Privacy Policy

Privacy Policy

Introduction and Overview

We have written this privacy policy (version 16.05.2023-312505392) to inform you in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws about the personal data (referred to as “data”) we, as the data controller – and the processors we commission (e.g., providers) – process, will process in the future, and what lawful options you have. The terminology used is to be understood as gender-neutral. In short: We provide you with comprehensive information about the data we process about you. Privacy policies typically sound very technical and use legal terminology. This privacy policy, however, aims to describe the most important aspects as clearly and transparently as possible. Where it aids transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics are used. We aim to explain in simple and clear language that we only process personal data in the course of our business activities when there is a legal basis to do so. This cannot be achieved with vague, unclear, and overly legalistic language as is often standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps you’ll discover something you didn’t know before. If you still have questions, we kindly ask you to contact the responsible party listed below or in the imprint, follow the existing links, and consult third-party sources. You will also find our contact details in the imprint.

Scope of Application

This privacy policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information as defined in Art. 4 No. 1 GDPR such as a person’s name, email address, and postal address. The processing of personal data ensures that we can provide and bill for our services and products, whether online or offline. The scope of this privacy policy includes:

• all online presences (websites, online shops) we operate
• social media presences and email communication
• mobile apps for smartphones and other devices

In short: This privacy policy applies to all areas in which personal data is processed in a structured manner by the company via the aforementioned channels. If we enter into legal relationships with you outside these channels, we will inform you separately where appropriate.

Legal Bases

In the following privacy policy, we provide you with transparent information about the legal principles and regulations – the legal bases of the General Data Protection Regulation – that allow us to process personal data. Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can, of course, read this EU General Data Protection Regulation online at EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679. We process your data only if at least one of the following conditions is met:

1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be storing the data you entered in a contact form.
2. Contract (Article 6(1)(b) GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, we need personal data in advance to conclude a purchase agreement with you.
3. Legal Obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting. These typically contain personal data.
4. Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For instance, we must process certain data to operate our website securely and economically. This constitutes a legitimate interest.

Other grounds such as the performance of tasks carried out in the public interest or in the exercise of official authority and the protection of vital interests generally do not apply to us. If such a legal basis does become relevant, we will indicate this at the respective point. In addition to the EU Regulation, national laws also apply:

• In Austria, this is the Federal Act concerning the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act), abbreviated as DSG.
• In Germany, the applicable law is the Federal Data Protection Act, abbreviated as BDSG.

If other regional or national laws are applicable, we will inform you about them in the respective sections.

Contact Details of the Data Controller

If you have questions about data protection or the processing of personal data, you will find the contact details of the responsible person or entity below: enterDATA GmbH Hafenstr. 7 45881 Gelsenkirchen Authorized representatives: Michael Georg Schmitt, Dominik Kappel Email: info@enterdata.de Phone: +49 209 5130 8980 Imprint: https://enterdata.de/impressum/

Storage Duration

As a general principle, we store personal data only for as long as is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose has ceased to apply, for example for accounting purposes. If you request the deletion of your data or revoke your consent to data processing, the data will be deleted as soon as possible, provided there is no obligation to retain it. We will inform you below, where applicable, about the specific duration of each data processing activity.

Rights Under the General Data Protection Regulation

Pursuant to Articles 13 and 14 GDPR, we inform you of the following rights you have to ensure fair and transparent data processing:

• According to Article 15 GDPR, you have the right to obtain confirmation as to whether or not we process your data. If this is the case, you have the right to receive a copy of the data and to be informed about:
  • the purpose of the processing;
  • the categories of data being processed;
  • the recipients or categories of recipients of the data, especially if data is transferred to third countries and how the security is ensured;
  • the intended duration of storage or the criteria used to determine the duration;
  • the existence of rights to rectification, deletion, or restriction of processing and the right to object to processing;
  • the right to lodge a complaint with a supervisory authority;
  • the origin of the data, if it was not collected directly from you;
  • whether profiling is performed and what logic and consequences this entails.
• You have the right to rectification under Article 16 GDPR, meaning we must correct your data if it is incorrect.
• You have the right to erasure (“right to be forgotten”) under Article 17 GDPR.
• You have the right to restriction of processing under Article 18 GDPR, meaning we may only store the data but not use it further.
• You have the right to data portability under Article 20 GDPR, meaning we provide your data in a commonly used format upon request.
• You have the right to object to processing under Article 21 GDPR, which can result in changes to processing:
  • If the processing is based on Article 6(1)(e) or (f) GDPR, you may object, and we will examine whether we can comply with your objection.
  • If data is used for direct marketing, you may object at any time. We must then stop using the data for this purpose.
  • If data is used for profiling, you may also object to this processing at any time.
• According to Article 22 GDPR, you may have the right not to be subject to a decision based solely on automated processing (e.g., profiling).
• Under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

