Product Privacy Notice (SaaS)

The controller responsible for data processing in connection with the use of the software platform divery.io is:

The software platform divery.io is a cloud-based Software-as-a-Service (SaaS) solution designed to support business processes, in particular for dive centers, dive schools and comparable organizations.

In the course of using the software, personal data is processed that is entered into or generated
within the platform by the customer or its users.

Depending on how the platform is used, the following categories of data may be processed in particular:

• User and account data
  (e.g. name, email address, username, role, access rights)
• Customer and business data
  (e.g. booking, participant, invoicing or contact data)
• Communication data
  (e.g. support requests, ticket contents)
• Usage and log data
  (e.g. log files, timestamps, technical access information)

The scope of processed data depends on the specific use and configuration by the customer.

Personal data is processed exclusively for the following purposes:

• provision and operation of the software platform,
• management of user accounts and access rights,
• execution of the functions used by the customer,
• error analysis, maintenance and further development of the software,
• processing of support requests,
• ensuring IT security and system stability.

Personal data is processed on the basis of:

• Article 6(1)(b) GDPR (performance of a contract),
• Article 6(1)(f) GDPR (legitimate interest in secure operation),
• Article 6(1)(c) GDPR (compliance with legal obligations),
• Article 28 GDPR (processing on behalf).

To the extent that personal data is entered into and processed within the platform by the
customer, such processing is carried out as processing on behalf pursuant to Article 28 GDPR.

The customer acts as the controller;
Tools4Vision GmbH acts as the processor.

The details are governed by a separate Data Processing Agreement (DPA).

The software platform is operated in a cloud infrastructure.

In particular, the following service providers are used:

• cloud hosting (e.g. Amazon Web Services within the EU/EEA),
• infrastructure, security and monitoring services.

Processing takes place exclusively within the EU/EEA or in compliance with appropriate safeguards pursuant to Articles 44 et seq. GDPR.

Access to personal data by the Provider’s employees occurs only to the extent necessary for
technical support, error analysis, maintenance and operation.

All employees are bound by confidentiality obligations and receive data protection training.

Personal data is disclosed to third parties only if:

• this is necessary for the performance of the contract,
• there is a legal obligation to do so, or
• the customer has expressly consented.

The Provider does not use the data for its own purposes.

Personal data is stored only for as long as necessary for the respective purposes or as required by statutory retention obligations.

After termination of the contractual relationship, data is deleted or returned in accordance with the Data Processing Agreement.

At the customer’s request, personal data will be returned within 30 days after contract termination in a common, machine-readable standard format (e.g. CSV or JSON), unless statutory retention obligations prevent this.

The Provider implements appropriate technical and organizational measures pursuant to Article 32 GDPR to protect personal data.

These include in particular:

• access restrictions,
• encryption,
• logging,
• regular security reviews.

The provider does not use the data for its own purposes.

Data subjects have, in particular, the right to:

• access (Article 15 GDPR),
• rectification (Article 16 GDPR),
• erasure (Article 17 GDPR),
• restriction of processing (Article 18 GDPR),
• data portability (Article 20 GDPR),
• objection (Article 21 GDPR).

Requests must be addressed to the respective controller (the customer).

The Provider reserves the right to amend these privacy information if required due to legal,
technical or organizational changes.

Automated decision-making or profiling within the meaning of Article 22 GDPR does not take place.