Skip to main content

Better safe than sorry - cluetec Audit and mQuest data protection

Zwei Auditoren, eine Frau und ein Mann, mit Tablets und der cluetec Audit Software

1. data protection at a glance

1.1 General notes and mandatory information

cluetec takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use the mQuest services, various personal data are collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done. We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

1.2 How mQuest works

mQuest is the survey and data collection software from cluetec GmbH, Karlsruhe. cluetec is a German company whose products and services support its customers in their survey and data collection tasks using mobile devices or browsers. cluetec is a technical service provider and does not generally conduct any surveys or polls itself. mQuest is used exclusively by cluetec or by companies that have acquired a license from cluetec (hereinafter referred to as “customers”). The mQuest services are provided by cluetec as “Software as a Service” (SaaS). Direct access to the mQuest services by third parties (e.g. test persons) cannot be excluded. In some cases, mQuest customers also operate the software on their own responsibility in their own data center. In these cases, the mQuest customer is the only contact person in matters of data protection, as cluetec does not process any personal data. In these cases, please contact the respective mQuest customer directly. The following information provides a simple overview of what happens to your personal data when you use our mQuest services. Personal data is any data that can be used to identify you personally. Personal data can come from mQuest customers as well as from users of the mQuest forms or be entered by employees of mQuest customers. This privacy policy applies to the mQuest services. The privacy policy for visitors to our website can be found at https://cluetec-audit.de/privacy-statement-eu/

2. data acquisition via mQuest services

2.1 Cookies

Some of the web-based mQuest services use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our services more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser. Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies enable us to recognize your browser on your next visit. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of mQuest services may be restricted. Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested are stored on the basis of Art. 6 para. 1 lit. f GDPR. cluetec has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services. Insofar as other cookies (e.g. cookies for analyzing your surfing behavior) are stored, these are treated separately in this privacy policy.

2.2 Server log files

cluetec automatically collects and stores data from the devices and applications through which users gain access to cluetec’s services in so-called server log files. Such data may include, for example, IP addresses, user names/access codes, version of the app and operating system, type of device, application ID, system and execution information, time and browser type/version. Our servers collect this data and store it in log files. cluetec uses these log files for purposes such as system administration and maintenance, recording and security (i.e. monitoring to protect against misuse, spam and DDOS attacks). These purposes constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR. This is also the legal basis for the processing. This data is deleted 120 days after entry. This data will not be merged with other data sources unless you give us your consent to do so, the merging is based on a contract or on another legal basis. Furthermore, cluetec stores this data together with certain actions, such as the deletion of data records, that users perform in the system.

2.3 User access

User access is sometimes required to use the mQuest services. This requires at least a valid e-mail address and is necessary, for example, for the “forgotten password” function, the optimization of the mQuest services or the sending of information relating to the mQuest services. Further details such as title, surname, name, telephone number or company are voluntary. The basis for data processing is, depending on the design, Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual actions, or Art. 6 para. 1 lit. a GDPR, which requires consent. Both legal bases are based on a relationship between the user and the mQuest customer who uses the mQuest services. The latter is also the contact person for the implementation of the actions. User accounts and their further details can be changed or deleted at any time by the administrators of the mQuest customers. If a customer contract is terminated or expires, all data collected via mQuest will be deleted.

2.4 Data collection via mQuest forms

cluetec provides the mQuest services to its customers as “Software as a Service” (SaaS). The forms used for data collection are created and provided by the mQuest customers. As a result, the mQuest customer also determines which types of data are collected. The mQuest customer is the “controller” within the meaning of the GDPR.

It is the responsibility of the mQuest customer to ensure that data collection and processing complies with applicable laws and data protection regulations, e.g. the GDPR. The basis for data processing is, depending on the design, Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual actions, or Art. 6 para. 1 lit. a GDPR, which requires consent. Both legal bases are based on a relationship between the user and the mQuest customer. In this relationship, please contact the mQuest customer.

mQuest customers with an active contract have control over the purpose and duration of the data processing and therefore also the responsibility for the deletion of the collected data. When a customer contract is terminated or expired, all data collected via mQuest will be deleted.

