1. Overview

itemis SaaS services are online software applications that allow users to create, edit, manage, analyze and share digital content and artefacts, depending on the specific service used.

In order to provide these services in a secure, stable and reliable manner, certain personal data is processed, for example for registration, authentication, operation of the services, storage of user content and ensuring IT security. This gives rise to data protection obligations under applicable laws.

This Privacy Policy provides the information required under Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and comparable transparency obligations under applicable United States privacy laws.

If you reside in California, Virginia, Colorado, Connecticut, or Utah, additional rights apply to you under the privacy laws of these states. These rights are described in Section 13, which also contains the Notice at Collection required under these laws.

2. Scope, applicability, and contracting entity

This Privacy Policy applies to all software-as-a-service products provided under the itemis SaaS offering, including, without limitation, all related hosting, operation, security, maintenance, and support services, as well as any other services, features or activities that are functionally related to or necessary for the provision, operation or improvement of the itemis SaaS services.

This Privacy Policy applies regardless of the legal basis or contractual form under which the itemis SaaS services are used, including trial or test usage.

For the purposes of this Privacy Policy, the controller within the meaning of Article 4 (7) GDPR ("ITEMIS") is the itemis legal entity responsible for providing the SaaS offering, as determined by the Customer’s principal place of business at the time the agreement is concluded:

a) If the Customer’s principal place of business is located in the United States of America:

itemis Inc.
150 North Michigan Avenue, 35th Floor
60601 Chicago
USA

b) If the Customer’s principal place of business is located outside of the United States of America:

itemis AG
Speicherstraße 8
D-44147 Dortmund
Germany

The applicable itemis entity is the sole contractual partner of the Customer under the Terms of Use and acts as the controller for the processing of personal data in connection with the provision of the SaaS offering.

Where an itemis entity is not established in the European Union and is subject to the GDPR, it has appointed a representative in the European Union in accordance with Article 27 GDPR. In such cases, the representative is:

itemis AG
Speicherstraße 8
D-44147 Dortmund
Germany

ITEMIS has appointed a Data Protection Officer where required by applicable law. The Data Protection Officer can be contacted at: [email protected]. General data protection inquiries that are not addressed to the Data Protection Officer may be directed to: [email protected].

This Privacy Policy is intended to provide transparency to users of the itemis SaaS services and to individuals whose personal data may be processed in connection with the use of such services.

This Privacy Policy applies to all use of the itemis SaaS services. Its legal effect and the data protection role assumed by ITEMIS depend on the applicable usage scenario as described in Section 3 of this Privacy Policy.

3. Usage scenarios and role allocation

3.1. General approach

The role of ITEMIS under applicable data protection law depends primarily on how the itemis SaaS services are used. There are two distinct usage scenarios, each leading to a different allocation of roles:

  • Customer-controlled usage, and

  • Individual (user-only) usage.

In no case does ITEMIS act as a joint controller together with customers or users.

3.2. Customer-controlled usage (business use)

In the customer-controlled usage scenario, the itemis SaaS services are used by a customer to process personal data relating to data subjects, such as employees, customers, or other individuals.

In this scenario:

  • the customer determines the purposes and means of the processing and acts as the controller, and

  • ITEMIS processes personal data exclusively on behalf of and under the documented instructions of the controller and acts as a processor.

ITEMIS does not determine any independent purposes for such processing and does not use the personal data for its own purposes. A Data Processing Addendum (DPA) forms part of the contractual relationship where required under applicable law.

The customer remains responsible for providing appropriate privacy information to the affected data subjects and for handling data subject requests.

This Privacy Policy does not replace the customer’s own privacy notices. Instead, it is intended to supplement them by describing the technical processing carried out by ITEMIS in its role as a processor. The customer remains solely responsible for fulfilling its information obligations towards data subjects.

3.3. Individual usage (user-only use)

In the individual usage scenario, the itemis SaaS services are used by a natural person exclusively to process that person’s own personal data.

In this scenario:

  • ITEMIS acts as the controller for the processing of personal data necessary to provide and operate the services, as further described in Sections 4 to 6 of this Privacy Policy, and

  • the user is the data subject.

No Data Processing Addendum applies or is required in this scenario.

