Privacy Policy

The following privacy notice provides an overview regarding the collection and processing of user data.
The full information can be found in the Privacy Statement

What data do we collect from our users?

Access data: when calling up and using these web pages

  • Information about the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • The date and time of access
  • Websites from which the user’s system has reached our web pages
  • Internal web pages called up by the user’s system via our web pages

The server log data is retained for 7 days.

Form data: Based on registration

  • Surname
  • First Name
  • E-mail address
  • Telephone
  • Company/Organisation
  • Professional title
  • Payment details (credit card, payment on receipt of invoice)

Analysis data: In addition, we collect additoinal data

We use internet analysis and marketing services (Google Analytics and Google Tag Manager) and Inbound-Marketing and Sales Software (HubSpot and Clearbit) to assess our website call-ups and to optimise our service offering and marketing campaigns. With Google Analytics, the user’s IP address is processed and transferred in an anonymised form. To provide videos on our web pages, we use the Third-Party provider service Vimeo. We also offer the user to follow us on different social media platforms via a follow me button (Twitter, GitHub, Stack Overflow and Vimeo).

How do we collect data from our users?

The access and analysis data are automatially logged during access to our web pages. The form data are collected from what you enter.

What do we use the data from our users for?

We use the access and analysis data in providing our products and services and in optimising and protecting our web pages. With the consent of our users, we use the form data to respond to contact enquiries, messages and product enquiries.

Further uses of the user data

We also use the data from our B2B users for direct marketing (newsletter, emails on product updates or upcoming events). For this, we work in collaboration with a Third-Party providers, “MailChimp” and “HubSpot”, which process the user data on our behalf. Unsubscribing from our newsletter is possible at any time. Where our users register for training courses or events, the processing and storage of form data are carried out via the Third-Party provider “Eventbrite”. Online job applications are made via an applicant portal provided by “Workable”. Data processing agreements exist with all these Third-Party providers, based on the current standards in the General Data Protection Regulation.

What rights do our users have?

  • Information: Users have the standardised right to information about the personal data being stored about them. 
  • Erasure: Users have the right to erasure of their data if these are no longer permitted to be stored.
  • Rectification: Users have a right to rectification of their personal data if we have stored these about users incorrectly.
  • Objection: Users have the right to object, and can contact us in this regard (privacy@Camunda.com)

Our privacy statement

Camunda Services GmbH (hereinafter also referred to as “Camunda”) is a German provider of services and software in the field of workflow automation. Camunda operates a website where the company and its products and services are presented, where users can register for services, information and products, submit job applications and engage in exchanges about Camunda products in forums (hereinafter also referred to as “web pages”).

Via this privacy statement, we wish to explain for users which data are required when using the Camunda webpages, and how we will proceed to use those data if the user browses the Camunda web pages.

We take protection of the personal data of our users very seriously, and we comply with the applicable provisions under data protection law, especially the new General Data Protection Regulation (GDPR) applicable across the EU. We collect, process and use the personal data of our users only if this is essential to respond to their enquiries or to deliver our product and services and insofar as the law permits data processing. This privacy statement is applicable for all services offered in connection with the web pages. If you have any questions or comments about this Privacy Statement, please contact us via privacy@Camunda.com .

I. Name and address of the controller and of its data protection officer

Controller within the meaning of the GDPR, of other data protection laws applicable in the Member States of the European Union and of other provisions having the character of data protection legislation is:

Camunda Services GmbH
Zossener Strasse 55-58
10961 Berlin
Germany
Tel.: +49 30 664 04 09 - 00
E-mail: privacy@Camunda.com
Web pages: https://Camunda.com/

The Data Protection Officer for Camunda is:

Julian Höppner
JBB Data Consult GmbH
Friedrichstraße 95
10117 Berlin
Germany
Tel.: +49.30.20962282
E-mail: hoeppner@jbbdataconsult.de
Web pages: www.jbbdataconsult.de

II. General comments on data processing

1. Personal data

On our web pages we collect personal data about our users. These are, specifically, form data, access data and analysis data :

  • We collect personal data such as the name, e-mail address or telephone number of our users fundamentally only if the user is volunteering this information to us (e.g. as part of making contact or an online job application or registering for a trial version of our software), referred to as “form data”.
  • Where the user browses our web pages, our web server also records additional personal data (e.g. user’s IP address, date and time of access), referred to as “access data”.
  • Our web pages also use what are known as “cookies”. For this, we use both our own Camunda cookies and also Third-Party cookies (Google Analytics and Vimeo), referred to as “analysis data”.

