Date: October 12, 2023

General 

We would like to inform you about how we handle your data as well as personal data, including third party data, when you use our services. This privacy statement applies solely to the processing of your data in connection with our online web app (“textada”) accessible at textada.space and subdomains thereof. Please note that this statement does not apply to our website at textada.com and textada.org or to the services and marketing functions offered on these domains and subdomains. 

The responsible body for data processing is: 

textada Project, Felix Hamborg, Moritz Bock, Franziska Weeber 
University of Konstanz 
PO Box 712 
78457 Konstanz
Germany  
Phone +49 7531 88 4805  
E-mail: data-protection@textada.com 

Our privacy policy 

  1. Any personal data you provide to us will be treated by us as strictly confidential and will be stored and used solely for the purpose of this application.  
  1. In doing so, we always ensure that we comply with the applicable data protection laws and treat your data carefully and responsibly.  
  1. We do not sell or rent your personal information to third parties.  
  1. In addition, we always use state-of-the-art security technologies to protect your data from misuse. 

Definitions 

textada/we/us/… – The aforementioned data controller. 

App/Web App/Web App/Services – The online application we provide under a subdomain of textada.space, for example [yourspacename].textada.space, for AI-assisted annotation of text documents. 

Project data – All data entered or imported by you in our app and data created with the app, which is among others: 

  • The texts you enter and any other document data you upload or create, such as text files and PDF files
  • Categories and related information such as keywords  
  • Manually created annotations 
  • Automatically created annotations and their status, such as whether you marked them as correct or incorrect 
  • When creating a project via QDPX import: names of the annotators present in the QDPX file and any other information contained in the QDPX file

Data collection and storage 

To use our services, you need a password-protected user account for which we store your access data on our own servers. If you conclude a free (e.g. as part of a promotional campaign) or paid contract for AI-assisted annotation of text documents with us, we collect and store personal data from you that we require for the execution and billing of the contract, such as your name, your e-mail address, your address and your bank details for order confirmation or invoicing. 

When you call up our webapp, a connection is established with our server. Our server collects and stores the following data: 

  • The access paths of the pages, 
  • the time of the connection establishment,
  • your IP address at this time,
  • your login status, and 
  • project data.

To enable or facilitate the use of our products, data may be stored on your computer as “cookies”. We do not use this data to identify  or contact you. Personal data is collected and stored in accordance with data protection regulations. Further personal data is only collected on a voluntary basis, e.g. when you contact our customer support (see also “Support” below). 

We secure all data entrusted to us with the highest security and best possible protection in accordance with our technical and organizational safeguards. Our technical and organizational measures to protect your data are listed below in this privacy policy. 

When entering data in our app, you may also enter personal data as well as personal data of third parties. It is also possible that while entering your data you may also enter sensitive personal data in the sense of Art. 9 DSGVO, such as information about your health or religious beliefs, or such data about third parties. By entering such data, you agree that we may also collect and store such data to enable you to use our service in accordance with the contract. You also confirm to us that you have the right to enter such data into our system and have it processed by textada in accordance with our contract performance and privacy policy.  

Personal data and their intended use 

To enable you to access our service, we store your access data. The processing of your data during registration is based on your consent pursuant to Art. 6 para. 1 lit. a DSGVO. If you create an account, we may send you tips and information on similar products and services from textada by e-mail. If you no longer wish to receive these emails, you can object at any time, e.g. by clicking on the link at the end of each email. We use your personal data to provide our contractual services, billing for the service, individual product support and, if requested, for our newsletters and product information. We do not disclose your personal data to third parties without your consent, except to our service providers who need your data to process the contract (e.g. payment service providers). We will otherwise only pass on your data if we are legally obliged to do so or if it is necessary for the assertion and enforcement of our rights and claims.  

Our App allows you to enter any text data. As described above, you are required to ensure that you are allowed to enter the data you enter into and process with our App under the circumstances and measures described in this document. This applies in particular to personal data of third parties as mentioned before.  

Security and confidentiality 

Your project data is stored on our server in a specially protected area. We use technical and organizational security measures to ensure the highest possible security against unauthorized access, loss, destruction or manipulation of your data. The security of your use also depends on the quality and security of your password. We will delete all project data stored on our server no later than six months after the end of the usage contract, but we reserve the right to delete this data immediately after the end of the contract. You can delete your project data at any time by using the corresponding “Delete Project” or “Delete Document” functions in the app. If you wish to have your data deleted, you can notify us by email and we will delete your data immediately. Technically, your data cannot be deleted from our backups, but according to our Terms and Conditions, they will be deleted after a certain time at the latest. If we restore a backup that contains data of yours that you had already instructed to be deleted, we will immediately delete this data from the restored data. textada is only used via a secure internet connection (SSL/HTTPS), which is indicated by a lock symbol in the web browser. 

