Privacy Policy (Art. 13 and 14 GDPR)

Last updated: January 2025

1. Data Controller

The controller responsible for data processing within the meaning of the GDPR is:

[Name and address of the controller – to be filled in by the operator]
[Contact email]
[Optional: Data Protection Officer, contact details]

2. Purpose and Legal Basis of Processing

Inkluvo is software for managing client and organisation data (e.g. institutions in child and youth welfare). We process personal data only for the performance of the contract, access control, and technical provision of the application.

  • Contract performance (Art. 6(1)(b) GDPR): User accounts, organisation and client master data, appointments, reports, accommodations, medications, financial and booking data.
  • Legitimate interests (Art. 6(1)(f) GDPR): Technical logs, security measures (e.g. access control, rate limiting), fraud and abuse prevention.
  • Legal obligation (Art. 6(1)(c) GDPR): Retention periods under commercial and tax law where applicable.

3. Special Categories of Personal Data (Art. 9 GDPR)

Where health data (e.g. medications, allergies, diagnoses) or data of children and adolescents are processed in the application, this is done on the basis of:

  • Consent (Art. 9(2)(a), Art. 6(1)(a) GDPR) or
  • Legitimate interests of the institution within the framework of child and youth welfare, where national law (e.g. SGB VIII) provides for this and the interests of the data subjects are safeguarded.

Children’s data: Processing of data of minors takes place only in the context of use by authorised staff of the respective organisation. Minors do not register independently in the application. The organisation is responsible for the lawfulness of collection regarding minors (processor relationship or joint controllership – to be specified by the operator).

4. Recipients and Processors

Personal data are disclosed only to recipients necessary for the provision of the service (e.g. hosting, email delivery). Processors are bound by contract in accordance with Art. 28 GDPR. No disclosure to third parties for marketing purposes takes place.

5. Transfers to Third Countries

Transfers to third countries outside the EEA take place only where the Commission has adopted an adequacy decision or appropriate safeguards (e.g. standard contractual clauses) are in place. The operator shall document the sub-processors used and their locations in the technical documentation.

6. Storage Period

  • User and organisation data: Until deletion of the account or organisation, plus a backup retention period (max. 30 days), unless longer legal retention periods apply.
  • Client and case files: In accordance with retention periods defined by the organisation and required by law (e.g. youth welfare, financial accounting).
  • Technical logs: At most 90 days, unless a shorter period is agreed for security reasons.

7. Your Rights

You have the following rights vis-à-vis the controller, among others:

  • Access (Art. 15 GDPR) to the data stored about you,
  • Rectification (Art. 16 GDPR) of inaccurate data,
  • Erasure (Art. 17 GDPR) under the conditions set out there,
  • Restriction of processing (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR),
  • Objection (Art. 21 GDPR) to processing based on Art. 6(1)(f),
  • Withdrawal of consent with effect for the future,
  • Complaint to a supervisory authority (Art. 77 GDPR).

Contact for exercising your rights: [Controller email/address].

8. Obligation to Provide Data

The provision of personal data is necessary for the conclusion and performance of the contract and for use of the application. Without these data, the contract cannot be performed or the service cannot be provided.

9. Automated Decision-Making

There is no automated decision-making within the meaning of Art. 22 GDPR (no profiling with legal effect).

10. Security of Processing (Art. 32 GDPR)

The controller and, where applicable, its processors implement technical and organisational measures appropriate to the risk, including:

  • Access control (authorisation- and organisation-based),
  • Encryption of connections (TLS),
  • Limitation of access attempts (rate limiting),
  • Regular review of measures.

Details on encryption and access control may be set out in separate security or processing documentation.

11. Changes

This privacy policy may be updated as needed. The current version is available at the URL indicated; users or organisations will be informed of material changes.