2. Processing of personal data and the legal basis for this

We essentially use form data from our users only insofar as this is necessary to provide a functioning web page and our content and services. The collection of form data from our users generally occurs via data entry by the user (legal basis Art. 6 (1) (a) GDPR or Art. 6 (1) (b) GDPR). Access data are used to prevent misuse of the web pages (legal basis Art. 6 (1) (f) GDPR). Analysis data are used to simplify and to accelerate the handling of the user’s visit to our web page, to generate reports for optimising the web pages or to track and target the interests of the users to enhance the experience on our web pages (legal basis Art. 6 (1) (f) GDPR) (see also website analysis services / Third-Party cookies and also social media plug-ins). The forwarding of personal data to Third-Parties is carried out as part of data processing agreements, respecting the principles of the GDPR and the provisions regarding transfer of data to third countries.

3. Data erasure and storage period

We process and store personal data from our users only for as long as is necessary to achieve the purpose of the storage. Storage may also take place insofar as this was envisaged by European or national legislators in regulations under Union law, national laws or other regulations to which the controller responsible for processing is subject. As soon as the purpose of storage lapses or a specified storage period stated in the regulations expires, the personal data are routinely erased. Access data are erased as a rule after a period of seven days.

III. Offer- and service-specific data processing

In principle users browse our web pages anonymously, so long as they do not make use of a service offered by Camunda. In this case, only the sections on usage data and analysis data (Camunda cookies, log files, website analysis services (Third-Party cookies) and social media plug-ins) are relevant. Where the user procures another service (newsletter, downloading a white paper, applying for a job vacancy, booking a training event, making general contact), then additionally the privacy aspects in the relevant section about form data are to be observed.

1. Web pages and log files

Personal data: Every time our web page is called up, our system automatically records data and information from the computer system of the computer making contact. The following data may be collected for this (access data) :

  • Information about the browser type and version used
  • The user’s operating system
  • The user’s IP address
  • The date and time of access
  • Websites from which the user’s system has reached our web page
  • Internal web pages called up by the user’s system via our web page

The data are similarly stored in the log files for our system. No storage takes place for this data together with other personal data of the user.

Purpose and legal basis: The temporary storage of the IP address by the system is necessary in order to make it possible to deliver the web pages to the user’s computer. For this, the user’s IP address needs to remain stored for the duration of the session. Storage takes place in log files, in order to guarantee the functionality of the web pages. In addition, the data help us to optimise the web pages and to ensure the security of our IT systems. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR. No evaluation of data for marketing purposes takes place in this connection.

Duration of storage and data erasure: The data are erased as soon as they are no longer necessary for achievement of the purpose for which they were collected. In the situation of recording data for provision of the web pages, this is the case if the respective session has ended. In the situation of storing the data in log files, this is the case after seven days at the latest.

Opportunity to object and for removal: The recording of data for provision of the web pages and storage of the data in log files is fundamentally necessary for operation of the web pages. There is consequently no opportunity for the user to object.

2. Camunda cookies (first-party cookies)

Personal data: The Camunda web pages use cookies. Cookies are data stored by the web browser on the user’s computer system. The cookies can be transferred to the computer when calling up a site, thus enabling assignment to the user. The cookies Camunda is using are storing and transmitting the user´s Language settings.

Purpose and legal basis: The purpose of using the language-setting-cookie is to simplify the use of our web pages for users. This purpose also constitutes our legitimate interest in processing personal data pursuant to Art. 6 (1) (f) GDPR. The user data collected via technically necessary cookies are not used to create user profiles.

Duration of storage, data erasure, opportunity to object and for removal: Cookies are stored on the user’s computer and are sent by that computer to our web page. For that reason, the user also has full control over the use of cookies. By changing the settings in their web browser, the user can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also occur automatically. The automatic language recognition function on our web pages cannot be offered without the use of cookies.

3. Website analysis services (Third-Party cookies, Web Beacons and APIs)

On the web pages Camunda is using Third-Party technologies for automatic data collection, like cookies from Google Analytics, HubSpot and Vimeo, APIs from Clearbit or Web Beacons (also referred to as pixel tags) from Facebook, Twitter and LinkendIn. “Cookies” are text files that are stored on the user’s computer and enable analysis of the use of the web pages by the user. A “Web Beacon” is a small string of code that represents a clear graphic image and is used in conjunction with a cookie.

Used Cookies: The Cookies we use may be either “persistent” cookies or “transient” cookies: a persistent cookie will be automatically deleted after a specified period of time, which may vary depending on the cookie. The user can delete the cookie in the security settings of his browser at any time however. A transient cookie will expire once the user is closing his browser. These include in particular session cookies which are used when the user visits the web page. These store a so-called session ID, with which various requests from the user´s browser can be assigned to a common session. This will allow the user´s computer to be recognized when he returns to our web page. The types of cookies we are using on our web pages are listed under the respective section of the Third-Party provider.

