Privacy and Legal Policy

Below we provide information about the processing of personal data when you use our website and our social media channels.

According to the GDPR, personal data is any information relating to an identified or identifiable natural person. This includes information such as your name, your date of birth, your address, your email address, your IP address or your telephone number as well as your user behaviour. In contrast, information that is not directly linked to your real identity – like generally preferred websites by all users or the number of users of a website – is not considered personal data.

A data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

Processing refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing involves marking stored personal data to limit future processing.

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

A recipient is a natural or legal person, public authority, agency or other body, to which personal data is disclosed, whether or not this is a third party. However, public authorities that may receive personal data as part of a specific enquiry in accordance with law are not considered recipients.

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and those persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Exclusively automated decision-making – including profiling – in accordance with Art. 22 GDPR refers to decisions made by data processing systems without any human intervention. According to Art. 4 No. 4 GDPR, profiling is any form of automated processing of personal data used to evaluate personal aspects of a natural person.

As we do not offer Nextcloud hosting for others, this Privacy Policy cannot cover what happens on individual Nextcloud instances, i.e. when users use the Nextcloud software. In general:

Our software, be it the Nextcloud server or the Android or iOS apps, is designed from the ground up to ensure that no user data, especially personal data, is transferred to us.

The optional Usage Survey app (usage report) can send us statistical data about the use of the instance, such as installed apps. This data helps us improve our services. You have the option of checking and authorising this data before it is transmitted. We store the data in an aggregated form and not on a single server basis. As a result, this data cannot be used to draw conclusions about the information of an individual instance in the event of a data leak.

When the updater app is activated, it sends information including the installed Nextcloud and PHP version, the installation time and the selected update channel to the Nextcloud updater server to obtain information about possible updates. We store a subset of information including the installation time and the installed version of the instance to collect statistical data.

We operate a push proxy service for mobile applications for private users. Notifications are encrypted and signed by the server, checked and re-signed by the push proxy and then forwarded to the mobile device. This ensures minimal data transmission and protects user privacy throughout the process. Details of the transferred data can be found here. We do not store any personal data.

With regard to third-party apps for the Nextcloud software: We cannot accept any responsibility for these apps and the user data stored or used by them. In our app store we have a policy against the misuse of private data. Any app found to be in breach of this policy will be removed from our app store and its author blocked. However, we do not have the capacity to check all the code of third-party apps and therefore advise caution when installing these apps.

The data transmitted or collected about you will be collected, used, processed, stored and, if necessary – if required by law or contract – passed on to third parties exclusively within the framework of the applicable data protection laws (GDPR, Federal Data Protection Act, State Data Protection Acts and Telemedia Act).

Art. 6 GDPR provides various legal bases for the processing of your personal data, which are referenced in this privacy policy:

1. 6 para. 1 a) GDPR serves as the legal basis for the processing of personal data if the data subject has given consent.
2. 6(1)(b) GDPR serves as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party. This legal basis also applies to processing operations necessary for the performance of pre-contractual measures.
3. If we have to process personal data to fulfil a legal obligation of our company, the legal basis for this is Art. 6 para. 1 c) GDPR.
4. 6 (1) d) GDPR serves as the legal basis if the processing of personal data is necessary to protect the vital interests of the data subject or another natural person.
5. If the processing of personal data is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh this first interest of our company or a third party, this processing is carried out on the legal basis of Art. 6 para. 1 f) GDPR.

Furthermore, your consent may be the legal basis for data processing in the case of express consent for the transfer of personal data to third countries, data processing is also carried out based on Art. 49 para. 1 lit. a GDPR and in the case of Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed in accordance with Art. 9 para. 1 GDPR.

The storage of information in the end user’s terminal equipment, such as via cookies stored on your computer, or access to information that is already stored in the terminal equipment, is only permitted if it is justified by one of the following legal bases:

– Section 25 (1) TDDDG: If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR;

– Section 25 (2) no. 1 TDDDG: If the sole purpose is the transmission of a message via a public telecommunications network or

– Section 25 (2) no. 2 TDDDG: If the storage or access is absolutely necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

As soon as the purpose of storing the respective personal data of the data subject no longer applies, it will be deleted or blocked. However, data may be stored beyond this point in time if this is provided for in European or national regulations, laws or other provisions to which we are subject as the data controller. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless further storage of such data is necessary for the conclusion or fulfilment of a contract.

