Data Privacy Policy for facelift and facelift Social Share Mobile Applications
Preamble
The facelift software, hereinafter referred to as the Service, is a cloud software that enables its users to prepare and publish content for social media, to engage with the community, and to analyze social media activities. The facelift mobile application, hereinafter referred to as the Mobile App, is an alternative user interface for the Service.
The facelift Social Share mobile application, hereinafter referred to as Social Share App, is a mobile application for users to publish content prepared via the Service through their personal social media profiles.
Hereinafter, the Mobile App and the Social Share App are referred to as the Apps.
The Service and the App are created and maintained by
Facelift brand building technologies GmbH
Gerhofstraße 19
D-20354 Hamburg, Germany,
hereinafter referred to as Facelift. Facelift’s Data Protection Officer can be contacted via email to dataprivacy@facelift-bbt.com.
The Service and the Apps are exclusively intended for non-private use. Usage of the Service and the Apps requires a user account that must be set up by an entity, hereinafter referred to as the Facelift Customer, on whose behalf users of the Mobile App prepare and publish content and engages the Facelift Customer’s community in social media networks, and from whom user of the Social Share App receive prepared content.
Consequently, it is assumed that users of the Apps, hereinafter referred to as the User, use the Apps for the performance of a contract or chain of contracts – directly or indirectly – between themselves and the Facelift Customer or are otherwise legally entitled to act on the Facelift Customer’s behalf. If the User does not use the Apps on behalf of a Facelift Customer, the User must cease usage of the Apps and must delete the Apps from their devices immediately.
Purposes, Controllership, Legal Basis of Processing
Personal data processing concerning the Mobile App is primarily for the User to prepare and create content for social media profiles of the Facelift Customer, as well as for the User to engage with the Facelift Customer’s community via said social media profiles. Personal data processing concerning the Social Share App is primarily for the User to publish prepared content through their personal social media profiles. Secondarily, data processing concerning the Apps is to provide the Apps, and more general the Service, in an orderly and secure manner, as well as to support users and improve the Apps and the Service, especially regarding user experience.
Regarding the Apps, both Facelift and the Facelift Customer have separate exclusive non-joint controllership concerning processing activities. Notwithstanding contradictory agreements between Facelift and the Facelift Customer, Facelift is the sole controller concerning the secondary purposes mentioned above. The secondary purposes result in the following categories of processing activities
- User support,
- Orderly functioning of the Apps and the Service, and
- Continual improvement of the Apps and the Service.
For every processing activity related to the Apps that is not listed above, the Facelift Customer is the controller and Facelift acts as processor for the Facelift Customer on the basis of a data processing agreement in accordance with Article 28 of the European Union General Data Protection Regulation (GDPR).
This policy is exclusively applicable to processing activities for which Facelift is the controller.
Regarding processing activities for which Facelift is the controller, the processing of personal data concerning the User is based on Article 6(1) lit. f GDPR; the legitimate interests of Facelift being
- the performance of its contracts with its customers, including, but not limited to, the Facelift Customer; and
- its general business interests concerning improvements of the Apps and the Service, especially the identification and removal of programming errors (bugs) and the improvement of user experience.
Recipients of Personal Data, Transfers to Third Countries
Personal data for which the Facelift Customer is the controller is shared by Facelift with the Facelift Customer and with Facelift’s hosting provider. Facelift’s hosting provider is legally and geographically based within the European Union.
Personal data for which Facelift is the controller may be shared with third parties if the third parties’ expertise is necessary for the purposes of processing, this particularly holds true for Facelift’s hosting provider.
Where Facelift shares personal data with third parties located outside the EU or European Economic Area, such transfers of personal data rely on adequacy decisions by the European Commission in accordance with Article 45 GDPR1, or are based on appropriate safeguards in the form of standard data protection clauses for the transfer of personal data to third countries as adopted by the European Commission.2
Facelift transfers personal date to the following third parties.
| Third Party | Third Country | Purpose / Processing Activity |
| Intercom Inc. | USA | User support: ticket system and in-app chat support (Mobile App only) |
| Google LLC | USA | User support: push notifications for in-app chat support (via Firebase Cloud Messaging); Orderly functioning of the Apps and the Service: crash reports (via Firebase Crashlytics, Android version of Mobile App only) |
| Mixpanel Inc. | USA | Continual improvement of the Apps and the Service: pre-processing and analysis |
| Twilio Inc. | USA | Continual improvement of the Apps and the Service: analysis (via Segment) |
Data Retention
Personal data is retained for varying timespans depending on the purposes of processing. For processing activities for which Facelift is the controller retention periods are as follows:
- log files containing personal data are retained for up to 30 days;
- other personal data will be retained until no longer relevant, considering the purposes of data processing, the circumstances of data collection, and whether or not personal data can be anonymized for the purpose.
