Last Update: May 15, 2018
1. Welcome to zenloop!
Your privacy is important to us
1.1 Who we are
1.3 What 'Personal Data' means
"Personal data means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
1.4 Users, Survey Senders and Survey Recipients
2. Privacy for Users
2.1 Who is a User?
If and while you visit our site www.zenloop.com/en, even without registering for an account, you are a "User" of our site.
2.2 What information do we collect from Users?
We collect the following information from all of our Users in the background while they browse our site:
Statistical usage data: We collect and analyze data about how you found our site, how you browse, how long you stay on it, and what you click on during your stay.
Device and application data: We collect data from the device (for example, if you use a laptop or smartphone) and application (for example, whether you are using Chrome or Firefox) you use to access our site. This includes your public IP address, from which we may also infer your geographic location.
Referral data: If you arrive at our site from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.
- Information from cookies and page tags: We use third party tracking services that employ cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data about visitors to our websites. This data may include usage and User statistics.
If you interact with our site in certain ways, we will also collect the following information from you:
- Voluntary information: We may collect additional personal information or data from you if you submit it to us voluntarily in other contexts, such as testimonials or public contests.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR.
2.3 How do we use the information we collect from Users?
We use the information we collect from Users:
To personalize your experience: Your information helps us to better respond to your individual needs.
To improve our website: We continually strive to improve our website offerings based on the information and feedback we receive from you.
- To improve customer service: Your information helps us to more effectively respond to your customer service requests and support needs, including to help us evaluate or devise new features.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR, based on the legitimate interest in increasing the attractiveness of our service.
2.4 When and with whom do we share your information?
zenloop recognizes that you have entrusted us with safeguarding the privacy of your information. Because that trust is very important to us, we will disclose or share your information only in limited circumstances, in accordance with applicable law. In particular, we may disclose your information:
- To our service providers. zenloop uses third-party service providers who help us to provide you with our services. These including credit card and payment processors, data hosting service providers, and providers of web analytics tools. We will give these providers access to your information, but only to the extent necessary for them to perform their services for us. We also contractually bind these service providers to keep your information confidential and to use it only for the purpose of providing their services. All service providers employed by us as contract processors outside the European Economic Area are either certified under the EU-US Privacy Shield or have concluded standard EU contract clauses with us.
The third party service providers we use are:
- "Google Analytics": We use this web analysis service of Google, Inc. ("Google"), situated at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses so-called "cookies", text files which are saved on your computer and enable analysis of the use of a website. Information on your use of this website (including your IP address) generated by the cookie is transferred to a Google server in the USA and saved there. Google uses this information to evaluate your use of the website in order to compile reports on website activities for the website operator, and to provide additional services related to website and Internet use. However, your IP address is shortened before the usage statistics are evaluated, so that no conclusions can be made about your identity. For this purpose, Google Analytics has been extended on our website by the code "anonymizeIP" to ensure anonymous collection of IP addresses. Google may also transfer this information to third parties, insofar as this is legally specified or insofar as third parties process this data on behalf of Google. Google will in no case connect your IP address to other data saved by Google. You can prevent the installation of cookies via the corresponding settings in your browser; we hereby inform you, however, that you may not be able to take full advantage of all functions of this website in this case. By using this website, you declare that you consent to the processing of data collected about you by Google in the manner described above, and for the purposes described above.
You can counteract the saving and collection of data and effectively opt-out of using this third-party provider with a plugin for your browser, here.
- "Heap": We use Heap Analytics, a web analysis service provided by Heap Inc. ("Heap"), situated at 460 Bryant St., Suite 300, San Francisco, CA 94107, USA. Heap Analytics uses "cookies," which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Heap on servers in the United States. In the event IP anonymization is activated on this website, your IP address will be shortened beforehand by Heap within member states of the European Union or in other signatory states of the Treaty on the European Economic Area. The full IP address will be transmitted to a Heap Server in the USA and shortened there only on an exceptional basis. Heap will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services to website operators relating to website activity and Internet usage. You may prevent the storage of cookies by selecting the appropriate settings on your browser software; however, we must advise you that in this case, you might not be able to use all functions of this website to the full extent. You may prevent Heap from recording the data generated by the cookie and pertaining to your use of the website (including your IP address), or processing these data by activating the following "Do-Not-Track" link.
- "Klenty": We use the web services of KlentySoft Inc. ("Klenty"), 340 S Lemon Ave, #2331 Walnut, CA 91789, USA. Klenty is a sales automation software services primarily for the needs of sales individuals, teams, and organizations (the "Services" or "Service") to manage workflows and communicate with customers and potential customers. When you register with us, we will share your e-mail address with Klenty in order to allow us to use Klenty's services for our sale automation.
