Our Privacy Policy

In this privacy policy, we inform you about the processing of personal data when using our website www.exnaton.com. The contact person and so-called person responsible for processing your personal data when you visit this website within the meaning of the General Data Protection Regulation (GDPR) is:

Exnaton
Zeughausstraße 31
8004 Zurich
switzerland
Accessible at info@exnaton.com or www.exnaton.com

If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection team at any time. This can be reached at the above postal address and at the email address provided above.
We expressly point out that when using this email address, the content will not only be read by our data protection team. If you would like to share sensitive information, please use this email address to contact you directly first.

1. Data processing on our website

1.1. Accessing our website/ connection data

Each time you use our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data comprises so-called HTTP header information, including the user agent, and includes in particular:

  • IP address of the requesting device;
  • method (e.g. GET, POST), date and time of the request;
  • address of the requested website and path of the requested file;
  • If applicable, the previously accessed website/file (HTTP referrer);
  • information about the browser and operating system used;
  • version of the HTTP protocol, HTTP status code, size of the delivered file;
  • request information, such as language, content type, content encoding, character sets;
  • Cookies stored on the device for the accessed domain.

The processing of this connection data is absolutely necessary to enable you to visit the website, to ensure the long-term functionality and security of our systems and to maintain our website administratively in general. The connection data is also stored temporarily and in terms of content in internal log files for the purposes described above, in order to find the cause and take action against this, for example in the event of repeated or criminal calls that jeopardize the stability and security of our website.

The legal basis for this processing is Art. 6 para. 1 lit. b DSGVO, insofar as the page is accessed in the course of initiating or executing a contract, and otherwise Art. 6 para. 1 lit. f DSGVO based on our legitimate interest in making it possible to access the website and the long-term functionality and security of our systems.

The log files are generally stored for a short period of time and then anonymized. As an exception, individual log files and IP addresses are kept longer in order to prevent further attacks from this IP address in the event of cyber attacks and/or to take action against the attackers by means of prosecution.

1.2. Contacting

There are various ways to get in touch with us. This includes various contact forms and contact via e-mail. In this context, we process your data exclusively for the purpose of communicating with you.

The legal basis for this processing is Art. 6 para. 1 lit. b DSGVO, insofar as your information is required to answer your request or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR due to our legitimate interest that you contact us and we can answer your request. We only make promotional telephone calls if you have given your consent to do so. If you are not an existing customer, we will only send you promotional emails based on your consent. In these cases, the legal basis is Art. 6 para. 1 lit. a DSGVO in conjunction with § 7 para. 2 no. 1 or 2 UWG.

The data we collect when you contact us will be automatically deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations (see section 6 “Storage period”).

1.3. Register to receive the PowerQuartier demo

You have the option to log on to our website to get access to our PowerQuartier demo. We have marked the mandatory data you provide as mandatory fields. Without this data, registration is not possible.

The following data may be processed as part of registration:

  • first and last name;
  • company (optional);
  • email address;
  • telephone (optional);
  • Preferred language.

The legal basis for processing the data required for registration (mandatory fields) is Art. 6 para. 1 lit. b GDPR. We process optional data such as company and telephone number in order to also reach you by telephone regarding the demo and to respond to your company. For the optional data, the legal basis is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

1.4. Offers and invoices for PowerQuartier

If you are interested in our PowerQuartier product, an offer requires us to process your personal data, which we need to prepare a suitable offer. If you accept our offer and a contract is concluded between us, it is necessary for invoicing to process your personal data, which we need to prepare the respective invoice. We use the bexio software to create and send our offers and invoices. The provider of the platform is bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (hereinafter: bexio).

In the case of an offer and as part of invoicing, we process and transmit the following mandatory information to bexio to prepare an offer and to prepare our invoices:

  • master data (title, first and last name, company, address, customer number;
  • contact details (email address);
  • order data (order number, order date, order quantity, order amount, delivery address, billing address, payment method, delivery method, order history, delivery status);
  • Contract data (contract period, contract number, contract partner).

The legal basis for processing is Art. 6 para. 1 lit. b DSGVO. Optionally, information such as telephone and fax numbers is possible so that we can also contact you via these channels if you have any questions. For the optional data, the legal basis is our legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO.

We store your personal data for as long as it is necessary for the contractual relationship and insofar as legal regulations establish an obligation to store it. In the present case, the storage period for offers and invoices is 10 years.