Personal data processed by Facelift for a given purpose will be deleted once the data is no longer needed for the purpose.
Data Subject Rights
The User is granted the rights of data subjects laid down in Chapter III GDPR.
Under Article 15 GDPR, the data subject is entitled to obtain from the controller confirmation as to whether personal data concerning them is being processed. If personal data concerning the data subject is being processed by the controller, the data subject also has the right to request from the controller information regarding the purposes of processing; the categories of personal data concerned; the (categories of) recipients of personal data concerning the data subject, in particular, recipients in third countries or international organizations; where possible, the retention periods of personal data, or if not possible, the criteria used to determine such retention periods; the right to request from the controller rectification or erasure or the restriction of processing or to object to processing; the right to lodge a complaint with a supervisory authority; the origin of personal data concerning the data subject where such data was not collected from the data subject; the existence of automatic decision-making, including profiling, and meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
Under Article 16 GDPR, the data subject has the right to obtain from the controller that inaccurate personal data concerning the data subject be rectified without undue delay.
Under Article 17 GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning the user without undue delay, unless the processing of personal data concerning the data subject is necessary for the right of freedom of expression and information; for compliance with legal obligations; for reasons of public interest; or for the establishment, exercise, or defense of legal claims.
Under Article 18 GDPR, the data subject has the right to obtain from the controller the restriction of processing of personal data concerning the data subject provided that the accuracy of the personal data is contested; the processing is unlawful and the data subject opposes erasure and requests restriction instead; the controller does not need the personal data any longer but the data is required by the data subject for the establishment, exercise, or defense of legal claims; or the data subject has objected to processing of personal data concerning them, as long as it takes to verify that the controller’s legitimate interest override the data subject’s.
Under Article 20 GDPR, the data subject has the right to receive from the controller the personal data concerning them which they have provided to the controller in a structured, common, machine-readable format, provided that the processing is based on consent pursuant to Article 6(1) lit. a or Article 9(2) lit. b GDPR or is based on a contract pursuant to Article 6(1) lit. b GDPR. Per the data subject’s request, the data may also be transmitted to another controller.
Under Article 21 GDPR, the data subject has a right to object. In accordance with Article 21(4) GDPR, this right must be presented clearly and separately from any other information. Accordingly, the right is presented in the section entitled “Right to Object.”
In addition to the rights granted to the User under Chapter III GDPR, where the processing of personal data concerning the data subject is based on consent, the data subject has, under Article 7(3) GDPR, the right to revoke said consent at any time.
Under Article 77(1) GDPR, the data subject is also entitled to lodge a complaint with a supervisory authority, especially a supervisory authority at the data subject’s habitual place of residence, at the data subject’s place of work, or with the controller’s relevant supervisory authority.
Right to Object
Under Article 21 GDPR the data subject has the right to, at any time and on grounds relating to their particular situation, object to processing of personal data concerning them where the processing is based on Article 6(1) lit. e or f GDPR. After the right has been claimed by the data subject, the controller must cease the processing of personal data concerning the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject; or the processing is necessary for the establishment, exercise, or defense of legal claims.
The data subject always has the right to object to processing of personal data concerning them for direct marketing purposes.
Concerning processing activities for which Facelift is the controller, the right to object can be claimed via email to dataprivacy@facelift-bbt.com.
Consequences of Failure to Provide Personal Data, Automated Decision-Making, Profiling
Failure of the User to provide personal data may prevent Facelift from granting access to the Service to the User, from providing the User with adequate user support, or from ensuring the orderly functioning of the Apps and the Service for the User.
Facelift does not subject the User to automatic decision-making, including profiling, as defined in Article 22 GDPR.
[1]The full list of countries that provide adequate protection can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[2]The text of the standard data protection clauses can be obtained from the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en