In the following provisions, we, i.e. Hemro International AG ("Hemro/we"), inform you about the type, scope and purpose of the collection and use of your personal data in the context of the Mahlkönig Sync App (hereinafter: "App"). Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, address and email address.
1. Controller and Data Protection Officer
The controller of the App and the responsible party in terms of data protection law is the
Hemro International AG
Board of Directors with power of representation: Dr. Marcel Lehmann, Adrian Schürmann, Ziya Boro
Tel.: +41 44 864 18 00
Data Protection Officer:
Data Protection Officer
2. Data processing and purpose
Depending on the specific use of the App, personal data is processed for the purposes stated below. Unless otherwise stated, the legal basis for data processing is Art. 6 (1) sentence 1 lit. b GDPR.
2.1 Download the App
When downloading the App, the necessary information is transferred to the respective app store, i.e. in particular user name, email address and customer number of your account, time of download, payment information and individual device codes. We have no influence on this data collection and are not responsible for it. We process this data provided to the extent necessary for downloading the App on your device. This data is not stored any further beyond this.
2.2 Device and connection data
When your device establishes a connection with our server, your device and connection data are processed. These are IP address, date and time of the request, device identification number (UDID and comparable device numbers) as well as further device information (operating system and version, manufacturer and model, IMEI, IMSI, mobile phone number, MAC address). Connection data is not used to draw conclusions about the person of the user or merged with data from other data sources, but is used to identify your device, to improve the App and for troubleshooting. The legal basis is Art. 6 (1) sentence 1 lit. f GDPR. After the respective session or use of the App, the data is anonymised by shortening the IP address at domain level.
2.3 Initial registration
To use the App, you must first register. For the initial registration, you must enter your email address and will receive a confirmation link via email. Once you click on the link in the email, you will be redirected to the App and must enter a company name, your name and choose your password ("login data"). A password must be at least 8 characters long and preferably always consist of a combination of upper and lower case letters, numbers and special characters. Trivial words such as "ABC" or keyboard sequences (e.g. "qwert" or "asdfgh"), all kinds of names (e.g. of friends, colleagues, family members, pets), names of cities and buildings, comic characters, car brands, car registration plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are problematic.
Login data must be kept strictly secret. If a password is nevertheless passed on, for example to enable access to certain data by third parties in an emergency, the password must be changed immediately. For your own protection, it is prohibited to reuse passwords that have already been used.
In addition, your IP address and the time of registration are stored by us as part of the initial registration. This is necessary to ensure the security of our information technology systems. The legal basis for the processing of your data in this case is Art. 6 (1) sentence 1 lit. f GDPR.
2.4 Login data - regular login
In order to be able to log in to the App in the future after the successful initial registration (sec. 2.3), it is regularly necessary to enter your login data. Your login data is encrypted for transmission to the server and cannot be viewed by third parties. You do not have to enter your login data every time you use the App. Instead, your login data is temporarily stored on the end device through the use of a refresh token. However, to prevent unauthorized use of the App by third parties, we recommend that you log out after use and re-enter your access data each time you use the App.
2.5 Use of the App
It is not necessary to enter personal data to use the App. When using the App, only device data of the end device for the grinding process, e.g. coffee used, degree of grinding and grinding time, are transmitted to our servers.
2.6 Crash reports/error message
If you agree to the transmission of a crash report after a system crash of the App or another technical error, the corresponding information will be transmitted anonymously to the developers of the App for the purpose of evaluation.
2.7 Push Notifications, Location-Based Functions
We may send you emails, text messages, push notifications, alerts, and other messages related to the App, such as enhancements, offers, products, events, and other promotions.
After downloading the App, you will be prompted to accept or decline push notifications/alerts. If you choose to decline, you will not receive push notifications/alerts. If you agree, push notifications/alerts shall be sent to you automatically. If you no longer want to receive push notifications/alerts from the App, you can unsubscribe at any time by changing your notification settings on your mobile device.
With respect to other types of messages or communications, such as emails, text messages, etc., you may opt out or unsubscribe by either following the specific instructions contained in such communications or by sending us an email with your request to email@example.com
3. Device data in connection with the use of the grinder
You can connect the grinder to our server (cloud) via your own internet connection. As soon as the grinder has been connected to the cloud and the grinder has an internet connection, the grinder sends device data to the cloud (e.g. grinder status, grind events). The data is provided either on an event-driven basis or at specific intervals (e.g. every hour), depending on the settings. The device data is used by Hemro for statistical purposes and will be visualized in analytics charts and tables. Hemro and Hemro's customers have access to this data, whereby Hemro's customers only have access to the data of the devices in their company.
Please note: Device data is technical data that is generated during the operation of a machine. As such, it is generally not personal data and therefore the GDPR does not apply. However, a personal reference can arise through combination with other data from a source outside of our server if a connection between the grinder and a person can be identified, e.g. through individual use of the grinder by a person at a certain time. The combination and thus the "creation" of a personal reference is the sole responsibility of the specific grinder-user. However, if the user can derive a personal reference from the data from the specific use, this data still has no personal reference for Hemro. If at all, it would then be pseudonymous data for Hemro, the processing of which would be permissible on the basis of a legitimate interest in accordance with Art. 6 (1) sentence 1 lit. f GDPR.
4. Data transmission
We only disclose your personal data to third parties or other recipients if this is necessary for the provision of services, you have given your consent, there is a legal obligation, or the disclosure of data is permitted on the basis of another legal basis. Where necessary, we have concluded agreements with the recipients of your data on commissioned processing in accordance with Art. 28 GDPR. We will only disclose your data to government bodies within the scope of legal obligations or on the basis of an official order or court decision.
5. Data transfer to countries outside the EU
As a general rule, we do not transfer your data to recipients outside the EU. However, if it is necessary for our purposes, we will only transfer your data if it is ensured that the recipient of the data guarantees an adequate level of data protection and no other interests worthy of protection speak against the transfer of data.
6. Duration for which personal data are stored / criteria for determining the duration
We will store your personal data for as long as this is necessary for the aforementioned processing purposes or in case of an objection that no compelling reasons worthy of protection exist for Hemro or in case of a withdrawal of consent if no other legal basis for data processing exists. However, in certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately but will first be blocked.
7. Security measures to protect your personal data
We protect your data against unauthorised access, loss or destruction through technical and organisational measures. Our security measures are continuously improved in line with technological developments. In this context, however, it is important that you operate an active update management in order to always keep the software on your devices up to date. If you are using outdated versions of iOS or Android, for example, some security measures in connection with the App may not be guaranteed.
8. Your rights
Within the framework of the legal requirements, you are in principle entitled to request from Hemro:
- confirmation of whether Hemro is processing your personal data,
- information about this data and the circumstances of the processing,
- correction, insofar as this data is incorrect,
- deletion, insofar as there is no justification for the processing and no (longer) obligation to retain,
- restriction of processing in specific cases determined by law,
- objection in the event of data processing on the basis of Art. 6 (1) sentence 1 lit. f GDPR and
- transfer of your personal data - insofar as you have provided it - to you or a third party in a structured, common and machine-readable format.
If you have given your consent to the processing of your personal data, you have the right to withdraw your consent again at any time. Processing of your personal data will then not be allowed in the future. However, this will not affect the lawfulness of the processing carried out with your consent before you withdrew your consent.
Please address your specific request to our data protection officer in writing or via email, clearly identifying your person:
Data Protection Officer
Finally, we would like to inform you of your right to complain to the supervisory authority.
9. No automated individual decision
We do not use your personal data for automated individual decisions.