Privacy notice
In this privacy notice, we (caralegal GmbH) inform you about the processing of personal data when using our product caralegal (hereinafter also referred to as product). You can print or save this privacy notice by using the usual functionality of your browser.

The product caralegal is made available to your employer within the scope of a data processing agreement pursuant to Art. 28 GDPR. caralegal GmbH is merely the operator of the web application, and thus a processor pursuant to Art. 4 No. 8, Art. 28 GDPR. The legal basis for the processing of personal data is the data processing agreement between your employer and us. The data controller within the meaning of Art. 4 No. 7 GDPR is your employer. For the operation of our web application and the performance of our contractual obligation to your employer, we use (sub-)processors (e.g. for hosting the web application or for providing and performing customer support). If you have any questions about the data processing in this context, please contact your employer (i.e. the data controller).
1. Contact
The point of contact and so-called controller for the processing of your personal data when using this web application within the meaning of the EU General Data Protection Regulation (GDPR) is:
caralegal GmbH
Am Hamburger Bahnhof 4
10557 Berlin
Germany
Phone: +49 (0)30 7543 6935
For all questions regarding data protection in connection with our product “caralegal”, you can also contact our data protection officer at any time. The data protection officer can be reached at the above postal address and at the email address given above (keyword: “attn. data protection officer”). We expressly point out that messages sent to this email address are not read exclusively by our data protection officer. If you wish to exchange confidential information, please first contact us directly via this email address.
2. Data processing in the application
2.1. Access to our application / Connection data
caralegal is a so-called web application, i.e. the application is not installed locally on the user's computer and the data processing takes place on a so-called web server. Therefore, each time you use caralegal, we collect the connection data that your browser automatically transmits to enable you to use caralegal. The connection data includes the following:
IP address of the requesting device,
Date and time of the request,
Address of the accessed website and the requesting website,
Information about the browser and the operating system,
Online identifiers (e.g. device IDs, session IDs).
The processing of the above-mentioned connection data is absolutely necessary to enable the use of caralegal and to guarantee the permanent functionality and security of our systems. The legal basis of this data processing is Art. 6 para. 1 lit. b GDPR. The automatic transmission of the connection data, however, does not constitute access to the information in the terminal equipment as defined by the implementation laws of the ePrivacy Directive of the EU member states, in Germany § 25 TDDDG (Telecommunications Digital Services Data Protection Act). In any case, it would be absolutely necessary.
2.2. Data processing before log-in
If you access the web application and you are not actively logged into the web application as a user, no personal data is generally collected and processed beyond the connection data listed above.
2.3. Registration
The caralegal web application can only be used by registered users. The registration of users for the use of caralegal is usually carried out by your own system administrators. We have highlighted the data that you are required to provide (email address and organizational unit, such as company and/or department/division) by marking them as mandatory fields. Without this data, registration and use of the web application is not possible.

The legal basis for the processing of the necessary data for the registration (mandatory fields) is Art. 6 para. 1 lit. b GDPR.
2.4. Data processing after log-in
For registered users, after successful log-in, in addition to the connection data listed under 2.1. Access to our application, the following personal data is processed in accordance with the purpose of the web application:
User ID, password and/or session cookies
Name and first name
Name of the company/organization
Name of the department/workgroup/team
Type of affiliation with the company/organization
Address and contact information (e.g. postal address, email address)
Mobile phone number (only when using two-factor authentication)
Affiliations to roles, groups, collections, and documents in the web application.
The legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
2.5. Optimisation of the web application
If you give us your express consent within the application, we will process the following personal data for the purpose of improving the functions, user-friendliness and reliability of our web application:
IP address
User ID and session cookies
Device information (e.g. operating system and device type)
Usage and interaction data (e.g. pages visited or content viewed within the application)
The collected data is used to create aggregated reports on feature usage, identify potential problems, and inform product development decisions. Access to raw data is restricted to authorised employees only. All data is stored on infrastructure controlled by the company. No data is transferred to third parties and all data remains on our servers.

The legal basis is Art. 6 para. 1 lit. a GDPR, according to which you have consented to us accessing this data. Insofar as cookies or similar technologies are used, § 25 para. 1 TTDSG applies in addition.

The data is processed for a period of up to 13 months. This period is necessary in order to be able to carry out appropriate evaluations for product improvement, as the use of the software is subject to seasonal fluctuations and also varies considerably from year to year. After expiry of this period, the data is automatically deleted or anonymised, provided that there are no legal retention obligations to the contrary.
2.6. Making contact
If you contact us, we process the data exclusively for the purpose of communicating with you.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as your information is required to answer your inquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest that you contact us and that we can answer your inquiry.

