Privacy Policy
- INTRODUCTION – SCOPE
Diffusely Austria GmbH is a company established under the laws of Austria, with offices at Karmeliterplatz 8, 8010 Graz, registered with the Companies Register (Firmenbuch) at the Regional Court (Landesgericht) of Graz under the number (FN) 452417w. Diffusely Austria GmbH is doing business as CarCutter and is hereinafter referred to as “CarCutter” .
CarCutter has developed software for the automated processing of photos, pictures, images and movies of vehicles offered via an application programming interface (“API”) and a (mobile) web-application (“App”) (together referred to as the “CarCutter Software”). The object of an agreement with CarCutter is the provision of the CarCutter Software, as a software-as-a-Service via the API and App (“Services”).
This privacy policy (“Privacy Policy”) applies to the processing of personal data with regard to the operation of the website (“Website”), the access and use of the Services through the operation of the API and the App. This Privacy Policy does not apply to the processing of personal data in other business sectors of CarCutter.
This Privacy Policy applies to:
- all visitors of our Website,
- all users who access and use our Services directly through the Platform and the App,
- users who interact with our Services when they are integrated into third-party products or websites, including but not limited to Dealer Management Systems (DMS), Enterprise Resource Planning (ERP) systems, and websites or digital properties of our Clients on which the CarCutter WebPlayer is embedded
- any other individuals whose Data is processed in connection with the Services or content created through the Services, regardless of the system, website or online marketplace/platform through which they access or interact with them.
The protection and security of personal data and the compliance with the data protection regulations – currently the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”) and the Federal Act concerning the Protection of Personal Data in the amended version (Data Protection Act – “DSG”) and legal acts adopted on the basis of this legislation – is given special emphasis by CarCutter. The following Privacy Policy provides the information according to Art 12 ff GDPR of what type of personal data CarCutter processes with regard to the operation of the services for what purposes and how CarCutter ensures the protection of these data
This Privacy Policy is available on www.car-cutter.com and can be electronically viewed, printed, downloaded and stored on a storage medium at any time and is incorporated into any agreement signed by CarCutter, by this reference.
The terms used in this Privacy Policy are understood according to Art 4 GDPR.
- CONTROLLER, DATA PROTECTION OFFICER
Diffusely Austria GmbH, respectively CarCutter, is Controller according to Art 4 No 7 GDPR.
Diffusely Austria GmbH has appointed a DPO:
- Alexandra Lachowsky
- which You may contact with the following email address: privacy@diffuse.ly
- PROCESSING OF PERSONAL DATA IN GENERAL
CarCutter primarily operates in B2B-business. However, in connection with certain Services such as the WebPlayer, CarCutter may automatically receive technical access data originating from end-users of its Clients’ websites, as further described in Section 4. The application of this Privacy Policy is limited to still possible processing of personal data (“Data”) relating to natural persons (“Data Subjects”). The Data will only be processed according to the principles relating to processing of personal data in Art 5 of GDPR and only if and to the extent that at least one of the cases of Art 6 GDPR applies. The purposes and duration of Data processing are stated in Section6. below.
CarCutter does not process any special categories of personal data according to Art 9 Section1 GDPR.
If the legal requirements of other cases according to Art 6 GDPR are not met (or additionally to such a case), CarCutter will ask the Data Subject for consent to the processing of his or her Data for one or more specific purposes. If the Data Subject makes available to or voluntarily provides Data not requested or required by CarCutter, the Data Subject gives his or her consent to the proceeding of the Data by CarCutter.
CarCutter discloses and transfers Data only if and to the extent permitted by the applicable laws. Data may be transferred to the following categories of recipients: processors according to Art 28 GDPR, banks, legal representatives, accountants, auditors and tax advisors, courts, administrative authorities, contract and business partners, insurance companies. Without consent of Data Subjects CarCutter does not transfer data to recipients in non-EU-member-states or international organizations. Within the company of CarCutter Data will be disclosed to all positions and organizational units involved in the processing of the relevant Data.
