Privacy statement mQuest®


1 Data protection at a glance

1.1 General notes and mandatory information

cluetec takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with data protection laws and the present data protection statement.

Various personal data will be collected if you use the mQuest services. Personal data means data that can be used to identify you personally. The present data protection statement explains, which data we collect and what we use them for. It also explain how and for what purpose this is done.

Please note that data transmission on the internet (e.g. for communication by e-mail) may be subject to security breaches. Absolute protection of the data against third party access is not possible.

1.2 Functioning of mQuest

mQuest is the survey software of cluetec GmbH, Karlsruhe. cluetec is a German company, which offers products and services to support its customers in their tasks with the survey and collection of data using mobile devices or through browsers. cluetec is a provider of technical services and does not, as a rule, conduct any surveys or data collections itself.

mQuest is used exclusively by cluetec or companies who acquired a license from cluetec for this purpose (hereinafter called "customers"). The mQuest services are provided by cluetec as "Software as a Service" (SaaS). Direct access to the mQuest services by third parties (e.g. test persons) cannot be ruled out.

In some cases, the customers of mQuest also operate the software independently in an own data processing center. In these cases, the mQuest customer is the only contact partner with respect to data protection because cluetec does not process any personal data. In these cases, please contact the respective mQuest customer directly.

The following notes will give you a simple overview about what happens to your personal data when you use our mQuest services. Personal data means all data that can be used to identify you personally. Personal data may originate both from mQuest customers as well as from users of the mQuest forms or be entered by employees of the mQuest customers.

This data protection statement is related to the mQuest services. The data protection statement for visitors of our website is available on our website at

2 Data collection via mQuest services

2.1 Cookies

The web-based mQuest services partly use so-called cookies. Cookies do not cause any harm to your computer and do not contain any viruses. The purpose of cookies is to make our site more user-friendly, more effective and secure. Cookies are small text files, which are placed on your computer and saved by your browser.

Most of the cookies we use are so-called "session cookies". They are deleted automatically at the end of your visit . Other cookies remain in your terminal device's memory until you delete them. These cookies allow us to recognize your browser the next time you visit the site.

You can configure your browser so as to be informed about the placement of cookies, to allow cookies in individual cases only, to exclude the acceptance of cookies in certain cases or in general and to activate the automatic deletion of the cookies when closing your browser. Disabling cookies may restrict the functionality of the mQuest services

Cookies required for electronic communication operations or provision of certain functions desired by you are stored on the basis of Art. 6 (1) (f) GDPR. cluetec has a legitimate interest in storing cookies for technically error-free, optimized provision of its services. To the extent that other cookies (e.g. cookies for analysis of your surfing behavior) are stored, they will be dealt with separately in this data protection statement..

2.2 Server log files

cluetec automatically collects and stores data from the devices and applications used to obtain access to cluetec's services in so-called server log files. This data may include, for instance, the IP addresses, user names / access codes, App version and operating system version, type of device, application ID, system and implementation information, time and browser type / version. Our servers collect these data and store them in log files.

cluetec uses these log files for purposes of system administration and maintenance, recording and security (i.e. monitoring for protection against misuse, spam and DDOS attacks). These purposes represent our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR. It is also the legal basis for data processing. These data are deleted 120 days after their entry.

These data will not be combined with other data sources unless you give us your consent, or the combining of data is based on a contract or any other legal basis. Furthermore, cluetec stores these data together with certain actions, e.g. the deletion of data records, which users perform in the system.

2.3 User accesses

User accesses are partly required for use of the mQuest services. The indication of a valid e-mail address is the minimum requirement for this purpose as well as for the "forgot password" function, the optimization of the mQuest services or the transmission of information related to the mQuest services. Additional information such as Mr/Ms, last name, first name, telephone or company is voluntary.

The basis for data processing is, depending on the configuration, Art. 6 (1) (b) GDPR, allowing the processing of data for the performance of a contract or for taking steps prior to entering into a con-tract, or Art. 6 (1) (a) GDPR requiring the data subject's consent. Both legal foundations are based on a relationship between the user and the mQuest customer using the mQuest services. He is also the contact partner for implementation of the measures. User accesses and their additional information may be modified or deleted by the administrators of the mQuest customers any time.

If a customer contract has ended or expired, all data collected via mQuest will be deleted.

2.4 Data collection via mQuest forms

cluetec provides the mQuest services to its customers as "Software as a Service" (SaaS).The forms used for data collection are prepared and provided by the mQuest customers. As a consequence, the mQuest customer decides what types of data are collected. The mQuest customer is "controller" as defined in the GDPR. It is the responsibility of the mQuest customer to ensure that data collection and processing comply with the applicable laws and data protection regulations, e.g. the GDPR.

