1. Responsible controller/contact information
The controller responsible in accordance to data protection laws is (herein also called from time to time “Controller”):
Mambu GmbH, Karl-Liebknecht-Str. 5, 10178 Berlin, Germany.
If you have any questions or suggestions regarding data protection, please do not hesitate to contact us by email at email@example.com.
2. Subject matter of data protection
Subject matter of data protection are personal data. According to Art. 4 No. 1 GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person; this includes, for example, names or identification numbers.
3. Collection and use of your personal data
3.1 Collection of data by automated means (logs)
When accessing our website, your device automatically transmits data for technical reasons. Your IP address is not collected in the course of protocol. The following data is stored separately (logs) from other data that you may transmit to us:
- Date and time of accessing our website
- Name of the requested file/URL
- Statuscode of the request (success/fail)
- Bytes sent by the HTTP-body
- Browser type and version
- Response time of the request
The legal basis for the temporary storage of data is Art. 6 (1) lit. f GDPR.
This temporary storage is necessary in order to maintain the functionality of the website as well as for the optimization of the website and for ensuring the security of the IT systems.
For these purposes, our legitimate interest in the processing of data according to Art. 6 (1) lit. f GDPR.
The data contained in logfiles will be deleted at the latest after seven days.
In order to be able to use all functionalities of our platform, you can be registered at my.mambu.com, however, you need to provide the following required information:
- User name
- Email address
- First name
- Skype name
- Telephone number
This data is necessary in order to provide you with a dedicated user account and to maintain the account for you, so that you can use all features and functionalities of our platform. Furthermore, we may need those and additional data to support you and communicate with you.
Processing of any data entered in the context of the registration function is necessary to provide you with the function of the platform and services as intended, Art. 6(1) lit. (b) GDPR. Insofar as we collect and process your data for the purpose to provide the functionalities of our platform and services, as described above, you are contractually obliged to provide this data, as we are simply not able to provide our services to you or gain access to the platform without that.
During the registration process, this may also be required in view of the fulfilment of a contract or prior to an envisaged contract, even in case that such data is not required anymore for the actual execution of such contract. Even after the actual conclusion of the contract contractual or regulatory obligations may exist to keep personal data of the contractual partner.
3.3 Contact Form
If you contact Mambu via the contact form provided online, your input data including contact data is collected and used to process and respond to your request. Thus, we collect your contact data, in order to receive your requests and to be able to respond accordingly.
The legal basis for the storage of data is Art. 6 (1) lit. f GDPR. In case that the contact via email is intended to conclude a contract, additional legal basis for the processing is Art. 6 Abs. 1 lit. b GDPR.
Mambu has a legitimate interest to reply to the request of a user. Thus, the processing of data collected via the contact form is necessary unless a reply would simply not be possible. Consequently, the legitimate interest of Mambu prevail, Art. 6 Abs. 1 lit. f GDPR.
In general, the data is erased once the purpose of the storage is fulfilled. For personal data collected via online forms, this is the case once the respective communication with the user has ended in the sense that when taking all circumstances into consideration, the request at hand is entirely settled to the satisfaction of both parties and the nature of such request.
Furthermore, you are able to provide additional, non-necessary information via the online forms which are entirely voluntary and only help Mambu when reaching out to the user and in responding to the specific request or in case of question.
The legal basis for the storage of data is Art. 6 (1) lit. f GDPR as Mambu’s legitimate interest prevails.
Mambu has an interest to address and respond to the request of a user, in particular to contact him, in order to take care of the request in a timely manner. This interest is even in line with the interest of the user itself to get the response he was requesting or referring to and who has signalled by providing respective data that he wants to be approached.
In general, the voluntarily provided not necessary data is also erased once the purpose of the storage is fulfilled. This is also the case once the respective communication with the user has ended in the sense that when taking all circumstances into consideration, the request at hand is entirely settled to the satisfaction of both parties and the nature of such request.
4. Transfer of data to third parties
In general, your personal data, protocol data or data provided through online forms will only be passed on without your explicit prior consent in the following cases:
The transfer of this data is justified by our legitimate interest in preventing abuse, prosecuting criminal offences and securing, asserting and enforcing legal claims and that your rights and interests in protecting your personal data do not prevail, Art. 6(1) lit. (f) GDPR.
