Thank you for your interest in Hypatos Studio. Hypatos Studio is Hypatos’ Software as a Service offering for document processing. The protection of your personal data is important to us. Below you will find information on how we handle the data that is collected through your use of Hypatos Studio. Your data will be processed in accordance with the legal data protection regulations.
Hypatos GmbH, c/o Unicorn Workspaces
Am Neuen Markt 9 E-F
14467 Potsdam
info@hypatos.ai
+49 (0) 302 09 97 00
Proliance GmbH / www.datenschutzexperte.de
Datenschutzbeauftragter
Leopoldstr. 21
80802 Munich
datenschutzbeauftragter@datenschutzexperte.de
Our privacy policy should be simple and understandable for everyone. For this reason, our privacy policy generally uses the official terms of the General Data Protection Regulation (GDPR). The official definitions are explained in Art. 4 GDPR.
Hypatos processes personal data on behalf of and in accordance with the inputs of the customer. The subject of this privacy notice is the use of Hypatos Studio and the processing of documents, for example incoming invoices of the customer.
The categories of persons affected by the handling of personal data within Hypatos Studio include:
(1) The personal data are subject to two categories: personal data of Users (“Personal User Data”) and personal data of persons mentioned in the documents processed by means of the Services (“Personal Document Data”).
(2) The following data types are affected by data processing:
The type and purpose of data processing of personal data are specified in the Order Form. This includes the following activities and purposes:
Hypatos Studio uses cookies which are stored on your device by the browser and contain certain settings for the use of the website (e.g. the current session). Cookies are used to make our website more user-friendly, effective and secure. Cookies are small text files that are stored on your computer by your browser. Most of the cookies we use are so-called session cookies, which are automatically deleted after the browser is closed. Other cookies remain stored on your terminal device until you delete them or the storage period expires.
These cookies enable us to recognize your browser on your next visit. In some cases, cookies are used to simplify website processes by saving settings (e.g. settings that have already been made during previous visits). If personal data are also processed by individual cookies implemented by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either to fulfil the contract, or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the product and a customer-friendly and effective design of the site visit.
In order to accept or refuse all or certain cookies, you can set up your browser to inform you when cookies are set. You can also activate the automatic deletion of cookies when closing the browser. The cookie settings for the respective browsers can be customised under the following links:
Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647
Safari: https://support.apple.com/kb/ph21411?locale=de_DE
Opera: http://help.opera.com/Windows/10.20/de/cookies.html
You can also individually manage the cookies of many companies and functions that are used for advertising purposes. Details about the user tools are available at https://www.aboutads.info/choices/ or http://www.youronlinechoices.com/uk/your-ad-choices.
Most browsers also offer a "do-not-track" feature. This feature allows you to indicate that you do not want to be "tracked" by websites. When the function is activated, the browser will tell ad networks, websites and applications that you do not want to be tracked for the purpose of behaviour-based advertising and such like. For information and instructions on how to use this feature, see the links below:
Mozilla Firefox: https://www.mozilla.org/de/firefox/dnt/
Internet Explorer: https://support.microsoft.com/en-gb/help/17288/windows-internet-explorer-11-use-do-not-track
Google Chrome: https://support.google.com/chrome/answer/2790761?co=GENIE.Platform%3DDesktop&hl=en-GB
Safari: https://support.apple.com/kb/PH21416?locale=de_DE
Opera: http://help.opera.com/Windows/12.10/de/notrack.html
In addition, you can prevent the loading of scripts by default. NoScript allows you to run JavaScripts, Java and other plug-ins only on trusted domains of your choice. Information and instructions on how to use this function can be obtained from your browser's provider (e.g. for Mozilla Firefox at: https://addons.mozilla.org/en-GB/firefox/addon/noscript/). Please note that deactivating cookies may limit the functionality of this website.
We generally make sure that personal data is only accessible by a limited number of authorized persons who need the data for the above-mentioned purposes. Within the scope of the described processing activities, your data is not transferred to third parties, unless
Under these conditions, we use external service providers for the processing of our services, whom we have carefully selected and commissioned in writing. They are bound by our instructions and are regularly monitored by us. Required data processing agreements pursuant to Art. 28 GDPR are concluded before the commission. In particular, these contracts concern web hosting services, the processing of documents, external document labelling, user analytics and IT updates and maintenance. Your personal data will not be transferred to third parties by our service providers. The following sub-processors are used to enable Hypatos Studio:
Name/Company: Amazon Web Services EMEA SARL
Function/activity: Hosting Provider
Headquarters: 38 avenue John F. Kennedy, L-1855 Luxembourg
Type of data: Personal User Data as well as Personal Document Data
Location of data processing: European Union
Measures/guarantees to ensure an adequate level of data protection:
https://aws.amazon.com/security/
Name/Company: Microsoft Ireland Operations Limited
Function/activity: Hosting Provider
Headquarters: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Type of data: Personal User Data as well as Personal Document Data
Location of data processing: European Union
Measures/guarantees to ensure an adequate level of data protection: see Annex A:
Name/Company: Google Ireland Limited
Function/Activity: Cloud OCR – optical character recognition of documents processed by Customer
Headquarters: Gordon House, Barrow Street Dublin 4, Ireland
Location of data processing: European Union
Type of data: Personal User Data as well as Personal Document Data
Measures/guarantees to ensure an adequate level of data protection:
https://cloud.google.com/terms/data-processing-terms
Name/Company: MongoDB, Inc.