In short: You have rights – don’t hesitate to contact the responsible office listed above! If you believe that your data has been processed unlawfully or your data protection rights have otherwise been violated, you can contact the supervisory authority. In Austria, this is the Data Protection Authority, whose website can be found at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection officer. You can find information via the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the responsible local data protection authority is:

North Rhine-Westphalia Data Protection Authority

Commissioner for Data Protection: Bettina Gayk Address: Kavalleriestraße 2-4, 40213 Düsseldorf Phone: 02 11/384 24-0 Email: poststelle@ldi.nrw.de Website: https://www.ldi.nrw.de/

Data Transfers to Third Countries

We only transfer or process data in countries outside the EU (third countries) if you consent to such processing, if it is legally required, or if it is contractually necessary and in any case only to the extent that it is generally permitted. In most cases, your consent is the most important basis for processing data in third countries. The processing of personal data in third countries such as the USA – where many software providers operate and host their servers – may mean that personal data is processed and stored in unexpected ways. We expressly point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data processing by US services (such as Google Analytics) may result in data not being processed and stored anonymously. Additionally, US government authorities may access individual data. Furthermore, it may occur that collected data is linked with data from other services of the same provider, provided you have a corresponding user account. Whenever possible, we try to use server locations within the EU if offered. We provide more detailed information about data transfers to third countries in the appropriate sections of this privacy policy, if applicable.

Data Processing Security

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible, within our capabilities, for third parties to infer personal information from our data. Article 25 of the GDPR refers to “data protection by design and by default” and means that both software (e.g., forms) and hardware (e.g., access to the server room) should always consider security and implement appropriate measures. In the following sections, we will describe specific measures in more detail if necessary.

TLS Encryption with https

TLS, encryption, and https may sound technical—and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transfer data securely on the Internet. This means that all data transmissions from your browser to our web server are secured – no one can “listen in”. By implementing HTTPS, we’ve added an extra layer of security and fulfill data protection through technology design (Article 25 paragraph 1 GDPR). With the use of TLS (Transport Layer Security), a protocol for secure data transfer on the Internet, we ensure the protection of confidential data. You can recognize the use of this protection by the small lock symbol in the top left corner of your browser, next to the website address (e.g., examplepage.com), and the use of the https scheme (instead of http) as part of our web address. If you’d like to learn more about encryption, we recommend a Google search for “Hypertext Transfer Protocol Secure wiki” for helpful resources.

Communication

Communication Summary Affected parties: Anyone who communicates with us via telephone, email, or online form Processed data: e.g., phone number, name, email address, form input. More details can be found in the respective communication method Purpose: Handling communication with customers, business partners, etc. Storage duration: Duration of the business case and legal requirements Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract), Art. 6 para. 1 lit. f GDPR (legitimate interests)

If you contact us by phone, email, or online form, personal data may be processed. These data are processed to handle and respond to your inquiry and the related business transaction. The data is stored for as long as necessary or as legally required.

Affected Persons

All individuals who contact us through the communication channels provided are affected by the processes mentioned.

Telephone

If you call us, the call data may be pseudonymously stored on the device used and by the telecommunications provider. Data such as name and phone number may also be emailed and stored for responding to the inquiry. The data is deleted when the business case ends and as permitted by law.

Email

If you communicate with us via email, the data may be stored on your device (e.g., computer, smartphone) and also on the email server. The data is deleted when the business case ends and legal retention periods allow.

Online Forms

If you contact us via an online form, the data is stored on our web server and possibly forwarded to one of our email addresses. The data is deleted once the business case ends and retention obligations permit.

Legal Bases

Data processing is based on the following legal grounds:

• Art. 6 para. 1 lit. a GDPR (consent): You give us permission to store and use your data for purposes related to the business transaction;
• Art. 6 para. 1 lit. b GDPR (contract): The processing is necessary to fulfill a contract or pre-contractual measures, e.g., preparing an offer;
• Art. 6 para. 1 lit. f GDPR (legitimate interests): We want to handle customer inquiries and communication professionally. For this, certain technical tools like email programs, servers, and telecom providers are needed to communicate efficiently.