If European data protection authorities or courts may come to the conclusion that Art. 28 Abs. 1 GDPR were no standalone legal basis for the transfer of personal data to contract processors, such transfer shall be deemed based on our legitimate interest in regard to the commercial benefit by the involvement of specialized contract processors and the fact that in comparison, these benefits are deemed predominant to your interest in view of protection of personal data, Art. 6 Abs. 1 lit. f GDPR.
We also process data in countries outside of the European Economic Area (EEA). In these cases, we base the data transfer on approved Standard Contractual Clauses (SCC) provided by the European Commission (Art. 46 2. (c)) in combination with additional technical and/or organizational measures implemented by the data importer to protect person data.
Mambu stores so-called "cookies" in order to offer you a comprehensive range of functions and to make the use of our websites more convenient. "Cookies" are small files that are stored on your computer with the help of your Internet browser. If you do not wish the usage of "cookies", you can prevent the storage of "cookies" on your computer by appropriate settings of your Internet browser. Cookies, that are already stored, can be deleted at any time, this can also be done automatically. Please note that the functionality and range of functions of our website offer may be reduced as a result.
Furthermore, we may store cookies of third parties, such as:
- Youtube (embedded videos)
- Wistia, inc (embedded videos)
On developer.mambu.com and support.mambu.com cookies of the following third parties may be stored:
- Google Analytics
The legal basis for the processing of personal data by using cookies for purposes of analysis in case of the existence of an opt-in, is Art. 6 (1) lit. a GDPR. The legal basis for the storage of data is Art. 6 (1) lit. f GDPR.
The purpose of using cookies, that are technically necessary, is to make the usage of the website easier for the user. Some of the functionalities of our website cannot be offered without the use of such cookies; for these it is necessary that the browser is recognized even while browsing across different web pages.
The use of such cookies is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient usage of our website as well as marketing and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
Mambu uses Hubspot for purposes of marketing campaign analysis and customer relationship management. Hubspot is a service of Hubspot Inc., a US software company having also a subsidiary in Ireland (contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland).
In the course of the service cookies are being placed that are stored on your computer. Both enable us to analyse the performance of our marketing campaigns and allow users of our website to submit contact requests through forms. The information stored (e.g. IP-address, geographical data, browser type, time and duration of the visit and called websites) are analysed and evaluated by Hubspot on behalf of Mambu in order to gain insights about your visit and visited websites of Mambu.
If you do not wish the usage of "cookies" by Hubspot, you can prevent the storage of "cookies" on your computer at any time by appropriate settings of your Internet browser (please also see above sections in this regard).
The use of Hubspot is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient usage of our marketing campaigns as well as managing relationships with our customers and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
7. Google Analytics
Mambu uses Google Analytics, a web analytics service offered by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA („Google“). Google Analytics uses so called “Cookies” which are text files that are stored on your computer and allows the analysis of your use of our website. Die information about your use of our website created by the Cookies (incl. your shortened IP address) is transferred to Google servers in the USA and stored there. Google will use this information to analyse your use of our website and create usage reports of our websites for Mambu and to offer further services to Mambu that are related to the usage of our websites. Google may pass the collected information to third parties if this is legally required or in order to have the data processed in the name of Google.
You can deactivate Google Analytics through a browser add-on if you do not wish to be part of Google’s website analysis. You can download the add-on at http://tools.google.com/dlpage/gaoptout.
To prevent Google Analytics tracking across devices, you must opt-out on all systems you use. You activate the opt out cookie here Opt Out Google Analytics
The use of Google Analytics is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient marketing of our website and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
8. Recruiting (Lever)
We use Lever, a recruiting software by Lever, 155 5th St 6th floor, San Francisco, CA 94103, USA (“Lever”).
With Lever we collect personally identifiable information on direct applicants and possible candidates that we identified (“sourced”) externally, e.g. from LinkedIn, referrals or via recruitment agencies.
A. Direct applicants need to provide the following required inputs:
- First name, last name
- Email address
- Phone number
- Cover Letter
This data is required to create an applicant record in our recruiting software to manage and process your job application. Further we need this information and possible further information to support the application process and the communication with you.
We collect this information in order to provide you our job application portal as per Art. 6 (1) lit. (b) GDPR.
When we process your provided data in order to provide you the job application portal, you are contractually required to provide this information to us. Without this information we cannot provide you our job application portal.
