upon your next visit.

For web analysis and advertising purposes, we use optional cookies from third parties. Further information on this can be found later in this privacy statement.

2.3.1. Google Tag Manager

We optionally use the Google Tag Manager, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). This tool is used by us to manage the tools and external services deployed on our website and allows for the use of so-called tags. A tag is a code element embedded in the source code to control which elements are activated and loaded in which order. In some cases, data is processed on Google servers in the USA. Further information can be found in the Google Privacy Statement.

2.3.2. Google Analytics

We optionally use the web analytics service Google Analytics from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). According to Google, the contact for all data protection matters is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to analyze your user behavior. The access data is aggregated into pseudonymous usage profiles and transmitted to a Google server in the USA, with your IP address being anonymized beforehand. Thus, no direct conclusions about your person can be drawn. Google uses the information obtained via cookies to evaluate the use of our website, compile reports, and provide further services related to website usage. Should you not have consented to the use of analytics cookies, your data will not be collected. Additional options to block Google Analytics are available in your browser settings.

2.3.3. YouTube

We embed YouTube videos in parts of our website. YouTube is a video platform operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter “YouTube”). The embedded videos are set in “enhanced privacy mode”, which means that data about you is only transmitted to YouTube once you play the video. We have no control over this data transmission.

When you visit a page with embedded YouTube videos, YouTube and Google receive access data and information that you have visited that page – regardless of whether you are logged in. If you do not wish for your data to be associated with your Google account, please log out before playing a video. YouTube and Google may use these data for advertising, market research, and to optimize their own websites. You have the right to object to the formation of such user profiles, which you may direct to YouTube or Google. Further information can be found in the YouTube Privacy Statement.

3. Data Processing in Connection with Contract Conclusion and Performance

3.1. Customer and Partner Management

For the management of our business contacts, we process data about our contractual partners (including address, branches, authorized representatives and their contact details – collectively “Company Data”) as well as information about the respective contacts (e.g., names, positions, professional contact details – collectively “Contact Data”) and any communication with you. These data enable us to reach the appropriate contact person, to process your requests and orders appropriately, and to maintain our business relationship. The legal basis is Article 6(1)(b) GDPR.

3.2. Orders, Order Management and Billing

For shipment, we record your delivery address and email address and transmit them to our shipping service provider so that you can receive your order and track its delivery status. In the context of order processing and billing, we also collect additional information regarding offers, orders, invoice items and bank details (e.g., for SEPA direct debit mandates). These data may also be used for issuing credit notes. The legal basis is Article 6(1)(b) GDPR.

3.3. Credit Checks

If necessary, we obtain credit checks from a credit agency in order to better assess the liquidity of our contractual partners and to minimize default risks for (partial) orders paid on account. No credit checks are conducted on employees of the contractual partner. The legal basis for this data processing is Article 6(1)(f) GDPR.

3.4. Product Liability and Warranty

In order to assess statutory and contractual claims, we may collect information regarding the delivered products, their use, and invoice data. In addition to company data, customer data from invoices and order documents may also be processed. The legal basis is Article 6(1)(b) GDPR.

3.5. Controlling and Reporting

Information on orders and invoice items is also used for internal cost and performance accounting, controlling, and reporting, which serves our corporate management and planning. The legal basis is Article 6(1)(f) GDPR. In this context, personal data are generally anonymized.

3.6. Other Data Processing

If necessary, we process your data or the data of users you have created in order to inform you about technical innovations concerning the products you have purchased, provided that such processing is necessary for the contractual use of our products. The legal basis is Article 6(1)(b) GDPR.

4. Data Processing on Our Social Media Offerings

BlueID maintains its own presence on the following social networks, where you can reach us:

LinkedIn

We inform you about news and activities of BlueID on these platforms and gladly use the opportunities provided by social networks to communicate directly with their members. However, please note that we have no influence on the data processing practices of these networks. It cannot be ruled out that your data may be transferred to third countries. Therefore, please be careful about what personal information and messages you share via social media, and if in doubt, use other contact options provided by us. We assume no liability for the behavior of the operators or other members of the social networks.

If you communicate with us via social media, we process the information provided by the respective social network (e.g., your name, profile page, and the content of your messages to us) in accordance with the purpose of your communication (e.g., service inquiries, suggestions, criticism). The data collected in this context is deleted as soon as storage is no longer necessary, or its processing is restricted if legal retention obligations exist.

The legal basis for this processing is Articles 6(1)(a) and 6(1)(b) GDPR as well as Article 6(1)(f) GDPR based on our legitimate interests.

5. Online Meetings and Videoconferences

We use Microsoft Teams to conduct online meetings, telephone or videoconferences, and webinars (collectively “Meetings”). Teams is software provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “Microsoft”), and is available as a desktop, web, and mobile application.