Web Beacons: “Web Beacons” differ from cookies in that way that the information is not stored on the user´s hard drive, but invisibly embedded on web pages or in email. Web beacons permit us to track online movements of web users, for example: to count users who have visited those pages or opened an e-mail and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

Opt-Out: The user can prevent the third-party technologies mentioned in the respective section from being stored in the future by placing an opt-out request. The user must click on the “Opt-out from all tracking” button at the following link: https://camunda.com/opt-out/. His opt-out request will set an opt-out cookie in his browser. This serves solely to assign his opt-out request and prevents Camunda from storing cookies on the user´s computer in the future. In addition, the user can always configure his browser setting according to his wishes and decline acceptance of either third-party cookies or all cookies. This way he also has the option to delete previously stored cookies. The user should be aware that in these cases he may not be able to use all features of this web page.

a. Google Analytics

The web pages use Google Analytics, a web analysis service of Google Inc. (“Google”).

Personal data: Information generated by the cookie regarding use of these web pages is generally transferred to a Google server in the USA and stored there. As IP anonymisation is enabled on our web pages, the user’s IP address is, however, previously abbreviated by Google within the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional instances is the full IP address transmitted to a Google server in the USA and abbreviated there. Google Analytics processes the data on behalf of Camunda. Google Analytics is certified under the US Privacy Shield. A data processing agreement with Google Analytics is in place that conforms to the requirements of the GDPR. Google analytics makes use of the Google’s Tag Manager. For more information about Google’s use of data for marketing purposes, please see the summary page: https://www.google.com/policies/technologies/ads.

Purpose and legal basis: Google will use this information on behalf of Camunda to evaluate use of the web page by the user, to put together reports on web page activities and to provide additional services connected with use of the web pages and use of the internet for the web page operator. The IP address transmitted as part of Google Analytics by the user’s browser is not put together with other Google data. Google Analytics is used to increase the effectiveness of our web pages and requires the passing-on of data about users to us. Generally, the user’s consent is not obtained for this. However, use of these services is justified via Art. 6 (1) (f) GDPR, because Camunda simplifies and accelerates the handling of the visits by its users to the web pages through the use of Google Analytics.

Duration of storage, data erasure, opportunity to object and for removal: The user is able to prevent storage of cookies via a corresponding setting on their browser software; however, we advise that in that case the user may not be able to use all functions of these web pages to the full extent. In addition, the user can prevent the recording of the data generated by the cookie and relating to their use of the web pages (including their IP address) being sent to Google and the processing of this data by Google by downloading and installing the browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout.

Overview on the specific cookies from Google Analytics used by Camunda

Cookie Name Service Duration Type Description
_gat Google Analytics 1 minute Persistent This cookie is used to throttle request rate.
_ga Google Analytics 2 years Persistent This cookie is used Used to distinguish users.
_gid Google Analytics 1 day Persistent This cookie is used Used to distinguish users.
_gaexp Google Analytics Depends on the length of the experiment but typically 90 days. Persistent Used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in.

The storage of cookies and the exchange of data with Google Analytics can also be prevented by enrolling in the opt-out option provided above.

b. HubSpot

For our marketing activities (plan, execute and measure integrated marketing campaigns) we are using HubSpot. HubSpot is one of the leading marketing automation platforms worldwide and allows us to analyze the behavior of our prospects and customers and automate and streamline a multitude of marketing operations.

Personal data: Information generated by the cookie regarding use of these web pages may be transmitted to a HubSpot server outside the EU and stored there. Personal data will only be collected and enriched if the user completes a form on this web page. In this case, in addition to the data the user enters himself, his IP address will also be saved. HubSpot processes the data on behalf of Camunda. HubSpot is certified under the US Privacy Shield. A data processing agreement with HubSpot is in place that conforms to the requirements of the GDPR.

Purpose and legal basis: The cookies used by HubSpot enable us to determine the success or failure of a marketing campaign. Before implementing the cookies on our web page, we have balanced our interest of using HubSpot against the interest of our B2B-users not being exposed to cookies. As the implementation of a tracking code on web properties is one of the most basic and commonest practice with all marketing automation software, we assume that the average B2B-user is aware of the usage of such a marketing tool. We focus on product remarketing and only in rare occasions - and limited to data we collect either directly from users or indirectly via data enrichment platforms-, are we carrying out dynamic messaging. Furthermore, HubSpot offers plenty of options to enable opt-out, which we have included in every email that Camunda sends to the user. No sensitive data (only B2B-user personal data) nor data of minors (they are not the target of our webpages/ products) will be processed. The legal basis for processing the data via the use of cookies is hence the legitimate interest pursuant to Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: The user is able to prevent storage of cookies via a corresponding setting on their browser software. Further information on data collection, evaluation and processing of the user’s data by HubSpot and on their rights in relation to this can be obtained from HubSpot´s cookies policy, which is available from https://legal.hubspot.com/cookie-policy.