CarCutter does not process any form of automated processing data consisting of the use of data to evaluate certain personal aspects relating to a natural person (“Profiling”).
- COLLECTION OF DATA FROM THE DATA SUBJECT AND PROCESSING THEREOF
Collection and processing of technical data when accessing the Services
When accessing its Services, CarCutter automatically collects and processes Data of a technical nature (access data and data processed using cookies) for the purpose of providing, securing and optimizing the Services as legitimate interests according to Art 6 Section1 lit f) GDPR and – if necessary – only with consent of the Data Subjects according to Art 6 Section1 lit a) GDPR (see Section7. and 8. below).
Collection and processing of Data when using the Services and communicating
When using its Services, CarCutter collects and processes the following Data for the performance of the contract with the Data Subject according to Art 6 Section1 lit b) GDPR: first and last name, e-mail address, address (street, postal code, state), payment data. When communicating with CarCutter communication data such as telephone number and correspondence data may also be processed according to Art 6 Section1 lit b) GDPR. The processing of Data will be treated confidentially, transferred only using SSL encryption and – if necessary – only be transferred to subcontractors and/or other companies entrusted with the performance of the contract.
Collection and processing of engagement metrics when interacting with the Services or content created through the Services
When accessing its Services, CarCutter automatically collects and processes Data in the form of engagement metrics for the purpose of providing, securing and optimizing the Services as legitimate interests according to Art 6 Section1 lit f) GDPR. This includes, but is not limited to, data such as page views, time spent on specific features, interactions with content, and other behavioral insights (“Engagement Metrics”).
Specifically, this Data is processed for the purposes of:
- enhancing and optimizing the usability and performance of the Services,
- understanding user preferences and behaviors to improve content and features,
- detecting and preventing fraudulent or abusive activity, and
- conducting internal analytics and business intelligence.
Where required by applicable law, mechanisms are in place to allow individuals to manage preferences regarding engagement tracking.
Collection and processing of access data via the embedded WebPlayer
When an end-user of a Client’s website interacts with the CarCutter WebPlayer embedded on that website, CarCutter automatically collects and processes access data of a technical nature transmitted to CarCutter’s servers. This data includes, but is not limited to: interaction and engagement events (e.g. play, pause, spin), session duration and ID, timestamp, device type, browser ID, type and version, operating system, instance ID, and referrer URL.
This data is processed solely for the purposes of delivering, maintaining, securing and improving the WebPlayer and the Services, and for internal analytics, on the basis of CarCutter’s legitimate interests pursuant to Art. 6(1)(f) GDPR. CarCutter does not use this data to personally identify end-users. IP addresses are processed transiently and are not stored in a form that permits re-identification of individuals beyond what is technically necessary.
By choosing to embed the WebPlayer on their website, Clients introduce a third-party component that independently collects technical access data as described above. Clients are responsible, as operators of their own websites, for ensuring their privacy notices disclose the use of such third-party components to their end-users. CarCutter processes the access data it collects via the WebPlayer as an independent data controller for the purposes set out in Section 7 of this Privacy Policy, and not as a data processor on behalf of the Client.
Clients are additionally required, under the terms of their agreement with CarCutter, to include a reference to this Privacy Policy or to the data protection contact address privacy@diffuse.ly in their own privacy notices, so that end-users interacting with the WebPlayer can identify CarCutter as the party responsible for collecting their technical access data and can exercise their data subject rights accordingly.
- DATA NOT OBTAINED FROM THE DATA SUBJECT
Subject to automatically collected technical Access Data according to Section 7. below and Data processed using cookies according to Section 8. below CarCutter does not process Data not obtained from the Data Subject.
- PROCESSING AND RETENTION PERIODS
CarCutter does not process and store Data permanently, but only in accordance with the time limits stipulated under the current applicable legislation, however, for at least as long as is necessary for the purposes for which the Data are collected. CarCutter keeps the Data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
Data necessary for the performance of a contract IS only kept and processed as long as required for the performance of the contract (including post-contractual duties) and required to comply with the applicable laws (in particular tax laws).
