Privacy Policy

I Introduction

We are pleased that you are visiting our website. We respect your privacy. Data protection and data security when using our website are very important to us. With this privacy policy, we would like to inform you about the extent to which data is collected when you use our website and the purposes for which we use this data. We would also like to inform you about your rights in this regard.

II General information

Below we provide information in accordance with Art. 13 GDPR on the collection of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, email addresses, user behaviour.
The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is
ondeso GmbH, Osterhofener Str. 16, 93055 Regensburg, e-mail: info@ondeso.com
www.ondeso.com/en/imprint/
You can reach our data protection officer at
Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Alexander Bugl, Eifelstraße 55, 93057 Regensburg, e-mail: kontakt@buglundkollegen.de

III Making contact

a. Type and purpose of processing
The data you enter in the contact form will be stored for the purpose of personalised communication with you. This requires you to provide your name, email address and message. This serves to allocate the enquiry and subsequently answer it. The provision of further data is optional. If you contact us by e-mail, the data you provide (e-mail address, your name and telephone number, if applicable, etc.) will also be processed for individual communication.

b. Legal basis of the processing
The data provided is processed on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR). By providing the contact form and our e-mail address, we would like to make it easy for you to contact us. The information you provide will be stored for the purpose of processing your enquiry and for possible follow-up questions. If you contact us to request a quote, the data you enter will be processed to carry out pre-contractual measures (Art. 6 para. 1 lit. b GDPR).

c. Data categories
Contact details, reason for your enquiry

d. Recipients
The recipients of the data are internal employees of ondeso GmbH.

e. Storage periods
Data will be deleted no later than 6 months after the enquiry has been processed. If there is a contractual relationship, we are subject to the statutory retention periods according to the German Commercial Code (HGB) and delete your data after these periods have expired.

f. Legal / contractual requirement
The provision of your personal data is voluntary. However, we can only process your enquiry if you provide us with your name, email address and the reason for the enquiry.

g. Transfer to third countries
Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

IV Your rights

If your personal data is processed as a user, you are considered a data subject in accordance with the GDPR. Data subjects have the following rights vis-à-vis the controller:

– Right to information (Art. 15 GDPR)
– Right to rectification or erasure of personal data (Art. 16, 17 GDPR)
– Right to restriction of processing (Art. 18 GDPR)
– Right to notification in connection with the rectification or erasure of your personal data or the restriction of processing (Art. 19 GDPR)
– Right to data portability (Art. 20 GDPR)
– Right to object (Art. 21 GDPR)
– Right to revoke declarations of consent. The legality of the data processing carried out until the revocation remains unaffected by the consent valid to date. (Art. 7 para. 3 GDPR)
– Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Contact details of the supervisory authorities in the individual countries

V Hosting

The hosting services we use (services for the operation and provision of the website) serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services that we use for the purpose of operating this online offering.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing contract according Art. 28 GDPR).

VI Accessing the website

If you use the website for purely informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:

– IP address
– Date and time of the enquiry
– Time zone difference to Greenwich Mean Time (GMT)
– Content of the request (specific page)
– Access status/HTTP status code
– Amount of data transferred in each case
– Website from which the request comes
– Browser
– Operating system and its interface
– Language and version of the browser software.

We may also use another service provider to display the privacy policy. An embedding code is used to transmit your IP address to said service provider (preeco GmbH).
We process your data on the basis of our legitimate interest for a limited period of time in order to initiate a derivation of personal data in the event of unauthorised access or attempted access to local servers and to be able to display the privacy policy properly and to be able to load our fonts from our own server (Art. 6 para. 1 lit. f GDPR).

VII Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive assigned to the browser you are using and through which certain information flows to the body that sets the cookie (in this case, us). They are used to make the website more user-friendly and effective overall.

We distinguish between two categories of cookies: (a) essential cookies, without which the functionality of our website would be limited, and (b) optional cookies for website analysis and marketing purposes.

The use of optional cookies is based on your consent (Art. 6 para. 1 lit. a GDPR).
We describe the optional cookies used on this website in detail in our cookie banner.

VIII Use of Borlabs

Which cookie banner do we use?
This website uses Borlabs’ cookie consent technology to obtain your consent to the storage of certain cookies on your end device and to document this in compliance with data protection regulations. The provider of this technology is Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany.
Website: https://de.borlabs.io (hereinafter referred to as “Borlabs”).
When you enter our website, the following personal data is transmitted to Borlabs:

– Your consent(s) or the revocation of your consent(s)
– Your IP address
– Information about your browser
– Information about your end device
– Time of your visit to the website

In addition, Borlabs stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Borlabs cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
Borlabs is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.

IX Use of Matomo

a. Type and purpose of processing
This website uses Matomo, an open source software for the statistical analysis of visitor access. The provider of the Matomo software is InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. With the help of Matomo, we are able to collect and analyse data about the use of our website by website visitors. This allows us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, etc.).
The information generated about your use of the website is stored on our server in Germany. The IP address is anonymised immediately after processing and before it is stored. You can find more information on the privacy settings of the Matomo software at the following link: https://matomo.org/docs/privacy/.

b. Legal basis of the processing
The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

c. Data categories
IP address, device data (device type, device brand, device model, resolution)

d. Recipients
The recipients of the data are internal employees of ondeso GmbH. As we host Matomo ourselves, no connection to the Matomo servers is established.

e. Storage periods
The data is deleted as soon as it is no longer required for our recording purposes or you have objected to its processing.

f. Transfer to third countries
Although Matomo is based in New Zealand, all data is hosted by Matomo on our own servers located in Germany. The processing therefore does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Right to object
You have the right to object to the processing of your personal data at any time. You can inform us of your objection at any time using the contact details provided at the beginning of this privacy policy.

i. Automated decision-making and profiling
With the help of the tracking tool Matomo, the behaviour of visitors to the website can be evaluated and their interests analysed. We create a pseudonymised user profile for this purpose.

X Use of Google reCAPTCHA

a. Nature and purpose of processing
We use the Google reCAPTCHA service in some forms on this website to protect against misuse of our web forms and spam. By checking manual input, this service prevents automated software (so-called bots) from carrying out abusive activities on the website. This serves to safeguard our legitimate interests in protecting our website from misuse and ensuring that our online presence is displayed without disruption, which outweigh our interests.
Google reCAPTCHA uses a code embedded in the website, a so-called JavaScript, as part of the review methods that enable your use of the website to be analysed, such as cookies. The automatically collected information about your use of this website, including your IP address, is usually transmitted to a Google server in the USA and stored there. In addition, other cookies stored in your browser by Google services are analysed by Google reCAPTCHA. Personal data is not read or saved from the input fields of the respective form.

b. Legal basis of the processing
The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the security and functionality of our website.

c. Data categories
IP address

d. Recipients
Recipients of the data are internal employees and Google as a processor.

e. Storage periods
After the end of the purpose and the end of the use of Google reCAPTCHA by us, the data collected in this context will be deleted.

f. Legal / contractual requirement
The provision of your personal data is based on our legitimate interest. Without the provision of your personal data, we cannot grant you access to the content and services we offer.

g. Transfer to third countries
Processing also takes place outside the European Union (EU) or the European Economic Area (EEA). To guarantee the level of data protection in this third country, we have concluded standard data protection clauses with Google.

h. Possibilities of objection
You can prevent Google from collecting the data generated by the JavaScript or cookie and relating to your use of the website (including your IP address) and from processing this data by Google by preventing the execution of JavaScripts or the setting of cookies in your browser settings. Please note that this may restrict the functionality of our website for your use.
Further information on Google’s data protection policy can be found here: https://policies.google.com/privacy.

i. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XI Use of Google Tag Manager

a. Nature and purpose of processing
Use of Google Tag Manager: Google Tag Manager is a solution that allows marketers to manage website tags via an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

b. Legal basis of the processing
The processing of the data entered is based on our legitimate interest in improving the functionality of our website (Art. 6 para. 1 lit. f GDPR).

c. Data categories
Interactions on the page

d. Recipients
The recipients of the data are internal employees and Google as the processor. We have concluded the corresponding order processing contract with Google for this purpose.

e. Storage periods
Data is only processed in this context for as long as necessary. It will then be deleted, provided there are no statutory retention obligations to the contrary. To contact us in this context, please use the contact details provided at the beginning of this privacy policy.

f. Legal / contractual requirement
You can object to the processing at any time. If you prevent access, this may result in functional restrictions on the website.

g. Transfer to third countries
Processing also takes place outside the European Union (EU) or the European Economic Area (EEA). To guarantee the level of data protection in this third country, we have concluded standard data protection clauses with Google.

h. Profiling
With the help of the Google Tag Manager tool, the behaviour of visitors to the website can be evaluated and interests analysed.

XII Use of Google Analytics

a. Nature and purpose of the processing
This website uses Google Analytics, a web analytics service provided by Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on these websites, your IP address will be shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The purpose of the data processing is to analyse the use of the website and to compile reports on activities on the website. Based on the use of the website and the Internet, further associated services are then to be provided.

b. Legal basis of the processing
The data entered is processed on the basis of the user’s consent (Art. 6 para. 1 lit. a GDPR).

c. Data categories
IP address (shortened/anonymised), Approximate location, Browser and device information

d. Recipient
The recipients of the data are internal employees and Google as the processor. We have concluded the corresponding data processing agreement with Google for this purpose.

e. Storage periods
Data will only be processed in this context as long as the corresponding consent has been given. It will then be deleted, provided there are no statutory retention obligations to the contrary. To contact us in this context, please use the contact details provided at the beginning of this privacy policy.

f. Legal / contractual requirement
The provision of your personal data is voluntary, solely on the basis of your consent. If you prevent access, this may result in functional restrictions on the website.

g. Third country transfer
Processing outside the European Union (EU) or the European Economic Area (EEA) cannot be ruled out.

h. Revocation of consent
You can revoke your consent to the storage of your personal data at any time with effect for the future. You can prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the available browser plug-in: “Browser Add On to deactivate Google Analytics”.

i. Automated decision-making and profiling
With the help of the Google Analytics tracking tool, the behaviour of visitors to the website can be evaluated and their interests analysed. We create a pseudonymised user profile for this purpose.

XIII Use of embedded YouTube videos

a. Nature and purpose of the processing
We embed YouTube videos on some of our websites. The operator of the corresponding plugins is YouTube, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. When you visit a page with the YouTube plugin and you have given your consent to load YouTube videos, a connection to YouTube servers is established. YouTube is informed which pages you visit. If you are logged into your YouTube account, YouTube can assign your surfing behaviour to you personally. You can prevent this by logging out of your YouTube account beforehand. If a YouTube video is started, the provider uses cookies that collect information about user behaviour. Further information on the purpose and scope of data collection and its processing by YouTube can be found in the provider’s privacy policy, where you will also find further information on your rights in this regard and setting options to protect your privacy (https://policies.google.com/privacy).

b. Legal basis of the processing
The legal basis for the integration of YouTube and the associated data transfer to Google is your consent (Art. 6 para. 1 lit. a GDPR).

c. Data categories
IP address

d. Recipient
The recipients of the data are internal employees and YouTube/Google as the service provider.

e. Storage periods
If you have deactivated the storage of cookies for the Google Ad programme, you will not have to expect any such cookies when watching YouTube videos. However, YouTube also stores non-personalised usage information in other cookies. If you wish to prevent this, you must block the storage of cookies in your browser. Further information on data protection at “YouTube” can be found in the provider’s privacy policy at: https://www.google.de/intl/de/policies/privacy/

f. Legal / contractual requirement
The provision of your personal data is voluntary, solely on the basis of your consent. If you prevent access, this may result in functional restrictions on the website.

g. Third country transfer
Processing may also take place outside the European Union (EU) or the European Economic Area (EEA). In order to guarantee the level of data protection in this third country, we have concluded the EU standard contractual clauses with Google.

h. Revocation of consent
You can revoke your consent to the storage of your personal data at any time with effect for the future.

i. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XIV Use of Leadinfo

a. Nature and purpose of the processing
We use the lead generation service of Leadinfo B.V., Rotterdam, Netherlands. This recognises visits to our website based on IP addresses and shows us publicly available information on the IP addresses, such as company names, telephone numbers or addresses of companies, via the Leadinfo dashboard available to us. In addition, Leadinfo sets two first-party cookies to evaluate user behaviour on our website and processes domains from form entries (e.g. “leadinfo.com”) in order to correlate IP addresses with companies and improve services.

b. Legal basis of the processing
The legal basis for the integration of Leadinfo and the associated data transfer to Leadinfo is our legitimate interest (Art. 6 para. 1 lit. f GDPR).

c. Data categories
IP address, Location based on the IP address, Domain from form input fields (e.g. “leadinfo.com”)

d. Recipient
The recipients of the data are internal employees and Leadinfo as the processor.

e. Storage periods
Data will only be processed in this context for as long as the purpose exists or as long as you have not objected to the processing. They will then be deleted, provided there are no statutory retention obligations to the contrary. To contact us in this context, please use the contact details provided at the beginning of this privacy policy.

f. Third country transfer
Processing outside the European Union (EU) or the European Economic Area (EEA) cannot be ruled out.

g. Possibility of objection
If you do not want Leadinfo to collect, process or use data about you via our website, you can object to the processing of your personal data at any time.

h. Automated decision-making and profiling
As a responsible company, we refrain from using an automatic

XV Online presence in social media

We maintain online presences within social networks in order to inform the users active there about our services and to communicate directly via the platforms if there is interest. We are currently represented on the following networks:

– Linkedin
– YouTube
– Xing
– Facebook

All of our social media channels can only be accessed by visitors to the website via an external link. We do not use any plugins or other interfaces on our website that the respective networks offer for embedding the offers on websites.

We have no influence on the collection of data and its further use by the social networks. For example, we have no knowledge of the extent to which, where and for how long the data is stored, the extent to which the networks comply with existing deletion obligations, which analyses and links are made with the data and to whom the data is passed on. We therefore expressly draw your attention to the fact that user data (e.g. personal information, IP address) is stored by the network operators in accordance with their data usage guidelines and used for business purposes.

We process the data of users in the social media presences insofar as they contact and communicate with us via comments or direct messages, for example. The legal basis for the processing of the user’s data is Art. 6 para. 1 lit. b and f GDPR.

– LinkedIn
– YouTube
– Xing
– Facebook

No functions and content of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, are integrated into our online offering. The LinkedIn channels are only accessible via an external link, and if visitors to our website are members of the LinkedIn platform, LinkedIn can assign the call to the social media channel to the user’s profile there if the user visits the LinkedIn profile when logged in. We would like to point out that we have no influence on the content and scope of use of the data collected by LinkedIn. For further information in this regard, please refer to LinkedIn’s privacy policy: https://de.linkedin.com/legal/privacy-policy

No functions and content of the YouTube service, offered by Google Ireland Limited, are integrated into our online offering. The YouTube channels are only accessible via an external link. If visitors to the website are members of the YouTube platform, YouTube can assign the access to the social media channel to the user’s profile if the user visits our YouTube profile when logged in. We would like to point out that we have no influence on the content and scope of use of the data collected by YouTube. For further information in this regard, please refer to YouTube’s privacy policy: https://policies.google.com/privacy?hl=de. We would also like to point out that you can make appropriate changes to your YouTube account to protect your privacy.

No functions and content of the Xing service, offered by New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany, are integrated into our online offering. The Xing channels are only accessible via an external link. If visitors to our website are members of the Xing platform, Xing can assign the access to the social media channel to the user’s profile there if the user visits the Xing profile when logged in. We would like to point out that we have no influence on the content and scope of use of the data collected by Xing. For further information in this regard, please refer to Xing’s privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

You can access the Facebook social media network via external links on our website. All functions in the social media network are offered by Meta Platforms Ireland Ltd. The Facebook channels can only be accessed via an external link, and if you are logged into Facebook with your own profile and access our social media channel, Facebook can assign your visit to your logged-in profile. If you do not wish your user account to be associated with your IP address, please log out of your Facebook account before using our website.
For more information on the processing of your data, please refer to Facebook’s privacy policy: https://facebook.com/privacy/explanation

XVI Processing in the context of the business relationship

a. Nature and purpose of the processing
We may process the personal data of our customers, prospective customers, suppliers, vendors and partners for communication, planning, execution of the contractual relationship, marketing, administration and security purposes.

b. Legal basis of the processing
The processing of the data provided is based on a legitimate interest (Art. 6 para. 1 lit. f GDPR) and the fulfilment of the contract (Art. 6 para. 1 lit. b GDPR)

c. Data categories
– Contact information (full name, job title, professional e-mail address, professional telephone number, professional address)
– Billing information and payment data
– Other necessary information in a project or contractual relationship or information that is voluntarily provided to us, such as personal data relating to orders, payments, enquiries and projects

d. Recipient
The recipients of the data are the internal employees of the respective departments and, if applicable, the processors of the departments.

e. Retention periods
We delete personal data when the storage of the personal data is no longer necessary for the purposes for which it was collected or processed or for the fulfilment of legal obligations (e.g. HGB, AO).

f. Transfer to third countries
Your personal data may be transferred to third parties based outside the European Union (EU) or the European Economic Area (EEA) who provide hosting services for us, for example. In order to guarantee the level of data protection in the third country, we have concluded so-called standard data protection clauses with our respective service providers.

g. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.

XVII Information obligations in the application procedure

a. Nature and purpose of processing
We process the applicant data only for the purpose and within the scope of the application procedure in accordance with the legal requirements. Applicant data is processed to fulfil our (pre-)contractual obligations in the context of the application process, insofar as data processing becomes necessary for us, e.g. in the context of legal proceedings.
The application process requires that applicants provide us with the applicant data. If we offer an online form, the necessary applicant data is labelled, otherwise it results from the job descriptions and generally includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide
us with additional information. By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and scope set out in this privacy policy. If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure that they are encrypted themselves. We therefore cannot accept any responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending by post. In the event of a successful application, we may process the data provided by applicants for the purposes of the employment relationship.

b. Legal basis of the processing
The processing of your data is carried out for the implementation of (pre-)contractual measures (Art. 6 para. 1 lit. b GDPR).

c. Data categories
First name, surname, address, email address, telephone number, CV, references, certificates, photo, documents that you send us without being asked. Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin).

d. Recipients
Recipients of the data are internal employees of ondeso GmbH

e. Source
We receive information about you directly from you through the application process or from other sources such as recruitment agencies.

f. Storage periods
Subject to a justified cancellation by the applicant, the deletion will take place after a period of 6 month(s) so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

g. Legal / contractual requirement
The provision of your personal data beyond the retention period, e.g. in order to be included in our applicant pool, is voluntary and based solely on your consent. You can revoke this consent to the storage of your personal data at any time with effect for the future.

h. Transfer to third countries
Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

i. Revocation of consent
If the application for a job offer is unsuccessful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. You can revoke your consent to the storage of your personal data at any time beyond the storage period with effect for the future. You can inform us of your cancellation at any time using the contact option provided at the beginning of this data protection notice.

j. Automated decision-making and profiling
As a responsible company, we do not use automated decision-making or profiling for this data processing.