Technical and organizational security measures (TOMs) 

We have implemented a large number of technical and organizational security measures in line with the current state of technology and security. These can be found in the document Technical and Organizational Security Measures. 

Cookies use  

To optimize our service and provide our customers with a better user experience, we use cookies and similar technologies. These text files store information about the visit to a website and are stored by the browser on the user’s computer. Cookies can store, for example, language settings or login status to enable and facilitate the use of our webapp. Some cookies are absolutely necessary for the operation of the webapp, for example to save the login status, while others evaluate user behavior. 

Cookie types 

We may use the following types of cookies: 

  • Permanent cookies: Certain cookies that we use are stored permanently on the user’s device, even after the browser has been closed. For example, these cookies allow us to save the login status so that you do not have to log in again. 
  • First-party cookies: First-party cookies are set by us. 
  • Necessary (absolutely required) cookies: Cookies may be absolutely necessary for the operation of our web app, for example to save your login status. 
  • Optional cookies, e.g. for statistics: Such cookies are optional and are only used after your consent. They help us understand how users use our app. We use this information to improve our software. 

Legal basis  

The processing of personal data by means of technically necessary cookies is based on Art. 6 para. 1 lit. b, c and f DSGVO. 

The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 (1) lit. a DSGVO if the user has consented to this.  

Duration of storage 

As a user, you have the possibility to control the use of cookies. You can disable or restrict the transfer of cookies by changing the settings in your internet browser. Cookies that have already been stored can be deleted manually or automatically at any time. Please note that if cookies are deactivated, it may not be possible to fully use all the functions of our website. 

Cookie consent and objection 

For technically unnecessary cookies, we request your consent before activation. 

International data transfer 

With the exception of any embedded media as described in “Integration of third-party services and content”, we do not have any international data transfer. Your data and in particular all project data is as described in this statement in Germany or the EU area. 

Integration of third-party services and content 

It is possible that third-party content, such as videos from YouTube or graphics from other websites, may be embedded in our web app. In this case, it is necessary for the providers of this content (hereinafter referred to as “third-party providers”) to collect the IP address of the user in order to be able to send the content to the browser of the respective user. The IP address is thus required for the display of this content. We endeavor to only use content where the respective providers use the IP address exclusively for the delivery of the content. However, we have no influence on whether the third-party providers store the IP address for statistical purposes, for example. 

Legal basis and your rights 

Legal basis for the processing of your personal data 

The processing of your personal data by us is mainly based on the necessity for the performance of contracts (Article 6(1)(b) DSGVO), as is the case, for example, with the provision of services. This also applies to processing operations that are necessary for the performance of pre-contractual measures, such as in the case of inquiries about our services. 

We also process personal data on the basis of legal obligations, such as tax regulations. In addition, we rely on explicit consents (Article 6(1)(a) DSGVO) from you or third parties to process personal data. These consents are given through voluntary declarations. 

Right of access, rectification, erasure, restriction of processing 

You can request information about your data stored with us or correction, blocking and deletion of your stored data and its processing free of charge at any time. If a deletion is contrary to legal, contractual or commercial or tax retention periods or other legally anchored reasons, your data will not be deleted, but restricted for further processing. To do so, please contact us via: 

– in writing to: textada Project, Felix Hamborg, University of Konstanz PO Box 712, 78457 Konstanz, Germany 
– by e-mail at: data-protection@textada.com 

Right of revocation 

You have the right to object to the processing of your personal data at any time. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the assertion, exercise or defense of legal claims. This right also includes the right to revoke your consent under data protection law that you have given us for the processing of your data at any time. 

Right to data portability 

You have the right to receive and transmit the personal data concerning you, which you have provided to us and whose processing is based on consent or a contract and is carried out with the help of automated processes, in a structured, common and machine-readable format.  

Duration of the storage of personal data 

The deletion of data takes place within the framework of the statutory retention obligations and periods, taking into account the purpose limitation. The commercial or tax data of a completed fiscal year will be deleted in accordance with the legal regulations after ten or six years, unless longer retention periods are prescribed or required for legitimate reasons. Shorter deletion periods are applied in special areas (e.g. in case of longer inactivity on your part). If data is not affected by this, it will be deleted when the aforementioned purposes cease to apply. 

Right to complain to a supervisory authority 

If you believe that the processing of personal data concerning you violates applicable data protection law, you may exercise the right to lodge a complaint with a supervisory authority. 

Need to collect their personal data 

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner). It is usually necessary for the conclusion of a contract that you provide us with personal data, which will subsequently be processed by us. Failure to provide the personal data would mean that the contract with you could not be concluded. 

