Data Protection Statement

From May 25, 2018, the requirements of the EU General Data Protection Regulation will apply throughout Europe. We would like to inform you about the processing of personal data carried out by our company in accordance with this regulation (see Articles 13 and 14 of the GDPR). If you have any questions or comments about this data protection declaration, you can send them to the e-mail address given under point 2 or 3 at any time.

I. Overview

In this section, you will find information on the scope of application, on the person responsible for data processing, on his data protection officers, and on data security.

1. Scope of application

The data processing by the Open as App GmbH can essentially be divided into two categories:

This Privacy Policy applies to the following offers:

All these offers are collectively referred to as “Services”.

2. Responsible

The person responsible for data processing – ie the officer who decides on the purposes and means of processing personal data – in connections with the services of the Data Protection Officer at:

Open as App GmbH,
Amalienstr. 62, 80799 Munich, Germany
Phone: +49 (0)89 3801 2952-1

3. Data Protection Officer

You can contact our data protection officer via this website:

Graduate of Commerce Marc Althaus
Frapanweg 22, D-22589 Hamburg/Germany

4. Data Security

We have established an information security management system in our company in order to develop the measures required in Art. 32 of the GDPR and thus achieve a level of protection appropriate to the risk.

II. The Data Processing  in Detail

In this section of the data protection declaration, we inform you in detail about the processing of personal data within the scope of our services. For better clarity, we’ve structured this information according to certain functionalities of our services. In the normal use of the services, different functionalities and thus also different processes can come into effect, either one after the other or simultaneously.

1. General information about data processing

Unless otherwise stated, the following applies to all processing operations described below:

a. No obligation to provide

You are not obliged to provide data. There is no contractual or legal obligation to provide personal data.

b. Consequence of non-provision

Failure to provide the required data, i.e. data that is marked as mandatory during entry, means that the service in question cannot be provided. Otherwise, failure to provide our services available may mean that they cannot be provided in the same form and quality.

c. Consent

In various cases, you also have the option of giving us your consent (where applicable for only part of the data) to further processing in connection with the processing described below. In this case, we’ll inform you separately about all the details, the scope of the consent, and about the purposes which we pursue with these processing steps in connection with the submission of your declaration of consent.

d. Transfer of personal data to third countries

If we transfer data to third countries, i.e. countries outside the European Union, then the transfer takes place exclusively in compliance with the legally-regulated admissibility requirements.

The admissibility requirements are regulated by Articles 44-49 of the GDPR.

e. Hosting with external service providers

To a large extent, our data processing takes place with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centers and also process personal data on our behalf in accordance with our instructions. These service providers process data either exclusively in the EU or we have a guaranteed adequate level of data protection through the EU standard data protection clauses.

f. Transmission to state authorities

We transfer personal data to state authorities (including law enforcement authorities) if this is necessary to fulfill a legal obligation to which we are subject (legal basis: Art. 6 para. 1 c) of the GDPR) or if it is necessary to assert, exercise or defend legal claims (legal basis Art. 6 para. 1 f) of the GDPR).

g. Storage time

We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary storage is still necessary. The reasons for this could be, for example, the following:

It is also possible for us to continue to store your data with us if you have given your express consent.

h. Data categories – contact and usage-related data

If you work with Open as App, you can submit certain data to us. Some data is also created automatically. This data includes:

i. Data categories – content data

You can store a variety of data and images in your Open as App account. There is no obligation to upload this data. Open as App does not access this data in your account or will do so only with your explicit permission, e.g. in case of a support request.

This data includes, for example, App user list, user groups, user-created apps, user-stored app conditions (such as a calculated offer), user-created comments, access control lists (list of content to which the user has access), content subscriptions (list of content that the user consumes and for which he wants to receive updates, similar to the “Like/Follow” concept).

2. Accessing the website/application

This section describes how we process your personal data when you access our services. We would particularly like to point out that the transmission of access data to external content providers (see under b.)is unavoidable due to the technical functioning of information transmission on the Internet.

We collect access data in order to ensure the proper functioning of our services, the security of data and business processes, the prevention of misuse, and the prevention of damage caused by interference with the information system. The data is processed to establish a connection, to display the contents of the service, to detect attacks on our site based on unusual activities, and to diagnose errors (according to Art. 6 Para. 1 f) of the GDPR). We store this data for seven days.

