Data protection information

This data protection notice is intended to provide an overview of what happens to your personal data (hereinafter also referred to as "data") in our company and to inform you about the data protection claims and rights to which you are entitled within the meaning of the European General Data Protection Regulation ("GDPR") and the Federal Data Protection Act ("BDSG") and the Telecommunications Digital Services Data Protection Act ("TDDDG"). We therefore ask you to take note of this data protection information and, if necessary, to print it out or save it.

Personal data is all data with which you can be personally identified. Your personal data may be processed for various purposes. Essentially, the data processing operations by InsurTech Hub Munich e.V., c/o WERK1.Bayern GmbH, Am Kartoffelgarten 14, 81671 Munich (hereinafter also referred to as "ITHM" or "we") can be divided into the following areas of application:

  • General: General information on data protection, data processing procedures and data subject rights, which apply to all data processing procedures carried out for us, can be found in Part A below.
  • Our websites: In connection with our website https://www.insurtech-munich.com (hereinafter: "website") or related external online presences, such as our social media profiles from which we refer to this data protection notice (website and external online presences hereinafter also collectively: "internet presences"), we process data of visitors that is exchanged between their internet-enabled end devices and the server operated by us, as well as data that is communicated to us in the course of using the website. Details on this can be found in Part B.
  • Registration as a member & events: You can register as a member on our website and register for webinars, workshops, lectures, meetings, master classes and other events (hereinafter referred to as "events"). Details can be found in Part C.

Please visit the individual sections if you want to obtain information on specific processing situations quickly and in context.

A. General information on data protection and data subject rights

I. Who is responsible for data processing and who can you contact if you have any questions?

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the:

InsurTech Hub Munich e.V.,

c/o WERK1.Bayern GmbH

Am Kartoffelgarten 14

81671 Munich

Phone +49 (0) 1734368171

E-mail: [email protected]

If you have any questions about data protection, please contact us using the contact details above.

II. What rights do you have with regard to your personal data?

If your personal data is processed, you are a "data subject" within the meaning of the GDPR, which may entitle you to the rights described below. If you wish to assert rights against ITHM as the controller, we recommend that you address these to our contact details above:

1. Right to information

In accordance with Art. 15 GDPR, you can request confirmation from us as to whether personal data concerning you is being processed by us and request information on the extent to which we process your data.

2. Right to rectification

If personal data concerning you is incorrect or incomplete, you have the right to rectification and/or completion in accordance with Art. 16 GDPR.

3. Right to erasure

If the legal requirements of Art. 17 GDPR are met, you can demand that we delete your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations.

Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely to fulfill our statutory erasure obligations once the purpose of processing no longer applies, provided that there is no legal or statutory retention period to the contrary.

4. Right to restriction of processing

You can request that we restrict the processing of your data in the cases specified in Art. 18 GDPR. If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

5. Right to data portability

According to Art. 20 GDPR, you have the right to have data provided by you, which we process automatically on the basis of your consent or in fulfillment of a contract, handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible. The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Right of objection

If we process your data on the basis of a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR, you can object to this data processing at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions (see Art. 21 GDPR). If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims.

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct advertising. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

7. Right to revoke the declaration of consent under data protection law

Some data processing operations are only possible with your express consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future. However, the legality of the data processing carried out until the revocation remains unaffected by the revocation. Please note that even after consent has been withdrawn, it may still be possible to process the data concerned in whole or in part on the basis of other legal bases.

8. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR in conjunction with Section 19 BDSG). A list of data protection officers and their contact details can be found at the following link: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions you may have.

Of course, you also have the right to contact the supervisory authority responsible for us at our company headquarters:

Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, telephone: +49 (0) 981 180093-0; e-mail: [email protected]

III. Which personal data is processed and from which sources does this data originate?

1. Origin of the personal data

Via our website and our services, we also process data that we receive during your visit or that you actively communicate to us as part of your use. Other data is collected automatically by our IT systems when you visit the website or use one of our services. This is primarily technical data (e.g. internet browser, operating system or time of a page view). This data is collected automatically as soon as you enter our website or access one of our services. Details on this can be found in the individual sections of Part B.

In individual cases, we also process data that we have permissibly received or acquired from other third parties or that we have permissibly taken, received or acquired from publicly accessible sources.

2. Categories of personal data

The personal data that we regularly process includes personal master/contact data such as: title, first and last name, salutation, date of birth, address, e-mail address, telephone number, fax, position in the company.

In addition, depending on the order, service or other relationship with you, we process the following other personal data:

  • Address data: Street, house number, address supplements if applicable, zip code, city, country
  • Contact details: Telephone number(s), e-mail address(es)
  • Registration data: Information about the service through which you have registered; data provided by you during registration
  • Offer data
  • Access data: Date and time of the visit to our website; pages accessed during use
  • Information about the nature and content of our business relationship, such as contract data, order data, sales and document data, customer and supplier history, consulting documents
  • Advertising and sales data, e.g. information interests indicated by you
  • Other data that we have received from you in the course of our business relationship (e.g. in discussions with customers)
  • The documentation of declarations of consent, in particular double opt-ins

IV. For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) and, if applicable, other more specific provisions, in particular on the following bases:

  • Consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TDDDG): If a service offered by us in any way stores or accesses information in the user's terminal equipment, consent is required in accordance with Section 25 (1) sentence 1 TDDDG. If the service functions without any access to the terminal equipment, the GDPR is relevant. If we request your consent within the scope of the GDPR, this is done on the basis of Art. 6 para. 1 lit. a in conjunction with Art. 7 GDPR. Consent that has been granted can be revoked at any time with effect for the future. Please note that processing that took place before the revocation is not affected by the revocation and that under certain circumstances data processing may continue to be possible, at least in part, on the basis of another legal basis.
  • Fulfillment of (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR): Personal data is processed to fulfill pre-contractual measures or contractual obligations, in particular in connection with the sale and distribution of our products and other services as well as all activities required for the operation or administration of ITHM as is customary in the industry (e.g. customer and user administration). Details on the purpose of this data processing can be found in the respective contractual documents and terms and conditions.
  • Protection of legitimate interests (Art. 6 para. 1 lit. f GDPR): Based on a balancing of interests, data processing may take place beyond the actual fulfillment of a contract to safeguard the legitimate interests of ITHM or third parties. This is permissible unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail.
  • Fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR): Processing of your data may be necessary in part for the purpose of fulfilling various legal obligations and requirements to which we are subject, e.g. from the German Commercial Code or the German Fiscal Code.

V. Who receives my data?

At ITHM, your data is received by those employees or organizational units that need it to fulfill our contractual and legal obligations or to process or pursue our legitimate interests.

