Privacy Policy of Qundo Technology GmbH for Websites and Mobile Applications

(Booth 17. November 2021)

The following data protection information serves the purpose ofinformingyou in accordance with Chapter 3 of the General Data Protection Regulation (GDPR) about the processing of your personal data (hereinafter referred to as “data”) processed in connection with the use of this website, the mobile application (hereinafter collectively referred to as the “website” and “app”) and the Qundo services by Qundo Technology GmbH (“Qundo”). In addition, we inform you about the scope of your consent to the processing of your data in accordance with section 3.3.3 of this data protection declaration and the possibility of revoking your consent to Qundo, also described in section 3.3.3.

The processing of your data takes place in compliance with the relevant data protection regulations, in particular the provisions of the GDPR and the Federal Data Protection Act (BDSG).

1. Controller

The controller within the meaning of the GDPR is the

Qundo Technology GmbH, Hardenbergstraße 27, 10623 Berlin

2. Data Protection Officer

You can contact our external data protection officers as follows:

Data Protection Officer:

Mr. Adrian Obermiller

Bröskamp Consulting GmbH, Email:

3. Purposes and Legal Bases of Data Processing

3.1 Processing of Data when Using the App

When you download the mobile app, the necessary information is transferred to the App Store, i.e. in particular your user name, your e-mail address and the customer number of your account, the time of the download, payment information if applicable and the individual device identification number. We have no influence on this data collection and are not responsible for it. We only process the data insofar as it is necessary for downloading the mobile app to your mobile device and in this context, insofar as it is necessary for using the app, on the basis of Art. 6 (1) p. 1 lit. b) DS-GVO.

Qundo uses Firebase Crashlytics, a service of Google Ireland Ltd, Google Building Gordon House, Barrow Street, Dublin 4, Ireland, as part of the provision of the app, in particular to be able to improve stability and reliability. In the event of a crash, information is transmitted to Google’s servers in the USA (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the mobile phone, last log messages). This information does not contain any personal data.

Crash reports are only sent with your express consent. When using iOS apps, you can give your consent in the settings of the app or after a crash. With Android apps, there is the option to generally consent to the transmission of crash notifications to Google and app developers when setting up the mobile device.

The legal basis for the data transmission is Art. 6 para. 1 lit. a) DS-GVO.

You can revoke your consent at any time by deactivating the “crash reports” function in the settings of the iOS apps (in the magazine apps, the entry is in the menu item “Communication”).

For the Android apps, deactivation is basically done in the Android settings. To do this, open the Settings app, select the item “Google” and there, in the three-point menu at the top right, the menu item “Use & Diagnosis”. Here you can deactivate the sending of the corresponding data. You can find more information in the help for your Google account.

Further information on data protection can be found in the data protection information of Firebase Crashlytics at

Translated with (free version)

3.2 Verification and Confirmation of Identity – Smart Ident

The processing of your data by Qundo, in connection with the verification and confirmation of identity, is carried out on behalf of the respective partner company of Qundo, such as .B. a bank or an insurance company. The processing of your data takes place exclusively for the purpose of verifying your identity. Your declaration to the respective partner remains unaffected.

For the purpose of verifying and confirming your identity, we only process the data that you provide to us in the context of using the Qundo service, as well as data that the respective partner provides to us for the purpose of comparison with the data collected by us.

The scope of the processing of this data and also the legal basis for this processing depends on the intended or the already existing contractual relationship between you and the partner, as well as the legal requirements, which require proof of identity in individual cases. Depending on the legal basis for proof of identity, proof of the existence of a valid, official identity document(e.B. Identity card) required. As a rule, the following data is processed:

  • Surname, first name
  • Place of birth
  • Date of birth
  • Nationality
  • Full address
  • IP address
  • Operating system of the used device
  • Photo of the person and the front and back of the identity document
  • Identification data (such as date and place of issue, issuing authority, etc.)
  • Video and sound recording

If we have established and verified your identity, we will transmit the collected data to the partner. If, at your request, the determination of your identity via a sales partner has been forwarded by us or a sales partner of the partner, the sales partner will only receive a success message on the verification status. The partner will process the transmitted data to fulfil its money laundering or other identification obligations, as well as its rights and obligations arising from the contractual relationship with you.

The processing of your personal data takes place on one or more of the following legal bases:

if we verify your identity on behalf of our customer: Art. 6 para. 1 sentence 1 lit. b) GDPR

the contract between you and the organisation with which you are associated provides for your identity to be verified. As a contractor, we are also contractually associated with this organization.

In connection with the money laundering-relevant legitimation, we may be obliged to pass on your data at least partially to our partner. If this is the case, the corresponding legal basis is the legal obligation pursuant to Art. 6 para. 1 sentence 1 lit.c) GDPR.

3.3 Inquiries via Contact Form or E-Mail

To send your inquiries to us, e.B. via the contact form or to our e-mail address, we process your data provided in this context – including your name and e-mail address.

We process your data to answer your inquiries on the following legal basis:

If your contact is made within the framework of a contract to which you are a party or for the implementation of pre-contractual measures, the legal basis is Art. 6 para. 1 sentence 1 Lit.B.) GDPR.

To safeguard our legitimate interests in accordance with Art. 6 para. 1 sentence 1lit. f) GDPR; our legitimate interest lies in the appropriate response to customer inquiries.

3.4 Evaluation and Feedback of the App

As part of the identity check, you have the option of anonymously submitting a rating (1 – 5 stars) at the end of the process, as well as adding a comment. This information is collected by Qundo for informational purposes only, to improve our application based on user feedback, and may be provided on a voluntary basis.

