Privacy Policy Blockbrain and Knowledge Bots (SaaS)

With the following privacy policy, we would like to inform you how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). This privacy policy applies to all processing of personal data carried out by us in the context of the provision of our services; further details are defined in the respective data processing agreement (DPA).

1. Responsibilities
The independent controller within the meaning of the GDPR for the processing for the provision and operation of the Knowledge Bots software under data protection law is:

Blockbrain GmbH
Marienstraße 37
70178 Stuttgart
E-mail: [email protected]

2. Responsibilities for the SaaS Platform

The independent controller within the meaning of the GDPR for any other processing carried out through the Knowledge Bots software as a SaaS platform is, under data protection law, the tenant.

3. Data Protection Officer

You can reach our data protection officer as follows:
SECJUR GmbH
Falkensteiner Ufer 40
22587 Hamburg
Telephone: +49 40 80 90 81 146
E-mail: [email protected]

You may contact our data protection officer at any time with any questions and suggestions regarding data protection as well as to exercise your rights.

4. Definitions

This privacy policy is based on the terminology used in the GDPR. To make it easier to understand, we would like to explain some important terms in this context:

  • Personal data are all information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data subject is any identified or identifiable natural person whose personal data are processed by the controllers.
  • Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Recipient is a natural or legal person, public authority, agency or another body to which personal data are disclosed, whether it is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.
  • Third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process the personal data.

5. Processing

5.1 Data for the Provision of the Website and the Creation of Log Files
If you use this website purely for informational purposes, without otherwise (e.g. by registering or using the contact form) transmitting data to us, we collect, via server log files, technically necessary data that are automatically transmitted to our server, including:

  • Date and time of access
  • IP address
  • Hostname of the accessing computer
  • Page visited on our website
  • Amount of data transmitted
  • Information about the browser type and version used
  • Operating system
  • Access status (e.g. whether the website could be accessed without problems or whether an error message occurred)
  • Use of website functions (to identify suspicious activities such as spam or brute-force attacks)
  • Frequency of access to our website (to identify suspicious activities such as bots or spam)

The temporary storage of the data is necessary for the course of a website visit in order to be able to display our website to you. This processing is technically necessary to ensure the functionality of the website and the security of the IT systems and to detect potential cases of misuse. The legal basis for this processing is Art. 6 (1) sentence 1 lit. f GDPR in order to guarantee the availability, security and stability of our website.

The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the provision of the website this is the case when the respective session has ended. The log files are stored for a maximum of up to 48 hours and are directly and exclusively accessible to administrators for security reasons (e.g. to clarify cases of misuse or fraud). Thereafter, they are only indirectly available via the reconstruction of backup tapes and are permanently deleted after a maximum of four weeks.

5.1.1 Web Hosting
We use WP Engine, Irongate House, 22–30 Duke’s Place, London, EC3A 7LP, United Kingdom, as our hosting provider, whose servers used for our purposes are located in Germany. When using this general data and information, we do not draw any conclusions about your person. The purposes we pursue in particular include:

  • Ensuring a smooth connection to the website
  • Clarification of cases of misuse or fraud
  • Problem analysis in the network, and
  • Evaluation of system security and stability.

The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 (1) sentence 1 lit. f GDPR. We have an overriding legitimate interest in being able to provide our services in a technically flawless manner. The log files are stored for a maximum of 7 days for security reasons (e.g. to clarify cases of misuse or fraud) and are then deleted. Data whose further retention is required for evidentiary purposes are retained until the final clarification of the matter.

5.1.2 Log Data
For the processing of technical logs, we use Datadog EU, a service of Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018, USA. The data are processed in Datadog EU data centres located on AWS infrastructure in Frankfurt, Germany. The European Commission has adopted an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. Based on this decision, data transfers to organisations in the USA that are appropriately certified are permissible. Datadog is certified under the EU-U.S. Data Privacy Framework. Information on data protection can be found here.

