Effective Date: August 2020
1. Who are we?
We are the “data controller” of the information that you provide to us when you participate in one of our user research projects. If you have any questions concerning this Notice, you can contact us at:
Köpenicker Str. 122
We have also appointed a Data Protection Officer (“DPO”) who acts on behalf of Taxfix in supporting our compliance efforts in relation to the processing of personal data. You can contact our DPO at:
Attn: Data Protection Officer
Köpenicker Str. 122
[email protected]; [email protected] (re: Taxfix DPO)
2. What information do we collect?
We collect information from you in the process of recruiting you for a user research project as well as in the course of your participation itself. The information we collect from you will depend on the kind of user research project you participate in but may include things such as:
- your name, phone number, email address or other contact information we may use to communicate with you about the research;
- demographic and other background information (age, gender, country);
- your profession, income and tax data;
- information about your filing experience and habits;
- any information you submit or communicate to us during the research;
- behavioral information; and
- to the extent you have given us your permission, videos, voice recording and photos.
3. How do we collect your information?
- Information Provided by Candidate – We mainly collect data directly from you in the course of your research participation. We may collect such information through a survey, experiment or phone/video interview, and we typically recruit participants for this through email, social media, or even within the Taxfix app.
- Personal Data from Third Parties – Sometimes, we recruit candidates for user research through a partner agency or platform. These agents and platforms are usually research recruitment specialists who obtain candidate details themselves and then share them with Taxfix when a candidate has been recruited to work with us.
- Personal Data from the app – If you’re a user research participant and you happen to be a Taxfix user, some of the information we hold about you for purposes of user research is collected from your interaction with and use of Taxfix’s services, app and website.
4. How do we use your information?
Data protection law provides that we can only use your data where we have a legal basis to do so. We will have a legal basis for processing your information for user research purposes (a) where we have your consent or (b) where we have a legitimate business interest for processing.
- Consent – If you are participating in a user research project, you will be asked to fill out a consent form for the specific project. This consent serves as the basis of our processing, which we do in order to analyze the results of the user research project and use those results to further improve our product and service. Remember, participation in any of our user research projects is entirely voluntary, which means that providing your information to us in this context is not mandatory and subject to your express agreement.
- Legitimate Interest – We may process certain information about you prior to commencing a user research project. This may be for further assessment of your suitability, or to provide you with relevant information about the study, or even to follow up with you after a study for any feedback. In such cases, we are processing your data on the basis of our legitimate business interests.
5. How do we disclose your data?
- Service Providers – We share your information in limited circumstances with our suppliers and service providers, namely, online survey tools and research platforms for conducting research surveys online and IT service providers (including cloud providers) for purposes of facilitating the research sessions, data storage and analysis. In particular, we process your data using G Suite, which means that we share it with Google, our primary storage and cloud computing services provider. We grant our trusted service providers access to your information only for purposes of performing these tasks on our behalf. They are contractually bound to our instructions, have suitable technical and organizational measures to protect the rights of the data subjects, and are regularly monitored by us.
- Other Disclosures – We may disclose your personal data to authorities or other third parties, including, for example, law enforcement agencies, law firms or public authorities, if we believe in good faith that such disclosure is necessary in connection with a legal investigation, to comply with relevant laws, to protect or defend our rights or property and to investigate or assist in preventing any violation or potential violation of the law or this Notice.
6. Are there any foreign transfer of the information?
Certain service providers with whom we share your personal data may be located in countries outside the European Economic Area (EEA). These countries may have data protection laws that differ from the laws of Germany and in such cases, we will put in place data transfer agreements based on the applicable EU Standard Contractual Clauses or rely on other available data transfer mechanisms to protect personal data.
7. How long do we keep your data?
We will keep your user research data as long as necessary to achieve the purpose(s) for which it was collected. Our current policy is to retain research data for up to two years from the end of the calendar year during which it was collected. If you have asked to join our participant hub of individuals interested in participating in ongoing research with Taxfix, we may, however, keep your information in that hub or registry until you ask us to remove you from it.
After the applicable retention period, we will either delete or de-identify your data or, if neither deletion nor de-identification is possible (for example, due to the data being stored on a backup service), we will isolate your data from further processing until deletion or de-identification is possible. We may keep and continue to use data that is no longer identifiable to you (e.g., aggregate data).
8. How do we keep your data secure?
We have adopted measures to provide your data with a level of security appropriate for the degree of risk involved with the processing activities described in this notice. These measures are designed to protect your research data against accidental or unlawful destruction, loss or alteration as well as unauthorized access. The specific measures we employ vary but include pseudonymization of identifying data where feasible, controls to limit access to services or systems that contain personal data, contractual safeguards with third parties who process data and maintaining procedures to handle any suspected security interests.
9. What are your legal rights?
You have certain rights to your personal data, including the right to:
- request a copy of the personal data that we process and details of how we use that information;
- correct or update your personal data;
- transmit your personal data in machine-readable format to another party; and
- erase your personal data, restrict or object to a processing activity or – if consent is the basis for processing – to withdraw your consent (without affecting the lawfulness of processing based on consent before the withdrawal of consent); provided, that this may not apply if there are other legal justifications to continue processing and we may need to retain certain personal data where required or permitted under applicable law.
If you would like to request access, review, correct, delete or port the personal data we have collected about you, or to discuss how we process your personal data, please contact us at [email protected] To help protect your privacy and security, we will take reasonable steps to verify your identity before granting you access to your personal data. We will make reasonable attempts to investigate promptly, comply with or otherwise respond to your requests; provided, however, that we reserve the right to deny requests where, in our discretion, they may be unfounded, excessive, or otherwise unacceptable under applicable law.
10. How will we update this notice?
We may update this Notice from time to time, including if, for example, legal requirements that apply to us or our internal operations and processes changes. Updates will be made available here. Significant changes will be notified to you by email.