Privacy Policy

GERSTEL GmbH & Co. KG

General Terms and Conditions of Business (GTCs)

Imprint

GERSTEL GmbH & Co KG (hereinafter referred to as "we", "us") attaches particular importance to data protection. We consider it our primary task to maintain the confidentiality of the personal data provided by you and to protect it from unauthorized access. We therefore apply the utmost care and state-of-the-art security standards to ensure maximum protection of your personal data.

With the following privacy policy, we would like to inform you about how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our website www.gerstel.com (hereinafter referred to as "website"), as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online service").

We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

If we further develop our website and our online services or if legal or official requirements change, it may be necessary to amend this privacy policy.

Status: June 2025

1. Controller

Controller within the meaning of the GDPR is

GERSTEL GmbH & Co KG

Eberhard-Gerstel-Platz 1

45473 Mülheim an der Ruhr, Germany

Phone: +49 (0) 208 – 7 65 03 - 0

E-mail: [email protected]

2. Data Protection Officer

You can contact our data protection officer as follows:

secjur GmbH

Falkensteiner Ufer 40

22587 Hamburg

E-Mail: [email protected]

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection and the exercise of your rights.

3. Definitions

This privacy policy is based on the terminology of the GDPR. To simplify matters, we would like to explain some important terms in this context in more detail:

Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

4. Use of Cookies

4.1. General Information

We use cookies on our website. These are text files that your browser automatically creates and that are stored on your IT system when you visit our website. Through cookies, certain information flows to the location that sets the cookie. By using cookies, it is not possible to execute programs or transfer viruses to your end device.

If you do not wish to use cookies, you can disable them in the settings.

From a legal perspective, a distinction must be made between necessary and non-necessary cookies.

(a) Necessary cookies

We use necessary cookies. These are cookies that are technically necessary to provide all the functions of our website. The legal basis for data processing is our legitimate interest within the meaning of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in being able to offer our website in a technically flawless manner. The legal basis for the use of cookies vis-à-vis our contractual partners who make use of services contractually owed by us via our website is Art. 6 (1) (b) GDPR, the provision of our contractual services.

(b) Non-essential cookies

We also use non-essential cookies (e.g. analysis and marketing cookies). These are cookies that are not technically necessary. We use them to understand your behavior on our website and to improve our offer. The legal basis for data processing is your consent pursuant to Art. 6 (1) (a) GDPR. The cookies are only set after you have given your consent via our "cookie banner".

4.2. Retention Periods

A distinction is made between the following types of cookies with regard to the retention periods:

Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that they can be stored for up to two years.

For more information, please refer to the information we provide in the cookie banner.

5. Transmission of Personal Data

As part of our processing of personal data, personal data may be transmitted to other recipients or disclosed to them. The recipients of this personal data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your personal data that serve to protect your personal data.

6. Deletion of Data

The personal data processed by us will be deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing this personal data no longer applies or it is not required for the purpose). If the personal data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted to these purposes. This means that the personal data is blocked and not processed for other purposes. This applies, for example, to personal data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.

Our data protection notices also contain further information on the retention and deletion of personal data, which apply primarily to the respective processing operations.

7. Data for the Provision of the Website and the Creation of Log Files

If you use this website for purely informational purposes without transmitting data to us in any other way (e.g. by registering or using the contact form), we collect technically necessary data via server log files, which are automatically transmitted to our server, e.g:

Date and time of access
Website from which the website was accessed; websites that were accessed via the website
Visited page on our website; amount of data transferred
Information about the browser type and version used
Operating system
Access status (e.g. whether the website could be accessed without any problems or whether you received an error message)
Reference on the website
search terms entered
Access frequency of the individual website
Amount of data transferred
other websites that you visit from this website, either by clicking on a link on this website

The temporary storage of the data is necessary for the course of a website visit in order to be able to display our website to you. This processing is technically necessary to ensure the functionality of the website and the security of the information technology systems. The legal basis for processing is therefore Art. 6 (1) (f) GDPR in order to guarantee the provision, security and stability of our website.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the provision of the website, this is the case when the respective session has ended. The log files are stored for a maximum of 24 hours for statistical purposes and to improve the user experience (Matomo) and are only accessible to administrators. After that, they are only available indirectly via the reconstruction of backup tapes and are permanently deleted after a maximum of four weeks.