Your data will be forwarded for the initiation or execution of a contractual relationship in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR or, depending on the type of specific contractual relationship, also on the basis of legitimate interests of us or third parties in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, in particular to companies that we regularly use in connection with the provision of our services. This concerns the following recipients or categories of recipients:

  • Affiliated companies, currently InsurTech Hub Munich e.V. and ITHM Innovation GmbH
  • ITHM members and partners in the context of network activities of the parties concerned (insurance companies, technology companies and start-ups)
  • IT service providers (e.g. e-mail service providers, web hosting companies, software providers)
    • Borlabs GmbH, Rübenkamp 32, 22305 Hamburg (Website Consent Technology)
    • Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA (website security technology)
    • Defiant, Inc, 800 5th Ave Ste 4100, Seattle, WA 98104, USA (provider of the WordPress security plugin Wordfence)
    • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Website Security Technology)
    • IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (Webhosting, CDN)
    • Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (provider MS365, in particular MS Teams)
    • monday.com Ltd, 6 Yitzhak Sadeh Street Tel Aviv, 6777506, Israel (provider of the Monday.com work platform)
    • Personio SE & Co. KG Seidlstraße 3 80335 Munich (provider of personnel administration and applicant management software)
    • Weglot, SAS, 138, rue Pierre Joigneaux in Bois-Colombes 92270 France (translation service provider)
    • Zapier Inc, 548 Market St. # 62411, San Francisco, CA 94104-5401 (interface provider)
    • Zoom Communications Inc, 55 S Almaden Blvd, San Jose, CA 95113, USA (operator of the Zoom communications platform).
  • Sales partners / sales platforms
    • Luma Inc. 548 Market St PMB 36143 San Francisco, CA 94104, USA (operator of event platform)
  • Tax and legal advisor
    • CHP Rechtsanwalt & Steuerberater Partnerschaftsgesellschaft mbB, Atelierstr. 1, 81671 Munich, Germany
    • GÖRG Partnerschaft von Rechtsanwälten mbB, Kennedyplatz 2, 50679 Cologne
    • LLP DATA Protect GmbH, Würmstr. 20a, 81375 Munich

If we use a service provider in the sense of order processing in accordance with Art. 28 GDPR, we nevertheless remain responsible for the protection of your data. Where required by law, processors are contractually obliged by means of an order processing agreement to treat your data confidentially and to process it only in the context of providing the service. The processors commissioned by us will receive your data if they require the data to perform their respective service.

Your data will only be transmitted to state institutions and authorities or collected for this purpose within the framework of mandatory national legislation or if you instruct us to do so.

VI. How long will my data be stored?

Your personal data will only be used for the purpose for which you have provided it to us or to the processing of which you have consented and will only be stored until this purpose has been fulfilled. After complete fulfillment of the purpose or as soon as you have requested us to delete your data, your data will only be stored for as long as this is necessary due to statutory limitation or retention periods (in particular tax and commercial law). However, the data will be deleted after these periods have expired at the latest, unless you have expressly consented to further or different use. You can also assert rights during the retention periods, such as the blocking of your data. Please see Section A. Clause II.

Your data will be deleted or blocked by us as soon as the purpose of storage no longer applies or you request us to delete it.

As a matter of principle, we process and, in particular, store your data only until the end of the business relationship or until the expiry of the applicable guarantee, warranty and limitation periods. For example, the limitation period according to §§ 195 ff. of the German Civil Code (BGB) is generally three years, but in certain cases up to thirty years. In addition, it may be necessary for data to be stored until the legally binding conclusion of any legal disputes in which the data is required as evidence.

In addition, we are subject to statutory documentation and retention periods (e.g. from the German Commercial Code (e.g. Section 257 HGB), the German Money Laundering Act or the German Fiscal Code (e.g. Section 147 AO)). The retention and documentation periods specified there are between two and ten years. For example, we would have to retain your data even after the termination of a contract with you until the conclusion of the tax audit of the last calendar year in which you were our customer.

VII. Is personal data transferred to a third country?

As part of our processing operations, personal data may also be transferred to locations in so-called third countries outside the EU or the EEA for certain business transactions or areas of activity that have not yet been certified by the EU Commission as having an adequate level of data protection, for example to the USA. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in third countries that are unsafe under data protection law. If such a data transfer should become necessary in individual cases, this will only take place on the basis of an adequacy decision by the European Commission, standard contractual clauses, suitable guarantees for compliance with data protection or your express consent.

Further information on transfers to third countries, including the possible data recipients, can be found in this privacy policy.

B. Use of our websites

In principle, you can visit our websites and use them for information purposes without having to provide any personal data (e.g. register, place orders or otherwise provide information about yourself). In this case, we process personal data of our users only to the extent necessary to provide a functional website and our content and services or to the extent that cookies used on the website provide us with personal information when you visit the website. Information on the cookies we use can be found in Section B, Clauses II. and III.

I. Provision of the website and creation of log files

Description of data processing

Each time you visit our website, our system automatically collects data and information from the computer system of the accessing computer, which your Internet browser automatically transmits to us or our web host (so-called log files). These server log files contain IP addresses or other data that make it possible to assign them to users. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user switches contains personal data. The following information is collected and stored by our hosting provider IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (hereinafter "IONOS"):

  • Browser type and browser version
  • Operating system used
  • Website from which you switched to our website (referrer URL)
  • Host name of the accessing computer
  • Subpage(s) of our website that you visit
  • Date and time of the server request
  • IP address of the Internet connection from which our website is used

The data is stored in the log files of our hosting provider. This data is not stored together with other personal user data.

Legal basis and purpose of data processing

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR. The above information is also required to provide the service in accordance with Section 25 (2) No. 2 TDDDG.

We have concluded an order processing contract with IONOS in accordance with Art. 28 GDPR. This is a contract prescribed by data protection law, which ensures that IONOS processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Temporary storage of the IP address by the system is necessary to enable delivery of the website. For this purpose, the user's IP address must remain stored for the duration of the session. 

Data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems.

Duration of storage / possibility of objection and removal

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. 

If the data is stored in log files, this is the case after 7 days at the latest.

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for users to object to this. 

II. Use of cookies and similar procedures

1. General information on cookies and similar procedures

Description of data processing

Cookies are text files with a characteristic string of characters that are stored in the Internet browser or by the Internet browser on the user's end device and that enable the browser to be uniquely identified when the website is called up again. When a user accesses a website, a cookie may be stored on the user's operating system. A cookie contains a characteristic string of characters. These cookies are used to make a website more user-friendly, effective and secure. When you visit a website on which a cookie is embedded, the data you enter is stored exclusively in the cookie on your computer. In this case, data is only transmitted to the servers of our website when a page request is made.

Some cookies are deleted after the end of the browser session when your browser is closed (so-called session cookies). These cookies are usually technically necessary, e.g. so that you can log in to the application and remain logged in across pages during your visit to our website.

Other cookies remain on your end device for a specified period and enable us to recognize your browser on your next visit (so-called persistent or protocol cookies). The purpose of using these cookies is to be able to offer you optimal user guidance and to "recognize" you and to be able to present you with a website that is as varied as possible and new content on repeated visits.

Cookies that originate from partner companies or third parties may be used, for example, to collect information for advertising, user-defined content or statistics ("third-party cookies"). If we do not identify cookies as originating from third-party providers, the cookies originate from our website ("first-party cookies"). We will inform you separately about third-party cookies or tracking technologies that we use in the following sections of our privacy policy.

