Privacy Policy luca Webapp

Last revised and updated August 19, 2022

We, culture4life GmbH (“we” or “us”), are committed to protecting your privacy in connection with your use of our services. We will always strive to maintain the security and integrity of your personal data in accordance with applicable data protection law. In particular, we store and process personal data to enable the functionalities described in section 1.2 of the Terms of Use. Other purposes arise only when we process your data during visits to our website in order to ensure a secure web presence, and when we process your enquiries (solely for the purposes of this processing). We state these explicitly below.

Personal data is any information relating to an identified or identifiable natural person. For example, your name, your email address, your whereabouts, but also your IP address constitute personal data, the processing of which is strictly limited by the General Data Protection Regulation (hereinafter referred to as GDPR). Even if this data is pseudonymised, for example through encryption (i.e., it cannot be assigned to you immediately, but only through a combination of data and keys), it must be protected under data protection law and treated in the same way as clear data. The requirements of the GDPR for handling this data primarily affect the data controller, i.e. the person who collects and processes the data. If the data controller forwards the data to service providers in order to provide a service, this must be made transparent to you as the data subject. The respective service provider must be bound by the same standards as the controller and be controlled by the controller.   

In the following, we describe specifically what data we collect and process, on what basis and for what purposes, which service providers we pass this on to and what rights you have regarding your data. 

The controller of the processing of personal data collected directly by us is:

culture4life GmbH
Mörikestrasse 67
70199 Stuttgart
Germany
info@culture4life.de

You can reach our data protection officer at our Berlin location as follows:

culture4life GmbH
Data Protection Officer
Charlottenstraße 59
10117 Berlin
Germany
privacy@culture4life.de

1. Data categories

We process the following categories of data necessary to provide or facilitate contact tracing under state regulations issued in connection with COVID infection control:


  • Contact details:
    Name, first name, address, telephone number, e-mail address.

  • Functional data:
    Data mapping IDs, keys and QR codes.

  • Dates of stay:
    Name or designation of the operators you stayed with, date, beginning and end of your stay and the address of your place of stay.

  • Additional Input Data:
    Other information that you submit through input fields in our Services, each of which relates to you, such as notes you enter in the free text fields of our Services.

  • Temporary usage data:
    Data that may be generated when using the luca webapp, i.e. IP address, IP location, type and version of the end device used, the browser used and installed browser plug-ins, information about the mobile network used, time zone settings, operating system and platform.

2. Process description

The luca webapp is the alternative to the luca app for users who prefer to use it via a browser. However, it does not contain all the services of the luca app. Thus, automatic check-out by means of geo-fencing is not possible, nor is the deposit of test, convalescent and vaccination documents. You can find the luca webapp under this link.

After entering your contact details and successfully verifying your phone number, an individual key will be generated for you. This is used to encrypt your contact details. This key remains exclusively local on your own end device until your first check-in. The encrypted data is transmitted to the luca system and stored on the servers of our service providers (see section 5.) within the EU area.

Collection of data at the beginning of your stay: Now you can check in with your favorite local spots. The period of your stay at an operator is recorded by scanning the QR code. In this context, your personal key (with which your contact details were encrypted in the course of registration) is encrypted with the key of the health authorities. The operator in turn encrypts this data with its own key. Your contact details are thus encrypted with your user key, and this key is encrypted by both the responsible health authority and the operators at every check-in and is thus stored in the luca system in a doubly encrypted form. Neither the operators nor we can see the encrypted data in its clear form and assign it to you as a person. Only the responsible health authority will be able to decode the data in the case of follow-up. If you decide to scan the QR code of the operator, it is necessary to turn on the camera of the smartphone. Only the recording of the QR code is saved.

The operator is responsible for this processing and we act here as the processor of the operator.

Collection of data at the end of your stay: After you have successfully checked in and want to end your stay, you can check out manually in the webapp. If you forget to check out, the operator has the option to check you out.

Collection of data at private events: You can likewise create your own private events and check in to those, for example if you’re hosting a birthday party at home. When you check in at such private events, the private host receives your first and last name. You do see this location in your history, but these private events are not shared with the health department.

Optional sharing of history with the appropriate health department in case of infection: If a health office contacts you and asks you to report your recent stays, you can do this conveniently via your luca webapp. To do this, select the “Release history” function. Then you generate a so-called TAN (i.e. a transaction number that is used for authorization and is only valid for one-time use). Here, the residence data of the last 14 days and your personal key are transferred to the health department. All this data is encrypted for transmission using the health department key. As soon as you provide the health authority with your TAN, this data packet can be assigned by the health authority and then decrypted.

This is done expressly with your consent and active involvement by providing the TAN. After you have communicated your TAN, revoking this consent (see also section D. below) is pointless because the health department is the controller of further processing after retrieving the data and acts on a legal basis.

Transmission of contact tracing data by operators to the appropriate health department: Based on your history, the health department can assign and contact the affected operator(s) to find out which other persons were also in the location (i.e., in the spatial area of the operator(s)) at the time in question. The operator can then submit the requested data to the health department via their luca profile. Since the data is dual-encrypted (using the operator key and the health department key), the operator's encryption is removed from the data in the process. The health department receives the data still encrypted with the health department key and can decrypt it. This means that only the health department can view the clear data. The operator is responsible for this processing and we act here as the processor of the operator.


3. Special categories of personal data according to Art. 9 GDPR

When transferring your visit history (as shown in the process description) to a health department, there is an increased likelihood that you are infected. Since this may allow conclusions to be drawn about your health, this transfer will only take place on the basis of your express consent pursuant to Art. 9 (2) a) in conjunction with Art. 6 (1) 1 a) GDPR.

Other sensitive data (e.g. political opinions, religious affiliation, genetic or biometric information) are generally not processed by us. We ask that you not disclose any such information to us through or in connection with our Services.

4. Purposes and legal bases of the processing operations

We will process your personal data only for the purpose of assisting in contact tracing as part of the COVID pandemic response and, in this context, improving data quality in accordance with the legal bases listed. In the following, the processing carried out for this purpose is described and the respective legal bases for the processing of your personal data are stated.

| Sec. | Processing and, if applicable, additional purpose | Legal basis | Controller |
|---|---|---|---|
| (1) | When you register, we collect and store your contact details and functional data. | Art. 6 (1) 1 b) GDPR: Based on the terms of use for the luca services that apply between you and us. | culture4life GmbH (we) |
| (2) | During registration we verify your phone number by automated SMS dispatch or call. For this purpose, the telephone number will be transmitted to the SMS dispatch service providers listed in section 5. | Art. 6 (1) 1 b) GDPR: Based on the terms of use for the luca services that apply between you and us. | culture4life GmbH (we) |
| (3) | When you check in with an operator, they use luca to collect your whereabouts data and, if necessary, additional input data. | The processing is carried out on the basis applicable to the operators. In the case of those obliged to follow up contacts, this is the legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators using luca voluntarily, this is your consent. | Operators. We process the data on the basis of the order processing agreement between the relevant operator and us. |
| (4) | If you want to scan the QR code of the operator yourself to perform the check-in, this is done using your camera. Only the QR code is scanned in the process. Data located in the environment is not recorded. | Art. 6 (1) 1 a) GDPR: Consent by switching on the camera function, if necessary after prompting in the webapp. You can revoke your consent at any time for the future by turning off your camera function (see also part D.). | Operators. We process the data on the basis of the order processing agreement between the relevant operator and us. |
| (5) | At the same time, when you check in, your functional data is transmitted to operators to create the link between you and your stay. | Art. 6 (1) 1 b) GDPR: Based on the terms of use between you and us for the luca webapp. | culture4life GmbH (we) |
| (6) | You can do the check-out manually in your webapp. In addition, the operator can check you out. | The processing is carried out on the basis applicable to the operators. In the case of those obliged to follow up contacts, this is the legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators using luca voluntarily, this is your consent. | Operators. We process the data on the basis of the order processing agreement between the relevant operator and us. |
| (7) | During registration and use of the luca webapp, temporary usage data is collected and stored. The purpose is to ensure the security of the luca system and thus guarantee the provision of services to you. | Art. 6 (1) 1 b) GDPR: Based on the terms of use between you and us for the luca webapp. | culture4life GmbH (we) |
| (8) | If a health department contacts you with a request to share your visit history, you can do so voluntarily through the luca webapp. Your contact details, functional data and the residence data for the selected period are then transmitted to the respective health office. | Art. 9 (2) a) in conjunction with Art. 6 (1) 1 a) GDPR: Explicit consent to the extent that any sensitive data is transferred to a health department (see also Section C.). | culture4life GmbH (we) |
| (9) | An operator visited by you may be requested by a health department to provide visitor data for a specified period of time. Your contact details, functional data, residence data and, if necessary, additional input data are thereby transmitted to the health department. | The processing is carried out on the basis applicable to the operators. In the case of those obliged to follow up contacts, this is the legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators voluntarily using luca, this is your consent. | Operator. We process the data on the basis of the order processing agreement between the relevant operator and us. |

5. Recipients of personal data

In order to achieve the purposes described earlier in this Privacy Policy, we disclose your personal data to the following recipients, with the understanding that they may not use this data in any way other than to provide services to us (as so-called processors within the meaning of Article 28 of the GDPR):

| Services provided by suppliers | Provider | Processed data |
|---|---|---|
| Software maintenance and software operation services | neXenio GmbH, Charlottenstr. 59, 10117 Berlin | Contact data, functional data, residence data, additional input data, temporary usage data. (The processing is limited to a possible inspection of the listed data in the context of the implementation of the software maintenance and operation services.) |
| IT infrastructure services (server) | Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn, Germany | Contact data, functional data, residence data, additional input data, temporary usage data. Server location: Germany, Hungary (Open Telekom Cloud) |
| IT infrastructure services | Bundesdruckerei Group GmbH, Kommandantenstraße 18, 10969 Berlin | Contact data, functional data, residence data, additional input data, temporary usage data. Server location: Germany |
| SMS dispatch services | Message Mobile GmbH, Stresemannstraße 6, 21335 Lüneburg, Germany | Phone number |
| SMS dispatch services | Sinch Germany GmbH, Wilhelm-Wagenfeld-Str. 20, 80807 Munich | Phone number |

Order processing contracts in accordance with Art. 28 GDPR have been concluded with these recipients. They can only process your data for a specific purpose and on our instructions.

We may also share your personal information with the following recipients:

  • Operators with whom we cooperate and whose locations you have visited using the luca webapp.
  • Health departments to whom you share your visit history from the luca webapp, or if you qualify as a potential contact person to an infected person, to enable contact tracing under state regulations issued in connection with COVID infection control, among other things.

6. Duration of the storage of personal data

Your personal data will be automatically deleted after expiry of the periods described below:

Contact and functional data

  • Within the luca webapp you will find a so-called delete button. With this you can independently perform the complete deletion of your contact and functional data from the luca system. After clicking the delete button, your data will remain in the luca system for another 28 days. This is necessary in order to comply with any legal requirement for contact tracing by providing the residence data and thus also the contact data of the last 28 days by operators.
  • When uninstalling the luca webapp, your user key stored in the webapp will be deleted. Without this key, your contact data can no longer be used, assigned and decrypted.
  • Your contact information will be deleted from the luca system annually if you remain inactive. If the luca web app is used again for check-in after the data on the servers has been deleted annually, the contact data still stored on the smartphone is again stored in encrypted form within the luca system.
  • Your functional data, which was encrypted by checking in with an operator, is automatically deleted after 28 days.

After independent deletion by pressing the delete button or continuous inactivity, your data can still be transmitted to a health authority up to 4 weeks after your last stay with an operator, so that you can be contacted by a health office.


  • Residence data and additional input data:
    Your stay data and input data generated by or in connection with checking in with an operator will be deleted after 28 days in accordance with the Corona/COVID infection control regulations.
  • Phone number additionally processed for verification: Your phone number will be processed by our subcontractors Message Mobile GmbH and Deutsche Telekom AG for verification purposes only. This is stored for up to 45 days in their production databases, or up to 60 days in their archive databases. Any storage beyond this does not take place.
  • Temporary Usage Data: Your temporary usage data is processed in log files. These are stored by us for a maximum of 7 days and then automatically deleted. Any storage beyond this does not take place.

7. Rights of the data subjects

With regard to the processing of your personal data, you have the following rights provided for in the GDPR, which you can exercise against us for all processing operations for which we are responsible (see Part C.):

  • The right to request a statement as to whether your personal data are being processed and, if this is the case, the right to information about these data. This information includes, among other things, the purposes of processing, the categories of personal data processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 GDPR). We store your data exclusively in encrypted form and do not possess the keys required for decryption. Therefore, we cannot track whether personal data of a specific person is processed in the luca system. Unlike ourselves, you can see all the processing forms of the data collected and stored in encrypted form in your own history and contact details. This is different for data that we receive from you as clear data when you contact us yourself (e.g., for support requests). We will be happy to provide you with information on these upon request.
  • The right to request the correction of your personal data if it is incorrect or incomplete (Art. 16 GDPR). You can only correct your contact data yourself (except for the history) in the luca webapp. We already fulfill this right through the functionalities provided. To exercise it, you only need to go to the corresponding area within the luca webapp and make the correction/change. We ourselves can only process your request with regard to data that we receive from you as clear data (e.g. through a direct contact by you with us).
  • The right, under certain conditions, to demand that your personal data be deleted immediately (so-called “right to be forgotten”) (Art. 17 GDPR). We comply with this right by providing a delete button. You can use this to delete your data, whereby the deletion takes place within the periods described in section C. 6. We ourselves cannot carry this out for you due to the encryption. If we have stored data about you (e.g. because you have contacted us in another context) that we can assign to you or that is not based on the information you have stored within the luca webapp, we will delete this data in accordance with your request, unless there is a justified interest or legal retention periods to the contrary.
  • The right to request the restriction of the processing of your personal data under certain conditions (Art. 18 GDPR). Due to the encryption and the fact that we do not have the necessary keys for decryption, we can only fulfill this right with regard to the clear data transmitted by you.
  • The right to withdraw at any time any consent given to us regarding the processing of your personal data (for sharing your history with the Health Department, for data collection, camera). This is done for the future by changing your settings. Such revocation does not affect the lawfulness of the processing that took place until your revocation. Please note that in case of revocation, the encrypted data cannot be assigned to you due to the encryption and therefore cannot be excluded from processing until it is automatically deleted.

Please note that we generally do not process your personal data in the form of plain data, but in encrypted form, and therefore in certain cases we will not be able to comply with a corresponding request by you to grant the aforementioned rights.

To exercise these rights against us, you may also contact our Data Protection Officer using the contact details set out in Part B of this Privacy Policy.

Notwithstanding the foregoing rights, you have the right to lodge a complaint with a supervisory authority for data protection and freedom of information, such as the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Lautenschlagerstrasse 20, 70173 Stuttgart, P.O. Box 10 29 32, 70025 Stuttgart.

Tel.: 0711/615541-0
Fax: 0711/615541-15

poststelle@lfdi.bwl.de

The webapp offers you the possibility to pay digitally in various locations in cooperation with the payment service provider Rapyd Europe.  

  1. Data categories

If you wish to make a payment via the luca system, the following data will be processed and, if necessary, shared with the operator and the payment service provider used during the payment process:    

  • Payment method information: bank and billing account information, credit card information, name of cardholder.   
  • Information about the transaction with the operator: transaction ID, time, date of the transaction, invoice amount, name or designation of the operator.  

Temporary usage data is collected when using these features:  

Data that may be generated when using the luca App, i.e. IP address, IP location, type and version of the end device used, information on the mobile network used, time zone settings, operating system and platform. 

  2. Process description

When you visit a restaurant or event (operator), you can decide to pay the bill using luca Pay. The operator provides you with a QR code that is placed for example on a table and contains the open invoice amount of your order.   

After scanning the QR code, you will be redirected to the luca website. There, you will be shown the information on your invoice stored by the operator. You can either see the open amount of the table or select an amount yourself. You can also enter a tip in the desired amount.  

By confirming the invoice amount and the tip, you will be automatically forwarded to the payment service provider Rapyd Europe. There you can check the payment amount and recipient again. You can choose between MasterCard, Visa card and ApplePay as means of payment. After selecting, you can enter your payment method information. After a final confirmation on your part, your payment will be executed by the payment service provider Rapyd Europe under the operator’s own data protection responsibility. When you pay, information about the transaction with the operator is stored. 

  3. Special categories of personal data according to Art. 9 GDPR

No special category data within the meaning of Art. 9 GDPR are processed. 

  4. Purposes and legal basis of the processing operations

The following section describes the processing operations and their purposes and legal basis, which serve the purpose of a one-off payment transaction in connection with the processing of the data specified in section D.1.  

 

| Sec. | Processing and purpose | Legal basis | Controller |
|---|---|---|---|
| (1) | If you want to scan the QR code of the operator to make the payment, this is done using your camera (by holding your smartphone camera over the QR code). Only the QR code is scanned. Data in the vicinity will not be recorded. | Art. 6 (1) 1 a) GDPR: Consent by switching on the camera function, if necessary, after a request in the app. You can revoke your consent for the future at any time by switching off your camera function. | Operator (Processing is the sole responsibility of the operator) |
| (2) | If you want to make a payment and have started the payment process in your app (by scanning the QR code), your payment method information will be stored with our payment service provider Rapyd Europe. This is done for the purpose of processing the payment. | Art. 6 (1) 1 b) GDPR in conjunction with Art. 49 (1.) 1. b and c (for the performance of the contracts in force between you and the operator) | Operator (Processing is the sole responsibility of the operator) |
| (3) | During the payment process, information about the transaction with the operator is stored. This serves the purpose of traceability and is required for the allocation of the payment to your invoice. | Art. 6 (1) 1 b) GDPR in conjunction with Art. 49 (1.) 1. b and c (for the performance of the contracts in force between you and the operator) | Operator (Processing is the sole responsibility of the operator) |

  5. Recipients of personal data

 

| Services supplied by provider | Provider | Data processed |
|---|---|---|
| Execution of payments and related services | Rapyd Europe hf, Suðurlandsbraut 30, 108 Reykjavík, Iceland | User ID, payment information, information about the transaction with the operator, temporary usage data (under Rapyd’s own responsibility). Here you can read Rapyd Europe’s current privacy policy. The storage period of your data transmitted to Rapyd can be found in G.7. |
| Software maintenance and software operation services | neXenio GmbH, Charlottenstr. 59, 10117 Berlin | User ID, information about the transaction with the operator, temporary usage data |
| IT infrastructure services (server) | Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn | User ID, information about the transaction with the operator, temporary usage data. Server location: Germany, Hungary (Open Telekom Cloud) |

Data Processing Agreements have been concluded with these recipients in accordance with Art. 28 GDPR, so that they can only process your data for a specific purpose and on our instructions. 

 

  6. Data transfer to third countries

Due to the cooperation with the payment service provider Rapyd Europe, which belongs to an international group of companies (Rapyd Financial Network (2016) Ltd.), your personal data (user ID, payment means information, information about the transaction with the operator) will also be processed by third parties, among others, in the context of the performance of the payment service. These third parties may be in countries different from yours and outside of the European Economic Area (EEA) and Switzerland. In these countries, an equivalent level of data protection is not always provided. In accordance with EEA data protection law, Rapyd Europe has taken specific measures to ensure the protection of your personal data. In particular, when transferring your personal data within companies affiliated with Rapyd, the current standard contractual clauses approved by the relevant supervisory authorities will apply. The Rapyd Financial Network (2016) Ltd. group of companies is certified in accordance with the PCI-DSS 2.0 (Payment Card Industry Data Security Standard). Contact Rapyd Europe (privacy@rapyd.net) for more information. 

  7. Duration of the storage of personal data

Your personal data will be automatically deleted after expiry of the periods described below:  

  • Payment method information and information about the transaction with the operator are stored by the payment service provider Rapyd for up to 10 years in accordance with banking supervisory regulations.   
  • Temporary usage data: Your temporary usage data that is collected when you use the luca App is processed by us in log files. These are stored for a maximum of 7 days and then automatically deleted. Temporary usage data collected when using the Rapyd Europe website can be stored for up to one year under Rapyd Europe’s own responsibility.  

  8. Rights of the data subjects

Regarding the processing of your personal data, you have the following rights provided for in the GDPR, which you can exercise against us for all processing operations for which we are responsible (see Part G. 4.):  

  • The right to request a statement as to whether your personal data is being processed and, if this is the case, the right to information about this data.  
  • The right, under certain conditions, to demand that your personal data be deleted immediately (so-called “right to be forgotten”) (Article 17 of the GDPR).  

To exercise these rights against us, you can also contact our data protection officer using the contact details provided in Part B of this Privacy Policy.  

Regardless of the above rights, you have the right to lodge a complaint with a supervisory authority for data protection and freedom of information, for example the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, which is responsible for us: 

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Postfach 10 29 32, 70025 Stuttgart. 

Tel.: +49 711/615541-0 

Fax: +49 711/615541-15 

poststelle@lfdi.bwl.de 

This is the current version of our privacy policy (effective as of August 19, 2022). We reserve the right to adapt this data protection declaration (in particular in the event of changes in the legal situation or changes to our services). For this reason, we recommend that you check this privacy policy at regular intervals.