As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These companies may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer at the relevant points in this privacy policy.

The European Commission certifies that some third countries have data protection standards comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data pursuant to Art. 46 para. 1, 2 lit. c GDPR (the standard contractual clauses of 2021 are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en), certificates or recognised codes of conduct as well as if you have given your express consent to the transfer of personal data to third countries (Art. 49 para. 1 lit. a GDPR).

The scope and type of collection and use of your data differs depending on whether you visit our website only to retrieve information or whether you make use of our offers – such as Nextcloud instant trial, newsletter subscriptions or email contact:

In principle, it is not necessary for you to provide us with personal data in order to use our website for information purposes only. Instead, we automatically collect, use and store information in the server log files during your visit to our website, which is transmitted to us by the browser you are using.

The legal basis for this temporary storage of data and log files is Article 6(1)(f) GDPR, as our legitimate interests in this storage as set out below outweigh your interests, fundamental rights and freedoms: The IP address is considered personal data. Temporary storage of the IP address by the system is necessary to transmit our website to your browser. For this purpose, the IP address must remain stored for the duration of the session. It is stored in log files to ensure the functionality of our website. We also use the data to optimise our website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes.

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. For data collected to provide our website, this occurs when the respective session ends. If the data was stored in log files, it is deleted after 7 days at the latest. However, it is also possible to store the data beyond this period. In such cases your IP address will be deleted or anonymised, making personal identification no longer possible.

(d) Possibility of objection and removal

The collection of data for the provision of our website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, you have no option to object.

Our website and social media profiles contain information to enable quick contact and communication. If you contact us by email, telephone, fax or via our social media profiles, the personal data you provide (e.g. first name, surname, email address, any other voluntary information) will be stored. Your IP address and the date and time are also stored when you send the message by email. The information and contact details you provide will be stored by us to answer your enquiry and in the event of follow-up questions. We will not pass on this data without your consent.

If you use our profiles in social networks to contact us (e.g. by creating your own posts, responding to one of our posts or sending us private messages), the data you provide, such as your name or email address, will also be collected by the respective social network (see XIX. below).

The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. This is the case when the respective conversation with the user has ended. The conversation is considered ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

After an objection or cancellation declared by you [see below under (5)], your personal data will be deleted within 7 days.

However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with the processing of customer inquiries or complaints and in order to be able to prove previous consent).

You have the option to withdraw your consent to the processing of personal data at any time [see XXI. (8) Right of withdrawal below].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI. (1) Right to object below].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com. Note that this means conversations that are ongoing, instant trials you have started, newsletter subscriptions and other services that require us to have your data, will stop.

If you register for a newsletter, we will only collect your email address in order to provide this service. The collection and transmission of the email address is only used for sending our newsletter. It is otherwise not possible to use the newsletter. This entire process is documented and stored, including the time of registration and confirmation as well as your IP address. No data is passed on to third parties in connection with the data processing for sending newsletters. Our newsletter is published regularly and contains, for example, information about products and events.

The user’s email address is stored for as long as the subscription to the newsletter is active. The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. This occurs when you no longer wish to subscribe to the newsletter and revoke your consent [see (5) below]. Your personal data will be deleted within 7 days of your cancellation. However, this data will not be deleted if and insofar as we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with proof of your consent to receive the newsletter). The double opt-in data will also be stored for this period so that we can prove this. Thereafter, we will retain the data for a further period of 3 years after cancellation in order to be able to prove the existence of consent to receive the newsletter.

The other personal data collected during the registration process is generally deleted after a period of seven days.