We have concluded an order processing contract with bexio. We base the transfer of data to Switzerland on the adequacy decision issued by the EU Commission for Switzerland in accordance with Article 45 GDPR, which recognizes it as a safe third country. You can find out more about data processing as part of order processing at: https://cdn.www.bexio.com/assets/content/documents/legal/auftragsverarbeitung_DE.pdf. For more information on data processing, please see bexio's privacy policy: https://www.bexio.com/de-CH/richtlinien/datenschutz.

1.5. Newsletters with Mailchimp

You have the option to subscribe to our newsletter, in which we regularly inform you about news about Exnaton, PowerQuartier and ongoing projects. To send our newsletter, we use the Mailchimp platform to be able to organize and analyze the sending of our newsletters. The provider of the platform is The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (hereinafter: Mailchimp).

1.5.1. Sign up for the newsletter

The following personal data is processed and transmitted to Mailchimp as part of the subscription to the newsletter:

  1. first name;
  2. last name;
  3. email address;
  4. language;
  5. date of registration;
  6. IP address used to log in.

You can update the data provided with a link in the emails. The so-called double opt-in procedure is used to order our newsletters, i.e. we will only send you newsletters by e-mail when you confirm by clicking on a link in the notification email that you are the owner of the e-mail address provided. If you confirm your email address, the above data will be stored by us and on Mailchimp's servers until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to be able to prove your registration. In addition, we measure whether our newsletter can be delivered at all.

The legal basis for processing is your consent in accordance with Article 6 (1) (a) GDPR. These can be withdrawn at any time with effect for the future by unsubscribing from the newsletter. There is a corresponding unsubscribe link in every newsletter. A message to the contact details provided above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this.

1.5.2. Newsletter tracking

Through our newsletter, we want to share content that is as relevant as possible for our customers and better understand what they are actually interested in. For this reason, technologies are used in our newsletters that can be used to measure interactions with the newsletters (e.g. opening the email, links clicked, websites opened). This is done with the help of small graphics that are embedded in the newsletter (so-called pixels) and connect to the image server when the email is opened. Mailchimp also collects technical information about your device (e.g. IP address, device information, operating system, browser ID). This data is used for general statistical evaluations and to optimize and develop our content and customer communication.

The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR. Access to the information in the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, for example in Germany in accordance with Section 25 (1) TTDSG.

You can withdraw your consent to the analysis of user behavior at any time with effect for the future by unsubscribing from the newsletter. There is a corresponding unsubscribe link in every newsletter. You can also prevent the opening of an email from being measured by deactivating graphics or the output of HTML content in your email program by default.


1.5.3. Data transfer to Mailchimp

We have concluded an order processing contract with Mailchimp. Due to the transfer of data to the USA, we have also concluded standard contractual clauses from the EU Commission (Implementing Decision (EU) 2021/914, Module 2). You can find out more about data processing as part of order processing at: https://mailchimp.com/legal/data-processing-addendum/. For more information about data processing, please see Mailchimp's privacy policy: https://www.intuit.com/privacy/statement/.


1.6. Webinar invitations with Hubspot

To manage our customers and sales contacts and to send invitations to our webinars, we use the services of the provider HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA (hereinafter: HubSpot).

The following personal data is processed and transmitted to HubSpot as part of using HubSpot or managing customers and contacts and sending invitations to webinars:

  • first name;
  • last name;
  • email address;
  • company name;
  • Information about the open deal to initiate business.

The legal basis for this data processing is our legitimate interest in accordance with Article 6 (1) (f) GDPR. This can be withdrawn at any time with effect for the future by unsubscribing. A corresponding unsubscribe link is included in every email. A message to the contact details provided above (e.g. by e-mail or letter) is of course also sufficient for this.

If you register for our webinars, the above data will be stored by us and on HubSpot's servers until you withdraw your consent and unsubscribe. The sole purpose of this storage is to send you the invitations and to be able to prove your registration. We also measure whether our invitation can be delivered at all.

We have concluded an order processing agreement with HubSpot. The data generated in this context can be transmitted by HubSpot to a server in the USA and stored there. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with HubSpot (Implementing Decision (EU) 2021/914, Module 2) in accordance with Art. 46 (2) lit. c GDPR. In addition, we also obtain your express consent in accordance with Article 49 (1) (a) GDPR to transfer your data to third countries.

