PRIVACY POLICY TRUST&TRACE

This is an unofficial English translation of the TRUST&TRACE Privacy Policy. It is not
a legal translation of the Policy governing the data protection of TRUST&TRACE.
The Privacy Policy is exclusively determined by the original German text. However,
we hope that this translation will help non-German speaking Users to better
understand our Privacy Policy.

The following provisions inform you about the type, scope, duration and purpose
of the processing of personal data by the responsible provider of this website as
well as data protection-relevant third-party components that we use to increase
the usability of our website.

Data is personal when it can be clearly assigned to a specific individual person.
Pursuant to Article 4 Para. 1 of Regulation (EU) 2016/679 (General Data Protection
Regulation – GDPR), “processing” refers to any operation or set of operations such
as collection, recording, organization, structuring, storage, adaptation, alteration,
retrieval, consultation, use, disclosure by transmission, dissemination, or
otherwise making available, alignment, or combination, restriction, erasure, or
destruction performed on personal data, whether by automated means or not.

We take the protection of your data very seriously and treat your personal data
confidentially and in accordance with the legal data protection regulations and this
data privacy policy.

Please note that data transmission via the internet (for example, when
communicating via e-mail) may have security vulnerabilities. A comprehensive
protection of the data from access by third parties is not possible.

I. Responsible Provider of the Website and the Webservice

1. Responsible Provider

Responsible provider of this website in terms of data protection law is:

evan GmbH
Antonstrasse 3a – 01097 Dresden – GERMANY

Phone: + 49 800 9200 397
E-mail: data.privacy@evan.team

2. Updates

Please inform yourself regularly about the contents of our data protection
declaration. We will update the data protection declaration as soon as changes in
the data processing are carried out by us or a change in the legal situation makes
this necessary. We will inform you as soon as the changes make it necessary for
you to cooperate (e.g. consent) or to receive other individual notification.

3. General terms

In accordance with Art. 17 and 18 GDPR, the data processed by us will be deleted
or limited in their processing. Unless otherwise specified, the data stored by us
will be deleted as soon as they are no longer required for their intended purpose
and the deletion does not conflict with any legal storage obligations. The
processing of the data is restricted if the data is not deleted because it is required
for other and legally permissible purposes. For this purpose, the data is blocked
and not processed for other purposes. This applies, for example, to commercial
or tax law data in accordance with §257 para. 1 HGB (German Commercial Code)
and §147 para. 1 AO (German Fiscal Code).

II. Information on the Processing of Personal Data

1. Processing of Personal Data by the Responsible Provider

1.1. Server data

For technical reasons, the following data sent by your internet browser to us or to
our server provider will be collected, especially to ensure a secure and stable
website:

Server log files record the type and version of your browser, operating system, the
website from which you came (referrer URL), the webpages on our site visited, the
date and time of your visit, as well as the IP address from which you visited our
site. These data will be temporarily stored, but not in association with any other
of your data.

The basis for this storage is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in
the improvement, stability, functionality, and security of our website.
The data will be deleted within no more than seven days, unless continued storage
is required for evidentiary purposes, in which case, all or part of the data will be
excluded from deletion until the investigation of the relevant incident is finally
resolved.

1.2. Processing operations of the Provider and associated modules

a) Registration process in the Web-App

During the registration process for TRUST&TRACE the user logs in with a valid e-mail
address and a password of his own choice.

The e-mail address is collected by evan GmbH for the following purposes:
Identification of the user, sending of the access link, as well as the possibility to
reset the password.

The legal basis for the processing is, according to Art. 6 para. 1 lit. a) GDPR, your
consent, and according to Art. 6 para. 1 lit. b) for the realization of the Terms of
use for the TRUST&TRACE service. Your e-mail address will only be processed as
long as an existing user account exists, and the e-mail address is no longer
required to perform post-contractual obligations or for other legal reasons. In this
case the processing is legitimate according to Art. 6 para. 1 lit. b), c) GDPR. During
the registration process, your clear name and position in the company can also be
recorded. This collected information is used to identify you in the company and to
provide you with a customized dashboard according to your field of activity.
The legal basis for this processing is your consent in accordance with Art. 6 para.
1 lit. b) GDPR. This data will be processed by evan GmbH during the term of your
user contract. You can revoke your consent according to Art. 7 para. 3 p. 1 GDPR
at any time.

b) Invitation via e-mail

Existing customers of the service can invite their business partners to participate
in the offered service by entering a valid e-mail address. The purpose of this data
processing is to provide an individualized invitation link to the offered services as
well as to connect with the business partner. Should you receive such an invitation
e-mail, there are several possibilities.

