LiteLog - Privacy Policy

Privacy Policy

Effective: September 23, 2025

1. Controller

Controller for data processing:
IQONEX GmbH
Eugen-Richter-Straße 45
99085 Erfurt, Germany
E-Mail: info@litelog.de

Supervisory Authority:
Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI)
Häßlerstraße 8, 99096 Erfurt
Phone: +49 361 57-3112900
E-Mail: poststelle@datenschutz.thueringen.de

2. Rights of Data Subjects

You have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 (3) GDPR)

You also have the right to lodge a complaint with the supervisory authority (Art. 77 GDPR).

3. Data Collection on Our Website

a) Hosting and Logfiles

  • Hosting: Platform.sh (EU region)
  • Data: IP address, date/time, URL, referrer, browser type/version, operating system
  • Purpose: operation, security, error diagnostics
  • Legal basis: Art. 6 (1) (f) GDPR
  • Storage period: 30 days

b) Cookies & Consent

  • Necessary cookies (Art. 6 (1) (f) GDPR)
  • Optional cookies (analytics/marketing) only with consent (Art. 6 (1) (a) GDPR)
  • Consent management: in-house system, revocable at any time

c) Registration / User Account

  • Data: name, email, login credentials, roles, tenant
  • Purpose: contract performance, access management
  • Legal basis: Art. 6 (1) (b) GDPR
  • Storage period: contract duration + 90 days

d) Contact

  • Data: information from contact forms or emails
  • Purpose: handling of inquiries
  • Legal basis: Art. 6 (1) (a), (b) GDPR
  • Storage period: 12 months

e) Appointment Scheduling

  • Provider: Brevo Meetings (Sendinblue/Brevo)
  • Data: name, email, appointment details, video link if applicable
  • Legal basis: Art. 6 (1) (b) GDPR
  • Storage period: until completion + statutory retention obligations

f) Google reCAPTCHA

Use of Google reCAPTCHA

We use Google reCAPTCHA on our website and within our portal. The service is provided by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google reCAPTCHA is used to protect our forms (e.g. registration, login, contact forms, password reset) against misuse by automated programs (bots). For this purpose, reCAPTCHA analyzes various information (e.g. IP address, browser and device information, date and time, referrer URL, mouse and scroll movements, cookies of Google services and – if you are logged in to your Google account – a possible association with this account).

The processing may also take place on servers of Google LLC in the United States. We have concluded the EU Standard Contractual Clauses with Google. Nevertheless, an equivalent level of data protection as in the EU cannot be fully guaranteed in third countries such as the USA (e.g. potential access to your data by public authorities).

Legal basis & consent

We only use Google reCAPTCHA if you have given your prior consent. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and – insofar as cookies or similar technologies are used – Section 25(1) TTDSG (German law).

In practice, this means:

  • Before you give consent, the reCAPTCHA script is not loaded.
  • No data is transmitted to Google and no reCAPTCHA tracking takes place before you accept in our cookie/consent banner.
  • reCAPTCHA is loaded and used on the relevant forms only after you have given your consent.

You can withdraw your consent at any time with effect for the future via our cookie/consent manager. In that case, reCAPTCHA will no longer be loaded; certain functionalities (e.g. submitting forms) may then no longer be available or only work to a limited extent.

For more information on how Google processes data, please refer to Google’s Privacy Policy (https://policies.google.com/privacy) and the specific information on reCAPTCHA (https://policies.google.com/terms).

4. Analytics and Marketing Tools

a) Google Analytics 4

  • Data: usage behavior, interactions, device info
  • Note: no storage of EU IP addresses
  • Third-country transfer: USA (SCCs)
  • Legal basis: Art. 6 (1) (a) GDPR
  • Storage period: 14 months

b) Hotjar

  • Data: clicks, scrolls, heatmaps, feedback (no form field entries)
  • Legal basis: Art. 6 (1) (a) GDPR
  • Storage period: 12 months

c) Google Ads / Conversion Tracking

  • Data: conversions (e.g. form submissions)
  • Legal basis: Art. 6 (1) (a) GDPR
  • Storage period: depends on campaign duration

5. Payment Methods

Payments are processed via Stripe Payments Europe, Ltd., Dublin, Ireland.

Stripe processes: payment details (credit card, IBAN, amount), billing data (name, address, email), IP address.

Legal basis:

  • Art. 6 (1) (b) GDPR (contract performance)
  • Art. 6 (1) (f) GDPR (fraud prevention, secure processing)

Further information: Stripe Privacy Policy

Available methods via Stripe:

6. Mobile Apps

a) LiteLog Android App

  • Data: location (incl. background), camera/media (QR, photos, videos), NFC UIDs, account data, event/tour logs, diagnostic/crash data
  • Purpose: attendance tracking, guard tours, security, support
  • Legal basis: Art. 6 (1) (a), (b), (f) GDPR
  • Storage period: logs 12 months, account data contract duration + 90 days, crash data 30–90 days

b) LiteLog iOS App

  • Data: same as Android
  • App Store Privacy Label: account data & event logs marked as “Data linked to you”
  • App Tracking Transparency: no IDFA, no cross-device tracking
  • Legal basis: Art. 6 (1) (a), (b), (f) GDPR
  • Storage period: same as Android
  • Availability: App Store + in-app (Settings → Privacy)

7. Security (Art. 32 GDPR)

  • TLS/SSL encryption
  • Access restrictions & role/permission concepts
  • Pseudonymization of log data
  • Data minimization & deletion policies
  • Regular backups
  • Staff training

8. Storage Periods (Overview)

  • Server logs: 30 days
  • Contact inquiries: 12 months
  • Registration/account data: contract duration + 90 days
  • Crash/diagnostic data: 30–90 days
  • Contract/billing data: 6 years (HGB) / 10 years (AO)
  • Appointment bookings: until completion + statutory retention obligations

9. Changes

We reserve the right to update this Privacy Policy when services, technologies, or legal requirements change.

10. Data Protection Officer

E-Mail: info@litelog.de

If a Data Protection Officer is appointed under § 38 BDSG, their contact details will be published here.

Contact

For questions about this Privacy Policy:
info@litelog.de
