Data Privacy

sustainabill GmbH is firmly committed to protecting the privacy and security of your data. Therefore, we have designed our website and business processes with the aim of collecting and processing as little personal data as possible. This privacy policy explains which information we record during your visit to our website and our cloud platform and for which purposes and how this information is used.


This privacy policy was last updated in May 2021.

“We” or “us” in this privacy policy refers to sustainabill GmbH, Im Mediapark 5, 50670 Cologne, Germany.
This privacy policy applies to the processing of personal data collected via our websites under sustainabill.de and cloud.sustainabill.io and we are the controller in this regard.

You may reach our data protection officer under: privacy@sustainabill.de.

2.1 When contacting us or signing up to our email newsletter

If you provide data via the contact form, we will use this data only to comply with your request (legal ground may be Art. 6 Sec. 1 Clause 1 (a), (b) or (f) of the European General Data Protection Regulation, “GDPR“). We will delete the data within three months after your request has been taken care of, unless we are entitled or obliged to retain your data for a longer time period.

If you subscribe to our newsletter, we will store the given contact details for the purpose of delivering the newsletter (legal ground is Art. 6 Sec. 1 Clause 1 (a) or (b) GDPR). You will remain registered to receive the newsletter until you opt out from receiving them. Each newsletter includes a link enabling you to opt out from the newsletter subscription. You may further opt out at any time with effect for the future by letting us know you wish to object or to withdraw your consent (see Sec. 8 below). If you opt out we will delete your data, unless we are entitled or obliged to further retain your data.

2.2 When using the sustainabill platform under cloud.sustainabill.io

I.    REGISTRATION / LOG-IN:

When you register your organization with us (i.e. the sustainabill platform, available under cloud.sustainabill.io), you have to agree to our License Agreement and Terms of Use. Besides, we need information to set up and manage your organization’s account. This information is provided by you and includes, for example, your name, the name of your organization, your email address and password as well as (further) contact and payment details. We process this information to enter into and fulfil the agreement with your organization and reply to your requests (Art. 6 Sec. 1 Clause 1 (b), (c) and (f) GDPR). Particularly your email address will be used for log-in access to your account and to inform you about updates in the sustainabill platform which are relevant for the performance of the agreement with your organization (Art. 6 Sec. 1 Clause 1 (b) and (f) GDPR).

II.    USAGE OF THE SUSTAINABILL PLATFORM:

When you use the sustainabill platform, we process information about you in our role as data processor on behalf of your organization in its role as data controller, i.e. we process your personal data to the extent necessary for the performance of the agreement with your organization (Art. 6 Sec. 1 Clause 1 (b) and (f) GDPR). Such personal data may include information entered by you when you log into your account (for example, your name and email address), contents of correspondence with you as well as your usage of the sustainabill platform, including the con-tents of the correspondence between yourself and others. Your organization is responsible for the processing of your personal data in the sustainabill platform. It may, for ex-ample, grant or withdraw access to a feature, access, analyze, modify, export, share and/or remove the data in the sustainabill platform and/or otherwise apply its policies to it. Please refer to your organization for further details.

III.    INVITATION TO THE SUSTAINABILL PLATFORM AND/OR CONTACT DETAILS PROVIDED BY OUR CUSTOMERS

Customers may invite suppliers to the sustainabill platform which are not yet registered with us. If you are a supplier contact, you may receive such invitation. Alternatively, customers may ask you to allow them to share your data (address of your organizations as well as your contact details) on the sustainabill platform. For these purposes, sustainabill acts as a data processor of the respective customer in the sense of Art. 4 Sec. 8, 28 GDPR. If sustainabill intends to process your personal data beyond its role as the customer’s data processor, sustainabill will inform you accordingly and will obtain your consent (Art. 6 Sec. 1 Clause 1 (a) GDPR) to such processing, if necessary.
2.3    Customers may invite suppliers to the sustainabill platform which are not yet registered with us. If you are a supplier contact, you may receive such invitation. Alternatively, customers may ask you to allow them to share your data (address of your organizations as well as your contact details) on the sustainabill platform. For these purposes, sustainabill acts as a data processor of the respective customer in the sense of Art. 4 Sec. 8, 28 GDPR. If sustainabill intends to process your personal data beyond its role as the customer’s data processor, sustainabill will inform you accordingly and will obtain your consent (Art. 6 Sec. 1 Clause 1 (a) GDPR) to such processing, if necessary.

3.1 Logfiles

Each time you visit our websites under sustainabill.de or our cloud platform under cloud.sustainabill.io, our web servers automatically save – like any other web servers – standardized information in a log file about your terminal device and the used browser: the IP address and your internet access provider, the specific address of the visited web pages, possibly the web page from which you were directed to us (link source), the version and type of the web browser used, the operating system of your device, as well as the date and time of page requests. We partly require this information for technical reasons, i.e. in order to be able to display our website and ensure stability. In addition, we store IP addresses in log files in order to be able to pursue our rights and restore IT security in case of an attack against our IT (our legitimate interest; Art. 6 Sec. 1 Clause 1 (f) GDPR). For this reason, such data will be held for 14 days. We will not use this information for purposes other than those. We do not share this information with third parties. With the exception of your IP address, it is not possible for us to connect the log files information to you as a person. We only use IP addresses in log files for identification of users in case of an attack.