During the registration process, this may also be required in view of the fulfillment of a contract or prior to an envisaged contract, even in case that such data is not required anymore for the actual execution of such contract, i.e. after the application process. This information is required to process your job application or to prepare your work contract. Further also after the job application process was completed, either with an offered work contract or rejection, we may be required to store the provided information for contractual or to fulfill other legal or regulatory reasons.
The deletion of applicant data occurs generally as soon as the purpose of the collection is reached, e.g. when a decision on the job application has been made. For documentation of the transparency and discrimination free decision, we store the applicant data up to six months respectively and upon your explicit consent for a longer period.
B. For sourced or referred (by colleagues or recruitment agency) candidates Mambu collects the following in Lever:
- First name, last name
- Email address
- Phone number
- Link to LinkedIn profile
- Notes on the discussions being held
As part of the initial contact attempt we will inform the potential candidate actively about the processed data as per Art. 14 GDPR and where it is stored (Lever).
Mambu has a legitimate interest to identify potential candidates from public sources, recruitment agencies or internal networks in order to fill open positions. Thus, the processing of data and transfer to Mambu’s recruiting software for managing candidates is necessary. Consequently, the legitimate interest of Mambu prevails as per Art. 6 (1) lit. f GDPR.
Data of sourced or referred candidates (by colleagues or recruitment agency) is stored initially for 3 months in order to stay in touch. In order to consider candidates for future opportunities Mambu will ask for their consent via email or a LinkedIn message as per Art. 6 (1) lit. a GDPR to keep the data for the next 2 years.
If candidates want their records in Mambu’s recruiting software be anonymized or Mambu doesn’t receive a positive answer from a candidate, Mambu will remove all information from the candidate’s profile in Lever (e.g. CV, notes from conversations, qualifications, roles), except for information needed to identify the candidate (e.g. name/email address/link to LinkedIn) and when Mambu reached out. The remaining information is retained in order to verify if Mambu already contacted the candidate recently. If a candidate further wants to have their full record deleted, this may result in future contact attempts as Mambu then has no record of the communication history.
Mambu uses plugins from the service provider Wistia, located at Wistia, Inc., 17 Tudor Street, Cambridge, Massachusetts, 02139 USA, on its website.
Wistia is a video hosting service that allows website visitors to view videos provided by Mambu. Wistia further provides website owners the ability to track engagement metrics and create personalized call-to-actions to improve video viewing experience.
Mambu does not process this information further or transfers it to further third parties.
By the usage of the Wistia plugin you agree with the described data processing by Wistia.
We use Envoy Visitors, a visitor log book software by Envoy, 410 Townsend St, Suite 410, San Francisco, CA 94107 (“Envoy”). With Envoy we collect personally identifiable information on Visitors. Visitors to Mambu offices need to provide the following required inputs:
- First name, last name
- Email address
- Personal Photo
This data is required to create a visitor record in our software to manage and record your visit and print a temporary one-use badge while in Mambu offices.
We collect this information for security purposes in order to comply with our internal visitor policy, which represents a legitimate interest as per Art. 6 (1) lit. (f) GDPR.
When we process your provided data in the visitor kiosk at the entrance of any Mambu building, you are required to provide this information to us. Without this information we cannot provide access to any Mambu office.
The information is further stored beyond the visit as required for internal audit and information security purposes.
The deletion of this data occurs generally as soon as the purpose of the collection is reached, or upon request of the data subject, at the latest though after 12 months.
Mambu uses Discourse from the service provider Civilized Discourse Construction Kit, Inc., Jeff Atwood, Chief Executive Officer, Civilized Discourse Construction Kit, Inc., 410 Clayton Avenue, El Cerrito, California 94530, to host a community forum.
Discourse is a community forum service that allows website visitors to raise and answer questions. Discourse further provides website owners the ability to monitor user profiles, incl. usage statistics, user actions, incl. IP address of signup and last access.
Mambu does not process this information further or transfers it to further third parties.
By the usage of the Mambu’s community forum, provided by Discourse, you agree with the described data processing by Discourse.
12. Partner Management (Impartner)
We use Impartner, a partner relationship management software by Impartner, Inc., of 10619 Jordan Gateway, South Jordan, UT 84095, United States (“Impartner”). With Impartner we collect personally identifiable information on applicants to the Mambu Partner program. Applicants need to provide the following personally identifiable information as required inputs:
- Salutation, First name, last name
- Job title
- Email address
- Phone number
- Company name and address
This data is required to create an applicant record in our partner relationship management software to manage and process your application for access to the Mambu Partner Portal, along with accessing features and functionality as part of the partnership your company has with Mambu. Further we need this information and possible further information to support communication with you as part of using the Mambu Partner Portal.