To provide our online services, we use storage space and computing capacity that we rent or otherwise obtain from the server provider IONOS SE Elgendorfer Str. 57 56410 Montabaur Germany (web host). We have concluded a data processing agreement with the web host. This is a contract prescribed by data protection law, which guarantees that the web host will only process your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of June 4, 2021. These clauses ensure an adequate level of data protection when transferring your data.

8. Contact Options

If you contact us by e-mail, telephone or fax, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.

We process the following personal data from you as part of contacting you and responding to your request:

Name
E-mail
Date and time of the request
Meta data of the e-mail
Other personal data that you provide to us when contacting us.

We process your data to answer your request and other resulting matters.

This data is processed on the basis of Art. 6 (1) (b) GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us [Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR] if this has been requested; consent can be revoked at any time.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

9. Contact Form

You have the option of contacting us via our website using contact forms. We process the following personal data from you when you contact us and respond to your request:

[First and last name
E-mail address
Phone number
Company name
Country
Date and time of the request
IP address
Information about the product you are interested in
Communication content

If you contact us as part of an existing contractual relationship or contact us in advance for information about our range of services or our other services, the personal data you provide will be processed for the purpose of processing and responding to your contact request in accordance with Art. 6 (1) (b) GDPR. Otherwise, to safeguard our legitimate interests pursuant to Art. 6 (1) (f) GDPR for the purpose of responding appropriately to customer/contact inquiries.

We delete your personal data as soon as it is no longer required to achieve the purpose for which it was collected. In the case of contact inquiries, this is generally the case when it is clear from the circumstances that the specific matter in question has been conclusively dealt with.

Our contact form is provided by HubSpot Inc, (2 Canal Park, Cambridge, MA 02141 USA; (hereinafter HubSpot).

We have concluded a data processing agreement for the use of HubSpot. This is a contract required by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of June 4, 2021.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. HubSpot is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information can be found in HubSpot's privacy policy:

https://legal.hubspot.com/de/privacy-policy.

10. Application by E-mail

If you apply to our company by e-mail, we will process your application data exclusively for purposes related to the processing of your application. By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected:

Name (first name and surname)
Gender
E-mail address
Place of residence
Salary expectations
Availability
Phone number
Channel, how you became aware of us

You also have the option of sending informative documents such as a cover letter, your CV and references. These may contain further personal data such as date of birth, address, etc.

Your application will only be processed and acknowledged by the relevant contact persons at our company. The legal basis for the processing of your data is the initiation of a contract in accordance with Art. 6 (1) (b) GDPR, which takes place at your request. If we obtain your consent (e.g. for inclusion in our applicant pool), this constitutes the legal basis for this storage in accordance with Art. 6 (1) (a) GDPR.

If you receive an offer of employment with us during the application process and accept it, we will store the personal data collected during the application process for at least the duration of the employment relationship.

If we are unable to offer you employment, we will retain the data you have provided for up to six months after any rejection for the purpose of answering any questions in connection with your application and rejection. This does not apply if statutory provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.

11. Newsletter

If you would like to receive information about our new products and services, you can subscribe to our newsletter. As part of sending the newsletter, we process the following personal data, among others; the mandatory information for sending the newsletter is your e-mail address.

E-mail address
First and last name
Organization
Metadata (e.g. device information, IP address, date and time of login)

The advertised goods and services are named in the declaration of consent. We use the so-called double opt-in procedure to register for our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address provided in which we ask you to confirm that you are the owner of the e-mail address provided and that you wish to receive the notifications. We also store the IP addresses you use and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

The legal basis for sending our newsletter is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent to receive our newsletter at any time by clicking on the unsubscribe link in the e-mails or by sending your revocation by e-mail to our e-mail address or by post to the contact details given in the imprint. Your personal data will then be removed from the mailing list.

We use the external provider HubSpot to send our newsletter.

Further information can be found in HubSpot's privacy policy:

https://legal.hubspot.com/de/privacy-policy.

12. Social Media

We maintain publicly accessible profiles on various social networks. Your visit to these profiles triggers a variety of data processing operations. Below we provide you with an overview of which of your personal data is collected, used and stored by us when you visit our profiles.

When you visit our profiles, your personal data is not only collected, used and stored by us, but also by the operators of the respective social network. This happens even if you yourself do not have a profile on the respective social network. The individual data processing operations and their scope differ depending on the operator of the respective social network and they are not necessarily traceable for us. For details on the collection and storage of your personal data as well as the type, scope and purpose of its use by the operator of the respective social network, please refer to the following explanations.

12.1. Instagram

When you visit our Instagram page, certain information about you is processed. We can only view the information stored in your public Instagram profile (such as your profile picture or information that you share on a public Instagram profile), and only if you have such a profile and are logged into it while you visit our Instagram page.

In addition, the operator of the Meta platform, Meta Platforms Ireland Limited, [Serpentine Avenue, Block J, Dublin 4 Ireland; (Meta)] provides us with statistics and insights for our Instagram page in anonymized form, which help us gain insights into the types of actions people take on our page (Page Insights). These Page Insights are created on the basis of certain information about people who have visited our site.

The processing of your personal data in connection with the operation of our Instagram company profile is based on a balancing of interests in accordance with Art. 6 (1) (f) GDPR in order to offer you a contemporary and supportive information and interaction opportunity with and about us. Furthermore, the processing serves our legitimate interest in evaluating the types of actions taken on our Instagram company profile and improving our company profile based on these findings. The legal basis for this processing is therefore Art. 6 (1) (f) GDPR. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR.

Page Insights are processed by Meta and us as joint controllers. We cannot attribute the information obtained via the Page Insights to individual Instagram profiles that interact with our Instagram page. We have entered into a joint controllership agreement with Meta, which sets out the allocation of data protection obligations between us and Meta. Details about the processing of personal data to create Page Insights and the agreement concluded between us and Meta can be found here:

https://www.facebook.com/legal/terms/page_controller_addendum.

With regard to this data processing, you have the option of asserting your rights as a data subject (see "Your rights as a data subject") against Meta. Further information on this can be found in Meta's privacy policy at:

https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.

Meta offers the option of objecting to certain data processing; you can find information and opt-out options here in your account:

https://www.facebook.com/login.php?next=https%3A%2F%2F

www.facebook.com%2Fsettings%3Ftab%3Dads.

Please note that user data is also processed in the USA or other third countries in accordance with the meta data protection provisions. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Meta is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link:

https://www.dataprivacyframework.gov/s/participant-search.

12.2. LinkedIn

When you visit our LinkedIn company profile, certain information about you is processed. In the case of direct messages to us or comments on our LinkedIn company profile or under our posts, we receive the message, the comments and your username.

In addition, LinkedIn processes LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (LinkedIn) as the operator of personal data when you visit our LinkedIn company profile, follow this page, or engage with the page in order to provide us with statistics and insights in anonymized form. This gives us insights into the types of actions that people take on our site (page insights). In particular, LinkedIn processes data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company profile, e.g. whether you are a follower of our LinkedIn company page. With the Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to the summarized Page Insights. It is also not possible for us to draw conclusions about individual members from the information in the Page Insights.

The processing of your personal data in connection with the operation of our LinkedIn company profile is based on a balancing of interests in accordance with Art. 6 (1) (f) GDPR in order to offer you a contemporary and supportive information and interaction opportunity with and about us. The processing serves our legitimate interest in evaluating the types of actions taken on our LinkedIn company profile and improving our company profile based on these findings.

This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. We have entered into an agreement with LinkedIn on processing as joint controllers, which sets out the distribution of data protection obligations between us and LinkedIn. The agreement is available via the following link: https://legal.linkedin.com/pages-joint-controller-addendum. In this respect following applies:

LinkedIn and we have agreed that LinkedIn is responsible for exercising your rights under the GDPR. You can contact LinkedIn online via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or reach LinkedIn via the contact details in the privacy policy. You can contact the data protection officer at LinkedIn via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.

You can also contact us using the contact details provided to exercise your rights in connection with the processing of personal data in the context of page inserts. In such a case, we will forward your request to LinkedIn.

LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority.

In addition, LinkedIn processes your data as a user for the provision of services, communication, further development of services and research as well as for advertising, customer support, analysis and security purposes. In principle, LinkedIn is solely responsible for the processing of personal data when you visit our LinkedIn company profile. The categories of personal data that LinkedIn processes are described in LinkedIn's data policy. Further information on the processing of personal data by LinkedIn can be found here:

https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

Please note that in accordance with the LinkedIn Privacy Policy, personal data is also processed by LinkedIn in the USA or other third countries.

12.3. YouTube Channel

We operate a YouTube channel to draw attention to our services and service offerings and to interact with our customers and visitors to the YouTube channel (users). The operator of the video platform is Google Ireland Limited, [Gordon House, Barrow Street, Dublin 4 Ireland; (Google)]. Google Ireland is a company affiliated with Google LLC, [1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; (Google)].

If you contact us via our YouTube channel, e.g. by commenting on one of our videos, we will process your data (e.g. your name and the content of the communication) in order to deal with your request. If necessary, we will also process your data to assert legal claims and defend you in legal disputes in connection with your contributions. The legal basis for the processing of the data that we collect in connection with the use of our company website is our legitimate interests pursuant to Art. 6 (1) (f) GDPR in order to offer you a contemporary and supportive information and interaction opportunity with and about us and to better present our services and service offerings. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR.

When you visit our YouTube channel or other pages on the YouTube platform, Google collects so-called usage data. Google Ireland also uses certain data that it has collected from users of the YouTube platform (e.g. which videos users watch) to compile aggregated usage statistics and make them available to the respective operators of the YouTube channel (YouTube Analytics). We also receive such aggregated usage statistics. The information we receive from YouTube Analytics does not allow us to draw any conclusions about individual users. We ourselves have no access to personal data that Google processes for YouTube Analytics. Google determines which data is processed for YouTube Analytics and how. Google provides information on this in its privacy policy: https://policies.google.com/privacy?hl=de&gl=de.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

12.4. XING

When you visit our XING profile with the operator New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (XING), certain information about you is processed. If you contact us via our XING profile, e.g. by commenting on a post on the XING profile or writing us a direct message via the XING platform, we process your personal data [e.g. your name, communication content, job title, company name, industry, education, contact options, photo (profile data)] in order to process your request. The names of the registered XING users who have visited our XING profile are visible to us. The processing is carried out on the basis of a balancing of interests in accordance with Art. 6 (1) (f) GDPR in order to offer you a contemporary and supportive information and interaction opportunity with and about us.

If you send us an application via our XING profile, we will process your application data (such as name, e-mail address, date of birth, postal address and telephone number), the documents you send us (such as CV, certificates, cover letter, including the information contained therein about your person and qualifications) and additional information and messages you provide (such as desired start date and employment, salary expectations, your notice period or your motivation as to why you would like to work for us). The processing is carried out for the purposes of processing the application, including the preparation and conduct of interviews and recruitment tests and the evaluation of the results and as otherwise required as part of the application process. We will contact you during the application process to inform you of the progress of your application or to invite you to an interview or recruitment test. As part of the application process, the documents are first processed by the HR department. If suitable, the personal data and documents will be forwarded to the relevant specialist department. The legal basis for the data processing described above is Art. 6 (1) (b) GDPR. The data processing is necessary to process the application and to establish a possible employment relationship.

If you register for an event organized by us via our XING profile, we will process your profile data to enable you to participate in the event. The legal basis is Art. 6 (1) (f) GDPR to enable you to register and participate easily.

When you visit our XING profile, XING also collects so-called usage data. XING also uses certain data that it has collected from users of the XING platform (e.g. whether a post has been marked with "Like") to create aggregated usage statistics and make them available to the respective operators of the XING profile (so-called "employer branding performance measurement"). We receive such aggregated usage statistics. The aggregated statistics do not allow any conclusions to be drawn about individual users. In particular, we have no access to personal data that XING processes for employer branding performance measurement. XING alone determines which data is processed for employer branding performance measurement and how. We have no legal or actual influence on the processing by XING. XING provides information on this in the XING privacy policy:

https://privacy.xing.com/de/datenschutzerklaerung.

In addition, XING processes your data as a user to ensure security, to provide the service and to measure and optimize advertising. XING is solely responsible for the processing of personal data when you visit our XING profile. The categories of personal data that XING processes in this context are described in XING's privacy policy.

13. Third-party Tools

13.1. Consentmanager

We use the cookie banner consentmanager, of consentmanager AB, (Håltegelvägen 1b, 72348 Västerås, Sweden). This enables us to obtain and manage the website user's consent to data processing.

When you visit our website or a sub-website for the first time, you will be shown a "cookie banner". There you will be informed about the individual cookies that we use. You can find out the name of each individual cookie, the provider, the purpose of processing and the storage period.

Our cookie banner informs you about the specific cookies we use. In addition, we give you the opportunity to decide whether you want to consent to the setting of non-essential cookies. The following are processed:

the IP address of the connection you are using
the description of the web browser and operating system used,
the language used by your browser and operating system,
the address of the website on which you give your consent,
the date and time of consent,
the country from which you are submitting your request,
a pseudonym used to distinguish between different users,
Your consent status with regard to the cookies and similar technologies used by us or with regard to the services used, which serves as proof of your consent

If we use cookies and similar technologies as part of the integration of the service or if data is stored on or read from your end device by the service, this is done in accordance with Section 25 (2) TDDDG. Subsequent data processing takes place on the basis of Art. 6 (1) (f) GDPR. We have an overriding legitimate interest in using the cookie banner, which enables us to obtain the legally required consent for the use of non-essential cookies and to comply with our duty to provide information regarding cookies.

The cookie banner stores the preferences until you reset or change them. Otherwise, the key and the consent status are stored in the browser for 12 months using the "__cmpconsent" cookie.

We have concluded a data processing agreement for the use of consentmanager. This is a contract required by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of June 4, 2021.

Further information on data processing by consentmanager AB can be found at:

https://www.consentmanager.net/de/datenschutz/

13.2. HubSpot CRM

We use HubSpot CRM from HubSpot on this website. With HubSpot CRM, we are also able to record and analyze the user behavior of our contacts on our website.

HubSpot CRM enables us to manage existing and potential customers and customer contacts, among other things. This is an integrated software solution that we use to cover various aspects of our online marketing. These include, among others: Email marketing (newsletters as well as automated mailings, e.g. to provide downloads), social media publishing & reporting, reporting (in particular traffic sources, hits, etc. ...), contact management (in particular user segmentation & CRM), landing pages and contact forms. HubSpot places cookies on your computer. This allows personal data to be stored and analyzed, in particular:

Company domain: the company domain of company visitors. This data is only collected when visitors identify themselves by filling out a form or registering on our website or in our newsletter.
Timestamp: Date and time at which visitors accessed the web pages. This data helps to ensure the accuracy and frequency of visits and provide customers with insights into time-based visits and intentions.
VID: a series of numbers generated when an unidentified visitor visits our website and interacts with us.
the visitor's activity (in particular which pages have been visited and which elements have been clicked on),
Device and browser information (in particular the IP address and the operating system),
Data about the advertisements displayed (in particular which advertisements were displayed and whether the visitor clicked on them)
Data from advertising partners (in particular pseudonymized user IDs)

The personal data collected in this way can be analyzed and used for communication with the potential customer or for marketing measures.

Insofar as the processing of personal data is an elementary component of the implementation of our online service and/or a required service, such as the provision of contact forms, downloads, etc., Art. 6 (1) (f) GDPR is the legal basis for data processing. In these cases, our interest lies in the efficient implementation of the online service. If your consent is obtained for other functions of HubSpot, the legal basis is Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, i.e. the integration only takes place with your consent. You can revoke your consent at any time by changing the corresponding settings in your browser or cookie banner or by deleting the cookies.

The data collected via HubSpot may also be shared with our partner companies under joint responsibility. Insofar as personal data is collected on our website via the tool described here and passed on to partner companies, we and the respective company are jointly responsible for this data processing in accordance with Art. 26 GDPR. The joint responsibility is limited exclusively to the collection of data and its transfer to other companies. The obligations incumbent on us jointly have been set out in a joint controllership agreement. This applies to the transfer of data to the following companies:

Skalar Analytical B.V.: Tinstraat 12, 4823 AA Breda, The Netherlands

URL of the privacy policy: https://assets.skalar.com/assets/Company/071122-Privacy-Policy-Skalar-Analytical-B.V.pdf?v=1670239667&_gl=1*9vm8m7*_gcl_au*NTY3NzA1OTA1LjE3NDA3MjYyMTE.

Promochrom Technologies: 13351 Commerce Parkway, Unit 1103, Richmond, BC V6V 2X7, Canada

URL of the privacy policy: https://www.promochrom.com/privacy-policy

LCTech GmbH: Daimlerstraße 4, 84419 Obertaufkirchen, Germany

URL of the privacy policy: https://www.lctech.de/en/privacy-policy

Est&tsrR analytical: 503 Commercial Drive, Fairfield, Ohio 45014, United States

URL of the privacy policy: https://estanalytical.com/privacy-policy/

Trace Elemental Instruments: Voltaweg 22, 2627 BC Delft, The Netherlands

URL of the privacy policy: https://www.teinstruments.com/privacy/

Further information can be found in HubSpot's privacy policy:

https://legal.hubspot.com/de/privacy-policy.

13.3. Cloudflare CDN

We use the Cloudflare CDN from Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA; hereinafter Cloudflare) on this website to improve the speed and security of our website. Cloudflare offers services such as a content delivery network (CDN) and various security functions. With the Content Delivery Network, our content is mirrored on different servers to ensure optimal accessibility worldwide. User data is processed in the process.

Cloudflare operates a network of globally distributed servers that store copies of our website. When you visit our site, the content is delivered from the nearest server, which reduces the loading time. This speeds up the display, especially for users outside our hosting region, and increases security by protecting against DDoS attacks and a web application firewall.

We want to give you the best possible experience by optimizing the speed and security of our website. Cloudflare helps us do this by improving web performance and blocking threats. In addition, by storing our website in local data centers, bandwidth usage is reduced by up to 60%. Other features such as the "I'm Under Attack Mode" provide additional protection against attacks by requiring a short challenge (e.g. JavaScript task) to be solved before access to the site is granted.

Cloudflare processes data on our behalf, such as IP addresses, security fingerprints and performance data. This information is used to ensure the security of our website and is processed in accordance with applicable law, including the GDPR.

The legal basis for the provision of these services is our legitimate interest pursuant to Art. 6 (1) (f) GDPR to ensure the provision, security and stability of our website.

Cloudflare stores data mainly in the USA and the European Economic Area (EEA). User data for most domains is stored for less than 24 hours. For Enterprise customers, logs can be stored for up to 7 days if enabled. Exceptions exist when security alerts are triggered.

We have concluded a data processing agreement for the use of Cloudflare. This is a contract prescribed by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of June 4, 2021.

The personal data may also be transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Cloudflare is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information about processing by Cloudflare can be found at:

https://developers.cloudflare.com/fundamentals/.

13.4. Matomo

We use the open-source software Matomo. With the help of Matomo, we are able to collect and analyze data about how visitors use our website. This allows us to find out, among other things, when which pages were accessed and from which region. We also record various log files, for example:

Optional user ID
Date and time of the request
Title of the displayed page (page title)
URL of the displayed page (page URL)
URL of the page that was displayed before the current page (referrer URL)
Screen resolution used
Time in the time zone of the local user
Files that have been clicked and downloaded
Links to an external domain that were clicked on (outlink)
Page generation time (the time it takes for web pages to be generated by the web server and then downloaded by the user: Page speed)
Location of the user: country, region, city, approximate longitude and latitude (geolocalization)
Main language of the browser used
User agent of the browser used

and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).

From the user agent, we use our Universal Device Detection library to recognize the browser, operating system, device used (desktop, tablet, mobile, TV, car, game console, etc.), brand and model.

We use IP anonymization for the analysis with Matomo. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.

Some information is also stored in cookies and then collected by Matomo:

Random unique visitor ID
Time of the first visit of this user
Time of the previous visit of this user
Number of visits by this user

The processing by Matomo is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. You can revoke your consent at any time by changing the corresponding settings in your browser or cookie banner or by deleting the cookies.

We host Matomo on our local server so that no unauthorized transfer to third countries takes place.

13.5. Youtube Website Integration

Our website uses plugins from the video platform YouTube to embed videos and play them directly on our website. The video platform is operated by Google Ireland Limited, (Gordon House, Barrow Street, Dublin 4 Ireland; hereinafter referred to as Google). Google Ireland is a company affiliated with Google LLC, (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as Google).

If you activate embedded videos on our website, a connection to the YouTube servers is established and a data transfer is started. We have no influence on the scope and content of the data that is transmitted to YouTube and possibly other YouTube partners by activating the plugin. Among other things, the YouTube server is informed which of our pages you have visited. According to YouTube, this information is used, among other things, to collect video statistics, improve user-friendliness and prevent abusive behavior. YouTube uses cookies to collect information about user behavior. The cookies remain on your device until you delete them. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account before activating the play button. You can find further information on the handling of user data in the privacy policy of Google: https://policies.google.com/privacy?hl=de&gl=de.

The legal basis for this use is the voluntary and revocable consent given by you in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time with future effect at by making the corresponding changes or adjustments in your settings.

13.6. WebinarGeek with HubSpot Integration

We use the WebinarGeek tool from WebinarGeek B.V., (Chroomstraat 12, 2718 RR Zoetermeer, Netherlands; hereinafter referred to as WebinarGeek) to conduct webinars.

Various types of data are processed when using WebinarGeek. The scope of the data also depends on the data you provide before or during participation in an online meeting.

The following personal data is usually processed:

User details: first name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department (optional)
Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialling in with the telephone: information on the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in a webinar. In this respect, the text entries you make are processed in order to display them in the webinar and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the WebinarGeek applications.
Content of feedback during and after webinars, which you give us and we evaluate accordingly for improvement.

We use WebinarGeek to conduct webinars. If we want to record, we will inform you transparently in advance and ask for your consent. The fact of the recording will also be displayed in the app.

We have also integrated WebinarGeek with our HubSpot CRM (see section 12.2 for more details on HubSpot). The functions of HubSpot CRM are used for the following tasks and purposes:

Connecting the HubSpot form with WebinarGeek to collect subscribers and automatically register them for our webinars.
Automatically send events such as new sign-ups, poll votes, completed call-to-actions, new viewers, rating forms and questions to our HubSpot timeline.
Using the contact properties (HubSpot marketing emails) to send you the unique access link and the date and time of the webinar.
Segmenting our viewers from our audience or filtering our contacts based on whether they have ever watched a webinar.
Detailed segmentation and filtering based on webinar activity, allowing us to create audience profiles and filters within our webinar or across our entire audience.

Otherwise, the legal basis for data processing when conducting webinars is Art. 6 (1) (b) GDPR, insofar as the webinars are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) (f) GDPR. Here, too, there is a legitimate interest in the effective and secure conduct of webinars. If we obtain your consent (e.g. for recording), this constitutes the legal basis for data processing in accordance with Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future.

Automated decision-making including profiling in accordance with Art. 22 GDPR is not used.

We would like to point out that when accessing the WebinarGeek website, WebinarGeek B.V. is responsible for data processing.

We have concluded a data processing agreement for the use of WebinarGeek. This is a contract required by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of June 4, 2021.

Data processing by WebinarGeek takes place exclusively in the EU and there is no data transfer to third countries by WebinarGeek.

Further information on processing by WebinarGeek can be found at:

https://www.webinargeek.com/de/datenschutzerklarung.

14. Your Rights as a Data Subject

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR. If you wish to exercise one of your rights, please contact us via the contact addresses given above or our data protection officer.

14.1. Right to Object

YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO PROCESSING OF PERSONAL DATA CONCERNING YOU WHICH IS BASED ON ART. 6 (1) (E) OR (F) GDPR; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. IF THE PERSONAL DATA CONCERNING YOU ARE PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR FOR THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.

14.2. Right to Information

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this personal data and further information and a copy of the personal data in accordance with the legal requirements.

14.3. Right to Rectification

In accordance with the statutory provisions, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.

14.4. Right to Erasure and Restriction of Processing

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds provided for by law applies and insofar as the processing or storage is not necessary.

14.5. Restriction of Processing

You have the right to demand that we restrict processing if one of the legal requirements is met.

14.6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.

14.7. Right to Withdraw Consent

You have the right to withdraw your consent at any time.

14.8. Complaint to the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.