Flash cookies are stored as data elements of websites on your computer if they are operated with Adobe Flash. Flash cookies have no time limit.

For more information about which cookies we use to make our website more user-friendly, what purpose they serve and what data is stored in them or transmitted to third parties, please refer to the detailed information provided by our cookie consent tool Borlabs Cookie. To do this, click on the "Cookie settings" button in the footer of our website.

Legal basis and purpose of data processing

The legal basis for the processing of personal data using technically necessary cookies within the meaning of Section 25 (2) TDDDG is Art. 6 (1) (f) GDPR, insofar as these contain personal data. As the website operator, we have a legitimate interest in the best possible functionality and security of the website as well as a user-friendly and effective design of the site visit, unless we ask you for your consent in accordance with Section 25 (1) sentence 1 TDDDG.

On our website, we have integrated a tool for information and management of the cookies we use and any necessary consent ("cookie consent tool") from the provider Borlabs. This tool blocks all categories of cookies that are not required for the proper functioning of the website, unless you consent to the use of additional cookies.

The purpose of using technically necessary cookies is to simplify the use of websites. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognized even after a page change.

Otherwise, the purpose of the cookies we use in the other categories (user settings, analytical cookies, marketing cookies) depends on the services used and is clarified in the following sections of the data protection information.

The legal basis for the data processed using our cookie management tool is Art. 6 para. 1 lit. c GDPR with regard to user consent data, otherwise Art. 6 para. 1 lit. f GDPR and Section 25 para. 2 no. 2 TDDDG. As a website operator, we have a legitimate interest in legally compliant, user-specific and user-friendly consent management for cookies and the legally compliant design of our website.

Duration of storage / possibility of objection and removal

Cookies are stored on the user's end device and transmitted to our website from there. You therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

For example, an objection to the use of cookies for online marketing purposes can be declared via a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/ or generally at http://optout.aboutads.info.

You can click on the "Cookie settings" button in the footer of our website to change your cookie settings. If you then call up/load the website again, you will be asked again for your cookie consent. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

2. Borlabs Cookie (Cookie-Consent-Tool)

Description of data processing

We use the cookie consent tool "Borlabs Cookie" from Borlabs GmbH (hereinafter referred to as "Borlabs"). When you access our website, Borlabs Cookie uses a pop-up window to show you a list of cookies divided into function groups and explains the purpose of the cookie function groups and the individual cookies as well as their storage duration. You can then activate the cookies divided into function groups by clicking on the corresponding box and give your consent to the use of the cookies, or give your consent to all cookies. Please note that the technical cookies are already stored when you enter our website and the corresponding field is preset.

Legal basis and purpose of data processing

The legal basis for the processing of personal data using cookies in Borlabs Cookie is Art. 6 (1) (f) GDPR to safeguard our legitimate interests in the best possible functionality and security of the website and a customer-friendly and effective design of the site visit. For this purpose, Borlabs uses technically necessary cookies to save the content of the consent you have given for your next visit. The use of such necessary cookies serves to facilitate the use of websites for users and is therefore necessary for the provision of the service in accordance with § 25 para. 2 no. 2 TTDSG. We cannot offer some functions of our websites without the use of cookies. For these, it is necessary for the browser to be recognized even after leaving the site.

Duration of storage / possibility of objection and removal

Cookies are stored on the user's device and transmitted to our website by the user. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the corresponding settings in your Internet browser. Cookies that have already been saved can be deleted at any time. The cookie used by Borlabs is a technically necessary cookie for which there is no possibility of objection, as otherwise the cookie consent tool integrated on our website would not be able to store the cookie preferences given by the users.

III. Further information on procedures, plugins and tools used to design the website

1. Content delivery networks

Description of data processing

We design our website with the help of background services, so-called Content Delivery Networks (hereinafter referred to individually or collectively as "CDN"). A CDN is a network of (globally) distributed, high-performance servers that cache content at various locations around the world. For this purpose, personal data can be processed in server log files of the respective CDN. A CDN essentially has two tasks: firstly, to provide content in the shortest possible time and secondly, to relieve the web host by distributing the data traffic. CDNs transmit two types of content: static and dynamic content.

All website visitors receive static content in the same form, such as code frameworks (e.g. JavaScript). Dynamic content is first adapted to the user and only created at the moment of the request. This includes content that takes place via web applications or e-mail and is personalized. In order to be able to use the latter, information about the website visitor must first be transmitted to the CDN.

Cloudflare

We use the "Cloudflare" service. The provider is Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA (hereinafter referred to as "Cloudflare").

Cloudflare offers a globally distributed content delivery network with DNS. Technically, the information transfer between your browser and our website is routed via Cloudflare's network. This enables Cloudflare to analyze the data traffic between your browser and our website and to serve as a filter between our servers and potentially malicious data traffic from the Internet. Cloudflare may also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described here.

Legal basis and purpose of data processing / duration of storage / possibility of objection and removal

The use of the CDN is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the attractive design of our website and the technically secure and simple integration and presentation of content, the technically flawless and fast presentation of our website and the relief of our IT infrastructure.

We have concluded a data processing agreement with Cloudflare in accordance with Art. 28 GDPR. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

The storage of information in your terminal equipment or access to information already stored in the terminal equipment via CDN is absolutely necessary in order to make our website available to you (Section 25 (2) No. 2 TDDDG). Consequently, the user has no option to object.

Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details and further information on security and data protection at Cloudflare can be found here: https://www.cloudflare.com/privacypolicy/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5666.

If the CDN processes the data further independently, it is the sole controller. For further information on data protection and the storage period of the data collected by the CDN, please refer to their data protection notices and information.

2. Google reCaptcha (Invisible reCAPTCHA)

Description of data processing

To protect your login or registration processes and your inquiries in our forms and input masks, we use the reCaptcha service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which is offered in Europe by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google evaluates behavioral data and user actions (in particular mouse movements) of the users for this purpose. In contrast to other reCaptcha methods, the Invisible reCaptcha does not require additional queries (ticking boxes, image puzzles). Instead, a JavaScript element is integrated into the source code. reCaptcha then runs in the background and analyzes user behavior. From the recorded user actions, the reCaptcha software calculates a Captcha score from which Google draws conclusions as to how high the probability is that the following entry is made by a human or abusively by automated, machine processing (so-called "bots").

Google reCaptcha uses so-called "cookies" for this purpose. Google collects the following data: information about the page on which the CAPTCHA is integrated, the IP address of the connection, referrer URL, information on the operating system used, the screen and window resolution, the language set in the browser, the time zone in which you are located, browser plug-ins installed on your end device, the other cookies already installed by Google, mouse and keyboard behavior.

According to Google, the IP address collected is already shortened within the member states of the EU or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases is it transmitted unabridged to servers in the USA, where it is then shortened. According to Google, the IP address transmitted by your browser as part of reCaptcha will not be merged with other Google data. An exception may apply if you are logged into your own Google account at the same time. In this case, however, Google processes your data outside our area of responsibility on the basis of the terms of use concluded between you and Google.

For more information about the processing of data by Google, please read Google's privacy policy: https://policies.google.com/privacy?hl=de.

