Data Privacy Notice
SIMSme Business for Business Customers
Deutsche Post AG (hereinafter Deutsche Post) appreciates your interest in SIMSme Business. We take your privacy seriously and have developed internal systems to ensure the privacy of your personal data during all stages of processing related to our business operations, including visits to our internet pages and the use of our services.
This document details which data we at Deutsche Post collect during your visit to the SIMSme Business website and when you use the SIMSme Business app, and how such data is used.
2. Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; This includes information such as proper names, address, telephone numbers and date of birth. Information that cannot be directly associated with a real identity — such as the total number of users of a site — is not considered personal data.
3. Name and contact details of the controller and the data protection officer
This data privacy notice applies to data processing at
Deutsche Post AG
Please contact our data protection officer with any questions related to the processing of your personal data. The data protection team is available to assist you with requests for information, comments or complaints.
Deutsche Post AG
Gabriela Krader, LL.M
4. Competent supervisory authority
Data processing related to postal and telecommunications services:
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen
Other data processing by the responsible parties:
Die Landesbeauftragte für den Datenschutz Nordrhein Westfalen
5. Purpose and legal basis for data processing
5.1 Visit of the website
Deutsche Post is obligated to protect the privacy of the users of our website. When you visit our websites, a certain amount of data must necessarily be collected and stored for connection, configuration and security purposes. Accordingly, our web servers always temporarily store: the connection data of the computer connecting to our website; a list of which of our web pages you visit; the date and duration of your visit; the IP address of your device; identification data related to the browser and operating system you are using to visit us; and the website from which you were referred to our website. Beyond this, no personal data such as your name, address, telephone number or email address is collected unless offered on a voluntary basis, such as to register for the website, to participate in a survey or prize sweepstakes or as required to perform a contract or informational query.
The legal basis for the processing of the aforementioned data categories is Art. 6 Paragraph 1(f) rev GDPR. For these reasons, and in particular to ensure safe and seamless connection, we have a legitimate interest in the processing of such data.
5.2 Use of web tracking
We deploy tracking software to determine the number and frequency of users of our website. This software does not collect any personal data or individual IP addresses. The data is solely collected in an anonymized, aggregated form for statistical purposes and to aid in the development of the website. This in turn helps us to improve not only the services we offer, but also the user-friendliness and customer orientation of content and services on our website.
5.3 Google reCAPTCHA
We use the Google reCAPTCHA service to protect our website from spam and misuse. reCAPTCHA prevents automated software (so-called “Bots”) from undertaking abusive activities on the website. The mechanism works by challenging whether any provided information actually originates from a human user. To do so, the following data is collected and processed:
- Referrer (address of the page on which the Captcha was used)
- IP address of the user
- Google account (if the user is registered with Google, then this is detected and classified)
- The input behavior of the user (such as answering of the reCAPTCHA question, speed of entry into the form fields, sequence of selection of the input fields by the user) to improve the detection performance by Google. Browser, browser size and resolution, browser plug-ins, date and language settings
- Mouse and touch events within the page
Google furthermore reads out cookies from other Google services such as Gmail, Search and Analytics. All data is sent to Google in encrypted form. Google’s subsequent assessment determines which form of Captcha is shown on the site — either a checkbox or text input field. There is no read-out or storage of personal data from the input fields on the forms. For more information about Google’s data protection policy, please visit www.google.com/policies/privacy/.
“Cookies” are small files that allow us to store specific personal information about you on your PC while you are visiting our website. Cookies allow us to determine the frequency of usage and number of users to our internet pages and to design our offerings to be as convenient and efficient for you as possible.
In accordance with Art. 6 Section 1(f) rev. GDPR, we use “session cookies” to optimize our website and ensure convenient, uninterrupted usage. These cookies are stored solely for the duration of your visit to our internet pages. They are automatically deleted once you close your browser. Beyond this, we use other “persistent cookies” to record information about users who visit our internet pages repeatedly. These cookies are used to provide you with the best possible user interface, as well as to “recognize” you and present a more diverse selection of content on our web pages upon repeated visitation.
No individual profile is formed based on use behavior. The content of persistent cookies is restricted to an identification number. No name, email address, IP address etc is stored. Certain exceptions apply to this, as explained in the Cookie chart below.
