Privacy Policy

Website privacy statement and concurrent information for data subjects in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).

1. General information

Controller within the meaning of the GDPR:

• Company: artaxo GmbH
• Address: Brandstwiete 46, 20457 Hamburg, Germany
• Phone: +49 40 2000 39 89 0
• Email: info@artaxo.com
• Managing directors: Marius Rühland, Tobias Hein
• Commercial register: HRB 139188 (Amtsgericht Hamburg)

External data protection officer:

• IITR Datenschutz GmbH, Marienplatz 2, 80331 Munich, Germany
• Email: email@iitr.de

2. General information on data processing

Personal data is collected only if you provide it to us voluntarily or if it is technically required. Processing of your personal data beyond the statutory authorisations takes place only on the basis of your explicit consent.

For each processing activity we name the applicable legal basis. The abbreviations used in this statement refer to:

• Art. 6(1)(a) GDPR — consent of the data subject.
• Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures.
• Art. 6(1)(c) GDPR — compliance with a legal obligation.
• Art. 6(1)(f) GDPR — pursuit of a legitimate interest.
• § 25 TTDSG — German implementation of the ePrivacy directive (storage of, and access to, information in end users' terminal equipment, e.g. cookies).
• § 26 BDSG — data processing in the employment context.

Retention period. We retain personal data only for as long as is necessary for the respective processing or for as long as statutory retention periods apply. Specific retention periods are stated in the respective sections below.

Recipients. Recipients of your personal data may include: public authorities where overriding legal provisions apply; processors engaged by us (in particular hosting, email, and IT service providers); further external bodies where you have consented or a transfer is permissible on the basis of overriding legitimate interests.

Third-country transfers. Some of the service providers named below are based outside the European Union, in particular in the USA. Transfers take place exclusively on the basis of the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) or, where a provider is not certified under that framework, on the basis of EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with supplementary technical and organisational measures.

3. Hosting and delivery of the website

Cloudflare (Workers, CDN, Turnstile). This website is operated on the infrastructure of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Cloudflare provides the content delivery network (CDN), the Workers runtime environment, DNS routing, TLS encryption, and the Turnstile bot-protection service. Every request to this website is routed through Cloudflare's edge network.

Data processed: IP address, user-agent, date and time of the request, requested URL, referrer URL, amount of data transferred, HTTP status code. These so-called server logs are stored for at most 30 days and serve exclusively to ensure the technical operation of the website and to defend against attacks.

Legal basis: Art. 6(1)(f) GDPR; legitimate interest in the secure and stable operation of the website.

Cloudflare is certified under the EU-US Data Privacy Framework. We have concluded a Data Processing Agreement pursuant to Art. 28 GDPR as well as Standard Contractual Clauses with Cloudflare. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

Cloudflare Turnstile. On our contact form we use Cloudflare's bot-protection service Turnstile to defend against automated submissions. Turnstile evaluates anonymous behavioural signals (e.g. mouse and keyboard heuristics) in the browser and forwards a verification token to our server. No persistent identifier is set. Legal basis: Art. 6(1)(f) GDPR; legitimate interest in protection against spam and abuse.

SSL/TLS encryption. All data transfers between your browser and our website — including every contact-form submission — are encrypted exclusively via TLS (HTTPS). TLS certificates are issued and renewed automatically by Cloudflare. With a current browser configuration the connection uses at least TLS 1.2.

4. Reach measurement and web analytics

Cloudflare Web Analytics. We use Cloudflare Web Analytics to collect anonymous reach data. The service operates entirely cookieless and does not create user profiles. Only aggregate metrics such as page views, dwell time, and Core Web Vitals values (loading speed, interactivity, visual stability) are recorded. There is no cross-referencing with other data sources or identification of individual users.

No reading access takes place to terminal-equipment properties such as navigator.* APIs, Local Storage, IndexedDB, or canvas/WebGL fingerprinting. Only header information that your browser sends as part of every HTTP request anyway is processed (user-agent, referrer, language, IP). In our view this does not constitute consent-requiring access to information in your terminal equipment within the meaning of § 25(1) TTDSG.

Legal basis: Art. 6(1)(f) GDPR; legitimate interest in the needs-based optimisation of the website.

5. Cookies and consent management

Cookiebot (consent management). This website uses the consent-management tool Cookiebot from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot manages your consent decisions, documents them in a verifiable manner, and keeps these settings changeable for you at any time. For this purpose a cookie called CookieConsent is stored in your browser; it contains exclusively your consent selection and is valid for twelve months.

Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR and § 25 TTDSG (legal obligation to record consent). Cookiebot's privacy policy: cookiebot.com/en/privacy-policy.

Cookie categories. Cookiebot classifies all cookies and comparable technologies used on this site into four categories:

• Necessary — technically required (e.g. storing the language preference, security cookies). Set without consent; legal basis: § 25(2)(2) TTDSG and Art. 6(1)(f) GDPR.
• Preferences — store your selections such as language or region.
• Statistics — anonymous usage statistics for site optimisation.
• Marketing — tracking for personalised advertising and campaign success measurement.

Cookies in the Preferences, Statistics, and Marketing categories are only set after your explicit consent via the Cookiebot banner (Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG).

Current cookie overview. The following list is generated automatically by Cookiebot and updated monthly:

Manage cookie settings — re-opens the consent dialog.

6. Website tracking

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to manage the analytics and marketing tools listed below. Tags are delivered through a server-side container at load.krake.artaxo.com, which means tracking requests are processed first-party before anonymised data is forwarded to the respective providers. Tags fire only after your consent via the Cookiebot banner (Google Consent Mode v2 — before consent, all tracking signals are set to denied).

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG. Google's privacy policy: policies.google.com/privacy.

Google Analytics 4 (GA4). Provider: Google Ireland Limited. We use GA4 for statistical reach measurement and to optimise our content. Data processed includes page views, dwell time, device and browser information, and a truncated IP address (server-side IP anonymisation is active). After consent, GA4 sets cookies such as _ga and _ga_*.

Google Ads (incl. Conversion Tracking). Provider: Google Ireland Limited. Used to measure the performance of our ad campaigns and, where applicable, for remarketing. Data processed includes conversion events, truncated IP address, and click identifiers. Cookies such as _gcl_au and NID are set only after consent.

LinkedIn Insight Tag. Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Used for conversion measurement and audience targeting on our LinkedIn ads in B2B contexts. Cookies such as li_sugr and _bcookie are set after consent; LinkedIn may transfer data to its parent company LinkedIn Corporation in the USA (EU-US Data Privacy Framework). Privacy policy: linkedin.com/legal/privacy-policy.

Hotjar. Provider: Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian's STJ 3141, Malta. Hotjar produces anonymised heatmaps and sampled session recordings that help us understand usage patterns on our website and improve content accordingly. Data processed includes click, scroll, and mouse-movement data as well as browser and device information; IP addresses are truncated before storage. Sensitive input fields (e.g. passwords, contact-form fields) are blocked from recording by default (suppress-by-default). Cookies such as _hjSession* and _hjSessionUser* are set only after consent. Privacy policy: hotjar.com/legal/policies/privacy.

Microsoft Clarity. Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Like Hotjar, Clarity provides heatmaps and session recordings for UX optimisation. Data processed includes click, scroll, and mouse-movement data plus browser and device information; entered text is masked before storage. Cookies such as _clck and _clsk are set only after consent. Microsoft may process the data in the USA; the transfer is covered by the EU-US Data Privacy Framework (Microsoft is certified). Privacy policy: privacy.microsoft.com.

7. Contact form

When you use our contact form (on the page /en/contact or in the modal dialog), we process the data you provide — name, email address, optional phone number, and message — to handle your enquiry and any follow-up questions. Additionally, for spam protection your IP address, user-agent, and the Cloudflare Turnstile token are processed (see section 3).

Legal basis: Art. 6(1)(b) GDPR (initiation of pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in answering general enquiries and protecting against spam).

Retention period: until your enquiry has been fully handled, plus a reasonable archiving window. If a contract arises from the conversation, commercial and tax retention obligations apply (typically six and ten years respectively).

8. Careers page and application procedure

On our careers page (/en/careers) we embed the job widget of softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin, Germany via iframe. Because loading an iframe technically transmits data to softgarden (in particular IP address and user-agent) immediately on page load, the iframe is loaded only after your explicit consent via the Cookiebot banner (category "Statistics"). As long as you have not granted that consent, a notice is displayed in place of the listings, with the option to grant consent retroactively.

After consent we transmit to softgarden: IP address, user-agent, browser and device information, and any further data you actively enter during the application process. softgarden sets its own cookies for the application workflow; details are in softgarden's privacy policy.

Legal basis for the iframe embed: Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG (consent). Legal basis for the subsequent application process: Art. 6(1)(b) GDPR in conjunction with § 26(1) BDSG.

softgarden's privacy policy: softgarden.com/de/datenschutz. The retention period for application data is generally six months after notification of the decision; deviating retention periods following consent for inclusion in our applicant pool are documented separately.

9. Social-media profiles and joint controllership

artaxo maintains corporate profiles on the following social-media platforms to communicate about our services, open positions, and industry topics:

• LinkedIn — LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
• Instagram and Facebook — Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland.
• Xing — New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

As soon as you visit one of our profiles or interact with our content there (e.g. like, comment, follow), the respective platform processes your data in accordance with its own privacy notice, over which we have no influence. For the statistical visitor insights the platforms make available to us about our profiles (reach, demographic aggregates, interaction metrics), we are joint controllers with the platform operators within the meaning of Art. 26 GDPR. The substantive content of the corresponding agreements is available here:

• LinkedIn ("Page Insights Joint Controller Addendum"): legal.linkedin.com/pages-joint-controller-addendum
• Meta ("Page Insights Controller Addendum"): facebook.com/legal/terms/page_controller_addendum
• Xing privacy policy: privacy.xing.com/en/privacy-policy

Legal basis: Art. 6(1)(f) GDPR; legitimate interest in external presence, recruiting, and industry communication. Primary data-protection responsibility — in particular for the exercise of data-subject rights regarding the data processed on the platforms themselves — lies with the respective platform operators.

10. Information on further data-processing procedures

Processing of customer and prospect data

Data affected: data provided for contract performance; where applicable, further data on the basis of your explicit consent.

Purpose / legal basis: contract performance (offers, orders, sales, invoicing, quality assurance) — Art. 6(1)(b) GDPR; marketing communications to existing customers within § 7(3) UWG or based on your consent under Art. 6(1)(a) GDPR.

Recipients: public authorities where overriding legal provisions apply (e.g. tax office); external processors (including hosting, email dispatch, accounting).

Retention period: after termination of the business relationship in accordance with commercial and tax retention obligations (typically six and ten years respectively under §§ 257 HGB, 147 AO).

Processing of employee data

Data affected: data necessary for performing the employment relationship.

Legal basis: Art. 6(1)(b) GDPR in conjunction with § 26(1) BDSG; Art. 6(1)(c) GDPR for legal obligations towards social-insurance providers and tax authorities.

Recipients: tax office, social-insurance providers, professional associations; external service providers for payroll, travel-expense accounting, and corporate insurance.

Retention period: in accordance with tax, social-insurance, and labour-law retention obligations (typically ten years after termination of the employment relationship).

Processing of supplier data

Data affected: data provided for contract performance.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR for tax retention obligations.

Recipients: tax office; external processors (accounting, payment processing, hosting).

Retention period: typically ten years under §§ 257 HGB, 147 AO.

Video conferences and webinars

For virtual meetings we use Microsoft Teams from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (under our Microsoft 365 Business licence). For service delivery, Microsoft may transmit data to its parent company Microsoft Corporation in the USA; the transfer is covered by the EU-US Data Privacy Framework (Microsoft is certified). Data processed is limited to what is required for participation (first and last name, email address; optional audio, video, and chat transmission).

For larger webinars, industry events, and training sessions we may use additional platforms, which are named separately in the respective invitation workflow. Recordings are made only with the prior documented consent of all participants.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in efficient business communication); for webinar recordings Art. 6(1)(a) GDPR (consent). Microsoft's privacy statement: privacy.microsoft.com.

11. Withdrawal of consent

You may withdraw consent given at any time with effect for the future. The lawfulness of processing carried out before the withdrawal remains unaffected. To withdraw or change your cookie consent, the following options are available:

• Via the Cookie Settings link in the footer of this website (always reachable).
• Via the embedded Cookiebot overview in section 5, where you can enable or disable each category individually or withdraw consent entirely.
• By deleting the stored cookies in your browser settings.

Withdrawal of consent for receiving electronic marketing communications can also be declared at any time by emailing info@artaxo.com.

12. Your rights and right to lodge a complaint

You have the following rights at any time with regard to your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing based on legitimate interests (Art. 21 GDPR)
• Withdrawal of given consent (Art. 7(3) GDPR; see section 11)

To exercise your rights you can reach us by email at info@artaxo.com or by post at the address given in section 1. For data-protection questions you can also contact our data protection officer directly at email@iitr.de.

Right to lodge a complaint. You have the right to lodge a complaint with a data-protection supervisory authority — in particular with the authority responsible for our registered office:

• Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
• Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany
• Web: datenschutz-hamburg.de

No automated decision-making. Automated decision-making within the meaning of Art. 22 GDPR, including profiling, does not take place on this website.