5.2 Cookie Banner

When you visit our website or a subpage containing cookies for the first time, a “cookie banner” is displayed. There you will be informed about the individual cookies which we use. For each cookie you can obtain information regarding its name, provider, purpose of processing and storage period.

With our cookie banner, we inform you about the specific cookies we use. In addition, we provide you with the option to decide whether you wish to consent to the setting of non-essential cookies. You can allow us to use non-essential cookies and also revoke this decision there again.
The following data are processed in this context:

  • Usage data (e.g. pages visited, time of access)
  • Meta and communication data (e.g. IP address)
  • Preferences (e.g. your preferred language or the region you are in)
  • Statistics (e.g. how visitors interact with the website, collected anonymously)

The legal basis for the use of the cookie banner is Art. 6 (1) sentence 1 lit. f GDPR. We have an overriding legitimate interest in using the cookie banner in order to obtain the legally required consent for the use of non-essential cookies and to comply with our information obligations regarding cookies.

The cookie banner stores your preferences until you reset or adjust them.
The cookie banner is provided via the provider Real Cookie Banner of devowl.io GmbH.

5.3 Use of Cookies

5.3.1 General Information
We use cookies on our website. These are text files that are automatically created by your browser and stored on your IT system when you visit our site. Certain information is transmitted to the respective entity that sets the cookie. It is not possible to execute programs or transmit viruses to your end device through the use of cookies. If you do not wish to use cookies, you can disable them in the settings. From a legal perspective, a distinction is made between necessary and non-necessary cookies.

5.3.2 Necessary Cookies
We use necessary cookies. These are cookies that are technically required to provide all functions of our website. The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 (1) sentence 1 lit. f GDPR. We have an overriding legitimate interest in being able to provide our services in a technically flawless manner. The legal basis for the use of cookies vis-à-vis our contractual partners who use the services we owe contractually via our website is Art. 6 (1) sentence 1 lit. b GDPR, i.e. the performance of our contractual services.

5.3.3 Non-Necessary Cookies
We also use non-necessary cookies (e.g. analytics cookies). These are cookies that are not technically required. We use them to understand your behaviour on our website and to improve our offering. The legal basis for the data processing is your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR. The cookies are only set after you have given your consent via our cookie banner. Blockbrain uses Google Analytics, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for analytics cookies. Information on data protection can be found here. Blockbrain uses Datadog EU, a service of Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018, USA, for preference and statistics cookies. The data are processed in Datadog EU data centres located on AWS infrastructure in Frankfurt, Germany. Datadog is certified under the EU-U.S. Data Privacy Framework. Further information on data protection can be found here.

5.3.4 Storage Period
With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be stored or preferred content can be displayed directly when the user revisits a website. The data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information on the type and storage period of cookies (e.g. in the context of obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.

Further information can be found in the information we provide in the cookie banner.

5.4 Customer Relationship Management (CRM)
We use HubSpot, a customer relationship management (CRM) system of HubSpot, Inc., Two Canal Park, Cambridge, MA 02141, USA, and have concluded a data processing agreement pursuant to Art. 28 GDPR to ensure that the processing of your personal data is carried out in accordance with the requirements of the GDPR.

Data Processing
HubSpot is used to store and manage customer and prospect data, contract details, communication histories and other relevant information. The data processed in HubSpot include in particular:

  • Contact data: Name, e-mail address, telephone number of the contact person.
  • Organisation data: Name and address of the (potential) customer company.
  • Contract data: Information on concluded contracts or offers.
  • Communication data: Notes from meetings, e-mail correspondence, support requests.

Purpose and Legal Basis
The use of HubSpot serves the following purposes:

  • Contract initiation and performance: Management of prospects and customers in the run-up to and during a business relationship (Art. 6 (1) sentence 1 lit. b GDPR).
  • Optimisation of customer communication: Efficient and targeted management of communication with prospects and customers (legitimate interest within the meaning of Art. 6 (1) lit. f GDPR). Our legitimate interest lies in the efficient organisation of our sales and customer service.

Storage Period
The data stored in HubSpot are deleted as soon as they are no longer required to achieve the purpose for which they were collected and no statutory retention obligations conflict with deletion. As a rule, this is the case after the end of the business relationship and the expiry of the statutory retention periods.

Processing on Behalf and Service Provider
HubSpot is certified under the EU-U.S. Data Privacy Framework (DPF). Details on data processing at HubSpot can be found in their data processing agreement: https://legal.hubspot.com/dpa

5.5 Customer Success Management (CSM)
We use Planhat, a Customer Success Management (CSM) system of Planhat AB, Stortorget 19, 211 34 Malmö, Sweden, to manage our customer relationships and optimise customer success.

Data Processing
Planhat is used to store and manage customer data, contract details, communication histories, interactions with our software (Knowledge Bots) and other customer-related information. The data processed in Planhat include in particular:

  • Contact data: Name, e-mail address, telephone number of the customer’s contact person.
  • Organisation data: Name and address of the customer company.
  • Contract data: Information on concluded contracts, service level agreements (SLAs) and the use of our services.
  • Usage data (aggregated): Data insofar as they are relevant for customer success management.
  • Communication data: Notes from meetings, e-mail correspondence, support tickets.

Purpose and Legal Basis
The use of Planhat serves the following purposes:

  • Contract performance and customer support: Management and maintenance of the customer relationship, provision of contractually owed support and proactive identification of customer needs (Art. 6 (1) sentence 1 lit. b GDPR).
  • Optimisation of internal processes: Analysis of customer behaviour to improve our products and services as well as to manage our sales and customer success teams (legitimate interest within the meaning of Art. 6 (1) lit. f GDPR). Our legitimate interest lies in the efficient and targeted support of our customers and the improvement of our business operations.

Storage Period
The data stored in Planhat are deleted as soon as they are no longer required to achieve the purpose for which they were collected and no statutory retention obligations (e.g. under tax or commercial law) conflict with deletion. As a rule, this is the case after the end of the business relationship and the expiry of the statutory retention periods.

Processing on Behalf and Service Provider
We have concluded a data processing agreement with Planhat AB in accordance with Art. 28 GDPR and thereby ensure that the processing of your personal data is carried out in accordance with the requirements of the GDPR. Details on data protection at Planhat can be found in their privacy policy: https://www.planhat.com/privacy-policy

5.6 Audio and Video Conferences

Data Processing
For communication with our customers, we use, among others, online conference tools. The specific tools we use are listed below. If you communicate with us via video or audio conference via the internet, your personal data are collected and processed by us and by the provider of the respective conference tool. The conference tools collect all data that you provide or use to utilise the tools (e-mail address and/or telephone number). Furthermore, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other “context information” in connection with the communication process (metadata).

In addition, the provider of the tool processes all technical data required to handle the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, type and version of operating system, client version, camera type, microphone or speaker as well as the type of connection. If content is exchanged, uploaded or otherwise provided within the tool, this content is also stored on the servers of the tool providers. Such content includes in particular cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information that is shared during the use of the service.

Please note that we do not have full influence on the data processing procedures of the tools used. Our options are largely determined by the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy notices of the respective tools, which we have listed below.

Purpose and Legal Basis
The conference tools are used to communicate with prospective or existing contractual partners or to provide certain services to our customers (Art. 6 (1) sentence 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us and our company (legitimate interest within the meaning of Art. 6 (1) lit. f GDPR). Where consent is requested, the use of the respective tools is based on this consent; consent can be revoked at any time with effect for the future.

Storage Period
The data collected directly by us via the video and conference tools are deleted from our systems as soon as you request us to delete them, you withdraw your consent to storage or the purpose for data storage no longer applies. Cookies stored on your end device remain there until you delete them. Mandatory statutory retention periods remain unaffected. We have no influence on the storage period of your data that are stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

Tools Used
Google Meet
We use Google Meet. The provider is Google Inc.
Details on data processing by Google: https://policies.google.com/privacy?hl=de-DE
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Conclusion of a data processing agreement
We have concluded a data processing agreement with the provider of Google Meet and fully implement the strict requirements of the German data protection authorities when using Google Meet.
Microsoft Teams
We use Microsoft Teams. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Details on data processing can be found in the Microsoft privacy notice: https://privacy.microsoft.com/de-de/privacystatement
Conclusion of a data processing agreement
We have concluded a data processing agreement with the provider of Microsoft Teams and fully implement the strict requirements of the German data protection authorities when using Microsoft Teams.
Meeting Notes
We use Bubbles AI, a product of VanGoux Inc., for the recording, archiving and structuring of our video conferences. Bubbles analyses spoken language and creates meeting summaries for the participants. Detailed information on data protection at VanGoux Inc. can be found at https://www.usebubbles.com/privacy. The recording and analysis of the meetings are based on your consent (Art. 6 (1) lit. a GDPR).
We have concluded a data processing agreement with VanGoux Inc. and ensure full compliance with the strict requirements of the German data protection authorities when using Bubbles AI.
Further information on this agreement can be found here:
https://www.usebubbles.com/privacy
Fathom AI Notetaker
We use the Fathom AI Notetaker to record and archive video conferences and to structure them with regard to existing tasks. Fathom AI Notetaker is a product of Fathom Video Inc. and analyses spoken language for us and creates a summary for the participants of the respective meeting. Details on the privacy notice of Fathom AI Notetaker can be found here. Further information on data security, certifications and current documents can be found here. The recording and further analysis of a meeting are based on your consent obtained (Art. 6 (1) lit. a GDPR).
Conclusion of a data processing agreement
We have concluded a data processing agreement with the provider Fathom Video Inc. and fully implement the strict requirements of the German data protection authorities when using Fathom AI Notetaker.

5.7 Appointment Scheduling

For the planning and management of appointments, we use various providers. For the purpose of booking an appointment, you enter the requested data and the desired date in the form provided. The data entered are used for planning, conducting and, where applicable, follow-up of the appointment. The appointment data are processed for us by the respective service provider, whose privacy policies you can see below.

The data you enter remain with us until you request us to delete them, you withdraw your consent to storage or the purpose for data storage no longer applies. Mandatory statutory provisions – in particular retention periods – remain unaffected. The legal basis for the data processing is Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in making appointment scheduling with prospects and customers as uncomplicated as possible. Where corresponding consent is requested, processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. for device fingerprinting) within the meaning of the TDDDG. The consent can be revoked at any time. The data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found there.

The company has a certification under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards in data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards.
Google Calendar
https://policies.google.com/privacy?hl=de-DE
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Calendly
https://calendly.com/legal/privacy-notice
Calendly, Inc., 115 E Main St., Ste A1B, Buford, GA 30518, USA
HubSpot
https://legal.hubspot.com/de/privacy-policy
HubSpot, Inc., Two Canal Park, Cambridge, MA 02141 USA
Microsoft Bookings
Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

5.8 Customer Communication

5.8.1 E-mail Communication
We use Mailjet, a product of Sinch AB, Lindhagensgatan 112, 112 51 Stockholm, Sweden, for sending our e-mail communication with customers and prospects.
Data Processing
For the purpose of our e-mail communication, we process the following personal data:

  • Contact data: E-mail address, name (if provided).
  • Communication data: Content of the e-mails sent, metadata of the dispatch (time, delivery status).
  • Usage data (tracking): Information about whether e-mails are opened and which links in them are clicked.

Purpose and Legal Basis
The use of Mailjet serves the following purposes:

  • Contract performance and customer support: Dispatch of contract-relevant information, invoices, support communications (Art. 6 (1) sentence 1 lit. b GDPR).
  • Information and marketing: Dispatch of information on our products, updates or marketing e-mails, provided that appropriate consent exists or where this takes place within the scope of our legitimate interest (Art. 6 (1) sentence 1 lit. a GDPR or Art. 6 (1) lit. f GDPR). Our legitimate interest lies in direct customer communication and customer care.

Storage Period
The data are stored for as long as they are required for the respective communication purpose or until you withdraw your consent. Statutory retention periods remain unaffected. Further information on data protection at Mailjet can be found in their privacy policy: https://www.mailjet.de/privacy

5.8.2 Social Networks – LinkedIn
We use LinkedIn for corporate communications as well as for recruitment.
Data Processing
The provider of LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, processes personal data.
Categories of data processed:

  • Contact data: Names, e-mail addresses, telephone numbers (insofar as provided in profiles or messages).
  • Organisation data: Information on the (potential) employer, job title.
  • Communication data: Contents of messages, comments, likes, shared posts.
  • Usage data: Data on interaction with our company profile and the content we share.
  • Applicant data: Application documents and information provided in the context of recruitment (Art. 6 (1) sentence 1 lit. b GDPR, § 26 BDSG).

Purpose and Legal Basis:

  • Corporate communication: Provision of information about our company, our products and services; interaction with users (legitimate interest within the meaning of Art. 6 (1) lit. f GDPR). Our legitimate interest lies in the external presentation of our company and the active communication with prospects and customers.
  • Recruitment: Search for and contact with potential candidates as well as processing of applications (Art. 6 (1) sentence 1 lit. b GDPR in conjunction with § 26 BDSG).

Joint controllership (joint responsibility):
For certain processing operations, such as the provision of insights data (page statistics), we are jointly responsible with LinkedIn (Art. 26 GDPR). The essential points of the agreement on joint responsibility are set out in the “Page Insights Joint Controller Addendum” of LinkedIn and can be viewed here: https://legal.linkedin.com/pages-joint-controller-addendum
Storage Period:
The storage period is governed by LinkedIn’s deletion policies. Communication data stored directly by us are deleted as soon as the purpose of storage ceases to exist and no statutory retention obligations conflict with deletion. In the case of applications, the data are deleted after completion of the application process or after a period of six months (in the event of rejection), unless there is consent for longer storage.
Further information on data protection: LinkedIn’s privacy policy can be found at:
https://www.linkedin.com/legal/privacy-policy

5.8.3 Social Networks – YouTube
Data Processing
We operate a channel on YouTube to present our company, our products and services. YouTube is a video portal of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit our YouTube channel or watch a video, YouTube processes personal data.
Categories of data processed:

  • Usage data: Information about your interaction with our channel and videos (e.g. videos viewed, time of access, playback duration, comments, likes).
  • Metadata: IP address, device information, browser type, location data.
  • Subscriber data: Information about subscribers to our channel.

Purpose and Legal Basis:

  • Corporate presentation and marketing: Presentation of our company and our offerings; interaction with users (legitimate interest within the meaning of Art. 6 (1) lit. f GDPR). Our legitimate interest lies in the external presentation and the communication of product information.
  • Insofar as you have a user account with YouTube or Google and are logged in there, data processing is partly based on your consent given to Google (Art. 6 (1) lit. a GDPR).

Joint controllership (joint responsibility):
For certain processing operations, such as the creation of page statistics (YouTube Analytics), we are jointly responsible with Google/YouTube (Art. 26 GDPR). The agreement on joint responsibility (Controller Addendum) can be viewed here.
Storage Period:
The storage period is governed by the deletion policies of Google/YouTube.
Further information on data protection:
Details on data processing by Google/YouTube can be found in Google’s privacy policy:
https://policies.google.com/privacy?hl=de-DE

5.8.4 Google’s API
What Blockbrain Knowledge Bot Can Access

  • Gmail Account: See your main Google Account email address.
  • Calendar: See, edit, share, and permanently delete any calendars you can access in Google Calendar.
  • Gmail: Manage drafts, send emails, and view your email messages and settings.

How Your Data Is Used

  • No Ads: Your Gmail data will never be used for advertising.
  • No Human Access Without Permission: No one at Blockbrain will read your Gmail data unless:
    ○ You give clear permission for specific messages.
    ○ It’s needed for security (like investigating abuse).
    ○ It’s required by law.
    ○ For internal operations, but only with data that is aggregated and de-identified (so it can’t be linked back to you).

Your Responsibilities
Keep Passwords Safe: Do not share your login or password with anyone. It’s your responsibility to keep them private and secure.
How We Protect Your Data

  • Security Measures: We use administrative, technical, and physical safeguards to protect your information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction.
  • Encryption: All data is encrypted when it’s sent and when it’s stored.
  • Best Efforts: We do our best to keep our systems secure, but we cannot guarantee that third parties will never access your information through illegal actions or attacks.

5.9 Use of Artificial Intelligence
We use artificial intelligence (AI), in which personal data are also processed. Our AI systems are used exclusively in accordance with the applicable legal requirements. These include both specific regulations on artificial intelligence (AI Act) and data protection provisions. In particular, we pay attention to the principles of lawfulness, transparency, fairness, human control, purpose limitation, data minimisation as well as integrity and confidentiality. The processing of personal data is always carried out only on an appropriate legal basis. We do not use personal data or customer data either to improve or to train AI models and do not make these data available to any service provider for training or improvement purposes.

6. Transfer of Personal Data

In the context of our processing of personal data, it may occur that personal data are transferred to other recipients or disclosed to them. Recipients of such personal data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your personal data that serve to protect your personal data.

7. Storage Period

Unless a more specific storage period is specified in these privacy notices, your personal data remain with us until the purpose for data processing ceases to apply. If you make a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted, provided we have no other legally permissible grounds for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, deletion will take place after these grounds cease to apply.

8. Note on Data Transfers to the USA

We would like to point out that the USA is not a safe third country within the meaning of EU data protection law. US companies are obliged to hand over personal data to security authorities without you as a data subject being able to take legal action against this. It therefore cannot be ruled out that US authorities (e.g. intelligence services) may process, evaluate and permanently store your data located on US servers for surveillance purposes.
We have no influence on these processing activities.
Important: In the preceding sections 5.1, 5.4.3, 5.6 and 5.7 you will find specific information on the US service providers we use, the respective legal basis and the mechanisms for ensuring an adequate level of data protection (e.g. DPF certification or standard contractual clauses).

9. Deletion of Data

The personal data processed by us are deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing these personal data no longer applies or they are no longer required for this purpose). If the personal data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted to these purposes.

This means that the personal data are blocked and not processed for other purposes. This applies, for example, to personal data that must be retained for reasons of commercial or tax law or whose storage is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. Our privacy notices may also contain further information on the retention and deletion of personal data, which apply with priority to the respective processing operations.

10. Your Rights as a Data Subject

As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR. If you wish to exercise any of your rights, please contact us using the contact details provided above or our data protection officer.

10.1 Right to Object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

10.2 Right of Access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to obtain access to these personal data as well as further information and a copy of the personal data in accordance with the legal requirements.

10.3 Right to Rectification
You have, in accordance with the legal requirements, the right to obtain the completion of incomplete personal data concerning you or the rectification of inaccurate personal data concerning you.

10.4 Right to Erasure and Restriction of Processing
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds provided for by law applies and insofar as processing or storage is not required.

10.5 Restriction of Processing
You have the right to obtain from us the restriction of processing where one of the conditions provided for by law is met.

10.6 Right to Data Portability
You have the right, in accordance with the legal requirements, to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format, or to request the transmission of those data to another controller.

10.7 Right to Withdraw Consent
You have the right to withdraw consent given at any time.

10.8 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the provisions of the GDPR.

11. Changes and Updates to the Privacy Policy

We will adapt the privacy policy as soon as changes in the data processing activities carried out by us make this necessary. We will inform you if such changes require an action on your part (e.g. consent) or another individual notification. If we further develop our website and our offerings or if legal or regulatory requirements change, it may be necessary to amend these privacy notices. You can access the current privacy notices at any time here.

Status: January 2026