PRIVACY NOTICE

Flowable is an affiliate of the mimacom-Flowable Group.

This Privacy notice provides information on the collection, use, sharing and further processing of personal information by mimacom-Flowable Group and its affiliates (“the Group”, “we” or “us”). This Privacy notice also explains the choices you have in relation to these processing activities and your relevant rights in this respect.

This Privacy notice applies as far as the processing activities are not subject to other privacy notices, are evident from the circumstances or are provided for by applicable law.

As used in this Privacy notice, ‘personal information’ or ‘personal data’ means any information that relates to an identified or identifiable individual, for example your name, address, email address, business contact details, or information collected through your interactions with us via our websites, at events or otherwise.

SCOPE

This Privacy notice applies in connection with your use of our websites, mobile applications, online tools, online events, social media, business relationships, agreements, general terms and conditions or by way of other means that link to this Privacy notice, your interactions with us during personal meetings or at Group events, and in connection with other offline sales, services, marketing activities and other business relationship activities with the Group.

WHO IS RESPONSIBLE FOR PERSONAL DATA PROCESSING

Every website, every presence on social media, every other application of the Group and  every services and other processing activities as described in this Privacy notice has a controller within the Group responsible for processing your personal information described in this Privacy notice according to the Regulation (EU) 2016/679 (General Data Protection Regulation (“GDPR”)) or other applicable data protection laws such as the Federal Act on Data Protection. Unless provided otherwise on the website (according to the imprint, terms of use, etc.), Flowable AG, Seilerstrasse 8, CH-3011 Bern, Switzerland is the controller for the website www.flowable.com .

In the event a Group entity communicates through other means (e.g. email, letter, telephone, in person) and the communication does not fall within an activity for which the Group has appointed a dedicated controller within the scope of this Data Privacy or otherwise, the corresponding Group entity is the controller. A list of the Group entities and the countries where they are located is provided in Annex 1, which may be updated from time to time. Please select a region and country to view the registered address and contact details of the Group entity or entities located in each country.

mimacom ag is the Group representative. Therefore, for any inquiry, claim or concerns regarding data protection at our Group (all companies and affiliates), please contact us by sending an email or a postal message to the following address email: datenschutz@mimacom.com, mimacom ag, Seilerstrasse 8, CH-3011 Bern, Switzerland.

Pursuant to Article 27 of the GDPR, the representative of companies and affiliates of the Group domiciled outside of the EU is mimacom Deutschland GmbH, Schloßstraße 70, 70176 Stuttgart, Germany.

PROCESSING OF YOUR PERSONAL DATA WHEN YOU USE OUR WEBSITES, APPLICATIONS AND ONLINE PLATFORMS OR ONLINE EVENTS

Categories of personal data processed, purpose of the processing and legal basis:

When visiting our Group websites, applications or online tools (each a “website offering”), the corresponding Group entity may collect and process the following personal data about you:

  • Personal data that you actively and voluntarily provide us through a website offering that we use to the extent it is necessary for the provision of a service or the execution of the contract and subject to Article 5 GDPR (e.g., when contacting us with your inquiries, submitting an application, in order to download certain documents, reply to a job offer, open a issue in our forum, etc.), including name, email address, telephone number, information submitted as part of a support request, comments or forum posts, etc.; and

  • Information that is automatically transmitted to us by your web browser or device in server log-files when you visit and retrieve the content provided for statistical and system-related purposes comprising your IP-address, time stamp (date and time of the access), device type, browser type and operating system of the requesting computer, referring site, sites accessed during your visit, file name accessed, data volume transferred and notification of successful retrieval. The stored IP address is only analyzed in the event of an attack on our information technology systems. An individual cannot be traced back to the stored user data. The logged data is stored for a period of 30 days and is afterwards erased by the system.

We process your personal data for the following purposes: 

  • To provide you with our services and functions and to administer your use of our website offerings;

  • To verify your identity (e.g. if you registered for a newsletter);

  • To reply and fulfill your specific inquiries; and

  • As reasonably necessary to enforce the applicable terms of use, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on our information technology systems.

The legal basis for the processing of your personal data are the following:

  • To perform our obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);

  • To comply with our legal obligations (Article 6 (1) (c) GDPR); and/or

  • Legitimate interests pursued by us (Article 6 (1) (f) GDPR), e.g. the efficient, effective and secure performance or management of our services and your use of our website offerings.

  • Your Consent related to the relevant use of your personal data that we may ask you for, which can be withdrawn at any time according to applicable laws (Article 6 (1) (a) GDPR).