The data collected by us when you contact us will be automatically deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations.
3. Use of tools in the web application
3.1. Technologies used
This web application uses various services and applications (collectively, “tools”) provided either by us or by third parties. These include, in particular, tools that use technologies to store or access information in the terminal equipment:
1. Cookies: information stored on the terminal equipment, consisting of a name, a value, the storing domain and an expiration date. So-called session cookies are deleted after the session, while so-called persistent cookies are deleted after the specified expiration date. Cookies can also be removed manually.
2. Web Storage (local storage / session storage): information stored on the terminal equipment, consisting of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiration date and basically remains stored unless a mechanism for deletion has been set up (e.g. storage of a local storage with time entry). Information in local and session storage can also be removed manually.
3. JavaScript: programming codes (scripts) embedded in or called up from the website or web application that, for example, set cookies and web storage or actively collect information from the terminal equipment or about the usage behavior of visitors or users. JavaScript can be used for “active fingerprinting” and the creation of usage profiles. JavaScript can be blocked by a setting in the browser, although most services will then no longer function.
4. Pixel: Tiny graphic automatically loaded by a service, which can make it possible to recognize visitors by automatically transmitting the usual connection data (in particular IP address, information about browser, operating system, language, address called up and time of call-up) and to determine, for example, whether an email has been opened or a website visited. With the help of pixels, “passive fingerprinting” and the creation of usage profiles can be carried out. The use of pixels can be prevented, for example, by blocking images (e.g. in emails), although the display is then severely restricted.
With the aid of these technologies and also by simply establishing a connection on a page, so-called “fingerprints” can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints based on the connection setup cannot be completely prevented manually. Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you block cookies from being stored, graphics from being displayed, and scripts from running entirely, our services are not likely to function properly or at all.

In the following, we list the tools used by category, informing you in particular about the providers of the tools, the storage period of the cookies or information in local storage and session storage, and the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can revoke it.
3.2. Legal basis
We use tools necessary for the web application based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide the basic functions of our web application. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the terminal equipment is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 para. 2 TDDDG.

If personal data is transferred to third countries (such as the USA), we refer you to section 6 (“Data transfer to third countries”), also with regard to the possible associated risks. We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we (also) transfer the data processed when using the tools to third countries on the basis of this consent pursuant to Art. 49 (1) lit. a GDPR.
3.3. Necessary tools
We use certain tools to enable the basic functions of our web application (“necessary tools”). These include ensuring the security of our web application. Without these tools, we could not provide our service. Therefore, necessary tools are used without consent.

The legal basis for necessary tools is the necessity to fulfill our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the provision of the respective basic functions and the operation of our website. In cases where the provision of the respective website functions is necessary for the fulfillment of a contract or for the performance of pre-contractual measures, the legal basis for data processing is Art. 6 para. 1 lit. b GDPR. Access to and storage of information in the terminal device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG.
In the event that personal data is transferred to third countries (such as the USA), we refer to Section 6 (“Data transfer to third countries”) in addition to the information provided below.
4. Disclosure of data
The data we collect will only be transferred if – in the specific case – there is a legal basis for this under data protection laws, in particular if:
you have given your express consent in accordance with Art. 6 Para. 1 lit. a GDPR,
the disclosure is necessary for the assertion, exercise or defense of legal claims in accordance with Art. 6 para. 1 lit. f GDPR and there is no reason to assume that you have an overriding interest in not having your data disclosed,
we are legally obliged to disclose your data according to Art. 6 para. 1 lit. c GDPR, in particular if this is necessary for legal prosecution or enforcement due to administrative inquiries, court orders and legal proceedings, or
this is legally permissible and necessary according to Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.
Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy notice, this may include, in particular, data centers that store our web application and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. If we pass on data to our service providers, they may only use the data to fulfill their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us.
5. Data transfer to third countries
As explained in this privacy notice, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your expressed consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.

If a third country transfer is provided for and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the cookie banner, you will also be informed of this.
6. Location of data processing
The processing of data takes place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state party to the Agreement on the European Economic Area.
7. Storage period
In principle, we only store personal data for as long as is necessary to fulfill the purposes for which we collected the data. Thereafter, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law, due to statutory retention obligations or there is another legal basis under data protection laws in the specific case for the continuing standard limitation period at this point in time at the earliest. For evidentiary purposes, we must retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims become statute-barred at this point at the earliest in accordance with the standard statutory limitation period.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents range from two to ten years.
8. Your rights
You are entitled to the data subject rights formulated in Art. 15 – 21, Art. 77 GDPR at any time:
Right to withdraw your consent;
Right to object to the processing of your personal data (Art. 21 GDPR);
Right of access to your personal data processed by us (Art. 15 GDPR);
Right to rectify your personal data stored by us that is incorrect (Art. 16 GDPR);
Right to erasure of your personal data (Art. 17 GDPR);
Right to restrict the processing of your personal data (Art. 18 GDPR);
Right to data portability of your personal data (Art. 20 GDPR);
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
To exercise your rights described here, you can contact us at any time using the contact details above. This also applies if you would like to receive copies of guarantees to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.

Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, even longer for the assertion, exercise or defense of legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 (2) GDPR.

Finally, you have the right to complain to the data protection supervisory authority responsible for us. You can assert this right at a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
9. Right of revocation and objection
You have the right to revoke your consent at any time. This has the consequence that we will no longer continue the data processing based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to data processing for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.

If you wish to make use of your right of revocation or objection, it is sufficient to send an informal message to the contact details above.
10. Data security
We maintain state-of-the-art technical measures to ensure data security, in particular to protect your personal data from risks during data transmissions and from third parties gaining knowledge. These are adapted to the current state of the art in each case. For the secure transmission of the personal data you provide in our web application, we exclusively use secure Internet connections with HTTPS or Transport Layer Security (TLS), which transmit the information you enter in encrypted form; we then store it exclusively in encrypted form.
11. Changes to this privacy notice
We occasionally update this privacy notice, for example if we adapt our product or if legal or regulatory requirements change.

Last amended: September 2025