We consider it our obligation to work with CleverPush customers to help them prepare for the General Data Protection Regulation (GDPR).
We provide the following resources for our customers, among others:
- Sample passage for data protection declaration for the use of CleverPush
- Order data processing agreement (DPA)
- Possibility of deleting all saved data in the account settings
We take the following measures, among others:
- Customer data is stored within Germany
- Compliance with security standards, HTTPS encryption of all traffic
- Assistance with desired subscription cancellations via our support
1. Data processing agreement
The order data processing agreement must be accepted directly when registering or logging into the dashboard.
2. Text for opt-in message
The text that appears before or next to the opt-in message can be customized in most cases. We provide our customers with a template for this, which can be used in existing channels via the channel settings with a click on Opt-In -> Adjust texts -> Use template. If desired, this pattern can be inserted directly into new channels. The passage is only a sample for our customers, we do not offer any legal advice and do not guarantee the correctness and completeness of the text.
3. Sample passage for data protection declaration
The following passage is only a sample for our customers, we do not offer any legal advice and do not guarantee the correctness and completeness of the text.
Push notifications
You can register to receive so-called push notifications. For this we use the “CleverPush” service, which is operated by CleverPush GmbH, Heidenkampsweg 100, 20097 Hamburg (“CleverPush”).
You will regularly receive information via our push notifications about [Please describe the content of the push notifications in as much detail as possible].
In order to register for the push notifications, you must confirm the request from your browser or end device to receive the notifications. This process is documented and saved by CleverPush. The time of registration and a push token or device ID are stored for this purpose. This data is used on the one hand to be able to send you the push notifications and on the other hand as proof of your registration. The legal basis for this processing is your consent and thus Article 6 (1) (a) GDPR.
CleverPush also statistically evaluates our push notifications. CleverPush can thus recognize whether and when our push notifications were displayed and clicked on. This enables us to determine which push notifications are of interest to recipients in order to tailor future messages to the presumed interests of all recipients and thus increase interest in our offer. In addition to the push token or device ID, we also save the main topic of the app on which the push notifications were activated (e.g. business, sports, etc.). We also use this information to send push notifications to the relevant subscribers that are presumed to be in their interests. The legal basis for the processing is Article 6 (1) (f) GDPR. A push token or device ID is only assigned to a specific person if we are legally obliged to do so, to defend against claims against us, if this is required as evidence, and to prosecute any violations of the law.
You can revoke your consent to the storage and use of your personal data to receive our push notifications at any time with effect for the future. Furthermore, you can object to the use of personal data described above at any time on the basis of Article 6 Paragraph 1 Letter f. Please revoke your consent for this purpose. You can revoke your consent in the settings provided for this purpose for receiving push notifications in the settings of your device or browser.
Your data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Your data will therefore be stored for as long as the subscription to our push notifications is active.
The cancellation process is explained in detail under the following link: https://cleverpush.com/faq.
To accelerate the retrieval of content (e.g. images) and to ward off attacks, CleverPush uses the offers of cloudflare.com, an offer of Cloudflare, Inc., as part of order processing on the basis of the Data Privacy Framework (DPF).
CleverPush does not store any data on Cloudflare’s servers that contain personal data, only general content such as text or images. When you access this content, the end device you are using establishes a connection to Cloudflare and the IP address of the end device you are using is processed as a result.
Push notifications
You can register to receive so-called push notifications. For this we use the “CleverPush” service, which is operated by CleverPush GmbH, Heidenkampsweg 100, 20097 Hamburg (“CleverPush”).
You will regularly receive information via our push notifications about [Please describe the content of the push notifications in as much detail as possible].
In order to register for the push notifications, you must confirm the request from your browser or end device to receive the notifications. This process is documented and saved by CleverPush. The time of registration and a push token or device ID are stored for this purpose. This data is used on the one hand to be able to send you the push notifications and on the other hand as proof of your registration. The legal basis for this processing is your consent and thus Article 6 (1) (a) GDPR.
CleverPush also statistically evaluates our push notifications. CleverPush can thus recognize whether and when our push notifications were displayed and clicked on. This enables us to determine which push notifications are of interest to recipients in order to tailor future messages to the presumed interests of all recipients and thus increase interest in our offer. In addition to the push token or device ID, we also save the main topic of the app on which the push notifications were activated (e.g. business, sports, etc.). We also use this information to send push notifications to the relevant subscribers that are presumed to be in their interests. The legal basis for the processing is Article 6 (1) (f) GDPR. A push token or device ID is only assigned to a specific person if we are legally obliged to do so, to defend against claims against us, if this is required as evidence, and to prosecute any violations of the law.