CarCutter will delete and no longer process Data only processed with consent of the Data Subject according to Art 6 Section1 lit a) GDPR upon withdrawal of the consent by the Data Subject according to Art 7 Section3 GDPR and Data only processed on the basis of legitimate interests according to Art 6 Section1 lit f) GDPR upon justified objection according to Art 21 GDPR.
With respect to Access Data collected via the WebPlayer when end-users interact with it on Clients’ websites, CarCutter retains raw Access Data for a maximum period of twenty-four (24) months from the date of collection, after which it is deleted or irreversibly anonymised. Anonymised or aggregated data derived from WebPlayer Access Data, which can no longer be used to identify any individual, may be retained for longer periods for internal analytics and service improvement purposes. These retention periods reflect the purposes for which the data is collected and are consistent with the principle of storage limitation under Art. 5(1)(e) GDPR.
- PROCESSING OF ACCESS DATA
CarCutter automatically collects and processes Data of a technical nature about every access to the server on which the Services are located, including accesses originating from end-users of Clients’ websites interacting with the embedded WebPlayer, and which are considered as personal data or can be used to identify the person or personal data of the Data Subject and which are kept in server logfiles (“Access Data”). These include, for example, the IP address, unique device identification, type and version of the operating system and the browser, name of the retrieved web page, file, date and time of retrieval, referrer URL (previously visited page) and the requesting provider.
CarCutter does not process this Access Data for the purpose of identifying the person or personal data of the Data Subject, but solely for the purpose of providing, customizing, adapting, improving, maintaining, optimizing and further developing the Services (including functions, modules and features thereof), for error detection and correction, to maintain the security system and – when using web analytics services – for the purpose of internal statistical evaluation, without any conclusions being drawn on the person or data of the Data Subject.
- COOKIES
Cookies are files that are stored locally in the buffer of the internet browser of the Data Subject and are, in particular, supposed to make the Services (in particular by recognizing the accessing browser and storing files temporarily) more user-friendly, effective and secure as well as enabling an analysis of the use of the Services when using web analytics services.
CarCutter uses Cookies necessarily required for enabling the services on the basis of its legitimate interests according to Art 6 Section1 lit f) GDPR of providing, securing and optimizing the services. Other cookies are used with consent of the Data Subjects according to Art 6 Section1 lit a) GDPR submittable by clicking a checkbox. Data Subjects may withdraw their consent at any time by deactivating and/or deleting cookies in the settings of the internet browser and may set the duration of their storage and when they are deleted. The procedure depends on the internet browser used by the Data Subjects. However, disabling cookies may result in certain features and/or contents of the Services not functioning or functioning as expected.
Session cookies are only stored temporarily for the duration of access or use by the Data Subject; persistent cookies until the Data Subject removes them from the browser.
- GOOGLE ANALYTICS
On the basis of CarCutters’ legitimate interests of providing and optimizing its services according to Art 6 Section1 lit f) GDPR and – if necessary or additionally – with consent of the Data Subject according to Art 6 Section1 lit a) GDPR, submittable by clicking a checkbox, CarCutter may use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”). Google Analytics uses cookies for enabling an evaluation of the services. The information generated by the cookies about the use of the services is usually transmitted to a Google server in the USA and stored there. However, CarCutter uses Google Analytics only with active IP-anonymization, which means an IP address will be shortened beforehand by Google within member states of the European Union or in other signatory states of the Agreement in the European Economic Area.
Google will use this information to evaluate the use of the services, to compile reports on service activity and to provide other services related to service activity and internet usage to CarCutter.
Despite the right of refusing or withdrawing the consent Data Subjects have the possibility to anytime deactivate the cookie-settings in the internet browser and / or to delete and enhance settings as to how long cookies may be stored and when they need to be deleted. The procedure depends on the internet browser used. Moreover, Data Subjects can prevent the processing of the data generated by the cookie and related to the use of the services by downloading the browser plug-in available under the following link and installing: https://tools.google.com/dlpage/gaoptout?hl=de.