5.4.1 Cookie chart and cookie categories
Cookies can be categorized into the following four groups. Please note that cookies can belong to more than one category
Absolutely necessary: The following cookies are absolutely necessary to allow for navigation of the website and the use of its features. The services you wish to use would be unavailable without them.
Performance: These cookies collect information about how users use a website, such as which pages visitors call up most frequently. No information that can be used to personally identify the user is collected in this process. All information collected by these cookies is aggregated and is thus anonymous. The data is used solely to improve the functional flows of the website.
Functionality: These cookies allow websites to record your decisions and provide expanded, personalized functionality. For example, these cookies can be used to note changes to font sizes, font styles and language preferences. They also facilitate the provision of services you wish to use, such as playback of videos or commenting on a blog. The information collected by these cookies can be anonymized; the cookies are not capable of tracking which other websites you’ve visited.
Targeted advertising: These cookies allow for ads to be shown to you that are of greater relevance to you and your interests. These also serve to limit the number of cases in which you will see advertising, and improve the ability to measure the effectiveness of the advertising campaign. The ads are typically placed by an advertising consortium, with the permission of the website operator. They establish that you have visited a website; that information is forwarded to other organizations, such as advertising agencies. The Deutsche Post website does not currently use any such targeted advertising cookies.
The following chart lists all specific cookies used on the website.
- Cookie: Adobe SiteCatalyst Analytics Cookies
Name: s_cc, s_sq
- Cookie: Adobe SiteCatalyst Analytics Cookies
Purpose: This cookie is set when a visitor calls up the home page. It provides an ID for each unique, discrete visitor and collects information on how our website is used. We use this information to determine ongoing steps in the development of our website and to improve our ability to provide user-specific content. The cookie contains information in anonymous form (Unique Visitor ID, time and date). This information is solely used internally and confidentially by Deutsche Post to improve the website for visitors. It is deleted after 90 days.
- Cookie: Google Adwords Conversion-Tracking Cookies
Purpose: This cookie is set when a visitor clicks on an ad placed by Google. It becomes invalid after 30 days and contains no personal data, and hence is not used for personal identification. When a visitor visits specific internet pages on our website and the cookie is still valid, Google and Deutsche Post can identify that the visitor has clicked on the ad and was forwarded to this page. This information, retrieved via the aid of the conversion cookie, serves to create conversion statistics for AdWords customers. It does not, however, contain any information that could be used to identify the user personally.
- Cookie: Google Remarketing Cookies
Purpose: This cookie is set when a visitor clicks on an ad placed by Google. In doing so, Google stores a small file containing a numerical sequence in the browser of the site visitor. That number is used to record visits to the website as well as anonymized data on the usage of the website. If the visitor subsequently visits another website in the Google display network, then ads are likely to be placed that reflect previously visited product and informational areas. No personal data from the visitor of the website is stored.
- Cookie: Management Cockpit Login Cookies
Purpose: This cookie is set via an optional checkbox when an administrator accesses the Management Cockpit application. It serves to identify a unique, discrete visitor and records the email address of the visitor to simplify the login process for that visitor.
- Cookie: Web Messenger Login Cookies
Purpose: This cookie is set via an optional checkbox when a user accesses the Web Messenger application. It serves to identify a unique, discrete visitor and records the email address of the visitor to simplify the login process for that visitor.
5.4.2 Use of Cookie
It is possible to use our services without enabling cookies. You can set your browser to prevent it from storing cookies, limit cookies on specific websites or configure your browser to inform you when a cookie is set. You can delete cookies from your computer’s hard drive at any time (Folder: “Cookies”). Please note that doing so may degrade the functionality and appearance of the website. Most browsers include the ability to control the behavior of the majority of cookies. For more information about cookies, including questions of which cookies are set and how to manage and delete them, please visit All About Cookies at http://www.allaboutcookies.org/. For EU-specific information about cookies and the various options for deactivating them, please also visit the website Your Online Choices at http://www.youronlinechoices.eu/.
To opt out of Adobe SiteCatalyst Analytics’s cross-website tracking (or to change your settings if you’ve previously opted out), please visit Adobe SiteCatalyst Analytics Opt-out at http://www.112.2o7.net/optout.html?second=1&second_has_cookie=0&locale=de_DE.