Overview on the specific cookies from HubSpot used by Camunda

Cookie Name Service Duration Type Description
_hssc Hubspot 30 min Persistent This cookie is used to keep track of sessions, number of page views and timestamp.
_hssrc Hubspot Session duration Transient This cookie is set whenever a new session is started. This serves to determine if the user has started a new session.
_hstc Hubspot 2 years Persistent This is the main HubSpot cookie. It contains information about the user (identified by an unique identifier). It stores domains, timestamps and numbers of sessions.
hubspotutk Hubspot 10 years Persistent This cookie contains a user unique identifier, its value gets checked on form submission to avoid duplication of contacts.

The storage of cookies and the exchange of data with Hubspot can also be prevented by enrolling in the opt-out option provided above.

c. Clearbit

For our marketing activities we also use Clearbit, a data provider, in conjunction with HubSpot to enrich our opt-in database and customize our marketing campaigns via APIs.

Personal data: Information the B2B user is providing via a form will be send via HubSpot to Clearbit though an API call, thus helping us to enrich the user´s data with business information. Clearbit processes the data on behalf of Camunda. Clearbit is certified under the US Privacy Shield. A data processing agreement with Clearbit is in place that conforms to the requirements of the GDPR.

Purpose and legal basis: The APIs used by Clearbit enable us to “enrich” or supplement information based on the user’s unique business email, which the user has entered in one of our online forms. Via the prospector functionality we can build a list of specific and relevant contact persons (within the companies that we have targeted for marketing campaigns), which we intend to contact later on via direct marketing mails. Before implementing the cookies on our web page, we have balanced our interest of using Clearbit against the interest of our B2B-users not being exposed to cookies. As Clearbit is a data enrichment and prospecting platform used widely by thousands of companies online, we assume that the average B2B-user is aware of the usage of such a marketing tool. We provide the option to enable opt-out, which we have included in every email that Camunda sends to the user. No sensitive data (only B2B-user personal data) nor data of minors (they are not the target of our webpages/ products) will be processed. The legal basis for processing the data via the use of APIs is hence the legitimate interest pursuant to Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: Further information on data collection, evaluation and processing of the user’s data by Clearbit and on their rights in relation to this can be obtained from Clearbit´s privacy statement, which is available to download from: https://clearbit.com/privacy

d. Vimeo components (including as lframe)

We use the provider Vimeo for incorporating videos. Vimeo is operated by Vimeo, LLC, with its registered office at 555 West 18th Street, New York, New York 10011.

Personal data: Information generated by the cookie regarding use of the “Vimeo Services” is generally transferred to a server in the USA and stored there. The following list shows the cookies used by Vimeo: https://vimeo.com/cookie_list

Purpose and legal basis: We use plug-ins from the provider Vimeo on our web pages. If the user calls up a web page configured with such a plug-in, a connection is established with the Vimeo servers in the USA.  Information about the user’s visit and their IP address is stored there when this happens. Where there are interactions with the Vimeo plug-ins (e.g. clicking the start button), this information is similarly sent to Vimeo and stored there. If the user is logged in as a member at Vimeo, Vimeo assigns this information to the user’s personal user account. When the plug-in is used, e.g. by clicking on the start button for a video, this information is similarly assigned to their user account. Additionally, Vimeo calls up the Google Analytics tracker via an iFrame in which the video is called up. This is independent tracking by Vimeo to which we have no access. The justification for data collection is Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: The user can prevent this assignment via our web page by logging off from their Vimeo user account before using our web pages and deleting the corresponding cookies from Vimeo. The users can prevent the recording of the Google Analytics applications called up by Vimeo and of the data generated by it and relating to their use of the website (including IP address) being sent to Google and the processing of there data by Google by downloading and installing the browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout. Further information on data processing and advice on privacy from Vimeo can be found at https://vimeo.com/privacy.

e. Web Beacons We use Web Beacons from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), LinkedIn (Headquarters 2029 Stierlin Ct. Ste. 200 Mountain View, CA 94043) and Twitter, Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107) on our website via the usage of the Google Tag Manager. LinkedIn and Twitter are certified under the Privacy Shield Agreement and thus guarantee compliance with European data protection.