If you wish to accept this invitation, please note the information under “1.2. a)
Registration process”, as you are now in the normal registration process.
If you have received the e-mail by mistake or wish not to accept the invitation, your
saved e-mail address will be processed as follows: When the link expires (48h) the
e-mail address will be deleted from our systems.

You can also prevent the reception of future e-mails by sending a postal
notification or an e-mail to “data.privacy@evan.team”.

Please note that we will then have to store your e-mail address on the basis of
your consent in accordance with Art. 6 para. 1 lit. b) GDPR, so that we can exclude
you from automated e-mails.

1.3. Newsletter

If you register for our free newsletter, the data requested from you for this
purpose, i.e. your e-mail address and, optionally, your name and address, will be
sent to us. We also store the IP address of your computer and the date and time
of your registration. During the registration process, we will obtain your consent
to receive this newsletter and the type of content it will offer, with reference made
to this privacy policy. The data collected will be used exclusively to send the
newsletter and will not be passed on to third parties.

The legal basis for this is Art. 6 Para. 1 lit. a) GDPR.

You may revoke your prior consent to receive this newsletter under Art. 7 Para. 3
GDPR with future effect. All you have to do is inform us that you are revoking your
consent or click on the unsubscribe link contained in each newsletter.
We use “MailChimp” for our newsletter, see section “II. 2.10 Use of MailChimp” for
further information.

1.4. Contact

If you contact us via e-mail or the contact form, the data you provide will be used
for the purpose of processing your request. We must have this data in order to
process and answer your inquiry; otherwise we will not be able to answer it in full
or at all.

The legal basis for this data processing is Art. 6 Para. 1 lit. b) GDPR.
Your data will be deleted once we have fully answered your inquiry and there is
no further legal obligation to store your data, such as if an order or contract
resulted therefrom.

1.5. Cookies

a) Session cookies

On our website we use so-called cookies to recognize multiple uses of our offer by
the same user or internet access owner. This recognition is based on the IP
address stored in the cookies. Cookies are small text files that are stored on your
computer by your browser. Cookies do not damage your computer and contain
no viruses. Cookies serve to make our offer more user-friendly, effective and
secure.

The legal basis for such processing is Art. 6 Para. 1 lit. b) GDPR, insofar as these
cookies are used to collect data to initiate or process contractual relationships.
If the processing does not serve to initiate or process a contract, our legitimate
interest lies in improving the functionality of our website. The legal basis is then
Art. 6 Para. 1 lit. f) GDPR.

When you close your browser, these session cookies are deleted.

b) Third-party cookies

If necessary, our website may also use cookies from companies with whom we
cooperate for the purpose of advertising, analyzing, or improving the features of
our website. Please refer to the following information under 2. for details, in
particular for the legal basis and purpose of such third-party collection and
processing of data collected through cookies.

c) Disabling cookies

You can refuse or define the use of cookies by changing the settings on your
browser or by clicking “Reject” or “Cookie Settings” on the Cookie banner at the
bottom of the website upon first visit of it. Likewise, you can use the browser to
delete cookies that have already been stored. However, the steps and measures
required vary, depending on the browser you use. If you have any questions,
please use the help function or consult the documentation for your browser or
contact its maker for support. Browser settings cannot prevent so-called flash
cookies from being set. Instead, you will need to change the setting of your Flash
player. The steps and measures required for this also depend on the Flash player
you are using. If you have any questions, please use the help function or consult
the documentation for your Flash player or contact its maker for support.
Please note that if you deactivate or restrict the use of cookies you will not be able
to use all of the services we offer.

2. Processing by third parties and processors

2.1. General

Insofar as evan GmbH discloses data to other persons and companies
(processors or third parties), transfers data to them or otherwise grants them
access to the data, this is done exclusively on the basis of a legal permission (e.g.
if a transfer of the data to third parties, such as server providers, is necessary
for the fulfillment of the contract according to Art. 6 para. 1 lit. b GDPR), if you
have consented, if a legal obligation provides for this, or on the basis of our
legitimate interests (e.g. when using agents, webhosters, etc.).

If we commission third parties to process data on the basis of a so-called “data
processing contract”, this is done on the basis of Art. 28 GDPR.