If required or permitted by law. Sometimes, public authorities (such as courts, government agencies, public prosecutors, antitrust authorities and others) may require us to disclose information to them in the exercise of their duties (for example in order to investigate, prevent, or take action regarding illegal activities). We may disclose your information as required or permitted by law, including when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.
If there is a change in business ownership or structure at zenloop. If ownership of all or substantially all of our business changes (whether by share deal or asset deal), or we undertake a corporate reorganization (including a merger or consolidation, or any measures pursuant to the German Transformation Act), you expressly consent to zenloop transferring your information to the new owner or successor entity so that we can continue providing our services. If required, zenloop will notify the applicable data protection agency in each jurisdiction of such a transfer in accordance with the notification procedures under applicable data protection laws.
- When we have your permission to do so. Of course, there may also be instances where, in addition to the above, you have given us your express consent to disclose your information to others. This may be the case, for example, where you provide a testimonial about your zenloop experience, or where, with your consent, we disclose your contact details to third parties in order for them to contact you for marketing purposes.
3. Privacy for Survey Senders
3.1 Who is a Survey Sender?
If you register with a zenloop account and subscribe to one of our subscription plans in order to conduct surveys, you are a Survey Sender.
3.2 What information do we collect from Survey Senders?
As a Survey Sender, you are also a User, and we collect and use your information as described in chapter 2 above. Additionally, we collect the following information from you while you use our service:
Registration information: You need a zenloop account before you can create surveys on zenloop. When you sign up for an account on our site, we will collect the information that you provide to us when you register for an account, including your first and last name, email address, username, password, company name.
Billing information: If you subscribe to one of our subscription plans, we will require you to provide your billing details, including your billing name, billing address, and additional financial information depending on the payment method you chose. We will also store information about your individual subscription plan (including the date when you sign-up and dates of any renewals).
"My Account" settings: You can view and edit various preferences and personal details through your "My Account" settings on our platform. For example, you can set preferences such as your default language and default time zone.
Survey data: We collect and store all the questions and responses to the surveys you create and run through our service, including statistics or insights. Of course, on top of keeping this information secure, we also keep it confidential at all times: Only your account has access to your survey questions and responses at any time.
- Recipient data: zenloop allows you to import your Survey Recipients' personal information (for instance, email addresses), so that you can easily invite Survey Recipients to take surveys, and later analyze their results. We will store and process this data exclusively as data processor on your behalf and at your direction.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR.
3.3 How do we use the information we collect from Survey Senders?
We use Survey Senders' information for the same purposes as any User information as described in chapter 2 above. Additionally, we also use Survey Senders' information:
To provide our service: We will use your registration information, billing information, "My Account" settings, and your survey and recipient data, to provide our service to you. This will include providing you with customer support, which requires us to access your information to assist you. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.
To create service analyses: We will use your information in aggregated form to create reports or benchmarks. This means that we may use your information for security and operations management, to create statistical analyses, and for research and development purposes. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, based on the legitimate interest in increasing the attractiveness of our service.
To send you periodic emails: The email address you provide as part of your registration information may be used to send you information and updates pertaining to your order. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR
- To contact you for marketing purposes: In addition and depending on whether you have given us your consent to do so, we may use your email address to send you occasional company news, updates, and related product or service information. If any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email that we send to you.
4. Privacy for Survey Recipients
4.1 Who is a Survey Recipient?
If you have been invited to participate in a zenloop survey by a Survey Sender (for example, on the Survey Sender's website or via an email), and you visit our site to answer the survey, you are a "Survey Recipient".
4.2 What information do we collect from Survey Recipients?
As a Survey Recipient, you are also a User, and we collect and use your information as described in chapter 2 above. Additionally, we collect the following information from you on behalf of the Survey Sender who invited to respond to a survey:
Survey responses: We collect and store the responses you give in response to the survey you are answering. Depending on the survey, that may include your name and/or other personal information. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR.
- Email address: zenloop records your email address if the Survey Sender provides it to us in order to send you an invitation to a survey. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR. We trust that the creator has asked you for your consent beforehand. Of course, you may opt out from receiving survey invitations at any time by following the unsubscribe instructions at the bottom of each email that you receive through us.
4.3 How do we use the information we collect from Survey Recipients?
That depends on the type of information you provide to us:
- Other information: Other than survey responses, we use Survey Recipients' information for the same purposes as any User information as described in chapter 2 above.
Additionally, we also use Survey Recipients' information in aggregated form to create reports or benchmarks. This means that we may use your information for security and operations management, to create statistical analyses, and for research and development purposes. Please note that these analyses will not incorporate your information in a form that could identify you personally in any way. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, based on the legitimate interest in increasing the attractiveness of our service.
5. Data controller and data processor
zenloop is the data controller for any User and Survey Sender information that we collect. However, the data controller for the survey response data provided by Survey Respondents is the Survey Sender. The Survey Sender determines how their survey questions and responses are used. zenloop processes such data only on behalf of and in accordance with the Survey Sender's instructions. If you have any questions about a survey you are taking, please contact the Survey Sender directly.
