DATA PRIVACY POLICY

In the following, we inform you about the type, scope and purpose of the processing of your personal data when using the evoach web application. Personal data is any information relating to an identified or identifiable natural person.

§ 1 - Controller

The controller ("Controller") within the meaning of the EU General Data Protection Regulation (GDPR) is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. The controller within the meaning of the GDPR for the personal data we process is:

evoach GmbH

Haid-und-Neu-Strasse 7

76131 Karlsruhe

Phone +49 (0) 171 2918067

E-mail team@evoach.com

(hereinafter referred to as "evoach").

§ 2 - Internal data protection officer, data protection authority

(1) evoach has appointed Ms Anke Paulick as its internal data protection officer.

(2) The data protection authority locally responsible for evoach is

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

P.O. Box 10 29 32, 70025 Stuttgart

Königstraße 10a, 70173 Stuttgart

Tel.: 0711/61 55 41 - 0

Fax: 0711/61 55 41 - 15

E-mail: poststelle@lfdi.bwl.de

Internet: https://www.baden-wuerttemberg.datenschutz.de

§ 3 - Registration and use of the app

(1) Users can register as coachees or coaches for the use of the evoach web applications. The web applications are hereinafter uniformly referred to as "web app", as all subsequent information applies to both apps.

(2) Registered users who use the web app are hereinafter referred to as “users”, “coaches” or “coachees”. As a user, you can only use the web app after registering. In order to register, it is necessary that you provide the following information about yourself in the app: First name, last name and email address. You cannot register for the webapp without providing this information.

(3) Users can additionally provide personal data as part of the onboarding process after registration for a better user experience, such as preferred language, desired coaching topics, profile picture, etc., which will be stored in their user profile and coaching sessions.

(4) Coachees go through the actual coaching process in protected chat rooms accessible only to them. The chat transcripts are only available to the user and are accessible via the web app. The coachee decides for him/herself whether to share the chat transcripts with his/her coach.
with their coach. In addition, the coachee can delete his/her data independently.
The coachee's data will never be made available to the employer, unless the coachee actively shares it himself with another person.

(5) evoach may make copies of the coaching sessions. In this case, all personal data will be removed from the copies and any personal information will be pseudonymised (such as names given to the chatbot). This means that the copies of the sessions as well as the content can no longer be traced back to the original content and persons. The copies are used to analyse usage and improve the service.

(6) Registration data and user profile are not automatically deleted by default so that users always have access to their chat logs. Data of users who have purchased a licence will be kept for the duration of the legal period.

(7) In addition to the protected chatbots described above, which are only accessible after registration, chatbots can also be made accessible without registration and integrated into coaches' websites, for example. The data of these public chatbot sessions are not protected by username and password. In these public chatbots, the coachee shares data with the coach who created the chatbot.

§ 4 - Contacting by email

(1) If you contact evoach by email, your message will be processed together with your contact details (your name, email address and any other information).

(2) This data processing is based on evoach's legitimate interest in processing your request and any follow-up messages (Article 6(1)(f) GDPR).

(3) Data transfer between mail servers is encrypted as long as your email provider supports encryption.

§ 5 - Processors and recipients of personal data

(1) Processors under Article 28 GDPR.

(a) For the operation of our website on the Internet, evoach uses services of the following service provider: Wix.com.

(b) To receive, store and send emails, evoach uses services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

(c) For the processing of personal customer data (not coaching sessions) and mailings as part of marketing measures, evoach uses software services from Mailchimp, encharge.io and Pipedrive.
This may involve the transfer of personal data to the USA, a third country for which there is no adequacy decision by the European Union Commission. The data transfer therefore takes place in accordance with Article 46 par. 2 GDPR on the basis of the EU standard contractual clauses.
The orchestration of the data between the services is automated via tools from the company zapier.com. However, no data is stored there.

(d) Our web apps for coachees and coaches are made available via Amazon Web Service (AWS). Only servers hosted in Frankfurt are used for this. The web apps store both the chatbots and the coaching session data.
(e) Access to the web apps is protected by login and password. An identity management system from intension GmbH is used for registration and login. The user's first name, last name, e-mail and password are stored there. The servers are located exclusively in Germany.

(f) Chatbots can use interfaces of external services whose functions work on the basis of artificial intelligence (Large Language Models, etc.). For this purpose, chat data is sent to OpenAI, i.e. the data is transferred to the USA. The data is sent anonymously. OpenAI cannot assign the data to any person registered with evoach.

§ 6 - Your rights

(1) In relation to your personal data processed by evoach, you have the following rights:

(a) To obtain confirmation as to whether evoach is processing personal data relating to you. If yes, evoach will inform you about the personal data held about you and the further information pursuant to Article 15 para. 1. 1 and 2 GDPR.

(b) To have your inaccurate personal data rectified or incomplete data completed without undue delay.

(c) To request the erasure of your personal data without undue delay under the conditions of Article 17 para. 1 GDPR, to the extent that its processing is not necessary under Article 17 para. 1 GDPR.

(d) To request the restriction of the processing of your data if one of the requirements of Article 18(1) GDPR is met. In particular, you may request restriction instead of erasure. evoach will communicate any rectification or erasure of your personal data to all recipients to whom your personal data has been disclosed, unless this proves impossible or disproportionately burdensome.

(e) To preserve the personal data you provide to evoach in a structured, commonly used and machine-readable format.

(f) To the extent that any data processing is based on consent given by you, to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the data processing based on the consent prior to its withdrawal.

(g) To object at any time to the processing of your personal data; this right applies to processing pursuant to Article 6(1)(f) DPRG which is necessary for the purposes of the legitimate interests pursued by evoach or by a third party, except where such interests are overridden by your interests or by the fundamental rights and freedoms of the data subject which require the protection of personal data. If you exercise your right to object, evoach will no longer process the personal data concerned unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. This applies in particular to the use of your personal data for marketing purposes, with the consequence that evoach will no longer process your data for these purposes.

(2) If you consider that the processing of your personal data infringes the GDPR, you may lodge a complaint with a supervisory authority, in particular in the Member State where you have your habitual residence, your place of work or the place of the alleged infringement. This does not exclude other administrative or judicial remedies.