Data that cluetec receives from its clients will be used exclusively for the purpose specified in the order. It will not be passed on to third parties.

Forms that use the Aztec code scanner photo function can read data from tickets in UIC918* and VDV format. Personal data that may be stored in the Aztec code of the ticket is not saved.

In order to always provide a positive user experience, analytics data is collected in mQuest Audit using Microsoft Azure’s Application Insights. This data is anonymous and is used exclusively to improve the web application by allowing us to analyze performance, errors and page views.

2.5 Data collection via Audit Intelligence

Audit Intelligence comprises all AI-based functions in cluetec Audit that aim to optimize the audit process through improved insights and automated data analysis.

Audit Intelligence uses Azure OpenAI and Azure AI Services to provide these advanced capabilities. Data from audit reports, including results, findings, mitigation actions and actions, can be collected and used to analyze and refine the AI capabilities. The extent of data use depends on the specific function and intended use case of the AI function used.

In addition, personally identifiable information or personally identifiable information (PII) in client data such as audit reports or findings – including names, emails and addresses of auditors and assigned personnel – may be collected and used by Audit Intelligence. This data collection is solely for the purpose of achieving the intended function or objective of the AI-based services offered and is done in accordance with applicable data protection laws.

The processing of data by Audit Intelligence, including inputs (prompts) and outputs (completions) as well as embeddings of documents, is protected as follows:

  • They are NOT accessible to other customers.
  • They are NOT accessible to other model suppliers.
  • They are NOT used by Azure Direct Model providers to improve their models or services.
  • They will NOT be used to train generative AI base models without your explicit permission or instruction.

We store relevant data, including inputs (prompts) and outputs (completions), separately and solely for the purpose of improving the AI Services and for no other purpose. This approach to data management is done in strict compliance with applicable data protection laws to ensure privacy and confidentiality.

3. your rights

You have the right:

  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
  • in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
  • in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller
  • in accordance with Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. The consequence of this is that we may no longer continue the data processing based on this consent in the future and
  • to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.
  • Please direct inquiries (e.g. requests from data subjects, requests for information, etc.) to the responsible body, normally the cluetec customer who uses the mQuest services.

If you would like to contact cluetec directly as a processor, please contact us at datenschutz@cluetec.de or at the address given in the imprint of our website: https://cluetec-audit.de/impressum

4. safety

4.1 SSL or TLS encryption

The mQuest services use SSL or TLS encryption for security reasons and to protect the transmission of confidential content that you send to us as the processor. You can recognize an encrypted connection in browsers by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. In the mQuest app, you can recognize this in the settings menu under QuestServer settings: SSL connection active.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

4.2 Confidentiality and state of the art

All data collected via mQuest services is treated as confidential by cluetec. All data is stored securely and access to the data is only granted to authorized personnel.
To ensure the security of your data, cluetec implements state-of-the-art technical and organizational actions.

5. data protection officer

Data protection officer required by law

We have appointed a data protection officer for our company.
Thomas Heimhalt | Datenschutz perfect GmbH
datenschutz@cluetec.de

Data processing locations

Data processing by cluetec takes place exclusively within the EU.

7. subcontractors

Provider of cloud services

Microsoft Ireland Operations Limited
 Private Company Limited by Shares | Registered in Ireland | No. 256796
70 Sir John Rogerson’s Quay | Dublin 2 | Ireland
https://azure.microsoft.com/de-de/

MongoDB, Inc.
1633 Broadway | 38th Floor | New York, NY 10019
https://www.mongodb.com/

8. changes to this privacy policy

We reserve the right to change our privacy policy if this should be necessary due to new technologies. Please ensure that you have the latest version.

Last change: 13.05.2026