6. How long do we store your information?
We will store your personal data in accordance with applicable statutory retention periods. After expiration of that period, the corresponding data will be routinely deleted, as long as it is no longer necessary for the fulfillment of a contract between you and us.
If you are a Survey Sender, when you cancel your account, all of your data and content will be deleted from our systems, as permitted by law. Please note that this content cannot be recovered once your account is cancelled. We are not liable for any loss or damage following, or as a result of, the cancellation of your account, and it is your responsibility to ensure that any content or data which you require is backed-up or replicated before cancellation.
Notwithstanding the above, we will retain and use your information and data to comply with our legal obligations (including any statutory retention periods), resolve disputes, or enforce our agreements. We may also retain and use your information to the extent such information is incorporated in any of our statistical analyses, reports and benchmarks. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual.
7. How Users can control their information
7.1 Your rights as a data subject in general
Your rights in respect to our processing of your personal data include the following:
Right of access: You may obtain from us free information about your personal data that is stored with and processed by us at any time, and a copy of this information (see chapter 7.2 below for more details).
Right to rectification: If you believe any of the personal data that we store or process about you is inaccurate or incomplete, you may request rectification of such incorrect or incomplete data (see chapter 7.2 below for more details).
Right to erasure (right to be forgotten): Where certain conditions are met, you may request erasure of your personal data at any time (see chapter 7.3 for more details).
Right to restriction of processing: Where certain conditions are met, you may obtain from us a restriction of processing (see chapter 7.4 for more details).
Right to object: At any time, you may object, on grounds relating to your particular situation, to the processing of your personal data (see chapter 7.5 for more details).
Right to data portability: You have the right to receive the personal data concerning you, which was provided to us, in a structured, commonly used and machine-readable format (see chapter 7.6 for more details).
Right to withdraw consent: Where our processing of your personal data is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of the processed based on your consent before its withdrawal (see chapter 7.7 for more details);
- Right to lodge complaint: If you feel that any of our data processing measures or means are in violation of applicable law, you have the right to lodge a complaint with a supervisory authority (see chapter 7.8 for more details).
7.2 Can I access and correct my personal data?
Yes. By law, you have the right to review the personal information that zenloop holds about you, and you may also request us to correct, delete, restrict or block that data if required. You can exercise these rights at any time by contacting our privacy support at firstname.lastname@example.org.
If you are a Survey Sender, you may modify your personal information by logging in and visiting your settings on the "My Account" page and "Plan + Billing" page, following the instructions provided, or going to our "Contact Us" page. We encourage you to promptly update your personal information when it changes.
If you are a Survey Recipient, please note that your personal data (including any personal data that may be contained in the survey responses you give) is managed and controlled exclusively by the Survey Sender – zenloop processes such data only on behalf of the Survey Sender, and in accordance with the Survey Sender's instructions. If you would like to review, correct, delete, restrict or block your personal data or your survey responses, we ask that you please contact the Survey Sender directly.
7.3 What if I do not want my personal data to be processed?
If you do not want your personal data to be processed, you have the right to request that the data concerning you shall be erased without undue delay, provided that one of the following reasons applies and insofar the processing is not necessary:
The personal data were collected for purposes or processed in any other way for which they are no longer necessary;
You withdraw your consent, on which the processing is based and there is no other legal basis for processing;
You object against the processing and there are no overriding legitimate grounds for the processing;
The personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which we are subject;
- The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
If of the above-mentioned reasons applies and you wish to have your personal data deleted, please contact our privacy support at email@example.com. We will then arrange for the deletion request to be complied with immediately.
7.4 Can I restrict what you do with my personal data?
Yes. You may obtain from us a so-called 'restriction of processing', where one of the following applies:
The accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
The processing of your personal data is unlawful and you oppose the erasure of the personal data and request instead the restriction of their use;
We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- You have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether our legitimate grounds override yours.
If one of the aforementioned conditions is met, and you wish to request the restriction of the processing of your personal data stored by us, you may contact us at any time to arrange for the restriction of the processing.
7.5 Can I object to the processing of my personal data?
Yes. You may at any time object, on grounds relating to your particular situation, to a processing of your personal data which is based on Article 6 (1) (e) or (f) GDPR. If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds in accordance with Article 21 (1) GDPR.
Where we process personal data for direct marketing purposes, you also have the right to object at any time to the processing of your personal data for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Where we process personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, you may, on grounds relating to your particular situation, object to the processing of your personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.6 Can I get my data transferred to another controller?
You have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from us, provided that the processing is based on your consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means. Note that this transfer may be prohibited if the processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority vested in zenloop. In exercising your right to data portability, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
7.7 What happens if I change my mind – can I revoke my consent?
7.8 All went wrong – what can I do?
If you feel that our data protection measures are in violation of the law, insufficient or for any other reason you see fit, you have the right to lodge a complaint with a supervisory authority, in accordance with Article 77 GDPR.