To provide and improve our services, we also cooperate with providers who create and compile statistics, as well as providers of IT services (e.g. data centers and providers of hosting, backup and database services). These technical service providers have access to your data only to the extent necessary to perform their tasks. The technical service providers are obliged to treat your data in accordance with this data protection declaration and the applicable data protection laws.

This order processing is carried out in accordance with (Art. 28 of the GDPR). Our service is hosted and provided in the Azure Cloud Europe. Data is hosted and availability and usage data are collected. We use the European provider MailJet SAS (e-mail address) to transmit system messages by e-mail. To improve the user experience and to monitor errors, we use Sentry and AppCues, which process data that can be used to identify the user, e.g. an IP address or App ID. For easy access to content within the app, we use to provide deep links that may also be associated with user identification. uses various features to recognize your device in order to be able to show you the content intended for you after the app has been installed. An “Opt-Out” for this so-called fingerprinting is possible via the following page:

You can use data you share with other cloud providers to create an app, e.g. Google OAuth/Google Sheets/Google Drive/OneDrive/Dropbox. Interaction with these third parties only takes place with explicit consent.

3. Marketing information

Here you can read what happens to your personal data in connection with a subscription to marketing information in accordance with Art. 6 Para. 1 letter b) of the GDPR. Your data will be stored for the duration of the information subscription, provided there are no further documentation obligations.

To send marketing information by e-mail, you can register with your e-mail address. Your registration will be verified using the double-opt-in procedure. We collect additional personal data to personalize our information. We also document the registration data in order to be able to trace the registration/confirmation or deregistration if required. We use the user profile data for marketing information, the use of the account, or your role in the account to design information according to your needs and interests.

We use third-party systems to process all of the above data. We use HubSpot (Privacy Shield) to improve our services, provide advertising content, and automate information processes. You can make appointments directly with us using the Calendly service. We use Salesforce (Privacy Shield) to manage our sales and customer data. As a payment service for credit card processing, we use Stripe and Quaderno, where contact and financial data is processed. Wista is used to provide videos and marketing information in our services. An IP address is transmitted when a film is viewed.

4. Application

When you apply to us, we process your personal data in the following way (according to Art. 6 Par. 1 b) of the GDPR: In order to identify, contact us, communicate, initiate contracts and check your age, we require address data, contact data and personal master data that you provide to us in your application. Your application data will be used to select a suitable applicant. The data is processed by the responsible dept. for application management. We delete this data after six months unless you have given us permission to store this data for a longer period of time.

5. Customer Support

This way, we process your personal data if you use our customer service (article 6 paragraph 1 b), f)): In order to process your customer inquiries and user complaints, we require personal master data, contact data as well as the contents of the inquiries/complaints. Your IP address, e-mail address, and your request will be processed with Zendesk. You enter the e-mail address actively when creating the ticket in the help area. We store this data as long as your account exists. On you can read technical details about our service. If you leave comments there, your e-mail address may be passed on to

6. Tracking

Below we describe how your personal data is processed using tracking technologies to analyze and optimize our services and for advertising purposes.

The description of the tracking procedures also includes information on how you can prevent or object to data processing. Please note that the so-called “Opt-out”, i.e. the rejection of processing, is usually stored via cookies. If you use our services via a new terminal or in another browser, or if you have deleted the cookies set by your browser, you must declare your rejection again.

(1) Purposes of the processing

The analysis of user behavior via tracking helps us to check the effectiveness of our services, to optimize and adapt them to the needs of the users, and to correct errors. It also serves to statistically determine characteristic values about the use of our services (range, the intensity of use, surfing behavior of users) – on the basis of uniform standard procedures – and in this way to obtain market-wide comparable values.

Tracking to measure the success of advertising campaigns serves to optimize our ads for the future and enables marketers and advertisers to optimize their ads accordingly. The purpose of tracking to optimize the display of advertising is to show users advertising tailored to their interests, to increase the success of advertising, and consequently advertising revenues.

(2) Legal basis of the processing

Informed consent within the meaning of the GDPR is required for services that make the behavior of affected persons on the Internet comprehensible and for services for the creation of user profiles.

(3) The tracking procedures used in detail

This website uses Google Analytics, a web analysis service of Google Inc (“Google”), 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie on your use of this website is usually transmitted to the Google server in the US and stored there. In case of activation of the IP anonymization on this website, your IP address will, however, be truncated by Google within Member States of the European Union or in other member states party to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website and Internet use. The IP address transmitted by your browser to Google Analytics is not merged with other Google data. Google Analytics data may not be passed on without the customer’s consent unless special circumstances such as legal requirements exist. To prevent this tracking procedure, you can disallow it at .

