Privacy Policy

This policy governs all of our personal data subjects, based on the EU-GDPR (gdpr-info.eu) regulations.

1. Definitions

1.1 Provider (also we, us and our)
Mononox.com is operated by Mr. Sven Tolle, Bahnhofsplatz 42 (6th Floor), 28195 Bremen, Germany.

1.2 Users (also you, your and yours)
All people visiting, requesting quotes, contacting us, accepting offers, placing orders and managing services.

Respectively:

  • Visitors: Just browsing, no interaction
  • Contacts: Submitted form data
  • Clients: Submitted form data, Order data, User account info

1.3 Personal Data
Any data that can be used to personally identify a person, such as:

  • First and Last name
  • Email address (Business email at company)
  • Billing address (Company billing address)
  • Payment data (Company bank account, IBAN/BIC)
  • IP address (Full IPs are processed by our firewall and during online purchases only, otherwise they’re anonymised)

2. Collected Data

  • This website can be visited completely anonymously.
  • No third-party or other user-level analytics are used on our website; all we use is a general statistic.
  • All server and error log files are anonymised.

Web browsing data: IP (anonymised unless a security rule is broken, see more in section 2.6, which also applies to this website), Device type, Operating system, Browser, Referrer, Access time and target location on our website.

2.1 Cookies

Our website uses cookies. Cookies are small text files, saved by our web server to your web browser’s storage. They can contain text or numbers, such as session identifiers or site settings you may have applied. We use them to make your browsing experience more secure and stable and to allow our Contacts and Clients to log into their accounts. None of these cookies are used to track users and they are only valid for one session. You can disable cookies for this site through your browser’s options. Please note that you may not be able to log in or submit forms without cookies.

2.2 Forms

We treat all Visitor, Contact and Client data as strictly confidential. Information submitted to us by any means will not be shared with any outside party without your explicit consent. Our system stores this data only as long as it takes to submit the message and automatically purges it from the server after that. From there, your information enters our encrypted email archive, where it’s stored for as long as the law requires us to, and it will be automatically deleted after that.

Visitors: No data
Contacts: All submitted form data
Clients: All submitted form data, account information

2.3 Accounts

We don’t allow public registration. Contacts looking to become Clients can request an account by using the contact or quote request form. We may reject or create new accounts at our own discretion. If an account is denied, all of the data you’ve submitted will be deleted right away. Otherwise the account will be available for the client until our services cease or the client wishes to delete the account. Request account deletion through our contact form or by emailing info@mononox.com.

2.4 Purchases

If we accept business Clients to purchase our services, we require the following information to process the payment.

  • Company name
  • Email address (Business email at company)
  • Billing address (Company billing address)
  • Payment data (Company bank account, IBAN/BIC)

2.5 Client Services

While conducting administrative Services on our clients’ websites we don’t collect any visitor data. If we’re asked to fix something and we happen to see any personal data stored on that site, we’re instructed and have personally signed an agreement not to copy, store or share this information in any way other than absolutely required to carry out the work we were hired to do and to delete it right after we’re finished.

When we take website backups, we make sure they’re encrypted first so even if our file storage was compromised, it wouldn’t give an attacker anything of value. There is no privacy implication regarding our backup storage.

2.6 Web Application Firewall

We deploy a web application firewall on all websites we manage. It sits locally on the client’s server and scans all traffic against a defined set of security rules. Only when a request breaks one of these rules, which wouldn’t happen to regular visitors, do we share this IP address and other (non-personal) data with our firewall vendor (see: Third-Party Processors) so they may protect other people from known malicious IP addresses. In general, all data sent to this vendor will be deleted by them (and us) after 90 days. However, since IP addresses don’t stop being malicious on a schedule, this period may be extended in some cases. We firmly believe this is in every way to be considered legitimate interest for us, our clients and all of their websites’ visitors, as security is simply not optional. We understand the impact of this and we’re doing everything we can to minimise the effect on regular users; it should be next to none. Should anyone come into contact with our firewall for no apparent reason, we will gladly file a request to remove their IP address from the blocking lists.

Here’s our Legitimate Interest Assessment for this purpose: Download PDF

3. Purpose and Deletion

  • We collect only the minimum required data to conduct our services; it’s never shared without your consent.
  • We collect web browsing data only to maintain the security of our website. It will be deleted after 30 days.
  • Applicable law requires us to maintain a record (6-10 years) of all mission-critical communications, including emails and any tax-related data (such as invoices, quotes and order histories).

3.1 Legal Basis

We only collect and process data that’s absolutely required to provide our services and to manage your enquiries to us. The legal basis for any such processing is legitimate interest, according to Art. 6(1)(f) of the GDPR, or explicit (revocable) user consent.

3.2 Deletion

All deletion schedules occur automatically and without notice.

4. Your Rights

You may at any time…

  • Enquire about the personal data we have stored about you.
  • Have your personal information deleted or anonymised.
  • Request a copy of your data.
  • Revoke your consent to process your personal data.

All Privacy enquiries will be completed within 30 days. We will ask users to verify their identity before sending out any private data.

Send any Privacy-related enquiry through our contact form, email privacy@mononox.com, call us or send us a letter.

Mononox does not use any automated decision making processes, tools or services.

Should you be unable to resolve your privacy related issue with us directly, you may file a complaint at the respective local authority:

Die Landesbeauftragte für Datenschutz und Informationsfreiheit
Arndtstraße 1
27570 Bremerhaven

T: 0421 3612010
E: office@datenschutz.bremen.de (PGP Key)
W: www.datenschutz.bremen.de

5. Data Protection

The key component in dealing with sensitive data is encryption. We use TLS encryption exclusively on the website. Form submissions are sent to us using secure connections and our data storage is also encrypted. We use Two-Factor Authentication wherever possible. Our systems are checked for malware several times a day and our backups are also securely encrypted. We’re committed to continuing our efforts to protect user and usage data in order to comply with legal requirements (GDPR) and industry standards at all times. However, we’re unable to guarantee 100% security (as that simply doesn’t exist). We advise users to evaluate their risks and proceed at their own discretion.

5.1 Emergency Measures

Should all preventative measures fail and a data breach occur, we will take the following actions.

  • Temporary deactivation of infected or breached systems for forensic analysis.
  • In-depth security assessment and documentation, finding and fixing the security hole.
  • Detailed notification (within 72 hours) of the authorities, insurance companies and all users affected.
  • Distributing new encryption keys and passwords as well as new TLS certificates for the website(s).

6. Third-Party Processors

We keep our third-party dependencies to a minimum. All of the companies listed below declare full compliance with the EU-GDPR guidelines and we have agreements with them to form a legal basis for collecting and processing such data.

Web hoster: All-Inkl.com Neue Medien Münnich, DE – Privacy policy
Firewall vendor: WordFence (Defiant Inc.), USA – Privacy policy
Accounting software: Haufe-Lexware GmbH & Co. KG, DE – Privacy policy

7. Policy Updates

We reserve the right to change this policy at any time and without prior notice. Our clients are asked to review this document frequently to make sure it meets their regulations. Continued use implies full consent with these terms.

Latest update: January 18 2020