Purpose and legal basis: We use the Web Beacons for marketing purposes in order to target our users with advertising which is tailored to their interests. In addition, we use the Web Beacons in order to restrict the likelihood that an advert will be displayed and in order to measure the effectiveness of our advertising measures. The legal basis for this is Art. 6 (1) (f) GDPR. The purposes pursued by the data processing come under the legitimate interest of direct marketing.

Duration of storage, data erasure, opportunity to object and for removal: At any time, the user has the right to raise an objection to the processing of his data for the purpose of such advertising by enrolling in the opt-out option provided by Camunda (https://camunda.com/opt-out/). Alternatively, the user can prevent the setting of cookies in his browser settings. Further information on data collection, evaluation and processing of the user’s data by Facebook, LinkedIn or Twitter and on their rights in relation to this can be obtained by the user from the company´s privacy statements, downloadable from https://www.facebook.com/legal/FB_Work_Privacy, https://www.linkedin.com/legal/privacy-policy or http://twitter.com/privacy.

4. Links to social media platforms

In our website-footer we offer links to the social media platforms Twitter, GitHub, Stack Overflow and Vimeo where you can follow Camunda. We have not implemented Like- Share- or other social media buttons.

If the user calls up a page containing a follow me button, indicated using the respective social media logo, a direct connection with the social media servers is established by their browser. Information is then transferred to the respective social media platform indicating that the page was called up.

Twitter: is a micro-blogging service from the American company Twitter, Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107). Further information on data collection, evaluation and processing of the user’s data by Twitter and on their rights in relation to this can be obtained by the user from Twitter’s privacy statement, downloadable from  http://twitter.com/privacy.

GitHub: is a web-based hosting service for version control using git (88 Colin P Kelly Jr Street, San Francisco, CA 94107). Further information on data collection, evaluation and processing of the user’s data by GitHub and on their rights in relation to this can be obtained by the user from GitHubs’s privacy statement, downloadable from  https://help.github.com/articles/github-privacy-statement/

Stack Overflow: is an online community for developers to learn, share their knowledge, and build their careers (110 William Street 28th Floor, New York, NY 10038). Further information on data collection, evaluation and processing of the user’s data by Stack Overflow and on their rights in relation to this can be obtained by the user from Stack Overflow’s privacy statement, downloadable from  https://stackexchange.com/legal/privacy-policy

Vimeo: is operated by Vimeo, LLC, with its registered office at 555 West 18th Street, New York, New York 1001. Further information on data collection, evaluation and processing of the user’s data by Vimeo and on their rights in relation to this can be obtained by the user from Vimeo´s privacy statement, downloadable from  https://vimeo.com/privacy.

5. Newsletter and White Papers

We also offer the user the opportunity to keep up to date about Camunda and upcoming meetings and developlments in the workflow-automation field via our newsletters and white papers.

Personal data: If the user subscribes to our company’s newsletter or downloads a white paper, we require only the user’s e-mail address, which we will store for as long as the user wishes to obtain the newsletter. The data in the respective input mask are stored in Camunda’s internal database and transmitted to MailChimp (https://mailchimp.com/) and HubSpot. These companies process the data on behalf of Camunda. MailChimp and HubSpot are certified under the US Privacy Shield. A data processing agreement with MailChimp and HubSpot is in place that conforms to the requirements of the GDPR.

Purpose and legal basis: Collecting the user’s e-mail address is used for sending the newsletter. In addition, we use the data to further optimise our newsletter for our users, by operating newsletter tracking via MailChimp / HubSpot (specifically “open rate” and “click rate” tracking). The user´s consent to receiving the newsletter is obtained via a double-opt-in process. The legal basis for processing the data after the user registers for the newsletter is hence Art. 6 (1) (a) GDPR. Newsletter tracking is similarly justified pursuant to Art. 6 (1) (f) GDPR.

The data we collect when registering for the newsletter or downloading the whitepaper is further used to inform the user via email about product updates and upcoming events. This is our legitimate interest, which we can only pursue by sending emails and running product specific marketing-campaigns. We assume that the business customer has a continuing interest in Camunda-specific products and services (6 (1) (f) GDPR).

Duration of storage, data erasure, opportunity to object and for removal: The data are used solely for dispatch of the newsletter, for access to the white paper and for other marketing-campaigns, where we inform the user about product-updates and upcoming events. The data subject can cancel the newsletter subscription and the receipt of further email communication at any time. Similarly, consent to storage of personal data can be withdrawn at any time. There is a corresponding link for this purpose in every newsletter. And the user can, of course, send an e-mail at any time for rectification or erasure of their data to privacy@Camunda.com. Further information on data collection, evaluation and processing of the user’s data by MailChimp and HubSpot and on their rights in relation to this can be obtained from MailChimp’s or HubSpot’s privacy statement, which is available to download from  https://mailchimp.com/legal/privacy/ or https://legal.hubspot.com/privacy-policy.