PROCESSING OF YOUR PERSONAL DATA RELATED TO YOUR BUSINESS RELATIONSHIP WITH OUR GROUP

Categories of personal data processed, purpose of the processing and legal basis:

In connection with a prospective or existing business relationship with a Group entity, we may process the following categories of personal data of current and future contact persons of our customers, partners, suppliers and other business partners (each a “Business Partner”):

  • Contact information, such as full name, work address, work telephone number, work mobile phone number, work fax number and work email address;

  • Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;

  • Further information necessarily processed in a project or contractual relationship with a Group entity or voluntarily provided by the Business Partner, such as personal data relating to orders placed, payments made, requests, and project milestones;

  • Personal data collected from publicly available resources, integrity data bases and credit agencies; and

  • If legally required for Business Partner compliance screenings: date of birth, ID numbers, identity cards and information about relevant and significant litigation or other legal proceedings against Business Partners.

We process your personal data for the following purposes: 

  • To communicate with our Business Partners about services, products and projects of the Group or Business Partners, e.g. by responding to inquiries or requests or providing you with technical information about purchased products;

  • For planning, managing and performing the contractual relationship with our Business Partners; e.g. by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, and providing maintenance and support services;

  • To administrate and perform customer surveys, market analysis, marketing campaigns, sweepstakes, contests, or other promotional activities or events;

  • To maintain and protect the security of our websites, services and products, preventing and detecting security threats, fraud or other criminal or malicious activities;

  • To ensure compliance with legal obligations (e.g. record keeping obligations), Business Partner compliance screening obligations (to prevent white-collar or money laundering crimes), and Group policies or industry standards; and

  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

The legal basis for the processing of your personal data are the following:

  • To perform our obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);

  • To comply with our legal obligations (Article 6 (1) (c) GDPR); and/or

  • Legitimate interests pursued by us (Article 6 (1) (f) GDPR), e.g. the efficient, effective and secure performance or management of our business relationship with you.

  • Your Consent related to the relevant use of your personal data that we may ask you for, which can be withdrawn at any time according to applicable laws (Article 6 (1) (a) GDPR)

PROCESSING OF YOUR PERSONAL DATA RELATED TO OUR JOB OFFERINGS AND RECRUITMENT PROCESS

We offer applicants the option to apply for job openings online on our Career-site or via third party providers websites. You can apply for an open position by submitting your application via our application form or the one provided by a specific job board. You can also apply by sending your information via email at jobs@flowable.com.

You will be asked when you submit your application whether you give us consent to hold your details for the full 24 months in order to be considered for other positions or not.At the end of that period, or once you withdraw your consent, your data is deleted or destroyed in accordance with applicable laws.

Categories of personal data processed, purpose of the processing and legal basis:

  • Contact information, such as name and last name, address,phone number and email address, photo, copy of ID or passport;

  • Information related to your professional background and skills such as cv, photo, date of birth, marital status, nationality, professional experience, cover letter and work certificates;

  • Social media pages, websites or any other information a candidate decides to share with us.

We process your personal data for the following purposes: 

  • Examination of job applications suitability, including verifications of qualifications provided by candidates;

  • Contact candidates for recruitment purposes.

The legal basis for the processing of your personal data are the following:

  • To perform our obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);

  • Your Consent related to the relevant use of your personal data that we may ask you for, which can be withdrawn at any time according to applicable laws (Article 6 (1) (a) GDPR)

PROCESSING OF YOUR PERSONAL DATA RELATED TO OUR ONLINE EVENTS

In connection with the attendance to one of our online events we may process the following categories of personal data :

  • Contact information, such as full name, company name, job title and region and email address;

  • Information about your device and your activities. This information could include (a) your computer or other device’s unique ID number; (b) technical information about your device such as type of device, web browser or operating system; (c) your preferences and settings such as time zone and language; and (d) statistical data about your browsing actions and patterns (such as time of drop in and out of a presentation). We might collect this information on a non-anonymous basis.

We process your personal data for the following purposes: 

  • To enable you to log-in and attend the event

  • To improve the content and quality of our events. We collect this information on a non-anonymous basis in order to improve our website, our events, their content and the services we provide, and for analytical and research purpose.

The legal basis for the processing of your personal data are the following:

  • To perform our obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);

Legitimate interests pursued by us (Article 6 (1) (f) GDPR), e.g. the efficient, effective and secure performance or management of our services and online events.

