Privacy Information for the Audvice Enterprise Solution
Last Update: 06 March 2023
The Audvice Applications collect some personal data from their Users, which is outlined here.
From a data privacy perspective, the Controller is the client on whose behalf Audvice GmbH processes personal data as a data processor.
5412 Puch bei Hallein
Processor’s Data Protection Officer
Dr. Karsten Kinast, LL.M.
KINAST Rechtsanwaltsgesellschaft mbH
Definitions and Legal References
Personal Data (or Data)
Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
Information collected automatically through the Audvice Applications (or third-party services employed at Audvice GmbH), which can include: the IP addresses or domain names of the computers utilized by the Users who use the Audvice Applications, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
The individual using the Audvice Applications who, unless otherwise specified, coincides with the Data Subject.
The natural person to whom the personal data refers.
The natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller, as described in this data privacy information.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, including the security measures concerning the operation and use of the Audvice Applications.
The Audvice Applications
Applications by which or on account of which the User's personal data is collected and processed, referring to the Audvice Mobile App, the Audvice Web App and the Audvice Admin Dashboard.
The service provided by the Audvice Applications as described in the relative terms (if available) and here.
European Union (or EU)
Unless otherwise specified, all references made within this document refer to the European Union including all current member states and the European Economic Area.
This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).
Types of Data Collected
Personal data may be freely provided by the User, or, in case of usage data, collected automatically when using the Audvice Applications. The processing of personal data (e.g. collection, retrieval, use, storage or transmission) always requires a legal basis or your consent. Data is deleted as soon as the purpose of the processing has been achieved and there are no longer any legally required retention obligations.
Unless specified otherwise, all data requested by Audvice Applications is mandatory and failure to provide this data may make it impossible for Audvice to provide its services. In cases where Audvice specifically states that some data is not mandatory, Users are free not to communicate this data without consequences to the availability or the functioning of the service.
Mode and Place of Data Processing
Methods of Processing
The data Processor takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data. The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the data Processor, in some cases the data may be accessible to certain types of persons in charge, involved with the operation of the Audvice Applications (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Sub-Processor by the data Processor. The updated list of these parties may be requested from the Controller at any time.
Legal Basis of Processing
The data Processor may process personal data on behalf of the Controller relating to Users if one of the following applies:
Users have given their consent for one or more specific purposes, Art. 6 para. 1 GDPR. Note: Under some legislations the Processor may be allowed to process personal data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply whenever the processing of personal data is subject to European data protection law;
provision of data is necessary for the performance of an agreement pursuant to Art. 6 para. 1 lit. b) GDPR with the User and/or for any pre-contractual obligations thereof;
processing is necessary for compliance with a legal obligation pursuant to Art. 6 para. 1 lit. c) GDPR to which the Controller and/or the Processor are subject;
processing is related to a task that is carried out in the public interest or in the exercise of official authority pursuant to Art. 6 para. 1 lit. d) GDPR vested in the Controller and/or in the Processor;
processing is necessary for the purposes of the legitimate interests pursued by the Controller, the Processor or by a third party pursuant to Art. 6 para. 1 lit. f) GDPR.
In any case, the data Controller and, if applicable, the data Processor will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Personal data shall be processed and stored for as long as required by the purpose they have been collected for.
Personal data collected for purposes related to the performance of a contract between the Controller and the User shall be retained until such contract has been fully performed.
Personal data collected for the purposes of the Controller’s or the Processor’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Controller or the Processor within the relevant sections of this document or by contacting the Controller using the information provided in the contact section.
The Controller or the Processor may be allowed to retain personal data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Controller or the Processor may be obliged to retain personal data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, personal data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The Purposes of Processing
The data concerning the User is collected to allow the data Processor to provide its Service, the data Controller and Processor to comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: hosting and backend infrastructure, displaying content from external platforms, analytics, contacting the User, platform services and hosting and registration and authentication provided directly by the Audvice Applications.
How Data is processed in Audvice Applications
Audvice Web App
The User can access Audvice through the Audvice Web App in their browser via www.web.audvice.com.
Audvice Mobile App
The User can access Audvice through the Audvice Mobile App, which can be downloaded in the Apple App Store or Google Play Store on the User’s mobile device.
For iOS mobile devices the Audvice Mobile App is distributed on the Apple App Store. The Apple App Store provides the data Processor with analytics of anonymous data on user engagement and app discovery, marketing campaigns, sales, in-app purchases, and payments to measure the performance of the Audvice Mobile App. The Apple App Store only collects such data from users who have agreed to share them with the data Processor. The Processor has no influence on the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and app store software. The responsible party in this respect is solely the operator of the respective app store. If necessary, please contact the respective app store provider directly for more information.
For Android mobile devices the Audvice Mobile App is distributed on the Google Play Store, provided by Google LLC or by Google Ireland Limited, depending on how the Processor manages the data processing.
By virtue of the app being distributed via this app store, Google collects usage and diagnostics data and shares aggregate information with the Processor. Much of this information is processed on an opt-in basis.