Cookies

Cookies Summary Affected: Visitors to the website Purpose: Depends on the specific cookie. More details below or from the provider setting the cookie Processed data: Varies per cookie. More details below or from the provider setting the cookie Storage duration: Varies by cookie, from hours to years Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What Are Cookies?

Our website uses HTTP cookies to store user-specific data. Below, we explain what cookies are and why they are used so that you better understand the following privacy policy. Every time you surf the internet, you use a browser. Common browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies. Cookies are useful helpers. Almost all websites use cookies. More precisely, they are HTTP cookies, as there are other cookies for other applications. HTTP cookies are small files stored on your computer by our website. These cookie files are automatically placed in your browser’s cookie folder—essentially the “memory” of your browser. A cookie consists of a name and a value. Additionally, one or more attributes must be defined for each cookie. Cookies store certain user data, such as language or personal page settings. When you revisit our site, your browser returns the user-related information. Thanks to cookies, our website knows who you are and offers you your preferred settings. In some browsers, each cookie is stored in a separate file; in others (like Firefox), all cookies are stored in a single file. The following graphic shows how a browser and web server interact to set a cookie: There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, while third-party cookies come from partner websites (like Google Analytics). Each cookie should be considered individually, as it stores different data and may have different expiration times—from a few minutes to several years. Cookies are not programs and do not contain viruses, trojans, or other harmful software. They also cannot access information on your PC. Example cookie data: Name: _ga Value: GA1.2.1326744211.152312505392-9 Purpose: Differentiating website visitors Expiration: After 2 years Minimum browser cookie support should include:

• At least 4096 bytes per cookie
• At least 50 cookies per domain
• At least 3000 cookies in total

What Types of Cookies Are There?

Which cookies we use depends on the services used, detailed further in the next sections. Here’s a general classification of HTTP cookies: Essential Cookies: Needed for basic site functionality (e.g., shopping cart persistence). Functional Cookies: Collect info on user behavior or site errors; also used to measure performance. Targeting Cookies: Improve usability by remembering input like location or font size. Advertising Cookies: Deliver personalized ads (a.k.a. targeting cookies). Usually, you are asked on first visit which cookie types you allow. Your selection is saved in a cookie as well. For in-depth technical info, see: RFC6265: HTTP State Management Mechanism

Purpose of Cookie Processing

The purpose depends on the specific cookie. More info is given below or by the software provider that sets the cookie.

What Data Is Processed?

Since cookies are helpers for various tasks, the data stored varies and is described further below.

Cookie Storage Duration

Storage varies by cookie: some are deleted after an hour, others may last years. You can delete cookies manually at any time via your browser. Cookies based on consent are deleted upon revocation, without affecting past legality.

Right to Object – How to Delete Cookies

You always have control over cookie use. You can allow, block, or delete cookies in your browser settings. Here are browser-specific help links: – Chrome – Safari – Firefox – Internet Explorer – Edge For general guidance, search “delete cookies [browser]” (e.g., “delete cookies Chrome”).

Legal Basis

Since 2009, EU “cookie directives” require consent (Art. 6 para. 1 lit. a GDPR) for setting cookies. In Austria, this is § 96 para. 3 TKG; in Germany, § 15 para. 3 TMG. Necessary cookies may be used based on legitimate interests (Art. 6 para. 1 lit. f GDPR), such as ensuring a functional website. All other cookies are set only with your consent (Art. 6 para. 1 lit. a GDPR). Details follow below.

Application Data

Application Data Summary Affected: Users applying for a job with us Purpose: Management of the application process Processed data: Name, address, contact data, email address, phone number, qualifications (certificates), possibly special categories of data Storage duration: If hired, until end of employment; otherwise deleted after application process unless consent given for longer storage Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interest), Art. 6 para. 1 lit. b GDPR (contract), Art. 9 para. 2 lit. a GDPR (special categories)

What is Application Data?

You may apply for a job with us via email, online form, or recruiting tool. All data we receive and process as part of your application are considered application data. This includes personal data like name, birthdate, address, and phone number.

Why Do We Process Application Data?

We process your data to conduct a proper selection process for the advertised position. Additionally, we may keep your application in our archive (with your consent) in case we wish to consider you for a future role. Your data will only be processed internally and responsibly—only by people involved in the application process.

What Data is Processed?