6. Trial version and getting in touch:

If the data subject uses the opportunity on the Camunda web pages to obtain access to a trial version by entering personal data or to get in touch with us generally, the data in the respective input mask are transferred to Camunda.

Personal data: The following data are collected as part of the registration process:

  • First name and surname
  • E-mail address
  • Company
  • Telephone
  • Job title

The data in the respective input mask are stored in Camunda’s internal database. If the data and the customer contact are further qualified, the data are firstly transferred to our CRM. This is provided by Pipedrive as SaaS (https://www.pipedrive.com/). This company processes the data on behalf of Camunda. Pipedrive processes the data in Estonia, i.e. there is no data transfer to a non-European country. A commissioned data processing agreement conforming to the requirements of the GDPR exists with Pipedrive. In the event of further qualification, the data are also transferred to MailChimp (https://mailchimp.com/) and HubSpot (https://www.hubspot.de/). These companies process the data on behalf of Camunda. MailChimp and HubSpot are certified under the US Privacy Shield. A data processing agreement with MailChimp and HubSpot is in place that conforms to the requirements of the GDPR.

Purpose and legal basis: Getting in touch and downloading the trial version serve to initiate and, under some circumstances, to fulfil a contract where the contractual partner is the user or serves to carry out pre-contractual measures; the legal basis for processing the data is therefore Art. 6 (1) (b) GDPR. The forwarding of the data to external Third-Parties (Pipedrive, MailChimp and HubSpot) is similarly justified pursuant to Art. 28 GDPR and Art. 6 (1) (f) GDPR together with section 7 III UWG. The data we collect when registering (trial version or getting in touch) is further used to inform the user via email about product updates and upcoming events. This is our legitimate interest, which we can only pursue by sending emails and running product specific marketing-campaigns. We assume that the business customer has a continuing interest in Camunda-specific products and services (6 (1) (f) GDPR).

Duration of storage, data erasure, opportunity to object and for removal: The data are erased as soon as they are no longer necessary for achievement of the purpose for which they were collected. Even once the contract is concluded, it may be necessary to store personal data of the contractual partner, in order to satisfy contractual or legal obligations. If the data are necessary for fulfilment of a contract or to carry out pre-contractual measures, early erasure of the data is only possible insofar as no contractual or legal obligations oppose erasure. Should contact be made but where this does not result in conclusion of a contract, the personal data are erased if the respective conversation with the user is ended. The conversation is ended if the circumstances permit the conclusion that the circumstances concerned have been decisively clarified. The user has the opportunity at any time to withdraw their consent to the processing of the personal data. Where the user makes contact with us via e-mail, they may revoke storage of their personal data at any time. In such a situation, the conversation cannot be continued. All personal data stored in the course of making contact are erased in this situation. And the user can, of course, send an e-mail at any time for rectification or erasure of their data to privacy@Camunda.com.

7. Job applications

Where a candidate applies directly via our web page and thus uses our online applicant platform, the data in the respective input mask are transferred directly to our Third-Party provider Workable. This company processes the data on behalf of Camunda. Workable has its registered office in the UK. A data processing agreement with Workable is in place that conforms to the requirements of the GDPR.

Personal data: The following data are specifically collected as part of the registration process: personal data with contact information and a description of the user’s education and training, work experience and skills. Additionally, there is the opportunity to provide Camunda (via Workable) with electronically stored documents such as certificates or covering letters. Camunda does not require any information from the user that the German General Equal Treatment Act (AGG) prohibits the exploitation of (race, ethnic origin, gender, religion or world-view, disability, age or sexual identity). Information about illnesses, pregnancy, ethnic origin, political views, philosophical or religious convictions, membership of a trade union, physical or mental health or sexual preferences are similarly not to be transferred.

