MeinDatensatz
DE EN
Legal

Privacy Policy

Last updated: March 2025

1. Data Controller

IDentity Center GmbH

Frankfurter Str. 151B, 63303 Dreieich, Germany

E-Mail: info@meindatensatz.de

Phone: +49 69 175369080

IDentity Center GmbH ("we", "us") operates the MeinDatensatz service at meindatensatz.de. This privacy policy explains what personal data we collect, how we use it, and your rights as a data subject.

2. Data We Collect

2.1 Business Customer Registration

When you register as a business customer (tenant), we collect:

  • Salutation, first name, and last name
  • Business email address
  • Company name
  • Preferred language
  • IP address and browser information at registration (security log)

2.2 One-Time Passwords (OTP)

We use one-time email codes (OTP) instead of passwords for administrative login. These codes are automatically deleted after use or expiry and are never stored in plain text.

2.3 Usage Data and Logs

For the secure operation of the service, we store technical log data including:

  • Date and time of access
  • IP address (for security checks)
  • Pages accessed
  • Error messages

Logs do not contain plain-text content of customer records.

2.4 Customer Records (Escrow Function)

As part of the escrow function, business customers upload their end-customer records in encrypted form. This data is stored exclusively end-to-end encrypted. We process this data as a data processor under Art. 28 GDPR on behalf of the respective business customer and have no access to decrypted content at any time. Since only non-decryptable ciphertext and opaque reference identifiers are stored, this data does not constitute personal data within the meaning of Art. 4(1) GDPR as far as IDentity Center GmbH is concerned (cf. Recital 26 GDPR). A Data Processing Agreement under Art. 28 GDPR is therefore not required. The full legal reasoning and technical safeguards are available at meindatensatz.de/avv and meindatensatz.de/toms.

2.5 Contact Form

If you contact us via the contact form or by email, we store your details (name, email, message) to process your request.

3. Legal Basis for Processing

  • Art. 6(1)(b) GDPR – Contract performance: processing to provide the service to registered business customers.
  • Art. 6(1)(f) GDPR – Legitimate interests: security logging, abuse prevention, system operation.
  • Art. 6(1)(a) GDPR – Consent: where you have given explicit consent (e.g. newsletters, if offered).
  • Art. 28 GDPR – Data processing agreement: for encrypted customer records in escrow operation.

4. Retention Periods

  • Registration data is retained for the duration of the contractual relationship and deleted within 30 days of termination, unless statutory retention obligations apply.
  • OTP codes are automatically deleted after use or after expiry (10 minutes).
  • Security logs are automatically rotated after 90 days.
  • Audit logs are retained for the legally required or contractually agreed minimum period.
  • Encrypted customer records are deleted upon contract termination or at the business customer's instruction.

5. Recipients of Data

We do not share your personal data with third parties unless:

  • You have given explicit consent,
  • disclosure is necessary for contract performance,
  • we are legally required to do so, or
  • processors (e.g. hosting providers with servers in Germany) process data on our behalf under DPAs pursuant to Art. 28 GDPR.

No data is transferred to third countries outside the EU/EEA.

6. Cookies and Sessions

We use only technically necessary session cookies that are deleted when your browser session ends. These cookies serve solely to maintain your session (login status) and are strictly required for the operation of the service. No tracking, analytics, or marketing cookies are used.

7. Hosting and Servers

The service is operated on servers located in Germany. Servers are operated by IDentity Center GmbH or a German hosting provider under a data processing agreement.

8. Your Rights as a Data Subject

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) – You may request information about the data stored about you.
  • Rectification (Art. 16 GDPR) – You may request correction of inaccurate data.
  • Erasure (Art. 17 GDPR) – You may request deletion of your data under certain conditions.
  • Restriction (Art. 18 GDPR) – You may request restriction of processing.
  • Portability (Art. 20 GDPR) – You may request your data in a machine-readable format.
  • Objection (Art. 21 GDPR) – You may object to processing based on legitimate interests at any time.
  • Withdrawal of consent – Any consent given may be withdrawn at any time with effect for the future.

To exercise your rights, please contact: info@meindatensatz.de

You also have the right to lodge a complaint with the competent data protection supervisory authority. The responsible authority is the Hessian Commissioner for Data Protection and Freedom of Information (Hessischer Beauftragter für Datenschutz und Informationsfreiheit), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany (www.datenschutz.hessen.de).

9. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in law or our service. The current version is always available at meindatensatz.de/privacy.