4. Purposes of processing

Personal data is processed solely to the extent necessary to provide, operate and secure the itemis SaaS services. Depending on the applicable usage scenario, the purposes of processing include in particular:

  • registering and authenticating user accounts,

  • operating and providing the services,

  • storing, editing and sharing user-generated content,

  • protecting the services against unauthorised access and attacks,

  • correcting errors and providing technical support, and

  • managing contact and communication data in customer relationship systems.

ITEMIS does not process personal data for marketing, profiling, data resale or other unrelated purposes.

All processing activities described in this section are carried out solely for the purpose of providing, operating, maintaining and securing the itemis SaaS services and do not constitute independent purposes of ITEMIS.

5. Categories of personal data

5.1. Technical data processed when accessing publicly available web interfaces

Where the itemis SaaS services provide publicly accessible web interfaces or functionalities that can be used without registration or login, certain technical data is processed when users access such interfaces.

This includes, in particular, connection and access data such as IP address, date and time of access, browser and device information, and technical request data. This processing is necessary to enable the delivery of the web content, to ensure the security and stability of the services, and to prevent misuse.

5.2. Categories of personal data processed in connection with the use of the itemis SaaS services

Beyond the technical data described above, ITEMIS processes only those categories of personal data that are necessary for the operation and secure provision of the itemis SaaS services. These include in particular:

  • Contact data, such as name and e-mail address;

  • Usage and access data, such as usernames, roles, session information and authentication tokens;

  • Authentication data, including encrypted passwords or OAuth-related data when using third-party login services;

  • Content data, meaning information and artefacts created, uploaded or managed by users within the services;

  • Connection and device data, such as IP address, browser type, operating system, and language settings;

  • Protocol and metadata, such as access logs, change histories, error messages, and security logs.

Where content created or uploaded by users contains personal data, the nature and scope of such data depend solely on how the services are used by the customer or user. ITEMIS does not determine the content or the purposes and means of the processing.

Depending on the specific itemis SaaS service used, additional or more specific categories of personal data may be processed. Such product-specific information is described in the annexes to this Privacy Policy, which form an integral part of this document.

Where users enter or upload content containing personal data relating to other individuals, ITEMIS does not have direct knowledge of the identity of such individuals and does not independently analyse or interpret user content.

As a result, ITEMIS is not in a position to directly inform such individuals about the processing of their personal data.

5.3. Processing of contact and account data in CRM systems

ITEMIS uses HubSpot as its customer relationship management (CRM) system. HubSpot is used exclusively for managing customer and contact relationships, such as assigning user accounts to existing customers, handling contractual and communication relationships, and supporting customer-related communication.

If a user account is linked to an existing CRM record, ITEMIS processes the following additional categories of personal data for these purposes:

  • Contact data from the CRM system, specifically name and e-mail address;

  • Customer account-related information, such as the assignment of users to specific customer organizations or contract statuses.

This processing is strictly ancillary to the provision of the itemis SaaS services and does not constitute an independent purpose of ITEMIS.

HubSpot does not receive or process content data, project data or usage data beyond what is necessary for the CRM-related purposes described in this section. No additional product-specific recipients apply beyond those described in this Privacy Policy.

6. Legal bases of processing

6.1. Where ITEMIS acts as controller

Where ITEMIS acts as controller, personal data is processed on the following legal bases, each as specifically assigned to the respective processing activity below.

6.1.1. Access to publicly available web interfaces

The processing of technical data in connection with access to publicly available web interfaces or functionalities of the itemis SaaS services that can be used without registration or login is based on the legitimate interests of ITEMIS in accordance with Article 6 (1) f GDPR.

These legitimate interests include in particular:

  • the secure and reliable technical delivery of web content,

  • the operation and stability of the services,

  • the protection against unauthorised access, misuse and attacks, and

  • the detection and prevention of technical errors.

This processing is limited to what is technically necessary and does not involve profiling or tracking for marketing or similar purposes.

6.1.2. Registration and use of the itemis SaaS services by individual users

Where individual users register for and use the itemis SaaS services for their own purposes, personal data is processed for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract, in accordance with Article 6 (1) b GDPR.

This applies in particular to the processing of contact data, authentication data and usage data that are necessary to create and manage user accounts, to provide access to the services and to enable their proper operation.

In addition, personal data may be processed where this is necessary to comply with applicable legal obligations to which ITEMIS is subject, in accordance with Article 6 (1) c GDPR.

Such obligations may arise, for example, from commercial, tax or accounting laws, or from binding orders of public authorities.