Purpose and legal basis: The purpose of the data processing is solely to support the decision on whether an applicant is suitable for a post that has been advertised and whether a contract of employment can be entered into with them. The legal basis for processing the data after the user has submitted the application is Art. 88 GDPR in conjunction with section 32 of the Federal Data Protection Act (BDSG). The forwarding of the data to Workable is similarly justified pursuant to Art. 28 GDPR and Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: If the job application is successful, the data indicated may be used under certain circumstances for technical administrative matters as part of the employment. All employees entrusted with processing the data are obliged to respect the confidentiality of the applicant’s data. Third-Parties (apart from Workable) will not obtain knowledge of the users’ information under any circumstances. Should Camunda not be able to offer the applicant a position, we will retain the data sent by the applicant for up to six months for the purpose of answering questions in connection with the application and the rejection. The data are used exclusively for the job application process. The candidate can withdraw the application or the consent to storage of their personal data at any time. For this purpose, the applicant can write an e-mail to privacy@Camunda.com. Further information on data collection, evaluation and processing of the user’s data by Workable and on their rights in relation to this can be obtained from Workable’s privacy statement, which is available to download from https://www.workable.com/privacy.

8. Forum

On our web page, the user has the opportunity to exchange information with other interested parties about questions relating to Camunda software.

Personal data: Where a user registers for the forum, we record their e-mail address and their user name. If a user posts to a forum, the user name they have chosen is displayed and is therefore viewable by the public. The contribution they have submitted can also be downloaded by any interested party, together with the time of posting. However, the e-mail address is not published.

The web page allows the users to register via a Third-Party account. Currently we are offering this service for GitHub and Google. This service may be reduced or extended in the future. This allows for usage of certain data stored by Google or GitHub in relation to the user´s account there to log into the Forum. We may then ask the user to complete the necessary sign-in information as applicable and described above. In addition to certain basic profile information (e.g. user name) we also receive the email address the user is using for his Google or GitHub account as we need this address to initiate and, subsequently, administrate the user account in the Forum.

Purpose and legal basis: The purpose of the data processing is to provide a platform enabling users to exchange information with one another and with Camunda about our product and our services. Registration of the data is necessary for the provision of content or services. The legal basis for storage of the data is accordingly Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: The data are automatically erased as soon as they are no longer necessary for achievement of the purpose for which they were collected. In the event of recording data for registering on the forum, this is the case if the user deletes their account. Old posts are not deleted, however. Registered persons also have the opportunity at any time to delete or have the stored data amended. The data subject can obtain information at any time about the personal data stored about them. For this purpose, the user can write an e-mail to privacy@Camunda.com.

9. Training courses and events

The user also has the opportunity to register for events on our web pages and to book training courses. The handling of booking requests operates exclusively via our Third-Party provider Eventbrite. This company processes the data on behalf of Camunda. Eventbrite is certified under the US Privacy Shield. A data processing agreement with Eventbrite is in place that conforms to the requirements of the GDPR.

Personal data: The following data are collected as part of the booking process:

  • First name (ticket purchaser and seminar participants)
  • Surname (ticket purchaser and seminar participants)
  • E-mail (ticket purchaser and seminar participants)
  • Telephone number
  • Company (including address, telephone number, etc.)
  • Payment details (credit card, payment on receipt of invoice)

Purpose and legal basis: The data are used exclusively for registration for the event and for billing for the event or for organising the training course. Storage of the data is necessary for registration for the event and for booking the training course. The legal basis for storage of the data is Art. 6 (1) (f) GDPR. The forwarding of the data to Eventbrite is similarly justified pursuant to Art. 28 GDPR and Art. 6 (1) (f) GDPR.

Duration of storage, data erasure, opportunity to object and for removal: Registered persons have the opportunity at any time to have the stored data amended. Erasure of data can only be considered insofar as it does not put at risk the handling of the service. The data subject can obtain information at any time about the personal data stored about them. For this purpose, the user can write an e-mail to privacy@Camunda.com. Further information on data collection, evaluation and processing of the user’s data by Eventbrite and on their rights in relation to this can be obtained by the user from Eventbrite’s privacy statement, which is available to download from https://www.eventbrite.de/support/articles/de/Troubleshooting/datenschutzrichtlinien-von-eventbrite?lg=de.

IV. Rights of users (data subjects)

If the user’s personal data are processed, this person is a data subject in the sense of the GDPR. The data subject/user is entitled to the following rights vis-à-vis Camunda:

1. Right of access

The user can demand confirmation from Camunda regarding whether personal data concerning them are being processed by us.

Where such processing takes place, the user can demand details from Camunda concerning the following information:

  • the purposes for which the personal data are being processed;
  • the categories of personal data being processed;
  • the recipients or the categories of recipients to whom the personal data concerning the user were disclosed or are being disclosed;
  • the planned duration of storage of the personal data concerning the user or, if concrete details of this are not possible, criteria for determining the storage period;
  • the existence of a right to rectification or erasure of the personal data concerning the user, of a right to restriction of processing by the controller or of a right of objection to this processing;
  • the existence of a right of complaint to a supervisory authority;
  • all available information about the origins of the data, if the personal data were not collected at Camunda;
  • confirmation that no automated decision-making, including profiling pursuant to Art. 22 (1) and (4) GDPR takes place at Camunda;
  • confirmation that there is no statutory or contractually-specified obligation for Camunda to provide personal data; provision may, however, be necessary for the conclusion of contract (where this is not provided, under certain circumstances no conclusion of contract is possible);
  • the user also has the right to request information about whether the personal data concerning them are being sent to a third country or to an international organisation. In connection with this, the user may request to be informed regarding the appropriate safeguards pursuant to Art. 46 GDPR in connection with transfer.