We also use HubSpot, a service of HubSpot Inc. HubSpot is certified under the EU-US Privacy Shield. “Web beacons” are used here and “cookies” are also set. These are stored on your computer, enabling us to analyze your use of the website. HubSpot evaluates the recorded information (e.g. IP address, geographical location, type of browser, duration of the visit, and pages accessed) on our behalf in order to generate reports on the visit and the pages visited. If you subscribe to e-mail news and download whitepapers and other documents, HubSpot also enables us to track your visits to Open as App using your additional information (especially your name and e-mail address) and, if applicable, to inform you specifically about your preferred topics. If you generally do not want HubSpot to record cookies, you can prevent them from being saved at any time by changing your browser settings. For more information about how HubSpot works, please refer to the HubSpot Inc. privacy policy at

If you choose not to receive interest-based advertising, you can also visit the website, click on “Preference Management” and follow the instructions to completely or individually prevent the use of data for interest-based advertising by the service providers listed there. You will still receive advertising that is not interest-based.

Marketing cookies are used to follow visitors to websites. The intent is to show ads that are relevant and engaging to the individual user and therefore more valuable to publishers and third-party advertisers.

7. Social Media-Plugins

To enable one single-sign-on, we offer you the option of registering directly at Open as App from your existing Microsoft Active Directory profile. You can also share apps via social media platforms.

This website may contain additional plugins from social networks such as Facebook, Google+, Twitter, or Pinterest, which are operated by third parties and via which messages can be sent to the corresponding social network with the help of a button, e.g. to rate, recommend or share content. In this way, we pursue the purpose and the legitimate interest in making our services better known. We configure our services so that data transmission does not take place until you press the button. The legal basis for data transmission, in this case, is Art. 6 I f) of the GDPR. The respective provider is responsible for processing the transmitted data in compliance with data protection regulations.

If you want to use these functions, you will first be redirected to the platform page, where you will be asked to log in with your user name and password. Of course, we do not take note of your registration data. If you are already logged on to the platform, this step is skipped. The platform will then inform you which data is transmitted to us (e-mail address and public profile). You confirm this by clicking on the relevant button. We then create your customer account using the transmitted data. A permanent link between your customer account and your account on the corresponding platform does not take place except to protect your account from external access. The purpose and scope of the data collection and the further processing and use of the data by the social media platform, as well as your associated rights and settings options for the protection of your privacy can be found in the platform’s Privacy Policy.

8. Implemented Technologies

III. The Rights of Affected Persons

1. Right to object

If we process your personal data for direct marketing purposes, you have the right to object at any time (with effect for the future) to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, if it is associated with such direct marketing.

You also have the right to object at any time, for reasons arising from your particular situation, with future effect, to the processing of personal data concerning you in accordance with Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.

You can exercise your right of objection free of charge.

You can contact us using the contact details listed at I.2.

2. The right to information

You have the right to know whether we process personal data concerning you, what personal data this may be, and further information in accordance with Art. 15 of the GDPR.

3. The right of rectification

You have the right to request us to correct any incorrect personal data concerning you without delay (Art. 16 of the GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – even by means of a supplementary declaration. Please contact us on

4. The right to cancellation („The right to be forgotten“)

You have the right to demand from us that personal data concerning you be deleted immediately, provided that one of the reasons specified in Art. 17 para. 1 of the GDPR applies and the processing is not required for one of the purposes regulated in Art. 17 para. 3 of the GDPR. Please contact us on

5. The right to restriction of procession

You are entitled to demand a restriction on the processing of your personal data if one of the conditions laid down in Article 18, paragraph 1, letters a) to d) of the GDPR is met.

6. The right to data transferability

You have the right to receive the personal data concerning you that you have provided to us in a structured, common, and machine-readable format. You also have the right to transmit this data to another responsible person without any hindrance on our part, or to arrange for direct transmission by us, if this is technically possible. This should always apply if the data processing is based on consent or on a contract and the data is processed automatically. This does not apply to data stored in paper form only.

7. The right of revocation when consent has been given

If the processing is based on your consent, you have the right to revoke your consent at any time. The lawfulness of the processing on the basis of the consent until the revocation will not be affected.

8. The right of appeal

You have the right of appeal to a supervisory authority.