Function/Activity: Cloud MongoDB deployment
Headquarters: MongoDB Limited, Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland
Location of data processing: European Union
Type of data: Personal User Data
Measures/guarantees to ensure an adequate level of data protection:
https://www.mongodb.com/technical-and-organizational-security-measures
Name/Company: Atlassian Pty Ltd
Function/Activity: Service Desk for Customer support
Headquarters: Level 6, 341 George Street, Sydney, NSW, 2000 Australia
Location of data processing: EU, USA, Australia
Type of data: Personal User Data
Measures/guarantees to ensure an adequate level of data protection: Standard Contractual Clauses (SCCs) for processors as approved by the European Commission
Also see:
Name/Company: Mailjet SAS
Function/Activity: e-mail notification dispatch service
Headquarters: 13-13 bis, rue de l’Aubrac, 75012 Paris, France
Location of data processing: European Union
Type of data: Personal User Data, Personal Document Data
Measures/guarantees to ensure an adequate level of data protection: https://documentation.mailjet.com/hc/en-us/sections/360007328433-Security-Privacy
Name/Company: SupportYourApp, Inc. DBA Label Your Data
Function/Activity: Data Labelling Service Provider
Headquarters: 1007 North Orange Street, 4th Floor, Suite 122, Wilmington, DE 19801, USA
Location of data processing: USA
Type of data: Personal Document Data
Measures/guarantees to ensure an adequate level of data protection: Standard Contractual Clauses (SCCs) for processors as approved by the European Commission; additional safeguards
Name/Company: CenterDevice GmbH
Function/Activity: Cloud document management system (DMS)
Headquarters: Rheinwerkallee 3, 53227 Bonn, Germany
Location of data processing: European Union
Type of data: Personal User Data as well as Personal Document Data
Name/Company: DeepL SE
Function/Activity: Translation Service Provider
Headquarters: Maarweg 165, 50825 Cologne, Germany
Location of data processing: European Union
Type of data: Personal User Data, Personal Document Data
Measures/guarantees to ensure an adequate level of data protection: Data Protection Agreement according to Art. 28 GDPR
Name/Company: Aggranda
Function/Activity: Managed Service Provider
Headquarters: Copaceni Street No 30-34, Ap. D3, Room 2 030395 București, Romania
Location of data processing: European Union
Type of data: Personal User Data, Personal Document Data
Measures/guarantees to ensure an adequate level of data protection: Data Protection Agreement according to Art. 28 GDPR
Name/Company: Wargitsch & Comp. AG
Function/Activity: Managed Service Provider
Headquarters: Ingolstädter Straße 92, 85276 Pfaffenhofen an der Ilm, Germany
Location of data processing: European Union
Type of data: Personal User Data, Personal Document Data
Measures/guarantees to ensure an adequate level of data protection: Data Protection Agreement according to Art. 28 GDPR
The period for which the personal data will be stored is determined by the relevant statutory storage periods (e.g. from commercial law and tax law). The corresponding data is deleted routinely upon expiry of the respective period. If data is required for the fulfilment of a contract or contract initiation, or if we have a legitimate interest in further storage, the data will be deleted if they are no longer required for these purposes or if you make use of your right of withdrawal or objection.
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. This website uses SSL encryption for security reasons and to protect the transmission of confidential content.
Hypatos is certified under the ISO27001:2017 industry standard.
If you have questions regarding the processing of personal data within Hypatos Studio, please reach out to us using the following e-mail address: privacy@hypatos.ai
In the following, you will find information about your data subject rights, which the current data protection law grants you against the controller concerning the processing of personal data:
The right, pursuant to Art. 15 GDPR, to obtain information about your personal data processed by us. In particular, you may request information about the purposes of processing, the categories of personal data concerned, the categories of recipients to whom your data has been or will be disclosed, the envisaged period for which the data will be stored, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing, the existence of a right to lodge a complaint with a supervisory authority, the origin of your data, if these have not been collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences.
The right to obtain without undue delay the rectification of inaccurate personal data concerning you, in accordance with Art. 16 GDPR.
The right to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right of freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
The right, pursuant to Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is contested by you, the processing is unlawful, but you oppose the erasure and we no longer need the data for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims or you have filed an objection against the processing pursuant to Art. 21 GDPR.
The right, in accordance with Art. 20 GDPR, to receive the personal data concerning you, which you have provided to us, in a commonly used and machine-readable format and the right to transmit those data to another controller.
The right to withdraw your given consent pursuant to Art. 7 para. 3 GDPR with effect in the future at any time.
The right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, in particular in the Member State of your habitual residence or place of work.
The right to withdraw your given consent pursuant to Art. 7 para. 3 GDPR: You have the right to withdraw your given consent concerning the processing of your personal data with effect for the future at any time. In the event of withdrawal, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to object
If your personal data is processed by us based on legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, you have the right, pursuant to Art. 21 GDPR, to object at any time to the processing of your personal data on grounds relating to your particular situation. If the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement of stating a particular situation.
If you wish to exercise your right of withdrawal, objection or any of your other rights, simply send an e-mail to privacy@hypatos.ai.
We reserve the right to adapt or update this privacy policy, if necessary, in compliance with the applicable data protection regulations. In this way, we can adapt it to the current legal requirements and take account of changes to our services, e.g. the introduction of new services. The most current version applies to your visit.
December 2023