The basis for data processing is, depending on the configuration, Art. 6 (1) (b) GDPR, allowing the processing of data for the performance of a contract or for taking steps prior to entering into a contract, or Art. 6 (1) (a) GDPR requiring the data subject's consent. Both legal foundations are based on a relationship between the user and the mQuest customer. Within this relationship, please turn to the mQuest customer.

mQuest customers with an active contract have control over the purpose and duration of data pro-cessing and thus responsibility for deletion of the data collected. If a customer contract has ended or expired, all data collected via mQuest will be deleted.

Any data received by cluetec from its customers are used exclusively for the purpose indicated in the contract. The data will not be disclosed to third parties.

Forms that use the Aztec Code Scanner Photo feature can read data from UIC918 * and VDV tickets. Personal data, which may be stored in the Aztec code of the ticket, will not be stored.

In order to constantly provide a positive user experience, mQuest Audit collects analytics data using Microsoft Azure's Application Insights. These data are anonymous and are only used to improve the web application by analyzing performance, errors and page views.

3 Your rights

You have the right:

  • to demand information about your personal data processed by us in accordance with Art. 15 GDPR. You may, in particular, demand information about the purposes of processing, the categories of personal data, the categories of recipients to whom the personal data have been or will be disclosed, the envisaged period of storage, the existence of the right to rectification or erasure or restriction of processing or to object to such processing, the existence of a right to lodge a complaint, where the personal data are not collected from us, any available information as to their source, the existence of automated decision-making, including profiling, and meaningful information about details;
  • to demand, in accordance with Art. 16 GDPR, rectification of inaccurate personal data or completion of your personal data stored with us without undue delay;
  • to demand, in accordance with Art. 17 GDPR, the erasure of your personal data stored with us, unless processing such data is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
  • to demand, in accordance with Art. 18 GDPR, the restriction of processing of your personal data, as far as you contest the accuracy of the data, the processing is unlawful and you op-pose the erasure of the personal data and we no longer need the data but you require them for the establishment, exercise or defence of legal claims or you lodged objection against the processing in accordance with Art. 21 GDPR;
  • to demand, in accordance with Art. 20 GDPR, to receive the personal data, which you provided to us in a structured, commonly used and machine-readable format or to transmit those data to another controller;
  • at any time to withdraw the consent given to us, in accordance with Art. 7 (3) GDPR. The consequence of this is that we are not permitted to continue the data processing based on this consent, and
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority at your habitual residence or place of work or our domicile.
  • Please address your request (e.g., data subject requests, requests for information, etc.) to the responsible party, normally the cluetec customer who uses the mQuest services.

If you wish to turn to cluetec directly as processor, please contact us at datenschutz@cluetec.deor at the address indicated in our website's legal notice:

4 Security

4.1 SSL or TLS encryption

The mQuest services use SSL or TLS encryption for security reasons and for protection of the trans-mission of confidential content, which you send to us as processor. You can recognize an encrypted connection in your browser's address line when it changes from “http://” to “https://” and the lock icon is displayed in your browser's bar. You can recognize this in the mQuest App in the setup menu under QuestServer preferences: SSL Connection active.

When the SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

4.2 Confidentiality and state of the art

All data collected through mQuest services are treated confidentially by cluetec. All data are stored securely, and only authorized staff has access to the data..

cluetec implements technical/organizational measures in accordance with the state of the art to ensure the security of your data.

5 Data protection officer

Legally required data protection officer

We have appointed a data protection officer for our company.

Thomas Heimhalt | DATENSCHUTZ perfect e.K.
Office Karlsruhe-West | Stiller Winkel 4 | 76187 Karlsruhe
Telefon: +49 721 5315879

6 Place of data processing

Data processing by cluetec takes place in the EU exclusively.

7 Subcontractors

Operator of the data center

TelemaxX Telekommunikation GmbH
Amalienbadstraße 41 | Bau 61 | 76227 Karlsruhe | Germany

Operator of the cloud service

Microsoft Ireland Operations Limited
Private Company Limited by Shares | Registered in Ireland | No. 256796
70 Sir John Rogerson's Quay | Dublin 2 | Ireland

MongoDB, Inc.
1633 Broadway
38th Floor
New York, NY 10019

Operator of the OCR service

Landsberger Straße 300 | 80687 Munich | Germany

Managed Services

abilis GmbH IT-Services & Consulting
Lorenzstraße 8 | 76297 Stutensee | Deutschland

8 Amendments to this data protection statement

We reserve the right to amend our data protection statement should this be required as a result of new technologies. Please make sure that you have the latest version.

Last amended : 25th April 2022