Legal basis and purpose of data processing

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR for the purpose of ensuring the integrity and functionality of our online offerings and services. We have a legitimate interest in protecting our online offerings and services and their users from misuse (e.g. automated spying, DDoS attacks or spam). The storage of information in your terminal equipment or access to information already stored in the terminal equipment is absolutely necessary in order to be able to make our website available to you (Section 25 (2) No. 2 TDDDG).

Google is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be found at the following link: https://www.dataprivacyframework.gov/list.

Duration of storage / possibility of objection and removal

The collection of data for the provision of the website is absolutely necessary for the operation of our online offers and services. Consequently, there is no possibility for the user to object. You can object to the collection and forwarding of personal data or prevent the processing of this data only by deactivating the execution of JavaScript in your browser or installing a JavaScript blocker. In this case, however, you will not be able to use the functions of our online offers and services.

If you are already logged in to a Google service, Google may merge this data on the basis of the Google terms of use and data protection conditions you have accepted. If you want to avoid this, log out of the Google service beforehand. For further information, please contact Google or see https://policies.google.com/privacy?hl=de.

3. Monitoring the technical operation of our website with Wordfence

Description of data processing

We have integrated Wordfence on this website. The provider is Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA (hereinafter "Wordfence").

Wordfence serves to protect our website from unwanted access or malicious cyberattacks. For this purpose, our website establishes a permanent connection to Wordfence's servers so that Wordfence can compare its databases with the accesses made on our website and block them if necessary.

Legal basis and purpose of data processing

Wordfence is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website as effectively as possible against cyberattacks. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.wordfence.com/help/general-data-protection-regulation/.

Possibility of objection and removal

The use of the Wordfence service is absolutely necessary in order to make the website available securely.

If you want your personal data to be deleted, you can exercise your right of objection and removal as described in the general information under Part A.

4. Language versions of the websites (translations with Weglot)

Description of data processing

On our website we use the translation service Weglot of Weglot SAS, 138, rue Pierre Joigneaux in Bois-Colombes 92270 France. Weglot is loaded when the website is called up and enables the language of the website to be set via corresponding language icons. As soon as a visitor calls up the translated version of the website, they receive the result in their native language in a flash. By integrating the Weglot translation service, a connection is established between your browser and the Weglot servers when you visit our website and your IP address and device information are transmitted to Weglot. A Weglot reverse proxy sends the content of the website to the Weglot API to retrieve the translation. The Weglot reverse proxy sends the response back to the user's browser. Weglot also uses cookies and local storage. The transmitted or further processed data is necessary for the functionality of Weglot.  

The data processed in the context of the use of Weglot is processed by Weglot as a processor on the basis of an order processing agreement in accordance with Art. 28 GDPR in the European Union.

Information on how Weglot handles personal data can be found at https://www.weglot.com/privacy.

Legal basis and purpose of data processing

The legal basis for the data processing carried out in connection with Weglot is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR and the necessity pursuant to Section 25 para. 2 no. 2 TDDDG of making our website available in several languages, including a corresponding selection option for website visitors, unless we request further consent pursuant to Art. 7 GDPR, Section 25 TDDDG.

Possibility of objection and removal

The use of the Weglot service is absolutely necessary in order to make the website available in different language versions.

If you want your personal data to be deleted, you can exercise your right of objection and removal as described in the general information under Part A.

5. Integration of content via Vimeo

Description of data processing

On the basis of our legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), we use content or service offers from Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA (hereinafter: "Vimeo") on our website to integrate video content on our website by means of a plugin. If you want to play the embedded videos using this plugin (by clicking the play button), a connection is established between your browser and a Vimeo server and your IP address is sent to Vimeo, as Vimeo cannot send the video content to your browser without the IP address. The IP address is therefore required for the display.

Our Vimeo videos are all integrated in "do-not-track mode", i.e. no data about you is transmitted to Vimeo if you do not play the videos and only a minimal amount of data is transmitted to Vimeo when you play them. Only when you play videos will the following data be transmitted. Furthermore, details of your interaction (e.g. click on the play button) are transmitted to the Vimeo server and stored there, as well as information about which subpage of our website you have visited. This data transfer is neither initiated by us nor do we have any influence over it. If you are logged into your Vimeo account as a Vimeo member, you also enable Vimeo to assign your usage behavior directly to your personal profile when you play our videos on the basis of the user contract you concluded with Vimeo when you registered your member account. Vimeo uses cookies or comparable recognition technologies (e.g. device fingerprinting) to recognize website visitors. We have no influence on the scope and further use of the data collected and processed by Vimeo. According to Vimeo, user data collected via your user account is analyzed by Vimeo in particular to provide needs-based advertising and to inform other users of the Vimeo platform about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Vimeo to exercise this right.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on "legitimate business interests". You can find details here: https://vimeo.com/privacy.

Further information on data processing by Vimeo can be found in Vimeo's privacy policy https://vimeo.com/privacy.

Legal basis and purpose of data processing

The use of Vimeo is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR to provide video content on our website. We strive to offer you the best possible user experience on our website. And of course, interesting videos are a must. With the help of our embedded videos, we provide you with further helpful content in addition to our texts and images.

If you have given your consent via our cookie consent tool, the data processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR or § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TDDDG. Consent given by our users can be revoked at any time.

Duration of storage / possibility of objection and removal

To prevent your data from being assigned, log out of your Vimeo profile before playing our video content. You have further options for restricting the processing of your data in the general settings of your Vimeo account. In addition to these tools, Vimeo also offers specific data protection settings. Alternatively, you can also set your cookie preferences using the cookie consent tool we have integrated. There you will also find further details on storage duration.

6. Integration of YouTube content

Description of data processing

From time to time, we use content and service offerings from the video platform YouTube to embed video content on our website using a plugin or to link to videos on our YouTube channel on our website. YouTube is a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, offered in Europe by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google").

We may process data entered by you on our YouTube channel (in particular user name and content published by you under your account) if we respond to your posts or messages via our YouTube channel.

Otherwise, we only receive certain non-personal information from Google about post activity, such as the number of profile or media clicks and the viewing time for a specific video. This data can be viewed via our YouTube account. Furthermore, Google is responsible for its own data processing; we have no way of preventing or stopping the use of analysis tools and similar by Google in YouTube.

When you visit a website on which YouTube is integrated, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

We use YouTube in extended data protection mode. According to YouTube, videos that are played in extended data protection mode are not used to personalize surfing on YouTube. Ads that are played in extended data protection mode are also not personalized. No cookies are set in extended data protection mode. Instead, so-called local storage elements are stored in the user's browser, which contain personal data similar to cookies and can be used for recognition. Details on the extended data protection mode can be found here: https://support.google.com/youtube/answer/171780.

You can find more information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

After activating a YouTube video, further data processing operations may be triggered over which we have no influence.

