Platform Privacy Policy

Our privacy policy outlines how we handle personal data when using our sales productivity software Weflow (the web application, backend services, and the chrome extension together "Weflow"). We consider the protection of your privacy to be of paramount importance. For this reason, compliance with the legal requirements on data privacy is, for us, a matter of course.
‍
‍
Contact
Weflow GmbH
Oranienburger Str. 1 - 3
10178 Berlin
Germany
Email: privacy@getweflow.com
‍
‍
Personal Data
Personal data refers to any information about personal or factual circumstances of an identified or identifiable person. This includes information and details such as your name or your email address. Personal data are referred to herein as “Data”.
‍
‍
What data we collect when using Weflow
The Data listed below are collected through Weflow in different circumstances (e.g. sign up or general usage).When you participate in a session via Weflow as a registered user, we collect the following Data:
‍
- IP Address
- JWT Token
‍
When you participate in a session via Weflow as a non-registered user, we only collect the following data when you visit our login or sign up page:
‍
- IP Address
- Session ID
‍
When you agree to sign up for Weflow using your Salesforce credentials (Salesforce SSO) and agree to this Privacy Policy and the General Terms and Conditions, we collect the following Data:
‍
- IP Address
- User Agent
- Email address (the one used for Salesforce)

When you allow Weflow to read your Google Workspace or Gmail emails by connecting the Weflow App via the Google API Service to our application:

- Email address (Google Workspace or Gmail)
- All emails in all folders or labels incl.
- All email headers (e.g. sender, recipients, subject)
- Email content
- All events in subscribed Google Calendars
- Event description
- Event participants
‍

Legal Basis
Your Data are handled according to the following legal provisions:

- With regard to services you use for the performance of a contract, Art. 6(1)(b) of the GDPR; and/or
- Otherwise, with particular regard to log personal data we collect while you are using the Weflow service, on legitimate interests, Art. 6(1)(f) of the GDPR (see above);
- Otherwise, with particular regard to statistical data and online identifiers (Third-Party-Services) with your consent, Art. 6(1)(a) of the GDPR and/or
- In the event of Data being passed on to Third Parties for the purpose of extending the service with add-ins (e.g. Google API Service), etc. with your consent, Art. 6(1)(a) of the GDPR.

‍
Legitimate Interests
When handling your Data, we pursue the following legitimate interests:
- To improve the offering;
- To make it more user-friendly;
- To identify and resolve errors;
- To control server workloads; and/or
- To protect against fraud.

Data Sources
Unless otherwise specified, we obtain the Data from you (including via devices used by you).‍
‍
‍
Data Transfer to Third Countries
Data is transferred to third countries outside the European Union. This is done on the basis of contractual regulations stipulated by law that ensure appropriate protection of your data and that are available for you to review on request.If individual third-party services are subsidiaries of companies from the USA, we cannot guarantee that the US authorities will not access the subsidiaries' data on the basis of the US CLOUD Act. We have taken all possible measures to avoid such access and will cease cooperation with the respective third-party service if we become aware of the disclosure of our data due to the US CLOUD Act.
‍
‍
Retention Period
We retain your Data,

- If you have consented to this as part of the processing, until such time as you withdraw your consent;
- If we need the data to undertake an agreement until such time as the contractual relationship with you ceases or legal retention periods expire; and/or
- If we use the data on the basis of a legitimate interest, until such time as your overriding interest obliges us to delete or anonymise them.

‍
Purposes of Use
Data will only be collected by us to the extent and for the purpose for which you provide the Data to us, e.g. for registration or the use of Weflow functions.

‍
Connections to other services  
You have the possibility to use and integrate various services, such as email inboxes, within the scope of using Weflow. Please note that in case of integration of different services, the Data may be disclosed to the Third-Party. In this case, the data protection provisions of the individual service apply.