2.2. MS Azure

Microsoft Azure is a cloud service of Microsoft Corporation, One Microsoft Way,
Redmond, WA 98052-6399 USA, which provides tools, servers and frameworks for
the business organization of companies and online services. MS Azure is the
infrastructure provider for the offered services. Azure processes the access data
of the users, manages the web space and services the hosting of the servers.
The purpose of processing by this third party provider is the strategic availability
for the services offered by evan GmbH within the framework of TRUST&TRACE.
This means that all personal data in connection with the use of our services are
sent to Azure data centers in Europe (with locations in Amsterdam and Frankfurt).
It cannot be ruled out that personal data may be transferred, at least partially, to
the USA.

As the USA have no separate data protection agreement with the European Union,
the country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable.

It may also mean that third parties such as public authorities could access your
data in accordance with the regulations applicable there.

You may revoke your consent at any time (Art. 7 para. 3 GDPR).

The legal basis for the use of the services described above is Art. 6 para. 1 lit. a)
GDPR, for the possible transfer of user-related data in the USA it is Art. 49 para. 1
subpara. 1 lit. a) GDPR. The purpose of the data processing is to provide our
services.

2.3. Sendgrid

Sendgrid is the e-mail service integrated in MS Azure from Twilio Inc., 375 Beale
Street, Suite 300, San Francisco, CA, 94105 USA.

We use this service to send standardized e-mail invitations using templates and a
corresponding access link in the e-mail notification.

For this purpose, data, in particular the e-mail address, the IP address and the
device name, are transmitted to Sendgrid on our behalf. The related servers are
located, at least partially, in the USA.

As the USA have no separate data protection agreement with the European Union,
the country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable. It may also mean that third parties such as public
authorities could access your data in accordance with the regulations applicable
there. You may revoke your consent at any time (Art. 7 para. 3 GDPR).
An e-mail sent with Sendgrid also contains a tracking pixel, a so-called web beacon.
This pixel helps us to evaluate whether and when you read our message and
whether you clicked on links contained therein. In addition to other technical data,
such as data about your computer hardware and your IP address, the processed
data is stored so that we can optimize our invitations and respond to the wishes
of our users. The data will thus increase the quality and attractiveness of our
service.

The legal basis for the use of the services described above is Art. 6 para. 1 lit. a)
GDPR, for the possible transfer of user-related data in the USA it is Art. 49 para. 1
subpara. 1 lit. a) GDPR. The purpose of the data processing is to improve our
invitation function as well as its execution.

2.4. evan.network

The evan.network is a blockchain network operated by evan GmbH. It is used
to process and store Verifiable Credentials, which can contain certificates or other
information. These are hashed and stored in an unalterable, secure and encrypted
form. This hash value is finally stored in the blockchain and can clearly reference
the corresponding file.

The information you enter is recorded and processed in encrypted form.
For more information on how the data is processed in the blockchain, please visit
https://evan.network/terms/

The nodes (servers in the evan.network) are operated exclusively in Europe by
providers with appropriate data processing agreements with evan GmbH.
The purpose of the data processing is to secure the information and the
traceability of the offered services. The legal basis for the use of the services
described above is Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any
time in accordance with Art. 7 para. 3 GDPR.

2.5. Google reCAPTCHA

We use Google reCAPTCHA to prevent bot requests and automated unauthorized
access to the website and web service. This is done using a risk analysis engine to
prevent malicious software from performing abusive activities on the site and web
service.

This function is mainly used to distinguish whether an input is made by a natural
person or abusively through automatic and automated processing. The service
includes the sending of the IP address and possibly other data required by Google
for the service reCAPTCHA to Google and is based on our legitimate interest in
determining individual responsibility on the Internet and avoiding abuse and
spam. The servers used by Google LLC are located, at least partially, in the USA.
As the USA have no separate data protection agreement with the European Union,
the country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable.

It may also mean that third parties such as public authorities could access your
data in accordance with the regulations applicable there. You may revoke your
consent at any time (Art. 7 para. 3 GDPR).

Further information about Google reCAPTCHA as well as Google’s privacy policy
can be found at: https://www.google.com/intl/de/policies/privacy/
The legal basis for the use of the services described above is Art. 6 para. 1 lit. a)
GDPR, for the possible transfer of user-related data in the USA it is Art. 49 para. 1
subpara. 1 lit. a) GDPR. The purpose of data processing is to improve the
functionality, security and accessibility of our website.