Depending on the job posting, we process only data that is necessary to decide on your employment. Typically, this includes name, birthdate, contact data, and qualification documents. If you apply via online form, data is transmitted securely. If sent by email, no encryption occurs during transfer. Once on our servers, we are responsible for handling it properly. In some cases, we may also request sensitive data (e.g., health, ethnicity) to comply with employment and social security regulations. These fall under “special categories of data.” Possible data categories include:

• Name
• Contact address
• Email address
• Phone number
• Date of birth
• Resume and cover letter info
• Certificates
• Special category data (e.g., health, ethnicity, religion)
• Usage data (visited websites, access logs, etc.)
• Metadata (IP address, device info)

How Long Is the Data Stored?

If hired, your data becomes part of your personnel file and is stored until the end of your employment. If you are not hired, reject the offer, or withdraw your application, we may store your data for up to 6 months (based on legitimate interest, Art. 6 para. 1 lit. f GDPR) to clarify follow-up questions or legal claims. If no further need exists, data is deleted after that period—unless legal retention requirements apply. With your consent, we may store data longer (e.g., in a talent pool). You can revoke this consent at any time. Without revocation, we will delete the data after 2 years.

Legal Basis

We rely on the following legal bases: – Art. 6 para. 1 lit. a GDPR (consent) – Art. 6 para. 1 lit. b GDPR (contract/pre-contract measures) – Art. 6 para. 1 lit. f GDPR (legitimate interests) – Art. 9 para. 2 lit. a GDPR (special category data) If you are added to our talent pool, this is based on your explicit consent (Art. 6 para. 1 lit. a GDPR). Your consent is voluntary and revocable at any time without affecting the application process. In case of vital interest, data may also be processed under Art. 9 para. 2 lit. c GDPR. For healthcare-related services, Art. 9 para. 2 lit. h GDPR applies.

Customer Data

Customer Data Summary Affected: Customers and business/contract partners Purpose: Delivery of contractual/pre-contractual services and communication Processed data: Name, address, contact info, email, phone, payment info (e.g., invoices, bank data), contract info (e.g., duration, subject), IP address, order data Storage duration: Deleted once no longer required for business purposes and no legal obligation exists Legal bases: Art. 6 para. 1 lit. f GDPR (legitimate interest), Art. 6 para. 1 lit. b GDPR (contract)

What Is Customer Data?

To offer and provide our services, we process customer and partner data, which always includes personal data. “Customer data” refers to all info gathered and processed as part of a contractual or pre-contractual relationship.

Why Do We Process Customer Data?

We process customer data to provide our services. Sometimes, we only need your email address. In other cases, we need full contact, payment, and contract details. We also use this data to improve our marketing and services and for customer support, which we highly value.

What Data Is Processed?

The exact data depends on the service. Examples include:

• Name
• Address
• Email
• Phone number
• Date of birth
• Payment data (e.g., invoices, bank info)
• Contract data (e.g., term, content)
• Usage data (e.g., website visits)
• Metadata (e.g., IP address, device)

How Long Is the Data Stored?

We delete customer data as soon as it is no longer needed for our purposes or legal retention obligations end. For example, after a contract ends, the regular limitation period is 3 years, but it may vary. We do not share customer data without your explicit consent.

Legal Basis

– Art. 6 para. 1 lit. a GDPR (consent) – Art. 6 para. 1 lit. b GDPR (contract) – Art. 6 para. 1 lit. f GDPR (legitimate interests) – Art. 9 para. 2 lit. a GDPR (special category data, if applicable) In case of vital interest (e.g., medical services), Art. 9 para. 2 lit. c or h GDPR may apply.

External Hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the servers of the hoster. This may include, in particular, IP addresses, contact inquiries, metadata and communication data, contract data, contact details, names, website accesses, and other data generated via a website.

The use of the hoster is for the purpose of fulfilling contractual obligations towards our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of providing our online services securely, quickly, and efficiently through a professional provider (Art. 6 para. 1 lit. f GDPR). If consent has been requested, processing is based solely on Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent may be revoked at any time.

Our hoster processes your data only to the extent necessary to fulfill its service obligations and follows our instructions regarding this data.

We use the following hoster:

Hetzner Online GmbH
Industriestr. 25
91719 Gunzenhausen, Germany
Tel.: +49 (0)9831 505-0
Email: info@hetzner.com

Data Processing Agreement

We have concluded a data processing agreement (DPA) with the provider mentioned above. This is a legally required contract that ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Web Hosting – Introduction

Web Hosting Summary Affected: Visitors to the website Purpose: Professional hosting of the website and operational security Processed data: IP address, time of website visit, browser used, and other data. More details below or from the hosting provider used Storage duration: Depends on the provider, usually 2 weeks Legal bases: Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is Web Hosting?