Beyond the specific cases described above, personal data may also be processed on the basis of the legitimate interests of ITEMIS in accordance with Article 6 (1) f GDPR.

These legitimate interests relate in particular to ensuring the security, stability and reliability of the itemis SaaS services, including system maintenance, error analysis and the continuous improvement of the services, taking into account the reasonable expectations of users and the technical and organisational safeguards in place.

6.2. Where ITEMIS acts as processor

Where ITEMIS acts as processor, personal data is processed solely on behalf of and under the documented instructions of the customer. The customer is responsible for determining the applicable legal bases and for fulfilling all related transparency obligations.

7. Recipients and sub-processors of personal data

Personal data is made accessible only to the extent necessary for the purposes described in this Privacy Policy.

Access within ITEMIS’ organisation is limited to authorised personnel who require such access to perform their tasks and are subject to confidentiality obligations and the need-to-know principle. Such internal access does not constitute a disclosure to third parties within the meaning of data protection law.

Personal data is disclosed to external recipients only where this is necessary for the provision of the itemis SaaS services or where ITEMIS is legally obliged to do so.

7.1. Sub-processors (Article 28 GDPR)

The following service providers are regularly and predictably involved in the provision of the itemis SaaS services and act as sub-processors within the meaning of Article 28 GDPR, where ITEMIS processes personal data on behalf of the Customer.

This list is exhaustive with regard to currently approved and known sub-processors.

7.1.1. Amazon Web Services

Amazon Web Services EMEA S.à r.l.
38 Avenue John F. Kennedy
L-1855 Luxembourg
Luxembourg

  • Purpose: Cloud infrastructure, hosting, storage and operation of the itemis SaaS services

  • Categories of personal data: All personal data processed within the services

  • Processing locations: European Union (eu-central-1, Frankfurt, Germany)

  • Transfer mechanism: Not applicable for EU processing; where applicable, EU Standard Contractual Clauses (SCCs)

7.1.2. HubSpot

HubSpot, Inc.
25 First Street, 2nd Floor
Cambridge, MA 02141
United States

  • Purpose: Customer relationship management, customer support and service-related communication for all itemis SaaS products

  • Categories of personal data: Contact data, communication data, customer account data as described in Section 5.3.

  • Processing locations: United States

  • Transfer mechanism: EU Standard Contractual Clauses (SCCs), supplemented by additional safeguards

Other itemis entities may be involved as sub-processors, where such entities process personal data on behalf of the respective itemis entity acting as ITEMIS, as defined in Section 2 of this Privacy Policy.

7.2. Other disclosures

Personal data may further be disclosed:

  • to public authorities, courts or supervisory bodies, where ITEMIS is legally obliged to do so under applicable law;

  • to customer-controlled third parties (e.g. authentication or integration providers configured by the Customer), in which case such providers act as independent controllers and not as sub-processors of ITEMIS.

8. International data transfers

The itemis SaaS services are hosted on infrastructure located within the European Union. As a rule, personal data is not transferred to countries outside the EU or the EEA, subject to the exceptions and safeguards described below.

Where exceptions apply, in particular when using service providers established in the United States, appropriate safeguards are implemented, such as:

  • adequacy decisions of the European Commission,

  • standard contractual clauses, and

  • additional measures where required.

Despite processing within the EU, it cannot be completely ruled out that public authorities in third countries may access data in individual cases where legally authorised to do so.

Where ITEMIS acts as a processor, any international data transfers are carried out solely in accordance with the customer’s documented instructions. In such cases, the customer remains responsible for assessing the lawfulness of the transfer under applicable data protection law, while ITEMIS implements the required contractual and technical safeguards.

9. Consequences of not providing personal data

Where ITEMIS acts as controller, access to publicly available parts of the services is possible without providing personal data.

However, registration and use of the itemis SaaS services generally require certain personal data, such as contact and authentication data. Without this data, registration and use of the services are not possible.

Where ITEMIS acts as a processor, the customer acting as controller is responsible for informing data subjects about the consequences of not providing personal data.

10. Automated decision-making

ITEMIS does not carry out automated decision-making within the meaning of Article 22 GDPR. In particular, no profiling takes place that produces legal effects concerning users or similarly significantly affects them.

11. Retention and deletion

Personal data is retained only for as long as necessary to fulfil the purposes described in this Privacy Policy, as further specified by the retention periods set out below. Retention periods are determined based on functional requirements of the services, security considerations and applicable legal obligations, and are limited to what is strictly necessary for these purposes.