2.6. Cloudflare

We use Cloudflare, based in San Francisco, CA, USA, as our DNS and SSL/TLS
provider. This means that all data related to access to this website may be routed
through servers operated or monitored by Cloudflare. This is done, first, to
secure the connection between a user’s computer and our servers and, second, to
prevent DDoS attacks on our website(s). It is also possible that personal data of
users may be temporarily stored on Cloudflare servers. Cloudflare ensures that all
data stored on their servers or on servers under their supervision, regardless of
the duration of data storage, are processed in accordance with the regulations
defined by the GDPR.

The servers used by Cloudflare are located, at least partially, in the USA.
As the USA have no separate data protection agreement with the European Union,
the country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable.

It may also mean that third parties such as public authorities could access your
data in accordance with the regulations applicable there. You may revoke your
consent at any time (Art. 7 para. 3 GDPR).

The legal basis for the use of the Cloudflare services described above is Art. 6 para.
1 lit. a) GDPR, for the possible transfer of user-related data in the USA it is Art. 49
para. 1 subpara. 1 lit. a) GDPR. The purpose of data processing is to improve the
functionality, security and accessibility of our website.

2.7. Webhosting-Provider

We use Network Invest, owned by Mr. Markus Braune, located at Dresden,
Germany, as our webhosting provider. That means all data connected to this
website are stored on servers operated or supervised by the webhosting-provider.
It might be possible that personal data collected through our website are also
stored temporarily on those servers. Network Invest ensures that all data stored
on their servers or the servers supervised by them, irrespective of the duration of
the data storage, are processed in the European Union and according to the
regulations defined through the GDPR.

The legal basis for using the webhosting services described above is Art. 6 Para. 1
lit. a) GDPR. The purpose of the data processing lies in improving the functionality
of our website.

2.8. Google Analytics

With your consent, Google Analytics, a web analysis service of Google, is used on
this website. Google Analytics belongs to Google LLC, located in Mountain View,
California, USA. The use includes the “Universal Analytics” operating mode, which
makes it possible to assign data, sessions and interactions across multiple devices
to a pseudonymous user ID and thus analyze a user’s activities across devices.
Google Analytics uses cookies. The information generated by the cookie about
your use of this website is usually transferred to a Google server in the USA and
stored there. IP anonymization is activated on this website, so Google will reduce
your IP address within Member States of the European Union or in other states
party to the Agreement on the European Economic Area beforehand. On this
website Google Analytics has been extended to include IP anonymization in order
to ensure anonymous collection of IP addresses (IP masking). The IP address
transmitted by your browser in the context of Google Analytics is not merged with
other Google data. For more information on terms of use and data protection,
please visit https://policies.google.com/?hl=en.

a) Purposes of the Processing

On behalf of the operator of this website, Google will use this information to
evaluate your use of the website, to compile reports on website activity and to
provide the website operator with other services related to website and Internet
use.

b) Legal Basis

The legal basis for the use of Google Analytics is your consent in accordance
with Art. 6 para. 1 lit. a GDPR.

c) Recipients or Categories of Recipients

The recipient of the collected data is Google.

d) Transfer to Third Countries

Personal data will be transferred to the USA.
As the USA have no separate data protection agreement with the European Union,
the country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable.

It may also mean that third parties such as public authorities could access your
data in accordance with the regulations applicable there.
You may revoke your consent at any time (Art. 7 para. 3 GDPR).

e) Duration of Data Storage

The data sent by us and linked to cookies, user-identifiers (e.g. User-IDs) or
advertising-identifiers are automatically deleted after 14 months. Data whose
retention period has been reached is automatically deleted once a month.

f) Rights of the Persons affected

You can revoke your consent at any time with effect for the future by blocking
the storage of cookies by setting your browser software accordingly; however,
we would like to point out that in this case you may not be able to use all
functionalities of this website to their full extent.

You can also prevent Google from collecting the data generated by the cookie and
relating to your use of the website (including your IP address) and from processing
this data by Google by downloading and installing the Browser Add-on. Opt-out
cookies will prevent future collection of your data when you visit this website.
To prevent Universal Analytics from collecting data across different devices, you
must opt-out on all systems used.

2.9. Use of MailChimp – Newsletter

We offer you the opportunity to register for our free newsletter via our website.
We use MailChimp, a service of The Rocket Science Group, LLC, 512 Means Street,
Suite 404, Atlanta, GA 30318, USA, hereinafter referred to as “The Rocket Science
Group”.

The servers used by MailChimp are, at least partially, located in the USA. As the
USA have no separate data protection agreement with the European Union, the
country is considered an insecure third country. You expressly consent to the
transfer of your data to the USA as an unsafe third country for the stated purpose
in accordance with Art. 49 para. 1 subpara. 1 lit. a GDPR.