For more information, please refer to HubSpot's privacy policy: https://legal.hubspot.com/de/privacy-policy.


1.7. Job applications

You can apply for open positions with us via our website. The purpose of data collection is to select applicants for the possible establishment of an employment relationship.

We use the Personio service to receive and process your application. The provider of the service is Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany (hereinafter: Personio). As part of the application process, all data that we receive from you with your application is processed. This includes in particular the following personal data (hereinafter “application data”):

  • first and last name;
  • email address, telephone number;
  • application documents (e.g. certificates, curriculum vitae);
  • date of the earliest possible start of a job;
  • salary expectation.

The legal basis for processing your application data is Art. 6 para. 1 lit. b and Art. 88 para. 1 GDPR in conjunction with the respective national legal basis, in Germany, for example, § 26 para. 1 p. 1 BDSG. As a German provider, Personio is subject to the GDPR.

We save your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data as long as it is necessary for the employment relationship and insofar as legal regulations establish an obligation to store it.

If we reject your application, we will store your application data for a maximum of three months after the rejection of your application, unless you give us your consent to store it for a longer period of time. If you have given us your separate consent in accordance with Article 6 (1) (a) GDPR, we will store the data you provided as part of the application process in our pool of applicants for a further twelve months after completion of the application process in order to identify any other positions of interest to you and, if necessary, to contact you again. After the deadline, the data will be deleted. You can withdraw this consent at any time with effect for the future.


2. Use of tools on the website

2.1. Technologies used

This website uses various services and applications (collectively, “tools”), which are offered either by ourselves or by third parties. These include in particular tools that use technologies to store or access information on the device:

  • Cookies: Information stored on the device, consisting in particular of a name, a value, the storing domain and an expiration date. So-called session cookies (such as PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiration date. Cookies can also be removed manually.
  • Web Storage (Local Storage/Session Storage): Information stored on the device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiration date and generally remains stored unless a deletion mechanism has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be removed manually.
  • JavaScript: programming codes (scripts) embedded or called up on the website, which, for example, set cookies and web storage or actively collect information from the device or about the usage behavior of visitors. JavaScript can be used for “active fingerprinting” and the creation of user profiles. A setting in the browser can block JavaScript, but most services will then no longer work.
  • Pixels: tiny graphic automatically loaded by a service, which can make it possible to recognize visitors through the automatic transmission of usual connection data (in particular IP address, information about browser, operating system, language, address accessed and time of access) and to identify, for example, when an e-mail has been opened or visited a website. With the help of pixels, “passive fingerprinting” and the creation of user profiles can be carried out. The use of pixels can be prevented, for example, by blocking images, for example in emails, but the display is then severely restricted.

With the help of these technologies and also by simply establishing a connection on one page, so-called”fingerprints“create, i.e. user profiles that do not require the use of cookies or web storage and can still recognize visitors. Fingerprints due to the connection setup cannot be completely prevented manually.

By default, most browsers are set to accept cookies, script execution, and graphics. However, you can usually adjust your browser settings to reject all or specific cookies or block scripts and graphics. If you completely block the storage of cookies, the display of graphics, and the execution of scripts, our services will probably not work or will not work without interruption.

The tools we use are listed below by category, and we will inform you in particular about the providers of the tools, the storage period of cookies or information in local storage and session storage, and the transfer of data to third parties. It also explains in which cases we obtain your voluntary consent to use the tools and how you can withdraw it.


2.2. Legal basis and revocation

2.2.1. Legal basis

Based on our legitimate interest in accordance with Article 6 (1) (f) GDPR, we use tools necessary for website operation to provide the basic functions of our website. In certain cases, these tools may also be necessary to fulfill a contract or to carry out pre-contractual measures, in which case the processing takes place in accordance with Art. 6 para. 1 lit. b GDPR. Access to and storage of information on the device is absolutely necessary in these cases and is based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TTDSG.

We use all other unnecessary (optional) tools that provide additional functions based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, for example in Germany in accordance with Section 25 (1) TTDSG. Data processing using these tools only takes place if we have received your consent in advance.

If personal data is transferred to third countries (such as the USA), we refer you to section 5 (“Data transfer to third countries”), also with regard to any associated risks. We will let you know if there is an adequacy decision for the third country concerned or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we will (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Article 49 (1) (a) GDPR.