As part of your use of our website, we use technical aids for various functions, particularly cookies, which can be stored on your end device. When you access our website and at any time thereafter, you have the choice to allow cookies generally or to select specific individual additional functions . You can make changes in your browser settings or via our Consent Manager, accessible at the bottom of every subpage of our website under Cookie settings. In the following, we first describe cookies from a technical perspective (a) before detailing your individual choices by describing technically necessary cookies (b) and cookies that you can voluntarily select or deselect (c).

Cookies are text files or database information stored on your hard drive and assigned to the browser you are using so that certain information can flow to the location that sets the cookie. Cookies cannot execute programmes or transmit viruses to your computer, but are primarily used to make the website faster and more user-friendly. This website uses the following types of cookies, whose function and legal basis are explained below:

These cookies, especially session cookies, are automatically deleted when you close the browser or log out. They contain a session ID that allows various requests from your browser to be assigned to the shared session, enabling your browser to be recognised when you return to our website.

These cookies are automatically deleted after a specified period, which varies depending on the cookie. You can view the cookies set and the duration at any time in your browser settings and delete the cookies manually.

The technical structure of the website requires us to use certain technologies, particularly cookies. Without these technologies, our website cannot be displayed ( correctly) or the support functions could not be enabled. These are essentially transient cookies that are deleted at the end of your visit to the website, at the latest when you close your browser. One such cookie is the choice of website language. These cookies cannot be deselected if you wish to use our website. The individual cookies can be seen in our Consent Manager.

We only set various cookies with your consent, which you can select via our Cookie Consent Manager when you first visit our website. The functions are activated only if you give your consent and can be used in particular to enable us to analyse and improve visits to our website, to make it easier for you to use different browsers or end devices, to recognise you on subsequent visits or to place advertising (possibly also to tailor advertising to your interests, measure the effectiveness of advertisements or show interest-based advertisements).

We describe the cookies we use and their functions, which you can select and revoke individually via the Consent Manager, both in the Consent Manager itself and additionally in some cases below in this Privacy Policy.

The legal basis for processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in ensuring the user-friendliness of the website and in fulfillin the legal requirements of the GDPR.

In cases where we are legally obliged to obtain consent, this processing is also necessary to fulfil a legal obligation (Art. 7 para. 1 GDPR) to which we are subject (Art. 6 para. 1 sentence 1 lit. c GDPR).

Through our consent manager, we inform you about the use of cookies on our website and enable you to decide wether to accept or reject them. This also enables us to obtain and manage your consent for data processing. Data is processed using cookies for this purpose.

The encrypted key and the cookie status are stored on your end device using a cookie to establish the corresponding cookie status on future page views. This cookie is automatically deleted after 30 days. The cookies are also deleted if you adjust your browser settings accordingly. You can change your selected cookie preferences at any time at the bottom of each subpage under “Cookies preferences”.

You can change the settings you have selected regarding accepted cookies at any time on each subpage at the bottom under “Cookie preferences”.

You have the option to withdraw your consent to the processing of personal data at any time [see XXI. (8) Right of withdrawal below]. To do this, you can change the settings you have selected regarding accepted cookies on each subpage of our website at the bottom under “Cookie preferences” at any time.

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI. (1) Right to object below].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com.

The user can prevent or cancel the installation of a cookie and its storage, and thus his cookie consent, at any time by changing the settings of his browser. However, the functionality of this website is then not guaranteed.

As a developer, you can upload apps you have created to our App Store or update existing apps. You can also write comments and rare apps. An account is required for these actions. Alternatively, you can log in using an existing Github account.

After registering in the App Store, you can write comments and rate apps under your user name. We recommend that you use a pseudonym as your user name instead of your real name.

Other information such as your name and email address is mandatory. This is necessary, for example, in the event that you lose access to your account (e.g. change of name and abandonment of the original email address) and proof must be provided to us that you are the original developer of an uploaded app and are authorised to update or migrate it under a new account.

The legal basis for the processing of the data is, if and insofar as your consent has been obtained, Art. 6 para. 1 lit. a) GDPR.

The legal basis for the processing of the data transmitted to us during registration, before the apps are made available or commented on, is also Article 6(1)(c) and (f) GDPR. We have an interest in contacting you in the event of technical problems with the uploaded apps or their updates as well as illegal content in your comments. We need your email address to contact you if a third party objects to your comment as unlawful. We will then carry out a so-called notice-amend-take-down procedure and give your the opportunity to respond.