Legal basis and purpose of data processing

YouTube is used on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR to make video content available on our website or to link to it and to process inquiries or comments. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Duration of storage / possibility of objection and removal

To prevent assignment to your user account, log out of your YouTube profile before playing our video content. You must find out about ways to restrict the processing of your data by Google via Google or in your YouTube user account. For example, you can do this in the general settings of your Google account and under "Privacy and security". In addition, you can restrict Google's access to contact and calendar data, photos, location data, etc. in the settings on mobile devices (smartphones, tablet computers). However, this depends on the operating system used.

7. Integration of Google Maps content

We use Google Maps to display interactive maps and to create directions.

To use the functions of Google Maps, it is necessary to store your IP address. For this purpose, Google sets a cookie within the meaning of point B (II) each time Google Maps is called up in order to process user settings and data when the page on which the Google Maps component is integrated is displayed. In particular, Google receives information that you have accessed the corresponding subpage of our website. As a rule, this cookie is not deleted when you close your browser, but expires after a certain period of time unless you delete it manually beforehand. This information is usually transferred to a Google server in the USA and stored there.

We have no influence on this data transmission. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform display of fonts. When you access Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. According to Google, such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, but you must contact Google to exercise this right. For more information on how Google handles personal data, your rights vis-à-vis Google and setting options to protect your privacy, please visit http://www.google.de/intl/de/policies/privacy.

Legal basis and purpose of data processing

The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.

Google also processes your personal data in the USA and is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be found at the following link: https://www.dataprivacyframework.gov/list. Furthermore, the data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

Duration of storage / possibility of objection and removal

If you do not agree with this processing of your data, you have the option of deactivating the Google Maps service and thus preventing the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case you will not be able to use Google Maps, or only to a limited extent.

If you are logged into your Google user account during use, the aforementioned data will be assigned directly to your account. If you do not want this assignment, you must log out of your Google user account before using the Google Maps functions.

IV. Online presence on social networks and platforms

1. Social media

Description of data processing

We maintain further online presences within social networks or industry networks (such as LinkedIn) (hereinafter also referred to as "SN") and platforms and link to them from our website. Clicking on the respective buttons (recognizable by the respective logos of the social networks or platforms) takes you to the respective online presence of the SN. The purpose of these online presences is to communicate with the interested parties and users active there and to inform them about our services.

When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Since the use of SN takes place outside our website or our services, we have no influence on this, unless otherwise stated below. However, we would like to point out that when using the above-mentioned platforms and networks to which we link, data may also be processed in the USA by these SN companies and may also be processed by the respective operators for market research and advertising purposes, including the creation of user profiles. If you are logged in to the respective networks and platforms, they may also store cookies on your device that track your use of our platform or services and other information about your usage behavior.

Unless otherwise stated in our privacy policy, we only process users' data when they communicate with us within the social networks and platforms, e.g. write comments or send us messages.

In order to make it easier for you to obtain information about the respective data processing and the objection options of the respective operators, we refer below to the data protection declarations and information of the operators of the respective networks.

Legal basis and purpose of data processing

We only process your personal data in the context of direct contact with us via the respective SN or interaction with our presence there or its content. Unless otherwise stated in our privacy policy, we only process user data on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR for the effective information of users and communication if they communicate with us within the social networks and platforms (e.g. when users write posts on our online presences or send us messages). If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 sentence 1 lit. b GDPR.

Insofar as personal data is also processed in connection with our presence on an SN and the respective SN alone decides on the purposes and means of processing, the respective SN is otherwise solely responsible for the processing. Please check carefully which personal data you share with us via an SN website. If you wish to prevent SN from processing personal data that you have transmitted to us, please contact us by other means.

Duration of storage / possibility of objection and removal

If you are a member of one of the SNs on which we maintain online presences and do not want the SN to collect data about you via our offer and link it to your data at the SN, you must log out of your SN before visiting our offer. For a detailed description of the respective processing, information on the duration of the storage of data by the respective SN and the opt-out options, we refer to the following linked information from the providers.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

LinkedIn

LinkedIn is a service of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA, operated in Europe by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn is an Internet-based social network that enables users to connect with existing business contacts and make new business contacts. Over 400 million registered people use LinkedIn in more than 200 countries. This makes LinkedIn currently the largest platform for business contacts and one of the most visited websites in the world.

Each time you visit our website, which is equipped with a LinkedIn component (LinkedIn plug-in), this component causes the browser used by the data subject to download a corresponding representation of the LinkedIn component. Further information about the LinkedIn plug-ins may be accessed under https://developer.linkedin.com/plugins. As part of this technical process, LinkedIn receives information about which specific subpage of our website is visited by the data subject.

If the data subject is logged in to LinkedIn at the same time, LinkedIn recognizes which specific subpage of our website the data subject is visiting each time the data subject accesses our website and for the entire duration of their stay on our website. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the data subject. If the data subject clicks on one of the LinkedIn buttons integrated on our website ("Recommend button"), LinkedIn assigns this information to the personal LinkedIn user account of the data subject and stores this personal data.

LinkedIn always receives information via the LinkedIn component that the data subject has visited our website if the data subject is logged in to LinkedIn at the same time as accessing our website; this takes place regardless of whether the data subject clicks on the LinkedIn component or not. If the data subject does not want this information to be transmitted to LinkedIn, they can prevent the transmission by logging out of their LinkedIn account before accessing our website.

LinkedIn offers the option to unsubscribe from email messages, SMS messages and targeted ads and to manage ad settings at https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame, which may set cookies. Such cookies can be rejected at https://www.linkedin.com/legal/cookie-policy. The applicable data protection provisions of LinkedIn may be retrieved under https://www.linkedin.com/legal/privacy-policy. LinkedIn's cookie policy is available at https://www.linkedin.com/legal/cookie-policy.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.linkedin.com/help/linkedin/answer/62538/datenubertragung-aus-der-eu-dem-ewr-und-der-schweiz?lang=de

The company is also certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified in accordance with the DPF undertakes to comply with these data protection standards.

Possibility of objection: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out 

V. Active use of our website and services

1. Contact form and e-mail contact

Description of data processing

Contact forms are available on our website which can be used to contact us electronically. If a user makes use of this option, the data entered in the input mask will be transmitted to us and stored:

  • First name (mandatory)
  • Name (mandatory)
  • E-mail (mandatory)
  • Role (mandatory information)
  • How did you hear about us?
  • Name of your company/employer
  • Request for documents (voluntary information)
  • Message (voluntary information)

When you send your message via one of our contact forms, the following data is also stored:

  • Date and time of use of the form

We created our contact form using the cloud-based project and work management platform monday.com, which is used to deliver the form and send it to us. We also use monday.com as a customer relationship management tool. The data you enter in the contact form is transferred to our CRM system and stored on monday.com's servers in the European Union.

Alternatively, it is possible to contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored.

Legal basis and purpose of data processing

The legal basis for the processing of data transmitted in the course of sending a contact form request or an email is Art. 6 para. 1 lit. f GDPR. If the contact form request or the e-mail contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

The processing of the personal data from the input mask serves us solely to process the contact. If you contact us by email, this also constitutes the necessary legitimate interest in processing the data.

User data may also be stored in a CRM system or comparable inquiry organization on the basis of our legitimate interests.

The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

Duration of storage / possibility of objection and removal

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input screen of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified and no legal requirements necessitate longer storage.

Users have the option of withdrawing their consent to the processing of personal data at any time. If a user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case, provided that no legal requirements require longer storage.

monday.com is used as a dispatch service provider on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and an order processing agreement pursuant to Art. 28 para. 3 sentence 1 GDPR.

2. Audio and video conferencing

Description of data processing

We use online conferencing tools, among others, to communicate with our customers. The individual tools we use are listed below. If you communicate with us by video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" in connection with the communication process (metadata).

Furthermore, the provider of the tool processes all technical data that is required to process the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is exchanged, uploaded or provided in any other way within the tool, it is also stored on the tool provider's servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full control over the data processing procedures of the tools used. Our options are largely determined by the company policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed below this text.

Legal basis and purpose of data processing

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). If consent has been requested, the tools in question are used on the basis of this consent; consent can be withdrawn at any time with effect for the future.

Duration of storage / possibility of objection and removal

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

3. Newsletter & newsletter data analysis

Description of data processing

We would like to inform our business customers and interested parties at regular intervals with promotional messages about our services and other products, services, coaching, webinars, innovations or news at ITHM by e-mail or other electronic notifications (hereinafter referred to as "newsletter"). We need your e-mail address for this purpose. In the respective newsletter registration forms, further information may be requested in order to send you personalized content tailored to your interests.

You can subscribe to our newsletters by using the corresponding function of a registration form to subscribe to our newsletter or during a registration process by ticking a box (so-called opt-in). For this purpose, we provide various options for registering for our (possibly topic-specific) newsletters on our websites or in the context of registration or order interfaces. The details of the respective contents of the newsletters are specifically described in the respective registration form. This description is decisive for your consent.

In addition to your e-mail address and your name, the IP address and the registration date ("timestamp") are stored for verification purposes when sending the newsletter.

Following your registration, we will send you an e-mail asking you to confirm your newsletter subscription again (so-called double opt-in procedure). This confirmation is necessary to rule out the possibility that someone else has misused your e-mail address to subscribe to our newsletter under a different address. Your e-mail address will only be activated for sending the newsletter once the hyperlink in the e-mail has been activated.

If you opt for a newsletter, we store your data in our customer relationship management tool (monday.com). We use Mailchimp (newsletter service provider) to send our newsletter. The data you enter for the purpose of subscribing to the newsletter is stored on Mailchimp's servers in Germany.

With the help of Mailchimp, it is also possible for us to analyze our newsletter campaigns. For the purpose of analysis, the emails sent with Mailchimp contain a so-called tracking pixel, which connects to the Mailchimp servers when the email is opened. This allows us to see, for example, whether a newsletter message has been opened. Optionally, links in the email can be set as tracking links with which your clicks can be counted. Furthermore, we can use Mailchimp to determine whether and which links in the newsletter message are clicked on.

We can also recognize whether certain previously defined actions were carried out after opening/clicking (conversion rate). For example, we can recognize whether you have made a purchase after clicking on the newsletter.

After you unsubscribe from the newsletter distribution list, your e-mail address will be blocked for future newsletter distribution and stored in a blacklist.

Legal basis and purpose of data processing / data recipients

The legal basis for sending newsletters is the consent given by you as the recipient in accordance with Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR in conjunction with Section 7 para. 2 no. 3 UWG ("Act against Unfair Competition") or, if consent is not required for existing customers in accordance with Section 7 para. 3 UWG, our legitimate interest in direct marketing measures in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG.

The logging in the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in a secure and targeted newsletter system that meets both our business sales interests and the ideas and needs of the recipients, as well as in the verifiability of the consents given.

The storage of your e-mail address in a blacklist after you have been removed from the newsletter distribution list serves both your interest and our interest in complying with the legal requirements when sending newsletters (Art. 6 para. 1 lit. f GDPR).

Mailchimp is used as a mailing service provider on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and an order processing agreement pursuant to Art. 28 para. 3 sentence 1 GDPR.

Further information and Mailchimp's applicable privacy policy can be found at https://www.intuit.com/privacy/statement/.

Duration of storage / possibility of objection and removal

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.

You can object to the sending of the newsletter at any time or revoke your consent to receive the newsletter. You will find an unsubscribe link at the end of each newsletter. You can also contact us directly using our contact details.

If you do not wish to be analyzed by monday.com, you must unsubscribe from the newsletter.

Unsubscribing from the newsletter does not affect business communication. If this is necessary for the purpose of processing the contract, your data will remain stored by us. Furthermore, we reserve the right to store the necessary evidence until the expiry of the statutory limitation periods in order to prove that the newsletter has been sent in compliance with the law.

Storage in the blacklist is not limited in time.

VI Management systems

Description of data processing

We use functionalities of the project and work management platform monday.com. In particular, we use monday.com as a customer relationship management (CRM) system. monday.com is a cloud-based software solution from monday.com Ltd, 6 Yitzhak Sadeh Street, Tel Aviv, 6777506, Israel.

monday.com is an integrated software solution with which we also cover various aspects of our project and work management, including online marketing. This includes, among other things, email marketing, reporting and contact management (e.g. user segmentation & CRM). We also use monday.com to manage and implement inbound marketing in connection with various functionalities of our online presences.

The stored information is saved on monday.com servers. The processed data can be used by us to contact visitors to our website or users of our services and to determine which of our company's services are of interest to them.

When using monday.com, personal data such as names, e-mail addresses, job titles, contact details, usage data (e.g. how and when the services are used), and payment information are processed. This information is necessary to provide the services, manage user accounts, make support requests and improve the user experience.

Further information and the applicable data protection notices of monday.com can be viewed at https://monday.com/l/privacy/privacy-policy/.

Legal basis and purpose of data processing

We use the information collected via monday.com on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in up-to-date and effective customer management and customer communication as well as to optimize our service and sales processes.

The operating company of the service and thus the recipient of the personal data is based in a country that has been recognized by the European Commission as having an adequate level of data protection. Therefore, no additional guarantees are required for data transmission to monday.com. However, we have concluded the necessary contract with monday.com Ltd. as our processor in accordance with Art. 28 GDPR (https://monday.com/l/de/unkategorisiert/nachtrag-zur-datenverarbeitung-data-processing-addendum-dpa-2/).

Duration of storage / possibility of objection and removal

Your data will be deleted from our CRM system when the respective purpose of storage (in particular the termination of a customer relationship) no longer applies and there are no other legal exceptions to the contrary. You can also exercise your right of objection and removal as described in the General Information under Section A.

VII Applications / Applicant pool

Description of data processing

From time to time, we provide targeted information on our website or our SN appearances about vacancies and, if applicable, about the opportunity to complete internships or apprenticeships with us, or to work for us as part of a dual study program or as a working student.

We process contact details (in particular first and last name, e-mail, telephone number), curriculum vitae, information on professional development, qualifications or language skills in order to contact you about job offers or to check the accuracy of your details from the application documents.

We use online application forms from Personio. The provider is Personio SE & Co. KG, Seidlstraße 3, 80335 Munich. Applicants can send us their applications here using an online form provided by Personio. This information is transmitted to a Personio server and stored there in a database. Further information on information processing by the external software provider Personio can be found at the following link: https://www.personio.de/datenschutzerklaerung/.