TRANSFER AND DISCLOSURE OF PERSONAL DATA (Art. 13 (1) (e) GDPR)

In accordance with applicable data protection laws, Group entities and our affiliates may transfer personal data of you and our Business Partners to the following categories of Group entities and third parties who process personal data in connection with the use of our website offerings, services and products or our business relationship with you and our Business Partners in accordance with the purpose of data processing as described in this Privacy notice on behalf of the Group or for their own purposes:

  • other Group entities;

  • service providers and other processors (within the Group and external third parties) which provide IT or other services to us and which process such data only for the purpose of such services (e.g. hosting or IT maintenance and support services);

  • partners, suppliers and other business partners;

  • Courts, arbitration bodies, law enforcement authorities, regulators, attorneys and other parties in potential or actual legal proceedings, if necessary, to comply with the law or for the establishment, exercise or defense of rights or legal claims.

Sometimes the recipients to whom we may transfer or disclose personal data of you and our Business Partners are located in third countries in which applicable laws do not offer the same level of data protection as the laws of the home country.  If personal data is disclosed to such countries that do not guarantee adequate protection, we will ensure adequate protection of data disclosed by putting adequate contractual guarantees in place, (e.g. on the basis of EU standard contractual clauses), binding corporate rules, or transferring data pursuant to consent, conclusion or performance of a contract, or in connection with the determination, exercise or enforcement of legal claims according to applicable data protection laws. You may request further information about the safeguards implemented in relation to specific transfers and a copy of the contractual guarantees by contacting datenschutz@mimacom.com. We reserve the right to redact such copies for applicable legal or secrecy reasons.

Moreover, please note that personal data published by you on our website offering (e.g. forums) may be globally accessible to other registered users of the respective website offering.

RETENTION OF DATA

In accordance with the principles of data minimization (Article 5 (1) (c) GDPR) and data economy (Article 5 (1) (e) of the GDPR), the Group retains personal data for no longer than it is necessary for the purposes for which the personal data are processed. Notwithstanding the foregoing, we may process personal data for longer periods subject to the following rules and obligations:

  • We retain personal data as long as we (i) have an obligation to do so (e.g. by way of contract, law or other provisions) or (ii) we have an overriding interest (e.g. an interest for reasons of proof in case of claims, documentation of compliance with certain legal or other requirements or an interest in non-personalized analysis). Deviating rules are reserved with respect to anonymization or pseudonymization of personal data subject to applicable law.

  • As a rule for contract related personal data (including business records and communication) we retain personal data as long as the contractual relation is ongoing and for ten years after the termination of the contractual relationship unless (i) a shorter or longer statutory storage obligation is applicable on a case-by-case basis, (ii) the retention is required for reasons of proof or another valid reason based on applicable law, or (iii) the deletion of the data is required earlier (because e.g. the data is no longer required or a Group entity is required to delete the respective data).

  • As a rule for operational data containing data (e.g. protocols, logs), we retain personal data for a period of 3 – 12 months.

  • In general, Group entities and our affiliates retain personal data as long as necessary to achieve the purposes for which it was collected, usually for the duration of the ongoing employment relationship and for 10 years or any other period after the termination of the employment relationship as legally required or permitted by applicable law. For operational data containing personal data (e.g. protocols, logs), the Group retains it for 3 to 12 months. For Business records, the Group normally retains them as long as there is a legitimate interest in them which is usually not longer than for 10 years. Such legitimate interests may be for example for reasons of proof in case of establishment, exercise or defense of legal claims, documentation of compliance with certain legal or other requirements (if no longer statutory retention periods apply). Deviating retention periods may apply namely with respect to anonymized or pseudonymized data as long as Group entities and our affiliates have a legitimate interest of retention of such data.

  • Personal data will be destroyed by Group entities and our affiliates without delay once there is no longer the need to retain it. If printed on paper, the personal data will be shredded or incinerated. If saved in electronic form, the personal data will be destroyed using irreversible technical means.

WITHDRAW CONSENT

In case you declared your consent for the processing of certain personal data by the Group, you have the right to withdraw your consent at any time with future effect, i.e. the withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal.

SIGNING UP FOR NEWSLETTER

You can subscribe to our newsletter to receive up-to-date information about our products and services. When you sign up for our newsletter, the information you provide (mandatory fields: first name, last name, email address) will be used exclusively for this purpose (Article 6 (1) (a) of the GDPR). Other than that, we do not process any further data. For this purpose we record:

  • your consent to receive newsletters;

You may revoke your consent to the processing of your personal data and to it being used to send you the newsletter at any given time. You can either use the Unsubscribe link in the newsletter or contact us via email at marketing@flowable.com.

COOKIES

We also use cookies and other tracking technology which collect certain kinds of information when you interact with our sites and applications such as IP addresses or browsing preferences. For further information on cookies please refer to our cookie notice.