During a meeting, participant data (e.g., display name, first name, last name, telephone, email address, encrypted password, or profile picture) and metadata (such as the meeting’s subject, description, IP address, your telephone number, device/operating system information, timestamps of participant activity, chat and message statistics, and recording data) may be processed.

Prior to a meeting, you will typically receive an invitation email containing a link to join the meeting and a calendar appointment. To participate, you must provide at least your name and, in the case of telephone participation, your telephone number – unless anonymous participation is enabled, in which case we will inform you accordingly. The transmission via microphone and camera can be disabled at any time. Meetings are only recorded or logged with your consent and prior notice. Microsoft may use these metadata for analysis and reporting purposes.

All data transmission is encrypted (currently using MTLS, TLS, or SRTP) and data storage generally occurs on servers within the European Economic Area (EEA). In cases where data is processed in the USA, we rely on the EU Standard Contractual Clauses for data protection. For further information, please refer to Microsoft’s Privacy Statement at https://privacy.microsoft.com/de-de/privacystatement.

The legal basis for data processing in connection with meetings is our legitimate interest (Article 6(1)(f) GDPR) as well as, for pre-contractual or contractual measures, Article 6(1)(b) GDPR. The storage of information on your device is governed by Section 25(2) TTDSG.

6. Disclosure and Transfer of Data

6.1. Principle

We will only disclose your data if:

  • You have given your explicit consent pursuant to Article 6(1)(a) GDPR,
  • the disclosure is legally permissible and necessary for the performance of contractual relationships (Article 6(1)(b) GDPR) or for the implementation of pre-contractual measures,
  • we are legally obligated to disclose pursuant to Article 6(1)(c) GDPR, or
  • the disclosure is necessary for the assertion, exercise, or defense of legal claims by BlueID or an affiliated company (Article 6(1)(f) GDPR) and no overriding fundamental interest exists on your part to prevent the disclosure.

6.2. Disclosure to External Service Providers of BlueID

Part of the data processing described in this privacy statement is carried out on our behalf by external service providers, such as data centers, IT service providers, or consulting companies. These service providers may only use the data for the fulfillment of their tasks, have been carefully selected by us, are contractually bound to follow our instructions, and are subject to appropriate technical and organizational security measures.

If we transfer data to service providers outside the European Economic Area (EEA), we will inform you separately about this and the specific guarantees on which the data transfer is based. If you wish to receive copies of the guarantees as proof of an adequate level of data protection, please contact our Data Protection Officer.

6.3. Data Transfer to Third Countries

As explained in this privacy statement, we use various services whose providers are located in third countries (e.g., the USA), i.e., countries whose level of data protection does not correspond to that of the European Union. In the absence of an adequacy decision, we have taken appropriate measures (e.g., EU Standard Contractual Clauses or binding internal data protection policies) to ensure an adequate level of data protection for any transfers. Otherwise, we rely on exceptions under Article 49 GDPR, in particular on your explicit consent or the necessity of the transfer for contract performance.

Without an adequacy decision or appropriate safeguards, there is a risk that authorities in the third country (e.g., intelligence agencies) may gain access to your data, and your data subject rights may be limited. If we obtain your consent via the cookie banner, you will be informed again if applicable.

7. Marketing

7.1. Newsletter

If you wish to subscribe to a newsletter (e.g., community updates) offered on our website, we require your email address along with information that allows us to verify that you are the owner of the provided email address and that you agree to receive the newsletter. Further data is collected only on a voluntary basis. This information is used exclusively for the dispatch of the requested newsletter and will not be shared with third parties.

The processing of the data entered in the newsletter subscription form is based solely on your consent (Article 6(1)(a) GDPR). You may revoke your consent to the storage and use of your data for newsletter dispatch at any time, for example via the “unsubscribe” link in the newsletter. The legality of any data processing that has already occurred remains unaffected by the revocation.

The data stored for the newsletter will be retained until you unsubscribe and will be deleted thereafter.

7.2. Other Forms of Contact

As part of customer acquisition, we may contact you by telephone or email. The data collected in this process (e.g., name, position, telephone number, email address) is obtained from publicly available sources (such as your website) or provided by your company’s contacts. We treat these data confidentially and do not pass them on to third parties without your consent. You have the right to revoke your consent or to object to data processing for the purpose of customer acquisition at any time. The legal basis for this data processing is Article 6(1)(a) GDPR in conjunction with Sections 7(2) and (3) of the UWG.

If you are already a customer, we will contact you based on our legitimate interest to inform you about product innovations or additional offers from BlueID. The legal basis for this processing is Article 6(1)(f) GDPR. You may object to this processing at any time.