We process your data for these purposes on the following legal basis:

If you have given us your consent, in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

4. Categories of Recipients

Within Qundo, access to the data is only granted to those departments that need it to fulfil our contractual and legal obligations.

As part of our activity as a processor, we transmit the collected data to the respective partner with whom you are in contact. If, at your request, the determination of your identity via a sales partner has been forwarded by us or a sales partner of the partner, the sales partner will only receive a success message on the verification status. The partner will have tokeepthe transmitted data to fulfill his money laundering or other identification obligations, as well as his rights and obligations from the contractual relationship between the partner and the sales partner, in particular to prove the conclusion of the contract.

As part of our processing, we share your personal data, to the extent permitted or required by law, with other recipients who provide services to us in connection with the services offered (e.B. IT service providers). We limit the disclosure of your personal data to what is necessary and monitor compliance with all legal requirements in accordance with strict requirements. Qundo uses the services of AWS (Amazon Web Services) to process all data and stores all data in a data center in Frankfurt am Main, Germany.

5. Links

The websites of all third-party providers are subject to their own data protection principles. We are not responsible for their operation, including data handling. If you send information to or through such third-party sites, you should review the privacy statements of those sites before sending them information that can be attributed to you.

6. Duration of Storage

As part of the verification of your identity or an equivalent legitimation, we process your data on behalf of our clients. The storage period with us is 14 days. After the expiry of the 14 days, your data will be deleted automatically.

Within the framework of the Money Laundering Act, our client may be obliged to keep the data for a period of up to five years or for a period of up to 10 years in accordance with commercial or tax law requirements.

If you send us an inquiry when using our website, we will also store your personal data for the duration of the answer to your request or for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.

In addition, we then store your personal data until the statute of limitations of any legal claims arising from the relationship with you expires in order to use them as evidence if necessary. The limitation period is usually between 12 and 36 months but can also be up to 30 years.

Upon the expiry of the limitation period, we will delete your personal data, unless there is a statutory retention obligation, for example from the German Commercial Code (§§ 238, 257 (4) HGB) or from the Tax Code (§ 147 (3), 4 AO). These retention obligations can be two to ten years.

7. Your Rights as a Data Subject

Under the statutory conditions, you are entitled to the following rights as a data subject, which you can assert against us:

Right to information: You are entitled at any time to request confirmation from us within the framework of Art. 15 GDPR as to whether we are processing personal data concerning you; if this is the case, you are also entitled under Art. 15 GDPR to receive information about this personal data as well as certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, your rights, the origin of the data, the use of automated decision-making and, in the case of third-country transfer, the appropriate guarantees) and a copy of your data.

Right to rectification: In accordy with Article 16 of the GDPR, you are entitled to request that we rectify the personal data stored about you if it is inaccurate or incorrect.

Right to erasure: Under the conditions of Article 17 GDPR, you are entitled to demand that we delete personal data concerning you without undue delay. The right to erasure does not exist, among other things, if the processing of personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) to fulfil a legal obligation to which we are subject (e.B statutory retention obligations) or (iii) to assert, exercise or defend legal claims.

Right to restriction of processing: You are entitled, under the conditions of Article 18 GDPR, to demand that we restrict the processing of your personal data.

Right to data portability: Under the conditions of Article 20 GDPR, you are entitled to request that we provide you with the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format.

Right to object: You are entitled to object to the processing of your personal data under the conditions of Article 21 GDPR, so that we must stop processing your personal data. The right to object exists only within the limits provided for in Art. 21 GDPR. In addition, our interests may prevent the processing from being terminated, so that we are entitled to process your personal data despite your objection.

You have the right, for reasons arising from your particular situation to object at any time to the processing of personal data concerning you byus. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If you have already started with the identification, exercise the objection by ending the process. If the identification is still pending, please contact your contractual partner (e.B. bank, insurance, etc.). As a precautionary measure, we would like to point out that you may no longer be able to achieve the goal you wanted to achieve with the help of identity verification.

Right of appeal: Complaints can be addressed to the bodies mentioned in sections 1 and 2. In addition, under the conditions of Article 77 GDPR, you are entitled to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

The supervisory authority responsible for us is Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin. Email: Phone number Headquarters: +49 30 13889-0 Fax: +49 30 2155050

Revocation of consent: If you revoke all or part of your consent given to us to the collection, processing and use of your data with effect for the future, we will immediately delete your data to the extent desired by you or block it for further use, subject to statutory retention periods.

8. Obligation to Provide Data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to provide you with our website, will not be able to answer your inquiries to us and will not be able to provide you with our services. Personal data that we absolutely need for the above-mentioned processing purposes are indicated by a “*” or another sign.

9. Encryption

When collecting or transmitting your data, we use state-of-the-art encryption according to TLS v.1. 2/1.3 via SSL certificate via reverse proxy between the app and our software. In addition to the encryption technologies, the partner must authenticate each time it is accessed to retrieve the data. Encryption and the necessary authentication with OAuth ensure the confidentiality of the communication. This security feature is active when either an intact key or a closed lock (browser-dependent) icon appears at the bottom of your browser window.

10. Changes

We reserve the right to change this Privacy Policy at any time. Any changes will be announced by publishing the amended privacy policy on our website. Unless otherwise specified, such changes shall take effect immediately. Therefore, please check this data protection declaration regularly in order to view the latest version.