Privacy Policy

Effective Date: January 1, 2025

1. Introduction

FocusFirst GmbH ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use OrgForward, our organizational assessment platform ("Service").

2. Data Controller

FocusFirst GmbH
Neue Mainzer Str. 66-68
60311 Frankfurt am Main
Germany

Phone: +49 69 870 078 740
Email: hello@focusfirst.com

For data protection inquiries, please contact us at: hello@focusfirst.com

3. Information We Collect

3.1 Information You Provide

  • Account Information: Name, email address, phone number, company details
  • Organizational Data: Company structure, stakeholder information, project details
  • Assessment Data: Survey responses, ratings, and feedback
  • Contact Information: Stakeholder details including names, roles, email addresses, and contact information
  • Communication Data: Messages, support requests, and feedback

3.2 Information Automatically Collected

  • Usage Data: Pages visited, features used, time spent on platform
  • Technical Data: IP address, browser type, device information, operating system
  • Cookies and Tracking: As described below
  • Log Data: Server logs, error reports, and performance metrics

3.3 Information from Third Parties

  • Authentication Providers: If you use social login or SSO
  • Payment Processors: Billing information for subscription management
  • Integration Partners: Data from connected business applications

4. How We Use Your Information

4.1 Primary Purposes

  • Service Delivery: Provide and operate the OrgForward platform
  • Assessment Processing: Conduct organizational assessments and generate insights
  • Account Management: Manage your account, subscriptions, and billing
  • Communication: Send service updates, support responses, and platform notifications

4.2 Secondary Purposes

  • Service Improvement: Analyze usage patterns to enhance platform functionality
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: Meet legal obligations and respond to lawful requests
  • Business Operations: Internal reporting, analytics, and business planning

4.3 Automated Processing

We use automated systems to analyze data and provide insights. All processing is performed securely and in compliance with data protection laws.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: To provide the Service you have subscribed to
  • Legitimate Interest: For service improvement, security, and business operations
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

6. Data Sharing and Disclosure

6.1 We DO NOT sell your personal data to third parties.

6.2 We may share your information with:

Service Providers:

  • Cloud hosting providers
  • Payment processors
  • Email service providers
  • Analytics and monitoring services

Business Transfers:

  • In case of merger, acquisition, or sale of assets

Legal Requirements:

  • To comply with legal obligations
  • To protect our rights and safety
  • To respond to lawful government requests

6.3 Data Location

Your data is primarily stored in data centers within the European Union. We may transfer data to other jurisdictions only with appropriate safeguards in place.

7. Data Security

We implement comprehensive security measures including:

7.1 Technical Safeguards

  • Encryption: Data encrypted in transit and at rest using industry-standard protocols
  • Access Controls: Role-based access with multi-factor authentication
  • Database Security: Secure database architecture with isolation controls
  • Regular Audits: Security assessments and monitoring
  • Incident Response: 24/7 security monitoring and response procedures

7.2 Organizational Safeguards

  • Staff Training: Regular privacy and security training for all employees
  • Data Minimization: We collect only necessary data for service provision
  • Vendor Management: Careful vetting of all service providers

8. Your Data Protection Rights (GDPR)

Under GDPR, you have the following rights:

8.1 Right of Access

Request a copy of the personal data we hold about you.

8.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data under certain circumstances.

8.4 Right to Restrict Processing

Request limitation of how we process your personal data.

8.5 Right to Data Portability

Request transfer of your data to another service provider.

8.6 Right to Object

Object to processing based on legitimate interests or for direct marketing.

8.7 Right to Withdraw Consent

Withdraw consent for processing activities that require consent.

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority.

To exercise these rights, contact us at: hello@focusfirst.com

9. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained while your account is active
  • Assessment Data: Retained for business purposes as required by law
  • Communication Data: Retained for support and legal purposes
  • Technical Logs: Retained for security and performance monitoring

You may request earlier deletion of your data, subject to legal and contractual obligations.

10. Children's Privacy

OrgForward is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children under 16.

11. International Data Transfers

When we transfer your data outside the European Economic Area (EEA), we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate data protection laws
  • Standard Contractual Clauses: EU-approved contract terms for data transfers
  • Binding Corporate Rules: Internal policies for group company transfers

12. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Remember your preferences and settings
  • Analyze platform usage and performance
  • Provide personalized content and features
  • Ensure security and prevent fraud

You can manage cookie preferences through your browser settings.

13. Marketing and Communications

13.1 Service Communications

We may send you service-related emails about your account, security updates, and important platform changes.

13.2 Marketing Communications

We may send marketing emails about new features and company updates. You can unsubscribe at any time by:

  • Clicking the unsubscribe link in emails
  • Updating your communication preferences in your account settings
  • Contacting us at hello@focusfirst.com

14. Third-Party Services

Our platform may integrate with third-party services. These services have their own privacy policies, and we are not responsible for their data practices.

15. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users without undue delay
  • Provide information about the breach and steps we are taking to address it

16. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. We will:

  • Post the updated policy on our website
  • Notify you via email of material changes
  • Update the "Effective Date" at the top of this policy

17. Contact Information

For questions about this Privacy Policy or our data practices, please contact us:

General Inquiries:
Email: hello@focusfirst.com
Phone: +49 69 870 078 740

Postal Address:
FocusFirst GmbH
Neue Mainzer Str. 66-68
60311 Frankfurt am Main
Germany


Last updated: January 1, 2025