2.2.2. Obtaining your consent

We use the Google Analytics tool to obtain and manage your consent. This creates a banner that informs you about data processing on our website and gives you the option to agree to all, individual or no data processing using optional tools. This banner appears the first time you visit our website and when you revisit your settings to change them or withdraw your consent. The banner also appears on further visits to our website, provided that you have deactivated the storage of cookies or the cookies or information in Google Analytics local storage have been deleted or have expired.

As part of your website visit, your consents or revocations, your IP address, information about your browser, your device and the time of your visit are transmitted to Google Analytics. Google Analytics also stores the necessary information on your device to document the consents and withdrawals you have given.

Data processing by Google Analytics is necessary to provide you with the legally required consent management and to comply with our documentation requirements. The legal basis for using Google Analytics is Art. 6 para. 1 lit. f DSGVO, based on our interest in meeting the legal requirements for consent management. Access to and storage of information on the device is absolutely necessary in these cases and is based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TTDSG.


2.2.3. Withdraw your consent or change your choices

You can withdraw your consent for certain tools, i.e. for the storage and access to information on the device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. Please send us an e-mail to gdpr@exnaton.com. Alternatively, you can withdraw your consent directly from the provider for certain tools.


2.3. Necessary tools

We use certain tools to enable the basic functions of our website (“necessary tools”). These include tools for preparing and displaying website content, managing and integrating tools, detecting and preventing fraud, and ensuring the security of our website. Without these tools, we would not be able to provide our service. Therefore, necessary tools are used without consent.

The legal basis for necessary tools is the need to fulfill our legitimate interests in accordance with Article 6 (1) (f) GDPR in providing the respective basic functions and operating our website. In cases where the provision of the respective website functions is necessary to fulfill a contract or to carry out pre-contractual measures, the legal basis for data processing is Art. 6 para. 1 lit. b GDPR. In these cases, access to and storage of information on the device is absolutely necessary and is based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany, for example in accordance with Section 25 (2) TTDSG.

In the event that personal data is transferred to third countries (such as the USA), we refer to section 5 (“Data transfer to third countries”) in addition to the information provided below.


2.3.1. Google reCAPTCHA

Our website uses the Google reCAPTCHA service, which is offered to people from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

reCAPTCHA prevents automated software (so-called bots) from carrying out abusive activities on the website, i.e. it checks whether the entries made actually come from a human being. For this purpose, reCAPTCHA uses JavaScript and stores cookies and information in local storage on your device. In particular, the following data is processed:

  1. referrer URL (address of the page from which the visitor came);
  2. IP address;
  3. cookies set by Google;
  4. snapshot of the browser window;
  5. user input behavior (e.g. answering the reCAPTCHA question, input speed in form fields, order of selection of input fields by the user, number of mouse clicks);
  6. Technical information: browser type, browser plug-ins, browser size and resolution, date, language setting, display instructions (CSS) and scripts (JavaScript).

The following cookies can be used and read by reCAPTCHA for this purpose: “_GRECAPTCHA” (6 months).

The following information in local storage can be set and read out by reCAPTCHA: “_grecaptcha”.

Google also reads cookies from other Google services such as Gmail, Search and Analytics. If you do not want this association with your Google account, it is necessary that you log out of Google before calling up a page where we have integrated Google reCAPTCHA. The data mentioned is sent to Google in encrypted form. Google's evaluation determines how the captcha is displayed on the page. The use of reCAPTCHA is statistically evaluated. According to Google, your data is not used for personalized advertising.

The legal basis is the need to fulfill a contract or to carry out pre-contractual measures in accordance with Article 6 (1) (b) GDPR, for example when registering to receive the PowerQuartier demo, using the contact form or subscribing to a newsletter. Google reCAPTCHA is used to protect IT security, ensure the stability of our website and prevent misuse. Access to and storage of information in the device is absolutely necessary and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TTDSG.

Some of the data can also be processed on servers in the USA. In the event that personal data is transferred to the USA or other third countries, this is done on the basis of Art. 49 para. 1 lit. b GDPR to enable the fulfilment of a contract with you or the implementation of pre-contractual measures.

For more information, see:

  1. in Google's privacy policy: https://policies.google.com/privacy;
  2. in Google's terms of use: https://policies.google.com/terms.

2.3.2. Webflow

We use Webflow to create and host our website. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter: Webflow). When you visit our website, Webflow collects necessary log files with your IP address and stores necessary cookies, which are required to display the website, to provide certain website functions and to ensure security on our website.

