This page provides information on data privacy and GDPR related to the integration of excentos Product Guides into websites of a customer of excentos.

Background on legal situation

As a customer of excentos, you can integrate the excentos Product Guides into your websites, applications or further services. This documentation intends to inform you on the legal basis; however it is general information only and no legally binding regulation since you as the provider of your website that integrates excentos Product Guides are responsible to comply with GDPR.

Which data does excentos collect?

In general, the excentos Product Guides do not collect personal data.

However, there are three exceptions:

  • excentos (respectively the network provider) needs to temporarily store the user's IP address in order to defend against cyber-attacks.
    • according to our network provider, the time frame is a maximum of 4 hours and IP addresses are then permanently deleted
    • according to European Court of Justice, also dynamic IP addresses are interpreted as personal data. This question was previously discussed controversely but then finally decided by the European Court.
    • according to our legal advice and interpretation, the temporary storage of IP addresses is acceptable since it complies with a reasoned balance of interests (goal: detect cyber-attacks such as denial-of-service (DOS) attacks which cannot be done without temporarily storing the IP address; the IP addresses are then permanently deleted).
  • if you are using the optional excentos Lead Generator functionality, the Lead Generator component will (depending on your configuration) ask for personal information such as first name, last name, email address, phone number etc
    • in case you are using the Lead Generator, excentos also informs you that you would have to implement the DOI (Double Opt In) process. Reason is that sending product information to your website visitors can be interpreted as sending out marketing material which requires the explicit confirmation of your website visitor to be owner of the email address before receiving the marketing material. You as a website operator are responsible to check, also in accordance with existing CRM systems and existing DOI information, how to implement that process
  • if you implement questions that ask personal information and provide e.g. free text fields where the user might enter his name
    • example in a gift finder: "who do you want to give a present to?" with a free text box where the user enters "Susan" and the result list shows "OK, here are the gift recommendations for Susan"

Where is an exact description of which data excentos collects and what excentos does with the data?

excentos published a description of the data collected on (see the German version here). 
The background of that formulation is that excentos integrated Product Guides ourselves into our website (e.g. for lead generation and demo purposes), and excentos thus needs to comply with GDPR just in the same way as our customers need to.

Is there a template for the privacy statement in our website?

Yes, excentos offers a template. Please note - as also mentioned above - the template is provided as a service to you but it is not a legally binding document. Please review it yourselves also in accordance with your website, other services you are using and your local legal requirements if this regulation complies with your legal needs.

The template also includes the possibility for your website visitors to deactivate the data collection in excentos Analytics. In case you want to provide your users with this option, please integrate the below-mentioned iFrame which will then provide a cookie-functionality to disable tracking to excentos Analytics.

Template for your website's privacy statement (German version)

<h2>Einsatz der Product Guides</h2> 

<p>Auf unserer Website werden Online-Produktberater eingesetzt, um Ihnen als Nutzer*innen einen optimalen Kundenservice zu bieten. Anbieter der Produktberatungslösung ist die excentos Software GmbH (Reiterweg 1, 14469 Potsdam, Zu Optimierungszwecken werden die Nutzerinteraktionen, wie z.B. ausgewählte Antwortoptionen und Navigationstätigkeiten und etwaige Käufe (sofern eCommerce-Tracking aktiviert ist) erhoben. (Vorhandenes Einverständnis der Kunden vorausgesetzt.) Diese Nutzungsdaten werden anonymisiert in einem von excentos betriebenen Webanalysesystem gespeichert. Darüber hinaus erheben die notwendigen Infrastrukturdienste (wie Cloudflare) im Rahmen einer begründeten Interessensabwägung die IP-Adresse und Nutzungsaktivitäten der Nutzer*innen, um Cyber-Attacken abzuwehren. Dies ist eine notwendige Sicherheitsmaßnahme, um die Produktberatungsdienste anbieten zu können. Diese Daten werden lediglich temporär (bis zu 4 Stunden) vorgehalten, um potentielle Angriffsmuster identifizieren zu können. Während dieses Zeitraums ist unter Umständen eine indirekte zeitstempelbasierte Zuordnung zu den Nutzungsaktivitäten möglich. (Nach Ablauf dieses Zeitraums werden die IP-Adressen inkl. aller Logdaten vollständig gelöscht.)</p> 

<p>Mit der Benutzung der Produktberatungslösungen, die auf dieser Website eingesetzt sind, erklären Sie sich mit diesen Bestimmungen einverstanden.</p> 

Template for your website's privacy statement (English version)

<h2>Usage of Product Guides</h2> 

<p>Our website uses Product Guides to advice you during your buying decision process and enable an easy product selection. Provider of the online Product Guide Solutions is the excentos Software GmbH (Reiterweg 1, 14469 Potsdam, Germany, For optimization purposes user interactions (such as selected answer options and navigation activities) and purchases (if eCommerce tracking is enabled) are collected. This usage data is stored anonymously in a web analytics system provided by excentos.  In addition, the necessary infrastructure services (such as Cloudflare) collect the IP address and usage activities of the user as part of a justified consideration of interests in order to defend against cyber attacks. This is a necessary safety measure to enable reliable Product Guide Services. This data is only stored temporarily (up to 4 hours) to identify potential attack patterns. During this period, indirect time-stamp based association to usage activites may be possible for low traffic scenarios. (After this period, the IP addresses including all log data are deleted.)</p>. 


<p>By using the Product Guide Solutions deployed on this website, you agree to this privacy policy.</p> 

(info) Please note: Make sure that the URL included in the iframe tag is not changed when copy-pasting it to your website (it obviously occurred with some browsers that "&" characters were replaced by "&amp;".

Who is responsible for data protection? Do we need a data protection agreement (DPA) or Auftragsverarbeitungsvereinbarung (AVV) with excentos?

As a customer of excentos that integrates excentos Product Guides into your website, you are responsible in terms of DSGVO §4 (7) to comply with data protection regulations. You thus need a DPA (in German: AVV) with excentos.

excentos thus provides standard DPA (in German: AVV) documents:

The DPA (or AVV, respectively) are included as a standard element of our contract and General Terms and Conditions (GTC) or Allgemeine Geschäftsbedingungen (AGB), respectively. See §16 (5) of our GTC or AGB.

  • No labels