- GOOGLE ADWORDS
On the same legal basis, the services may additionally use Google AdWords, an online advertising API of Google, using a tool known as conversion tracking. By clicking a Google advert, cookies will be set by Google AdWords for conversion tracking. These cookies expire after 30 days and are not intended to personally identify Data Subjects. Information collected via the conversion cookies is used to compile conversion statistics for CarCutter. If Data Subjects use the services and the cookies have not expired, CarCutter may notice that the Data Subject has clicked the ad and was transferred to the service. CarCutter will be informed about the total number of users that have clicked the adverts and were referred to its services. However, CarCutter will not receive information which would allow it to identify the Data Subject.
INTEGRATION OF SERVICES AND CONTENT OF THIRD PARTIES
The Services may use third-party-plugins to integrate their content and services (as for example “YouTube”-movies). If Data Subjects give their consent according to Art 6 Section1 lit a) GDPR to the activation of such plugins by clicking on a respective button, a direct connection is created to the third-party-servers and the plugin will be activated. The embedded content of the plugins will then be sent to the Data Subjects’ browser. The third party is thereby informed that CarCutters’ services have been visited even if the Data Subject is not logged into the third-party-service at the same time. The plugin transfers protocol data to the third-party-servers. This log information may include the following data: IP address, the address of the visited services, which may also include plugin-features, the type and settings of the browser, the date and time of request, the use of the plugins and cookies.
The transferred data will be processed by the third party according to their privacy policies. CarCutter is not aware of the content of the transferred data and of the procession of the transferred data by the third party.
- DATA PROCESSORS
When data processing is carried out on behalf of CarCutter, it only appoints processors within the meaning of Art 4 Section8 GDPR providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the data protection regulations and ensure the protection of the rights of the Data Subjects. For this purpose, CarCutter enters into appropriate contracts with its processors which meet the requirements of Art 28 GDPR and respects Art 44 GDPR for data processors based in non-EU member states (third countries).
CarCutters’ data processors are currently:
| Name | Use | Location of servers | Links to Data Protection Documents |
| AWS | Cloud infrastructure (processing & hosting) | Ireland, Oregon, Mumbai | https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__French_Translation_2022-03-08.pdf https://aws.amazon.com/agreement/ |
| Scaleway | Cloud infrastructure (processing) | France | https://www.scaleway.com/en/contracts/ |
| Runware | Cloud infrastructure (processing) | Europe and United States | https://runware.ai/terms |
| Make (Celonis) | Automation for information storage | Ireland | https://www.make.com/en/terms-and-conditions |
| Slack (Salesforce) | Internal communication | United States (hosted by AWS) | https://slack.com/intl/fr-fr/trust/privacy/privacy-policy#international |
| Google Analytics 4 | Audience measurement (unidentifiable data only) | United States | https://policies.google.com/privacy?hl=en |
| Firebase | Evaluating product performance | United States | https://firebase.google.com/support/privacy |
| Sendgrid (Twilio) | Send transactional emails to users | United States | https://www.twilio.com/legal/data-protection-addendum https://sendgrid.com/policies/security/ |
| Segment (Twilio) | Storage of events and control of data flow to third party tools | United States | https://segment.com/docs/privacy/complying-with-the-gdpr/ https://www.twilio.com/legal/security-overview |
| Mixpanel | Analysis of user behaviour on the platform to improve services | United States, European Union | https://mixpanel.com/legal/privacy-hub/ https://mixpanel.com/legal/security-overview/ |
| Stripe | Subscription purchasing and invoicing | Ireland | https://stripe.com/en-fr/legal/privacy-center |
| Atlassian | Client support, internal communication | Ireland, Germany | https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers |
| HubSpot | CRM | Germany | https://legal.hubspot.com/privacy-policy |
| Zoho | Invoicing support | United States, European Union, India | https://www.zoho.com/privacy.html |
| Microsoft Office 365 | Reporting tool | United States, European Union | https://www.microsoft.com/en-gb/privacy/privacystatement |
| Notion | Documentation tool | United States (hosted by AWS) | https://www.notion.com/help/privacy https://www.notion.so/notion/Notion-s-List-of-Subprocessors-268fa5bcfa0f46b6bc29436b21676734 |
| Hetzner | Servers | Germany, Finland | https://www.hetzner.com/legal/privacy-policy |
- DATA SECURITY
CarCutter implements, with regard to the criteria set out in Art 32 GDPR, adequate and appropriate technical and organizational measures to ensure a level of security and to protect the security of the processed Data from risks, such as unauthorized procession, destruction, loss and alteration.