‍
Third-Party Services
We use various Third-Party-Services to improve Weflow and to improve the user experience as described below.
‍
HubSpot
We use HubSpot, provided by HubSpot, Inc.; Address: 25 First Street, Cambridge, MA 02141 USA, as a marketing platform to reach our customers, understand how they interact with our communications and other content, and to customize marketing based on our users’ interests. Furthermore, Weflow uses HubSpot to provide free digital resources (e.g., templates, e-books, checklists, etc.) to potential users in return for their contact information, which is captured through email forms with a confirmed opt-in process. Subsequently, this contact information is used to engage the potential users with informational (educational) and marketing (promotional) emails. For more information, please refer to HubSpot’s privacy policy: https://legal.hubspot.com/privacy-policy
‍
Amplitude
We use Amplitude, an analytics service, provided by Amplitude Inc., 501 2nd Street, Suite 100 San Francisco, CA 94107, USA, to better understand and optimize behavior when using Weflow. Amplitude Inc. stores data in the form of generic IDs including timestamp and numerous other information, such as user ID, platform, device type, app version, geo-information, possibly the mobile provider, the device language or browser details. This data does not constitute personally identifiable information for Amplitude Inc. IP addresses are not stored. Furthermore, Amplitude Inc. is not aware of any other data that could enable Amplitude to identify you. Amplitude Inc. is certified under the US-EU Privacy Shield. For more information, please refer to Amplitude's privacy policy: https://amplitude.com/privacy

Hotjar
We use Hotjar, a web analytics service. The provider is Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (website: https://www.hotjar.com).Hotjar is a tool used to analyse your user behaviour on Weflow. Hotjar allows us to record your mouse movements, scrolling movements and clicks, among other things. Hotjar can also determine how long you have remained with the mouse pointer on a particular spot. From this information, Hotjar creates so-called heat maps, which can be used to determine which white areas are viewed preferentially by the website visitor.Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you abandoned your input in a contact form (so-called conversion funnels).In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator's web offerings.Hotjar uses cookies. Cookies are small text files that are stored on your computer and saved by your browser. They serve to make our offer more user-friendly, effective and secure. In particular, these cookies allow us to determine whether Weflow has been visited with a specific end device or whether the functions of Hotjar have been deactivated for the browser in question. Hotjar cookies remain on your terminal device until you delete them.You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. When deactivating cookies, the functionality of this website may be limited.For more information, please refer to Hotjar's privacy policy: https://www.hotjar.com/legal/policies/privacy/
‍
Nylas
In Weflow we use Nylas’ Email API software (https://developer.nylas.com/docs/connectivity/email/) to connect to your Google Workspace or Gmail email account. Nylas is only used if you have provided us with explicit access to your email account (see “Use of Google API Services”).For more information, please refer to Nylas’ privacy policy: https://www.nylas.com/privacy-policy/‍
‍
Segment
In Weflow we use the software of Segment.io, Inc. 101 15th St San Francisco, CA 94103 USA.
Data is collected and stored, from which usage profiles are created using pseudonyms. These usage profiles are used to analyze visitor behavior and are evaluated to improve our offer. Cookies can be used for this purpose, which enable recognition when our website is visited again. The pseudonymized usage profiles are not combined with personal data about the bearer of the pseudonym without a separate, explicit consent.For more information, please refer to Segment's privacy policy: https://segment.com/docs/legal/privacy/
‍
Sentry
We use the web analytics service Sentry. The service is offered by Functional Software, Inc, 132 Hawthorne St, San Francisco, CA 94107. The service collects and stores data created from anonymized usage profiles. These are used exclusively for the analysis of error cases and the monitoring of system stability. Cookies are used for this purpose. Cookies are small text files that are stored locally on your computer and thus enable recognition when you visit the site again. You can object to the data collection and storage by Sentry at any time with effect for the future by deactivating the cookies in the browser settings. For more information, please refer to Sentry's privacy: https://sentry.io/privacy/
‍
ProductFruits
In order to advertise new features and allow customers to provide feedback, as well as to provide guides for onboarding to the Weflow software, Weflow makes use of Attn: Product Fruits s.r.o, Rozdelovska 1999/7, 169 00, Praha 6, Czech Republic (EU). The following data is processed: Anonymous ID, browser, language, country, email address, pixel width and height, IP, operating system and device type. The scope of IP processing is limited to determine the country code of the country of origin for identifying all users. Storage period of the data: The processed data remains with Weflow until a customer requests us to delete it, revoke consent to store it, or the purpose for storing the data no longer applies. Mandatory legal provisions – in particular legal retention periods – remain unaffected. Weflow has concluded a contract with ProductFruits in which we oblige ProductFruits to protect customer data and not to pass it on to third parties. The processing is based on the standard contractual clauses.For more information, please refer to ProductFruit’s privacy policy: https://productfruits.com/policies/privacy


Use of Google API Services:
‍
Google API Services Disclosure
Weflow’s use of Data / Information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements:

We use Google’s Application Programming Interface (API) Services - specifically the People API and the Gmail API - to access your Google Workspace or Gmail email account.