3.2 Tracking and technical control with cookies

We use cookies on our websites under sustainabill.de and cloud.sustainabill.io. A cookie is a small piece of data (usually a code or a small image file) send from our websites and stored on your device by your web browser while you are browsing. It allows recognition of your device when you are browsing on our websites. You may block and delete cookies via the settings of your web browser or choose settings to indicate when a cookie is being sent.  Furthermore, when you visit our websites, a cookie banner will inform you about our usage of cookies and enable you to agree to or block them.

3.3 Maps and Address Resolution (Mapbox Incorporated)

The sustainabill platform utilizes map services provided by Mapbox Incorporated, (short “Mapbox“). If you are using our cloud platform, sustainabill transfers your organization’s address or GPS coordinates to Mapbox. In addition, when you access those parts of the platform which provide a map, your internet browser or application will connect to servers operated by Mapbox located in the United States of America. In order for the map to be displayed, your IP address will be forwarded to Mapbox and a session cookie (i.e. a temporary cookie which allows Mapbox to link the actions of a user during a browser session) may be set. The use of the aforementioned tools is based on Art. 6 Sec. 1 Clause 1 (f) GDPR: the data processing is done to improve the user-friendliness on the sustainabill platform and is in the interest of an appealing presentation of our services. It is therefore in our legitimate interest. sustainabill has no control over such connections and processing of the aforementioned data by Mapbox. You can find more information on the processing of user data by Mapbox under the following link: https://www.mapbox.com/legal/privacy/. To prevent all of the connections and processing described above, use the settings feature in your sustainabill profile and turn off displaying maps. See Annex 1 (Subcontractors and Service Providers), [2] for additional details.

3.4 Signing up to our newsletter and inviting suppliers (Mailjet SAS)

The sustainabill platform and the sustainabill Website uses emails to communicate with you or your suppliers. To make sure that emails are delivered we use the technology of Mailjet SAS. This use of is based on Art. 6 Sec. 1 Clause 1 (f) GDPR: It is in our legitimate interest that emails are delivered and any problems with delivery (such as typing errors in email addresses or misuse) can immediately be identified and rectified. Mailjet will process any email address entered in the sustainabill platform or the sustainabill website to make sure that the email can be delivered. You can find more information on the processing of this data by Mailjet SAS under the following link: https://www.mailjet.com/security-privacy/. See Annex 1 (Subcontractors and Service Providers), [3] for additional details.

CAPTCHA

On some forms on our website we add a Google Captcha to ascertain that the forms are likely filled by humans. This helps us to reduce the amount of spam and marketing emails send via our website.

Unless specified otherwise in the above, we delete your personal data when the contract between your organization and us ended, all claims have been met and we are neither obliged to further store your data (for example, due to statutory retention obligations) nor entitled to further store your data (for example, based upon consent).

We do not disclose or otherwise transfer your personal data to any third party without your prior consent except in the following situations:

5.1    We use third party IT providers in order to provide our services. Such providers act as our processors within the meaning of Art. 28 GDPR. Amongst others, we use the Telekom Deutschland GmbH’s Open Telekom Cloud to store and process all customer data. Telekom Deutschland GmbH itself stores and processes all data in Germany. Your data will leave the borders of Germany under no circumstances. See Annex 1 (Subcontractors and Service Providers), [1] for additional details.

5.2    We use services of third parties which are as such not part of our contractual services but still necessary in order to enter into or perform the contracts with our customers or to pursue claims or to defend against claims (our legitimate interests) and which require a disclosure/transfer of the data. Such third parties include advisors (in particular tax and legal advisors), providers of logistics and postal services, payment and claims management providers, courts and public authorities. In such case, the legal ground for disclosure/transfer is Art. 6 Sec. 1 Clause 1 (b), (c) or (f) GDPR.

5.3    The disclosure/transfer is necessary for compliance with a legal obligation to which we are subject (Art. 6 Sec. 1 Clause 1 (c) GDPR).

To protect your personal data against unauthorized access, loss and misuse, we have taken extensive technical and operational security precautions. Our security procedures are regularly reviewed and adapted to technological progress. Our employees are under obligation to maintain confidentiality.

We will conduct appropriate reviews of this privacy policy and will work to continuously improve it and revise it as necessary. Any changes made to the policy will be disclosed directly to users and/or posted on our websites.

8.1    Right to access the personal data we process about you
8.2    Right to rectification of your personal data
8.3    Right to erasure (“right to be forgotten”)
8.4    Right to restriction of processing
8.5    Right to data portability

8.6    Right to object: you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interest, including profiling based on this. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to such processing, which includes profiling to the extent that it is related to such direct marketing.

8.7    To the extent we process your personal data based on your consent, you may withdraw such consent at any time. In such case, we shall no longer process the personal data, unless we are obliged or entitled to further process the personal data based on another legal ground.
8.8    Furthermore, you have the right to lodge a complaint with a supervisory authority. A list of supervisory authorities in Germany and their contact details you may find under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Please do not hesitate to contact us if you have any further questions, for example concerning the personal data recorded. You may use the following email: privacy@sustainabill.de.