If you send us your application as part of a job offer or an unsolicited application, we regularly process personal master data and contact data such as first and last name, address, e-mail address, telephone number, date of birth and, in addition, the data that you send us with your application documents (CV, photographs, certificates, etc.). If you provide us with data, the scope of the data processed in detail depends largely on the position to be filled. As a minimum, we require data relating to your previous educational/professional background, your qualifications, your skills and personal details in order to be able to assess whether your application is suitable for the vacant position. In this context, the processing of your data is usually absolutely necessary for the preparation and completion of the application process. If you do not provide us with any or sufficient data, this may result in us being unable to consider you as an applicant for the position, having to reject you as an applicant or no longer being able to carry out the application process.

We do not require any information from you that is not usable under the General Equal Treatment Act under German law or any other national or international equal treatment law. Please also do not forward any confidential information or trade secrets of your former or current employer to us.

At our company, those employees or organizational units receive your data who need it to fulfill our contractual and legal obligations or to process or pursue our legitimate interests, primarily the HR department and the management level of the specialist department within which the position is to be filled.

In accordance with § 164 Para. 1 S. 4 SGB IX, we are obliged to inform the responsible representative body for severely disabled persons of every application received from people with a severe disability and to provide the relevant data on the applicant.

If we do not make you a job offer, you may have the opportunity to be included in our applicant pool. If you are accepted, all documents and details from your application will be transferred to the applicant pool so that you can be contacted in the event of suitable vacancies.

Legal basis and purpose of data processing / data recipients

Personal data is processed primarily for the purpose of personnel selection to fill vacancies for the initiation of an employment contract (Art. 6 para. 1 lit. b GDPR).

Based on a balancing of interests, data processing may take place beyond the actual initiation of an employment contract in order to safeguard our legitimate interests in the selection of personnel and assessment of whether an applicant and the position to be filled are a good match (Art. 6 para. 1 lit. f GDPR). This is permissible unless your interests or fundamental rights and freedoms outweigh the need to protect personal data. Data processing to safeguard legitimate interests takes place, for example, when using job exchanges, recruitment agencies and service providers to carry out recruiting procedures.

CVs, certificates and other data provided to us by you may contain particularly sensitive information about mental and physical health, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union or political party or sex life. If you voluntarily provide us with such special personal data (see Art. 9 para. 1 GDPR), the processing is carried out under the additional conditions of Art. 9 para. 2 GDPR.

The use of Personio is in the interest of an appealing presentation of our online offers and in the interest of a GDPR-compliant application process in the context of job advertisements published by us. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. We have also concluded an agreement with Personio for the processing of data on our behalf in accordance with Art. 28 GDPR.

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.

Duration of storage / possibility of objection and removal

Severely disabled applicants have the right to refuse the involvement of the responsible representative body for severely disabled persons in accordance with Section 164 (1) sentence 8 SGB IX and thus prevent them from being informed. Please let us know in your application whether you refuse to involve the relevant representative body for severely disabled persons.

If you are rejected after the application process has ended, or if you withdraw your application beforehand, we will store your data for a period of 6 months from this point in time in order to be able to meet any obligations to provide evidence under the General Equal Treatment Act (AGG) and to defend ourselves against any legal claims.

In the event of a successful application, we store the applicant data provided in the personnel file for the purpose and for the duration of the employment relationship.

C. Registration on the website & offer and implementation of events

I. Registration on our website

Description of data processing

You can register on our website in order to use additional functions. We will only use the data you enter for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise we will reject the registration. For the registration and administration of users, we use WP-Members, an application from the provider RocketGeek, P.O. Box 202 Washington, GA 30673, USA. In this context, we concluded a data protection agreement with RocketGeek on February 1, 2025. Further information on this can be obtained from the provider at the following link: https://rocketgeek.com/privacy-policy/.

In the event of important changes, for example to the scope of the offer or technically necessary changes, we will use the e-mail address provided during registration to inform you in this way.

Legal basis and purpose of data processing

The legal basis for the processing of the data collected during registration is Art. 6 para. 1 lit. b GDPR due to the intended conclusion of a contract, otherwise Art. 6 para. 1 lit. f GDPR in order to detect and combat harmful behavior and to detect and prevent other negative experiences, to maintain the integrity of our user accounts and to promote protection and security. Both we and users of our services have an interest in preventing, detecting or investigating illegal activity, fraud or security breaches. The above information is also required to provide the service in accordance with Section 25 (2) No. 2 TDDDG.

The processing of the personal data from the input mask serves us to provide the user account and to provide any further services and content that may be made available through it.

The data entered during registration may also be processed on the basis of your consent (Art. 6 para. 1 lit. a GDPR) if we ask you for such consent. You can withdraw your consent at any time. The legality of the data processing that has already taken place remains unaffected by the revocation.

II Registration and completion of our events

Description of data processing

We use the lu.ma platform of Luma Inc., 548 Market St PMB 36143, San Francisco, CA 94104, USA to describe our events and to register and invite eligible participants. As soon as you click on one of our event buttons, you will leave our website and be redirected to our individual event page on lu.ma.

If you submit a membership request or register for our events via the lu.ma platform, the data you provide in the respective form (usually name, e-mail, company and role/job description) will be used for participant management and any event information and event analytics sent to you.

"Event Analytics" means the recording and counting of registered participants based on their domain, e.g. "insurtech-munich.com" and the evaluation of participants versus registered persons on this anonymized basis.

If you opt to continue to receive information about formats, events and updates by e-mail in the future, you will receive a confirmation message; subject to your response (double opt-in procedure), we will store your data in our customer relationship management tool (monday.com).

For participant management, for the creation of event analytics and for obtaining any consent, including implementation of the double opt-in procedure, your data is anonymized as far as possible using a Zapier interface and copied into our customer relationship management tool monday.com. For this purpose, we have concluded an order processing agreement with the provider of the interface (https://zapier.com/legal/data-processing-addendum).

Further information on data protection at the Lu.Ma event platform can be found at: https://lu.ma/privacy-policy 

Legal basis and purpose of data processing

The legal basis for the processing of the data sent in the course of sending an electronic registration is Art. 6 para. 1 lit. b GDPR due to the intended conclusion of a contract, otherwise Art. 6 para. 1 lit. f GDPR.

The processing of personal data from the registration form serves us to process the respective registration and to provide the selected learning content.

We have concluded a corresponding contract with Memberspot as our processor in accordance with Art. 28 GDPR.

Duration of storage / possibility of objection and removal

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from a user account, this is usually the case when a user terminates their user account or their membership ends, at the latest when no legal requirements necessitate longer storage.

III Implementation of digital events / conferences using Microsoft Teams

Description of data processing

At the date and time of a digital event or conference specified by us, participants can access the Microsoft Teams web application via a participation link sent to them. Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter: "Microsoft") is the provider responsible for data processing. Microsoft Teams is part of the Office 365 cloud application, for which a user account must always be created. However, accessing the Microsoft website is only necessary in order to download the software required to use "Teams". "Teams" can also be used if the respective meeting ID and login data for the meeting are entered directly in the "Teams" app. If participants do not want to or cannot use the "Teams" app, the basic functions can also be used via a browser version, which is also provided by Microsoft.