When you visit websites, including ours, certain information—including personal data—is automatically created and stored. These data should be processed as minimally and justifiably as possible. To view a website, your browser connects to a web server. The server’s hosting is usually handled by professional providers. They store website data and make it accessible. This setup is referred to as “web hosting.” During the connection and data transfer, personal data may be processed by both your browser and the hosting provider’s server.

Why Do We Process Personal Data?

Purposes include:

1. Professional hosting and secure operation of the website
2. Maintaining operational and IT security
3. Anonymous analysis of visitor behavior to improve the site and for legal enforcement if necessary

What Data Is Processed?

Data automatically stored by the web server typically includes:

• The full URL of the accessed webpage
• Browser and version (e.g., Chrome 87)
• Operating system (e.g., Windows 10)
• Referrer URL (previous page visited)
• Hostname and IP address of the accessing device
• Date and time
• Web server log files

How Long Are Data Stored?

Usually, these data are stored for two weeks and then deleted automatically. The data is not shared, but we cannot rule out that authorities may access the data in case of unlawful behavior. In short: Your visit is logged by our provider but is not shared without your consent!

Legal Basis

The legality of this processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interests), as using a professional hosting provider is necessary for safe and user-friendly online operations and to detect and pursue any attacks. We usually have a DPA with the hosting provider in accordance with Art. 28 GDPR to ensure GDPR-compliant handling of personal data.

Web Analytics – Introduction

Web Analytics Summary Affected: Visitors to the website Purpose: Analysis of visitor data to optimize the website Processed data: Access statistics, including location, device data, duration, navigation, click behavior, IP addresses. More details below or from each analytics tool Storage duration: Depends on the analytics tool Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What Is Web Analytics?

We use software on our website to analyze user behavior—known as web analytics or web analysis. These tools collect, manage, and process data from website visits. The data helps us understand how users interact with our site and improve its functionality and content. Most tools also support A/B testing to see which content or design performs better.

Why Do We Use Web Analytics?

Our goal is to offer the best web experience possible. Web analytics tools help us understand who visits our site, what content they prefer, and how we can improve it. This supports both technical enhancements and strategic marketing.

What Data Is Processed?

The data processed depends on the tool used, but typically includes:

• Viewed pages and content
• Clicks on buttons or links
• Visit timestamps
• Browser and device type
• Operating system
• IP address (usually pseudonymized)

No directly identifying personal data (like name or email) is processed.

Duration of Processing

We only process personal data as long as necessary to provide services, or longer if legally required (e.g. accounting).

Right to Object

You can revoke your consent for analytics at any time via our cookie settings or browser tools.

Legal Basis

Web analytics require your consent (Art. 6 para. 1 lit. a GDPR). We also have a legitimate interest (Art. 6 para. 1 lit. f GDPR) in optimizing our service—but we only activate these tools after you consent.

Google Analytics Privacy Policy

Google Analytics Summary Affected: Website visitors Purpose: Evaluation of visitor behavior to optimize the website Processed data: Access data like location, device, duration, navigation behavior, click behavior, IP addresses Storage duration: Depends on property settings Legal bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What Is Google Analytics?

We use Google Analytics, a tracking tool by Google Ireland Ltd (for EU). The tool records your actions on our site via cookies and tracking code. We receive reports on user behavior that help us improve the site. Google Analytics tracks:

• User demographics and interests
• Advertising performance
• User acquisition channels
• User behavior and site navigation
• Conversions (e.g., newsletter sign-ups, purchases)
• Real-time activity on the website

Why Do We Use Google Analytics?

To improve usability and performance of our site. The insights help us focus on relevant content and marketing, reduce bounce rates, and optimize conversion rates.

What Data Is Stored?

Google Analytics sets cookies with randomly generated user IDs to track sessions and behavior pseudonymously. Data may include:

• Page views
• Session duration
• Device and browser data
• IP address (anonymized)

Examples of Cookies:

• _ga – Distinguishes users (2 years)
• _gid – Distinguishes users (24 hours)
• _gat – Throttle request rate (1 minute)
• __utma, __utmb, __utmc, __utmz – legacy cookies with various purposes and durations

More Info

For more on data processing by Google, see: https://policies.google.com/privacy Opt-out plugin: https://tools.google.com/dlpage/gaoptout You can also manage cookie settings directly in your browser. —