There are risks with regard to the protection of your personal data in such a
transfer, as there may be no adequate level of data protection and data subject
rights may not be enforceable. It may also mean that third parties such as public
authorities could access your data in accordance with the regulations applicable
there.

You may revoke your consent at any time (Art. 7 para. 3 GDPR).
If you register for our free newsletter, the data requested from you for this
purpose, i.e. your e-mail address and, optionally, your name and address, will be
processed by The Rocket Science Group. In addition, your IP address and the date
and time of your registration will be saved. During the registration process, your
consent to receive this newsletter will be obtained together with a concrete
description of the type of content it will offer, and reference made to this privacy
policy.

The newsletter then sent out by The Rocket Science Group will also contain a
tracking pixel called a web beacon. This pixel helps us evaluate whether and when
you have read our newsletter and whether you have clicked any links contained
therein. In addition to further technical data, such as data about your computer
hardware and your IP address, the data processed will be stored so that we can
optimize our newsletter and respond to the wishes of our readers. The data will
therefore increase the quality and attractiveness of our newsletter.

The legal basis for sending the newsletter and the analysis is Art. 6 Para. 1 lit. a)
GDPR, for the potential transfer of user related data in the USA it is Art. 49 para. 1
subpara. 1 lit. a GDPR.

You may revoke your prior consent to receive this newsletter under Art. 7 Para. 3
GDPR with future effect. All you have to do is inform us that you are revoking your
consent or click on the unsubscribe link contained in each newsletter.

3. Processing of special categories of data (Art. 9 para. 1 GDPR)

In general, no data from the listed special categories will be processed, except if
they are supplied for processing by the users, e.g. in data entered in online forms.

4. Categories of persons concerned by the processing

  • Employees of Customers (companies, legal entities or comparable,
    commercially active, associations, and natural persons)
  • Interested parties, applicants and visitors of the service offer
  • Cooperation partners

5. Processors and third parties

5.1. If, in the course of processing, we disclose data to others (third parties or
processors), transfer it to them or grant them other access to the data, this is done
on the basis of a legal permission (e.g. if a transfer of the data to third parties, such
as to payment service providers, is necessary for the performance of the contract
in accordance with Art. 6 para. 1 lit. b GDPR), if you have consented to this, if a
legal obligation provides for it or on the basis of our legitimate interests (e.g. when
using agents, web hosts, etc.).

5.2. Third parties are commissioned to process data on the basis of a “data processing
agreement” in accordance with Art. 28 GDPR.

III. Rights of Users and Data Subjects

With regard to the data processing described above, users and data subjects have
the following rights:

1. Right of withdrawal

In accordance with Art. 7 para. 3 GDPR, you are entitled to revoke consents already
granted.

2. Rights of data subjects

You have the following rights:

2.1 Right to confirmation of whether data concerning you is being processed,
information about the data being processed, further information about the nature
of the data processing, and copies of the data (cf. also Art. 15 GDPR);

2.2 Right to correct or complete incorrect or incomplete data (cf. also Art. 16 GDPR);

2.3 Right to the immediate deletion of data concerning you (cf. also Art. 17 GDPR),
or, alternatively, if further processing is necessary as stipulated in Art. 17 Para. 3
GDPR, to restrict said processing per Art. 18 GDPR;

2.4 Right to receive copies of the data concerning you and/or provided by you and to
have the same transmitted to other providers (cf. also Art. 20 GDPR);

2.5 Right to file complaints with the supervisory authority if you believe that data
concerning you is being processed by the controller in breach of data protection
provisions (see also Art. 77 GDPR).

In addition, the provider is obliged to inform all recipients to whom it discloses
data of any such corrections, deletions, or restrictions placed on processing the
same per Art. 16, 17 Para. 1, 18 GDPR. However, this obligation does not apply if
such notification is impossible or involves a disproportionate effort. Nevertheless,
users will be informed about these recipients.

Likewise, under Art. 21 GDPR, users and data subjects have the right to object to
the provider’s future processing of their data pursuant to Art. 6 Para. 1 lit. f) GDPR.
In particular, an objection to data processing for the purpose of direct advertising
is permissible.

3. Right to object

According to Art. 21 GDPR you have the right to object to the future processing of
your data by the provider according to Art. 6 para. 1 lit f) GDPR. In particular, an
objection to data processing for the purpose of direct advertising is permissible.

• TRUST&TRACE (Webapp)
trust-trace.com

Cookie declaration:

Cookie Description

We distinguish between the following categories of cookies: