Data protection information from iteratec GmbH

We, iteratec GmbH, are certain that you should have absolute control over your data. We therefore take the protection of your personal data very seriously and adhere strictly to all data protection laws. The following data protection declaration gives an overview of how we ensure this protection, what kind of data we collect (and for what purpose) and what your rights are with regard to your personal data.

Should you have any questions regarding data protection, feel free to contact us at any time.

Any changes that we make in future to the “Data Protection Declaration of iteratec GmbH” will be posted on this page.

This data protection declaration came into force on 18.05.2018.

Responsible entity

Company:
iteratec GmbH

Street, building no.:
St.-Martin-Str. 114

Post code, city:
81669 München

Commercial register number:
HRB 113519

Directors:
Klaus Eberhardt, Jörg-Stefan Rauch, Michael Schulz, Alexander Youssef

Telephone number:
+49 89 61 45 51 0

E-mail address:
office@iteratec.com

Data protection officer

You can contact our data protection officer via the e-mail address privacy@iteratec.com.

1. Essential information on data processing and its legal basis

1.1. This data protection declaration explains the nature, scope and purpose of the processing of personal data within the scope of our web pages, functions and contents (hereinafter jointly referred to as the “website”). This data protection declaration applies irrespective of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.

1.2. The terms used, such as “personal data” or their “processing”, refer to the definitions contained in Art. 4 General Data Protection Regulation (GDPR).

1.3. The personal data of users processed within the framework of the online offer includes usage data (browser type and version, operating system used, the URL of the previously visited site, the IP address of the accessing computer and the time of the enquiry), as well as the content details (e.g. entries made on the application form).

1.4. The term “user” covers all categories of the data subjects. These include our business partners, customers, interested parties and other browsers of our online offer. The terms used, such as “user”, should be understood as being gender-neutral.

1.5. We process users' personal data exclusively in compliance with the relevant data protection regulations. This means that user data will be processed only if legal permission has been granted, in particular if data processing is required by law, if user consent has been obtained, and also on the basis of our legitimate interests (i.e. an interest in the analysis, optimisation and efficient operation and security of our online service as defined in Art. 6(1)(f) GDPR, in particular, when measuring reach, creating profiles for advertising and marketing purposes, and when collecting access data and using the services of third parties).

1.6. We would like to point out that a legal basis is established either by consent, by the need for processing in order to render our services and implement our contractual measures, by the need for processing in order to fulfil our legal obligations, or by the need for processing in order to protect our legitimate interests (Art. 6(1)(a) and Art. 7 GDPR). 

1.7. Which sources and data do we use? We process the personal data of customers, suppliers, interested parties, applicants and employees. We process this data in the context of business relations, application procedures or employment relationships. We also use data from publicly accessible sources, the processing of which is permissible. The legal basis is the fulfilment of (pre-)contractual obligations, a legitimate interest, a legal provision or an existing consent as provided by the person concerned.

2. Security measures

2.1. We take organisational, contractual and technical security measures in line with state-of-the-art technological standards, in order to ensure that the regulations set out under data protection laws are observed and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. 

2.2. The security measures include, in particular, the encrypted transmission of data between your browser and our server. 

You’ve discovered a gap in our security? Please write to us at security@iteratec.com. We will contact you as soon as possible. For encrypted contact, you can also use our certificate.

2.3. As the security team at iteratec, we take care of your online security. If you have any complaints about the misuse of our (or your) network access, or if you receive spam from one of our addresses, please get in touch by e-mail via abuse@iteratec.com.

3. Transfer of data to third parties and third-party providers

3.1. Data will be passed on to third parties only within the scope of statutory requirements. We will pass on user data to third parties only if this is deemed necessary for contractual purposes, e.g. on the basis of Art. 6(1)(b) GDPR or on the basis of a justified interest in accordance with Art. 6(1)(f) GDPR, and the efficient and effective operation of our business operations.

3.2. If we use subcontractors to render our services, we take appropriate legal precautions, as well as appropriate technical and organisational measures, to ensure that personal data are protected in accordance with the relevant statutory provisions.

3.3. If contents, tools or other resources from other providers (hereinafter referred to jointly as “third-party providers”) are used within the scope of this data protection declaration, these are transferred only to countries with an appropriate level of data protection and to countries that fall within the scope of the GDPR.

4. Online application

4.1. Applicant management: for our online application form and applicant management, we use the platform from the service provider Talention (TFI GmbH, Delphiplatz 1, 42119 Wuppertal, Germany) to ensure fast and secure processing when recruiting new employees. For this purpose, we have concluded a contract processing agreement with the provider in which the provider undertakes to comply with all data protection regulations and to process the data only in accordance with our instructions and only for the corresponding purpose. Further information can be found here.

4.2. With regard to applicant data that we receive (by post, e-mail or online), our technical and organisational measures ensure that your personal data is treated confidentially and in line with statutory requirements. Following the completion of the application procedure, your data will be deleted, unless you agree to its storage over a longer period of time. Deletion takes place after four months (due to compliance with deadlines for possible legal action as per the General Equal Treatment Act [AGG]).

4.3. init(U) – Application entry via app for recruiting events
The app can be used to collect data from interested parties, in order to initiate an application process. This includes a person’s name, e-mail address, gender, photo, a self-assessment of technical skills and, if appropriate, application documents. 

This data is
(a) stored on an internal system and remains accessible only to authorised persons.
(b) transferred to the Applicant Management System of our service provider, Talention.

All data will be deleted after four months, unless the interested party explicitly consents to its storage for a longer time for the purpose of establishing contact at a later date. In this case, the data is stored for one year and then deleted.

5. Eventbrite

To facilitate the booking of tickets for some of our events, we use Eventbrite Inc., Delaware, 155 5th Street, Floor 7, San Francisco, CA 94103, USA. When you register for one of our events, you transmit your first and last name, e-mail address and, if applicable, the company you work for to the provider and arrange payment. The provider will then send you an e-mail to confirm your booking. Upon registration, and in addition to the above-mentioned data, Eventbrite will save the selected event, including the scheduled event time (date, time) and the time of registration (date, time).

There is no contract for commissioned data processing with Eventbrite, due to the fact that, at present, only a Data Processing Addendum (DPA) is offered for commissioned and subcontracted data processors (can be viewed at: https://www.eventbrite.de/support/articles/de/Troubleshooting/datenverarbeitungsnachtrag-fuer-auftragsverarbeiter-und-unterauftragsverarbeiter?lg=de).

An overview of Eventbrite's corporate policies can be found at https://www.eventbrite.de/l/LegalTerms/

6. Google Maps

The maps are from “Google Maps”, from the third-party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/
Opt-out: https://www.google.com/settings/ads/ 

7. Google

7.1. We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Currently, we are using both Google Analytics 3 and Google Analytics 4 simultaneously, which have different data protection implications. In the following text, we specify which of the two versions is being referred to. If not explicitly mentioned, the reference applies to both versions.

7.2. Google uses cookies. The information generated by the cookie about users' use of the online service is transmitted to Google's servers and processed there. This can also include transmissions to Google LLC based in the USA.

Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activities within this online service, and to provide us with further services associated with the use of this online service and the internet. Pseudonymous user profiles can be created from the processed data.

7.3. We use data from Google Analytics to continuously improve our online service.

7.4. IP Address

Google Analytics 3: We use Google Analytics 3 with activated IP anonymization. This means that the IP address of the users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

Google Analytics 4: Google Analytics 4 uses IP addresses at the time of collection to determine location information (country, city, latitude, and longitude of the city) and then deletes them before the data is stored on a server.

7.5. Demographic Data and Cross-device Tracking

Google Analytics 3: Our website uses reports on demographic characteristics in which data from interest-based advertising by Google as well as visitor data from third parties (e.g., age, gender, and interests) are used. This data cannot be traced back to a specific person and can be deactivated at any time via the display settings.

Google Analytics 4: In connection with Google Analytics 4, we use the Google Signals service. Google Signals are data from users who are logged into their Google account and have activated personalized advertising. By linking data with these logged-in users, cross-device reports, cross-device remarketing, the export of cross-device conversions to Google Ads, and the collection of demographic characteristics such as age and gender are possible.

7.6. We use Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect personal information. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has occurred at domain- or cookie level, it will persist for all tracking tags implemented with Google Tag Manager. https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

7.7. Our website utilizes Google Looker Studio, a tool for managing and visualizing data from Google. Google Looker Studio assists us in efficiently analyzing and visualizing data to enhance our service. All data processed through Google Looker Studio are handled in accordance with Google's privacy policies and applicable data protection laws. We are committed to protecting your privacy and ensuring that your data is kept secure and confidential.

7.8. We have concluded a data processing agreement with Google, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.

7.9. You can find further information on the use of data by Google, as well as the settings and objection options available, on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use websites or apps of our partners”), http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”), http://www.google.de/settings/ads (“Manage information that Google uses to serve ads to you”).

7.10. You can prevent the collection of your data by Google Analytics by revoking your consent to the use of cookies here: www.iteratec.com/de/cookies/. Additionally, users can prevent the transmission to Google of the data generated by the cookie and related to their use of the online offer, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

8. Social Media

In its online offer, iteratec provides the option of following its social media offers via so-called “Follow Buttons”. Online maps and videos are also provided by third-parties. In the following, you will find explanations of the individual services.

8.1. Twitter: The functions of the service Twitter can be integrated within our online offer. These functions are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “Follow” function, the websites you visit are linked to your Twitter account and made public to other users. Data is also transmitted to Twitter. We would like to point out that, as the provider of these pages, we have no knowledge of the content of the transmitted data or of its use by Twitter. Twitter’s privacy policy can be found at http://twitter.com/privacy. You can change your privacy settings on Twitter via the Account Settings under http://twitter.com/account/settings.

8.2. Facebook: A “Follow Button” from the social network Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA) is integrated into our pages. 

When you visit our pages, the button establishes a direct connection between your browser and the Facebook server. In doing so, Facebook receives the information that you have visited our site from your IP address. 

We would like to point out that, as the provider of these pages, we have no knowledge of the content of the transmitted data or of its use by Facebook. Further information can be found in the Facebook privacy policy available at http://de-de.facebook.com/policy.php. If you do not want Facebook to be able to link your visits to our webpages with your Facebook user account, please log out of your Facebook user account.

8.3. XING: We use features of the professional network XING. The provider is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Every time one of our pages containing the functions provided by Xing is accessed, a connection to the Xing servers is established. To the best of our knowledge, no personal data is stored. In particular, no IP addresses are stored or user behaviour evaluated. Data protection declaration: https://www.xing.com/app/share?op=data_protection 

8.4. LinkedIn: Our online offer uses functions of the professional network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Every time one of our pages containing the functions provided by LinkedIn is accessed, a connection to the LinkedIn servers is established. LinkedIn is informed that you have visited our website from your IP address. If you click on LinkedIn's “Recommend Button” and are logged into your LinkedIn account, LinkedIn will be able to associate your visit to our website with you and your account. We would like to point out that, as the provider of these pages, we have no knowledge of the content of the transmitted data or of its use by LinkedIn. Data protection declaration: https://www.linkedin.com/legal/privacy-policy.

8.5. Kununu: Kununu is operated by kununu GmbH, Fischhof 3 Top 7, A - 1010 Vienna. Your browser will establish a direct connection to the Kununu servers as soon as you click the button. We have no control over the data that is then collected by Kununu. For information pertaining to the purpose and scope of data collection, its further processing and use by Kununu, as well as your rights and setting options to protect your privacy, please refer to the information contained in the Kununu data protection declaration: http://www.kununu.com/info/datenschutz 

8.6. YouTube: We embed videos from the “YouTube” platform from the third-party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/ Opt-out: https://www.google.com/settings/ads/. When you click on a link to a video, we allow you only to connect to YouTube services.

8.7. Instagram: This website uses features of the social network Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. When you visit one of our pages that have integrated Instagram features, a connection to Instagram's servers is established. This informs the Instagram server which of our pages you have visited. If you are logged into your Instagram account, you enable Instagram to directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your Instagram account. For more information on how user data is handled, please see Instagram's privacy policy: https://instagram.com/about/legal/privacy/.

9. Data processing on our Facebook fan page

When you visit our Facebook page, certain information about you is processed. Facebook Ireland Ltd (Ireland/EU) is solely responsible for this processing of personal data. Further information on the processing of personal data by Facebook can be found here.

9.1. Processing of Page Insights
Facebook provides us with statistics and insights for our Facebook page in anonymous form, which enable us to develop an understanding of the types of actions that people take on our page (so-called “page insights”). These page views are created on the basis of certain information about people who have visited our site. This processing of personal data is carried out by Facebook and us as jointly responsible data controllers. This processing serves our legitimate interest in evaluating the types of actions performed on our site and improving our site based on the insight gleaned. The legal basis for this processing is Article 6(1)(f) GDPR. We will never associate the information obtained through Page Insights with a particular Facebook profile by drawing on “Like” information for our Page.
We have reached an agreement with Facebook on processing as joint data controllers, which defines the distribution of data protection obligations between us and Facebook. You can view the details pertaining to the processing of personal data to create Page Insights and the agreement concluded between us and Facebook here.

9.2. Processing of data communicated to us through our website
We also process information that you have made available to us via our Facebook page. Such information can include the Facebook name, contact details or a message sent to us. We process this personal data only if we have expressly requested you to provide us with this data beforehand. This processing by us takes place with us acting as sole data controller.
If your enquiry is directed at the conclusion or execution of a contract with us, Art. 6(1)(b) GDPR constitutes the legal basis for data processing. Otherwise, we will process data on the basis of our legitimate interest in establishing contact with those individuals submitting an enquiry. The legal basis for data processing in this context is Art. 6(1)(f) GDPR.

10. LinkedIn Insight Tag

We use the LinkedIn Insight Tag for our websites. This tool creates a cookie in your browser which allows us to record the following data, among others:

  • URL, 
  • referrer URL,
  • details regarding the device, 
  • details regarding the browser, 
  • IP address, and 
  • demographic data from LinkedIn for users who are active LinkedIn members. 

LinkedIn does not share any personal data with iteratec but offers anonymised reports about the website target group as well as ad performance. Additionally, LinkedIn offers the possibility of retargeting via the Insight Tag. This data allows iteratec to display targeted ads outside its website without you being identified as a website user.

The use of LinkedIn Insight is based on Art. 6 para. 1 lit. a EU GDPR. You can withdraw your consent at any time.

The data collected by LinkedIn is encrypted, anonymised within seven days and the anonymised data is deleted within 90 days.

You can find further information in the LinkedIn Privacy Policy, and the LinkedIn Opt-Out is available here.

11. securecodebox.io

Netlify

The offering on the website securecodebox.io is hosted on the platform of the third-party provider Netlify. A Data Processing Agreement (DPA) according to GDPR has been concluded. Accordingly, the terms of Netlify apply:

12. Cookiebot (Cookie Consent Tool)

Our website uses the Cookie Consent Tool “Cookiebot” to obtain your consent to the storage of certain cookies in your browser and to document these in accordance with data protection regulations. Cookiebot is operated by Cybot A/S, 1058 Copenhagen, Denmark.

When you enter our website, a Cookiebot cookie is stored in your browser, in which the consents you have issued (or your revocation thereof) are stored.

The Cookiebot-Consent-Technology is used to obtain the legally required consent for the use of cookies. Data processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing a cookie consent management service for website visitors.

For more information on the handling of the transferred data, please refer to the data protection declaration from cookiebot.com: https://www.cookiebot.com/de/privacy-policy/

13. Cookies

You will find further information on, among other things, how cookies work, the purpose, scope and legal basis of data processing and the possibility of revocation here.

14. HubSpot

We use HubSpot on our website for marketing activities. We use this integrated software solution for our own marketing, for lead generation and for customer service purposes. These include e-mail marketing, which regulates the dispatch of newsletters and automated mailings, social media publishing and reporting, contact management – such as user segmentation and CRM – landing pages and contact forms.

HubSpot uses cookies, which are small text files, that are stored locally in the cache of your web browser on your device and allow us to analyse your use of the website. The information collected (e.g. your IP address, geographic location, browser type, length of visit and pages viewed) is analysed by HubSpot on our behalf so that we can generate reports about the visit and the pages viewed. Information collected via HubSpot and the content of our website is stored on servers of HubSpot's service providers. If you have provided your consent in accordance with Art. 6(1)(1)(a) GDPR, processing on this website will be for the purpose of website analysis.

HubSpot is a software company from the USA with a subsidiary in Ireland.
Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Telephone: +353 1 5187500.

Learn more about HubSpot Cookie Security & Privacy.

15. DecentraVote (SaaS)

The DecentraVote application can be requested by and provided to interested parties via our website as a free trial for a limited period of time by way of an SaaS (Software as a Service). In order to request the trial version, please provide your first and last name, e-mail address and the organisation or company you are working for as well as additional information (optional). You will then receive an e-mail which triggers the actual provision of the trial version.

When providing the trial version, all related information such as URL, log-in data and period of validity will be saved.

In order to protect against misuse of repeated requests for trial versions, the data will be saved for a maximum of 12 months.

DecentraVote as well as the application managing the provision and deletion of the trial version are hosted on AWS.

You can find information about how your data is used by Amazon Web Services at https://aws.amazon.com/de/compliance/gdpr-center/

16. Hotjar

We use Hotjar on our website from the company Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) to statistically evaluate visitor data. Hotjar is an online tool used for traffic analysis and visitor feedback. The goal is to optimize the conversion rate with the help of the data obtained and to better understand visitor behavior.

Why do we use Hotjar on our website?

We use Hotjar's heatmaps. Heatmaps are a way of visualizing data. With Hotjar's heatmaps, we can see exactly where you click, tap and scroll. With this information, we can continuously improve the user experience on our website.

What data is stored by Hotjar?

Hotjar collects information about user behavior. The following data can be collected from your computer or your browser:

  • IP address of your computer (collected and stored in an anonymous format)
  • Screen size
  • Browser information (which browser, which version, etc.)
  • Your location (country only)
  • Your preferred language setting
  • Visited websites (sub-pages)
  • Date and time of access to one of our sub-pages (websites)

Additionally, cookies store data that is placed on your computer (usually in your browser). They do not collect any personal data. As a principle, Hotjar does not pass on the collected data to third parties. However, Hotjar explicitly points out that it is sometimes necessary to share data with Amazon Web Services. Then parts of your information are stored on their servers. Amazon, however, is bound by an obligation of confidentiality not to disclose this data.

Only a limited number of people (Hotjar employees) have access to the stored information. Hotjar's servers are protected by firewalls and IP restrictions (access only by approved IP addresses). Firewalls are security systems that protect computers from unwanted network access. They are intended to serve as a barrier between Hotjar's secure internal network and the Internet. Furthermore, Hotjar also uses third-party companies for their services, such as Google Analytics or Optimizely. These companies can also store information that your browser sends to our website.

We have concluded a contract for order processing with Hotjar in order to implement the strict European data protection regulations. For more information about Hotjar and the data collected, please refer to Hotjar's privacy policy at the following link: https://www.hotjar.com/privacy. If you want to deactivate data collection by Hotjar, click on the following link and follow the instructions there: https://www.hotjar.com/opt-out

17. Dante AI (Chatbot)

On our website, we use the ChatBot Dante AI to provide you with an interactive way to contact us and receive support. The ChatBot Dante AI is provided by Dante AI Ltd. When using the ChatBot, personal data such as your IP address, chat history, and any personal information you enter (e.g., name, email address) are processed. This data processing is based on Article 6(1)(b) GDPR for the performance of pre-contractual measures or the fulfillment of a contract, as well as on Article 6(1)(f) GDPR due to our legitimate interest in effective customer communication and support. The data is stored only as long as necessary for the mentioned purposes or as required by legal retention periods. For more information on data processing by Dante AI Ltd., please refer to their Privacy Policy.

18. secureCodeBox as a Service

Through our website, the secureCodeBox as a Service application can be used by interested parties as a free SaaS (Software as a Service). The following data is stored when conducting a scan:

• The client's IP address

• Date and time of the scan

• Unique scan session ID

• Domain validation token

• Acceptance of the terms of use (https://scb.iteratec.de/terms), and

• The domain to be scanned.

To prevent misuse, the data is stored for a maximum of 3 years. secureCodeBox as a Service is hosted by iteratec and Hetzner. Information about the use of your data by Hetzner can be found at: https://www.hetzner.com/de/legal/privacy-policy/

19. User rights

Right to the disclosure of information: Users have the right to request the disclosure, free of charge, of information on the personal data we have stored on them.

Right of rectification: In addition, users have the right to correct inaccurate data, to restrict the processing and deletion of their personal data and, where applicable, to exercise their rights to data portability.

Right of revocation: Users may also revoke their consent, in principle with effect for the future. This revocation must be sent to the data protection officer. 

Right of appeal: In the event of a violation of the GDPR, those affected have a right of appeal vis-a-vis the competent supervisory authority. The right of appeal is without prejudice to other administrative or judicial remedies.

20. Deletion of data

The data stored with us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory storage obligations. To the extent that user data is not deleted because it is required for other (and legally permissible) purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax-related reasons.

21. Right of objection

Users can object at any time, in accordance with statutory requirements, to the future processing of their personal data. This objection may be made, in particular, against processing for direct marketing purposes. Any objection should be directed to the responsible data controller.

22. Changes to the data protection declaration

We reserve the right to amend this data protection declaration to align with changes in legislation, or should there be any changes to our service and the associated data processing. However, this applies only with regard to declarations on data processing. To the extent that user consent is required, or if components of the data protection declaration contain provisions of a contractual relationship with the users, changes will be made only with the consent of users.

Users are asked to update their understanding regarding the content of this data protection declaration at regular intervals.

Munich, 3/7/2024
Executive Management