The processing of personal data serves the purpose of offering a functional app store with open source apps for the Nextcloud software. For security reasons, we cannot allow the anonymous uploading and distribution of apps.

The data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. If you declare an objection or cancellation: [see below under (5)], your personal data will be deleted within 7 days.

However, this data will not be deleted if we are authorised or obliged to continue storing it on the basis of a legal ground other than your consent (e.g. in connection with the processing of customer enquiries or complaints and in order to be able to prove previous consent).

Once your data has been deleted, your comments and ratings will only be displayed as “Anonymous” and no longer with your user name.

You have the option to revoke your consent to the processing of personal data at any time [see below . (8) Right of revocation].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see below XIX. (1) Right to object].

You can send both the cancellation and the objection, e.g. by email to dpo@nextcloud.com. In such a case, however, the conversation cannot be continued.

For security reasons, we must also remove the apps you have uploaded when deleting your personal data.

From time to time we organise online or offline events for which you can register via our homepage. For this purpose, we collect data necessary for the organisation of the event:

We also ask you to provide additional voluntary information to make it easier for us to organise the event. Your telephone number will only be used to contact you if we have any questions about your registration; it will not be shared with third parties or used it for any other purpose.

We ask about your dietary preferences so that we have enough suitable catering available. The capacity in which you are associated with Nextcloud helps us to assess the composition of the specific audience and plan our event agenda. Both pieces of information are stored separately from your personal data for statistical purposes only.

When organising such events, we also issue calls for speakers in order to give you the opportunity to be selected by us for a presentation at one of our events if you wish. To this end, we ask for information that will enable us to assess whether your presentation is suitable for our event.

The legal basis for the processing of the data is, if and insofar as your consent has been given, Art. 6 para. 1 lit. a) GDPR.

The legal basis for this is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the smooth organisation of the event.

The legal basis for paid and free events is also Art. 6 para. 1 lit. b) GDPR, as participation is also based on a contract.

You have the option to withdraw your consent to the processing of personal data at any time [see XXI.(8) Right of withdrawal below].

You can also object to the processing of your personal data at any time if and insofar as this processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR [see XXI.(1) Right to object below].

You can send both the withdrawal and the objection, e.g. by email to dpo@nextcloud.com. In such a case, however, the conversation cannot be continued.

Our website uses the web analysis service Matomo, which uses the the cookies specified in “Cookies preferences” accessible via the footer of our website. Collection and analysis only occurs if you have authorised this by setting the cookie banner accordingly and thereby declaring your consent. You can revoke this consent at any time by changing the setting of the cookie banner under “Cookies preferences” in the footer of our website.

We store the information collected in this way in the Matomo cloud. We have concluded an order processing agreement for this purpose.

Our website uses Matomo with the “AnonymiseIP” extension. This ensures that IP addresses are processed in abbreviated form, i.e. anonymised, maintaining user anonymity during web analysis. The IP address transmitted by your browser via Matomo is not merged with other data collected by us and is not transmitted to third parties.

The legal basis for the use of Matomo is your consent in accordance with Section 25 (1) TDDDG, Art. 6 (1) (a) GDPR, provided that you have given your consent via our cookie banner. You can revoke your consent at any time. Please make the appropriate settings via our cookie banner. You can access this via the “Cookies preferences” in the footer of our website.

The processing of users’ personal data in anonymised form allows us to analyse their surfing behaviour. By analysing this data, we can compile information about how individual components of our website are used. This helps us to continually improve our website and improve its user-friendliness.

The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is the case after 365 days. Cookies are deleted after a maximum of 30 days.

As a user, you also have full control over the use of Matomo. You can deactivate its use by changing the settings in the cookie banner on this website. You can access this cookie banner via “Cookies preferences” in the footer of our website.

We occasionally embed content on our website, including YouTube videos and Vimeo videos behind a click-through wall. Connections to external services to retrieve this data are only made when such external content is activated; no cookies are stored in the user’s browser. We do not pass on any data to these external services, but they may collect some information when a video is played.