The security of the Data is important to CarCutter, but no method of transmission over the Internet, or method of electronic storage is 100% secure. While CarCutter strives to use commercially acceptable means to protect the Data, it cannot guarantee its absolute security.
Additionally, to protect Data and content created through the Services, CarCutter strongly encourages:
- using strong passwords,
- limiting access to the accounts associated to the Services,
- limiting access to the devices used in connection with the Services,
- logging out when the Services are not used.
- RIGHTS OF DATA SUBJECTS
CarCutter safeguards the rights of the Data Subjects in accordance with the applicable data protection regulations. According to the current laws Data Subjects may assert the following (general) rights with regard to the processed Data by submitting a request to CarCutter.
Any request to exercise Data Subject rights shall be made in written form to the email address privacy@diffuse.ly
Binding deadlines in the data protection regulations will be respected by CarCutter.
Right to information and access
In accordance with Art 13 to 15 GDPR Data Subjects have the right to confirmation as to whether or not data concerning them are being processed, and, where that is the case, access to the data and information about the data processed and the rights of Data Subjects.
Right to rectification
In accordance with Art 16 GDPR Data Subjects have the right to obtain from CarCutter the rectification of inaccurate data concerning them.
Right to erasure
In accordance with Art 17 GDPR Data Subjects have the right to obtain from CarCutter the erasure of data concerning them without undue delay.
Right to restriction of processing
In accordance with Art 18 GDPR Data Subjects have the right to obtain from CarCutter restriction of processing.
Right to data portability
In accordance with Art 20 GDPR Data Subjects have the right to receive the data concerning them, which they have provided to CarCutter, in a structured, commonly used and machine-readable format and have the right to transmit those data directly to another controller, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of other subjects.
Right to object
In accordance with Art 21 GDPR Data Subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Art 6 Section1 lit e) or f), including profiling based on those provisions. In this case, CarCutter will no longer process the data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. Where the Data Subjects object to processing for direct marketing purposes, the data will no longer be processed for such purposes.
Right not to be subject to a decision based solely on automated processing, including profiling
In accordance with Art 22 GDPR Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Right to withdrawal of consent
According to Art 7 Sectionc3 GDPR Data Subjects have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority
In accordance with Art 77 GDPR and Para 24 DSG Data Subjects have the right to lodge a complaint with the Data Protection Authority (Datenschutzbehörde).
Right to an effective judicial remedy
In accordance with Art 79 GDPR and Para 27 DSG Data Subjects have without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the right to an effective judicial remedy (Recht auf Beschwerde an das Bundesverwaltungsgericht).
Individuals whose technical Access Data has been collected by CarCutter via the WebPlayer embedded on a Client’s website may also exercise any of the rights set out in this Section 13 directly with CarCutter, notwithstanding the fact that they have no direct contractual relationship with CarCutter. Such individuals may submit their request in written form to privacy@diffuse.ly. CarCutter will respond to any such request within the timeframes prescribed by applicable data protection law. Where CarCutter is unable to identify the individual from the Access Data alone, given that such data is collected and processed in a non-identifiable form, CarCutter will inform the requesting individual accordingly, in compliance with Art. 11 GDPR.
- CHANGES TO THIS PRIVACY POLICY
CarCutter may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary. If Data Subject rights are materially altered additional notice will be provided, such as via email or through Services.
Changes to this Privacy Policy are effective when they are posted on this page.
- LINGUISTIC DEVIATIONS
If this Privacy Policy is made available in other languages, CarCutter does not assume any warranty and liability for the (outsourced) translation into other languages. In case of linguistic deviations of the versions in other languages than English, the English version shall take precedence.