The legal basis for this data processing is our legitimate interest in providing our website in accordance with Article 6 (1) (f) GDPR. Access to and storage of information in the device is absolutely necessary and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TTDSG.

In order to comply with the requirements of the GDPR, we have concluded an order processing agreement with Webflow, Inc. to use Webflow. Due to the transfer of data to the USA, we have also concluded standard contractual clauses from the EU Commission (Implementing Decision (EU) 2021/914, Module 2). Further information can be found in Webflow's privacy policy: https://webflow.com/legal/eu-privacy-policy.


2.3.3. Weglot

We use Weglot to provide our website in various languages and for the associated translation. The provider is Weglot SAS, 7 cité Paradis 75010 Paris, France (hereinafter: Weglot). When you visit our website, Weglot is loaded so that you can change the language via the language icon in the header of our website. Through the connection between your browser and the Weglot server, Weglot receives the usual connection information, which in particular includes the IP address and the HTTP header user agent.

The following information is stored in local storage for this function: “wglang”.

The legal basis for this data processing is our legitimate interest in accordance with Article 6 (1) (f) GDPR in providing our website in English to non-German-speaking website visitors. Access to and storage of information in the device is absolutely necessary and is based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TTDSG.

We have concluded an order processing agreement with Weglot SAS to use Weglot.

For more information, please see Weglot's privacy policy: https://weglot.com/privacy/.


2.4. Analytical tools

In order to improve our website, we use optional tools to recognize visitors and to statistically record and analyze general usage behavior based on access data (“analysis tools”). We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is aggregated and enables us to understand the usage habits of our visitors. This serves to adapt and optimize the design of our website and to make the user experience more pleasant.

The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) TTDSG. To withdraw your consent, see 2.2.3: “Withdrawing your consent or changing your choices”.

In the event that personal data is transferred to third countries (such as the USA), your consent also expressly extends to the transfer of data (Art. 49 para. 1 lit. a GDPR). For the associated risks, please see section 5 (“Data transfer to third countries”).

2.4.1. Google Analytics 4

Our website uses the Google Analytics 4 service (“Google Analytics”), which is offered to people from Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

Google Analytics uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is used to analyze your usage behavior and improve our website. We will process the information obtained to evaluate your use of the website and to compile reports on website activity for website operators. The data generated in this context can be transferred by Google to a server in the USA for evaluation and stored there.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning to automatically analyze and enrich the data. In particular, this is done for forecast measurements of the future behavior of visitors based on structured event data, such as the forecast turnover, the probability of purchase and the probability of migration. The forecast metrics can also be used for forecast target groups. You can find out more about this at: https://support.google.com/analytics/answer/9846734. In addition, Google Analytics 4 models conversions if there is not enough data available to optimize evaluation and reports. You can find information about this at: https://support.google.com/analytics/answer/10710245. The data evaluations are carried out automatically using artificial intelligence or on the basis of specific, individually defined criteria. You can find out more about this at: https://support.google.com/analytics/answer/9443595.

We have made the following privacy settings with Google Analytics:

  1. IP anonymization (abbreviation of the IP address before evaluation);
  2. Automatic deletion of old visit logs by limiting the storage period to 2 months;
  3. No reset of the storage period when there is a new activity;
  4. deactivate the collection of accurate location and location data;
  5. disabling the collection of accurate device data;
  6. Disabled advertising feature (including audience remarketing by GA Audience);
  7. deactivated remarketing;
  8. Disabled cross-device and cross-site tracking (Google Signals);
  9. Disabled data sharing with other Google products and services, benchmarking, technical support, account managers.

The following data is processed by Google Analytics:

  1. IP address;
  2. user ID, Google ID (Google Signals) and/or device ID;
  3. referrer URL (previously visited page);
  4. pages viewed (date, time, URL, title, time spent);
  5. downloaded files;
  6. Clicked links to other websites;
  7. if necessary, achievement of certain goals (conversions);
  8. Technical information: operating system; browser type, version and language; device type, brand, model and resolution;
  9. Approximate location (country and possibly city, based on anonymized IP address).

Google Analytics uses the following cookies for the specified purpose with the respective storage period:

  1. “_ga” (400 days), “_gid” (24 hours): recognition and differentiation of visitors using a user ID;
  2. “_ga_gdmvhntjz7” (400 days): Retention of current session information;
  3. “_gat_gtag_ua_154764465_1” (1 minute): Reduce requests to Google servers.