We collect this information in order to prepare and fulfill a mutual Partner agreement and provide you with access to the Mambu Partner Portal as per Art. 6 (1) lit. (b) GDPR.
When we process your provided data in order to provide you access to the Mambu Partner Portal, you are contractually required to provide this information to us. Without this information we cannot provide you access to the Mambu Partner Portal.
During the registration process, the provided personal information may also be required to match Partner applicant data with existing partnership contracts that Mambu has in place, or in view of the fulfillment of a contract, even in case that such data is not required anymore for the actual execution of such contract, i.e. after the contract is signed. This information is required to process your application to access the Mambu Partner Portal or to prepare your contract to become a partner of Mambu. Further, also after the access to the Mambu Partner Portal process was completed, either with an acceptance or rejection, we may be required to store the provided information for contractual reasons or to fulfill other legal or regulatory reasons.
The deletion of applicant data occurs generally as soon as the purpose of the collection is reached, e.g. when Mambu is informed that an individual is no longer employed by a company who has a partnership agreement with Mambu. For management of duplicate applications, avoiding recertification of individuals under a different partner agreement, documentation of the transparency and discrimination free decision, we store the applicant data up to six months respectively.
13. Prospective and Existing Customer Management (Salesforce)
We use Salesforce, a customer relationship management software by Salesforce.com, Inc., The Landmark @ One Market Street, San Francisco, CA 94105, USA (“Salesforce”). With Salesforce we collect personally identifiable information on customers, partners, prospective customers, and prospective partners. The information is either directly submitted to Salesforce as part of a support inquiry to firstname.lastname@example.org, or is copied to Salesforce by Mambu as part of a partner application (for processed data please see section “Impartner”) or contact inquiry from a Mambu website (for processed data please see section “Hubspot”). Customers need to provide the following required inputs for support inquiries:
- First name, last name
- Company email address
This data is required to create an associated record in our customer relationship management software to manage and process your data for the following purposes:
- If you are a prospective or existing customer of Mambu, to support communication with you.
- If you are a prospective or existing partner of Mambu, to provide access to information within the Mambu Partner Portal, and support communication with you as part of the partnership your company has, or is intending to have, with Mambu.
We collect this information as per Art. 6 (1) lit. (b) GDPR in order to serve your support or contact inquiry, or provide you with access to the Mambu Partner Portal.
When we process your provided data in order to communicate with you, you are contractually required to provide this information to us. Without this information we cannot communicate with you. Further, we may be required to store the provided information for contractual reasons or to fulfill other legal or regulatory reasons.
The deletion of customer or applicant data occurs generally as soon as the purpose of the collection is reached, e.g. when Mambu is informed an individual is no longer employed by a company who has a customer or partnership agreement with Mambu. We generally store:
- Partner applicant data up to six months respectively and upon your explicit consent for a longer period, for documentation of the transparency and discrimination free decision.
- Prospective customer data up to 18 months to support the typical length of Mambu’s sales cycles and report effectively on marketing campaign effectiveness.
- Customer and Partner data, including commercial and support communication, up to ten years after contract termination due to legal obligations and tax reasons.
14. Your rights as data subject
In case your personal data is processed, you are the data subject within the meaning of GDPR and you have the rights outlined hereafter.
14.1 Right of confirmation and access (Information)
Each data subject shall have the right granted by the European legislator to obtain from the Controller the confirmation as to whether or not personal data concerning him or her are being processed.
In case such processing occurs, the data subject may request access to the following information:
- the purposes of the processing of personal data;
- the categories of personal data concerned in the processing;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer in accordance with Art. 46 GDPR.
14.2 Right to rectification of inaccurate data
You have the right that Mambu has to immediately correct or complete any personal data concerning you if it is inaccurate or incomplete. We as the controller would have to execute your request without undue delay.
14.3 Right to restriction of processing
You have the right that Mambu has to restrict processing of your personal data subject to the following prerequisites:
- The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
- The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
- The data subject has objected to processing pursuant to Art. 21 (1) of the GDPR pending the verification whether the legitimate interests of the Controller override those of the data subject.