Users may opt-out of this analytics feature directly through their device settings.
Admins of the Controller’s Audiothek can manage Users and playlists in the Audvice Admin Dashboard. These include, for example, adding new Users, deactivating Users, editing tracks and playlists.
Controller’s admins have access to the following data in the admin dashboard:
First name, last name and email address of all Users in the audio library
Status of the User (invitation pending, User active, User deactivated)
Information about all shared playlists in the audio library (creator, title, description, date of sharing)
Information about all shared tracks in the audio library (creator, title, number of plays, date of sharing)
Groups (title, description, User)
Admins can view this data via the admin dashboard but cannot listen to audio content there. Admins can only listen to playlists, which have been shared with the Admin as a User in the Controller’s audio library, via the Audvice Mobile App or Audvice Web App.
The legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. The provision of user data is necessary and obligatory for the conclusion or execution of the contract. If users do not provide their data, they will not be able to register or use the functions of the app, i.e. it will not be possible to conclude and/or execute a contract.
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was processed. The processing will be restricted if there are legal obligations to retain data.
Authentication & User Profile
The User’s email address is being processed for authentication and email notifications. The Audvice Applications do not have access to the Controller’s email address directory.
If the Controller chooses authentication through invitations, the Controller invites the User via their email address to use the Audvice Applications. To access the Audvice Applications, the User is required to accept the invitation and set up their profile. To successfully complete the profile setup and be granted access to the Audvice Applications, the User is required to provide their first name and last name and choose a password.
If the Controller chooses authentication through Single-Sign-On, the User can access the Audvice Applications with their Single-Sign-On credentials. Only when the User logs in for the first time will the Audvice Applications process the User’s personal data, including email address, first name, last name and, if the Controller chose Single-Sign-On mapping, information on their department or country to automatically assign them to groups.
The purpose of this processing is to help the Controller manage Users and to enable the User to identify other Users in the Audvice Applications.
The legal basis for the processing of the mentioned data is Art. 6 para. 1 lit. b) GDPR. The provision of this required user data is necessary and obligatory for the conclusion or execution of the contract.
Optionally the user can also provide additional non-mandatory information, such as job title, LinkedIn profile and a profile picture. After the User’s first login the Audvice Applications are processing access and refresh tokens as well as the language of the User’s device. The purpose for this is to provide easier access for the User after their first manual login and display the Audvice Application in the User’s language.
If the User is assigned a creator role by the Controller they can record tracks and share them as playlists with other users or groups in the Audvice Mobile App. Before recording, the User is asked for permission to access the device’s microphone and local storage. The user is able to allow or deny and also change it at any time in their phone settings. When the User records tracks in the Audvice Mobile App they will be saved to drafts and get stored in the local device storage. Only when the User selects tracks from their drafts and shares them as a playlist, the audio files are being processed by the Processor and will be removed from the local storage and uploaded together with the playlist meta data to our servers for streaming.
Playlist meta data includes required data namely title of the playlist, title of the tracks, and optional data namely playlist description and link to any external source. Once the playlists have been shared an automatic transcript of each track in the playlist is generated, which serves the sole purpose of providing the listener with a visual anchor.
The legal basis for the processing is the legitimate interest in processing personal data according to Art. 6 para. 1 lit. f) GDPR.
Locally Stored Data
The Audvice Applications save the access and the refresh token after the User logs in to the app. In order to keep the User logged in, the access and the refresh token are stored after the User’s first manual login. The audio library ID is also stored in the local storage.
Recently Listened Playlists
Audvice Applications process the User’s streaming history to enable the User to finish playlists where they left off and to give the content creator of the playlist insights on who listened to their tracks.
When a User is searching for something in the Audvice Applications, namely playlists, tracks, groups or Users, we store the last search words in the local storage. This information is stored to help the User find the last things they were searching for faster.
Local storage is also used to improve Users’ experience. For example, storing the language helps translate the Audvice Applications into the preferred language immediately after the User opens a page. Storing the volume helps remember the preferred volume at which the User listens to tracks. This way the User doesn’t have to adjust the volume each time after the Audvice Application is closed.
All data stored in the Local Storage can be erased by the User in the Audvice Applications by clearing the browser’s or phone’s cache.
The legal basis for the processing is the legitimate interest in processing personal data according to Art. 6 para. 1 lit. f) GDPR.
The User may receive push or email notifications, which process first name, last name, email address, title of the playlist being shared and personal data specifically mentioned below.
The Audvice Mobile Application may send push notifications to the user to inform them on recent and relevant activities in the Audvice Applications. When first logging into the Audvice Mobile App the User is asked for permission to receive push notifications.
After the User has consented, a device token is created. The device token is necessary to know which of the User's devices should receive push notifications. The device token is NOT the UID of the physical device. It’s created by SNS to identify the devices.
Every notification sent to the User has its own deep link URL. When a User clicks on a push notification, the Processor uses this deep link to open the exact location of this notification (e.g., a User gets a notification that a playlist has been shared with them. When clicking on the notification, the deep link opens the Audvice Mobile App and takes the User to this specific playlist). After the notification has been processed, the deep link for that notification is removed from the local storage. The User can revoke the consent at any time in their device settings. Deletion of the registration ID along with the User's push settings will be carried out upon de-registration.
The legal basis for data processing concerning push notifications is your consent and thus Art. 6 para. 1 lit. a) GDPR. You can revoke your consent to receive push notifications at any time with effect for the future.
The Audvice Applications send email notifications to the user to inform them on recent and relevant activities in the Audvice Applications.
The legal basis for data processing concerning email notifications is the user’s consent and thus Art. 6 para. 1 lit. a) GDPR. The user can revoke his consent to receive email notifications at any time with effect for the future by opting out directly in the email to no longer receive the notifications.
Audvice is applying analytics across all Audvice Applications with the purpose of improving user experience and developing new features that benefit the User and Controller. All data is anonymized or condensed before being processed for analytics.
The legal basis for this is Art. 6 para. 1 lit. f) GDPR. If the user has given his consent, the legality of the use is also based on Art. 6 para. 1 lit. a) GDPR.
Hosting and Backend Infrastructure
All user data at rest or in transit is processed on servers in Frankfurt, Germany, provided by Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg. There is no transfer of personal data outside of the EU.
All personal data at rest, namely email address, first name, last name, user ID, profile picture, LinkedIn profile, streaming history, tracks (audio files), playlist metadata (including title, description, link to external sources and track titles) and transcripts, is encrypted through Bring Your Own Key. The Key is solely held by Audvice, which prevents third parties, including Amazon Web Services, from accessing personal data at rest.
All personal data in transit is encrypted. This includes data processed through email notifications, which is encrypted using TLS; data processed through push-notifications, which is encrypted using SSL; streaming of tracks, which is encrypted using SSL; data processed through the generation of transcripts, which is encrypted through SSL.
The use of AWS is based on Art. 6 para. 1 lit. f) GDPR. The Processor has a legitimate interest in the most reliable presentation of Audvice Applications. If a corresponding consent was requested, the processing is based exclusively on Art. 6 para. 1 lit. a) GDPR; the consent can be revoked at any time.
The data will be stored as long as a contractual relationship with the Controller exists. After that, the data will be deleted as long as no legal regulations require a longer deletion period.
The Processor has concluded a Data Processing Agreement (DPA) with AWS. This is a contract required by data protection law, which ensures that AWS only processes the personal data of the Users of the Audvice Applications in accordance with the Processor’s instructions and in compliance with the GDPR.
Furthermore, the EU standard contractual clauses have been concluded and a transfer impact assessment of the Amazon Web Services Sub-Processor is available.
Contacting by the User
If you contact Audvice by email, your email address and the content of your message will be forwarded to the Controller to process your request and stored in the event that follow-up questions arise. The processing of your personal data serves the purpose of being able to assign your request and to be able to answer you.
In this context, the legal basis for the processing of your personal data is the Controller’s legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. The Controller has a legitimate interest in fulfilling the inquiries of the Audvice Application’s Users and in responding to them in a timely manner.
The personal data will be deleted after the storage is no longer necessary or the processing will be restricted if legal storage obligations prevent the deletion.
The rights of Users
If your personal data is processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and the following rights apply to you:
Pursuant to Art. 15 GDPR you can request information about your personal data processed by us. In particular, you may obtain information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the right to lodge a complaint with a supervisory authority, the origin of your data, if not collected from us, about transfer to third countries or international organisations, and the existence of automated decision-making, including profiling and, where applicable, meaningful information about the logic involved.
Pursuant to Art. 16 GDPR you can immediately demand the correction of incorrect data or the completion of your personal data stored with us.
Pursuant to Art. 17 GDPR, you may request the deletion of your personal data stored by us, provided that the processing is not necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
Pursuant to Art. 18 GDPR, you can request the restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful, if we no longer need the data and if you refuse their deletion because you need to establish, exercise or defend legal claims. You are also entitled to the right under Art. 18 GDPR if you have objected to the processing in accordance with Art. 21 GDPR.
Pursuant to Art. 20 GDPR, you may request that the personal data you have provided us with be received in a structured, current and machine-readable format or you may request that it be transmitted to another person responsible.
Pursuant to Art. 7 para. 3 GDPR you can withdraw your consent at any time. As a consequence, we are no longer allowed to continue the data processing based on this consent for the future.
Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority. You can contact the supervisory authority of your habitual residence, place of work or our company headquarters.
In case the processing of your personal data is based on legitimate interest in accordance with Art. 6 para. 1 s. 1 lit. f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR insofar as there are reasons which arise from your particular situation or if the objection refers to direct marketing. In the case of direct marketing, you have a general right of objection which will be considered without mentioning any particular situation.
You can exercise these rights by contacting firstname.lastname@example.org.
Audvice GmbH as the Processor will receive the requests from data subjects. The request will be forwarded to the Controller for the requests to be properly addressed.
List of Sub-Processors
Amazon Web Services EMEA SARL
38 avenue John F. Kennedy