The processing takes place exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG, provided you have given your consent to the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. This happens when you access the videos. Consent can be revoked at any time via the “Cookies preferences” in the footer of our website.

The provider of the video portal YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. Further information on the handling of user data can be found in YouTube’s privacy policy at https://policies.google.com/privacy?hl=de

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to comply with these data protection standards. More information can be found at the following link:

https://www.dataprivacyframework.gov/s/.

The provider is Vimeo Inc. (555 West 18th Street, New York, New York 10011, USA. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. More information on the handling of user data can be found in Vimeo’s privacy policy at https://vimeo.com/privacy.

Please note that this forum is intended for private users and for answering questions in the private user area. Enterprise customers should use our support portal.

Our forum, accessible at help.nextcloud.com, is based on the open source software Discourse. This instance is operated by us. We do not publish, share or otherwise distribute data from this instance. By using the forum, you agree to our General Terms and Conditions. Here you will find the complete terms and conditions for the use of our forums.

Our forum can be read without the need to register. To actively participate in our forum, you must register by providing your email address, a chosen password and a chosen user name. There is no obligation to use your real name; it is possible to use a pseudonym.

(a) User account

Users can activate and deactivate their own accounts on this instance if required. A user account is required to post in the forum, create your own profile and view other users’s profiles.

This requires an email address, which is never displayed publicly.

You choose a unique user name.

You can voluntarily enter your name.

We use the double opt-in procedure for this service, i.e. you will receive an email in which you must confirm that you are the owner of the email address provided by clicking on an activation link.

You will only receive notifications if you have activated the link. You can unsubscribe from the notifications at any time, e.g. by clicking on the link contained in the email or by using the contact details provided. We will store the data you provide, the time of your registration for the service and your IP address until you unsubscribe from the notification service.

If you register a forum account, we store all the information you enter in the forum, i.e. public posts, private messages, etc., to operate the forum until you deactivate your account.

(b) Cookies

No cookies are stored unless an account is created. Upon account creation, a session cookie is created. When logged in, several technical cookies store personal preferences, such as dark mode, text size, the page you are redirected to after logging in, etc. No consent is required for these cookies, as they are essential for the functionalities used by the user.

Nextcloud uses your account data to identify you in the forum and to create personalised pages for you, such as your profile page.

(c) Email address in connection with Nextcloud Forum

Nextcloud uses your email address to:

• Notify you about posts and other activities in the forum (according to your settings)
• Reset your password and ensure the security of your account
• to contact you under special circumstances related to your account, especially when carrying out a notice-and-take-down procedure after we have been notified of allegedly illegal content originating from you
• to inform you about legal requests, such as DMCA requests Digital Millenium Copyright Act) from the USA

(d) User profile – separate setting possible

If you do not set your profile page yourself, your user name will be displayed with your posts.

You can enter additional data for your account on the profile settings page of your account, such as a short biography, your place of residence or your birthday. This information is made available to other registered users of the forum. Your profile will therefore only be displayed to those who are registered users themselves. You do not have to provide this additional information and you can delete it at any time. As long as your account is active, the data will be saved.

The legal basis for data processing is your consent to the creation of your user account and to receiving messages by email in accordance with Art. 6 para. 1 lit a) GDPR.

Another legal basis is the contract concluded with you for the free use of the forum, Art. 6 para. 1 lit b) GDPR with user profile, options for posting etc..

The legal basis for data storage for the double opt-in process is also Art. 6 para. 1 lit f) GDPR.

Insofar as legal obligations exist, e.g. according to the NetzDG or to official orders, Art. 6 para. 1 sentence 1 lit. c GDPR is relevant. The aforementioned data is necessary for us as a host provider under civil law, as this is the only way we can protect ourselves from civil law claims and maintaining business operations would otherwise not be possible.

The personal data you provide will be used to enable you to participate in the forum. An email address and a user name are necessary, as processing is required either to display your contributions or to protect against the rights of third parties.