2. Right to rectification

The user has a right to rectification and/or completion by Camunda where the processed personal data concerning them are incorrect or incomplete. Camunda will make the rectification without undue delay.

3. Right to restriction of processing

Under the following conditions, the user can request restriction of processing of the personal data concerning them:

  • if the user contests the accuracy of the personal data concerning them, for a period that enables Camunda to verify the accuracy of the personal data;
  • if the processing is unlawful and the user opposes the erasure of the personal data and instead requests the restriction of use of the personal data;
  • if Camunda no longer needs the personal data for the purposes of the processing, but the user requires this for the establishment, exercise or defence of legal claims; or
  • if the user has lodged an objection to the processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds for Camunda override those of the user.

If the processing of the personal data concerning the user was restricted, this data will, with the exception of storage, only be processed with their consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where the restriction of processing was established in accordance with the above provisions, the user will be informed by Camunda before the restriction is lifted.

4. Right to erasure

a. Duty of erasure

The user may demand that Camunda erase the personal data concerning them without undue delay, and Camunda will have the obligation to erase these data without undue delay where one of the following grounds applies:

  • the personal data concerning the user are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • the user withdraws their consent on which the processing is based according to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and where there is no other legal ground for the processing.
  • the user objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Art. 21 (2) GDPR.
  • the personal data concerning the user have been unlawfully processed.
  • the personal data concerning the user have to be erased for compliance with a legal obligation in Union or Member State law to which Camunda is subject.
  • the personal data concerning the user were collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.

b. Information to third parties

Where Camunda has made the personal data concerning the user public and where Camunda is obliged pursuant to Art. 17 (1) GDPR to erase the data, Camunda, taking account of the available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the user has requested from Camunda the erasure of all links to those personal data or of copies or replications of those personal data.

c. Exceptions

The right to erasure does not exist to the extent that processing is necessary

  • for exercising the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which Camunda is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Camunda;
  • for reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

5. Right to be informed

Where the user has asserted the right to rectification, erasure or restriction of processing by Camunda, Camunda will be obliged to notify all recipients to whom the personal data concerning the user were disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or is associated with disproportionate expense.

The user has the right Camunda to be informed by Camunda about these recipients.

6. Right to data portability

The user has the right to receive the personal data concerning them, which they have provided to Camunda, in a structured, commonly used and machine-readable format. The user further has the right to transfer those data to another controller without hindrance from Camunda, to whom the personal data have been provided, where

  • the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
  • the processing is carried out by automated means.

In exercising this right, the user further has the right to have the personal data concerning them transferred directly by Camunda to another controller, where technically feasible. This will not adversely affect the freedoms and rights of other persons.

The right to data portability does not apply for the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Camunda.

7. Right to object

The user has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Art. 6 (1) (e) or (f) GDPR. Camunda will cease to process the personal data concerning the user, unless the user can demonstrate compelling legal grounds for the processing which override the interests, rights and freedoms of Camunda, or where processing serves the establishment, exercise or defence of legal claims.

Where personal data concerning the user are processed for direct marketing purposes, the user has the right to object at any time to processing of personal data concerning them for the purposes of such marketing. Where the user objects to processing for direct marketing purposes, the personal data concerning them will cease to be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the user may exercise their right to object by automated means using technical specifications.

8. Right to revocation of the declaration of consent under the privacy law

The user has the right to withdraw their declaration of consent under the privacy law at any time. The revoking of consent does not affect the lawfulness of the processing that has taken place by reason of the consent up to the time of withdrawal.

9. Automated individual decision-making including profiling

Not applicable; no automated decision-making or other profiling measures take place at Camunda.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the user has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their workplace or the place of the alleged infringement, if the user considers that the processing of the personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

V. Change log

August 2018: This privacy statement has been updated to describe the usage of Cookies and Web Beacons and to reflect the implementation of our new marketing tools HubSpot and Clearbit.

previous versions

May 2018: This privacy statement has been completely revised to conform to the requirements set out in the GDPR and was first published in this form on the 25th of May 2018.