No automated decision making, no profiling 

As a responsible company, we do not use automatic decision-making or profiling. 

Order processing according to Art. 28 DSGVO 

If you use us as a processor in accordance with Article 28 of the General Data Protection Regulation (GDPR) and transfer personal data from third parties to us, you are obliged under the GDPR to ensure data security by means of an order processing agreement (OPA). We will only act as an order processor if you store third party data on our servers, e.g. by entering the third party data in textada. We would like to support you in this and will gladly send you our standardized AVV upon written request to data-protection@textada.com. 

Product development 

This point only applies if you have explicitly agreed to this during the ordering process by confirming with the checkbox “Product development” (so-called opt-in). 

To improve the performance of our automatic annotation prediction system, we may analyze your project data and use it for product development. For example, textada employees may use manual and automatic analysis methods to determine insights about the nature of the project. In particular, we use this to determine and prioritize which product features we will implement and when. Another core purpose under your consent to use project data for product development is to use your project data to train and evaluate machine learning methods (colloquially referred to as Artificial Intelligence or AI; hereinafter ML Methods). For example, we may use your project data to develop or improve ML methods, such as by training ML methods with your project data. This could benefit you or other customers in the future, for example when less manual annotations are needed, since our ML Methods achieve a higher accuracy in predicting annotations from the outset due to the training described before. 

According to the current state of research, there is a possibility that current ML methods can reveal information about the data used for their training. The following example gives an overview of such a situation: customers 1, 2 and 3 agree to product development. We train an ML method with their project data. This will be used by customer 4. It would be possible that customer 4 gets annotations suggested with certain categories that occurred in the project data of customer 1, 2 or 3, even if these categories do not occur in the project of customer 4. We have implemented organizational and technical measures to prevent this. For example, we test our models for so-called false positives and biases, i.e. when category suggestions cannot actually be derived from the project data at hand. Nevertheless, as a precautionary measure, we would like to point out that information disclosure cannot be completely ruled out.  

Only give your consent to the item “Further product development” if you expressly agree to these circumstances. Do not give your consent in any case if your project data are special categories of personal data according to Art. 9 GDPR, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation. 

You can revoke your consent in writing at any time. For technical reasons, however, a revocation cannot be considered retroactively. Specifically, this means that even after revocation, we may carry out all the above purposes for the project data entered or created up to the time of revocation. However, as of receipt of your revocation, we will no longer use any new project data for the above-mentioned purposes. 

Mautic

Our app uses Mautic (https://www.mautic.org/), an open source web analytics platform. It helps us to understand how we can improve the app by providing app-related behavior data. The data processing corresponds to our legitimate interest according to Art. 6 para. 1 lit. f DSGVO. If you already have consented or will consent to your data being processed with Mautic in multiple of our websites or apps, e.g., by registering for our newsletter, purchasing or using a product, we may integrate information coming from these sources.

We only process the analytics data generated with Mautic from users who have explicitly given their consent to this privacy policy. We also guarantee that this data will not be shared with third parties. Never are any of your documents or other project-related data you create or process in our app sent to or processed with Mautic.

The data collected by Mautic essentially includes a narrowly defined set of user actions in our app, such as clicking the predict button or opening the documentation. Mautic’s data collection and use is limited to what is necessary to conduct our business with respect to you.

Hotjar

We use Hotjar to better understand the needs of our users and to optimize the offering and experience in our app. It should be noted that CrazyHotjar also processes data in the USA. In accordance with the opinion of the European Court of Justice, data transfer to the USA does not currently provide sufficient protection.

Using Hotjar’s technology, we get a better understanding of our users’ experiences (e.g., how much time users spend on which pages, which links they click, what they like and dislike, etc.) and this helps us tailor our offerings to our users’ feedback. Hotjar works with cookies and other technologies to collect data about our users’ behavior and about their devices, in particular IP address of the device (collected and stored only in anonymized form during your website use), screen size, device type (Unique Device Identifiers), information about the browser used, location (country only), language preferred to use our app. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

As a basis for data processing with recipients in third countries (i.e. those that are not part of the European Union, Iceland, Liechtenstein or Norway, in particular the USA) or for the onward transfer of data there, Crazy Egg makes use of so-called standard contractual clauses (Article 46, paragraphs 2 and 3 of the GDPR). These standard contractual clauses (SCC) provided by the EU Commission are intended to ensure that your data comply with European data protection standards, even if they are transferred to and stored in third countries (for example, the USA). By using these clauses, Crazy Egg commits to comply with European data protection standards even if your relevant data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. The decision and the associated standard contractual clauses can be found here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.

For more information about the standard contractual clauses and the data processed through the use of Hotjar, please see the Privacy Policy at https://www.hotjar.com/legal/policies/privacy/de/.