Please remember that you must reapply your opt-out settings if you delete your cookies or visit the site using a different browser or computer.
You can also opt out of some or all ad cookies on your computer by visiting the website of the Network Advertising Initiative (NAI) at http://optout.networkadvertising.org/?c=1#!/.
Not every visitor to our website is using a web browser. Some users visit the Deutsche Post website or use its applications on a mobile device. In this case it may not be possible to deactivate cookies or change your web browser settings.
5.5 Use of SIMSme Business
To provide SIMSme Business for your use, certain pieces of your personal data are required. This data is required to perform the contract regarding the use of SIMSme Business. The legal basis for the processing of the aforementioned data categories is Art. 6 Paragraph 1(b) rev GDPR, as it is related to the performance of a contract into which you have entered. The following sections provide additional information on this.
SIMSme Business is an internet-based, platform-independent service for secure exchange of messages between users of mobile devices and desktop PCs. In this relation, the follow definitions shall apply:
- App Messenger: Messenger based on mobile apps for use of SIMSme on smartphones.
- Messenger: Application for communication via SIMSme as an app messenger or web messenger.
- Web Messenger: Messenger based on web browsers for use of SIMSme on a desktop and tablet.
5.5.2 Collection and processing of data during registration
To register for a SIMSme user account, the Messenger records the mobile phone number and/or email address and, where desired, nickname and profile image of the user. Beyond this, SIMSme Business can optionally use the email directory feature. For this function, the user provides first and last name and a business email address. An activation code is then sent by email to that last address. The mobile phone number or email address is then stored in hashed form in the SIMSme server.
For the public address book, the domain portion of the email address is hashed with a specific value. This ensures that all users from the same domain will be visible to one another based on that domain hash. As the domain is the sole portion shared among users, the domain is formed using an algorithm built around an AES key. This AES key is used to encrypt the user data (first and last names, email address). Based on the shared domain, a directory containing users’ first and last names is then constructed in verified Messenger apps.
You can also use SIMSme without allowing access to your contacts. If you register with SIMSme and explicitly approve access to the phone book contacts on your smartphone, these are then sent to the server for a hashed comparison and then deleted. Contacts who have saved your number in their telephone book and who are also using SIMSme are then informed about your registration when they search for other users.
5.5.3 Collection and processing of data during use of Messenger
SIMSme stores your login data (nickname, mobile phone number and/or email address and password) locally in your Messenger app so that you can remain permanently connected. Your communications data is also stored locally in encrypted form within the messenger. Our servers, which are all based in Germany, solely receive your mobile phone number and/or email address, your profile photo and your nickname.
Messages are end-to-end encrypted and are only stored temporarily on our servers. All messages are deleted from the server after 90 days. Messages available on the server during that 90 day window are synchronized between multiple devices logged in with the same SIMSme user account so that those messages can be accessed on any devices the account holder uses. User accounts and all related data can be completely deleted from our servers by the user from within the profile settings.
5.5.4 Importance and use of the password
When creating an SIMSme user account, an RSA key pair is generated on your device. The private key is encrypted based on the device password you select and can only be decrypted using that same device password. In addition, the user can select to create a “recovery code” when first creating the key pair. This code is then stored to the device in encrypted form.
No one — including Deutsche Post — knows your private key other than you.
If you forget your device password and have activated the relevant function in Messenger, then you can have the “Recovery Code” sent from your device via a separate, previously defined secure communication channel. Once received, the code can be used to unlock the application and assign a new device password. The recovery code is calculated using a secure process and is only issued by your device when you specifically request it. If you did not activate the relevant function in your app’s settings, then your current app profile can no longer be used and any stored messages are no longer accessible. As such, your SIMSme password is highly important. Even if you allow the app to remain logged in permanently, you must always know your password in case you need to delete your profile or make changes to the password settings.
5.5.5 Collection and processing of data in the Management Cockpit
To order Business licenses using the website, the following business customer information is required for billing purposes: name, street, house number, postal code, city, country and VAT ID. The Management Cockpit is a web application protected for security reasons (2-factor authentication) with a personal browser certificate and a password login.
Certain additional information is required to issue a certificate for the administrator. This includes: Last name, first name, email address (login), mobile number (SMS verification), domain name (address directory) and finally the Client certificate. The aforementioned data are stored in unencrypted form in the Management Cockpit. The Administrator can also update individual pieces of data (such as the address) and order new licenses.