Your personal data and all your activities such as posts or comments etc. will be labelled with your user name and stored for as long as your user account remains active.

If you deactivate your account, your public statements, especially forum contributions, will remain visible to all readers, but your user profile will no longer be accessible and posts in the forum will be labelled “Anonymous”. All other data will be deleted. If you would like your public posts to be deleted as well, please contact the person responsible using the contact details provided above.

Please note that the https://support.nextcloud.com/ portal is only available to our Enterprise customers. Access requires an existing contractual relationship with us. If you do not have an existing subscription, you will not be able to use this portal.

This website is hosted by an external service provider (hoster). The personal data collected for our support portal is stored on the hoster’s servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated to fulfil our support obligations under our contracts.

The hoster is used to fulfill the contract with our existing customers (Art. 6 para. 1 lit. b GDPR) and to ensure the secure, fast and efficient provision of our support portal by a professional provider (Art. 6 para. 1 lit. f GDPR).

We have concluded a data processing agreement (DPA) with the aforementioned hoster. This contract mandated by data protection law, ensures that the host processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

We provide our support services with the help of a support portal. Upon signing the contract, you must register your company in the portal.

The contracted company must designate at least one contact person. Their contact details (name and email address) will be stored in the support portal. The company can add or remove contact persons at any time. It is also possible to enter a neutral email such as “nextcloud-support@companyname.com”.

The contact persons will receive security notices and other messages to fulfil the support obligations within the scope of the contractual relationship. The contact persons can request support services (ticket system).

Support is one of the main services included in the subscription contract and data is processed accordingly to fulfil the contract. The problem described in the respective ticket is stored with reference to the company concerned and its contact person. This ensures that the information can be consulted when adressing the problem and in the event of follow-up problems.

The personal data processed as part of the support measures to fulfil the contract will be deleted as soon as they are no longer required to achieve the purpose for which it was collected. This may occur when the contract is terminated, unless we are obliged to continue storing the data based another legal ground, e.g. statutory retention periods under the German Fiscal Code (AO) and German Commercial Code (HGB).

As a company, you can change your contact persons at any time after logging in.

You can also contact us, e.g. by email to dpo@nextcloud.com, if you are not (or no longer) available as a contact person. However, since you were appointed by your company, we request that you seek clarification within the company.

If you do contact us, please understand that we will need to confirm with the company how to proceed, especially if you are the only contact person.

In the Jobs section, we publish our vacancies and ask you to send your applications by email. In your own interest, we recommend sending encrypted applications by email.

When you apply for a position advertised by us, only our HR department and the relevant department will have access to your data. If you submit an unsolicited application, your details will be made available to all those specialist areas/departments with vacancies matching your applicant profile. Your data will only be shared with third parties if we are legally required to do so in individual cases. If we use processors, we ensure they are contractually obliged to protect your personal data in the same way.

If you are employed by us, the data transmitted will be stored in your personnel file in compliance with the statutory provisions.

To read the RSS feed, you need a so-called RSS reader. The RSS reader reads the feeds you have subscribed to and automatically notifies you of new entries. This allows you to keep an eye on new entries in the areas you have selected at all times. If you are interested in a new document, simply click on it and it will open in the browser. There are various technical options for obtaining RSS feeds, e.g. integration into an email client with corresponding functionality. The email client retrieves the latest news at predefined intervals and makes them available to you in a folder similar to new emails.

You can find instructions for integration on the providers’ support pages (enter the name of the email client and the keyword “RSS feed” in a search engine). Alternatively, RSS feeds can also be displayed using special programs (feed readers), which can be more convenient.

Our security scanner works exclusively on the basis of publicly available information. This includes the list of known vulnerabilities, relevant to ownCloud and Nextcloud releases, as well as all existing hardenings and settings that can be checked without access to your server. Our scanner only checks if necessary and saves the results (server URL and the version of the last scan), but does not update them automatically. Under no circumstances is personal data collected or processed. If you make changes, this will not be taken into account and you will have to perform the query again.