8. Data Processing in the Context of Our App

8.1. Data Processing When Downloading and Installing the Apps

In order to download and install our app from an app store (e.g., Google Play Store or Apple App Store), you must first register for a user account with the app store provider and conclude a corresponding user agreement. We have no influence over this agreement and are not a party to it. During the download and installation, the necessary information (e.g., username, email address, customer number, download timestamp, device identifier) is transmitted to the respective app store. We process these data solely to enable the download and installation of the app on your mobile device.

The legal basis is Article 6(1)(b) GDPR; if you have given your consent, Article 6(1)(a) GDPR applies.

8.2. Data Processing When Using the App

When you use our app, various technical data (e.g., IP address, installation data, details about the content and functions used, form inputs, usage duration, device specifications) are transmitted to our servers. These data enable the use of the app, ensure its technical functionality, and help to prevent and analyze attempts at attacks or fraud.

The legal basis is Article 6(1)(b) GDPR; if you have given your consent, Article 6(1)(a) GDPR applies.

8.3. Push Notifications

As an iOS user, you may receive push notifications (e.g., for new keys or door openings via the Home Screen), even when the app is not active. These notifications may appear as sounds, banners on the screen, and/or icon badges. You can disable push notifications at any time in your iOS settings under “Notifications”. The legal basis for this data processing is Articles 6(1)(b) and 6(1)(f) GDPR, based on our contractual obligations and our legitimate interest in informing you transparently.

Push notifications on Android devices operate in a similar manner. These settings can be adjusted within the app under “Notifications”.

8.4. Permissions

For full functionality, the app must be allowed to access certain features of your device. Depending on your operating system, this may require your explicit permission, which you can adjust at any time in your device’s system settings. Below we list, by way of example, the permissions required on iOS:

Siri & Search: Required for the app to use your device’s search function (via Siri). Without this permission, the search function may be limited.

Background App Refresh: Allows the app to update automatically in the background, thereby reducing load times. Without this permission, this function will not be available.

Bluetooth: Necessary to transmit digital keys to installed locking systems. Depending on your OS version, access to location data may also be required. Without this permission, functional limitations may occur.

Camera: Required for scanning and activating key activation links via QR codes.

Similarly, Android devices require permissions for location services, storage, Bluetooth, and camera access to ensure full functionality.

The legal basis for this data processing is Articles 6(1)(a), 6(1)(b), and 6(1)(f) GDPR. You may withdraw any given consents at any time in your device settings.

9. Retention Period

Unless otherwise specified in this privacy statement, we will store and process your data only for as long as is necessary to fulfill our contractual or legal obligations or for the purposes for which the data was collected.

Thereafter, we will delete the data without delay, unless the data is needed until the expiration of statutory limitation periods for evidentiary purposes in civil claims or due to legal retention obligations. Additionally, data may be stored for accounting purposes, in which case the processing will be restricted so that it is not used for any further purposes.

The legal basis is Article 6(1)(c) GDPR; for legitimate interests, Article 6(1)(f) GDPR.

10. Your Rights

To exercise your statutory data protection rights, you may contact our Data Protection Officer at any time (see Section 1).

You have the right, pursuant to Article 15 GDPR, to obtain information about the processing of your personal data. We will provide you with a detailed overview of the data processed.

If the data stored by us is incorrect or outdated, you have the right to have it rectified (Article 16 GDPR).

You may also request the deletion of your data. If deletion is not possible due to legal retention obligations, the processing will be restricted (Article 17 GDPR).

You have the right to restrict the processing of your data if you believe that the data we have stored is not accurate (Article 18 GDPR).

You have the right to data portability, i.e., you can request a digital copy of your personal data (Article 20 GDPR).

Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.

11. Right of Withdrawal and Objection

You have the right to withdraw your consent, once given under Article 6(1)(a) GDPR, at any time. This means that, from that point on, we will no longer carry out the data processing based on that consent. The withdrawal does not affect the legality of the processing carried out before the withdrawal.

If we process your data on the basis of our legitimate interests, you have the right to object to such processing at any time pursuant to Article 21 GDPR, particularly against direct marketing. Please note that we may need to process certain data even after your objection to ensure that you are not contacted again.

To exercise these rights, a simple notice to the contact details provided in Section 1 is sufficient.

12. Data Security

We maintain appropriate technical measures for all data processing to ensure data security, in particular to protect your data from unauthorized access, dangers during data transmission, and other security risks. These measures are updated in accordance with the current state of technology. To secure the data you provide on our website or in the app, we use Transport Layer Security (TLS), which encrypts the information you enter.

13. Amendments to this Privacy Statement

We update this privacy statement from time to time, for example when we adapt our website or when legal or regulatory requirements change.