The application server has access to the corporate data in the SIMSme database, as this is needed to provide the web application for the Management Cockpit. The SIMSme database contains the name of the company and the hashed domain. In addition to the licenses, credit codes are anonymously assigned to the Management Cockpit. They enable a more efficient use of the Management Cockpit dashboard, the Administrator can use anonymized data about the users and messages from individual chats, group chats or distribution channels. It is the responsibility of the Administrator to define groups of a sufficient size (at least 7 users) to ensure compliance with the data protection laws by preventing the behavior of any individual user from being identifiable.
5.5.6 Collection and processing of data for quality assurance purposes
When using the SIMSme Messenger, anonymized and cumulative data on user behavior is recorded and statistically assessed for quality assurance and improvement reasons, such as the number of all messages sent via SIMSme, operating system, app version, number of all logins per day etc. It is not possible to associate the anonymous data with any natural person.
We have commissioned Adjust GmbH of Berlin to process this data. Adjust GmbH has received the EU ePrivacy seal, certifying that it complies with data privacy standards. For more on this, please see https://www.eprivacy.eu/kunden/vergebene-siegel/firma/adjust-gmbh/.
If you do not wish to allow the collection and processing of this anonymized data by the SIMSme app, you can deactivate this function in the settings section of the SIMSme app under Data Protection. If you are already in the SIMSme app, a link to deactivate the function will appear at the end of this text.
6. Storage duration
Your personal data is deleted or locked as soon as the purpose of storage is no longer applicable. Storage may also be extended to meet legal storage requirements. Locking or deletion of the data then occurs once the legally specified storage period has expired, unless further storage of the data is required to conclude or perform a contract.
7. Recipients or categories of recipients
Deutsche Post does not and will not forward your personal data to third parties, except where required by law, or to fulfill a contractual requirement, or where you have expressly given your consent for it to do so.
External service providers processing the data on our behalf have offered sufficient guarantees that they are working with suitable technical and organizational measures to process the data in compliance with the requirements of the EU General Data Protection Regulation. As per Art. 28 GDPR, they are obligated to strict confidentiality. In this case, Deutsche Post remains responsible for the protection of your personal data. The external service providers process personal data only upon documented instruction to do so by Deutsche Post.
8. Transfer to foreign countries
Transfer to foreign countries means that data is forward to a state outside the European Economic Area (EEA), or access from within such a state is allowed. Your SIMSme-related data will never be processed in such a foreign country.
10. Rights of the Data Subject
You as data subject have the following rights:
- to receive information about your data that we have stored,
- notification if your data is not properly stored,
- deletion or – where storage obligations exist — limitation of processing to only that specific data necessary for the denoted purpose,
- to receive data that you have provided in a structured format that is current and can be read electronically,
- the right to revoke consent if the processing of your data affects a justified interest / against the use of data for advertising purposes / against a decision based solely on automated processing, including profiling.
- If you have any doubts that the processing of your data is in compliance with data protection law, complaints should be filed with the competent supervisory authority.
Should you wish to enforce your rights, please contact the following office: by postal mail at Deutsche Post AG // SIMSme; Charles-de-Gaulle-Str. 20; 53113 Bonn or by email to email@example.com. Insofar as you provided consent for a specific type of processing, you can revoke this at any time at the address provided to you at the time of consent.
11. Data security
Deutsche Post uses all necessary technical and organizational security measures to protect your personal data against loss and misuse. For example, your data is stored in a secure environment that is not accessible to the public. In some cases, your personal data is encrypted during transmission using Secure Socket Layer (SSL) technology. This means that communication between your computer and Deutsche Post servers is handled using an accredited encryption process, presuming your browser supports SSL. If you wish to contact Deutsche Post by email, please not that we cannot ensure the confidentiality of any information you provide. The content of email messages can be intercepted and read by third parties. We therefore recommend that you send us any confidential information solely via postal mail.
12. Last Update of this Data Privacy Notice
We review our Data Privacy Information on a regular basis. Deutsche Post reserves the right to change its data privacy statement at any time and without prior warning. Please visit regularly to inform yourself about any changes. By using this website, you are providing your consent to this data privacy declaration. This declaration was last updated on May 15, 2018.