The following standard retention periods apply:

  • User account data: deleted no later than six (6) months after the user’s last activity or upon request;

  • Content and project data: stored as long as actively used or shared; deleted when the associated account is deleted;

  • Protocol and security data: stored for a maximum of thirty (30) days unless required for security investigations;

  • Backups: deleted automatically in accordance with standard retention periods of the hosting provider;

  • CRM data: deleted once the user account is deleted and no further business reasons require retention.

Where personal data is processed by ITEMIS on behalf of a customer under a Data Processing Addendum (DPA), the retention and deletion of such data are governed exclusively by the applicable DPA and the customer’s instructions issued thereunder.

The retention periods described in this Privacy Policy apply only insofar as no overriding contractual or statutory obligations, in particular under a Data Processing Addendum (DPA), require a different handling.

After expiry of the applicable retention periods, personal data is permanently and securely deleted.

12. Rights of data subjects

12.1. General rights of data subjects

Data subjects have the rights granted under applicable data protection laws, including in particular:

  • the right of access,

  • the right to rectification,

  • the right to erasure,

  • the right to restriction of processing,

  • the right to data portability, and

  • the right to object to processing.

Where ITEMIS acts as controller, data subjects have the right to lodge a complaint with a supervisory authority.

For processing activities subject to the GDPR, the competent supervisory authority is, in particular:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf
Germany

Data subjects may also lodge a complaint with the supervisory authority in the EU Member State of their habitual residence, place of work or place of the alleged infringement.

12.2. Where ITEMIS acts as processor

In the customer-controlled usage scenario, data subjects must address their requests to the customer acting as controller. ITEMIS supports the customer in fulfilling such requests in accordance with applicable law and contractual arrangements.

12.3. Where ITEMIS acts as controller

Where ITEMIS acts as controller, data subjects may exercise their rights directly against ITEMIS by contacting ITEMIS using the contact details provided in Section 2.

13. Additional information for residents of certain U.S. states (Notice at Collection)

This section applies if you reside in California, Virginia, Colorado, Connecticut, or Utah.

For the purposes of this section, “personal data” or “personal information” has the meaning set out in the applicable U.S. state privacy laws and includes information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual.

The categories of personal data collected, the purposes of processing, the categories of recipients and the applicable retention periods are described in Sections 4, 5, 7, 8 and 11 of this Privacy Policy and together constitute the Notice at Collection required under applicable U.S. state privacy laws.

ITEMIS confirms that:

  • personal data is not sold;

  • personal data is not shared for cross-context behavioural advertising;

  • personal data is not used for targeted advertising; and

  • no profiling with legal or similarly significant effects takes place.

Depending on the applicable U.S. state law, residents may have the following rights with regard to their personal data:

  • the right to know what categories of personal data are processed and for what purposes;

  • the right to access personal data processed about them;

  • the right to request deletion of personal data, subject to applicable legal exceptions;

  • the right to request correction of inaccurate personal data;

  • the right to obtain a copy of their personal data in a portable format; and

  • the right to opt out of certain forms of processing, where applicable.

Requests to exercise these rights may be submitted by contacting ITEMIS using the contact details provided in Section 2.

ITEMIS will respond to such requests within the time limits required by applicable law and may take reasonable steps to verify the identity of the requesting individual.

Where required by applicable U.S. state law, residents have the right to appeal a decision regarding their request by contacting ITEMIS using the same contact details.

14. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in the services or applicable legal requirements. The version published at the time the services are accessed or used applies.

15. Annexes to this Privacy Policy

The following annexes form part of this Privacy Policy and provide product-specific information for individual itemis SaaS services. The annexes specify and complement this Privacy Policy. In the event of inconsistencies, this Privacy Policy prevails.

16. Annex A – itemis CREATE

16.1. Product description

itemis CREATE is a software-as-a-service application that supports collaborative modelling, documentation and analysis of structured information and artefacts. The service enables users to create, edit, manage and share content within projects and teams.

The allocation of roles and responsibilities follows the principles set out in the main body of this Privacy Policy.

16.2. Product-specific categories of personal data

This section lists only deviations from and additions to the generic categories of personal data described in Section 5 of this Privacy Policy.

16.2.1. Additional categories

None.

16.2.2. No longer applicable categories

None.

16.3. Product-specific recipients and sub-processors

None.