Microsoft processes the following data as part of the implementation of a digital event:

  • User details: first name, last name, e-mail address, password
  • Metadata: Topic and description of the event, participant IP addresses, device/hardware information
  • When dialling in with the telephone: information on the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
  • Text, audio and video data: Participants have the opportunity to use the chat, question or survey functions in an "online meeting". In this respect, the text entries made by the participants are processed in order to display them as part of the digital event. In order to enable the display of video and the playback of audio, the data from the microphone of the end device and from any video camera of the participants' end device are processed accordingly during the duration of the meeting. Participants can switch off or mute the camera or microphone themselves at any time via the "Teams" applications. In this case, no corresponding data will be processed by Microsoft.
  • For recordings of the event: MP4 file of the video, audio and presentation recordings, M4A file of the audio recordings, text file of the online meeting chat.

The scope of the data actually processed also depends on what data a user discloses before or during participation in the event.

Please note that Microsoft reserves the right to process participant data in connection with the use of Teams for its own purposes on the basis of the respective user agreement and Microsoft's terms and conditions. We have no influence on this data processing by Microsoft. To the extent that Microsoft Teams processes personal data in connection with Microsoft's legitimate business operations, Microsoft is an independent controller for such use and as such is responsible for compliance with all applicable laws and obligations. For more information on the purpose and scope of data collection and its processing by Microsoft Teams, please refer to Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.

If we record events, we will inform you transparently in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the "Teams" app. If we do not ask for your separate consent, only the presentation part of the event will be recorded, which does not contain any personal data of the participants or content from them. To ensure this, we do not allow any audio or video recordings of the participants during the presentation part. We do not record the Q&A session that may follow the presentation part of an event.

Legal basis and purpose of data processing

The legal basis for data processing during the implementation of our digital event is Art. 6 para. 1 lit. b GDPR, insofar as the events are carried out within the framework of a contractual relationship.

Insofar as we obtain your express consent in special situations, such as recordings, Art. 6 para. 1 lit. a GDPR is the legal basis.

If there is no contractual relationship or the data processing is not directly necessary for the performance of the contract, the legal basis is Art. 6 para. 1 lit. f GDPR. Here, too, our interest lies in the effective implementation of our digital events as well as in the presentation, validation and follow-up of our event. In particular, data on participation in our events is used to enable us to bill and/or provide proof of service provision to third parties and to enable us to control and manage our events. In particular, this data is used to enable us to evaluate the capacity utilization of our events and thus to draw conclusions about the interests of the participants. With these findings, we can understand whether and in which areas future events need to be adapted or optimized.

Microsoft is certified in accordance with the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/list

Duration of storage / possibility of objection and removal

The data stored by us will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the event, this is the case after the conclusion of an event contract at the earliest when the respective event service has been provided in full. As a rule, however, we retain contract-related data beyond this until the expiry of the statutory warranty obligations. In the event of a subsequent statutory archiving obligation, the data concerned will be deleted after the period has expired.

IV. Implementation of digital events / conferences via Zoom Webinars

Description of data processing

At the date and time of a digital event or conference specified by us, participants can access the Zoom web application via a participation link sent to them. Zoom Communication Inc., 55 Almaden Blvd, San Jose, CA 95113 (hereinafter: "Zoom") is the provider responsible for data processing. Zoom Webinars is part of the Zoom Workplace cloud application, for which a user account must always be created. However, accessing the Zoom website is only necessary in order to download the software required to use Zoom. "Zoom" can also be used if the respective meeting ID and login data for the meeting are entered directly in the "Zoom" app. If participants do not want to or cannot use the "Zoom" app, the basic functions can also be used via a browser version, which is also provided by Zoom.

Zoom processes the following data as part of the implementation of a digital event:

  • User details: first name, last name, e-mail address, password
  • Metadata: Topic and description of the event, participant IP addresses, device/hardware information
  • When dialling in with the telephone: information on the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
  • Text, audio and video data: Participants have the opportunity to use the chat, question or survey functions in an "online meeting". In this respect, the text entries made by the participants are processed in order to display them as part of the digital event. In order to enable the display of video and the playback of audio, the data from the microphone of the end device and from any video camera of the participants' end device are processed accordingly during the duration of the meeting. Participants can switch off or mute the camera or microphone themselves at any time via the "Teams" applications. In this case, no corresponding data will be processed by Microsoft.
  • For recordings of the event: MP4 file of the video, audio and presentation recordings, M4A file of the audio recordings, text file of the online meeting chat.

The scope of the data actually processed also depends on what data a user discloses before or during participation in the event.

Please note that Zoom reserves the right to process participant data in the context of the use of Zoom for its own purposes on the basis of the respective user contract and the terms and conditions of Zoom. We have no influence on this data processing by Zoom. To the extent that Zoom processes personal data in connection with Zoom's legitimate business operations, Zoom is an independent controller for such use and as such is responsible for compliance with all applicable laws and obligations. For more information on the purpose and scope of data collection and its processing by Zoom, please refer to Zoom's privacy policy at https://www.zoom.com/de/trust/privacy/privacy-statement/.

If we record events, we will inform you transparently in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the "Zoom" app. Unless we ask for your separate consent, only the presentation part of the event will be recorded, which does not contain any personal data of the participants or content from them. To ensure this, we do not allow any audio or video recordings of the participants during the presentation part. We do not record the Q&A session that may follow the presentation part of an event.

Legal basis and purpose of data processing

The legal basis for data processing during the implementation of our digital event is Art. 6 para. 1 lit. b GDPR, insofar as the events are carried out within the framework of a contractual relationship.

Insofar as we obtain your express consent in special situations, such as recordings, Art. 6 para. 1 lit. a GDPR is the legal basis.

If there is no contractual relationship or the data processing is not directly necessary for the performance of the contract, the legal basis is Art. 6 para. 1 lit. f GDPR. Here, too, our interest lies in the effective implementation of our digital events as well as in the presentation, validation and follow-up of our event. In particular, data on participation in our events is used to enable us to bill and/or provide proof of service provision to third parties and to enable us to control and manage our events. In particular, this data is used to enable us to evaluate the capacity utilization of our events and thus to draw conclusions about the interests of the participants. With these findings, we can understand whether and in which areas future events need to be adapted or optimized.

Zoom is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5728.

Duration of storage / possibility of objection and removal

The data stored by us will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the event, this is the case after the conclusion of an event contract at the earliest when the respective event service has been provided in full. As a rule, however, we retain contract-related data beyond this until the expiry of the statutory warranty obligations. In the event of a subsequent statutory archiving obligation, the data concerned will be deleted after the period has expired.

D. Miscellaneous

Due to the further development of our website, our services or our other offers as well as due to changed legal or official requirements, it may become necessary to change this privacy policy. You can call up the current data protection declaration on our website at any time and print it out if required.