Last updated: 20 Nov. 2024
1. Introduction
Welcome to DOIfast ("Service"). This Privacy Policy explains how we collect, use, and disclose personal data when you use our Service. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR).
2. Data Controller and Data Processor
- Data Controller: For personal data related to account holders (users who sign up for our Service), mal zehn UG (haftungsbeschränkt) is the data controller.
- Data Processor: For personal data collected from end-users (individuals who submit forms using our Service on behalf of account holders), we act as a data processor on behalf of the account holders, who are the data controllers.
4. Personal Data We Process
4.1. Account Holders (Users):
- Account Information: Name, email address, and password.
- Payment Information: Transaction details processed via Stripe.
- Token Transaction History: Records of token purchases and usage.
- Project Configurations and Settings: Details related to your projects, form configurations, and settings.
- Usage Data: Log files, error tracking, usage statistics, and analytics.
4.2. End-Users (Form Submitters):
- Email Address: Collected when an end-user submits a form that uses our Service.
- Form Data: Any data submitted through forms integrated with our Service.
- Verification Data: Unique tokens generated for verification purposes.
5. Purposes and Legal Basis for Processing
5.1. For Account Holders:
- Service Provision and Maintenance: To provide and maintain our Service (Art. 6(1)(b) GDPR).
- Payment Processing: To process payments for token purchases (Art. 6(1)(b) GDPR).
- Communication: To contact you regarding account updates or issues (Art. 6(1)(b) GDPR).
- Service Improvement: To improve our Service based on legitimate interests (Art. 6(1)(f) GDPR).
- Legal Compliance: To comply with legal obligations (Art. 6(1)(c) GDPR).
5.2. For End-Users:
- Verification Emails: To send verification emails as part of the double opt-in process (Art. 6(1)(f) GDPR).
- Data Submission: To forward verified form data to the intended recipients (Art. 6(1)(f) GDPR).
6. Recipients of Personal Data
We may share personal data with:
- Service Providers:
  - Firebase (Google Cloud): For data storage and authentication.
  - Resend: For email delivery services.
  - Stripe: For payment processing.
- Legal Authorities: If required by law or to protect our rights.
7. International Data Transfers
Personal data may be transferred to countries outside the European Economic Area (EEA), including the United States. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data:
- Encryption: All communications are secured via HTTPS.
- Authentication: Secure user authentication through Firebase Authentication.
- Access Control: Firestore security rules govern data access.
- Rate Limiting: API endpoints are rate-limited to prevent abuse.
- Secure Token Generation: Verification tokens are securely generated using crypto.randomUUID().
9. Data Subject Rights
9.1. For Account Holders:
You have the following rights under the GDPR:
- Right of Access: Obtain confirmation about the processing of your personal data.
- Right to Rectification: Correct inaccurate personal data.
- Right to Erasure: Request deletion of your personal data under certain conditions.
- Right to Restrict Processing: Request restriction of processing under certain conditions.
- Right to Data Portability: Receive your data in a structured, commonly used format.
- Right to Object: Object to processing based on legitimate interests.
9.2. For End-Users:
As we process your data on behalf of account holders, please contact the relevant account holder to exercise your rights. If you contact us directly, we will forward your request to the appropriate account holder.
10. Cookies and Tracking Technologies
We only use session cookies to offer login functionality.
11. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date.
12. Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us: