Privacy Policy for App

Data protection statement

In this statement, we inform you about what data is collected when you use the ForestManager app. You can read how it is used and what data protection rights you have.
For a better understanding, we try to avoid technical representations as much as possible.

Who is the owner of the app?

The provider of the app ForstManager – Die WaldApp (hereinafter referred to as „app“) is rBITech GmbH, Franz-Mayer-Straße 1, 93053 Regensburg (hereinafter referred to as „rBITech“).
rBITech is also the data protection officer for the processing of personal data of App users.
You can reach the data protection officer of rBITech either at the above address or at datenschutz@rBITech.de.

How is the personal data processed?

As a matter of principle, rBITech processes your personal data only on the basis of consent granted by you in accordance with Article 6(1) sentence 1 (a) and Article 9(2) (a) of the GDPR. You may revoke any consent you have given at any time. For more information on your right of withdrawal and instructions on how to exercise it, please see section 11.

What personal data is processed?

The app only collects data for synchronization with third parties and for location tracking during app use. This means that no data is collected that is aimed at your identity or location, or that can be used for statistical analysis. To use the app and synchronization, the following data is collected:

Access data

Access data is accrued when you activate the following functions:
  • the synchronization
  • the registration of an additional mail address
  • inventory data collection
  • SOS function
  • backreporting
  • Tracking of paths and turning points
  • Background localization for more accurate position tracking
The data resides on a server stationed in Germany. For the basic operation of the app, only technical data such as device information, timestamp, partially anonymized and randomly generated user ID are stored.
In addition, the following miscellaneous data is processed for synchronization:
  • Date and time of retrieval (timestamp)
  • Amount of data transferred (packet length)
  • Message about successful retrieval
  • E-mail address
  • Name
  • Distance and identifiers of rescue points in the vicinity
  • Exact position
  • Device identification
All access data is processed exclusively to maintain the technical infrastructure and to exchange information with share partners. At no time is it possible to create a user profile or identify you personally as a user of the app. The IP address is not stored after the end of the usage process.
If you send support requests by e-mail, this message is created in the communication portal of rBITech GmbH and stored on a server in Germany. For more information on data processing for support requests, please refer to the following link:
https://www.rbitech.de/datenschutz

Sharing of emergency call data

An emergency message can be sent at any time from any page within the app. In this message, the last recorded location coordinates and the nearest rescue points, with their distance and cardinal direction, are transmitted. This data is not stored on a server at any time.

Register synchronization

To use the synchronization it is necessary to register as a person. For this purpose, the following data is collected:
  • Name
  • E-mail address
To establish a permanent connection, you can have the synchronization partner scan the QR code on site or send an invitation link. After confirmation by the partner, their approved data is visible to you and your approved data is visible to the partner. This connection can be disconnected at any time. After permanent disconnection, all data on the remote device will be permanently removed. The use of synchronization requires that all synchronization partners use the app.
The QR code and the invitation link contain the following data:
  • Name of the connection partner
  • Random user ID
  • IP address (Cloud features store IP addresses only temporarily to provide the service)
Connection data is generated and stored in Firebase until the user account is deleted. It is used by Firebase Cloud Function and Cloud Messaging. Please read the privacy policy of Firebase at the following link: https://firebase.google.com/support/privacy#data_processing_information.

Data sharing through synchronization

If you have activated the function for synchronization of data with third parties on your user device, after the invitation confirmation by the synchronization partner, data changes and extensions are only transmitted when you start the synchronization. Automatic data exchange does not take place. It is possible to stop or adjust the data exchange at any time. The following data is transferred:
  • Location data of notes and territories
  • Stored name of the owner
  • Date and time of all saved comments
  • Category of the note
  • Encrypted metadata (log version, …)
  • Paths and turning points
The metadata is stored in a log for 14 days. The metadata is not part of the app, but an integral part of the operating system of your user device. The metadata is therefore provided by Google (Android user device) and is accordingly subject to Google’s privacy policy. The operating system-side data processing is beyond the control of rBITech.
For more information on the collection of metadata from your user device, please consult your user device manufacturer.
Metadata is only processed by the app if synchronization is enabled.

Retrieving the partner’s data

The app queries the server system for the data changes using the stored key as soon as the button for synchronization has been started. Changes are displayed and overlaps are marked.

Informative use of the app

Insofar as the app is only used for the use of specially created data, i.e. no synchronization takes place, the processing of the data takes place exclusively locally on your end device and no personal data is generated. Websites linked in the app are opened and displayed in the default browser of your user device. Which data is processed depends on the browser used.

Which permissions and functions does the app require?

The app requires access to various functions and interfaces of your user device. For this, it is necessary that you grant certain permissions to the app. The permissions are programmed differently by different manufacturers. For example, individual authorizations may be combined into authorization categories, whereby you can only agree to the authorization category collectively. Please note that if access is rejected, you will be able to use none or only a few of the app's functions.

Technical requirements

  • Internet
    The app requires an internet connection for synchronization to be able to communicate to the system server of the.
  • Camera
    Your user device requires a camera to be able to use it to scan a QR code as part of the synchronization. The camera is also needed to capture images during the production data acquisition.
  • Background operation
    The app uses background operation (that is, when you are not actively using the app) to record paths and locate the nearest rescue points. If you disable background operation, you must start all actions in the app itself.
  • Location detection
    Location detection must be enabled to locate coordinates and rescue points. The location data is stored in the notes and transferred with synchronization. Deleting the notes also removes the location data.
    If background localization is activated, the exact position is determined for up to 45 minutes after the last action to avoid a longer wait for a more accurate GPS position.
  • Notifications
    The user is notified locally about news and changes to the synchronized data. Since necessary for this notification function is already enabled in the operating system.

When will the data be deleted?

All app data is deleted as soon as it is no longer needed for the app’s functions:

Sync data

The data shared in the app will be automatically deleted from the sync partner as soon as you remove the partner from the app. The deleted partner will be informed about it in a notification.

Data in Firebase

All user data (ID, name, key) will be irrevocably deleted as soon as the account is deleted. The rBITech GmbH has no influence on the deletion process on functions provided by Google. The deletion is based on the specifications of Google. Currently, the data is automatically deleted after 14 days. In addition, within the framework of the functionalities provided by Google, you can initiate a manual deletion in the system settings of your device, if necessary. Firebase retains instance IDs until the Firebase customer makes an API call to delete the ID. After the call, the data is removed from live and backup systems within 180 days.

Data on cloud servers

Stored user-related data is irrevocably removed from the server after account deletion. If you have consented to provide inventory data anonymously for research and development when registering the app, the data will continue to be used for site-related analyses without user reference after account deletion. For technical reasons, this consent can no longer be revoked at a later date (§27, §35 BDSG).

To whom is the data passed on?

For the maintenance and operation of the technical infrastructure of the app (e.g. server systems, hotline), rBITech GmbH is commissioned and takes over the commissioned data processing for rBITech GmbH (§28 GDPR).
Furthermore, rBITech GmbH only discloses personal data collected in connection with the use of the app to third parties to the extent that rBITech GmbH is legally obligated to do so or the disclosure is necessary for legal or criminal prosecution in the event of attacks on the technical infrastructure of the app. A passing on in other cases does not take place in principle.

Will data be transferred to a third country?

The data generated when using the app is processed exclusively on servers in Germany or in another EU or EEA member state.

Revocation of consent

You have the right to revoke the consent given in the App vis-à-vis rBITech GmbH at any time with effect for the future. However, this does not affect the lawfulness of the processing until the revocation.
To revoke your consent to synchronization, you can remove the partners and delete the user account. The user ID and the associated key will be removed in Firebase. The operating data then stored by rBITech GmbH can no longer be assigned to your user device. If you want to set up synchronization again, a new registration and consent are required. Please note that rBITech GmbH has no possibility to delete transmitted random IDs directly from the end devices of other users.

Your further data protection rights

Insofar as rBITech GmbH processes personal data from you, you are also entitled to the following data protection rights:
  • the rights under Articles 15 – 18, 20, 21 GDPR
  • the right to complain to a competent supervisory authority for data protection. To do so, you can either contact the competent supervisory authority in your place of residence or the competent authority at the registered office of rBITech GmbH. The competent supervisory authority for rBITech GmbH is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27, 91522 Ansbach.
We draw your attention to the fact that the rights just mentioned can only be fulfilled by rBITech GmbH if the data to which the claims relate can be clearly assigned to you as a person. This would only be possible if rBITech GmbH collects further personal data from you or your terminal device, which allows a clear assignment to your person or your terminal device.
Since this is not necessary for the basic use of the app (and also not desired by us), rBITech GmbH is not obligated to such data collections (§ 11 para. 2 GDPR). Furthermore, it would no longer be within the scope of striving to work as data-savingly as possible. Thus, the above articles will only be fulfilled with additional information about the person, which is not available to rBITech GmbH.
It is different when using the synchronization. Since personal data is collected here, you can fall back on the above articles.

Status 24.03.2021