You can revoke your consent to the storage and use of your personal data to receive our push notifications at any time with effect for the future. Furthermore, you can object to the use of personal data described above at any time on the basis of Article 6 Paragraph 1 Letter f. Please revoke your consent for this purpose. You can revoke your consent in the settings provided for this purpose for receiving push notifications in the settings of your device or browser.
Your data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Your data will therefore be stored for as long as the subscription to our push notifications is active.
The cancellation process is explained in detail under the following link: https://cleverpush.com/faq.
To accelerate the retrieval of content (e.g. images) and to ward off attacks, CleverPush uses the offers of cloudflare.com, an offer of Cloudflare, Inc., as part of order processing on the basis of the standard contractual clauses.
CleverPush does not store any data on Cloudflare’s servers that contain personal data, only general content such as text or images. When you access this content, the end device you are using establishes a connection to Cloudflare and the IP address of the end device you are using is processed as a result.
Information via Facebook Messenger
You can revocably register to receive messages via Facebook Messenger at any time. You will regularly receive messages about [Please describe the content of the push notifications in as much detail as possible].
For this functionality, we use the “CleverPush” service, which is operated for us by CleverPush GmbH, Heidenkampsweg 100, 20097 Hamburg (“CleverPush”) as a processor. In order to be able to send you the messages, we process a user ID that the operator of Facebook Inc. makes available to us. We ourselves cannot identify you via this ID. The legal basis for the processing is Art. 6 Para. 1 a) GDPR with your consent.
We do not statistically evaluate how often links in the messages we send are clicked on. This enables us to determine which information is of interest to the recipients in order to tailor future messages to the presumed interests of all recipients and thus increase interest in our offer. In addition to the user ID, we also save the main topic of the page on which the notification was activated (e.g. business, sports, etc.). We also use this information to send messages to the relevant subscribers that are presumed to be in their interests. The legal basis for the processing is Article 6 (1) (f) GDPR.
You can revoke your consent to the storage and use of your personal data to receive our news at any time with effect for the future. Furthermore, you can object to the use of personal data described above at any time on the basis of Article 6 Paragraph 1 Letter f. For this purpose, please revoke your consent to receive the messages via the messenger you are using.
The cancellation process is explained in detail under the following link: https://cleverpush.com/faq.
Information via Telegram Messenger
You can revocably register for receiving messages via Telegram Messenger at any time. You will regularly receive messages about [Please describe the content of the push notifications in as much detail as possible].
For this functionality, we use the “CleverPush” service, which is operated for us by CleverPush GmbH, Heidenkampsweg 100, 20097 Hamburg (“CleverPush”) as a processor. In order to be able to send you the messages, we process a user ID that the operator of Telegram Messenger Inc. makes available to us. We ourselves cannot identify you via this ID. The legal basis for the processing is Art. 6 Para. 1 a) GDPR with your consent.
We do not statistically evaluate how often links in the messages we send are clicked on. This enables us to determine which information is of interest to the recipients in order to tailor future messages to the presumed interests of all recipients and thus increase interest in our offer. In addition to the user ID, we also save the main topic of the page on which the notification was activated (e.g. business, sports, etc.). We also use this information to send messages to the relevant subscribers that are presumed to be in their interests. The legal basis for the processing is Article 6 (1) (f) GDPR.
You can revoke your consent to the storage and use of your personal data to receive our news at any time with effect for the future. Furthermore, you can object to the use of personal data described above at any time on the basis of Article 6 Paragraph 1 Letter f. For this purpose, please revoke your consent to receive the messages via the messenger you are using.
The cancellation process is explained in detail under the following link: https://cleverpush.com/faq.
Technical and organizational measures according to Art. 32 DS-GVO
The measures described below are the measures we have taken. These are supplemented by the measures taken by our subcontractors. The processing commissioned by the customer takes place mostly or exclusively with these sub-service providers. Therefore, the measures taken by our subcontractors must always be included in the assessment of the security of the processing.
1. Confidentiality (Art. 32 Para. 1 lit. b GDPR)
1) Access control
1.1) The following measures implemented by us prevent unauthorized persons from having access to the data processing systems:
- Manual locking system
- security locks
- Securing the building shafts
- Doors with knob outside
- Key regulation / list
- Careful selection of security guards
- Care in selecting cleaning services
1.2) The following measures implemented by our sub-processors prevent unauthorized persons from having access to the data processing systems:
- Electronic access control system with logging
- High-security fence around the entire data center park
- Documented allocation of keys to employees and colocation customers for colocation racks (each customer exclusively for his colocation rack)
- Guidelines for escorting and tagging guests in the building
- 24/7 staffing of the data centers
- Video surveillance at the entrances and exits, security locks and server rooms
2) Access control – The following implemented measures prevent unauthorized persons from having access to the data processing systems.