(b) Through this link, your data will not be transmitted to the operators of the respective social media platform. If you click on one of these links, you will be redirected to the respective website of the social network and forwarded. Depending on your browser settings, this will happen by opening a new tab or a pop-up. Your data is only collected and processed by the operator of the respective social network when you change the URL.

(a) As the operator of a Facebook fan page, we can only view the information stored in your public Facebook profile, provided you have such a profile and are logged into it when you visit our fan page. We are also the administrator of a Facebook group and can access the information posted there.

In addition, Facebook provides us with anonymous usage statistics that we use to improve the user experience when visiting our fan page. We do not have access to the usage data that Facebook collects to compile these statistics. Facebook has undertaken to us to assume primary responsibility under the GDPR for the processing of this data, to fulfil all obligations under the GDPR with regard to this data and to make the essentials of this obligation available to those affected. This data processing serves our (and your) legitimate interest in improving the user experience when visiting our fan page in line with the target group. The legal basis for the data processing is therefore Art. 6 para. 1 lit. f) GDPR.

(b) Facebook also uses so-called cookies, which are stored on your device when you visit our fan page, even if you do not have your own Facebook profile or are not logged into it during your visit to our fan page. These cookies allow Facebook to create user profiles based on your preferences and interests and to show you customised advertising (inside and outside Facebook). Cookies remain on your end device until you delete them. You can find details on this in Facebook’s privacy policy.

We have no influence on the data processing carried out by Facebook Ireland in connection with cookies. For options to protect your data, please refer to the information above in section (2)(c).

(a) Instagram is also offered by Facebook Ireland [see (3)(b) above]. In addition to the content you submit, depending on your privacy settings, information about your profile, your likes and your posts may be visible to us.

(b) Facebook Ireland also uses so-called cookies on instagram, which are stored on your end device when you visit our instagram site even if you are not registered or are not logged into your account during your visit. These cookies allow Facebook to create user profiles based on your preferences and interests and to show you customised advertising (inside and outside Facebook). Cookies remain on your device until you delete them. Details on this can be found in Instagram’s privacy policy above in section [see (3)].

We have no influence on the data processing carried out by Facebook Ireland in connection with cookies. We refer you to the options for protection mentioned above in section (2)(c).

The processing of personal data can be found in the respective privacy policy on these pages. Any data collected there is not processed by us.

(1) Right of objection

(a) You have the right to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR for direct marketing purposes without providing reasons. We will then no longer process your personal data for these purposes. This also applies in principle to profiling insofar as it is associated with such direct advertising. However, we do not currently engage in profiling.

(b) You may also object to other processing that we derive from a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f) GDPR by stating reasons related to your particular situation. This also applies in principle to profiling based on this provision However, we do not currently engage in such profiling. We will stop processing your personal data unless we can demonstrate compelling reasons for the processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

(c) Any objection can be made informally. For example, sending an email to dpo@nextcloud.com is sufficient.

You have the right to rectification and/or completion vis-à-vis us as the controller or Google, for example, if the personal data processed by us concerning you is incorrect or incomplete. We must make the correction without delay.

Under the following conditions, you may request the restriction of the processing of your personal data:

(a) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

(c) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or

(d) you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet determined whether our legitimate reasons override your reasons. If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been applied in accordance with the above conditions, we will inform you before the restriction is lifted.

You can request that we delete your personal data immediately, and we are obliged to delete this data immediately if one of the following reasons applies:

1. The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
2. You withdraw your consent on which the processing was based according to Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR, and where there is no other legal ground for the processing.
3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. The personal data concerning you have been unlawfully processed.
5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.
6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to a controller other than the controller to whom the personal data was provided without hindrance from us, provided that

1. the processing is based on consent pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 lit. b) GDPR and
2. the processing is carried out by automated means.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly by us as a controller to another controller, where technically feasible. This transfer should not affect the freedoms and rights of other persons. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as the controller.

This website uses SSL encryption for security reasons and to protect the transmission of confidential content that you send to us. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser bar. Activating SSL encryption protects the data you transmit to us from being read by third parties.

We reserve the right to amend this data protection declaration in order to continually adapt it to the applicable provisions, as well as our offerings on our website.