For more information about Google Analytics 4 cookies, please visit: https://support.google.com/analytics/answer/11397207?hl=de.

The legal basis for this data processing is your consent in accordance with Article 6 (1) (a) GDPR. Access to and storage of information in the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) TTDSG.

We have concluded an order processing agreement with Google Ireland Limited to use Google Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 (2) lit. c GDPR. In addition, we also obtain your express consent in accordance with Article 49 (1) (a) GDPR to transfer your data to third countries.

For more information, please see Google's privacy policy: https://support.google.com/analytics/answer/6004245.


2.4.2. HubSpot Marketing Analytics

Our website uses the analytics function provided by HubSpot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland (“HubSpot”) to track marketing activities. This includes usage analysis of which channels customers came through and how our target group is behaving. We also link website usage data with interactions in our HubSpot CRM system. This allows us to personalize and improve our offerings. The following cookies are set by HubSpot for this purpose:

  1. “__cf_bm” (30 minutes): protection against bots;
  2. “_hstc” (6 months): tracking cookie with information about the user ID, the timestamp of the first, last and current session, and the number of sessions;
  3. “_hssc” (30 minutes): tracking cookie to track sessions;
  4. “_hssrc” (session): tracking cookie to detect a browser restart;
  5. “hubspotutk” (6 months): Recognition of visitors.

3. Online presence in social networks

We maintain online presences on social networks to communicate with customers and interested parties, among other things, and to provide information about Exnaton, PowerQuartier and our ongoing projects. Users' data is usually processed by the relevant social networks for market research and advertising purposes. In this way, user profiles can be created based on the interests of users. For this purpose, cookies and other identifiers are stored on the computers of the persons concerned. On the basis of these user profiles, advertisements are then placed within social networks but also on third-party websites, for example.

As part of operating our online presences, we may be able to access information, such as statistics on the use of our online presences, which are provided by social networks. These statistics are aggregated and may include in particular demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presences (e.g. likes, subscription, sharing, viewing of images and videos) and the contributions and content disseminated about them. These can also provide information about the interests of users and which content and topics are particularly relevant to them. We can also use this information to adapt the design and our activities and content on the online presence and to optimize them for our audience. For details and links to the social network data that we as operators of online presences can access, please refer to the list below. The collection and use of these statistics is generally a joint responsibility. To the extent applicable, the relevant contract is set out below.

The legal basis for data processing is Art. 6 para. 1 lit. f DSGVO, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 lit. b GDPR, in order to remain in contact with our customers and to inform them and to carry out pre-contractual measures with interested parties.

If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to get in touch with you. This can be done, for example, via direct messages or via posted contributions. Content communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. As soon as we transfer or further process your personal data into our own systems, we are independently responsible for this and do so to carry out pre-contractual measures and to fulfill a contract in accordance with Art. 6 para. 1 lit. b GDPR.

For the legal basis for data processing carried out by social networks on their own responsibility, please refer to the privacy policies of the respective social network. You can also find further information on the respective data processing and the options for objection under the links below.

We would like to point out that data protection inquiries can be made most efficiently with the respective social network provider, as only these providers have access to the data and can take appropriate measures directly. You can of course also contact us with your concerns. In this case, we will process your request and forward it to the social network provider. The following is a list of information about the social networks on which we operate online presences:


1. Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)

  1. Privacy statement: https://twitter.com/de/privacy
  2. Opt-out: https://twitter.com/personalization.

2. LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)

  1. Operation of the LinkedIn company page under joint responsibility on the basis of an agreement on the joint processing of personal data (so-called Page Insights Joint Controller Addendum): https://legal.linkedin.com/pages-joint-controller-addendum
  2. Information about the processed page insights data and how to contact us in case of data protection inquiries: https://legal.linkedin.com/pages-joint-controller-addendum
  3. Privacy statement: https://www.linkedin.com/legal/privacy-policy
  4. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

4. Transfer of data

In principle, the data collected by us will only be passed on if there is a legal basis for this under data protection law in a specific case, in particular if:

  1. you have given your express consent to this in accordance with Article 6 (1) (a) GDPR,
  2. the transfer in accordance with Article 6 (1) (f) GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in not sharing your data,
  3. we are legally obliged to disclose data in accordance with Article 6 (1) (c) GDPR, in particular if this is necessary for legal prosecution or enforcement due to official inquiries, court orders and legal proceedings, or
  4. This is permitted by law and is required in accordance with Article 6 (1) (b) GDPR to process contractual relationships with you or to carry out pre-contractual measures that are carried out at your request.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include in particular data centers that store our website and databases, software providers, IT service providers who maintain our systems, agencies, market research companies, group companies and consulting firms. If we share data with our service providers, they may only use the data to perform their tasks. The service providers were carefully selected and commissioned by us. They are contractually bound to our instructions, have appropriate technical and organizational measures to protect the rights of data subjects and are regularly checked by us.


5. Data transfer to third countries

As explained in this privacy policy, we use services whose providers are partly based in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include the European Union's standard contractual clauses or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Article 49 GDPR, in particular your express consent or the necessity of transfer to fulfill the contract or to carry out pre-contractual measures. If a transfer to a third country is envisaged and there is no adequacy decision or appropriate guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) can gain access to the transmitted data in order to collect it and to analyze and that the enforceability of your rights as a data subject cannot be guaranteed. If you obtain your consent via the consent banner, you will also be informed of this.


6. Storage period

In principle, we only store personal data for as long as necessary to fulfill the purposes for which we collected the data. We will then delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidentiary purposes for civil claims, due to legal storage obligations or, in a specific individual case, there is another legal basis under data protection law for the continued processing of your data.

In particular, for evidence purposes, we must retain contract data for ten years from the end of the year in which the business relationship with you comes to an end. According to the statutory limitation period, any claims expire at this point in time at the earliest.

Even after that, we still need to save some of your data for accounting reasons. We are required to do so due to legal documentation requirements that may arise in Switzerland from the Code of Obligations. The deadlines for storing documents specified there are two to ten years.


7. Your rights, in particular revocation and objection

You are entitled to the data subject rights set out in Art. 7 para. 3, Art. 15 — 21, Art. 77 GDPR at any time if the respective legal requirements are met:

  1. right to withdraw your consent (Article 7 (3) GDPR);
  2. right to object to the processing of your personal data (Article 21 GDPR);
  3. right to information about your personal data processed by us (Article 15 GDPR);
  4. Right to correct your personal data stored by us incorrectly (Art. 16 GDPR);
  5. right to delete your personal data (Article 17 GDPR);
  6. right to restrict the processing of your personal data (Article 18 GDPR);
  7. Right to data portability of your personal data (Article 20 GDPR);
  8. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

To assert your rights described here, you can contact us at any time using the contact details provided above. This also applies if you would like to receive copies of guarantees to prove an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.

Your inquiries about the assertion of data protection rights and our answers to them will be stored for documentation purposes for a period of up to ten years and, in individual cases, even beyond that if there is reason to assert, exercise or defend legal claims. The legal basis is Article 6 (1) (f) GDPR, based on our interest in defending against any civil claims under Article 82 GDPR, avoiding fines under Article 83 GDPR and fulfilling our accountability obligation under Article 5 (2) GDPR.

Once you have given your consent, you have the right to withdraw it from us at any time. As a result, we will no longer continue data processing based on this consent in the future. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right of objection, which is implemented by us even without giving reasons.

If you would like to exercise your right of withdrawal or objection, simply send an informal message to the contact details above.

Finally, you have the right to complain to a data protection supervisory authority. For example, you can assert this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.


8. Changes to the privacy policy

From time to time, we update this privacy policy, for example when we adapt our website or if legal or regulatory requirements change.

Version 1.0/Status: October 2023


In addition, for further information about cookies, the HubSpot website: https://knowledge.hubspot.com/de/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser as well as those from Cloudfare: https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies remanded.

The legal basis for this data processing is your consent in accordance with Article 6 (1) (a) GDPR. Access to and storage of information in the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) TTDSG.

We have concluded an order processing agreement with HubSpot. The data generated in this context can be transmitted by HubSpot to a server in the USA and stored there. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with HubSpot (Implementing Decision (EU) 2021/914, Module 2) in accordance with Art. 46 (2) lit. c GDPR. In addition, we also obtain your express consent in accordance with Article 49 (1) (a) GDPR to transfer your data to third countries.

For more information, please refer to HubSpot's privacy policy: https://legal.hubspot.com/privacy-policy.