- Personal and individual user log-in when registering on the system or company network
- Authorization process for access rights
- Authorized User Limitation
- Single Sign On
- Additional system log-in for certain applications
- firewall
3) Access Control – The following implemented measures ensure that unauthorized persons do not have access to personal data.
- Management and documentation of differentiated authorizations
- Conclusion of contracts for order data processing for the external care, maintenance and repair of data processing systems, provided that the processing of personal data is the subject of the service for remote maintenance.
- Evaluations/logging of data processing
- Authorization Process for Permissions
- Approval routines
- Profiles/roles
- Measures to prevent unauthorized copying of data to data carriers that can be used externally (e.g. copy protection, blocking of USB ports, “Data Loss Prevention (DLP) system”)
4) Separation control – The following measures ensure that personal data collected for different purposes are processed separately.
- Access permissions by functional responsibility
- Separate data processing through differentiated access regulations
- Multi-client capability of IT systems
- Use of Test Data
- Separation of development and production environment
2. Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)
The processing of personal data takes place in such a way that the data can no longer be assigned to a specific data subject without consulting additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
3. Integrity (Art. 32 Para. 1 lit. b GDPR)
1) Transfer control – It is ensured that personal data cannot be read, copied, changed or removed without authorization during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. To ensure this, the following measures have been implemented:
- Encryption of email or email attachments (e.g. WinZip)
- Encryption of the storage medium of laptops
- Secure file transfer (e.g. sftp)
- Secure data transport (e.g. SSL, ftps, TLS)
- Electronic signature
- Secured WiFi
2) Input control – The following measures ensure that it can be checked who processed personal data in data processing systems and at what time.
- Access rights
- System-side logging
- Document Management System (DMS) with change history
- Security/Logging Software
- Functional responsibilities, organizationally defined responsibilities
- Multiple eyes principle
- “Data Loss Prevention (DLP) System”
4. Availability and resilience (Art. 32 Para. 1 lit. b GDPR)
Availability control and resilience control – The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client.
- Security concept for software and IT applications
- back-up procedure
- Storage process for back-ups (fireproof safe, separate fire compartment, etc.)
- Ensuring data storage in the secured network
- Needs-based import of security updates
- Disk mirroring
- Setting up an uninterruptible power supply (UPS)
- Air-conditioned server room
- Virus protection
- Firewall
5. Procedure for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR; Art. 25 Para. 1 GDPR)
1) Data protection management – The following measures are intended to ensure that an organization that meets the basic data protection requirements is in place:
- Internal Privacy Policy
- Guidelines/instructions to ensure technical and organizational measures for data security
- Obligation of employees to data secrecy
- Adequate training of employees in data protection matters
- Keeping an overview of processing activities (Article 30 GDPR)
- Carrying out data protection impact assessments, if necessary (Article 35 GDPR)
2) Incident Response Management – The following measures are intended to ensure that reporting processes are triggered in the event of data protection violations:
- Reporting process for data protection violations according to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)
- Reporting process for data protection violations according to Art. 4 No. 12 GDPR towards those affected (Art. 34 GDPR)
6. Data protection-friendly default settings (Article 25 (2) GDPR)
1) The default settings must be taken into account both in the standardized default settings of systems and apps and when setting up the data processing procedures. In this phase, functions and rights are specifically configured, the admissibility or inadmissibility of certain inputs or input options (e.g. free texts) is determined with regard to data minimization and the availability of user functions is decided (e.g. with regard to the scope of processing). Likewise, the type and scope of personal reference or anonymization (e.g. in the case of selection, export and evaluation functions that can be defined and preset or made available in a freely configurable manner) or the availability of certain processing functions, logging, etc. fixed.
7. Order Control
The following measures ensure that personal data can only be processed in accordance with the instructions.
- Agreement on order processing with regulations on the rights and obligations of the contractor and client
- Process for issuing and/or following instructions
- Determination of contact persons and/or responsible employees
Subprocessors
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
– Hosting of the servers used by the contractor - Amazon Web Services EMEA Sàrl, 5 Rue Plaetis L-2338 Luxembourg
– Hosting of the servers used by the contractor - CloudFlare, Inc., San Francisco, US (HQ) 101 Townsend St, San Francisco, USA
– Content Delivery Network provider - proinity LLC, Färberstrasse 9, 8832 Wollerau, Switzerland
– Content Delivery Network provider - MongoDB Inc., Building Two, Number One Ballsbridge Dublin 4, Ireland
– Hosting of the databases