Privacy Statement
Effective date: June 18, 2023
Privacy policy
This data protection notice provides you with an overview of the processing of your data by oxethica GmbH. This notice applies to all websites and other services offered by oxethica GmbH. According to the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person, such as name, contact details or user behavior.
I. Responsible body and contact details
The person responsible for data processing is
oxethica GmbH
represented by Prof. Dr. Matthias Holweg and Wiebke Krone
Jüthornkamp 13
22043 Hamburg
Phone: +49 1795034253
E-mail: info@oxethica.com
II. General information on data processing
1. Visiting the website
a. What data do we collect and for what purpose?
When using the website for information purposes only, i.e. access without registering or otherwise providing us with information, we only collect the personal data that your browser transmits to our server. When you visit our website, we collect data that is technically necessary for us to display our website to you and to ensure stability and security. The data is stored in the log files of our system. This data is not stored together with other personal data of the user. The processed data includes in detail:
• IP address
• Date and time of access to our website
• User agent (browser name and version and operating system)
b. Legal basis for data processing
The legal basis for the temporary storage of the aforementioned types of data is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, which consists of ensuring the proper display of the website, logging blocked or malicious access and thus ensuring forensic activities as well as the security and stability of our website.
c. Storage duration and deletion periods
The data is generally deleted after one week, but at the latest when it is no longer required to achieve the purpose for which it was collected and there are no longer any legal obligations to retain it.
2. Processing of account data when creating an account
a. What data do we collect and for what purpose?
When you create a customer account, you enter into a legal relationship with us under the law of obligations. In doing so, we store your personal data, such as name, e-mail address and position. In addition, we will assign you a UUID when you create a customer account so that you can be uniquely identified in the system. A UUID (Universally Unique Identifier) is a unique identifier that is used to uniquely identify individual objects or persons, similar to a serial number, without two identical UUIDs being repeated.
b. Legal basis for data processing
The legal basis is Art. 6 para. 1 lit. b GDPR, as the storage of your personal data is necessary for the fulfillment of a contract with you or for the implementation of pre-contractual measures.
c. Storage duration and deletion periods
The data will be deleted or blocked if it is no longer required to achieve the purpose for which it was collected, for example because you have deleted your account and there are no longer any legal obligations to retain it.
3. Processing as part of the AI assessment
a. What data do we collect and for what purpose?
When using our AI assessment function, we process personal data from you as a user and from the contact person you have provided, such as your name, e-mail address, telephone number and position in the company.
b. Legal basis for data processing
The legal basis for the processing of your data as a user is Art. 6 para. 1 lit. b GDPR. We process your personal data in order to fulfill our obligations to you under the contract for the use of the AI assessment function.
If a contact person is stored, the legal basis for the processing of the data of the stored contact person is Art. 6 para. 1 lit. f GDPR, namely our legitimate interest in providing our service to you with the involvement of the stored contact person.
c. Storage duration and deletion periods
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. As a rule, further processing is no longer required if you have deleted your account and there are no longer any statutory retention obligations.
4. Making contact
a. What data do we collect and for what purpose?
If you contact us by e-mail or telephone, e.g. via the contact information provided on the website, your personal data such as e-mail address or telephone number, name, position and your request will be stored and processed by us for the purpose of processing your request.
b. Legal basis for data processing
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR).
c. Storage duration and deletion periods
The data will be deleted or blocked as soon as it is no longer required for the purpose for which it was collected, in particular as soon as we consider the matter to be closed and there are no longer any statutory retention obligations.
III. Newsletter
1. What data do we collect and for what purpose?
We offer you the opportunity to register for our newsletter on our website. We use the newsletter to inform you about our products and services. We use the cloud-based tool "MailChimp" for our newsletter service. The operating company of MailChimp is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
First, we collect your e-mail address and send you a confirmation e-mail with a confirmation link that you must click in order to subscribe to our newsletter. Your e-mail address and the date on which you gave us your consent to the newsletter service will be stored.
2. Legal basis for data processing
The legal basis for this processing is Art. 6 para. 1 lit. a GDPR, namely your consent to data processing when registering for the newsletter.
3. Order processing
When using MailChimp, personal data is transferred to the USA. We have concluded EU standard contractual clauses with the provider, Rocket Science Group LLC, to ensure an adequate level of data protection in the event of a third country transfer.
MailChimp also processes your data on our behalf as a processor in accordance with our instructions for the aforementioned purposes. An order processing contract within the meaning of Art. 28 para. 1 GDPR has been concluded with this processor. This processor is obliged to handle your data in accordance with the General Data Protection Regulation and also takes appropriate technical and organizational measures to ensure the security of your data.
4. Revocation options
You can revoke your consent to the newsletter service at any time by unsubscribing from the newsletter. We provide a link for this purpose in every newsletter message.
5. Storage duration and deletion periods
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, in particular as a result of a revocation on your part, and there are no longer any statutory retention obligations.
IV. Hosting
External hosting
Our website and our SaaS solution (AI assessment) are hosted by Vercel Inc, a cloud platform provider. This enables a fast and error-free display of our content. The provider is Vercel Inc, 650 California St, San Francisco, CA 94108, USA.
Although the provider Vercel Inc. is based in the USA, the servers on which our website and the SaaS solution are hosted are located in Germany. Therefore, no data is transferred to the USA.
The personal data collected on this website is stored on the hoster's servers. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.
The hoster is used for the purpose of fulfilling the contract with you as a potential or existing customer in accordance with Art. 6 para. 1 lit. b GDPR and in the interest of a secure, fast and efficient provision of our website by a professional provider within the meaning of Art. 6 para. 1 lit. f GDPR.
Vercel also processes your data on our behalf as a processor in accordance with our instructions for the aforementioned purposes. An order processing contract within the meaning of Art. 28 para. 1 GDPR has been concluded with this processor. This processor is obliged to handle your data in accordance with the General Data Protection Regulation and also takes all necessary technical and organizational measures to ensure the security of your data.
V. Payment service provider
Stripe
The external payment service provider Stripe is used on our website. This offers you as a user a platform via which payment transactions can be made. For customers within the EU, Stripe Payments Europe (Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) is responsible.
If you select Stripe as your payment method during the payment process on our website, you will be redirected to the website of the payment service provider Stripe. The processing of your data, such as account data, is carried out exclusively by Stripe. Stripe does not transmit the data you enter on the Stripe website to us. In this respect, Stripe's privacy policy applies.
VI. Cookies
Cookies are stored on your computer system when you use our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on your computer system. Such a cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. We only use technically necessary cookies. Your consent is not required for the use of technically necessary cookies (Section 25 (2) No. 2 TDDG).
The technically necessary cookies are as follows:
Name of the cookie | Type of cookie | Purpose of the cookie | Storage duration
__Host-authjs.csrf-token | Technically necessary | Ensuring the login functionality | Session
__Host-next-auth.csrf-token | Technically necessary | Ensuring the login functionality | Session
__Secure-authjs.callback-url | Technically necessary | Ensuring the login functionality | Session
__Secure-authjs.session-token | Technically necessary | Ensuring the login functionality | 1 month
__Secure-next-auth.callback-url | Technically necessary | Ensuring the login functionality | Session
When using the above-mentioned technically necessary cookies, your personal data, such as your IP address or device identifiers, may be processed. The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely to maintain the functionality of our website and to be able to display the page properly.
You can generally deactivate technically necessary cookies for the function of our website in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the website may not work or may no longer work properly if you generally deactivate cookies in your browser.
VII. Social media
Shared responsibility
We, oxethica GmbH, and the operator of the social media platform LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, process your personal data jointly as part of oxethica GmbH's corporate presence on the LinkedIn platform.
To guarantee your rights and in compliance with the requirements of the GDPR, we have concluded an agreement that sets out rules on the processing of your personal data. As joint controllers in accordance with Art. 26 GDPR, we are jointly responsible for the processing of your data. This agreement is available at the following link: https://legal.linkedin.com/pages-joint-controller-addendum.
1. Nature and purpose of data processing
When you visit our LinkedIn company page, follow our page or engage with our page, LinkedIn processes personal data to provide us with statistics and insights in anonymized form. This gives us insights into the types of actions that visitors take on our site (so-called page insights). In particular, LinkedIn processes data that you have already provided to LinkedIn via the information in your profile. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. Personal data is not transmitted to us by LinkedIn. It is also not possible for us to draw conclusions about individual members using the information from the page insights.
The purpose of processing with LinkedIn is to present our company, our products and services and to interact with users.
On our LinkedIn company page, we provide information and offer users the opportunity to communicate. The company page is used to draw attention to our services and products.
2. Legal basis
The legal basis for the processing of this data is Art. 6 para. 1 lit. a GDPR, namely your consent that you have given to LinkedIn as part of your registration, as well as our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely to improve the user experience when visiting our LinkedIn company page in a target group-oriented manner.
3. Rights of data subjects
We have jointly agreed on how we will safeguard your rights and have defined in more detail which obligations each party will fulfill to comply with the obligations of the GDPR. This applies in particular to the exercise of the rights of data subjects and the fulfillment of the information obligations under Art. 13 GDPR and 14 GDPR.
LinkedIn is responsible for responding to requests from data subjects. To do so, you can contact LinkedIn online or reach LinkedIn using the contact details above. You can reach LinkedIn's data protection officer via this contact form.
Below you will find the link to LinkedIn's privacy policy: LinkedIn Privacy Policy.
Calling up our LinkedIn company page and contacting us
We link our company page on LinkedIn on our website. You can recognize the link by the LinkedIn logo. When you click on the logo, a direct connection is established between your browser and the LinkedIn servers and you are redirected to the LinkedIn website.
Information such as log files may be transmitted to LinkedIn. We have no influence on the transmission of log files to LinkedIn. Please check LinkedIn's privacy policy for more information.
If you use our company page on LinkedIn to contact us (e.g. by creating your own posts, responding to one of our posts or sending us private messages), the data you provide us with will be processed by us as the sole controller for the sole purpose of contacting you. The processing of your personal data provided for the purpose of contacting you is carried out either to carry out pre-contractual measures or to fulfill an existing contract with you or, in the case of other inquiries, on the basis of our legitimate interest in successful communication with you. The legal basis for our processing is Art. 6 para. 1 lit. b or f GDPR. We delete the aforementioned data as soon as it is no longer necessary to store it or you request us to delete it; in the case of statutory retention obligations, we restrict the processing of the stored data accordingly.
VIII. SSL encryption
Our website uses the SSL (Secure Sockets Layer) method in conjunction with the highest level of encryption supported by your browser. This applies in particular to data transfer, e.g. when entering your data to create a customer account. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
IX. Rights of the data subject
You have the following rights vis-à-vis us with regard to your personal data:
• Right to information, Art. 15 GDPR
You have the right to request information about all personal data that we process about you at any time.
• Right to rectification, Art. 16 GDPR
If your personal data is incorrect or incomplete, you have a right to rectification and completion.
• Right to erasure, Art. 17 GDPR
You can request the deletion of your personal data at any time, unless we are legally obliged or entitled to continue processing your data.
• Right to restriction of processing, Art. 18 GDPR
If the legal requirements are met, you can request that the processing of your personal data be restricted.
• Right to data portability, Art. 20 GDPR
In accordance with Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.
You can withdraw your consent to the processing of personal data at any time in accordance with Art. 7 (3) GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to object to the processing, Art. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data where the data processing, including profiling, is based on our legitimate interests. If the data is processed by us for direct marketing purposes, you have the right to object at any time and without having to provide reasons arising from your particular situation.
You also have the right not to be subject to fully automated decision-making in accordance with Art. 22 GDPR. In principle, we do not use fully automated decision-making to establish, implement and terminate the business relationship. Should we use these procedures in individual cases (e.g. to improve our products and services), we will inform you separately about this and about your rights in this regard, insofar as this is required by law.
If you wish to exercise your aforementioned rights, simply send a message to the following email address: info@oxethica.com. You also have the right under Art. 77 GDPR to complain to a data protection supervisory authority about the processing of your personal data by us.