In case the processing of your personal data was subject to restriction, and notwithstanding their storage, such data shall only be processed with your consent or for the establishment, exercise, or defense of claims or for the procurement of the protection of rights of a natural or legal person or for purposes of an important public interest of the European Union or a member state.
In case the restriction of processing has been executed in accordance with the above, you shall be informed by the Controller prior to the cancellation of such restriction.
14.4 Right to erasure (“Right to be forgotten”)
a) Right to erasure
Each data subject shall have the right to request from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following reasons applies, as long as the processing is not necessary:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent to which the processing is based according to Art. 6 (1) lit. a GDPR, or Art. 9 (2) lit. a GDPR, and where there is no other legal reason for the processing;
- the data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or - - the data subject objects to the processing pursuant to Art. 21 (2) GDPR;
- the personal data has been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject to;
- the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.
b) Information to third parties
Where the Controller has made personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Controllers processing the personal data that the data subject has requested erasure of any links to, or copy or replication of, those personal data, from these controllers.
The right to erasure does not apply where the processing is necessary:
- for the exercise of the right of freedom of speech and information;
- for the fulfilment of a mandatory legal obligation that is mandatory, according to European or the respective member state’s law the Controller is subject to, or is necessary for the performance of a task carried out in the public interest or in execution of official authority given to the Controller;
- for reasons of public interest in regard to public safety and health pursuant to Art. 9 Abs. 2 lit. h and i as well as Art. 9 (3) GDPR;
- for archives in the public interest, scientific, historical or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the granted right mentioned in a) above would likely make the achievement of such purposes impossible or seriously endangered;
- or for establishing, exercising or defending legal claims.
14.5 Right of information
In case you have claimed the right of rectification, erasure or restriction of the processing towards the Controller, the Controller is obliged to inform all recipients of personal data belonging to you such rectification, erasure or restriction accordingly, unless such information seems to be impossible or only possible by needing inappropriate efforts.
You are entitled to claim to be informed by the Controller about such recipients.
14.6 Right to data portability
You shall have the right to receive the personal data concerning you, which was provided to us as the Controller, in a structured, commonly used and machine-readable format. You shall also have the right to transmit this data to another Controller without hindrance from the Controller to which the personal data has been provided, as long as the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or of Art. 9 (2) lit. a GDPR, or on a contract pursuant to Art. 6 (1) lit. b GDPR, and
the processing is carried out by automated means.
Furthermore, in exercising your right to data portability, the data subject shall have the right to have personal data transmitted directly from one Controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
The right to data portability only applies as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
14.7 Right to object
Each data subject shall have the right to object, based on his or her particular situation, at any time, to processing of personal data concerning him or her, which is based of Art. 6 (1) lit. e, or f GDPR. This also applies to profiling based on these provisions.
Mambu shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If Mambu processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing.
If the data subject objects to Mambu to the processing for direct marketing purposes, Mambu will no longer process the personal data for these purposes.
In order to exercise the right to object, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
14.8 Right to withdraw data protection consent
You as data subject shall have the right to withdraw your consent to processing of your personal data at any time. Irrespective of such withdrawal of the consent, the legitimation of the processing of personal data until the withdrawal shall remain unaffected.
14.9 Automated individual decision-making, including profiling
Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision
- is not is necessary for entering into, or the performance of, a contract between the data subject and a Controller, or
- is not authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
- is not based on the data subject's explicit consent.
Notwithstanding the aforementioned, such decisions shall not be based on specific categories of personal data pursuant to Art. 9 (1) GDPR, insofar Art. 9 (2) lit. a or lit. g do not apply and in case that suitable measures to safeguard the data subject's rights and freedoms and legitimate interests were procured.
In view of the cases 1 to 3 above, the Controller shall procure suitable measures to safeguard the data subject's rights and freedoms and legitimate interests. This means that the Controller is at least required to procure the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision.
14.10 Right to file complaints with the regulatory authority
Notwithstanding any other administrative and judicial procedures, you shall have the right to file a complaint with a competent regulatory authority, in particular in the member state where you are situated, you have your place of work or where the alleged breach has occurred; if you believe that the processing of your personal data is a breach of the regulations set forth in the GDPR.
The regulatory authority, that has been approached by you, shall inform you about the status of the results of an investigation on an ongoing basis as well as about the possibility of a judicial procedure according to Art. 78 GDPR.