8. Data security
8.1 Where is your data stored?
The servers that we use to host and process your data and information are located in Germany, a Member State of the European Union, or another signatory to the Agreement on the European Economic Area.
8.2 How do we safeguard your data?
We are committed to handling your personal information and data with the utmost care. For this purpose, we have implemented and will maintain various technical and organizational measures here at zenloop. The measures that we undertake to protect your data are set out in our Data Security Concept, which you can find in annex 1. These measures are intended to protect your data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
8.3 Is there a risk that my data could still be viewed by third parties?
Unfortunately, yes. Regardless of the security protections and precautions we take, there is always a risk that your personal data may be viewed and used by unauthorized third parties as a result of collecting and transmitting your data through the internet. If you have any questions about the security of your personal information, please contact our customer support at the "Contact Us" page.
9. What is the legal basis for all of this?
In processing your personal data, zenloop acts in accordance with applicable law at all times. We have named the appropriate legal basis for each data processing. Below we explain what they mean. We base our data related processes on Article 6 (1) (a) GDPR, which states that data processing is allowed if the data subject grants his or her consent for one ore more specific purposes.
If the processing of personal data is necessary for the performance of a contract to which you are a party (or in order to take steps at your request prior to entering into such contract), our processing is based on Article 6 (1) (b) GDPR. Pre-contractual measures can be broadly defined and can already represent surfing on our website.
If zenloop is subject to a legal obligation which requires a processing of personal data (such as the fulfilment of tax obligations), our processing is based on Article 6 (1) (c) GDPR.
In very rare cases, the processing of personal data by us may be necessary to protect the vital interests of a data subject or of another natural person; in these cases, our processing is based on Article 6 (1) (d) GDPR.
We do not currently perform any tasks in the public interest or in the exercise of official authority vested in us; however, we may do so in the future, and where we do so, our processing is based in Article 6 (1) (e) GDPR.
Finally, our processing of personal data is based on Article 6 (1) (f) GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if the processing is necessary for the purposes of the legitimate interested pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Where our processing of personal data is based on Article 6 (1) (f) GDPR, our legitimate interests are as briefly sketched, including to operate our website, to provide our service, to ensure the stability and security of our website and services, to personalize the experience of our users and respond to their individual needs (including to continually improve our website and our customer services), and to contact you for marketing purposes (where you have given us your consent to do so).
10. Does zenloop use automated decision-making?
No. As a responsible company, zenloop does not make use of any automatic decision-making.
12. How to contact us
Here are our contact details (pursuant to Article 4 para. 7 of the European General Data Protection Regulation GDPR):
zenloop GmbH Brunnenstrasse 196 10119 Berlin, Germany firstname.lastname@example.org
ISiCO Datenschutz GmbH
Am Hamburger Bahnhof 4
10557 Berlin, Germany
Technical and organizational measures to ensure the security of processing
1. Measures to ensure confidentiality
1.1. Physical access control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.
Description of physical access control:
- Safety locks on doors
- Careful selection of cleaning staff
- Admission management: authorized personnel and scope of authorization are pre-defined
- Careful selection of security staff
- Further measures by service provider
1.2. Logical access control
Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.
Description of logical access control system:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- User rights are granted restrictively
- All log-ons / log-offs are recorded
- Use of central password policy
1.3. Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.
Description of data access control:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- All data access is logged automatically
- Small number of system administrators
- Records and log files are analyzed regularly
1.4. Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
Description of the separation control process:
- Systems allow for data segregation (multi-tenancy), data is segregated by software
- Productive systems and test systems are separated from each other
- Data sets can be accessed only through those applications which have been pre-defined
- Database user rights are issued and managed centrally
1.5. Pseudonymization measures
Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures.
Description of the pseudonymization:
- none due to work on a central server system
2. Measures to ensure integrity
2.1. Transmission and transport control
Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.
Description of the transmission and transport control:
- Unnecessary printouts are terminated
- No use of physical data carriers
- Comprehensive logging procedures
- No use of private data carrieres at at work
2.2. Input control
Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.
Description of the input control process:
- Logging of all system activities and keeping of these logs for at least six months
- Use of central rights management for entering, altering and deleting data
3. Measures to ensure availability and resilience
3.1. Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system
- Backups are taken on a regular basis
- Backup and recovery plan is in place
- Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers
- Additionally diverse measure of server service providers
3.2. Quick recovery
Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.
Description of the measures for quick recovery:
- Data backup procedure
4. Measures for the regular testing and evaluation of the security of data processing
Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller.
Description of the order control measures:
- Involvement of external data protection officers for all data protection-related questions
- Formalized processes for data privacy incidents