CEDRUMO

Privacy Notice

Use of our app Cigar Collection Manager

This is the English translation of the legally authoritative German Datenschutzerklärung. In case of any discrepancy, the German version prevails.

§ 1 Information on the processing of personal data

(1) We provide you with our app "Cigar Collection Manager", which you can download to your mobile device. Below we inform you about the processing of personal data when you use our app. We thereby also wish to fulfil the statutory obligations, in particular under the EU General Data Protection Regulation (GDPR). Personal data is any data that relates to you personally, e.g. name, address, email addresses, user behaviour.

(2) The controller in accordance with Art. 4 (7) GDPR is:

CEDRUMO Digital Ventures GmbH i.G., Tizianstraße 20, D-83026 Rosenheim, info@cedrumo.com (see our legal notice).

(3) Where we engage commissioned service providers for individual functions of our offering, we always select and monitor these service providers carefully and inform you in detail below about the respective processing activities. We also name the defined criteria for the storage period. To the extent that our service providers or partners are based in a country outside the European Economic Area (EEA), we inform you of the consequences in the description of the offering.

(4) We do not use any advertising tracking in our app.

§ 2 Processing of personal data when using our app

(1) When you download the app and conclude subscriptions, the required information is transmitted to the App Store, in particular the user name, email address and customer number of your account, the time of download, payment information and the individual device identifier. The App Store also independently collects various data and makes analysis results available to its users. We have no influence over this data processing and are not responsible for it. We process the data only to the extent necessary to download the mobile app to your mobile device.

(2) When you use the app, we process data as described below. The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR, in order to make our free service or, upon conclusion of a subscription, chargeable functions available to you:

Our app uses services provided by Google Firebase, a platform operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Firebase is used for the authentication of users and for the storage of data (Cloud Firestore, Firebase Cloud Storage).

For authentication and user identification, an anonymous user ID (UID) is generated. This UID is a unique, random identifier that is assigned to your device and does not allow any direct conclusions to be drawn about a person.

Users may voluntarily enter their own content into the app, for example:

  • cigars in your collection
  • rum or beverage pairings
  • humidor data
  • ratings
  • favourites
  • personal notes
  • moments of enjoyment or memories
  • photos

Depending on the content, this data may be personal data or contain such data.

After storage in the Firebase cloud, the content is linked to the anonymous user ID. Text content is stored in Cloud Firestore in the region europe-west3 / Frankfurt; photos are stored in Cloud Storage.

(3) The anonymous user ID and the content are stored for as long as you use the offering. In the event of inactivity over an extended period (typically 12 months) or if you delete the app, the data is automatically deleted.

(4) When Firebase Authentication is used, Google processes the data required to perform and secure the authentication. This may include technical connection data, such as IP addresses generated during communication with the Firebase servers. The IP address is generally stored in the Firebase server logs for 30 to 90 days. In addition, the operating system, device model and app version are transmitted to Firebase. The legal basis for these data processing activities is Art. 6 (1) sentence 1 lit. f GDPR. As the operator, we have a legitimate interest in the security and continued operability of our service. Further information can be found at https://firebase.google.com/support/privacy.

(5) Google may transfer the stored data to the USA. The transfer takes place on the basis of the EU-US Data Privacy Framework (adequacy decision of the EU Commission) or supplementary Standard Contractual Clauses. The legal basis for the data transfer to the USA is Art. 49 (1) sentence 1 lit. b GDPR (performance of a contract) and Art. 6 (1) lit. f GDPR (legitimate interests in providing the service).

§ 3 Processing of data from your end devices (cookies)

Our app does not use any cookies.

§ 4 Data processing by third parties, commissioned data processing

(1) The following categories of recipients, which are usually data processors, may receive access to your personal data:

  • Service providers for the operation of our app and the processing of the data stored or transmitted through the systems (e.g. for data centre services, payment processing, IT security). The legal basis for the disclosure is then Art. 6 (1) sentence 1 lit. b or lit. f GDPR, where they are not data processors;
  • Public authorities, to the extent this is necessary to fulfil a legal obligation. The legal basis for the disclosure is then Art. 6 (1) sentence 1 lit. c GDPR;
  • Persons engaged for the conduct of our business operations (e.g. auditors, banks, insurers, legal advisors, supervisory authorities). The legal basis for the disclosure is then Art. 6 (1) sentence 1 lit. b or lit. f GDPR.

(2) Beyond this, we only pass on your personal data to third parties if you have given express consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR.

§ 5 Contacting us as the operator of the app

When you contact us by email, telephone or via a contact form, the data you provide (email address, where applicable name and telephone number) is stored by us in order to answer your questions. The purpose of the data processing is the individual communication with you, for the initiation or performance of a contract or other handling of your enquiry. Insofar as you contact us in the context of a contractual relationship or to initiate a contract, the data processing takes place in accordance with Art. 6 (1) sentence 1 lit. b GDPR. In all other cases, we process your data on the basis of our legitimate interest in accordance with Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in handling your enquiry, depending on the content and purpose of the message you have transmitted. The personal data we collect in connection with you contacting us will be deleted upon your request for deletion, upon withdrawal of consent or upon completion of the matter you have raised, provided that no statutory retention obligations or rights conflict with this. The storage period ends at the latest upon expiry of the statutory limitation periods; these are calculated in accordance with § 199 BGB (German Civil Code).

§ 6 Your rights

1. Right of access

(1) You have the right to obtain information from us about the personal data concerning you to the extent of Art. 15 GDPR.

(2) This requires an application from you, which must be sent either by email or by post to the addresses given above.

2. Right to object to data processing and to withdraw consent

(1) In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. We will then cease the processing of your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or where the processing serves the establishment, exercise or defence of legal claims.

(2) In accordance with Art. 7 (3) GDPR, you have the right to withdraw at any time, with effect for the future, any consent you have given (including before the GDPR came into force, i.e. before 25 May 2018) — that is, your voluntary, informed and unambiguous expression of will, by means of a declaration or other clear affirmative act, that you agree to the processing of the personal data concerned for one or more specific purposes. The consequence is that we may no longer continue the data processing based on this consent for the future.

(3) In this regard, please contact the contact point specified above.

3. Right to rectification and erasure

(1) Insofar as personal data concerning you is inaccurate, you have the right under Art. 16 GDPR to request immediate rectification from us. Please direct any such request to the contact point given above.

(2) Under the conditions set out in Art. 17 GDPR, you have the right to request the erasure of personal data concerning you. Please direct any such request to the contact point given above. The right to erasure exists in particular where the data in question are no longer necessary for the purposes of collection or processing, where the data storage period has expired, where an objection has been raised, or where there has been unlawful processing.

4. Right to restriction of processing

(1) In accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data from us.

(2) Please direct any such request to the contact point given above.

(3) The right to restriction of processing exists in particular where the accuracy of the personal data is disputed between you and us; in that case the right exists for the period required to verify the accuracy. The same applies where the successful exercise of a right to object is still disputed between you and us. This right also exists in particular where you have a right to erasure and request restricted processing instead of erasure.

5. Right to data portability

(1) In accordance with Art. 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us, in a structured, commonly used, machine-readable format, in accordance with the relevant requirements.

(2) Please direct any such request to the contact point given above.

6. Right to lodge a complaint with the supervisory authority

(1) In accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority about the collection and processing of your personal data.

(2) You can reach the competent supervisory authority at the following contact details: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, Germany, email: poststelle@lda.bayern.de.