SECURITY

We implement appropriate technical and organizational security measures to protect your data managed on our systems against accidental or intentional tampering, loss, or access by unauthorized persons. The security measures are subject to continuous improvement in line with technological developments.

We take the appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized use, disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing and misuse.

In the event personal data is compromised as a result of a Personal Data Breach we will make the necessary notifications, as required under applicable laws.

CHILDREN

Our websites, services and products are not intended for children and we do not knowingly collect personal data from children under the age of 16. If we are notified or otherwise learn that personal data of a child under the age of 16 has been improperly collected, we will take all reasonable steps to delete that personal data.

LINKS TO OTHER WEBSITES AND THIRD-PARTY POLICIES

We may provide links to other websites and applications (e.g. social media websites). Please note that our browsing and interaction on any other website is subject to the terms of use and privacy policies and notices of such third-party websites. This Privacy notice applies only to the website and services of the Group as set forth in this Privacy notice and not to other websites or applications operated by third parties that we do not control the privacy practices of such other websites or applications.  We strongly encourage you to read the terms of use and privacy policies and notices of other websites carefully before providing personal data through that website. We are not responsible or liable for the privacy practices, information or content of such third-party websites.

RIGHTS OF DATA SUBJECTS (Art. 13 (2) (b) GDPR)

Any affected individual may request information from us as to whether data concerning him or her is being processed. In addition, they have the right to request the correction, destruction or restriction of personal data regarding them as well as to object to the processing of personal data. Should the processing of personal data be based on consent, the affected individual may withdraw consent at any time. Moreover, in countries of the EEA the affected individual may, in certain cases, have the right to obtain data gathered during the use of online services in a structured, common and machine-readable format which allows for further use and transfer. We reserve the right to restrict the rights of the affected individual in accordance with applicable law (e.g. not to disclose comprehensive information or not to delete data).

In the event a Group entity makes an automated decision with respect to a certain individual which may have a legal effect for the affected individual or seriously affect him or her in a similar way, the affected individual shall have the right subject to applicable law to communicate with a controller of the Group and to request a reconsideration of the decision or to request the prior evaluation by the controller. In this case the affected individual may no longer be able to use certain automated services. The individual will be informed thereof subsequently or separately in advance.

In order to exercise your data protection rights as a data subject or to obtain further information about the processing of your personal data by us, make suggestions or lodge complaints, please contact us by sending an email or a postal message to the following addresses: datenschutz@mimacom.com.

Any affected individual may also raise a complaint with the competent data protection authority, which in the case of a flowable controller in Switzerland is the Federal Data Protection and Information Commissioner in Switzerland (http://www.edoeb.admin.ch), the flowable controller in Germany is the Data Protection Office in Bonn (Die Bundesbeauftragte für den Datenschutz und die Informationssicherheit, www.bfdi.bund.de). In all other cases a list of the competent data protection authorities can be found here.

CHANGES TO THIS PRIVACY NOTICE

As we are constantly developing our web pages, services and products and employing new technologies, or to comply with legal requirements or to meet changing business needs, we reserve the right to amend this Data Privacy Notice at any time and without prior notice or announcement. In case there is an important change that we want to highlight to you, we will inform you in an appropriate manner (e.g. via a pop-up notice or statement of changes on our website). We therefore recommend that you carefully re-read this Privacy notice from time to time.

The latest version posted on this website shall be applicable.

Should the Privacy Notice form part of an agreement with our Business Partners, we may inform them of an update or amendments by email or in another appropriate manner and in accordance with applicable laws. The amendments shall be deemed to have been accepted unless an objection is raised within 30 days of notification. In case of objection the corresponding Group entity shall be free to terminate the agreement exceptionally and with immediate effect.

DO YOU HAVE ANY QUERIES REGARDING DATA PROTECTION?

For any queries pertaining to data protection please send us an email to datenschutz@mimacom.com.

Last updated on: September 2022

Annex 1

Switzerland and EU countries

mimacom AG

mimacom management AG

mimacom Deutschland GmbH

mimacom ibérica s.l.u. 

Flowable Holding AG

Flowable AG

Flowable Deutschland GmbH 

Flowable International GmbH

Flowable Licenses AG

Flowable Mimacom Services Deutschland GmbH      

Flowable Polska s.p. z. o.o.

Flowable Services GmbH

Flowable Services Spain s.l.u.

Non-EU countries

mimacom USA Inc.

Flowable Canada IT Services Inc.    

Flowable USA Inc.