Our use of information and Data received from Google APIs (“Google API Services Data”) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.


Types of Data Collected with Google API Services
We are collecting and using the following Google API Services Data:

Via the Google People API
- Email address (Google Workspace or Gmail)
- Your personal info, including any personal info you've made publicly available


Via the Google Gmail API
- Email labels
- All emails in all folders or labels incl.
- All email headers (e.g. sender, recipients, subject)
- Email content

Via the Google Calendar API
- Calendar labels
- All calendar events of subscribed calendars
- Event description
- Event participants
‍
‍
Use of Google API Services Data
Google Workspace/Gmail users can connect their account to Weflow. We then regularly read all new emails and calendar events and try to link them to objects in Salesforce (a software to manage customer relationships) - e.g. an email or calendar event might be linked to an existing Opportunity in Salesforce.

Our policies and procedures define requirements that prohibit the unauthorized use of Google API Services Data within Weflow.

In order to perform improvement to Weflow, we may need to share your Google API Services Data with other development team members; however, Weflow policies require that this type of sharing only be performed

(a) when necessary to provide or improve user-facing features that are prominent from the requesting app’s user interface,
‍
(b) to comply with applicable laws, or
‍
(c) as part of a merger, acquisition or sale of assets of Weflow. All other transfers or sales of Google API Services Data are completely prohibited.

We and our developers are never allowed to use or transfer Google API Services Data to serve users advertisements. This includes personalized, re-targeted and interest-based advertising.

Weflow strictly complies with all requirements, including Limited Use Policy of Google:
- We limit our use of data to provide or improve user-facing features that are prominent in the requesting application's user interface;
- We do not transfer Google API Services Data except for the purposes as set out in the Limited Use Policy;
- We do not allow humans to read the Google API Services Data except as set out in the Limited Use Policy;
- We acknowledge that all other transfers, uses, or sales of Google API Services Data are prohibited and we ensure that our employees, agents, contractors, and successors comply with this Google API Services User Data Policy.


Data Security
We are very serious about the protection of your Data. To ensure this protection, we have taken various technical and organizational measures to protect your data from access by unauthorized third parties. We have concluded Data Processing Agreements with our processors, which comply with the requirements of the GDPR. If your data is transferred to a third country, which only happens if this is pointed out in this privacy policy, additional protective measures have been taken by us. Our employees are committed to complying with data protection and only get access to the absolutely necessary data from you. We will only share your Data if you authorize us to do so or if we are legally entitled or obliged to do so.

We do not sell your Data under any circumstances!
‍
Rights of the Data Subject
Right to access, rectification, to object, to complaint, erasure and blockage.

- You have the right to request information about whether and which Data is processed by our company. - - You also have the right to demand that your Data is rectified or amended.
- Under certain circumstances, you have the right to request that your Data should be deleted.
- Under certain circumstances, you have the right to demand that the processing of your Data should be restricted.
- You can withdraw your consent to the processing and use of your Data completely or partially at any time with future effect.
- You have the right to obtain your Data in a common, structured and machine-readable format.
- If you have any questions, comments, complaints or requests in connection with this data privacy policy and the processing of your Data, you can also contact us.
- You also have the right to complain to the responsible supervisory authority if you believe that the processing of your Data is in violation of applicable data protection laws.

‍
Contact Options
‍
You can contact us as follows:
‍
Weflow GmbH
Oranienburger Str. 1 - 3
10178 Berlin
Germany
‍
Email: privacy@getweflow.com

Date of Issue of this Data Privacy Policy: February 14th, 2023
‍
We reserve the right to make amendments at any time to this data privacy policy for future effect.